File: blk00281.txt

22:45 < warren> jgarzik: if you aren't near one of the consulates there are some companies that will charge you money to do it...
22:47 < HM3> gmaxwell, the schnorr construction is just cleaner algebraically, and I like that you can't do public key recovery
22:48 < gmaxwell> ::shrugs:: Not really more than anything else that does the same thing, and it's compatible.
22:48 < gmaxwell> HM3: yea, sure, I like schnorr too, but randomness isn't an argument for it.
22:49 < HM3> the lack of a need for a perfect RNG during signing is
22:50 < gmaxwell> HM3: DSA and Schnorr are the same in that regard. You derandomize them both under the same method
22:50 < HM3> sure but schnorr requires that construction to work
22:51 < gmaxwell> HM3: no they don't, go look at the schnorr patent. It's described using a random k.
22:52 < HM3> no I mean Schnorr is H(m||rG) and during verification you have to compute the candidate rG and recalculate H(m||rG)
22:52 < warren> "go look at the * patent" told to another engineer is wise?
22:53 < HM3> in DSA you just check, if i remember correctly, that sG is correct
22:53 < gmaxwell> warren: it's expired. Also, you need to go turn in your JD if you think it's not, see in re seagate. :)
22:54 < gmaxwell> (otherwise my response would have been "forget about it, it's patented")
22:55 < HM3> anyway. keeping DSA has no more merit than replacing it if you plan on breaking compatibility anyway. but it's a fair point that you can derandomize DSA if you don't
22:55 < jgarzik> warren, yep, like Travisa ;p
22:55 < jgarzik> warren, communist state was never destined to make life easy and efficient
22:55 < warren> jgarzik: oh, they do F visas?  didn't see that option
22:56 < warren> jgarzik: I like how easy and efficient things are here.
22:57 < gmaxwell> HM3: hm, why do you say that recovery isn't possible in Schnorr? I believe it is, in fact.
22:57 < HM3> doubtful
22:58 < HM3> sipa agreed with me months ago when i asked him as well :P
22:58 < HM3> Appeal to authority! appeal to authority
22:59 < HM3> s = k - xe
22:59 < HM3> sG = kG - xeG
22:59 < HM3> you know eG and sG but not kG (which is r)
23:00 < HM3> and you know e = H(M||r)
23:00 < HM3> and obviously not xG (the key you're trying to recover)
23:01 < gmaxwell> HM3: You know r.
23:01 < HM3> nah, r isn't part of the sig
23:01 < gmaxwell> pray tell how you compute H(M||r) without it in the verifier?
23:02 < HM3> you calculate candidate r
23:02 < HM3> then compute H(M||r) and compare with e, which = H(M||r)
23:02 < warren> Don't worry, only *hard* math is patentable subject matter.  Not abstract ideas.
23:02 < HM3> I don't know why Wikipedia uses such silly letters
23:03 < HM3> r should be for the randomly selected number damnit
23:03 < gmaxwell> HM3: ah right, you recover r.
23:03 < HM3> gmaxwell, right, but you need the public key you're verifying against to do it
23:04 < HM3> in DSA s = (1/k) * (H(M) + xr)
23:04 < HM3> and r = kG anyway
23:04 < gmaxwell> well thats a bummer then, minus one for Schnorr signatures. :P
23:04 < HM3> so it's fairly redundant
23:04 < HM3> gmaxwell, but DSA is broken if there's a collision on your hash function :P
23:06 < gmaxwell> so is schnorr, I take your signature and rebind it onto M' where H(M'||r) == H(M||r). :P
23:06 < HM3> if you were stupid and used a raw SHA instead of HMAC, then trick you into signing 2 length extended messages such that there was a collision, I can work out your privy
23:06 < HM3> gmaxwell, yes but it wouldn't reveal the private key like DSA would
23:07 < HM3> even your derandomized DSA would if you used H(priv || H(M)) instead of H(priv || M) for the rerandomization bit
23:08 < gmaxwell> Fair enough. I'm not going to argue that you don't need to bother with the private key if you can just rebind, because, I realize that collisions in reality are never quite that freeform. :)
23:09 < HM3> nobody has broken anything decent collision wise yet anyway have they?
23:09 < warren> gmaxwell: thanks for in re seagate, not sure how I didn't see this before.
23:11 < gmaxwell> HM3: sure, md5, though not second-preimages on an arbitrarily selected input.
23:12 < gmaxwell> HM3: I'm busy chastising myself because I'm usually irritated by people who refuse to distinguish theoretical security from practical security, and I did almost make that counterargument to you in earnest.
23:13 < HM3> I saw that SHA-3 got knocked down a bit during recent standardisation
23:14 < gmaxwell> HM3: IIRC Schnorr also has nice threshold signatures, alas.
23:14 < HM3> they cut some bit lengths
23:14 < gmaxwell> HM3: yea, they changed the input rate. Which was kinda surprising, because capacity was specifically cited as a reason to exclude cubehash from the final round.
23:15 < HM3> did they give a reason?
23:15 < gmaxwell> Sure, speed.
23:15 < HM3> Pish
23:15 < gmaxwell> Its not entirely unreasonable.
23:15 < gmaxwell> But I was surprised.
23:16 < gmaxwell> DJB did some saber rattling on the NIST list to adjust the capacity to a fixed 576 bits (so a constant 1024 bit input rate) which is sort of a middle ground (more security for the original proposal at 256 bits output, less than the original proposal for 512 bit output). Doesn't sound like NIST or the Keccak team like the proposal. .. but NIST went quiet with the government shutdown.
23:17 < gmaxwell> For small inputs (e.g. <1024 bits) it doesn't matter.
23:19 < HM3> maybe when they reopen they'll forget they made the change
23:19 < gmaxwell> it's kinda irritating that the NIST list is closed-access. I see that the wikipedia sha-3 article mentions this discussion but has no citation.
23:19 < gmaxwell> well the change apparently was proposed by the Keccak team, which is totally believable; the original capacity was the minimum nist required.
23:19 < gmaxwell> DJB basically said FUCK YOU to that requirement and refused to meet it in his proposal, and... well. :P
23:20 < gmaxwell> the other hashes met the requirement but many of them whined.
23:20 < HM3> Good old DJB
23:20 < HM3> I find his written material very accessible
23:21 < gmaxwell> esp having 512 bits of preimage security for the 512 bit hash required >1024 bits of state (in addition to the update state) which was getting a bit burdensome.
23:22 < gmaxwell> the DJB proposed modification to sha3 would have the nice side effect of making it always process 1024 bits at a time, regardless of the output size.  On that basis I like it.
23:22 < HM3> and presumably that allows for optimisation
23:23 < gmaxwell> (currently it does something like 1344 bits at a time for 256 bit output, and 1088 bits at a time for 512 bit output)
23:23 < gmaxwell> well it simplifies implementations at least, might also make hardware versions that do both sizes easier.
23:24 < HM3> 1337 bits would have been better
23:24 < gmaxwell> I am imagining millions of duck sized engineers stabbing you in the foot.
23:26 < HM3> ah well, i must retire to bed
23:26 < HM3> i'll take that duck sized engineer thing with me
--- Log closed Tue Oct 15 00:00:11 2013
--- Log opened Tue Oct 15 00:00:11 2013
02:12 < warren> sipa: http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/00000/2000/300/2318/2318.strip.gif
02:16 < sipa> let me guess
02:16 < sipa> yup :)
02:26 < warren> sipa: just as likely as my one time pad
05:36 < wumpus> https://github.com/bitcoin/bitcoin/issues/3090 CodeBug : should compare return value from memcmp with zero.
05:36 < wumpus> wrong channel
08:45 < HM3> since Bitcoin already uses boost you could use boost array instead of 'vch' in CKey
08:45 < HM3> would have got operator== for free
09:56 < petertodd> BlueMatt: from the point of view of a SPV node, verifying that a block header is correct is verifying it fully, so relaying that header (or even full block) to other SPV nodes does no harm.
09:57 < sipa> well, you would at least want to announce that you did not verify transactions in that case
09:57 < petertodd> BlueMatt: anyway, I put that in the BIP to show how NODE_BLOOM should be thought of "I'm willing to apply bloom filters to stuff I relay to you" and nothing more
09:57 < petertodd> sipa: which you do because you didn't set NODE_NETWORK (in that case)
09:58 < sipa> right, NODE_BLOOM is orthogonal to what you are relaying
09:58 < petertodd> sipa: exactly
09:59 < petertodd> You could (uselessly) say NODE_BLOOM and !NODE_* just means I'm willing to apply bloom filters to the nothingness I will relay to you; if you implement this I suggest you apply for an art grant.
09:59 < sipa> perhaps apply it to addr or alert messages :p
10:00 < petertodd> With an extended NODE_BLOOM definition that makes a lot of sense.
14:41 < gmaxwell> uh. Michael Gronager has ... um. not quite sure what to call it: https://bitcointalk.org/index.php?topic=310954
14:43 < petertodd> looks fixable to me, though ugly
14:44 < gmaxwell> yea, it's apparently already fixed.
14:45 < gmaxwell> 50% drop in namecoin exchange rate though.
14:45 < petertodd> good example of how blockchains can separate proof-of-data distribution, global consensus on ordering, and the actual rules themselves...
14:45 < petertodd> ha, yeah, I should have quickly bought some at the low point :P
15:07 < warren> amusing to see the deniers in the thread
15:10 < amiller> does anyone know who first created namecoin
15:10 < sipa> vinced?
15:15 < K1773R> gmaxwell: (namecoin) holy, that's horrible... i wonder why nobody looked at it :S
15:16 < sipa> i suppose because nobody competent cared? *ducks*
15:16 < amiller> but no one has heard from vinced in a long time?
15:17 < petertodd> K1773R: namecoin isn't getting used for anything yet; it just hasn't caught on
15:17 < petertodd> K1773R: well, other than speculators...
15:18 < K1773R> petertodd: i used it as a backup solution for important stuff
15:18 < sipa> eh?
15:18 < petertodd> K1773R: backup? how so?
15:18 < K1773R> you're aware it's just a simple key/value storage?
15:19 < sipa> yes
15:19 < sipa> but there are certainly easier ways
16:17 < amiller> jtimon, ok well fair enough, that is indeed a good way to do it, but you probably also need a way of discouraging utxo bloat
16:18 < jtimon> amiller I advocate for explicit colors
16:18 < amiller> jtimon, yes i advocate for it too, i just don't see what the solution is for discouraging utxo bloat now that you add a functionality that increases it
16:19 < jtimon> if nobody has to store the full utxo, utxo bloating is not that much of a problem
16:20 < maaku_> amiller: this doesn't result in any utxo bloat...
16:20 < amiller> do coins have at most 1 color or something?
16:20 < maaku_> scripts are in the txin, not out
16:20 < killerstorm> amiller: color tag is just a hash of genesis transaction or something like that. ~32 bytes per UTXO won't hurt.
16:20 < maaku_> amiller: yes
16:21 < amiller> ok that sounds pretty nice.
16:21 < amiller> adding that single op code and that single change to UTXO is by far the simplest way of getting fairly scalable colored coins usage.
16:22 < killerstorm> jtimon: there is no difference between OP_CHECKCOLORVERIFY and explicit colors. OP_CHECKCOLORVERIFY can be in scriptSig.
16:22 < amiller> i'd be really interested to see that
16:22 < jtimon> killerstorm: in fact, in the next version of freimarkets specs, you can save the tag, by omitting it you mean "the same color as the previous output"
16:22 < killerstorm> jtimon: I mean I'm not aware of any practical difference.
16:22 < amiller> that sounds pretty great to me
16:22 < amiller> how about a reference impl that deviates minimally from satoshi client?
16:24 < maaku_> amiller: what scheme are you talking about?
16:24 < killerstorm> Well I've heard iXcoin guys are interested in implementing this, but they lack developers. (Essentially it is just the guy who does the marketing...)
16:24 < killerstorm> I've outlined the spec although I'm not sure about some decisions.
16:25 < jtimon> saposhi nasakyoto I think (I can't believe ixcoin is alive, and there's still people who say MM kills altcoins...)
16:29 < jtimon> but yeah, why not use it to experiment
16:30 < jtimon> it's already MM, it's in a great position to be used for these things
16:31 < killerstorm> It got new life: new PR/marketing team :)
16:32 < killerstorm> MM means that it is 100% controlled by ghash.io
16:32 < jtimon> killerstorm, how do you implement per-asset interest/demurrage with OP_CHECKCOLOR ?
16:32 < jtimon> only ghash.io merge-mines it?
16:33 < killerstorm> No, ghash.io has 40% of bitcoin hashpower and is mining alt-coins. Since some Bitcoin miners do not do merged mining, this means that ghash.io has more than 50% of hashpower of Namecoin and IXCoin
16:34 < petertodd> killerstorm: +1 wish people realized that earlier
16:39 < warren> http://en.wikipedia.org/wiki/Savitch's_theorem
16:39 < warren> (for those thinking of memory hard to hash but easy to validate PoW, would this theoretical limit apply?)
16:42 < petertodd> I'm not seeing the connection
16:49 < jtimon> I don't see why memory hard is better
16:50 < warren> I didn't say it was.
16:50 < warren> people were discussing it here in past months
16:50 < petertodd> jtimon: the theory is memory hard targets memory, which is most likely to be an available commodity product and thus escapes the ASIC centralization trap
16:51 < petertodd> jtimon: however, practical memory hard that really is ASIC-hard appears to be a very difficult problem
16:51 < petertodd> jtimon: reasonably easy to do in cases where the work to be done is non-parallelizable, but crypto-consensus systems must be parallelizable
17:01 < jtimon> I don't see why ASICs are worse
17:05 < warren> IMHO, mining pool centralization is the real problem, not ASIC's.
17:07 < jtimon> warren, agreed, and I thought that was solved with trustless pools (p2pool, Eligius...)
17:07 < petertodd> jtimon: ASICs centralize control in the hands of a very small number of chip fabs
17:08 < maaku_> petertodd: meh, coordinated quality control could mitigate that
17:08 < petertodd> jtimon: and p2pool and getblocktemplate don't "solve" the problem because there's no incentive to use either
17:08 < petertodd> maaku_: huh?
17:08 < maaku_> petertodd: a scanning electron microscope is not hard to get access to
17:09 < petertodd> jtimon: they *do* help with "non-selfish" actors, but they fall short of the security ideal where bitcoin is secure in the presence of selfish actors
17:09 < maaku_> there should be efforts to take asic chips at random from batches and do SEM scans of their circuits
17:09 < maaku_> then anyone with tools can verify that they are not backdoored
17:09 < petertodd> maaku_: the problem isn't hardware that's bugged, the problem is getting hardware at all - those chip fabs can easily *publicly* control the bitcoin network
17:10 < jtimon> can't the operator of a centralized pool cheat you somehow?
17:10 < maaku_> jtimon: out of your shares, yes
17:10 < jtimon> or decide for you what transactions to, say censor?
17:11 < petertodd> jtimon: they can cheat you in lots of ways, that doesn't change the fact that per unit hashing power they'll be more profitable in many scenarios
17:11 < maaku_> jtimon: using GBT you can choose your own transactions
17:11 < petertodd> jtimon: after all, they might own the hashing power too you know in which case cheating doesn't even come into it - ghash.io owns much of their physical hashing power
17:11 < petertodd> maaku_: in theory, in practice pools don't allow that - very high bandwidth cost
17:12 < maaku_> well, eligius does
17:12 < jtimon> maybe centralized operators aren't being as malevolent as they "should"
17:12 < petertodd> maaku_: yes, and eligius is being operated by altruistic people
17:12 < petertodd> jtimon: who cares? what matters is that our security isn't as good if we have to rely on that
17:13 < maaku_> meh, i would say that eligius is operated by knowledgeable people/person
17:13 < sipa> it's my theory that if every actor started out as malevolent/selfish/rational, bitcoin would never have worked
17:13 < sipa> it's an experiment in building a system that doesn't need trust in many actors
17:13 < maaku_> as bitcoin matures i expect more pools to act like Luke-Jr
17:13 < sipa> but we'll need to get there step by step
17:13 < jtimon> sipa you're probably right, the start was incredibly difficult
17:14 < maaku_> or maybe the causality is reversed - bitcoin will never mature unless more pools act like Eligius does
17:14 < maaku_> either way once it happens, it happens
17:14 < jtimon> I mean, I wasn't around, but...it's surely the hardest part
17:15 < petertodd> sipa: yes, we got incredibly lucky there
17:16 < petertodd> fact of the matter is that relying on altruism is dangerous and subject to sudden changes
17:16 < petertodd> never mind the fact that what we were talking about, ASIC-hardness, has nothing to do with altruism
17:17 < sipa> yup, but removing much of it suddenly is equally dangerous
17:17 < petertodd> sipa: what do you mean by "removing" it?
17:17 < petertodd> sipa: no-one is proposing removing anything
17:17 < sipa> oh, i'm not saying that
17:18 < sipa> but if suddenly many people/miners/whatever started acting selfishly, i'm sure it could hurt bitcoin's survival chances
17:18 < sipa> +suddenly
17:18 < petertodd> oh sure, but the fact that it would hurt just shows that bitcoin is poorly designed
17:18 < sipa> i'd say it just isn't evolved enough :)
17:19 < petertodd> heh, equally true statement
17:19 < petertodd> though the ugly thing is changing the design is probably an economic change so...
17:20 < petertodd> anyway, as I said about the selfish miner attack, these attacks are real, and we're damn lucky that for now the big players are acting altruistically, take advantage of that time to study alternatives so we'll have them ready when they're needed
17:20 < jtimon> come on miners have to attack MM chains because "the good of their coin is their good", but they cannot trustless mine because "it is not selfish enough"?
17:21 < petertodd> jtimon: what do you mean by trustless mine?
17:21 < jtimon> p2pool, Eligius
17:21 < sipa> p2pool/gbt?
17:21 < jtimon> yes
17:21 < petertodd> jtimon: remember, my point re MM attack was that if you have a big pool, then your MM chain is in a dangerous position
17:22 < petertodd> jtimon: my point with trustless mining is that it *costs more* than just pointing your hashing power at ghash.io
17:22 < jtimon> my point now is to apply your same "for the future of the coin" reasoning for miners to use p2pool/gbt
17:22 < petertodd> after all, this all came up with mastercoin when I got hired to analyze what type of blockchain they should use, and the result was "Why use anything less secure?"
17:23 < petertodd> jtimon: that's a very bad comparison - you're comparing the behavior of a large pool to a small hasher
17:24 < jtimon> a large pool is composed of small hashers
17:25 < jtimon> if anything, they should be more stupid in groups, no?
17:25 < petertodd> not at all, think in terms of incentives to defect and do what's better for you, but worse for the group
17:25 < petertodd> IE, I earn more money for less work if I hash at ghash.io
17:26 < petertodd> vs. "I'm a 30% pool and killing off FooCoin is cheap and easy and the public doesn't like it anyway so the PR will be good for me."
17:26 < petertodd> (especially relevant in my advice to mastercoin you know...)
17:26 < jtimon> IE, I earn more money for less work if I MM instead of attacking a "competing" coin
17:26 < petertodd> oh piss off, scale makes the incentives very different
17:26 < sipa> merge mining a tiny currency doesn't gain you anything significant
17:27 < jtimon> your advice to mastercoin was to use your proof of sacrifice design draft?
17:27 < jrmithdobbs> jtimon: you're failing to control for internet assholes
17:27 < jtimon> sipa how much you lose by gbt vs ghash.io ?
17:27 < jrmithdobbs> "Some men just like to watch the world burn."
21:18 < petertodd> what? satoshidice?
21:19 < Luke-Jr> yes
21:19 < petertodd> ok, go to a jurisdiction where gambling is legal and or replace that example with another business
21:20 < Luke-Jr> I don't see a court accepting the basis that I am forced to do business with <other business>
21:20 < petertodd> Or heck, let's say I write an Android app called "Rip off zeroconf merchants!" that automates the process, and give Eligius 10% of the stolen funds in terms of fees.
21:20 < Luke-Jr> even outside of bitcoin, I have the right to choose who I do and don't do business with
21:20 < petertodd> This has nothing to do with who you choose business with - no-one is making you mine those transactions.
21:21 < petertodd> We're just forcing you to follow standard good practice and accept them into your mempool so double-spends can be detected and not mined.
21:21 < gmaxwell> well be careful to distinguish civil liability and criminal.
21:21 < gmaxwell> I think making a criminal claim out of anything in this space would be very hard.
21:21 < gmaxwell> It's too easy to deny intent.
21:21 < Luke-Jr> petertodd: accepting them into my mempool is forcing me to provide a service to them
21:21 < petertodd> gmaxwell: indeed, and civil is majority, which is a much lower bar...
21:21 < gmaxwell> (except in cases like ghash.io where they were directly and obviously profiting from it)
21:22 < petertodd> gmaxwell: I brought up the app example because it could be used in court to infer conspiracy to commit a crime.
21:22 < Luke-Jr> petertodd: why should I be forced to provide conflict detection services for <your business>?
21:22 < gmaxwell> In a civil claim, it's almost sufficient to just show someone was harmed and that you were on the critical path.
21:22 < petertodd> Luke-Jr: what gmaxwell said...
21:22 < petertodd> Luke-Jr: you are being forced to take the minimal accepted prudent action
21:23 < gmaxwell> It's uncertain what the standards people would be held to in the future.
21:23 < petertodd> gmaxwell: +1 - Reality is this is all uncertain.
21:23 < Luke-Jr> petertodd: especially in the case of a spammer, who is abusing these exact resources
21:23 < gmaxwell> Basically as petertodd says. Doing something unusual that is responsible for someone else losing money, which you could or should have foreseen, may leave you with civil liability.
21:23 < gmaxwell> _may_
21:23 < gmaxwell> In the case of these gambling services its totally moot.
21:24 < Luke-Jr> gmaxwell: even if they know they can lose money?
21:24 < petertodd> gmaxwell: yup, which is why defacto-zeroconf scares me a lot - the other half of it is "something unusual" might just mean you didn't invest as much money in network bandwidth
21:24 < gmaxwell> Their services are very likely unlawful in any jurisdiction that you care about being exposed to, and so they don't get to enjoy relief from the courts.
21:24 < gmaxwell> Luke-Jr: sure, and in defense someone being accused of a civil claim here would point to the fact that everyone knows zeroconf is unsafe.
21:25 < petertodd> Luke-Jr: "Everyone knows zeroconf is unsafe? Why we have the Lead Developer of Bitcoin on record saying it's safe for low-value transactions and that no pool would mine double-spends to preserve the value of their Bitcoins."
21:25 < gmaxwell> Luke-Jr: most of the US uses https://en.wikipedia.org/wiki/Comparative_negligence in deciding these things...
21:26 < gmaxwell> It's possible to get a decision that "yea, they should have known it was unsafe, so you're only 5% at fault"
21:26 < petertodd> Yup, and 5% of tens of thousands might still bankrupt you.
21:27 < gmaxwell> more importantly, you really just want to not be in a position where someone can bring a claim to court.... just defending is very expensive.
21:27 < petertodd> nor do you want to be in a position where some regulator is actually working behind the scenes to make the case happen
21:28 < Luke-Jr> all sounds like more reason to remove any sense of "defaults" from bitcoind
21:28 < gmaxwell> well, the right case happening wouldn't be so bad.
21:28 < petertodd> Luke-Jr: that I agree with mostly
21:29 < phantomcircuit> gmaxwell, boy is it
21:29  * petertodd brb, starting a fake ringtone company to set precedent
21:30 < gmaxwell> you really want the precedent setting defrauded site to be that girls gone wild guy
21:31 < petertodd> ha, ok, "pay by the minute barely legal live BDSM porn"
21:31 < Emcy> can't you just ensure tor mining is a thing for the foreseeable and preclude all this nonsense
21:32 < petertodd> Emcy: "As a major pool, you should put a stop to this nonsense by discouraging blocks with double-spends." <- I've seen this as a suggestion way too many times
21:32  * warren is anyone else creeped out by that guy?
21:33 < petertodd> warren: which guy?
21:34 < Emcy> whats wrong with discouraging double spends
21:34 < petertodd> Emcy: by that I mean if you see a block with a double-spend in it, you deliberately orphan it
21:34 < petertodd> Emcy: is very dangerous for consensus
21:34 < Luke-Jr> nOgAnOo: yes; no
21:35 < Emcy> i didn't know you could get a double spend into the same block
21:35 < petertodd> Emcy: block would double-spend a tx in the mempool in this case
21:35 < Emcy> that seems bund
21:50 < gmaxwell> Does anyone offer abortions for bitcoin?  Now there would be your double feature test case.
21:50 < gmaxwell> catholic abets a double spend fraud of a payment for an abortion. 0_o
21:54 < Luke-Jr> gmaxwell: you didn't think that through ;)
21:54 < Luke-Jr> I'm not about to aid someone seeking a murder for hire
21:57 < warren> Luke-Jr: not sure how you'd code that into eligius ...
21:58 < gmaxwell> Luke-Jr: no thats exactly the point.
21:58 < gmaxwell> Luke-Jr: someone accepts payments for abortions. You, as expected, block the transactions if you can.
21:58 < gmaxwell> They get ripped off via a double spend as a result.
21:59 < warren> gavinandresen: sent
21:59 < gmaxwell> Now they sue you claiming that you're culpable for the theft. You defend saying that it would be unconscionable to demand that you knowingly aid their enterprise.
22:00 < Luke-Jr> hmm, in that case I'd have to figure out a way to blacklist the coin ;)
22:01 < gmaxwell> I didn't mean it seriously in any case, it's a thought experiment about miner culpability. (and what a perilous route it is)
22:02 < gavinandresen> petertodd: zero-confirmation transactions can be made "safe-enough" for in-person low-value transactions where there is some trust that the person standing in front of you isn't colluding with a miner to double-spend.
22:03 < gavinandresen> trust/safety are not booleans
22:04 < warren> does the android wallet tell you about double spends?
22:05 < gmaxwell> petertodd: does android wallet still hide (some?) confirmed nlocktime payments?
22:05 < Luke-Jr> it doesn't even get normal spends right, so I doubt it
22:06 < Luke-Jr> btw, anyone here know an accountant into bitcoin?
22:06 < gmaxwell> TD[away]: Were you ever able to get android wallet to compile?
22:11 < BlueMatt> gmaxwell: huh? the android wallet is easy to compile
22:11 < BlueMatt> or are you talking about a branch?
22:14 < gmaxwell> derp right it was multibit that had the issue, now AW.
22:16 < warren> nOgAnOo: You are not being helpful here.
22:37 < jrmithdobbs> Is there a testnet chain big enough for io subsystem fuzzing?
22:38 < jrmithdobbs> I want 100k or so blocks I can throw at n bitcoind instances in parallel for parsing/indexing
22:39 < warren> testnet3 has over 100k blocks
22:39 < warren> not very big though
22:40 < jrmithdobbs> Guess I can just use the real chain.
22:41 < jrmithdobbs> Actually. Testnet3 may be ideal
22:41 < jrmithdobbs> Less CPU choking on smaller blocks and more io thrashing
22:43 < jrmithdobbs> Someone have it in a < .8 && <= bdb 4.8 format somewhere?
22:45 < Luke-Jr> uh?
22:45 < Luke-Jr> blockchains don't use db formats
22:47 < jrmithdobbs> The Indra
22:47 < jrmithdobbs> Index
22:48 < jrmithdobbs> Guess could just reindex it, forget how non-intensive test net processing is. ;p
--- Log closed Thu Nov 21 00:00:50 2013
--- Log opened Thu Nov 21 00:00:50 2013
00:42 < petertodd> gmaxwell: no, it's even worse now: looks like anything other than standard nSequence=max and nLockTime=0 just doesn't show up in the wallet at all
00:43 < gmaxwell> petertodd: wow, so setting locktime to other values will hose them, even if the sequence was always max? :-/
00:43 < petertodd> gmaxwell: yup
00:43 < petertodd> gmaxwell: how do people fuck this shit up?
00:43 < petertodd> gmaxwell: the previous behavior was *better* than that
00:46 < gmaxwell> petertodd: that's the kinda question you can only answer by looking at commits.
00:51 < petertodd> gmaxwell: it's probably something to do with edf37998ca6c47c31a72271db136ac94ce2a6a13 in bitcoin
00:52 < gmaxwell> bitcoinj*
00:52 < petertodd> er, right
00:54 < petertodd> gmaxwell: sheesh, it's some new "risk analyzer" thing to try to analyze the risk of double-spends - I should submit a patch that replaces all that stupid code with a single simple calculation that always returns NaN
00:55 < gmaxwell> the logic in the commit message sounds like the bitcoin-qt wallet behavior, it's not insane.
00:56 < petertodd> gmaxwell: my point is the thinking behind it
00:56 < petertodd> gmaxwell: anyway, it's probably just that the API changed and somehow it ended up with default off - there's no reference to any of it in bitcoin-wallet
05:18 < TD> gmaxwell: the android wallet? sure. it was multibit that was the problem, right? jim said he fixed that a couple of weeks ago but i didn't try building it since
05:18 < TD> gmaxwell: i had to spend time trying to make bitcoin-qt compile again
05:18 < TD> compiling sucks
05:20 < TD> i guess we should try and keep normal dev stuff in #bitcoin-dev though
05:20 < warren> TD: you use mac?
05:21 < TD> otherwise all we managed is to split one dev channel into two. let's keep #wizards for researchy stuff
05:51  * Luke-Jr facepalms
13:57 < adam3us> amiller: yes... well and by a public constant multiplication
13:57 < adam3us> amiller: so you can actually do ratios also from that
13:58 < amiller> help me understand the range proof
13:58 < amiller> start with notation for like, one input and two outputs
13:59 < adam3us> amiller: it's gnarly :) the basic idea is you need to prove v from vG+xH with v < 2^m
14:00 < amiller> i'll be happy if i can understand that a) ZK proof that the sum of outputs = sum of inputs, without overflow, b) the receiver learns one of the output values, but not the other output or the input, and c) both outputs are in a form suitable to be used in subsequent transactions
14:00 < adam3us> amiller: it's Schoenmakers' protocol, I just optimize the application of it
14:00 < adam3us> amiller: yes
14:00 < adam3us> amiller: so call the bits of v = v_m ... v_1
14:01 < adam3us> now you prove separately that v_i is either 0 or 1 using generic ZKP of OR which is to introduce a degree of flexibility where the prover can intentionally forge one of the two proofs (but not both) as c=H(params), c1 = random, c2 = c xor c1 prove wrt those 2 challenges
14:03 < amiller> ahhhhh
14:04 < adam3us> amiller: and the rest is basically to obscure it and then there's a verification relation involving 2^j and the random values committed to and showing sum xi = x and you're good to go :)
14:04 < amiller> i think i remember how to do ZK of OR...
14:04 < adam3us> amiller: then i optimized the heck out of the serialization, and what needs to be unique, can be derived from a seed, reused, computed (pub key from sig with schnorr) etc
14:05 < adam3us> yeah you just forge the one that is wrong and choose c1 as a result of that computation then set c2 = c-c1 mod n and do a real proof on that one
14:08 < adam3us> amiller: the way you avoid the sender knowing too much about the receiver's secrets is you create a null value 0G+x0*H aka x0*H (and prove that is true using a schnorr sig) and then the sender adds the payment to it, and yet the sender does not know x0
14:09 < adam3us> amiller: so eg the sender could send 5*G+x1*H and the result is 5*G+(x1+x0)*H and the sender doesn't know x0; sender has to send 5, x1 to recipient out of band or encrypted
14:11 < adam3us> amiller: you can also do proofs of equivalence of discrete log and auditable encryption so I think you could probably validate that E(5),E(x1) matched the coin, though I didn't work out the details on that and it doesn't seem necessary because the recipient doesn't have to use the input
14:13 < adam3us> petertodd: "is that linear with the number of txouts?" yes; you do a range proof on each output, but you don't need to when you use the output as the input to a following transaction as it's already done
14:14 < adam3us> petertodd: "does it handle any combination of # of txins and # of txouts?" yes, and some of them can be unencrypted optionally (eg the fee)
14:16 < petertodd> adam3us: ok, sounds like this is a bit of an issue with large transactions, as there's a trade-off between "publish the whole tx" as your fraud proof, and having more complex merkle trees
14:16 < petertodd> see, we were thinking of doing merkle sum trees extending into the transaction txins and txouts, which is cheap with un-hidden values, not so cheap with a homomorphic system
14:19 < adam3us> petertodd: "yes, but the only thing stopping it is that it's possible to mine outside of government control! Reality is with the current system, even with TXO commitments and fraud proofs, at some point a large blocksize will lead to that scenario." i think we have problems like that, and seemingly a number of people don't recognize it yet; I am also not sure such an asic friendly mining function is good either
14:20 < adam3us> petertodd: in an ideal world one could remove miners, and everyone with whatever power can direct mine for their respective tiny reward
14:20 < petertodd> yes, ASICs are very much the other part of that problem....
14:22 < adam3us> petertodd: you can do better than scrypt(iter=1) - I saw some folks on the forum were proposing a mix of 16 aes and 16 sha3 finalists to increase chip layout; also something dynamic could help; apparently dan kaminsky has some idea about a x86 proof of work which would be inefficient on non x86
14:23 < petertodd> adam3us: If I were to design bitcoin 2.0, I'd design a system where you lose 1% of the value of your coins every year to pay for security, mining can't be outsourced via some type of scheme where rewards can be stolen by whomever did the mining, mining could be done on a small scale, (aka what p2pool does for bitcoin, though probably not that mechanism) and the pow function was commodity hardware friendly (hopefully no worse than 2x or 3x less cost effective than custom asics)
14:23 < adam3us> petertodd: so about that (no mining pools) is there some way to rely only on a time-stamp server or beacon without having miners validate anything
14:23 < petertodd> yeah, I'm dubious about anything that targets a chip architecture, too easy to just make an asic that optimizes the architecture, and archs change over time anyway
14:23 < petertodd> I think only mem-hard mining has any hope of working
14:24 < adam3us> petertodd: yes - i think the people who defend hashcash-sha256^2 have some point which is that hardware ALWAYS wins, and if it's a complicated or dynamic algorithm the only people with the hw will be people with $100m+ to play with
14:25 < adam3us> petertodd: then we'll see centralization in an even harder to combat form - another idea is to kick start a not-for-profit open hardware sha256 asic mining manufacturer
14:26 < petertodd> adam3us: see, I strongly disagree on principle because computer ram is stupidly optimized for its task; design a good ram-hard pow and the custom part of a potential asic will be small enough that at worst it becomes a cottage industry where the custom parts are relatively easy parts like custom pcbs
14:26 < petertodd> adam3us: problem is I haven't figured out how to actually do that...
14:26 < adam3us> petertodd: i don't know much about hw but that seems like a good idea, as butterfly et al are suspected of premining or fatal incompetence
14:26 < adam3us> petertodd: apparently there's another one called ROMix by the Scrypt author
14:26 < petertodd> adam3us: you mean an open hardware asic mining designer... we're probably never going to have decentralized IC manufacturing due to the nature of the business
14:26 < petertodd> adam3us: having open designs doesn't help
14:27 < petertodd> *much
14:27 < adam3us> petertodd: Scrypt itself is time-memory tradeable as it was a non-requirement to fix it
14:27 < petertodd> adam3us: yup
14:27 < adam3us> petertodd: yes i agree it's not so much the openness as the ready availability shipped on payment (not 1 year later when it's barely profitable)
14:28 < petertodd> See, at a high level, we can do interactive proof-of-storage, but we can't do non-interactive proof-of-storage. (specifically I mean you had some ram that was dedicated to a task for a given amount of time)
14:29 < petertodd> We can do proof-of-memory-bandwidth, but that doesn't appear to be ASIC hard: commodity ram *does* have various trade-offs between total storage, and bank bandwidth, and if you prove bandwidth * time, you can make an ASIC targeting that. (or your algorithm's constants become obsolete over time)
14:29 < petertodd> proof-of-memory-bandwidth also has the annoying habit of being symmetric, computation and validation are both expensive. (litecoin's been optimizing their scrypt implementation to speed up block header validation)
14:30 < adam3us> petertodd: i was wondering if many-ported ram could be a problem too (eg dual ported gfx ram to its logical conclusion eg 16-ports, 128ports)
14:31 < petertodd> adam3us: that's exactly what I mean! for instance I had a scheme for an asymmetrically validatable proof-of-work function with merkle trees where the size of the proofs was directly related to the parallelism possible, and commodity ram had way less parallelism than optimal
14:31 < adam3us> more high level though is there a way to base transaction ordering on a distributed timestamp server or distributed beacon without so much having the miners digging into the tx details
14:32 < petertodd> sure, but how do we keep the timestamp/beacon system secure?
14:32 < adam3us> yes; again hardware ALWAYS does better - it's like a rule of physics or something
14:33 < adam3us> petertodd: well for example everyone mines timestamp commitments for reward
14:33 < adam3us> petertodd: that's nearly what committed tx looks like really
14:33 < petertodd> adam3us: no it's not! not pragmatically anyway, sure it'll always be at least some epsilon better, but we can live with ASICs being, say, 2x or 3x more cost efficient - basically that just makes tx's that people want to censor some reasonable amount more expensive. Not perfect, but we can live with that.
14:33 < adam3us> petertodd: the miner doesn't learn much except it's ordering something opaque
14:34 < petertodd> As I've said over and over, those schemes are nice, but there is no way they can fully prevent censorship.
14:34 < petertodd> They're plausible deniability really.
14:34 < adam3us> petertodd: agree the scale is critical, 2-3x as you say would be fantastic compared to where we are now
14:34 < petertodd> adam3us: yes, right now we've got more like 1000x
14:36 < adam3us> petertodd: i was thinking one stepping stone towards reducing need for mining pools and miner understanding eg is that you could mine to get voting rights and then use the voting rights to vote on transactions
14:36 < petertodd> Also, keep in mind there's variations of this stuff too: assuming FPGAs are always available as commodity is a weaker assumption, but it's better than nothing. On that basis it might be a lot easier to make mem-hard work.
14:36 < adam3us> petertodd: eg you mine your public key repeatedly for 10mins, everyone does
13:08 < adam3us> musing about organizing private keys as some kind of merkle-tree, if I had Q=dG where d is the root of the tree, then Q=Q1+Q2 where Q1=d1G, Q2=d2G d=d1+d2 mod n, and so on for Q1..Qk for some number.  now say leaf nodes in this tree are worth some standardized unit, 1uBTC.  now you can combine public keys to form a new public key Q0=Q1+Q1' (from Q1 prime another user's input)
13:09 < adam3us> to prove authority to sign you must show a merkle path from a public key to the root, and sign it, the depth of the path and the number of leaves you can control proves the amount you are spending
13:10 < adam3us> maybe a block can add all the public keys in it, and then all transactions in it are implicitly mixed
13:11 < adam3us> maybe even all utxo public keys can be implicitly mixed analogously
14:22 < maaku> adam3us: isn't that similar to how lamport signatures work?
14:22 < adam3us> yes kind of but with hashes
14:23 < maaku> adam3us: the problem is bitcoin doesn't use ecdsa sigs, it uses scripts (which have, among other things, ecdsa opcodes)
14:46 < adam3us> maaku: yes it's a bit of a blue sky thought
14:47 < adam3us> maaku: wondering if bitcoin used a key per unit like zerocoin, what you could do, it seems that if there is a unique key per unit, there is less meaning to the linking - it's meaningless to the network
14:47 < adam3us> maaku: so then i was wondering can you combine lots of keys efficiently into a signature
14:49 < adam3us> maaku: where the verifier can't tell which input signature to the whole block (or even whole utxo) it came from
14:52 < adam3us> seems to me like you need 1 thread per hyperthread
14:52 < adam3us> eg 4 core i7, then 8 threads
14:53 < adam3us> wow m512 is quite a bit faster
14:54 < adam3us> sorry wrong window on the cores and threads
14:56 < gmaxwell> maaku: yea, I've wagged my finger at adam3us with ugly optimizations that layer violate and special case for specific cryptosystems. but man, they can be very attractive.
14:56 < petertodd> adam3us: some of my blue-sky blockchain proposals work well with single-sized coin values too
14:57 < gmaxwell> careful that you don't dance back into the space of academic cryptography that isn't actually practically useful due to limits like that. :)
14:57 < petertodd> gmaxwell: heh, well, if such a limit enables something else, the tradeoff may be worth it...
14:58 < adam3us> petertodd: my thought experiment started hmm maybe zerocoin is silly - it's one coin size, if bitcoin had that there would be no change and no meaningful linkage from the network analysis perspective either
14:58 < petertodd> adam3us: yup, it's a good idea - basically what you are doing is making it more bandwidth efficient
14:58 < adam3us> petertodd, gmaxwell: and that seems to be true no? the only person who knows which coin set is linked is the sender & recipient, other than like timing of sending them
14:59 < petertodd> adam3us: thing is, so maybe the trade-off is less bandwidth efficient per tx, but more scalable, in which case the single-sized coin values actually have a very attractive side-effect I hadn't thought of
14:59 < adam3us> petertodd: yes so then i thought ok so going the other way can you represent a big batch of sigs extremely compactly
14:59 < gmaxwell> adam3us: it's correct. if there is no splitting, merging, or address reuse, bitcoin is an anonymous currency up to timing analysis.
15:00 < adam3us> gmaxwell: that would actually meet my idealized definition almost: that only the sender & recipient could link (via subpoena etc)
15:00 < gmaxwell> and even timing analysis is .. meh, it's not like the time someone sends to you implies you are online.
15:00 < adam3us> gmaxwell: community policing
15:00 < adam3us> gmaxwell: exactly - "good enough"
15:00 < adam3us> gmaxwell: if you're not in a hurry spray them out a bit
15:01 < gmaxwell> News at 11: Mixmaster has a purpose again!
15:01 < petertodd> heh
15:01 < gmaxwell> adam3us: but yea, this isn't lost on me, but ISTM I'd never convince anyone of it.
15:01 < gmaxwell> Even the coinjoin stuff I was yabbering about that forever but couldn't get anyone to talk about it until I had a _name_ for it (thanks Peter)
15:02 < petertodd> it's too bad we don't have a "numerical addition" signature type, so you could just make multiple SIGHASH_ANYONECANPAY | SIGHASH_ADDITIVE txin signatures and gradually combine them e.g. for donations
15:02 < adam3us> gmaxwell: bah - let the people who understand jgarzik triangle deal with that
15:02 < petertodd> gmaxwell: heh, and they never thought I'd do anything useful with that art degree...
15:02 < sipa> ISTM?
15:02 < gmaxwell> it seems to me
15:02 < adam3us> petertodd: yes the schnorr sig and it turns out Bernstein's EdDSA *is* ec schnorr (thanks gmaxwell for pushing me to read it)
15:03 < adam3us> petertodd: schnorr you can add sigs and keys
15:03 < petertodd> adam3us: right, I was actually thinking of something a lot simpler!
15:05 < gmaxwell> petertodd: did you see my lament about multisig and anonymity groups?
15:05 < petertodd> gmaxwell: nope
15:05 < gmaxwell> petertodd: if we used schnorr then 2 of 2 multisig txn would be indistinguishable from regular transactions.
15:05 < adam3us> gmaxwell: re layering violations - when you're out of luck, bend the rules :) we can patch it up best we can afterwards
15:05 < petertodd> gmaxwell: ah, yeah that'd be a good thing...
15:05 < gmaxwell> so the anonymity set for protocols based on them (e.g. coinswaps) would be basically all txn.
15:06 < gmaxwell> adam3us: well, of course, things snapping together nicely is sometimes a sign that you understand the problem space...
15:06 < petertodd> gmaxwell: the one good thing about multisig is that at least it's conceivable that what gets actually used will be a relatively small set of versions of it, 2-of-2's, 2-of-3's etc.
15:06 < adam3us> gmaxwell: i love elegance, and bitcoin has a huge amount of it
15:07 < gmaxwell> petertodd: sure sure, still, kinda sad that they're distinguishable.
15:07 < adam3us> petertodd: see also there's a leakage with multisig it tells you how many sigs there are and if it's k of n or n of n, with schnorr you have no idea
15:07 < adam3us> petertodd: and it takes the space of 1 sig also
15:07 < petertodd> adam3us: yup, like a fine hyper-optimized sports car - though I feel bad for the mechanic trying to change the oil filter...
15:08 < gmaxwell> in any case, I only brought it up because while the size and flexibility advantages were old news to me, I hadn't considered the privacy impact.
15:08 < adam3us> petertodd: it also has simple efficient blind sigs
15:08 < TD> good evening
15:09 < adam3us> petertodd: blind sig with EC DSA is not efficiently possible afaik, even with DSA blind sig is horrendous (damgard jurik homomorphic addition in n^5)
15:10 < petertodd> adam3us: I'll pretend I understood what you said :P
15:10 < petertodd> adam3us: by n^5 you mean O(n^5)?
15:10 < adam3us> TD: 'evening we're musing about blue-sky crypto, and lastly about the wonderful things you could do with schnorr (instead of dsa) and it turns out which i didn't realize that djb's EdDSA actually is schnorr
15:11 < TD> i haven't looked at EdDSA
15:11 < TD> it's not the same as ed25519?
15:11 < adam3us> petertodd: no i mean the calculations need to be done in a group of size n^5 where n is like a 3072 bit RSA key so like 15360 bit ops
15:11 < adam3us> TD: yes it is
15:11 < petertodd> adam3us: ah, so it's a size issue?
15:12 < adam3us> TD: i mean i always assumed without reading the paper, that it was a diff curve for DSA, but it's actually a tweaked version of EC schnorr sigs which is cool
15:12 < TD> oh
15:12 < TD> interesting
15:12 < TD> yeah i thought that too
15:12 < TD> although they're quite similar aren't they
15:12 < adam3us> petertodd: the intermediate results between the two users, the final result is a normal dsa sig
15:13 < TD> re-reading the schnorr wiki page, it's still based on discrete log and a group of prime order
15:13 < adam3us> TD: yes very, i think dsa wouldn't have existed if not for schnorr's patent (expired 2008)
15:13 < petertodd> adam3us: ah ok, so final sig size is reasonable, but the intermediate state isn't?
15:13 < adam3us> TD: but schnorr has many flexibility, security, and size advantages
15:13 < TD> sigh. patents.
15:13 < TD> is there anything they can't screw up
15:13 < adam3us> petertodd: yes, the intermediate uses a ton of experimental rade stuff
15:13 < TD> looks like to understand schnorr i will have to learn more maths first
15:13 < adam3us> petertodd: and probably moderately cpu heavy too
15:14 < petertodd> adam3us: right - I was gonna say I think I've got a possible solution to the "data hiding" problem in my txin commitments scheme
15:14 < adam3us> TD: if you understand DSA you'll get it... just djb papers are hard to decipher look at https://en.wikipedia.org/wiki/Schnorr_signature
15:15 < petertodd> adam3us: again, trade-off bandwidth for scalability
15:15 < TD> yeah i'm reading that but i need to [re] learn the definitions of things like "set of congruence classes modulo q"
15:15 < adam3us> TD: basically the only diff is you don't need to invert k
15:15 < TD> this rings bells from a-level maths but i forgot it
15:16 < TD> ed25519 is definitely on my hard-fork wishlist
15:16 < TD> the performance improvement is immense
15:18 < petertodd> adam3us: basically, remember how I was talking about "sharding" the txin space in the scheme with a binary tree? you could make the mining protocol be such that there's a way to force a lower part of the tree to either be revealed, or that part of the chain would backtrack. *If* the data is actually available, the chain shouldn't backtrack, so it's still secure. If on the other hand the data isn't, well, that was the txout owner's ...
15:18 < petertodd> ... responsibility so tough luck. :)
15:18 < petertodd> adam3us: Not exactly a fully-fleshed out idea, but the approach could work.
02:22 < gmaxwell> but I don't think an obvious greedy algorithm exists.
02:23 < andytoshi> so, for the joiner's calculation, it needs to know if certain inputs are obviously linked
02:23 < andytoshi> and "obviously linked" does not sound well-defined to me
02:24 < andytoshi> would it suffice to assume the inputs are independent, and just look at the entropy of the mixer's input-to-output mapping
02:24 < andytoshi> ?
02:25 < andytoshi> that's nice because it's context-independent -- you give me any rawtx and i can compute that without even a network
02:26 < gmaxwell> andytoshi: you can assume the inputs are independent after doing the trivial preprocessing to merge ones with duplicate scriptpubkeys.
02:27 < gmaxwell> if that raw tx is signed you can still do it by looking at the scriptsigs ... most of the time.
02:28 < gmaxwell> andytoshi: the other weird thing is that this 'plausible' metric is kinda odd in that any funnybusiness at all results in a misestimation of 0 entropy.
02:29 < gmaxwell> which actually suggests that it's worth thinking about how we can enable that kind of funny business because just like the argument for CJ existing if the funny business exists with enough frequency, an attacker is forced to assume any txn might involve funny business.
02:29 < andytoshi> can you give an example of this?
02:30 < gmaxwell> andytoshi: yea, sure, say you and I do a coinjoin. But I actually happened to owe you money, and so the real mapping isn't a 'plausible' one because it transfers some of my coin to you.
02:30 < andytoshi> oh, i get what you mean
02:31 < gmaxwell> concretely e.g. you put in 1 and I put in 5, and then you get out 2 and I get out 4.  all that we've discussed above would decide the maximal users there was 1.
02:31 < andytoshi> right, that's great, and it's not at all hard to do now .. if you owe me money, i'd say "let's get in on the next join session"
02:31 < andytoshi> (and with me personally you could even use the donation output
02:32 < andytoshi> )
02:32 < gmaxwell> yea, even outside of the context of a specific coinjoin:  you can do this generally for payments as a way to consolidate change. E.g. if I want you to pay me, I could give you some extra inputs to include.. then you sign and give me the half signed txn.
02:32 < andytoshi> ah, that would require better tool support
02:32 < gmaxwell> Yea, but it could just be an addon in the payment protocol pretty easily.
02:33 < gmaxwell> "Add these extra inputs to the transaction and pay them to me, thanks"
02:34 < gmaxwell> the interesting question is that once you've relaxed the definition of 'plausible' to include the possibility of payments.. I think _any_ mapping is possible.
02:34 < gmaxwell> and the entropy of the coinjoin is basically log2(inputs*outputs)
02:35 < andytoshi> yeah, i think that's correct, which is pretty cool
02:35 < gmaxwell> as there is an auxiliary table of users paying other users.
02:35 < andytoshi> now, perhaps nsa with its psychologists can get information out that we can't
02:35 < gmaxwell> but the problem is that if no one ever does this then it doesn't matter. An attacker isn't really constrained to consider corner cases.
02:35 < andytoshi> but that's probably not a threat model we can do anything about
02:35 < andytoshi> right, exactly
02:36 < andytoshi> for now our definition of 'plausible' is good, so let's work with that
02:36 < gmaxwell> oh sure, not all payments are equally likely. For example, I can say that as a prior that auxiliary payment table is probably _sparse_ e.g. that it has a low l_0 norm.
02:36 < gmaxwell> and that non-sparse payment tables are very much less likely than sparse ones.
02:36 < gmaxwell> even in a world where people use this frequently.
02:37 < andytoshi> that seems plausible, though it's hard to say in the presence of fees
02:37 < andytoshi> maybe people only want to do transactions if they need to do transactions
02:37 < gmaxwell> well, it's just unlikely that you could find N people who all want to pay a bit to each other, for N>2 :P
02:38 < andytoshi> oh, yeah :P
02:38 < gmaxwell> cut-throughs also add some interesting analysis wrinkles, again if they actually existed.
02:39 < andytoshi> now, here's a silly question: our definition of coinjoin entropy as "entropy of the mixer's knowledge" .. is it monotonic?
02:39 < andytoshi> monotonic wrt the number of transactions
02:39 < gmaxwell> you mean the number of contributors to a mix?
02:39 < andytoshi> so if my joiner says "there's a 10-bit transaction in here", can somebody put in a transaction which reduces the entropy?
02:39 < gmaxwell> No, it must go up.
02:39 < andytoshi> yeah
02:39 < gmaxwell> (or stay the same)
02:39 < andytoshi> is that obvious?
02:41 < gmaxwell> I think so, otherwise I could just grab a random unrelated txn, add it to a transaction I was analyzing "assume this was joined in" and magically know more about the original transaction. :P
02:41 < andytoshi> i like that argument :)
02:42 < gmaxwell> The understanding that it was monotonic is why I've favored including poorly mixing transactions too, if that's all that's available.
02:43 < gmaxwell> likewise it would be useful to join coinjoins. e.g. if you had a 1 BTC mix and a 0.5 btc mix going on, might as well make the final txn contain both of them.  Maybe you'll get lucky and some change will be ambiguous.
02:43 < gmaxwell> And if the attacker is forced to the N^2 model (where people are paying people) then the entropy increases enormously.
02:44 < andytoshi> cool, this all sounds good
02:45 < andytoshi> i'll spend some time trying to compute this entropy
02:45 < andytoshi> maybe i can compute the entropy of output values, and say "the highest-entropy output is XXX" rather than "the most popular output is XXX"
02:46 < andytoshi> i'm not sure if there's a good way to define such a thing..
02:46 < gmaxwell> hm. I wonder what the entropy impact is if you limit the aux matrix to a maximum column L_0 norm of 2. uhh. like "You can pay yourself and at most one other party", or further "optionally yourself and optionally one other party, and if you are paying that other party, that other party pays no one else"
02:46 < andytoshi> it'd be awesome if i could make the transaction entropy be the sum of the output values' entropy
02:47 < andytoshi> my guess is, it'd reduce the attacker's search space from N^2 to 2N
02:47 < andytoshi> or somethin
02:47 < andytoshi> something drastic*
02:48 < gmaxwell> e.g. a realistic use of the non-admissible coinjoins is one where at most half the participants are each paying up to one additional other participant (who isn't paying anyone but themselves)
02:49 < gmaxwell> I guess one interesting thing when you allow payments is, in fact, that you add up to 'outputs' worth of 'shadow' inputs that provide 0 in.
02:49 < andytoshi> yeah, my guess is that this would be the most common case, after admissible coinjoins, by -far-
02:50 < gmaxwell> well it generalizes all transactions too..  e.g. a regular payment to you with change fits this model now.
02:50 < andytoshi> oh yeah
02:52 < gmaxwell> in any case, a whole bunch of neat papers could come out of this, but I think so long as coinjoins are more academic than reality any attacker will just go "lets assume that never happens and we'll sort it out if we do ever find a case where it did"
02:52 < andytoshi> agreed, for now i will compute the entropy assuming no funny business
02:53 < andytoshi> link to a short document explaining the calculation and how to do funny business which makes the tx safer than claimed
02:57 < gmaxwell> BlueMatt: will the pulltester still run if I close a pull?
03:10 < BlueMatt> gmaxwell: no
03:12 < gmaxwell> BlueMatt: seeing things like this pass is always not a happy moment: https://github.com/bitcoin/bitcoin/pull/3469
03:12 < gmaxwell> but as expected since regtest overrides.
03:13 < gmaxwell> but ... reasons I don't love regtest being a separate mode
03:15 < BlueMatt> true, though pull-tester is designed to test subtle bugs, not head-smacking bugs
03:16 < BlueMatt> it fails at both, but still
03:18 < gmaxwell> Ideally we should be able to test pulltester by inserting head-smacking bugs though, and making sure that every possible headsmacking bug we can think to insert fails... (The reason being that headsmacking bugs are easy to insert and be sure that they're actually bugs and not equally okay changes)
03:18 < BlueMatt> agreed
03:18 < BlueMatt> feel free to code it :p
03:37 < sipa> dang: http://bitcoin.stackexchange.com/questions/19455/searching-for-the-comprehensive-guide-to-creating-crypto-currency
03:39 < warren> sipa: we need someone to actually write the clonecoin generator that we all threatened to write.
03:39 < sipa> yeah
03:39 < warren> option: Set exchange bribe amount [minimum 100 BTC]
03:40 < warren> checkboxes for various bad ideas
03:49 < warren> sipa: would others fund this? I can get one of my students to do this.
03:49 < warren> I can throw in some money.
03:50 < gmaxwell> heck, if done right (costs a small bitcoin payment to make it build) it can be revenue producing.
03:50 < warren> hahah
03:51 < warren> don't release source for the generator.  make it a web app that outputs everything.
03:51 < gmaxwell> oh absolutely.
03:51 < gmaxwell> heck, you could even charge more to get source out with your binaries (take care not to violate the LGPL, it needs to be relinkable) :P
03:52 < warren> checkbox: "Steal sunnyking's proprietary source for centralized broadcast checkpoints. Will he sue?"
03:52 < warren> haha
03:54 < gmaxwell> [ ] set your own alert key [....]  {+.1 BTC}
03:56 < midnightmagic> lol
03:56 < midnightmagic> that would be so much win
03:56 < midnightmagic> + seednode code generator
03:56 < gmaxwell> yea, it needs to also provide a standalone miner and pool setup. which is kinda a pita.
03:57 < gmaxwell> the miner isn't so bad so long as it uses sha256 / scrypt / primecoin   but the pool setup is more of a pain.
16:18 < gmaxwell> let y = x as uint works in rust.  I'm not sure why you would do let y: uint = x as uint; .. but I don't know that much about rust and haven't written anything other than total toys in it.
16:19 < HM> well i pulled the example from the tutorial on the rust-lang.org site
16:19 < gmaxwell> HM: it's very likely that each of these things has a reason that someone considers good... or if you really believe they don't then hell: post to the list! they are still _actively_ changing the syntax in a way that breaks code. And if crap like that is actual oversight then they would fix it.
16:20 < HM> Nah
16:21 < HM> It's too established to change now
16:21 < HM> that's the style they've chosen
16:21 < gmaxwell> If nothing else they should write a FWTFS that explains these things that apparently offend some on first blush.
16:21 < HM> I'm not talking about quirks, i dislike the overall style
16:23 < gmaxwell> well, many of the things you've complained about here are outright quirks, and I know some are well justified, e.g. the function syntax prevents type ambiguity and the AA BB(CC) problem.
16:24 < HM> ok
16:24 < HM> riddle me this
16:25 < HM> if the Rust function declaration syntax looks a lot like a C++11 lambda
16:25 < HM> why does the Rust closure syntax look completely different?
16:26 < HM> I guess because "fn" is an abbreviation for "function name"
16:26 < HM> seems more like a hint to the compiler than to make it more readable for the programmer
16:27 < HM> let square = |x: int| -> uint { x * x as uint };
16:27 < HM> i would probably expect this to be
16:28 < HM> they use the ||'s for the for each syntax
16:28 < HM> it's just weird
16:29  * HM goes to watch GoT
16:33 < HM> apologies for flooding :S
--- Log closed Tue Apr 09 00:00:18 2013
--- Log opened Tue Apr 09 00:00:18 2013
--- Log opened Tue Apr 09 03:13:39 2013
08:28 < HM> Just gone through a paper gmaxwell posted on bitcointalk
08:29 < HM> double blinded ECC signatures - 2010 paper by some folks at Tunghai University
08:29 < HM> i'm glad to say I followed all the algebra
08:30 < HM> it's very cool
08:33 < HM> one of the few papers i read where too much algebraic detail made it harder to follow. kept expanding terms instead of grouping them :S
09:12 < HM> hmm
09:12 < HM> this scheme doesn't prevent collusion between requester and signer
09:20 < HM> also if the signer ever sees a copy of the message it can use its database to discover who requested the signature
09:30 < HM> unless I'm mistaken Chaum's "BLIND SIGNATURES FOR UNTRACEABLE PAYMENTS" proposal doesn't protect you against collusion between payer and signer either
09:31 < HM> "Wei Dai" has a proposal that prevents collusion, but a third party can't verify tokens
09:31 < HM> I haven't seen a scheme that prevents both collusion and allows 3rd party verification
10:26 < gmaxwell> HM: for some protocols you can just have ALL of the participants blind sign.
10:26 < gmaxwell> e.g. for a vote.
10:29 < HM> i'm obviously thinking about digital cash
10:30 < HM> the simplest scheme i've seen has the issuer multiply a random point on a curve by their private key, for a fee. That's easy to blind but a payee can't verify the 'signature' (not really a signature) is legit
10:32 < HM> the 2010 paper you linked to on bitcointalk from Tunghai uni allows that but the signer can never be allowed to see the message again or they can figure out who asked for it to be signed.. and of course to verify the signature you need the message (or a hash of it)
10:33 < HM> so the question, how do you create a signature a 3rd party can verify but you can be sure hasn't been watermarked?
22:03 < warren> jgarzik: gmaxwell: Litecoin-0.8 might easily cut down its UTXO set from the week of spam in November 2011 because the attacker used the same addresses repeatedly.  Just declare all those addresses unspendable.
22:04 < warren> (yes, there is no similar simple solution for bitcoin)
22:09 < gmaxwell> warren: uh didn't the litecoin attacker send 1e-8 litecoin to like every litecoin address?
22:13 < warren> gmaxwell: perhaps in a different part of the attack, I will find out.  I will scan it thoroughly to make sure declared unspendable UTXO are the right ones.  there appear to be a great many that are concentrated in a small number of addresses now.
22:15 < gmaxwell> warren: if you're going to do that in litecoin, why not add utxo aging?
22:15 < warren> gmaxwell: is that written anywhere?
22:15 < amiller> add a utxo rental price
22:15 < amiller> when the parking meter runs out of time, kick out the utxo
22:16 < warren> amiller: more like a purchase price, which I've been suggesting for weeks now.
22:16 < warren> oh ... time limit, I like it.
22:16 < gmaxwell> warren: meh, it's not a purchase price if you can't redeem it.
22:16 < amiller> rental vs purchase
22:16 < warren> I see, rental.
22:16 < amiller> also like a parking meter, you (anyone) can put more coins in
22:16 < amiller> to keep it around longer
22:16 < warren> by spending it
22:16 < amiller> you can have a bitcoin parking meter fairy
22:16 < amiller> that fixes other peoples coins that are about to expire
22:16 < warren> uh
22:17 < gmaxwell> amiller is on the moon right now, leave a message after the beep
22:17 < amiller> just follow your nose starting at 'rental price' and you'll get mostly good ideas.
22:18 < warren> Everyone has to reindex with 0.8.x anyway.  a tiny proportion of those users will have 1e-8 disappear
22:19 < gmaxwell> warren: and then one of those gets spent and the network forks forever.
22:19 < warren> gmaxwell: the network is hardforking anyway
22:19 < gmaxwell> For what?
22:19 < gmaxwell> warren: in any case, it's stupid to solve it one time,
22:19 < warren> (mainly because they don't understand that an immediate fork isn't needed)
22:19 < amiller> people hate the idea of their bitcoins getting forgotten, or getting 'inflated' by demurrage but they'll come around to the idea of safety deposit boxes - those are reasonable
22:20 < gmaxwell> And the, as I illuded to in #bitcoin people involved in the project will have a weaker position when some authority _orders_ them to edit the utxo set in the future.
22:20 < gmaxwell> alluded*
22:21 < warren> It's an agnostic UTXO change.  If txo < tiny number, just declare it gone.
22:22 < gmaxwell> warren: so generalize that and say a UTXO lives for 51840*ceil(log10(value)) blocks or something like that.
22:22 < warren> rather: If txo < tiny number prior to block X, just declare it gone.  When <mumble>coin is worth $10 million dollars each in the future it will be usable again.
22:23 < gmaxwell> uh. then all nodes still have to retain the data forever
22:23 < warren> at least it won't be in the UTXO set?
22:25 < amiller> how about when the 'value' changes, then previous utxos are credited proportionally for their time
22:26 < warren> gmaxwell: This might not be needed anyway, literally all of the litecoin spam is in a week during November 2011.  I suspect the simplest and least risky plan is just to figure out which addresses concentrate the most spam UTXO and just eject that.
22:26 < warren> (scanning to be damn sure it affects nobody else)
22:27 < gmaxwell> warren: so you do that and then shortly there after someone just floods you again.
22:28 < warren> gmaxwell: they're welcome to pay the ridiculously high fees
22:28 < gmaxwell> Hell, it would be worth doing that just to make you feel stupid. :P
22:28 < warren> litecoin has two fees, a regular high fee, and an added fee for dust values
22:30  * warren still doesn't have <any>coins.  This is just interesting to think about.
23:03 < gmaxwell> So P2SH^2 am I awesome or what? Best idea I've had all month.
23:14 < BlueMatt> is it really worth implementing though?
23:17 < gmaxwell> I .. think! so.
--- Log closed Wed Apr 10 00:00:06 2013
--- Log opened Wed Apr 10 00:00:06 2013
02:14 < warren> gmaxwell: the super high fees are not an adequate deterrent?  (genuinely confused)
08:28 < HM> Bitcoins Law: when hashing doesn't solve your technical problem, you're not hashing hard enough
13:38 < warren> HM: I'm running the hamster wheel as hard as I can.
14:17 < HM> warren: ?
14:17 < warren> <HM> [02:28:38] Bitcoins Law: when hashing doesn't solve your technical problem, you're not hashing hard enough
14:18 < HM> oh right
14:38 < warren> gmaxwell: how do I obtain voice in -otc?
14:38 < gmaxwell> warren: ask gribble to voice you
14:39 < warren> <gribble> Error: You don't have the #bitcoin-otc,voice capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:41 < gmaxwell> be sure that you are identified
14:42 < warren> I did
14:42 < warren> ;;everify right?
14:42 < gmaxwell> Yes.
14:42 < warren> yes, verified
14:43 < warren> assuming ";;voice #bitcoin-otc warren" is the right command
14:44 < gmaxwell> no, ;;voiceme
14:44 < gmaxwell> IIRC
14:44 < gmaxwell> voice is to voice other people.
14:45 < warren> ah, thanks
16:53 < warren> during the panic "/mode +q $~a" was quite useful.
16:54 < warren> Mute everyone who isn't logged into nickserv.
17:55 < gmaxwell> well any method that stops people from talking lowers volume...
17:57 < gmaxwell> Though I boggle that people who'd been in the channel for an hour were still "SELL SELL SELL" as I was kicking people at a rate of about 0.5-1 per _second_ for doing that crap, I really do wonder if some of these people aren't bots.
18:05 < warren> One guy in the channel was encouraging people to change to a safer currency like Terracoin.
18:06  * warren facepalm
18:12 < gmaxwell> I am hans and this is frans and we are here to PUMP YOU UP.
23:28 < jrmithdobbs> does anyone have any idea how to get a CVE reserved for something not in debian or redhat?
23:28 < jrmithdobbs> I emailed cve-assign@mitre.org this morning but no response
23:34 < warren> jrmithdobbs: it isn't in Fedora either?
23:34 < jrmithdobbs> nope
17:10 < adam3us> gavinandresen: "but my lesson learned was "don't mine"" yeah i wasnt expecting to get much more than recoup cost out of it, but i for one missed the GPU mining fun era completely - despite receiving email from satoshi in sep 2008 and feb 2009 saying go check out the client, so this is my variant of that
17:11 < gmaxwell> Mining has done well for me. ::shrugs::
17:12 < gavinandresen> adam3us: if it is any consolation, I did the math in 2010 and found it was less expensive to buy bitcoins than mine on my CPU.
17:12 < sipa> i think i profited moderately from both gpu and asics
17:13 < sipa> though never large scale
17:13 < sipa> and now i've stopped
17:13 < gmaxwell> wuss. :P
17:14 < adam3us> yes so its just an amusing thing to try, mining, and if i slightly help decentralization so its fine to just leave it on at elec break even
17:15 < gmaxwell> even at break even, it's a nice highly anonymous way to buy coins from the power company, assuming you have the hardware. :P
17:16 < adam3us> gmaxwell: well in fact i was thinking you might earn enough to pay fees on hidden (aka committed) tx which are perfectly unlinkable ;)
17:16 < gmaxwell> though it's still nowhere near break even now..  at current diff and $350 exchange your power would have to cost $1.1578/kwh to make avalons merely break even for power costs.
17:17 < phantomcircuit> gmaxwell, assuming what daily increase in network hash rate?
17:17 < adam3us> gmaxwell: that was partly why i was thinking it'd be interesting to have lower gpu self-mine without pools ie some kind of part-block payout
17:17 < gmaxwell> phantomcircuit: thats _right now_. I mean, I can turn them off in under a minute...
17:17 < phantomcircuit> gmaxwell, right
17:18 < phantomcircuit> you're already made capital costs right?
17:18 < gmaxwell> phantomcircuit: yea, they paid back their initial price in usd on the third day, and the initial price in bitcoin in about 2 weeks.
17:19 < phantomcircuit> gmaxwell, yeah people buying now are going to have a much harder time doing that
17:19 < phantomcircuit> even if you can get delivery tomorrow
17:19 < gmaxwell> indeed, people ask me if they should buy mining hardware and I dunno, the future is hard to predict.
17:19 < gmaxwell> There are optimistic predictions which are nuts, and pessimistic predictions which are slightly less nuts but still nuts. The truth, who knows?
17:20 < MC1984> youd have had to have junked them by now if the price didnt keep skyrocketing
17:20 < adam3us> right - i guess if its cheaper to buy coins just buy coins however
17:20 < phantomcircuit> yeah i mean the knc boxes are entirely sold out i think for months
17:20 < gmaxwell> MC1984: they'd still be profitable over power costs at $100/btc, though not very much.
17:21 < adam3us> so i wonder - if the supply problems with asics do finally get resolved
17:21 < adam3us> difficulty will spike, and profitability will sink to electricity cost
17:21 < gmaxwell> adam3us: I dunno miners are different now than in the past, in the gpu days when my (at 6.5cts/kwh power) operation was 2:1 return on power cost hashrate was dropping.
17:21 < MC1984> gmaxwell, i think that just goes to show how ridiculously stinking profitable they were at the beginning
17:22 < adam3us> wonder if that will cause miners to switch off, or bitcoin exchange rate to go up
17:22 < gmaxwell> MC1984: there was a guy who had a chart showing how much money a batch 1 avalon has made, I'm glad he's taken it down.
17:22 < adam3us> (switch off and stop buying more)
17:23 < gmaxwell> adam3us: well, I'm planning on moving my avalons someplace where the power is cheaper.
17:23 < adam3us> see there are two parameters to network hash rate: speed/energy efficiency per unit, and availability of units, seems like the asic so far have improved the speed a lot, but the availability is thin
17:24 < gmaxwell> adam3us: availability has always been ~0 when the profitability has been high.
17:25 < MC1984> gonna put your boxes into hosting?
17:25 < adam3us> gmaxwell: in theory more availability is good for decentralization (now the litecoin argument) and the counter-argument was sha256 is easy lots of people will make them
17:26 < adam3us> gmaxwell: not happening that well so far, though i live in hope
17:26 < gmaxwell> it has been happening, but the demand is pretty awesome when the devices are spitting out a ton of coin...
17:26 < MC1984> havent heard a peep out of asicminer for ages though
17:26 < MC1984> i bet they are hiding their power level
17:30 < gmaxwell> if they're not crazy they've sold their first gen hardware to other suckers^wpeople by now... but who knows.
17:30 < gmaxwell> That whole model was really crappy. I mean, good for them at suckering people to finance them but .. ::shrugs::
17:30 < MC1984> the pie charts says 1%
17:30 < MC1984> and a nice chunk of unknown too
17:31 < MC1984> im actually more pleased that p2pool is holding at 1%
17:31 < MC1984> its not quite oblivion
17:32 < gmaxwell> p2pool is pretty much where its always been. it sagged a bit when the avalons didn't initially work on it..
17:32 < maaku> MC1984: as long as its not decreasing
17:33 < MC1984> i wonder if that more or less represents a percentage of people who give a shit about mining consolidation
17:33 < MC1984> whats the ratio for altruists to stop a system turning to poop?
17:33 < gmaxwell> MC1984: or more like some mixture of that and paranoid about pool op theft,  and who are willing to go through the trouble.
17:34 < MC1984> hm yeah
17:34 < MC1984> its not too much trouble though. i set up a p2pool node once
17:34 < MC1984> i just didnt have anything to mine against it
17:35 < adam3us> why doesnt everyone p2pool?
17:36 < gmaxwell> Some number of people are convinced that all the pool operators are thieves... e.g. cypherdoc on the forums.  He claims to solo-mine, though based on his comments I would be a little surprised if it were true.
17:36 < gmaxwell> so you don't have to care about decentralization to prefer to not use the centralized pools.
17:36 < MC1984> they could be thieves
17:36 < gmaxwell> they could be, in fact I'm sure some have been.
17:36 < gmaxwell> but you can't tell.
17:37 < MC1984> why so much trust around still
17:37 < maaku> adam3us: it's a hog, you can lose more than the average pool fee on a high-latency connection, variance is super-high, etc.
17:37 < adam3us> help centralization, spread rumors about miners
17:37 < MC1984> some pool ops have been straight guys though
17:37 < adam3us> decentralization i meant
17:37 < midnightmagic> maaku: Mm..  that's not quite true.
17:38 < gmaxwell> For some definition of high, though you also lose pool income on high latency connections too.
17:38 < gmaxwell> though p2pool somewhat more.
17:38 < midnightmagic> adam3us: The statistics as shown make it easier to infer that p2pool is *wasting* mining effort up to 16% or so.
17:38 < gmaxwell> Which isn't the case, but that doesn't stop people from claiming it.
17:38 < maaku> midnightmagic: it's my experience running a p2pool node.. although I haven't synced with forestv's sources in some months
17:39 < gmaxwell> maaku: the time between shares was upped to 30 seconds, which greatly reduced the latency dependence. its still higher, but this isn't entirely bad.
17:39 < maaku> it was much worse under 10s shares (it's now 30s right?)
17:39 < maaku> yeah
17:39 < midnightmagic> adam3us: It requires local knowledge and setup and maintenance of a bitcoind, and a p2pool instance running on either the same machine or another one. I suspect it's mostly just misunderstandings that people don't want to clear up, and the fact that it's got a 15-hour block turnaround time.
17:40 < midnightmagic> there was a spike a few times where the orphan rate just shot right up like crazy with a huge influx of hashrate. I don't know what was going on there. It looked as though someone was trying to mine with something big and gave up on it.
17:40 < amiller> i've been thinking about mining and asics and for the moment, equipment costs totally dominate power costs
17:40 < adam3us> as i recall i tried it once and it was like really nothing, just p2pool instead of eligius
17:40 < gmaxwell> P2Pool has roughly 1/10th the orphaning rate of eligius, for example. ... why? beyond the relaying advantages, ... it makes miners fix their latency (or drives away slow miners)
17:41 < adam3us> and my reaction was woah why doesnt everyone do that!
17:41 < amiller> but we alos aren't at the full curve of the chip development cycle, the 65nm chips are coming out now, but once we get to like 20 or whatever intel does, it totally levels off and then there's going to be hardly anymore improvement in hashes per second per dollar-spent-on-chips
17:42 < gmaxwell> adam3us: if you're already running bitcoin-qt / bitcoind  and have a reasonable host.. it's easy.  Otherwise, its actually a lot of work.  People show up in #p2pool  "halp on my atom with drum memory I get 60% efficiency!"
17:42 < maaku> lol drum memory
17:42 < gmaxwell> amiller: well, KNC is 28nm but its using structured asic.
17:42 < MC1984> structured?
17:42 < sipa> aka glorified fpga
17:43 < amiller> structured cell arrays are sort of gateway asic, much cheaper than fpga, but still sort of general purpose and less efficient than standard cell array
17:43 < gmaxwell> yea, it's in between a hardcopy fpga and a real asic.
17:43 < MC1984> whats the point of that
17:43 < gmaxwell> lower upfront costs, potentially faster time to market.
17:43 < gmaxwell> The downside is higher marginal costs (per hashrate ... but this is actually really low in any case) and higher power consumption.
17:44 < MC1984> i suppose right now the time to market thing makes it worth it
17:45 < MC1984> whats that nifty stat about how long it would take current hashrate to recreate the whole chain
17:45 < MC1984> i bet its down to like a week now
13:30 < petertodd> sipa: like, imagine if the payment protocol is widely deployed, and merchants use out-of-band payments extensively to get their zero-fee payments from their customers mined: p2pool wouldn't be able to earn fees at all
13:31 < adam3us> petertodd, sipa: i was noticing when playing with committed transactions, that you dont need to send the values, nor recipients to the miners; only a commitment to them (hash) and a commitment to the senders address
13:31 < petertodd> sipa: I've got what appears to be a pretty good way to do decentralized out-of-band payments though, but it's way more complex than the centralized way :(
13:31 < amiller> jgarzik, uh, well i'm not exactly sure i understand what you mean by oracles / agents there
13:32 < amiller> jgarzik, i guess you just mean semi-trusted parties that aren't the end-users who the protocol actually benefits, but like a server with limited capabilities
13:32 < adam3us> petertodd, sipa: reduces attacks if the miners know as little as possible about what is going on
13:32 < jgarzik> amiller, pretty much
13:34 < amiller> i still feel like calling them autonomous agents or oracles is misleading language that deliberately conveys some kind of additional trustworthiness that isn't warranted
13:34 < amiller> </monthlyscheduledrant>
13:34 < petertodd> adam3us: ooh, reminds me re: committed txs: I've got an idea where you'd make transactions have commitments of previous ones with a merkle-mountain-range-like scheme so you could efficiently reference any previous transaction up to the genesis block. This is easiest to understand if transactions can only have linear history, but a dag history is doable too. Anyway, wallet software would receive that history to know the coins are valid, thus pushing validation directly to the users. Obviously some way of pruning that history is important, SCIP is heavy-weight and complex but could work.
13:35 < sipa> thus pushing v[...]
13:35 < petertodd> adam3us: yes, but nothing other than inertia prevents miners from demanding that users reveal enough info to let them know what transactions actually are; again, it's easy to imagine governments regulating mining pools and forcing them to do this.
13:37 < petertodd> adam3us: you really need to keep it possible to mine by small parties to keep that balance towards decentralization - helps the larger pools resist regulation too if they can point out that the smaller miners that can't easily be regulated will just out-compete them if the government forces the larger ones to do things like 51% attack the non-censoring miners
13:37 < petertodd> *government tries to force
13:38 < adam3us> petertodd: it reduces bandwidth if you can send commitments only to the block chain, because ok to send previous tx history back to the last snapshot (or to genesis) is a bit of a privacy leak, its still better than now; and its more efficient to send that to each recipient than broadcast it to everyone
13:38 < adam3us> petertodd: yep, that was exactly the motivation for committed tx - users can yank a 51% miners chain causing him to lose money all day long
13:38 < petertodd> adam3us: yup, commitments with compact proofs of any part of the previous tx history are one form of sharding validation effort.
13:39  * petertodd needs to come up with a good directed acyclic graph version of merkle mountain ranges
13:41 < petertodd> adam3us: wait, explain to me how users "yank a 51% miners chain"?
13:41 < adam3us> petertodd; y'know with homomorphic encrypted values & committed transactions combined, at least the privacy invasion of the full tx history revealed to each recipient is less - you dont see how much money each user has
13:41 < petertodd> adam3us: good point
13:41 < adam3us> petertodd: ah so lets see how did that go, ah yes so you want to make a payment and you're wikileaks (canonical example of unpopular extra-legal blocking)
13:42 < adam3us> petertodd: so you make your payment, wait a few blocks, reveal it; now the 51% miner has to discard 2 blocks of profit and compete against himself; rinse & repeat
13:43 < petertodd> right, and my point is always the government response is to target public bitcoin users and first demand that even though the system is private, they use this new modification of the bitcoin protocol that also sends enough information along-side a transaction to always reveal the contents
13:43 < adam3us> petertodd: that assumes you ever reveal the tx to the network, you could let them circulate in committed form in which case no one not in the tx history knows who paid who
13:44 < amiller> adam3us, suppose you had arbitrary zero knowledge and two party computation or whatever
13:44 < amiller> can we come up with an idealized definition for a private public ledger?
13:44 < amiller> i've been trying to think of a good way to explain this, regardless of the actual implementation efficiency
13:44 < petertodd> then you start getting the pools you can control to apply preferential treatment to non-anonymous transactions, for instance you only mine ones like that, but still extend blocks otherwise. rinse and repeat, until you get to the point where the pools can do direct 51% attacks on the ones that don't.
13:44 < amiller> no one should need to know anyone's transaction balances
13:44 < adam3us> petertodd: well its not that private in the sense that anyone in the payment chain can reveal stuff that came before, so they are free to make a subpoena, most random merchants and users have no incentive to protect privacy of an actual crime with victims
13:44 < petertodd> it's only the inability of government to control at least 50% of the hashing power that prevents that stuff
13:44 < amiller> a transaction between two people should change their balances in a way that both know, but neither should learn the balances of the other
13:45 < amiller> but everyone should learn the transaction is valid
13:45 < amiller> can you do that even abstractly?
13:45 < petertodd> adam3us: yup. the unhiding data could be done by requiring it to be broadcast encrypted to a government controlled pubkey
13:46 < petertodd> adam3us: "Nothing to fear! You're tx's are private unless a court-order is served and the priv-key is used to decrypt them."
13:46 < adam3us> amiller: maybe zerocoin with homomorphic values? (with fixed value is stupidly inefficient send 1,000,000 1c coins to send $10k?)
13:46 < amiller> btw there's a fully open source alternative to pinocchio/tinyram out https://github.com/srinathtv/pantry/
13:46 < adam3us> petertodd: screw that :)
13:47 < amiller> adam3us, well homomorphic values isn't enough i don't think
13:47 < amiller> because homomorphic encryption uses a single key
13:47 < adam3us> petertodd: we see where that ends, apriori wire tap and data fishing on everyone on the planet in utah; even the EU is right now voted to block SWIFT data sharing
13:48 < petertodd> adam3us: yes, but the only thing stopping it is that it's possible to mine outside of government control! Reality is with the current system, even with TXO commitments and fraud proofs, at some point a large blocksize will lead to that scenario.
13:48 < amiller> perhaps if i want to send you some money and we want to prove it's valid to everyone else but we don't want to reveal our balances to each other, we could use a two-party computation that computes the homomorphic function or something
13:48 < adam3us> amiller: yes you can do that (encrypted values add up, without learning other balance) see thread on homomorphic value using schoenmakers range proof
13:49 < adam3us> amiller: it works because there are two values in a Pedersen commitment c1 = v1*G + x1*H
13:49 < adam3us> v1 is the value, x1 is a key that is not revealed
13:49 < adam3us> amiller: no one knows DL(G,H)
13:50 < adam3us> https://bitcointalk.org/index.php?topic=305791.msg3277431#msg3277431
13:51 < petertodd> adam3us: so how much larger would transactions be with this homomorphic stuff?
13:51 < adam3us> its not really encrypted as such, just committed in an extended-schnorr provable form (bi DH form)
13:51 < adam3us> petertodd: well like I said on the thread best I got so far was 1K-2K per value depending on the precision of the coin value
13:52 < amiller> i still don't see how you get the range proof
13:52 < petertodd> petertodd: ok, so that's 1K-2K per txout then basically right? is that linear with the number of txouts?
13:52 < amiller> but i'll read more and try to understand it
13:52 < petertodd> does it handle any combination of # of txins and # of txouts?
13:53 < adam3us> its 3+2m values where m is the number of bits of mantissa (precision) of the bitcoin value and a value is 256-bit/32-byte
13:53 < petertodd> (although I guess you could use a merkle-sum-tree to combine txin values and split txout values)
13:53 < adam3us> so I suggested eg 20-bits (1665bytes) or 27-bits 2016bytes
13:54 < amiller> ok so you do a range proof with roughly one value per bit
13:54 < adam3us> petertodd: amusingly i think you could even validate the entire ledger, add it all up and check it comes to however many coins issued so far
13:54 < adam3us> amiller: yes
13:54 < amiller> how do you communicate the value transferred to the other party?
13:54 < adam3us> no 2 values
13:55 < adam3us> 3+2m
13:55 < adam3us> just tell them
13:56 < adam3us> amiller: out-of-band or encrypted to public key if using the block as a store-and-forward channel
13:56 < amiller> okay
13:56 < adam3us> amiller: the fee is public, rest homomorphic
13:56 < amiller> (i apologize i have a hard time parsing all your posts but i think the idea works out)
13:57 < adam3us> amiller: well actually you can mix encrypted & clear values
13:57 < amiller> the pedersen commitments are only homomorphic with respect to addition aren't they
13:57 < adam3us> amiller: eg if you want to hide the value of your balance, but dont care much to hide the actual payment amount
03:48 < gmaxwell> And likewise, scorched earth is only applicable for things where the receiver would be pissed about an unconfirmed doublespend.
03:48 < gmaxwell> Its not unsolvable, but its an unfortunate complication.
03:48 < petertodd> gmaxwell: yeah, I wrote on the forum about how the payment protocol re: coinjoin should work where you actually give the merchant a non-coinjoin, and coinjoin, version of the tx
03:49 < gmaxwell> it makes me think that perhaps there really should be a signal which says "I swear on my mothers grave that I will not doublespend this transaction {within x time}"
03:49 < gmaxwell> since there are plenty of cases where doublespends are totally legit, and you don't want unconfirmed acceptance in any case.
03:50 < gmaxwell> and also cases where you want unconfirmed acceptance and any doublespend is fraud.
03:50 < petertodd> heh, well, like I say, you give the merchant the non-CJ version, the CJ version, and heck, in some cases even more versions because you've done multiple payments in a row and don't know what will get mined
03:50 < gmaxwell> and its only in the latter where scorched earth is the right strategy.
03:50 < gmaxwell> sure.
03:51 < petertodd> thing is, scorched earth has even more requirements, because the sending tx has to be basically minimal size, so that the sender can't double-spend it with a *smaller* tx
03:56 < Luke-Jr> do C++ or boost have a key-only map type?
03:56 < petertodd> Luke-Jr: you mean a set?
03:56 < Luke-Jr> maybe
03:57 < Luke-Jr> unordered set?
03:57 < petertodd> could be? not familiar with boost
03:58 < Luke-Jr> petertodd: looks like these are both standard C++, thanks
03:58 < Luke-Jr> although.. C++11
04:01 < gmaxwell> Luke-Jr: we use stl sets in various places in the codebase.
04:01 < Luke-Jr> but not unordered
04:01 < petertodd> Luke-Jr: does it matter?
04:01 < Luke-Jr> shrug
04:01 < Luke-Jr> I'll use unordered and see if anyone complains XD
04:02 < petertodd> behind the scenes sets get implemented in an ordered fashion often
04:03 < gmaxwell> Luke-Jr: ordered is fine here, they're not in insertion order, they're in whatever search order (based on the comparator of the underlying type) the datastructure needs to make lookups fast.
04:04 < Luke-Jr> I guess I assume std::set is going to be slower than std::unordered_set..
04:04 < petertodd> Luke-Jr: often enough it's all trees behind the scenes anyway...
04:05 < petertodd> Luke-Jr: with C++ that's quite likely because there's no obj.__hash__() like in Python
04:06 < gmaxwell> petertodd: there is actually a generic hash template thing.
04:06 < gmaxwell> petertodd: and I think the unordered set template needs it to work on your type.
04:07 < petertodd> gmaxwell: oh cool, guess I'm wrong
04:19 < Luke-Jr> well, my compiler doesn't have it :<
04:20  * Luke-Jr can't wait for autoconf_pt3 to get merged so the warning on every compile goes away
05:06 < adam3us> y'know the aim of bytemaster birthday hash is amusing - i briefly looked at it in 1997 for hashcash, i actually started my thought process by looking at birthday hashes, but that lasted all of 10min :); it is not progress free so cant fairly be used in a first past the post race
05:07 < adam3us> (his aim is to have fast verify (3 hashes, though he could've easily done it with 2) and yet memory hardness - however he has killed progress freedom, and other more simple issues)
05:09 < adam3us> so its not quite true that it doesnt achieve anything that scrypt does - it achieves memoryless verification, however it has tmto with n^2 advantage, and progress so its broken
05:10 < adam3us> also because of the n^2 advantage custom hardware could dominate it way worse than asic, triple fail :)
05:10 < gmaxwell> adam3us: Their earlier stuff was not a collision problem, I wasn't aware that they switched to that in their latest incarnation as their response on the first one I broke convinced me to never look at their stuff again.
05:11 < gmaxwell> and yea, we had a conversation at collision's for memory hardness in here before, and indeed the advantage for faster miners was brought up, also that you can eliminate the memory hardness with a tradeoff for more computation.
05:11 < adam3us> gmaxwell: someone mining pts got me to look at it
05:11 < adam3us> gmaxwell: yes the problem is the n^2 advantage for memory
05:12 < adam3us> gmaxwell: and the progress, and the tmto they mistakenly thought didnt exist
05:15 < adam3us> u can see it someone using 50 GHz cores (cores x ghz) got bday 180H/min, vs 30 Ghz cores got 50H/min -fast enough processor, for RAM
05:15 < sipa> adam3us: i cannot parse your last sentence
05:16 < adam3us> sipa: because its birthday attack, if your cpus can fill your RAM within the 5mins block interval, the more ram you have the more birthday hashrate n^2 to amount of ram
05:18 < adam3us> what its computing i think is H(cb, a) for random a, coinbase cb; where H finds a 26-bit hashcash (like bitcoin but small difficulty as a pre-screen)
05:18 < adam3us> then they store those values (h1,...h_n) = {H(cb,a),H(cb,b),...}
05:19 < adam3us> and look for 50bit birthday collisions on h_i values, (using a hashtable rather than memory scan)
05:20 < adam3us> finally for each H(cb,a)==H(cb,b) the test if H(cb,a,b) < target
05:21 < adam3us> (the code i found unreadable, the paper vague and stale... talking about scrypt and other ideas; its actually using hashcash-sha512-26 ie partial preimage with 26-bits of leading 0 using sha512 hash function)
05:21 < gmaxwell> adam3us: if you have super fast logic but gates for memory are costly you can also run near memoryless (like pollard rho w/ period finding), so if you really believe the argument that needing lots of memory is a great enhancement, well, not so much.
05:21 < adam3us> for the H function
05:22 < adam3us> gmaxwell: yes i agree - i said 3 problems, tmto (2 types actually), progress, and n^2 memory advantage
05:23 < gmaxwell> but besides that it's awesome!
05:23 < adam3us> the other tmto is to use a hashtable which is unreliable but more compact
05:23 < adam3us> gmaxwell: lets not mince words - its triply broken :)
05:23 < gmaxwell> I hadn't decoded tmto to time memory trade off for some reason.
05:24 < gmaxwell> I'm waiting for them to think you can use hamming distance instead of prefix matching to prevent that.
05:24 < adam3us> gmaxwell: but the usual cycle method doesnt work i think on partial birthday, only on full birthday, because the cycled finds are almost certainly of unrelated values
05:24 < gmaxwell> (you can't)
05:25 < gmaxwell> adam3us: sure it does, you just need a function that reads only from the partial chunk for the next step.
05:25 < gmaxwell> (whats even more awesome is you can make this work well for hamming distinct thresholds too... with some mild complication)
05:26 < adam3us> gmaxwell: i dont think so, some proposed the cycle method on the bitshares forum and it got shot down (not that they know much), but I dont think you can define a meaningful cycle
05:27 < adam3us> gmaxwell: he was forced to pay out his $5000 bounty to forum people, i held off saying anything :)
05:28 < adam3us> (mostly for the unreliable hashtable so it fits in gpu unit L2 cache)
05:28 < gmaxwell> well I haven't looked at their thing, but this does generally work for finding n-bit prefix matches in hash functions. There is a paper I like on it that also goes into the hamming threshold case.
05:30 < adam3us> gmaxwell: its possible i am wrong but what i am thinking is if you find cycle one of r_1, ... r_k, ... and another cycle r'_1,... r'_k the problem i see is that r_{k-1} is unrelated to r'_{k-1} and so on
05:30 < adam3us> (where r_k == r'_k)
05:34 < adam3us> the objective isnt stupid though - i thought of that too - to find an scrypt variant where you can verify without memory.  i believe its challenging without introducing progress
06:31 < adam3us> btw TD: something else wrong with uploading batches of deterministic addresses, they are uncertified.  the payment protocol certifies them, but with an SSL key in server memory.  Obvious attack point
06:35 < adam3us> TD: if the base address is static it can be certified by an offline X509 key, or simply verified with out of band static information
06:42 < TD> no
06:42 < TD> the payment protocol does not specify any kind of "server" or "client". whoever generates the payment request can sign it. SSL or not is irrelevant.
06:42 < TD> so if you have a private key, your wallet would just upload pre-signed payment requests
06:42 < TD> however most individuals do not have a certificate. so, i suspect we'll end up with a different PKI for end users.
06:42 < TD> (and to start with, none at all)
07:23 < adam3us> TD: i imagine any business web site accepting payments has an x509 cert (for SSL associated with the server domain), so if they bother to sign the payment requests, they would probably reuse the one they already have.  you are right though that they could sign it with an x509 email cert, or a sub-domain cert
07:23 < TD> yes, business websites don't need to batch upload anything. they can generate them on the fly with the ssl key indeed. sorry i thought we were still talking about personal usage
07:23 < adam3us> TD: but there may be expectation issues - surely the relying party should expect a signature from bobsparts.com, not from bob@hotmail.com
07:25 < adam3us> TD: yes.  i am not saying i have a solution, eg the bloombait so far seems to likely have issues but will see what it can do; however at requirements level mostly i am saying it would be nice if it were static, then it could be on a business card, brochure, shop window, with zero possibility for web site hacking address redirection
07:26 < TD> people can have their wallets be compromised as well. then it's impossible to recover
07:26 < adam3us> TD: (because signing with the site SSL key is also vulnerable to address hacking)
07:26 < TD> if a web site gets hacked, it can be re-sealed
22:39 < amiller> i actually think that higher variance mining makes more sense here
22:39 < gmaxwell> GIGAVPS, asicminer, "cloud mining" are all examples of hosted mining, and there will be many more. Buzzdave (megabigpower) and BFL have their own hosted mining offerings, etc.
22:40 < amiller> a mining operation that has a lottery interface on one side to its clients and does bitcoin mining on its other would really want low variance
22:40 < amiller> because it could easily promise more money than it can afford to payout
22:40 < gmaxwell> Basically even though the current technical scaling factors strongly discourage big datacenter operations, there are social factors that encourage them.  "derp derp I'm too dumb to run a miner, but I have money and want to make profit mining!"
22:40 < gmaxwell> amiller: you can just make your customers take the mining risk.
22:41 < amiller> right
22:41 < amiller> so that's where the trapdoor thing comes in
22:41 < amiller> i should make it so that any attempt to tie a customer's outcome to the outcome of a particular attempt at mining on the chain
22:42 < HM> the startup risk is large, if you get no customers then you've invested a lot for bugger all
22:42 < amiller> involves a trapdoor that makes it really easy to obscure the actual probability distribution of the chain's payout
22:43 < gmaxwell> HM: sadly preorders in the bitcoin world are ubiquitous, asicminer was entirely funded by selling hundreds of thousands of dollars in shares on the bct forum. They then rigged it up so they'd continue to own a ~majority of the shares. used the funds they raised to fab asics.. and put them online.
22:43 < HM> heh
22:43 < gmaxwell> HM: a lot of the other hosted offerings leave it to the customers' responsibility for the mining hardware to show up at their door. Once it's there they rack and stack and configure and start sending the user coins.
22:44 < gmaxwell> amiller: okay so your solution is basically to make it so that the hosting company can very easily hide their income, so they can steal from the miners.
22:44 < amiller> yes that's right
22:45 < gmaxwell> amiller: the challenge I see here is that the mining has an expected income, so the amount they can steal is bounded by that probability distribution model. I would also point out that _none_ of these services do any kind of proof at all that they aren't stealing, even though they could today, people don't ask for it.
22:45 < gmaxwell> E.g. ASICMINER could have easily built 50% more chips than they claim to have, and could be running them not as asicminer and no one would know.
22:46 < amiller> sure, i guess they only have shares
22:46 < amiller> my assumption is that a client pays a fixed price for a certain payoff distribution
22:46 < amiller> like i pay for 10 shares some fraction of them should win
22:46 < amiller> but suppose there is a high variance option
22:47 < amiller> like one out of every hundred blocks wins an extra large amount of bonus or something like that
22:47 < amiller> then you can steal that bonus without raising much suspicion
22:47 < amiller> because it happens very infrequently anyway
22:48 < gmaxwell> Yea, I mean you could send shares to the customers to prove that their device was trying to mine in a publicly validatable way. But no one asks for that today.  And yes, shares + high variance would make the miners secure against cheating. (make the shares frequent enough that if the host was stealing more than a tiny amount of work it would be obvious)
22:48 < amiller> i agree no one asks for that today, but they should, perhaps in the future they will
22:48 < gmaxwell> but okay I get the idea. So if there were big bonus blocks periodically... that were blinded.. then the users couldn't tell if they were being robbed.
22:48 < amiller> after people start implementing encryption correctly etc
22:49 < HM> Don't datacenters typically charge by the amp? or say 1 U = X amps and then charge mostly on power consumption?
22:49 < amiller> yeah that's the idea
22:49 < gmaxwell> amiller: I'm ... very concerned they won't. but thats an aside. We can't cure humanity, lets fix the technology at least.
22:50 < amiller> yeah. also etc etc it helps promote general confidence in cryptocurrency to have technical answers especially to the big questions, like, does rational behavior inevitably trend towards centralization, etc.
22:50 < amiller> even if the technical answers to that involve things that aren't even close to implemented yet
22:50 < gmaxwell> (in particular, miners could be using BFGminer with their centralized pools and BFGminer will prevent a pool from ever "eating its own tail": it will refuse to mine a fork against work the pool had it previously do. Totally kills a broad class of pool-op network attack. But basically no miners deploy bfg for this purpose (many use it but for other reasons))
22:51 < gmaxwell> amiller: a lot of users really have absolutely no clue about the security model, or they're wrong about it in frightening ways. E.g. they think that only the miners validate transactions, and that the miners can pay to whomever they want, however much they want.  E.g. a model where there would be no incentive alignment at all.
22:51 < gmaxwell> And I think this kind of misunderstanding is nearly the majority understanding or not too far from it. Yet they use bitcoin anyways because of, presumably, social proof.
22:52 < gmaxwell> (they also use other altcoins like ppcoin where the developer broadcasts checkpoints that select the network state)
22:52 < gmaxwell> (ppcoin is nominally POS but for "extra security" it has checkpoints broadcast in the network by its creator for ~every block which ultimately dominates the consensus)
22:54 < amiller> people also trust service providers unconditionally for all sorts of stuff
22:54 < HM> amiller, example?
22:54 < amiller> passwords in google docs?
22:55 < gmaxwell> right, part of the problem there is that you can get away with trusting paypal or ebay like that, they have conspicuous assets you can send to jail if they cheat and regulation. But people also trust $anonymous_pool_operator because they don't reason about why it's okay to trust ebay.
22:55 < amiller> sure, so i admit that this is a construction of theoretical interest mostly
22:55 < gmaxwell> worse, since even when everything is vulnerable attacks tend to be somewhat rare.... when the shit does hit the fan they blame the specifics rather than the general practices. but oh well.
22:56 < gmaxwell> yea, sorry for the tangent.
22:56 < gmaxwell> We can't fix the social problems unless there are technical solutions in any case.
22:56 < amiller> i agree with 100% of the content of the tangent
22:56 < amiller> but yeah
22:56 < gmaxwell> I just get a bit depressed because even where the technical solutions exist we're not using them yet.. if ever.
22:56 < HM> amiller, the kind of people who put passwords in google docs are likely ignorant of the risk
22:57 < HM> or dismissive of the consequences
22:57 < HM> i wouldn't call that trust
22:58 < amiller> HM the way i think of it is that everyone who ignorantly or whatever is willing to make themselves fully vulnerable to a cloud provider or whatever, i just assume they've already done so
22:58 < amiller> and i effectively treat that as one wealthy entity
22:59 < amiller> the thing to aim for is people who are making rational risk-aware decisions
22:59 < gmaxwell> HM: people leave large amounts of bitcoin in blockchain.info mywallet, which is protected only by the users password, which can be bruteforced by bc.i (or anyone with access to the user's email), at >10 million passwords per second per gpu (and there is no salt, so bc.i or their hacker could attack all customers at once)
22:59 < gmaxwell> and BC.i wallets could be stolen at login time by anyone who injects JS in the pages.
22:59 < amiller> who will take the offer if it's cheaper and they have a good guarantee, in particular regardless of the 'systemic' risk of centralization which affects bitcoin as a whole but doesn't make you earn less
22:59 < gmaxwell> And yet they have hundreds of thousands of users.
22:59 < HM> bc.i don't need to bruteforce the wallets
22:59 < HM> they can just take them
23:00 < gmaxwell> HM: BC.i is a bit misleading about the threat model there, because the private keys are "only in the browser" ... until they give you some JS injection and take them or attack the password.  I mention the password attacks because even if you believe their misleading claims the password stuff is upheld.
23:01 < HM> yes, it's the same with MEGA with files
23:01 < HM> but tangents...
23:01 < gmaxwell> I mean I can go on all day there is countless amounts of misplaced trust.
23:02 < HM> well that's why the financial system being full of systemic risk is a *good* thing
23:02 < HM> everyone knows when it reaaally gets bad, something will be done
23:03 < HM> and nobody cares if it's good as long as everybody suffers
23:04 < HM> if the majority of people use blockchain.info then the impact on Bitcoin as a whole if the entire site vanished would be so huge as to affect us all anyway
23:08 < HM> It's kinda like email. Gmail has something like half a billion monthly active gmail accounts
23:09 < HM> some people don't even realise that email is a decentralised thing anymore
23:09 < gmaxwell> it's not even decentralised so much anymore. if you host your own email you have major major problems with anti-spam filters.
23:10 < HM> right
23:10 < gmaxwell> a lot of corporations have been moving to having msft or google host their domains for this reason alone... the other savings are just a perk.
23:11 < gmaxwell> (amusingly, I understand that Mike Hearn may have some personal culpability in this outcome ... :P )
23:11  * sipa whistles
23:11 < HM> lol what?
23:12 < gmaxwell> another googler. Though I don't know that sipa works on anti-spam. :P
23:12 < HM> ah bitcoin and bitcoinfoundy.org are both Gapps
12:54 < adam3us> petertodd: bitcoin already has a signing system, and a key to do the signing, i am just saying use it
12:55 < petertodd> adam3us: anything less means users who *don't* have any reason to dick around manually checking bullshit just because they want to buy a tee-shirt will end up with a less secure system
12:55 < petertodd> adam3us: and a signing system is useless without gobs of infrastructure
12:55 < adam3us> petertodd: the web app level is far less dangerous if the worst you can do is pay money to the wrong merchant address (as opposed to the attacker direct)
12:56 < petertodd> adam3us: huh? the attacker swaps out the addresses after cracking the site and steals a million bucks from 10,000 users
12:56 < adam3us> petertodd: i am not saying people who are buying t-shirts will care to check it
12:56 < petertodd> adam3us: right, which means you have to have that code in the trezor... so use it
12:56 < adam3us> petertodd: no because the addresses are signed, and users who bother to check, can see hey something is wrong with tshirtsrus
12:56 < petertodd> adam3us: paranoid level gets to have the PGP fingerprints displayed prominently
12:56 < adam3us> petertodd: their TOFU account number just changed??
12:57 < adam3us> petertodd: even a browser plugin handling payment requests could check that
12:57 < petertodd> adam3us: there is no difference between checking "signed addresses" and "CA fingerprint matches up", zero.
12:57 < adam3us> petertodd: you realize how tricky it is to get any sense out of pgp wot? latest version of gpg is all but unintelligible to me
12:58 < adam3us> petertodd: screw wot, i just mean a self-certified tofu hd wallet base key and expecting transaction numbers (one-use addresses) to be signed with it
12:58 < petertodd> adam3us: where did I say you'd be using WoT for this? most paranoid users would want to verify fingerprints with manual mechanisms, some could use WoT, but we're *much better* if we encourage an ecosystem that doesn't fragment things
12:59 < petertodd> adam3us: and like I keep saying, making it PGP lets you do useful things like have known ways to send your merchant an encrypted email
12:59 < petertodd> adam3us: you are *not* thinking about second order effects here
12:59 < adam3us> petertodd: i just think its more useful to the careful user to have a tofu account number to read off and compare. than a string of (to him) uncorrelated random one-use addresses - that tell him precisely nothing
13:00 < adam3us> petertodd: and the web level browser level and client machines are like swiss cheese and will get rampantly exploited
13:00 < petertodd> adam3us: yes, and using a PGP code-path for that use-case is better and encourages good practices across the board, rather than a bunch of highly specific shit that doesn't do anyone any good
13:00 < adam3us> petertodd: there are no second order effects - if you're buying t-shirts and you dont care dont look at the account number alright
13:01 < adam3us> petertodd: bullshit - how is throwing pgp at the poor user going to help anything
13:01 < petertodd> adam3us: damn right there is, now there's no transition path between low, medium, and high security, that's very bad
13:01 < adam3us> petertodd: so i think the low to medium level is done via payment request as is
13:02 < petertodd> adam3us: we want a system where the average user goes and gets the green CA-certified box saying "TeeShirt Company", then when they become a distributor of said company is told "Hey, go check that the fingerprint matched up ok? Just to be safe." now you've gone from low to high security seamlessly.
13:02 < adam3us> petertodd: problem is if the server is compromised someone can undetectably to users swap out the pool of one-use addresses
13:02 < gmaxwell> petertodd: so what we need to do is introduce the things pgp lacks to pgp and to fix it, rather than go off separately or pretend that pgp as is .. is a solution.
13:02 < petertodd> adam3us: No, as I said before, you add a mechanism *to the payment protocol* to have a separate CA key (as a subdomain) sign a root address under the hood
13:02 < adam3us> petertodd: the web site will happily sign them with its SSL key (or subdomain key) and facilitate robbing itself
13:03 < petertodd> adam3us: and that's why it's a fucking subdomain, so you *don't* need to keep it online!
13:04 < petertodd> adam3us: you're not getting the payment request from that subdomain, the software just expects the request to be signed by that magic subdomain, and shows the user the address one level up
13:04 < adam3us> petertodd: well wait the payment request includes a description of what you're buying and amount it cant be offline
13:05 < adam3us> petertodd: whereas one use addresses in the hd wallet derivation method can be pre-generated offline and uploaded as a batch, they could be signed offline, but there is currently a missing part to do that (thats basically all i was trying to say)
13:05 < petertodd> adam3us: sure it can, as I said before, you have two payment protocol-related certs here: one to sign requests semi-online, another to sign long-term root keys
13:06 < petertodd> adam3us: now you have a system that has pretty good security in the default case, *and* can be easily upgraded to paranoid level by a manual check
13:06 < adam3us> petertodd: but the message to be signed is different: one is a one-use address (offline) and the other is a description of your order (online)
13:06 < petertodd> adam3us: rather than creating balkanized shit
13:07 < petertodd> adam3us: yes, and what's wrong with that? users wallet is programmed to expect both, and barfs if it doesn't see what it expects
13:07 < adam3us> petertodd: so then you're saying the same thing except you like x509 and i dont.  i think for something as compact, simple, direct and bitcoin meaningful as a proof of hd wallet ownership should be a 64 byte thing on the one use address, not a few KB of asn1
13:07 < petertodd> adam3us: if not all merchants use this, just make the UI in the wallets have a silly golden shield or something for the extra-high-security version, and make it easy to check fingerprints manually
13:08 < petertodd> adam3us: sure, but the code *has to be implemented on the wallet anyway*, so use a mechanism that allows for nice user-friendly transparent upgrades
13:08 < adam3us> petertodd: yeah i think we have some ux and naming to fix up, but i would call the merchant HD wallet base address the merchant account number, and the one-use address the invoice number
13:09 < adam3us> petertodd: seems a bit ugly to say oh yeah, and that account number, bitcoin has a key, but it chose to delegate that to a web app, an untrusted third party (CA) and browser to tinker with
13:09 < petertodd> adam3us: heck, you see what I'm doing here? what I'm really doing is extending the merchant's identity that you usually transact with to verify a HD wallet base - you're strongly arguing to only do the latter which is silly
13:10 < petertodd> adam3us: we're not delegating it to anything - hardware wallets and offline wallet software *has* to implement CA certs for the 95% use-case
13:11 < adam3us> petertodd: i dont think CA are good model, ca infrastructure is rooted, 100s of dodgy CAs, hacked CAs, hostile govt operated CAs by govts of various shades. that way lies account seizure
13:11 < petertodd> adam3us: who cares? CAs are a better model than nothing. Reality is 95% of users will outsource their security - there is nothing we can do about that.
13:11 < adam3us> petertodd: you can sign extra stuff with x509 while you're signing the payment request - why not, but i think its simpler to also independently and natively sign the one-use addresses
13:12 < adam3us> petertodd: its not either or. sign the account numbers with the hd wallet master.  and sign everything best effort on the web app layer with the payment request
13:12 < adam3us> petertodd: what i am saying is like a checksum on a credit card digit
13:13 < petertodd> adam3us: no it's not - a hd wallet seed signed once by a long-term identity cert means that some thief can't do anything more interesting than blackhole funds in the worst case - in the better case you use a derivation system that's deterministic enough to always recreate the key(s)
13:13 < adam3us> petertodd: what you are saying is like maybe SET (doomed credit card web security protocol)
13:14 < petertodd> adam3us: nah, it's silly to be signing shit, remind yourself how HD wallets work... you don't need to sign addresses derived from them, spendability only with the HD seed is guaranteed anyway
13:14 < adam3us> petertodd: i think this is an instructive analog: banks do not use third party auth (openid, CA issued certs without pinning, or site enrolment) because they want to control their own security
13:15 < petertodd> also if you are signing stuff, then that encourages you to keep your keys online, which is bad...
13:15 < petertodd> adam3us: yes, and then they can tell their customers their PGP fingerprint and do it that way...
13:15 < adam3us> petertodd: not signing data just the one-use address
13:15 < petertodd> adam3us: yes, and given HD seed S and nonce n S+n is a one-use address that only S' can spend
13:22 < adam3us> petertodd: yes this is true, but only if the site and user share a sub-wallet & chain code (which they can do, and maybe should do for recurring biz)
13:22 < adam3us> petertodd: but i was thinking maybe with a signature on the one-use address, which the user can strip before using on the network, you get that kind of spender simple tofu verification
13:25 < petertodd> adam3us: timo's pay-to-contract makes a lot of sense there you know... yeah, now maybe you really do want an address that can't be proven to have anything to do with the hd seed, but why not extend that initial thing to sign a bunch in advance? again, you don't want to encourage keeping that long-term-id key online often
16:39 < nanotube> too soon? :P
16:43 < nanotube> ... slowly getting my connection count back after node restart. up to 88 now.
16:57 < HM3> why aren't node addresses stored persistently?
16:57 < sipa> they are
16:57 < sipa> peers.dat
16:59 < HM3> ah
17:54 < nanotube> what's the default expiration of errors? i'm still seeing the 'check date and time' error in getinfo, though my timeoffset has settled to 0. (probably initially caused by my initial peer set being significantly off, i recall gmax mentioning something about there being some mistimed peers out there.)
18:00 < gmaxwell> nanotube: some errors never go away (unless replaced by another one), thats one of them.
18:01 < nanotube> doh
18:02  * nanotube thinks it should go away once timeoffset drops below some threshold
18:02 < nanotube> though... it's rather immaterial.
18:07 < nanotube> well would you lookit this, a live bitcoin node counter: http://getaddr.bitnodes.io/
18:08 < HM3> cool site
18:08 < gmaxwell> yea, except the numbers on the front page are pure bullshit.
18:08 < gmaxwell> (they're counting addr messages)
18:08 < gmaxwell> if you click through to the report, e.g. http://getaddr.bitnodes.io/194/
18:09 < gmaxwell> the field "nodes_version (version)" is how many they actually connected to.
18:09 < HM3> i don't know why that is bad
18:09 < HM3> what is nodes_getaddr?
18:10 < gmaxwell> how many unique IPs they got from address messages.
18:10 < gmaxwell> which includes scads and scads of never-reachable addresses, due to god knows what.
18:11 < HM3> but those nodes may be connected out right?
18:11 < gmaxwell> Some, but most? Unlikely, considering the addresses include e.g. huge ranges of sequential numbers.
18:11 < nanotube> gmaxwell: oh... crap. and there i was being happy we have 100knodes.
18:12 < HM3> so probably people with dynamic IPs
18:12 < gmaxwell> HM3: out only nodes don't announce themselves in any case.
18:12 < HM3> stale messages
18:12 < HM3> ah
18:12 < gmaxwell> HM3: and moronic dos attacks, and misconfigured firewalls, and who knows what.
18:13 < sipa> my crawler tracks 66k addresses now
18:13 < sipa> of which it considers 3.8k "good"
18:13 < nanotube> what's 'good', how many have been reachable within the past 30days?
18:13 < sipa> it has also banned 730k addresses for being consistently bad :p
18:13 < nanotube> heh
18:13 < sipa> the rules are fuzzy and too complex
18:14 < sipa> go read the source :p
18:15 < nanotube> haha well, 'really roughly'
18:16 < HM3> so probably bigger than Tor in terms of relay nodes, but probably smaller than the number of skype users who signed off in the time it took me to type this.
18:16 < nanotube> lol yea
18:16 < gmaxwell> well, in particular, it means we're dangerously close to running out of sockets.
18:17 < gmaxwell> (even absent an attack)
18:17 < HM3> what?
18:17 < gmaxwell> as 4000*125/8 = 62500 ... so it means that we can only support 62500 nodes with good listeners (including bitcoinj nodes and such that would never announce)
18:18 < nanotube> hm well, it seems we're not /that/ close. after a day-ish of uptime, i'm only at 83 connections out of 512.
18:18 < gmaxwell> nanotube: 83 is 66% of the normal capacity.
18:18 < nanotube> if we were really close, i presume my slots would fill up much faster.
18:18 < gmaxwell> (I think 2/3 is not super comfortable)
18:19 < gmaxwell> (and the /16 limitation means that we're not very equally distributed)
18:19 < sipa> nanotube: https://github.com/sipa/bitcoin-seeder/blob/master/db.h#L103
18:19 < nanotube> sure, i dig.
18:19 < gmaxwell> It's not urgent yet, but it seems we have a trend that isn't good either.
18:19 < HM3> what's this socket limit about?
18:20 < nanotube> HM3: listener nodes allow 125 max inbound connections by default.
18:20 < gmaxwell> HM3: we have memory usage per peer, so there is a limit to the number of concurrent peers. Right now the default limit is 125 (and few nodes adjust that)
18:20 < nanotube> non-listener nodes try to make 8 outbound.
18:21 < HM3> oh i see
18:22 < gmaxwell> Obviously one path is to try to really get the per peer resources down so we could have nodes with a thousand peers or whatever... but thats resource heavy, and still leaves the network more DOS vulnerable than one with just more nodes.
18:22 < HM3> so you need a listening node to out node ratio of 125:8
18:22 < nanotube> though 4k listening nodes at 125 each suggests that we should have 500k open slots.
18:22 < HM3> with perfect meshing
18:23 < gmaxwell> nanotube: yes, but nodes use 8 slots... sooooo. at 62k we start to saturate.
18:23 < HM3> err 8 : 125
18:24 < gmaxwell> of course, this is absent attacks. One issue with this model is that an attacker with a single IP can use 1/slots of the whole network's capacity, even if we implement kicking off duplicate connections. (thus conversations about things like proof of storage and private bloom queries)
18:24 < nanotube> gmaxwell: yea, but if we put in your logic about randomly dumping peers based on some scoring criteria, thus ensuring node churn, being at 62k nodes won't be a big problem.
18:25 < nanotube> but yes, certainly it's something we need to think about before it becomes a problem.
18:25 < gmaxwell> nanotube: or at least less of one, if the order of nodes drops too far the risk of partitioning increases. (though thats a reason e.g. to prioritize peers that give you novel transactions and blocks)
18:26 < nanotube> mm
18:26 < nanotube> anyway.. foodtime. o/
18:26 < HM3> Why is there a high memory cost to a connection?
18:26 < sipa> buffers
18:27 < HM3> I mean I have a Bittorrent client that maintains hundreds of connections
18:27 < sipa> and quite some state
18:27 < HM3> still uses less memory than bitcoind
18:27 < gmaxwell> HM3: most of bitcoinds memory is not connections right now.
18:29 < HM3> any thoughts on how you'll solve it?
18:30 < sipa> adding a builtin solitaire in bitcoin-qt may increase the number of fullnodes?
18:30 < gmaxwell> We need more nodes regardless, we could do things to scale up the connection count... but I think thats less important simply because if we have only a couple thousand nodes its too trivial to dos them regardless of their max connection counts.
18:30 < gmaxwell> Once we have headers first and pruning there should be less disadvantage to running full nodes.
18:31 < gmaxwell> It may also be that we can't solve it before a major outage happens, because right now users don't think they have any personal reason to take the costs of running a full node. :(
18:32 < HM3> bundling. integrate bitcoind in to a popular torrent client so people can tip seeders :P you'll have millions overnight
18:33 < gmaxwell> and then someone implements another version that uses a SPV node instead, and you'll lose millions overnight.
18:34 < HM3> well then you play the starving hacker card and say serving "Linux ISOs" is a team sport
18:34 < gmaxwell> If that worked, then we could use Bitcoin users who presumably already have more skin in keeping bitcoin running.
18:35 < sipa> fancy graphs!
18:35 < sipa> and some animations
18:35 < sipa> how the chain is being built
18:35 < sipa> matrix-style
18:35 < HM3> defrag style
18:35 < HM3> coloured blocks
18:36 < sipa> yeeeees
18:39 < HM3> how many fullnode implementations are there out there now?
18:40 < gmaxwell> correct ones? who the fuck knows. I have very little confidence in the other teams, most of them have not even run and passed the block tester.
18:40 < gmaxwell> It's a very hard task.
18:40 < sipa> bitcoinj has one (certainly incomplete), btcd, bitsofproof, ...
18:40 < sipa> no idea how correct they are
18:40 < sipa> i'm sure there are a ton other attempts
18:40 < HM3> i think btcd guy said he had passed some of your tests?
18:40 < gmaxwell> btcd talked a good talk but was trivially forked.
18:40 < sipa> but those are certainly near-complete
18:41 < HM3> ah
18:41 < sipa> gmaxwell: which rule did they miss?
18:41 < gmaxwell> sipa: they were evaluating validity in untaken branches in scripts.
18:41 < sipa> ah
18:41 < gmaxwell> (and their response was to try to report it as a bug and suggest we fix it)
18:42 < HM3> lol
18:42 < gmaxwell> ::shrugs::
18:42 < HM3> please do, i might be richer on that fork :P
18:42 < sipa> do they even understand the concept of a hardfork?
18:42 < sipa> or rather, the distinction between soft and hard forks
18:42 < gmaxwell> I don't know. I can't tell. They're eager to please.
18:42 < gmaxwell> So everything I say they agree with.
18:44 < gmaxwell> (which I suppose is better than arguing with everything)  But I just don't know how hard they're working at it. They've not discovered any surprising behavior on their own, which is my normal benchmark, but that only works for so long.
18:44 < gmaxwell> (eventually I become all knowing and so no implementations can tell me something I didn't know. :P)
18:45 < sipa> which, ironically, makes you the #1 person capable of writing an alt fullnode
18:45 < jgarzik> maxcoin?
18:45 < sipa> i wonder how well i'd do implementing bitcoin from scratch, only looking up constants and opcodes and stuff
18:47 < sipa> BlueMatt: seems the comparisontool jar you gave me doesn't even accept current bitcoind...
18:47 < sipa> as in git head, pre-headersfirst
18:48 < gmaxwell> There are degrees of knowing. I knew how the evaluation logic worked, but I might have made the same evaluation mistake even though I "knew" better.
18:49 < HM3> it's probably easier to make a specification for the post-hardfork version
18:50 < sipa> HM3: i've been wanting to write a bitcoin-like thing from scratch for a while, with all silliness (in my opinion, of course) fixed :p
18:50 < gmaxwell> well, don't think a good spec magically makes this stuff easy. It just makes it slightly less awful.
18:50 < HM3> sure, and nobody follows specs anyway
18:50 < sipa> finding time for that is obviously a joke
18:51 < jgarzik> a good spec is simply Knuth's semantic programming
13:59 < gmaxwell> HM_: yea, I'd like to think of some examples that don't involve breaking the law. But I don't know that there really are any: if your trade is not likely to bring fire, you can use a trusted public mediator for an escrow.
13:59 < HM_> if it's expensive to verify it has to be expensive to generate as well though
13:59 < HM_> otherwise you can flood the network with candidate solutions and DDoS the whole thing?
14:00 < gmaxwell> HM_: you can use hashcash to solve that. (or make candidates pay you a small amount of bitcoin) no problem.
14:00 < HM_> hmm yeah
14:01 < HM_> so it's a C subset?
14:01 < gmaxwell> The validation is actually cheap for this kind of thing... but still slower than ecdsa in practice.. which would keep us from putting the validator directly in bitcoin,
14:02 < gmaxwell> they invented a mips like register based machine language, and made GCC (dragonegg/llvm) able to compile to it. It doesn't have floating point IIRC.
14:02 < realazthat> mmm
14:02 < realazthat> fp can be done on top
14:02 < gmaxwell> sure.
14:02 < realazthat> thats really cool hehe
14:03 < realazthat> mmm I'd want to play with that
14:03 < gmaxwell> Or you just write fixed point code. No biggie.  The bigger problem is that it's not fast and needs lots of ram on the prover side.
14:03 < gmaxwell> But it sounds efficient enough to be actually usable for _something_ now.
14:03 < gmaxwell> And they've actually implemented it.
14:04 < realazthat> yeah, I just wanna play with it external to bitcoin
14:04 < realazthat> are they to release the codes?
14:04 < realazthat> I hope so
14:11 < gmaxwell> Yes. They were talking about setting up a github page and such.
14:11 < gmaxwell> and, it sounded like they were willing to make it available in advance to bitcoin wizard types interested in working with it.
14:12 < gmaxwell> I haven't asked for it yet simply because I do not have enough bandwidth to do something with it in the next few days....
14:12 < gmaxwell> But I'd really like to actually execute that protocol I described, and make a zero knowledge contingent payment. Just need to figure out something to buy that's sexier than a cracked password.
14:13 < gmaxwell> (I wish the xkcd thing were ongoing, I could buy a solution to that! :P )
14:15 < realazthat> lol
14:18 < gmaxwell> Ah. Perhaps I could buy the infinitely good solution from Randall Munroe. (and get him to reopen submissions, so that 'Bitcoin' could be the top of the list)
14:19 < realazthat> mmm
14:19 < realazthat> can you explain the xkcd reference?
14:22 < gmaxwell> http://www.explainxkcd.com/wiki/index.php?title=1193:_Externalities
14:26 < gmaxwell> http://almamater.xkcd.com/  (I'm xiph.org with the 392 score)
14:27 < gmaxwell> Only tied with stanford :(
14:27 < realazthat> oh the hashing competition :D
14:28 < gmaxwell> Randall actually knows the preimage. (or at least, he indicated that he did in IRC)
14:29 < realazthat> haha
14:29 < realazthat> do you need that to use it as a challenge?
14:30 < gmaxwell> 'that'?
14:30 < realazthat> the preimage
14:31 < gmaxwell> No, he could have made a challenge with a random target (or a target of all zeros). The fact that the target had 'high entropy' suggests that he knows the preimage... and as I said, he said that he did.
15:17 < BlueMatt> gmaxwell: or...just make it so no one has to download the chain ever again...
15:17 < BlueMatt> "but the chain is 100GB" go fuck yourself, just use computational integrity
15:19 < gmaxwell> I said that " for example, you could use these techniques to produce checkpoints that can't cheat."
15:19 < BlueMatt> well, you dont expect me to read the whole scrollback, do you?
15:20 < gmaxwell> BlueMatt: it's not realastic yet... well, I joked that if we got all of google's computing power for a week perhaps we could compute a CI signature. :P
15:20 < gmaxwell> er realistic.
15:20 < BlueMatt> yea, I know, I just keep hoping
15:20 < gmaxwell> At least the naive way of doing it... really the biggest problem is all the state needed in validation to track unspent coins.
15:25 < BlueMatt> yea, maybe when we all have 512GB ram in every machine...
15:25 < gmaxwell> BlueMatt: not even 'every' ... the validation side doesn't sound terrible.
15:26 < BlueMatt> ahh, well then we just need to find a computer to do the original signing...
15:26 < BlueMatt> lets get TD/sipa to do it...
15:29 < BlueMatt> I wonder how much it has to go back over the data during the signing (or if swapping it out to an ssd would actually work)
15:30 < gmaxwell> Right. TD had mentioned some unrelated work on garbled circuits was intractable until some software engineers had a go at it and reorged the algorithm to work in a streaming-from-disk manner.
15:31 < gmaxwell> The other problem with this stuff is that getting people convinced that the process is sound might be hard. Apparently their work has something like 400 pages of dense mathematical proofs behind it.
15:31 < BlueMatt> ahhhh
15:32 < BlueMatt> well, I dont know that I would really trust it immediately (or for the next few years) anyway...
15:32 < gmaxwell> But of course, actually _using_ it for something would make good incentives to attack it!
15:32 < BlueMatt> still, the idea that it will clearly be possible in the immediate future means the argument that the chain is growing too fast (and not the utxo set) is invalid
15:33 < sipa> gmaxwell: but will verifying the proof be cheaper than just verifying the chain?
15:34 < gmaxwell> For some size of the chain it should be. The complexity is polynomial on the size of the program (the rules) you're validating.
15:34 < gmaxwell> (complexity of validating)
15:34 < sipa> ic
15:34 < sipa> magic :S
15:34 < BlueMatt> as long as its similar and you can throw out the chain data itself instead of still having to distribute the chain in the form of input data
15:35 < gmaxwell> BlueMatt: I don't agree. You're streaching. You still need the bandwidth to receive blocks to actually use the network in real time. It just means the history bloat will be less of an issue perhaps.
15:35 < gmaxwell> stretching*.
15:35 < BlueMatt> yes, thats my point
15:35 < BlueMatt> its just blocks/time instead of total blocks
15:35 < BlueMatt> (in data)
15:35 < gmaxwell> I don't think anyone has argued that the history is an issue. Mostly people are willing to ignore the bootstrap time/cost. (maybe thats unwise too)
15:36 < BlueMatt> Ive heard it once or twice
15:37 < gmaxwell> well you've heard me say it wrt pruning and needing to be really careful about how we handle it (e.g. that I want to have addr message signal that nodes have random subsets of the chain in addition to just the most recent few thousand blocks).. but that's still true, since this stuff probably won't be practical for bootstrap for a couple years at best.
15:37 < gmaxwell> But thats not a scaling concern... it's a pruning concern specifically.
15:38 < BlueMatt> meh
15:39 < gmaxwell> I don't want the network to depend on having archive nodes to bootstrap. Esp when there will be plenty of users happy to donate more disk space but not as much as a full archive.  Archive nodes, if that's all we have, will be quite costly to operate... and I can reliably predict people will start saying "more people should use SPV nodes" as an answer to archive nodes being totally saturated.
15:40 < gmaxwell> People should be able to pick the disk space they donate to the network continuously from utxo only all the way up to archive.
15:41 < BlueMatt> not sure we need /that/ much flexibility, but chunks of tens of thousands of blocks yea
15:42 < BlueMatt> would be interesting to split that off into a separate bootstrap network
15:44 < gmaxwell> yea, I just want nodes to be able to signal a single range in addition to a range from top.
15:44 < gmaxwell> More ranges would be nice but I don't think they're important.
15:46 < gmaxwell> e.g. a service flag that says it keeps the last 2016, and a range that it has 120000-160000.
15:47 < petertodd> warren: keepbitcoinfree.org
15:48  * BlueMatt :(
15:48  * BlueMatt isnt opposed to making most bootstrap on some 3rd party network
15:48 < petertodd> BlueMatt: btw you may want to argue over email with me - I won't be on irc much in the next week
15:49 < BlueMatt> meh, we clearly fundamentally disagree
15:49 < BlueMatt> not sure arguing helps any there
15:49 < petertodd> not surprising
15:49 < petertodd> after all, it's not a technical decision, it's about what you value in bitcoin
15:49 < BlueMatt> not really
15:49 < BlueMatt> well, at least not the way that video presented it
15:49 < BlueMatt> in the extreme, sure
15:50 < gmaxwell> BlueMatt: just be really careful that you're not treating "other network" as magic. There are reasons why you can do this better with integration with our network, as well as by knowing about the data you're working with.
15:50 < BlueMatt> gmaxwell: meh, its easier to treat it as magic...
15:50 < petertodd> it was really interesting being at the developer round table, talking about scalability stuff, and when it was over a half dozen argentinian investors surrounded me with questions - they were extremely concerned about centralization and anonymity
15:50 < BlueMatt> but, no, yea it makes more sense on our network, but it would have to be half-separated
15:51 < BlueMatt> petertodd: I have no doubt that scare-videos scare people...
15:51 < gmaxwell> BlueMatt: our trackerless torrent hardly works, requires a weakly trusted party to give you the torrent ID (and wastes your time/bandwidth if it's wrong). External network doesn't make it trivial for bitcoin participants to turn a knob to control their contribution level, unless we bundled the third party network software and increase our attack surface. File trading protocols get people banned from some networks for reasons unrelated t
15:52 < BlueMatt> gmaxwell: yes, this is why it does actually make more sense to put it on a standard bitcoin p2p network
03:43 < Taek42> I was wondering if it would be possible to build a higher-level lanugage on bitcoin script
03:43 < Taek42> right
03:43 < Taek42> Imagine a C-like that output bitcoin-script instead of assembly
03:43 < stonecoldpat> michagogo|cloud: jesuscoin i love it
03:43 < justanotheruser> Yes, it wouldn't be turing complete, but it would allow for turing complete scripts that get cut off if they run too long (so pseudo-turing-complete)
03:44 < justanotheruser> well not cut off, but only be accepted if they have a limited run time
03:44 < Taek42> As long as you have a reliable way of measuring where the scripts get cut off
03:44 < Taek42> because all hosts would need to agree if a script took too long to terminate
03:44 < justanotheruser> Taek42: it would be like measuring where transactions get cut off. The miners determined it
03:44 < justanotheruser> (in terms of size)
03:45 < Taek42> hmmm
03:47 < justanotheruser> The transactor could say how many cycles the script should take in the header. If it takes more than that, then the miner can spend the transaction themselves maybe? (This is the best way I can think of preventing DoSing miners with large scripts
03:47 < justanotheruser> I suppose that would limit the ability to give people scripts that they can spend later though
03:48 < justanotheruser> well actually nvm the statement directly above this
03:48 < justanotheruser> you should build these scripts so they can't run arbitrarily long, otherwise someone will donate the tx to miners
03:49 < justanotheruser> nsh: Are you saying this system would hurt stability of the price?
03:50 < nsh> not necessarily, just that things tend toward instability as the degrees of freedom increase
03:51 < justanotheruser> nsh: when you say degrees of freedom do you mean it in the mathematical sense, or could I substitute degrees with amount?
03:51 < Taek42> nsh I'm not sure I agree with that
03:52 < nsh> mathematical, but perhaps i'm wrong
03:52 < nsh> certainly in mechanical dynamic systems you are more likely to exhibit chaotic behaviour when you have more (dynamically coupled) degrees of freedom
03:52 < justanotheruser> nsh: could you explain what a degree of freedom is in these terms then?
03:53 < nsh> "In mechanics, the degree of freedom (DOF) of a mechanical system is the number of independent parameters that define its configuration. It is the number of parameters that determine the state of a physical system"
03:53 < justanotheruser> nsh: Are you saying bitcoin price would be more stable if it didn't have p2sh?
03:53 < nsh> no
03:54 < justanotheruser> doesn't p2sh add a DOF?
03:54 < nsh> the price stability derives from the network stability, which derives from everyone's behaviours being constrained (by "enlightened self-interest") to keep things working in some defined manner
03:55 < nsh> yes, but you're making stronger assertions :)
03:55 < Taek42> depends on what you mean by network
03:56 < justanotheruser> nsh: Does another DOF hurt network stability?
03:56 < Taek42> bitcoins price instability derives from the fact that the volume in circulation can't adjust to the demand
03:56 < Taek42> and the demand has been all over the map
03:56 < nsh> justanotheruser, depends
03:56 < nsh> what i proposed was that as the number of DoFs increases then the entire system _tends_ towards more unstable behaviour
03:57 < justanotheruser> hm
03:57 < nsh> to go from that to saying adding one DoF neccessarily increase instability requires some additional evidence
03:57 < justanotheruser> I'm not sure if I agree with you. I don't think it makes in less stable unless it makes it less secure
03:57 < nsh> and anyway, i'm probably just smoking crack
04:00 < justanotheruser> Another advantage I see in this is a limit on CPU intensive scripts. No longer will we have to worry about transactions that take a long time to validate but are inexpensive because they take up little physical space
04:19 < sipa> the reason why turing complete scripts are a bad idea is because you cannot determine the cost of running without running
04:19 < sipa> even if it's not actually turing complete and limited to some high amount of cycles
04:21 < nsh> which means easy DoS attacks?
04:22 < Taek42> If you had it in a sterile environment (no malware issues), I would think that the only problem would be large scripts (too much data) or long scripts (too much runtime)
04:23 < Taek42> wouldn't limiting the cycles prevent that?
04:27 < sipa> if one transaction costs 1000 times more to validate than another, you need pretty good policing to make sure it is disincentivized
04:31 < Taek42> or you could charge each transaction equal to the theoretical limit on how expensive it is
04:31 < Taek42> then the miners will be happy
04:31 < Taek42> or you could wait to charge until you know how many clock cycles were spent validating it
04:35 < sipa> the problem is that mining is constrained by size, so will end up picking transactions with sufficient fee per byte
04:35 < sipa> if you want the same incentive for execution, you need a hard limit per block on validation cost
04:35 < sipa> which complicates optimal transaction selection
09:40 < petertodd> sipa: I really don't see what the big deal is; you have to execute the script anyway yourself to validate that the transaction is valid. Adding opcode counters to Eval() isn't a big deal.
09:40 < petertodd> sipa: sure there's some theoretical static analysis stuff you could do, but it's consensus critical - keep it simple and stupid
09:53 < andytoshi> petertodd: suppose i make a script which has fee for 100000 iterations, but runs for 100001, so it can't validate
09:53 < andytoshi> is there a nice way to prevent a DoS along those lines?
09:54 < petertodd> andytoshi: probably not, but at least that's a local DoS attack - lots of those
09:55 < petertodd> andytoshi: anyway, a script can't exceed the limit for a whole block by definition, and block propagation has to be fast, thus it can't be that much of an issue
09:55 < andytoshi> yeah, fair enough, i guess people are free to make IsStandard reject anything that might take too long for their system
09:55 < andytoshi> also a good point
09:55 < petertodd> andytoshi: yup
09:56 < petertodd> andytoshi: and static analysis is all well and good, but like I say, it'd be in consensus critical codepaths...
09:57 < andytoshi> yeah, perhaps it's a meta-problem that people will try to do it if they see a benefit
09:57 < petertodd> lol!
09:58 < andytoshi> the real problem i see with turing-completeness is that the block limits you'd have to put on it are too stringent for anything cool to be done
09:58 < andytoshi> OTOH if we could do snark-validation so only one person (potentially the transactors themselves) ever have to compute it, i'd be happy with it
09:58 < petertodd> yeah, but like I say, until we get SCIP you have to have limits because you have to actually run the code to validate! turing completeness has nothing to do with that
10:22 < gmaxwell> andytoshi: certainly the block limits you'd have to have would be too stringent to do anything interesting if the instruction set weren't very high level, and if we had to assume execution via a very dumb interpreter.
10:22 < gmaxwell> the latter is probably true, the former not so much.
10:23 < gmaxwell> This isn't to say I'm necessarily a fan of turing complete script. I do think getting an execution counter right is hard.
10:23 < petertodd> gmaxwell: just do a MAST design and make sure your MAST hash function is more costly than anything else...
10:24 < adam3us> btw about pegged side-chain, i think the actual spv proven side->main protocol would not need to be run.  its just a threat that it could be run.  cross chain-atomic swaps can do the actual swap.  and market makers can do it.  if volume dries up or mkt maker low on funds he can clear via side->main spv proof.
10:24 < nsh> petertodd, what's MAST?
10:24 < gmaxwell> adam3us: it needs to be run some, but perhaps not much.
10:24 < petertodd> nsh: merkleized abstract syntax tree
10:25 < nsh> ah, ty
10:25 < gmaxwell> petertodd: I don't think it would be efficient to force every branch to be mast, besides loops with unknown depth can't be separately mast-ed.
10:25 < adam3us> gmaxwell: yes.  it depends on the willingness of mkt maker to hold btc funds  someone with big long term btc holdings anyway would be willing to mkt make all-day-long for 0.1% or whatever, its near free risk free money for executing a script.  its a form of interest for btc holdings
10:26 < petertodd> gmaxwell: which is my serious point: turing completeness often gives you more efficient code in cpu and code size
10:26 < gmaxwell> adam3us: I mean, you'd need to have at least one execution to get funds there in the first place.
10:27 < gmaxwell> petertodd: certainly low level opcodes do not.
10:27 < gmaxwell> adam3us: but yea, that was part of my point when we previously discussed. It can be expensive because it's not a primary daily mechanism.
10:27 < adam3us> gmaxwell: agreed.  mkt makers might need to do rare large tx in which ever direction is leading to a liquidity exhausting direction.  but the mkt maker spread should be tiny as anyone holding btc can do it, and they can do it with airgap security if they want trezor/armory so there should be lots of security
10:28 < adam3us> gmaxwell: agreed.  i think everything i just said was in the original thread.  just emphasizing how cool that is :)
10:29 < gmaxwell> sipa: I think you could perhaps resolve the selection complication by just counting each byte as one instruction too, and have only an instruction limit. Then at least the optimization can remain in one dimension.
10:29 < gmaxwell> I still think implementors will totally screw up their instruction counting, esp when slower scripts start driving them to JIT.
10:30 < gmaxwell> it might help if every signature needed to have its final instruction count with it, and they're forced to match exactly.
05:02 < maaku> by reorg attack you mean 51% / 100% attack?
05:02 < petertodd> maaku: oh! actually, this is perfect: voting on the inflation rate naturally has an opposed set of incentives - set a minimum rate, and let people proof-of-stake vote increases in it.
05:02 < petertodd> maaku: or really s/inflation/demurrage/ to make it PR acceptable
05:02 < EasyAt> maaku: I'm curious what warren means by reorg attack
05:03 < petertodd> maaku: which is perfect because demurrage is the only sane way to fund mining long-term (+ tx fees, but never only tx fees)
05:03 < warren> maaku: lots of the little pure PoW coins seem to come under reorg attacks often
05:03 < warren> but I never hear of it happening to freicoin
05:04 < petertodd> maaku: I suspect with rates like 0.1% to 3-5% the loss per year is low enough that users may be willing to vote it up, which is fine, and gives some agility to attacks that might do some good.
05:05 < EasyAt> petertodd: Is it still demurrage implies the value is being redistributed to miners whether the currency is transferring or not.
05:05 < maaku> petertodd: we haven't found a way to auto-regulate demurrage rates, or voting scheme which doesn't assume the electorate is altruistic macroeconomics professionals
05:05 < EasyAt> As in you have a tax just for holding and not moving currency
05:06 < EasyAt> inflation essentially
05:06 < maaku> hence the fixed 4.9% ... a fluctuating rate would actually be ideal, but I don't know how to do that securely and safely
05:06 < maaku> EasyAt: no, it's a fee on all money, fullstop. moving or hoarding doesn't make a difference.
05:06 < EasyAt> interesting
05:06 < EasyAt> So no penalty whether you move or hold
05:07 < maaku> well, the same penalty i guess
05:07 < maaku> warren: we've not really been subject to such attacks
05:07  * maaku knocks on wood
05:07 < maaku> but really it makes no difference what pow algorithm you use
05:07 < warren> I know
05:07 < maaku> i assume you're talking about 51% attacks
05:07 < warren> yes
05:07 < petertodd> maaku: right, but my point being, the worst outcome is the rate drops down to some low minimum value hopefully high enough to keep attackers at bay indefinitely. The best outcome is that if it looks like miners do need more incentive, human altruism can do some good. Will that happen? Who knows, but the downside is just technical risk.
05:07 < EasyAt> Is a reorg attack a 51% attack? or something very similar
05:08 < maaku> warren: long term, we're moving to merged mining
05:08 < EasyAt> maybe less hash stake than 51% but getting lucky and reorging in your favor?
05:08 < warren> EasyAt: You don't need 51% to do a "51%" attack.
05:08 < EasyAt> warren: that's what i mean
05:09 < EasyAt> maybe less hash stake than 51% but getting lucky and reorging in your favor?
05:09 < EasyAt> is what i said
05:09 < maaku> petertodd: if the goal is just to provide limited income to miners, that's a good strategy. i could see it reaching steady-state at the security & profit  break-even point (but maybe there are some game dynamics at play too)
05:09 < maaku> but with freicoin, the desire is 0% basic interest, which I don't believe such a scheme would achieve
05:11 < maaku> warren: we have done the easy stuff (fix time traveller bug, no asymmetrical diff adjustment, etc.), but also we have a much faster acting (but stable!) FIR-filter difficulty adjustment algorithm
05:11 < maaku> so that also helps
05:13 < petertodd> maaku: thing is you don't care about profit, you just care that a given % of the total value of the coin goes to paying for hashing power guaranteed.
05:13 < petertodd> maaku: I'm not seeing how that turns into game dynamics assuming reasonable decentralization
05:16 < maaku> petertodd: so in freicoin there are two knobs to tweak: (1) the demurrage rate, and (2) how much of that goes to the miners (vs other distribution mechanisms, such as the above-mentioned 'republicoin' proof-of-stake voting)
05:17 < petertodd> maaku: right, where I'm proposing a system with just knob #1
05:17 < maaku> i can see how a secure voting mechanism could lead to the latter (although I don't have such a protocol, yet), but not the former
05:17 < maaku> yeah i figured you don't care about the other aspect, but that's the context in which I'm working on this
05:17 < petertodd> no, I think it's the other way around, because the former have opposite incentives than the latter, guaranteed. (assuming no external attack threat)
05:18 < petertodd> after all, miners can always refuse to mine a transaction due to too-low fees - refusing to mine because of too-low % vote is not much different
05:18 < petertodd> and if anything, that's much less likely to be gamed in many senses
05:18 < maaku> i think that's what I meant - it's late here, i must have switched them in my mind
05:18 < petertodd> ah good
05:19 < petertodd> speaking of, I proof-of-stake vote all the demurrage to myself
05:20 < maaku> i expect you could construct a voting scheme for regulating the rate of income given to miners, I don't think a voting scheme would work to set demurrage rate at what is necessary to achieve 0% basic interest
05:20 < petertodd> "0% basic interest"?
05:21 < maaku> petertodd: do you have majority stakeholder vote?
05:21 < petertodd> maaku: not yet, but the moment I do it's a tipping point...
05:21 < maaku> we're anticipating that if we structure the elections properly, we will have competing factions that form governments, and the real-world outcome is that you won't get 51% votes to "pay ourselves"
05:22 < maaku> i'd like to formalize that argument before we deploy though
05:22 < petertodd> yeah, probably true enough
05:22 < maaku> hence the name "republicoin"
05:22 < petertodd> I'd sure as hell formalize it - just look at all the screwy things with incentives that have been found lately
05:22 < maaku> yeah
05:23 < maaku> basic interest == liquidity premium, when we're talking about currency
05:23 < petertodd> rght
05:23 < petertodd> *right
05:27 < maaku> Gesell wrote several monographs showing how the parasitic behavior of the financial industry and government, and the ruinous effect that has on society is due to the liquidity premium
05:27 < maaku> https://www.community-exchange.org/docs/Gesell/en/neo/
05:28 < maaku> so the experiment of freicoin is: set the liquidity premium = 0%, and see if that helps create positive economic incentives, as predicted
05:29 < petertodd> ...and the experiment you actually have wound up running, is will cryptocoin people ever adopt anything with demurrage?
05:30 < maaku> haha, surprisingly the answer is a mild yes
05:30 < maaku> but no, we've been targetting groups outside of bitcoind
05:30 < petertodd> indeed, and I wasn't saying that in a negative way! I'm quite happy to see *that* experiment happen even if I don't give a damn about economic theory :)
05:31 < maaku> while most freicoin users may have heard of, downloaded, and maybe used bitcoin, most of them did not become active until they got involved with freicoin
05:31 < maaku> and we've mainly been reaching out to monetary reform groups, which surprisingly haven't heard of or done anything with bitcoin either
05:31 < petertodd> there were some occupy types adopting it or something similar IIRC?
05:32 < petertodd> and agreeing to use a decentralized demurrage cryptocurrency is wonderfully democratic
05:32 < maaku> we framed the original crowdfund campaign in the language of occupy, but surprisingly there was very little interest
05:32 < maaku> we've seen interest peak the most in the regional/community currency movement
05:32 < petertodd> huh, too abstract maybe
05:33 < maaku> possibly, or maybe even too concrete. the problem with occupy is that they all have agreement on the problems, but 100 protestors have 101 different solutions in mind
05:33 < maaku> this wasn't the solution any of the occupy people we talked to had in mind ;)
05:34 < petertodd> did they add it to their mental solutions list? because if so you added to the problem :P
05:35 < petertodd> you know, one of the annoying things about crypto-currencies is how the basic dynamics of proof-of-foo make experimentation hard - normally a small currency experiment might be worthless, but it is secure
05:36 < maaku> you'd think it'd be a perfect match though - occupy prime problem is the banks that control directly or indirectly so much of our society. gesell's basic thesis is that liquidity premium is the root cause of that. problem identified, solution provided...
05:36 < petertodd> "wtf is liquidity premium? sounds like something a banker would talk about"
05:36 < maaku> heh
05:37 < petertodd> I'm glad that you're self-aware enough to laugh at that!
05:40 < maaku> Well I (and Gesell) are not anti-banker - gasp! Gesell is totally a free-market capitalist, and so am I.
05:40 < maaku> What Gesell is against is the unfair advantage banks have, and how they naturally use that advantage to ill gain
05:41 < maaku> He then goes to considerable length in showing how that advantage is exactly equal to "basic interest" - that interest which remains after you subtract out the risk premiums, time preference, etc.
05:41 < petertodd> yeah, of course, monetary issues aside, understanding credit risk is something where scale leads to bigger profits
05:41 < maaku> So neutralize that, and you've got a level playing field - banks want to loan to you just as much as you need them
05:42 < petertodd> rick premiums aren't easy to measure after all
05:42 < petertodd> *risk
05:42 < maaku> yeah they're not
05:43 < maaku> but people who have money should be entitled to the reward of taking that risk
05:43 < maaku> they just shouldn't be entitled to that reward... + 5% for absolutely no reason
05:44 < petertodd> right, otoh if the cost of figuring out that premium works out to be 5%, well, what's the difference exactly?
05:44 < petertodd> real world will be somewhere in between, but it might not make such a big difference is my point
03:27 < petertodd> I had a scar for ages myself on my thumb due to a photoflash circuit...
11:19 < jgarzik> petertodd, random note, perhaps obvious: USB and PCI traffic may be observed, just like ethernet traffic
11:19 < jgarzik> (recalling conversation a while ago)
19:57 < petertodd> So I think you can do compact NI proofs of colored coins: suppose I have a tx with two colored coin inputs, each worth 1BTC.
19:58 < petertodd> I just need to select one of those txins randomly, and prove (via a proof back to genesis) that it's a real colored coin txin.
19:58 < petertodd> Now if I try to make a false tx proof, with only one real input, I have a 50:50 chance of destroying my colored coin output by spending it to an invalid transaction that doesn't have a valid proof, so when you add it all up I can't get ahead.
19:59 < petertodd> The same applies for n inputs, and equally inputs that aren't equal in value provided I select the inputs in a weighted random fashion.
20:00 < petertodd> As for the random number, the best I can think of is to take the next n block hashes, compute hash % n, and take the mode to select the input I prove.
20:00 < gmaxwell> meh, it's 50:50 for the cheater though. He doesn't care if four steps down the new NI proof catches the cheating.
20:01 < petertodd> Well, this is the thing: every proof is a full path all the way to genesis of one txin - I don't think I can do better than that. But at least it's just one path, O(n) size.
20:02 < gmaxwell> right but the cheater has 50/50 odds of winning in their cheat.
20:02 < petertodd> Sure, but their expected return is still zero.
20:02 < petertodd> slightly negative including fees
20:03 < gmaxwell> oh because it destroys their coin if they lose.
20:03 < petertodd> exactly
20:08 < petertodd> Now, see this works especially well with mastercoin, because every tx sends a fee to the exodus address.... :/
20:10 < gmaxwell> I think it only does that because ... thats basically the only mental tool that they have available to identify the mastercoin transactions.
20:11 < petertodd> yeah.... as you may have guessed I'm the guy who offered to write them a proper spec
20:11 < petertodd> I don't have high hopes :/
20:15 < gmaxwell> Well, I think you hurt their feelings, since I got a PM asking for feedback on their crazy checkmultisig stuff, saying that you were demanding a lot of money to tell them the flaws in it. :P
20:15 < sipa> heh, i got the same mail :)
20:15 < petertodd> I'm not exactly surprised. Though he's remarkably friendly to me.
20:15 < sipa> they told me it was you
20:16 < petertodd> Lol, technically I haven't talked about money yet...
20:17 < petertodd> I'm *really* not happy with how he's going about it all, on the other hand, I don't think he's a bad guy, just naive and clueless.
20:17 < petertodd> Not his fault the community is crazy.
20:17 < sipa> he certainly doesn't strike me as a scammer
20:18 < petertodd> Me neither, but I also don't think he's going to wind up making something worth a half million...
20:24 < gmaxwell> sipa: they told you it was me? or that it was peter?
20:24 < sipa> peter
20:25 < sipa> they didn't tell you?
20:25 < gmaxwell> oh yea, sure, and I didn't disbelieve it. I think I said that I wasn't super inclined to give them free consulting as I viewed what they were doing was harmful to and competitive with bitcoin.
20:28 < petertodd> gmaxwell: I told him I wasn't as worried about UTXO harm, as I was about the whole thing blowing up and going no-where because it's a bad idea.
20:29 < gmaxwell> That was also my conclusion after it was mentioned they were using a bc.i wallet... I dunno if I said that on the forum. I feel really bad, I suspect everyone involved is just hopeful but misguided.
20:30 < petertodd> Yup. I was pretty harsh in my first post - I wouldn't have in another situation - but given the money involved it deserved bluntness I think.
20:30 < midnightmagic> International journal of network security & its applications is the shittiest online journal I've ever had the displeasure of grovelling through.
20:30 < midnightmagic> (sorry for the interruption)
20:37 < gmaxwell> Yea, indeed, the fact that they were soliciting (and received) a ton of money also reduced my typically overwhelming level of charm.
20:38 < petertodd> An amount of money that makes me more than happy to ask for some too.
21:03 < gavinandresen> "give me money and I'll tell you why your idea sucks" is never going to make friends, though.
21:04 < petertodd> Meh, what I was offering to design wasn't his idea actually. (the tx encoding)
21:26 < jgarzik> hah
21:26 < petertodd> jgarzik: ...says a lot about the project...
22:06 < warren> didn't ecocoin offer money for a security audit?
23:31 < amiller> hm.
23:34 < amiller> you know, my approach would basically end pooled mining
23:34 < amiller> anyway, i have been struggling with this zero knowledge proof of work signature thing
23:34 < amiller> all the straightforward things i came up with just using discrete log tricks don't really work
23:35 < amiller> the ones you can do zero knowledge over directly aren't good crypto hash functions
23:35 < jgarzik> amiller, ending pooled mining would be fine, though it will never happen due to inertia ;p
23:36 < amiller> jgarzik, well if my doom&gloom prediction comes true and hosted mining starts to catch on...
23:36 < amiller> it would be good to have a solution in store!
23:36 < amiller> anyway so i know i can use Pinocchio (or TinyRAM) to do zero knowledge proofs of work generically
23:36 < amiller> the downside is it takes a long ass time to construct the proof, even if verification is pretty efficient
23:37 < amiller> so...
23:37 < amiller> the clever way out is that the use of this zk proof of work is really only needed as a special device to prevent hosted mining
23:37 < amiller> you have to have the "option" of doing a zk PoW, but ordinary users wouldn't actually have to take that option
23:37 < amiller> you can decide after the fact
23:38 < amiller> empirically it would take about 1 minute to produce the zk PoW for 2xSHA256 using pinocchio
23:38 < amiller> it could be parallelized too
23:38 < amiller> if it's only meant to prevent cloud mining, then it only has to be plausible for a cloud service provider to take that option!
23:40 < nanotube> people already trust pools not to skim/steal. what people /won't/ trust is other miners not to steal. so to really end pooled mining you have to enable other miners to appropriate more than their fair share (or steal entire blocks)
23:41 < amiller> stealing entire blocks is exactly what i'm suggesting
23:41 < nanotube> stealing by pool operator, or by fellow peer miners?
23:41 < amiller> by fellow peer miners
23:41 < nanotube> ah, in that case... carry on. :)
23:42 < nanotube> i just saw you said that a "cloud service provider" can do something, so i assumed that wouldn't include a random fellow miner.
23:42  * nanotube hasn't really been reading this discussion :)
23:43 < amiller> normally you commit to your transactions before you do the mining
23:43 < amiller> but to prevent outsourcing, i want to make it possible to bind to transactions after the fact
23:44 < amiller> also to use the proof of work without revealing anything about the nonce or extranonce you used, all of which might make the work 'detectable'
23:44 < amiller> to prevent outsourcing, there has to be a "perfect temptation" for the miner to claim the work for itself without any risk of getting caught!
23:45 < amiller> basically i'm recommending using the TinyRAM or Pinocchio zero-knowledge-proofs-for-C things
23:45 < amiller> as an alternate way of claiming the work
23:45 < warren> nanotube: solution withholding attacks already happen on pools
23:45 < amiller> warren, solution withholding isn't as good a threat as solution-stealing
23:47 < nanotube> warren: yes, but you don't get any money if you withhold.
23:47 < nanotube> and griefing with no profit (or even a small monetary loss) is practically speaking not a realistic threat.
23:48 < warren> nanotube: it works on competing PPS pools
23:49 < nanotube> well, define 'works'. does anyone actually make any money out of it? :)
23:49 < nanotube> sure you can drive a pool out of business with this. but that's about it.
23:50 < nanotube> amiller: yea, miner being able to grab a solution for himself by ex-post attaching himself as payout would be just right. :)
23:50 < warren> nanotube: I'm just saying that's what happens
23:51 < nanotube> well sure, but as an individual miner, i don't have to care about it. if my pool goes out of business, i just move on.
23:51 < nanotube> (as long as i set up autopayouts to be relatively frequent :) )
23:52 < warren> an interesting phenomenon now is "switch mining"
23:52 < warren> all the coins using the same hash have pools that transparently switch to a different chain that is more "profitable" at that moment
23:52 < warren> causes huge swings of strip mining and stagnation
23:53 < nanotube> hehe nice
23:54 < warren> forget about "51%".... 5000% can be pointed at a target
23:55 < warren> that's why you see them deploying centralized broadcast checkpoints now
23:56 < nanotube> so in other words, being a latecomer with the same hash, you can no longer be decentralized like bitcoin eh
23:56 < nanotube> talk about first mover advantage eh
23:57 < warren> there's a great many scrypt clones based on 0.6.3 now
23:58 < nanotube> hmm
23:58 < warren> and others are deploying with scrypt-jane or other hashes
23:58 < nanotube> the floodgates have opened
--- Log closed Tue Sep 17 00:00:46 2013
--- Log opened Tue Sep 17 00:00:46 2013
00:04 < amiller> the sad thing is i'd like to actually support pooled mining
00:04 < amiller> like if people's motivation is to lower their variance, there's nothing bad about that
00:04 < amiller> especially if they have their own hashpower
00:04 < amiller> it actually supports decentralization to support something like that
05:37 < gmaxwell> mappum: not at all, in fact. go try fetching the bitcoin blockchain torrent with no trackers.
05:37 < petertodd> gmaxwell: I've got enough older friends to be scared shitless in an exestential way already...
05:39 < mappum> interesting
05:42 < gmaxwell> mappum: bittorrent dht is mostly fail, it works .. kinda.. for very large swarms that can also do peer exchange, but mostly it just ends up helping people find other trackers. For small swarms it'll often spin finding nothing even when it's not getting attacked.
05:42 < gmaxwell> It made sense in the bittorrent model because it was just enough more to make it so that you couldn't kill one (or a couple) original trackers and take out a swarm.
05:43 < midnightmagic> lol
05:43 < midnightmagic> you're never getting away from dhts are you
05:43 < gmaxwell> http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/16#l1334585717
05:44 < mappum> sorry, i didn't know it was such a hot button D:
05:44 < midnightmagic> haha
05:45 < gmaxwell> meh, it's not a hot button, it's just .. common. Well, not in #wizards.
05:45 < gmaxwell> But there was a period of time when we couldn't go days without someone joining #bitcoin-dev and responding to the very first thing they heard with USE A DHT.
05:45 < midnightmagic> mappum: the endless, endless stream of users who come in to #bitcoin and insist we adopt dht rather than dns/irc for initial peer discovery is really astounding. it's just a running joke is all. no worries man.
05:46 < petertodd> mappum: pro-tip: suggest fidelity bonds instead, like a fidelity-bonded DHT
05:46 < gmaxwell> or instead of *, you name a technical challenge we've had in the bitcoin ecosystem and someone has suggested a DHT to solve it.
05:46 < gmaxwell> Signature validation slow?  Use a DHT.   etc.
05:47 < mappum> well i'm glad, i hadn't thought about the vulnerabilities. i'll have to think about making mine sybil-proof and manipulated-hash-proof
05:48 < gmaxwell> in your case, I don't see how a dht ID helps you. the pool would just store all the data for all the dht IDs. and could just produce work for any of them (assuming there was even an incentive in the system to not just have one ID)
05:48 < mappum> right, i realized that's not the solution, i'm just too tired to do the thinking right now
05:48 < gmaxwell> The nearest thing I've seen to a strong DHT system is cjdns.
05:48 < gmaxwell> and it uses the 'dht' only for routing.
05:49 < gmaxwell> maybe freenet, though freenet is ... uh.. really lossy.
05:49 < petertodd> gmaxwell: yeah, though being lossy is part of how they handle spam
05:49 < gmaxwell> and freenet opennet is not secure, while freenet darknet and cjdns are rather similar in many respects.
05:50 < gmaxwell> right, freenet works, but mostly because it doesn't promise very much. :P
05:50 < petertodd> gmaxwell: though freenet opennet is not secure in the same sense that tor isn't all that secure either...
05:50 < petertodd> gmaxwell: underpromise and... deliver
05:51 < gmaxwell> petertodd: I mean, opennet has some trivial sybil vulnerabilities. Tor doesn't but only because of the centralized directory authorities.
05:51 < gmaxwell> darknet freenet loses the sybil risk for the same reason cjdns does. the users are expected to not select sybil peers.
05:52 < petertodd> gmaxwell: right, although I'm not sure the directory authorities actually help that much - they can't know if someone is logging
05:52 < petertodd> gmaxwell: they are only able to keep the system safe from sybils attempting to make Tor not function
05:57 < petertodd> gmaxwell: oh, speaking of, i2p has hashcash on their todo list: http://www.i2p2.de/todo
05:58 < gmaxwell> hashcash, in java, tm.
05:59 < petertodd> gmaxwell: heh, Bitcoin sacrifice is the only sane way to do it
06:10 < adam3us> btw sdl (sergio damien lerner) claims to have an efficient unpublished anonymity solution https://bitcointalk.org/index.php?topic=305791.msg3733685#msg3733685 which he has not published for year for "ethical reasons"??
06:11 < petertodd> SDL is weird...
06:13 < adam3us> petertodd: my response "I'd sure publish it immediately if I had figured it out and feel I did a good thing for society." and "Personally I think gambling has far more ethical worries than users being able to transact privately with something approaching the analogous already existing levels of privacy in other systems.  For some people gambling becomes a near ruining addiction."
06:13 < petertodd> adam3us: you're doing well with these responses lately you know
06:14 < gmaxwell> adam3us: s/some/many/
06:14 < gmaxwell> it's shocking.
06:14 < adam3us> petertodd: (his phd thesis is about fair poker) and i think he looked at anonymity because he wanted to reduce scope for gaming collusion where you can cheat
06:14 < gmaxwell> in any case, IIRC the appecoin thing was he basically proposes you make the entire txout set a reencryption mix and every miner reencrypts it every block or something.
06:15 < petertodd> adam3us: was eye opening a few months ago when I mentioned that satoshidice wanted to hire me for some analysis to my boss, and he thought doing so was totally unethical based on it being gambling - he wouldn't have raised an eyebrow if I'd told him DPR wanted to hire me
06:15 < gmaxwell> (which is a protocol you'd expect from a guy who did research on mental poker)
06:15 < adam3us> gmaxwell: hmm that doesnt sound so good for end2end privacy, its trust me privacy with the current random block winner?
06:16 < gmaxwell> (e.g. the same way that you shuffle in some poker schemes)
06:16 < adam3us> gmaxwell: y'know maybe i vaguely read that in something he wrote now you mention it
06:16 < gmaxwell> adam3us: well sort of, they shuffle the _whole_ utxo set, so even though each block winner knows his mix, the set of all block winners is presumably strong.
06:16 < gmaxwell> unless mining has become 100% centralized.
06:17 < gmaxwell> (or unless people are bribing miners for permutation lists)
06:17 < petertodd> gmaxwell: needs to be some way to make releasing the permutation list risky, like if you could somehow use that info to steal the block reward
06:17 < gmaxwell> but of course, reshuffling the whole utxo every block (or even every N blocks) is completely unrealistic.
06:18 < gmaxwell> and the cut and choose proofs required to show that the shuffle was fair wouldn't be small. (well perhaps, I did post some optimizations which might help, at the cost of making them expensive to verify)
09:04 < adam3us> gmaxwell: yes i think having shuffling miners do a provable encrypted shuffle of utxo (or a subset of it) is interesting, i meant its not as secure as blinding like zerocoin which can be unconditionally secure anonymity (and doesnt rely on trust of a random, though growing over time, collection of miners)
17:07 < phantomcircuit> gmaxwell, *cough* https://github.com/mycelium-com/wallet/issues/9
17:10 < gmaxwell> phantomcircuit: thanks, bleh. https://github.com/mycelium-com/wallet/issues/9#issuecomment-29424301
17:10 < gmaxwell> I don't understand why this particular BIP got a firestorm of attention recently.
17:11 < gmaxwell> phantomcircuit: on that subject, your commentary on https://bitcointalk.org/index.php?topic=258678.0 would be helpful.
17:11 < gmaxwell> jrmithdobbs: as would yours.
17:14 < phantomcircuit> gmaxwell, im not sure my understanding of ECDSA is strong enough to usefully comment on it but i'll give it a read anyways
17:14 < gmaxwell> phantomcircuit: it's all symmetric crypto.
19:42 < midnightmagic> btw, the public domain assertion in that hd wallets-with-optional-encryption is a potential law-bomb.
20:06 < sipa> ?
20:15 < midnightmagic> sipa: there are many places where assigning something to the public domain isn't possible, and doesn't serve as a disclaimer of rights. apparently. it has to be something more, like "this work can be used for any purpose, by anybody, forever. also at your own risk blah blah. also we grant you royalty-free use of any of our applicable patents blah blah we promise not to patent-troll you later blah blah."
20:15 < midnightmagic> it's why OSI rejected the copyright commons 0-license
20:19 < gwillen> midnightmagic: er, the whole point of the commons-0 license is to have that wording in it
20:19 < gwillen> where you put it in the public domain if you can, and if not you grant all rights to everybody forever etc. etc.
20:20 < midnightmagic> gwillen: The lack of patent language killed it. http://opensource.org/faq#public-domain
20:20 < gwillen> midnightmagic: I'm reading the faq right now, it appears that the opposite is true
20:20 < gwillen> midnightmagic: what killed it is that there _was_ patent language
20:20 < gwillen> that specifically said patent rights are _retained_
20:21 < gwillen> and apparently OSI thought that was worse than licenses that don't mention patents at all
20:22 < midnightmagic> Right.
20:22 < midnightmagic> "We retain the right to sue you into oblivion whenever we want."
20:22 < gwillen> *shrugs*
20:22 < gwillen> it seems like a minor thing to me
20:23 < gwillen> since it's very likely that patent rights are in fact retained when using an actual public domain dedication, where possible
20:23 < gwillen> or a simple open source license
20:23 < gwillen> e.g. when using the MIT license which I think has no mention of patents at all
20:28 < phantomcircuit> http://hackingdistributed.com/2013/11/27/bitcoin-leveldb/
20:29 < phantomcircuit> warren, gmaxwell ^
20:30 < warren> yeah
20:32 < phantomcircuit> if that's really leveldb's mmap strategy
20:32 < phantomcircuit> that is retarded
20:34 < cfields> phantomcircuit: agreed. It seems very inefficient and dangerous to me.
20:34 < phantomcircuit> tbh most everything about the implementation of leveldb seems insane to me
20:34 < phantomcircuit> such as journal entries not having sequence numbers
20:34 < gwillen> it does seem odd to me that munmap doesn't flush
20:34 < gwillen> that's really weird behavior
10:36 < pigeons> well i know a few miners who see the control they exert as protecting the network from things like spam transactions
10:36 < adam3us> jtimon: so even their reward would be lost
10:37 < pigeons> and things like the address-reuse deprioritization wouldnt be possible i suppose
10:37 < jtimon> how and why would users ignore censor miners and how they find out what blocks are censored?
10:38 < adam3us> pigeons: the fact that we have pools at all people seem to think was an unfortunate unforeseen technology limitation.
10:39 < jtimon> well, my argument is the same that with the ghash.io topic p2pool/Eligius pools are not a problem
10:39 < adam3us> jtimon: well thats the objective, to arrange that this would happen.  for it to happen unfortunately i think only committed-tx can be considered valid.  or all clients have a button in them or a switch over mechanism that public tx can be disabled in event of widescale problems
10:39 < adam3us> jtimon: its a technical insurance policy or threat.
10:40 < jtimon> I think inputs-only transactions would have a similar anonymity effect and they seem more scalable to me
10:40 < pigeons> its a shame it seems like its not technical limitations keeping p2pool adoption from increasing as much as places like ghash
10:40 < jtimon> and also more "compatible" with regular txs
10:40 < adam3us> jtimon: how does that work?  do u mean where the output is p2sh so the miner cant tell who it is being paid to?
10:41 < pigeons> and its not technical limitations why stratum is much more widespread than gbt
10:41 < pigeons> but yeah the limitations existed at the time pools emerged and grew
10:41 < adam3us> pigeons: ghash also has lots of hw in their datacenter.  but the herd mentality that gets people to give % of their mining reward to miners when it is not necessary is strange yes.
10:43 < adam3us> jtimon: if inputs-only means output addr is obscured via p2sh i think its significantly weaker mechanism.  most of the policy relates to history not static receipt address censor.  its easy to make new addresses (or sender derived address like stealth)
10:43 < jtimon> adam3us: this is ptertodd's very open design https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
10:44 < jtimon> but let me summarize the way I see it integrated with regular transactions
10:45 < jtimon> transactions only include inputs, not outputs, and miners only include them if none of the inputs they contain have been seen (you need expiries in the TXI set for scalability)
10:46 < jtimon> the inputs may actually be garbage, refer to outputs that don't even exist
10:46 < jtimon> and all the history of the outputs is transmitted directly between users, it doesn't touch the chain
10:46 < jtimon> makes sense?
10:47 < jtimon> well, I haven't really thought much about interoperating with regular transactions (going from private back to public)
10:48 < jtimon> the main problem here seems to be: how are fees paid?
10:48 < jtimon> and the only answer seems to be pow fees
10:48 < jtimon> petertodd doesn't go beyond that
10:48 < jtimon> I think you could have a regular blockchain
10:49 < jtimon> and optional pow fees
10:49 < jtimon> which miners can somehow "add" to their per-block PoW
10:50 < jtimon> maybe you want to combine it with the "orphan blocks count for the total pow of a given chain" thing on that academic paper
10:50 < adam3us> jtimon: btw the first half of that writeup was stuff i summarized to petertodd (the entanglement, timestamp/namespace/minimum validation required) he could've mentioned it... i didnt read the rest of it before to see the txin proposal.  it seems like a subset of comitted tx
10:51 < jtimon> yeah, seems very similar
10:53 < adam3us> jtimon: he could've alternately written "hey here's some stuff adam told me he explored, and i have another idea why dont we tweak committed tx to expose the txin" :)  i think that is a more accurate summary of what he wrote.
10:54 < adam3us> jtimon: the thing is as i said above probably the bulk of the policy risk is based on the history.  the thing about passing history around off-chain was in the committed-tx writeup
10:55 < jtimon> if he had done that I would have explained the txin proposal to you much faster ;)
10:56 < adam3us> jtimon: and to include clear txt tx-in exposes history.  or alternatively if the txin is unlinkable because its never published (its ambiguous at the end) then what he wrote IS committed-tx
10:56 < adam3us> jtimon: (yeah sorry i was reading the post so i didnt see your explanation above until you wrote quite a bit you were writing while i was reading)
10:57 < jtimon> np
10:58 < adam3us> jtimon: i think gmaxwell said in the committed-tx thread it might nearly but not quite be implementable with script.
10:58 < jtimon> that post of him, reminded me a discussion Ryan and I had about a txid-only chain for one of our ripplecoins
10:59 < jtimon> we wanted to put the powin transactions
10:59 < jtimon> if you made the pow on top of another transaction, the pow was "summed up" (we didn't think in detail about that PoW addition operation)
11:00 < jtimon> so people will commit their transaction on top of the longest chain they see
11:01 < jtimon> and then we needed a git-like merge
11:01 < adam3us> jtimon: yes i was wondering about something like that.  i had a PoW variant with addition, however it is very approximate addition and has variance reduction so creates mining fairness issues.
11:01 < jtimon> but we realized that didn't prevent doublespends ;(
11:02 < jtimon> adam3us: ok, but it's good to know that it's not completely impossible
11:03 < adam3us> jtimon: well ghost protocol could reduce sensitivity to how long it takes to reach consensus (ie not so concerned about orphan rate anymore).
11:03 < jtimon> I think it started here? https://bitcointalk.org/?topic=4382.0
11:05 < jtimon> disclaimer: we were mainly interested in ripple, so we just really wanted a minimal p2p timestamping mechanism
11:05 < adam3us> jtimon: i was thinking of something related that ideally you would like to allow users to direct mine for small reward without pools and ended up with something ghost-like.  i was thinking its too complicated and the incentives looked like they could work but were also more complicated rules, and maybe more bandwidth a bit.  so i thought this is too inelegant. seemingly the ghost authors thought it ok.
11:05 < jtimon> if this tx id gets into the chain before expiry, all the sub-txs in it are valid, otherwise none is valid
11:06 < adam3us> jtimon: i see in the rfugger thread u linked that you and he had a similar idea about building on non-conflicting orphans.  why not indeed, link them all in by reference.
11:06 < jtimon> sorry don't know ghost
11:07 < jtimon> my latest idea as said was that miners added the user's tx-pow to their block pow
11:07 < adam3us> jtimon: there is an academic paper.  they claim if you dont ignore orphans but hash into the coinbase non-conflicting orphans and change a few things you can have faster block interval without convergence problems
11:08 < jtimon> oh, that's ghost? yeah, that's what I meant by "" maybe you want to combine it with the "orphan blocks count for the total pow of a given chain" thing on that academic paper "" earlier
11:09 < adam3us> jtimon: see it seems to me desirable that a user can claim anytime during the 2week retarget period any work of even small value.  then we have less centralization risk.  now a way to do that is separate reward from voting.
11:10 < jtimon> the users reward is getting their transaction into the block, why would they get anything else?
11:10 < adam3us> jtimon: so why not mine on a public key that you use to vote..  then the voting power of the public key is related to the amount of pow on it.  and you can use it with a sort of PoS like vote
11:10 < adam3us> jtimon: i mean not specifically about your per tx pow, but that i wanted to be able to solo mine say 0.01 btc and claim it reliably without needing pools
11:11 < jtimon> what's the purpose?
11:11 < adam3us> jtimon: dislike of mining pool centralization risk :)
11:11 < jtimon> the purpose of mining is validation not distribution
11:12 < adam3us> jtimon: so i tried to explore how could i solo mine.  one answer is to be able to mine for smaller amounts.
11:12 < jtimon> but if you're mining old stuff, why should the network reward you?
11:12 < adam3us> jtimon: agreed.  but maybe it can be a two stage process.  stage 1 mine for small coinbase-like reward, stage 2 use PoS on the coinbase reward to vote for fee reward
11:13 < jtimon> I tend to distrust PoS
11:13 < adam3us> jtimon: u would be mining only your public key.  its a kind of micro-level PoS within the 2 week retarget interval only or something
11:14 < jtimon> in freicoin the retargeting is 9 blocks and if bitcoin ever hardforks I would suggest to update to our filter too
11:14 < adam3us> jtimon: agreed PoS is not economically attractive.  centralization of vote via money instead. not pretty. and many PoS have actual protocol defect to allow mining on multiple candidate blocks in parallel so devolve to PoW
11:15 < jtimon> "mining only your public key" how do you mine "on a public key"?
11:15 < adam3us> jtimon: my idea is not at a working stage, this was just as close as i got .
11:15 < jtimon> oh, I see
11:16 < justanotheruser> Do you think PoS could ever work in a currency?
11:16 < adam3us> jtimon: the idea is mining is like to get the right to vote on what the next block is. so i thought well why cant i mine on a signature key, and then use the signature key to cast a weighted vote.  maybe i can get the same feature but with more flexibility in minimum mining contribution and minimum reward. and so less dependence on pools.
11:17 < adam3us> jtimon: but it tends to have problems.  could i sell the vote.  could i save up voting power for one transaction to double spend it etc.
11:17 < jtimon> ok, now I get the point
04:09 < adam3us> gmaxwell: i guess we could impose some sanity eg reward < 50 as fees are << reward for now - no good thing can come.  i know someone could accidentally spend > 1btc fee but that is probably a mistake
04:10 < adam3us> gmaxwell: local submission could be good for that reason
04:10 < gmaxwell> adam3us: there are blocks with subsidy >> 50
04:10 < adam3us> gmaxwell: but surely thats a costly mistake rather than anything good
04:10 < gmaxwell> I think the record holder is something like 350 or something like that.
04:10 < maaku> people have accidentally spent 100's btc fees
04:11 < adam3us> maaku: right, but its a mistake - you could usefully declare such transactions invalid (some simple heuristic)
04:11 < gmaxwell> in any case, limiting inflation to 25 BTC from space doesn't really help that much. Esp since you can create inflation against spv clients simply by spending inputs that never existed.
04:11 < maaku> adam3us: does it matter? if you don't claim it some other pool will
04:11 < adam3us> maaku: as i understand it miners were gracious enough to refund it, but they would not have to
04:12 < maaku> at least if you claim it you can be kind and offer it back
04:12 < adam3us> maaku: well if its invalid its not even forwarded, your client should reject even sending it - mistakes where people lose large amounts of money are not good
04:14 < adam3us> see its an interesting thing - many people have views and things to say in support of decentralization - maybe there are simple things that could be done to support decentralization (like get users to chose their own block) while using pools to even out luck; or just encourage p2pool if it can take the load
04:15 < gmaxwell> adam3us: well thats the "coinbase only pooling" user chooses their own block, pooling only for the payment.  But it needs some software work: A new GBT extension to say "send me only a coinbase", miner support to merge work from two sources, and poolserver work to accept shares.  ... plus its becoming increasingly hard to get miners to even run bitcoind/bitcoin-qt
04:17 < gmaxwell> (at least coinbase only mining would decouple the choice of policy with choice of income-pooling, even in a world where hashers were still blindly handing over their votes to quasianonymous parties on the internet)
04:17 < adam3us> gmaxwell: that latter thing i was thinking could be combated without a full node, eg get people to get a coinbase feed from somone else (anyone other than a pool)
04:19 < adam3us> gmaxwell: in principle picking a coinbase at random from non-pool entities could be better, though that is sybil attackable.  eg why not pick one from a power user you know who is running a full node, thats far better than trusting a pool; and also i like encouraging that the client locally submit to disrupt selfish stuff
04:19 < gmaxwell> it could be, yes, it's still handing over control... but without the barriers to entry where we seem to always have a mining oligarchy due to the obvious improvements to variance from being with a large pool in a world where miners really have few objective things to guide their decisions.
04:19 < adam3us> gmaxwell: i wonder if people like pools like a form of team-play, leaderboard thing
04:20 < gmaxwell> yes, to some extent, though I think that has mostly passed. It was certainly a big thing in the pre-asic times.
04:22 < gmaxwell> adam3us: I think that a lot of the hashers are basically just "mental bandwidth limited" and are picking "safe" popular choices, and that's why you see them paying remarkably high fees. But I'm guessing. No one is studying this... and I'm not sure how you'd go about doing it.
04:22 < adam3us> was there ever a conclusion to cex.io investigation of the double spend attack?
04:22 < gmaxwell> adam3us: they said they'd look into it, no further comments. Subsequently ghash.io dropped their fees from 3% to 0%.
04:22 < adam3us> (on the satoshi-dice clone)
04:23 < gmaxwell> Just keeping up with the hardware vendors, new products and which thing is the scam of the week could easily be a full time job.
04:25 < gmaxwell> (and ghash.io is the largest pool now, with 27.23% of the hashpower, though its impossible to know how much of that is actually public miners vs just cex itself, or how much of CEX mining power is "owned" by the public, vs internally owned)
04:26 < gmaxwell> In other news, 50btc still claims to have 3.2TH/s, and I think they stopped paying people over two months ago now.
04:27 < adam3us> gmaxwell: so cex.io is both a hosted mining (with public ownership or lease) and a publicly accessible pool?
04:27 < adam3us> gmaxwell: 50btc LOL ha ha
04:28 < gmaxwell> Yea, so the same party owns cex.io and ghash.io. Ghash.io is their mining pool which is available to the public (via a somewhat unfriendly registration process that involves making a cex.io account)
04:29 < adam3us> gmaxwell: bitcoin .. like swift, but where half federated nodes are run by people who dont care, dont read instructions, dont update software
04:30 < gmaxwell> cex.io is a large initially privately owned mining farm, which then created a trading market for selling hashpower to the public (and allowing the public to trade the hashpower between each other). In theory you can pay CEX to derack your hashpower and send you hardware, I'm not aware of anyone having done this. All cex.io hashpower is pointed at ghash.io.
04:31 < gmaxwell> adam3us: they might have cared but they just got scammed by three hardware vendors and are too busy rebooting their raspberry pis and praying that they'll break even.
04:31 < adam3us> gmaxwell: i am just thinking one could separate the luck pooling from the vote pooling.  then any big players keen to disavow centralization could show statistics of where the vote is being used
04:32 < gmaxwell> adam3us: yes, thats the idea behind the "coinbase only pooling" I mentioned before. It's technically simple, just needs some software development, and perhaps some bludgeoning to convince pool ops that they should support it, and miners that they should use it.
04:32 < adam3us> gmaxwell: so terminology coinbase = the pools reward address?
04:33 < warren> adam3us: coinbase tx pays out to any defined address(es)
04:33 < gmaxwell> Coinbase being the reward transaction.
04:33 < adam3us> gmaxwell, warren: ok
04:34 < warren> adam3us: I think only eligius and p2pool payout directly to miners in coinbase tx
04:34 < gmaxwell> The idea is that the pool would just give you the transaction (plus flags for which modifications you were allowed to make to it), and you'd submit shares back.
04:34 < gmaxwell> Other pools have in the past, I'm not sure if any others do right now.
04:35 < adam3us> gmaxwell: well my way of thinking is to be aghast that the pool thinks it has any say - ie the block should contain the pools reward addr (the coinbase) and the rest should be chosen freely by the miner :)
04:36 < warren> gmaxwell: did you already mention the huge coinbase tx issue?
04:36 < gmaxwell> sure, and it could have been that way today, except no one thought of it in 2010. ... back then the example protocol was getwork.
04:36 < adam3us> gmaxwell: i guess its a transfer of the hashcash logic - the coinbase is the resource address, the rest is miner chosen
04:37 < gmaxwell> And a lot of miners even pool operators have only a very limited understanding of how this stuff actually works, so the idea that you could split up the decisions from the payment pooling was not obvious to people.
04:37 < adam3us> *** depressing state of affairs, tolerated with cynical dark humor by all
04:37 < gmaxwell> (or that you could make decentralized pools)
04:37 < gmaxwell> and now we have inertia _plus_ centralized systems are always easier.
04:39 < adam3us> i wonder if there could be an engineered dis-economy of scale, just enough to disrupt stupidity, centralized
04:39 < gmaxwell> adam3us: Well there is amiller's anti-cloud-hashing idea, but it's a bit rocket sciency, both economically and technically.
04:40 < adam3us> gmaxwell: it didnt quite work also if i recall
04:40 < nsh> (also in the sense that it uses rocket engines)
04:41 < gmaxwell> Amiller suggests that if the network would accept instead of a block you submit a zero knowledge proof that you know of a block at this position and would like to instead pay some other address. .. so anyone running a miner can trivially steal solutions.
04:42 < gmaxwell> I think it would "work" ... but it runs into problems like right now people happily give money to cloud hashing places without any evidence at all that the cloud place isn't robbing them blind.
04:42 < adam3us> gmaxwell: i wonder if momentum could work (the proof of work based on birthday collisions) we laughed at its failures but perhaps it is fixable
04:43 < adam3us> gmaxwell: seemingly a defacto proof that technical approaches have limited effect on the stupid or careless shall we say
04:43 < gmaxwell> e.g. amiller's design would totally kill pooled mining, with a possible outcome of all hashing being cloud hashing... because at least a huge centralized place has a reputation to protect.
04:47 < adam3us> so about momentum briefly. i could find no proper description of it but basically the idea is the entries in the memory table are themselves small proofs of work (25-bit?), and then the task is to find H(a)=H(b) and finally H(a,b) < target now i think the thing is the target is high enough that memory is filled quickly
04:47 < adam3us> (though i see no reason restricting memory)
04:47 < adam3us> otherwise it suffers from quadratic advantage in fast cpu & ram
04:48 < adam3us> as well as compact storage
04:48 < adam3us> (eg lossy storage like bloom filter to do a tmto to fit it into a gpu)
04:48 < gmaxwell> I'm not sure how this helps anything. I follow that you can probably set the parameters so that it doesn't create an advantage for being a larger hasher.
23:48 < midnightmagic> petertodd: they measured that which was measurable: mathematics improvements between entry and exit grades for schools
23:48 < midnightmagic> .. lol now now. the research they do is better than forming opinions in a vacuum
23:48 < petertodd> midnightmagic: ah, so they measured improvements, who had the higher scores exiting?
23:49 < gmaxwell> petertodd: not all opportunities are equal to all. I mean sure, some child of some inner city gang bangers could have traveled 4 mi to the nearest library with internet access back in 2010, and joined #bitcoin and written some bad poetry for a thousand bitcoin and be a millionaire now.  But none did.
23:49 < midnightmagic> petertodd: public schools had greater improvements when comparing identical students with identical backgrounds.
23:49 < petertodd> midnightmagic: just as easily you can explain that as private school kids started off smart and couldn't be educated much farther, or more importantly, they had better things to do with their time than focus on math improvements
23:50 < midnightmagic> petertodd: nope. they selected those ones out
23:50 < justanotheruser> midnightmagic: are you saying that schools should be segregated by income?
23:50 < gmaxwell> justanotheruser: they are already segregated by income.
23:50 < midnightmagic> as much as it's possible to know such things, there's now basically zero reason to think private schools provide a better education
23:50 < justanotheruser> gmaxwell: they bus students from poor schools to rich schools in some states
23:51 < midnightmagic> justanotheruser: nope. i'm saying private schools are lying when they claim to provide superior education
23:52 < petertodd> gmaxwell: heh, well, OTOH I know a guy from nairobi who did something not unlike that... moral of the story is raw opportunities actually don't do much in the face of culture and parents, and those are likely strongly genetically related in many ways anyway.
23:53 < gmaxwell> okay, sure, I was also binning culture and parents in with opportunities. It's not like its your fault what parents you had.
23:53 < midnightmagic> yes. adoptions help a lot with those kinds of studies too.
23:53 < midnightmagic> pretty fascinating how much people seem to be screwed if born to poor parents.
23:54 < petertodd> gmaxwell: yup, my point being blaming "society" for that kind of thing is misguided - we already do a tremendous amount
23:54 < gmaxwell> ::shrugs:: part of creating an optimally successful society is providing the infrastructure that helps people achieve their capability even if they're born into a dysfunctional family (and help family dysfunction not exist).
23:54 < petertodd> midnightmagic: gee, might have something fundamental going on...
23:55 < midnightmagic> petertodd: yeah, probably not straight genetics. some is, but parentage makes up for a lot of that. i.e. the success breeds overconfidence false loop
23:55 < petertodd> gmaxwell: yup, and frankly I *do* think we do a very good job of that and it's hard to figure out how to actually do a better job of it in most situations. I also think our effects, especially in schools, to further level the playing field are counter-productive - e.g. closing gifted programs in favor of yet more money at the lowest scoring percentile.
23:56 < midnightmagic> imo that kind of nonsense is b-s
23:56 < midnightmagic> closing gifted student programs?! wtf
23:57 < gmaxwell> well you are in canada. So perhaps things are better done there. :)
23:57 < midnightmagic> i'll let you know. i personally appear to be one of those weird outliers.
23:58 < gmaxwell> midnightmagic: "no child left behind" (a 2001 piece of education legislation and the resulting programs) in the US is often wryly referred to as "no child gets ahead"
23:58 < petertodd> midnightmagic: well, that's how the politics of it works. I know the people running the program where I lived then fought for years to keep it open, and always had to be very careful as to how it was portrayed - specifically they stressed heavily how the kids who were in the program statistically did *worse* than the general population for a lot of different metrics, such as university admissions.
23:58 < midnightmagic> lol
23:59 < petertodd> midnightmagic: basically anything to avoid looking elitist
23:59 < midnightmagic> smart kids need a challenge or their study habits are nonexistent. yeah that makes sense what you're saying.
23:59 < gmaxwell> Se also: http://en.wikipedia.org/wiki/No_Child_Left_Behind_Act#Effects_on_school_and_students
23:59 < gmaxwell> er see*
--- Log closed Wed Jan 15 00:00:03 2014
--- Log opened Wed Jan 15 00:00:03 2014
--- Day changed Wed Jan 15 2014
00:00 < petertodd> midnightmagic: heh, well with a challenge that was true too, but anyway :P
00:00 < andytoshi> gmaxwell: i can say from personal experience that public schools in BC are not run effectively, they are very much "no child gets ahead" and they were an absolute hell to get through
00:00 < midnightmagic> hehe
00:00 < gmaxwell> I know a number of _good_ high-school teachers who left teaching due to the effects of that legislation.
00:00 < petertodd> gmaxwell: can't blame them, that stuff is just depressing to deal with
00:00 < midnightmagic> andytoshi: you think so? i had the exact opposite experience in BC
00:01 < andytoshi> midnightmagic: i was in cloverdale, it is the cowboy town beside langley, they had no gifted programs
00:01 < midnightmagic> vancouver. interesting.
00:02 < andytoshi> midnightmagic: i finished every hs math class by the end of grade 9, then no more math. 'science' was watching bill nye videos and doing handouts, i was typically done the work for the day in about 15 minutes, then 6 hours or so of staring at walls
00:02 < midnightmagic> i was in the interior, they specifically pushed the smart kids into beneficial grade programs for university entrance.
00:02 < andytoshi> midnightmagic: eventually i found some good teachers who helped me game the system, and i got out 18 months early
00:02 < petertodd> andytoshi: ha, ironic how my highschool was an "inner city" one with a population of almost entirely recent immigrants, very poor, with significant gang violence and... I had a much better experience
00:03 < andytoshi> 2 years early* i stuck around to finish my phys. ed. requirements :P
00:03 < andytoshi> so i don't count that semester as hs
00:03 < petertodd> andytoshi: and then my brother was in a hs in one of the richest parts of the city, upper-upper-middle-class, and... actually lots of gang violence *in* the school, and shit academics.
00:03 < andytoshi> petertodd: fascinating
00:04 < andytoshi> there is a lesson here about anecdotal evidence i'm sure :)
00:04 < midnightmagic> my hs teachers did the optional calculus prep stuff. probably for my specific benefit actually, the rest of the kids were rolling their eyes.
00:04 < andytoshi> maybe we should apologise to midnightmagic for calling his sociologists stupid
00:04 < petertodd> andytoshi: hehe, toronto is not a good source of typical demographic data :)
00:04 < midnightmagic> lol a.k.a. my wife.
00:04 < midnightmagic> no apology necessary, it's a well studied phenomena.
00:04 < midnightmagic> er.. *non
00:05 < petertodd> andytoshi: over 50% of the toronto population wasn't even born in canada
00:06 < midnightmagic> well, without immigration our pop would be shrinking. :-)
00:06 < midnightmagic> would suck if canada died.
00:06 < andytoshi> petertodd: this is true of vancouver as well, though probably not in cloverdale where i was
00:06 < gmaxwell> Oh I GEDed out of school the moment it was permitted, in florida by statute the GED is absolutely equivalent to a highschool diploma you even get the same paper the normal graduates get. Was kind of a no brainer. I took the test cold two days after my birthday (earliest time offered) scored a 99th percentile. It was trivial stuff. ::shrugs:: I understand that it wasn't too uncommon to do this in the 70s but the schools fought ...
00:06 < gmaxwell> ... back against it with a bunch of FUD because it was draining them of their most academically capable students.
00:06 < andytoshi> oh, cloverdale is right above white rock, from silk road hitman fame :)
00:07 < andytoshi> so i'll stop saying 'near vancouver' here
00:07 < petertodd> andytoshi: what's the kind of immigrants that vancouver gets anyway? asia? middle-east?
00:07 < midnightmagic> andytoshi: i'm confident nobody thinks you're that guy lol
00:07 < midnightmagic> ha ha ha awesome
00:07 < midnightmagic> petertodd: asian, then east indian
00:07 < gmaxwell> I was impressed by the density of asian people in vancouver.
00:07 < andytoshi> petertodd: east asia, mostly china and the philippines, then india
00:08 < petertodd> gmaxwell: sheesh, that kinda sucks that you were in a position where that made sense
00:08 < midnightmagic> richmond doesn't even have english signage in some places.
00:08 < petertodd> andytoshi: oh, interesting, toronto seems to get much more from the middle east
00:09 < midnightmagic> gmaxwell: how old were you re: GED?
00:09 < midnightmagic> (wife is curious)
00:09 < gmaxwell> 16.
00:09 < petertodd> andytoshi: OCAD had a *tonne* of Iranians for instance
00:09 < midnightmagic> nice.
00:09 < andytoshi> gmaxwell: that's awesome, i wish i had that option
00:09 < andytoshi> maybe i did, it didn't occur to me
00:10 < midnightmagic> i skipped a grade, grad'd at 17. skipping a grade was really horrible. not recommended.
00:10 < midnightmagic> petertodd: what's OCAD?
00:10 < andytoshi> petertodd: interesting, i've only met one iranian
00:10 < petertodd> midnightmagic: I think one of the things the gifted program did a good job at was giving kids reasons not to skip grades...
00:10 < midnightmagic> I love Iranians they're awesome
00:10 < petertodd> midnightmagic: http://www.ocadu.ca/ <- art school I went too
16:45 < amiller> it says that the inputs are all linked together because they're in the same wallet
16:46 < amiller> that really isnt true, coinjoin makes use of the fact that's not true, you can sign a tx if you know one of the txinputs without knowing the other keys
16:46 < amiller> nor is it the case that the output is linked to the input
16:46 < amiller> coinjoin relies on that too
16:47 < gmaxwell> Yes, this was written by someone who didn't know about CoinJoin
16:47 < amiller> the only advantage of this thing is the incrementalness and that's kind of irrelevant
16:47 < gmaxwell> As a pure anonymity tool I think this is not very helpful over coinjoin. Agreed.
16:48 < gmaxwell> it's a little helpful because its more loosely coupled.
16:48 < gmaxwell> But the anti-censorship, pro-relaying, and compression properties are potentially more interesting.
16:49 < gmaxwell> my reply points out that its not that interesting for anonymity.
16:49 < gmaxwell> "I'm glad to see someone with an aggregate signatures proposal.  From an anonymity perspective, I believe a cryptographic approach is unnecessary, and they are very difficult to deploy, but still may be useful in the future."
16:52 < gmaxwell> amiller: one sort of annoying property is that in some cases this can't achieve anonymity as good as coinjoin!
16:53 < gmaxwell> E.g. all the users for this block join a coinjoin, they use a SMPC sort to distribute their requested output addresses among each other.
16:54 < gmaxwell> There is no way to achieve that level of anonymity with this one way aggregation scheme.
16:56 < gmaxwell> amiller: you could reply to that thread and point out they got the linking stuff wrong. :)
16:56 < amiller> *am already doing so*
16:58 < gmaxwell> (I didn't even notice, I'm so used to _everyone_ getting that wrong)
17:01 < jgarzik> http://io9.com/a-new-digital-world-is-emerging-thats-too-fast-for-us-1286428447
17:01 < jgarzik> The problem, however, is that this new digital environment features agents that are not only making decisions faster than we can comprehend, they are also making decisions in a way that defies traditional theories of finance. In other words, it has taken on the form of a machine ecology one that includes virtual predators and prey.
17:01 < jgarzik> Consequently, computer scientists are taking an ecological perspective by looking at the new environment in terms of a competitive population of adaptive trading agents.
17:01 < jgarzik> "
17:03 < gmaxwell> jgarzik: did you ever see the textbook on amazon that was a billion dollars?
17:04 < jgarzik> heh, saw a screenshot
17:05 < jgarzik> one of the many Themes Garzik Harps On is that computer scientists should be looking at biology for models, theories, and correlations
17:06 < jgarzik> distributed computing, especially decentralized computing, is all about organic behaviors like herds, infections and inoculations, swarms, emergent behaviors, ...
17:07 < jgarzik> Just like human beings, they stop being purely predictable engineering systems behaving within set parameters and become organic feedback systems
17:08 < jgarzik> A really fun problem is decentralized auctions, eBay-style
17:08 < jgarzik> How to fairly handle the final few seconds of a real time auction?
17:09 < jgarzik> sniping is a DoS of sorts
17:09 < gmaxwell> yea, "don't hold that kind of auction"
17:09 < gmaxwell> if you do sealed bid auctions the problem goes away.
17:09 < jgarzik> or Dutch
17:13  * jgarzik wonders the name for this style of auction:  wait X duration after last bid, then close auction.  if someone bids, timeout clock resets to X.
17:18 < jgarzik> How to integrate bitcoin with a sealed bid auction, in a least-trust method?  Is there any way to (a) prove you will spend the funds if you are the winner while (b) not spending the failed bids?
17:18 < gmaxwell> yes, make all the bid transactions conflict a single input. Only one can make it into the blockchain.
17:18 < jgarzik> Certainly an auction robot could accept bids, then refund the losers.  Any way to avoid the robot stealing the funds from the failed bids?
17:19 < jgarzik> conflict?
17:19 < gmaxwell> They all spend input X.
17:19 < gmaxwell> (and other inputs to pay for their bid)
17:19 < jgarzik> seems vulnerable to griefing
17:20 < gmaxwell> easy to fix.
17:20 < gmaxwell> (I think).
17:21 < gmaxwell> The person selling the thing has 1 BTC. You are a bidder ... you write a transaction spending that 1 BTC and he signs for it.
17:21 < jgarzik> My naive scheme:  robot announces "private key for 1 satoshi is $this" to channel, and everyone writes a transaction that spends a satoshi + their auction bid input
17:21 < gmaxwell> if the signature is a SIGHASH_SINGLE then he doesn't have to see your bid.
17:21 < jgarzik> but a griefer might just spend the bitcoin outside of the loop
17:22 < jgarzik> ah, duh
17:22 < jgarzik> no need to give out the private key, just have auctioneer sign it. understood.
17:23 < jgarzik> neat
17:23 < jgarzik> auctioneer announces the anchor transaction for the auction (the input everyone spends), and people bid from there
17:26 < jgarzik> This would be a fun demo to write.  A little HTTP-based auction server, modeled after bittorrent trackers.  Just keep track of abstract metadata on the auction, zero content (for privacy / deniability).
17:27 < gmaxwell> now a trickier thing to do is to make it into a secure _second price_ auction.. now that I don't know how to do. :P
17:27 < gmaxwell> (thats a sealed bid auction where the highest bidder pays the next highest price)
17:29 < jgarzik> I think the "bid-extends-timeout" solves the game theory motivation to DoS in the final seconds of the auction
17:30 < jgarzik> unfortunately, IIRC, bid-extends-timeout was also used on a couple notable click-lottery "buy a plasma TV for $75!" pseudo-auction sites.
17:31 < gmaxwell> I think either sealed bids or bid extends timeout solves the dos. sealed bids also discourage self dealing. (e.g. the seller bids up the bidders to try to get them to bid more, if he accidentally wins, oh well, no biggie)
17:32 < jgarzik> petertodd, I need to get a little demo website going, that helps people timestamp their SINs
17:32 < jgarzik> for a tiny fee, of course
17:32 < jgarzik> gmaxwell, good point
17:33 < jgarzik> gmaxwell, from my reading it sounds like sealed-bid and Dutch might tend towards a slightly lower final price than eBay style
17:33 < jgarzik> so economics might pull sellers towards ebay-style / bid-extends
17:34 < jgarzik> -EFAMILY.  Might write that HTTP server tonight, hmmm :)  *poof*
17:34 < gmaxwell> The economics wanks will tell you that the sealed bid second price auction is the optimal thing. They even gave someone a nobel prize for it.
17:35 < gmaxwell> But since I dunno how to make a direct bitcoin one of those... simpler is probably better. :P
17:59 < gmaxwell> This stanford pairing based crypto library is pretty nice.
18:30 < gmaxwell> Okay, I've successfully got that signature scheme working.
18:51 < maaku> jgarzik: except for some minor warts ebay is a Vickrey auction, which is ideal for both buyer and seller (the proof won Vickrey the nobel prize gmaxwell alluded to)
18:56 < maaku> jgarzik: you might also be interested in : http://www.eecs.harvard.edu/~shieber/Biblio/Papers/icec06.pdf
19:04 < gmaxwell> maaku: hm? how is ebay a vickrey auction? it's not sealed, the winner is the highest price and pays their offered price.
19:05 < nanotube> gmaxwell: nope. you can set a max bid of 1000, but you'll only pay a bit above second highest.
19:05 < nanotube> and nobody will learn what your sealed bid is, until you're outbid.
19:05 < gmaxwell> oh! of course, that proxy bidding makes it effectively second price (plus bid increment)
19:05 < nanotube> so you /could/ use it as a plain second-price sealed bid auction - just post your maximum, walk away.
19:06 < nanotube> that people don't and try to snipe and crap is just how people are. :P you don't have to join them.
19:06 < gmaxwell> maaku: nanotube: thanks, I didn't realize that before. (You can tell I haven't used ebay much ever and not at all recently)
19:07 < nanotube> mm :)
19:07 < gmaxwell> okay, well, I dunno how to do that with bitcoin without a trusted party or non-trivial multiparty computation.
19:07 < gmaxwell> a simple auction where people throw out bids and only one happens is easy however.
19:08 < nanotube> what's your scheme, briefly, for doing the latter
19:10 < gmaxwell> nanotube: Alice holds an auction, alice advises everyone of some bitcoin she holds and an address to pay to.  You want to bid. You write a transaction spending some of your coins and alice's coin that pays to alice (and if any chance back to you). You sign it and give it to alice.
19:10 < gmaxwell> all the other bidders do the same.
19:10 < gmaxwell> When alice gets bored, she signs and announces the transaction.
19:11 < nanotube> ah, cute! and obv there's no way to force alice to sign second highest bid rather than highest....
19:12 < gmaxwell> well you want the highest bidder to pay the second price. :P
19:12 < gmaxwell> it's easy to do with a semitrusted oracle.
19:13 < gmaxwell> e.g. Oscar the observer watches the bids and his signature is required for the auction to be completed.
19:13 < gmaxwell> and then oscar can enforce whatever rules he likes.
19:13 < nanotube> well, the good part is that theory says (as i recall) that the expected proceeds are the same from a second price or a first price auction
19:13 < gmaxwell> I though first price encouraged bidders to underbid?
19:13 < nanotube> in expectation, in a second price auction people have the incentive to bid their true value. in first price, bidders shade their bids
19:14 < nanotube> but "on average" they should produce the same outcome, price-wise
19:14 < nanotube> at least if i recall my auction reading correctly. been a while :)
16:11 < andytoshi> nsh: you can always study set theory if this dichotomy bothers you ;)
16:13  * nsh smiles
16:14 < nsh> (set-theoretical approaches, e.g. fuzzy logic, are still fundamentally predicated upon bivalent membership identity, and can do more than concealing the dichotomy at a lower level of analysis)
16:16 < nsh> (a really non-binary system of logic has values that are qualitatively different to truth and falsity, rather than shades of the two)
16:18 < andytoshi> i meant, you can reject the law of excluded middle and do logic that way..
16:19 < andytoshi> i don't know what field those people claim to be part of
16:19 < andytoshi> without making any claims as to what's in the middle
16:20 < andytoshi> hmm, you're still right, it's either true or not --- and false or not
16:20 < andytoshi> perhaps you should study zen then
16:24 < nsh> it's not just the law of the excluded middle. that's one pillar of bivalence. the other is the law of non-contradiction. every A is A, no A is not-A
16:25 < nsh> it's difficult to imagine a system without the law of non-contradiction. whether this is a reflection of a universal truth [sic] or a result of our historical mathematical/logical/linguistic enculturation is an open question :)
16:25 < jtimon> A + 0 = A, A + 1 = 1
16:27 < andytoshi> you don't need much in the way of axioms for a single contradiction to imply every statement is true..
16:28 < andytoshi> so it's definitely baked pretty hard into historical logic
16:28 < andytoshi> i'm not familiar with the attempts to fix this non-robustness
16:29  * nsh nods
16:31 < nsh> there is a body of work due to Lukasiewicz but it's accompanied by an unfortunate tendency of later thinkers to reduce it back to bimodality
16:33 < nsh> More recently A. S. Karpenko. it's my occasional hobby to casually read up on it, but more slips past me than sticks, as with most matters
16:35 < nsh> discussed in some detail here: http://www.oocities.org/m_valuedlets/tranche4.html but unless you have predilection to wading through schizoform word salad it might not be much use to you :)
16:36 < andytoshi> 'fraid not :)
16:36 < nsh> fair enough
16:52 <@gmaxwell> pigeons: I thought beertoken was backed by some promise to deliver beer (not just one bottle, but some larger quantity as set by some kind of board or something)
16:59 <@gmaxwell> jtimon: I've seen a number of pretty concerning technical behaviors from coinbase, so I'd believe any random thing.
17:58 < pigeons> gmaxwell: there wasn't a beertokens committee, it was just steve, and yes like all these things from silver certificates to mtgox usd it ultimately comes down to a promise
17:58 < pigeons> the promise was to redeem each beertoken for one bottle of a specific type of beer that steve liked and was common in thailand where he lived
17:59 < pigeons> but he didnt buy the beer and refrigeration and storage, he backed it with bitcoins, which brought up a problem as bitcoins decreased in value a lot from when he set them aside
17:59 < pigeons> he ended up buying more coins to make up the difference
18:01 < pigeons> and guys, BigDataBorat says "My contact at Coinbase say use of MongoDB strictly for reason of give client plausible deniability."
18:01 < pigeons> https://twitter.com/BigDataBorat
18:01 <@gmaxwell> what the heck does that mean?
18:02 < pigeons> "Estimate of MongoDB's value vary, one replica say $700m, one replica say $1.2 billion, one replica say 1.5 billion."
18:02 <@gmaxwell> "when we stole all the coins we could plausably deny it being theft?"
18:02 < pigeons> yes that's what it means
18:03 < Luke-Jr> lol
18:04 < nsh> hi orperelman. i liked your work on the Poincaré conjecture
18:04 < nsh> thanks for inventing bitcoin :)
18:05 < nsh> (i'm not personally sure Ricci flow with surgery is a valid technique, but i'm not a topologist)
18:48 < maaku> andytoshi: isn't that constructivist math? (removing the law of excluded middle)
19:06 < andytoshi> maaku: yeah, that's the name for doing mathematics that way (e.g. rejecting proofs by contradiction)
19:07 < andytoshi> there are subsets of logic (which i have ~0 knowledge of) which do things like fuzzy logic and try to make this concrete
19:08 < andytoshi> my girlfriend was into constructivist math for a short while, not believing in anything that wasn't computable
19:08 < andytoshi> but it's nearly impossible to do a lot of classical mathematics that way
19:22 < nsh> depends how you define "doing mathematics"
19:22 < nsh> :)
19:23 < nsh> as a pursuit of noble platonic truths, or as a means towards solving practical problems...
19:24 < nsh> i'm not sure there are many engineering artifacts that are based predominantly on an existential proof
19:24 < nsh> hmm, not so sure, now i think about it a bit more
19:53 <@gmaxwell> they're not unrelated.
19:53 <@gmaxwell> if you find some totally abstract "noble platonic truth" it can be a bridge that solves a practical problem.
19:53  * nsh nods
19:55 <@gmaxwell> e.g. there is a bunch of NP proof stuff where you can show a proof system is sound by reducing it to a 2d graph coloring problem, and then show that if the system is unsound it would contradict four coloring, which otherwise is kinda useless trivia.
19:56 < nsh> right, came across that recently in a talk, funnily enough
21:44 < maaku> but ultimately you have to reduce it to be constructivist to enter the realm of engineering
21:45 < maaku> e.g. if you look at real numbers constructively, you get this funny thing called numerical analysis ...
21:47 < nsh> analysis was pretty practical when it came to aiming cannon :)
21:48 < nsh> computers are still named after the art of ordnance in french...
21:55 < nsh> (philosophically, it fascinates me that the assumption of the continuum, even though actual algorithmic infinities are avoided, yields such powerful results in analysis. we can calculate things in continuous sets that would suffer combinatoric explosion over discrete structures...)
21:56 <@gmaxwell> Stirling's approximation <3
21:57 < phantomcircuit> wtf
21:57 <@gmaxwell> being able to answer questions like "from an infinite distribution of 50/50 true/false how likely is it you'd draw 30 and get 5 true"... answering it combinatorially is impossible.
21:57 < phantomcircuit> i just noticed google wallet is still using checkout.google.com
22:00  * nsh nods
--- Log closed Sun Dec 22 00:00:17 2013
--- Log opened Sun Dec 22 00:00:17 2013
03:36 < Emcy> ccc.de tls 1.0 1024bit rsa
03:36 < Emcy> and my browser doesnt trust the CA anyway :/
03:37 < Emcy> "Besides the usual digital infrastructure with Wifi, telephone etc., 30C3 will feature for the first time a pneumatic tube system, with the pretty name Seidenstrasse."
03:37 < Emcy> wut
03:39 <@gmaxwell> oh fun, something BIP32 like cannot be used with ed25519.
03:40 <@gmaxwell> or rather, not with standard implementations.
03:40 <@gmaxwell> they rig the multiplier so that the most significant bit must always be 1.
03:41 < Emcy> whats ed25519 again
03:50 < maaku> Emcy: DJB's crypto
03:51 < maaku> gmaxwell: can ed25519 be easily modified to make it work?
04:06 <@gmaxwell> maaku: the curve is fine, the constant time multiplier implementation
04:21 <@gmaxwell> y'all see the deck of cards secret key agreement thing? brilliant.
04:24 <@gmaxwell> Take a regular deck of cards. Shuffle it.  Then split the deck in half. I give you one half, I take the other. Tada. We now have a ~51 bit shared secret: each card either ended up with you or me (we lose a bit from the definition of who is 1/0 being arbitrary)
04:31 < maaku> gmaxwell: yeah i posted in the armory thread that a shuffled deck of cards makes a good inconspicuous private key
04:31 < maaku> and 51 bits for a shared secret is plenty good enough for many protocols
04:33 <@gmaxwell> maaku: damn, and when I moved I think I tossed a box with like 50 decks of cards in it. (marketing swag from my prior employer, two corporate brandings old)
04:33 < maaku> if i ever worked border security, i'd shuffle any deck of cards I come across
04:33 <@gmaxwell> the shuffling isn't required!
04:33 <@gmaxwell> if you split a deck then just membership in one person's side or the other is the data! not the permutation!
04:36 <@gmaxwell> works with two decks too. e.g. take two decks shuffle and split. then membership in one side or another is the key though you lose quite a few bits there due to dupes. (e.g. log2(3^52)=82.4 minus 1 bit for parity... three states, because both cards ended up on one side, or both on the other, or each person had a card)
04:37 <@gmaxwell> and the permutation doesn't matter.
04:39 <@gmaxwell> the bummer is that cards aren't printed on both sides. if they were inputting your key would be easy: just spew the cards out on a table and take a picture.
04:47 < maaku> gmaxwell: reverse theorientation of one deck
04:48 < maaku> or use different colored back
04:52 <@gmaxwell> yea, that gets you some more bits, but I guess it's not so hard to place all the cards face up for photographing.
04:55 < petertodd> also worth considering that there are tonnes of common games in card format that can be used for this stuff, IE magic the gathering cards have well-defined "multiverseid's" worth at least a few bits each, and a deck's contents can be turned into the key based on a sorted list of all such card ids
04:55 < petertodd> though the border guards would probably be wondering why a guy as cool looking as myself has MTG cards; I'd have to explain it was for a friend
04:56 <@gmaxwell> petertodd: the thing that I found neat was just that you could convey so many bits by which side got the card, and be completely robust to ordering
04:57 <@gmaxwell> it means that I can keep a stack of sealed cards in my bag. meet you, totally unprepared, open the cards shuffle split, and we walk away with a relatively easily entered shared secret that doesn't look too conspicuous
01:33 < andytoshi> so if we can efficiently loop through these partitions we can brute-force the problem from here ... provided we have fewer than, say, 45 inputs and 45 outputs
01:33 < gmaxwell> there is probably some trivial greedy preprocessing that can be done.
01:34 < gmaxwell> Obviously you should merge all inputs with the same scriptpubkey and all outputs with the same scriptpubkey.
01:34 < gmaxwell> and force any input/output pair with the same scriptpubkey to be connected, perhaps, (e.g. just remove the output and deduct the input)
01:35 < andytoshi> oh, this is true .. coinjoin already merges outputs, but it doesn't have knowledge of the inputs
01:35 < gmaxwell> well your coinjoin does, but of course I was thinking in terms of an abstract tool that could be run on any transaction.
01:36 < CodeShark> are we talking generalized coin selection optimization?
01:36 < gmaxwell> then there may be other outputs which are forced which I think can be found in a greedy way.
01:36 < gmaxwell> hm.
01:36 < CodeShark> or is this some specific problem?
01:37 < andytoshi> CodeShark: we are looking at "given some transaction, what is the maximum possible number of participants?"
01:37 < gmaxwell> CodeShark: no, talking about taking a transaction and identifying the maximum number of coinjoin participants under reasonable constraints.
01:37 < gmaxwell> (reasonable constraints like the CJ participants not giving away their money)
01:38 < gmaxwell> CodeShark: e.g. what is the largest plausible number of participants in this transaction: https://blockchain.info/tx/a0350aa856b77edeaa08ae9df5047855d487c40490d11713461d200ea70b09c6
01:39 < CodeShark> so the minimum is obviously one, the maximum is the number of inputs with distinct redeemscripts, yes?
01:40 < andytoshi> well, if there are fewer outputs than inputs, then the total number of outputs could be the maximum
01:40 < gmaxwell> CodeShark: nah, because there may be no plausible flow.  For example, say you had 10 distinct inputs.. and 1 output. There is only one participant (under reasonable constraints)
01:41 < CodeShark> ok, so maximum = min(distinct input scripts, output scripts)
01:41 < gmaxwell> nah, because if you constrain them to not throw away values you must look at the values.
01:42 < andytoshi> no, there still might not be a plausible flow .. eg if there are 10 inputs and 10 outputs
01:42 < gmaxwell> Say you have 50,.5,.5 in  and 25,25,1  out.
01:42 < andytoshi> and one input is massive, all the others are 0.1, and every output is 0.2
01:42 < gmaxwell> In that case you have a maximum of 2.
01:42 < CodeShark> right, my bounds were very weak
01:43 < gmaxwell> yea, you're giving loose bounds, we want the tight maximum bound. As it's a measure of privacy the coinjoin provides.
01:43 < andytoshi> it would be nice if 1 wasn't always plausible :)
01:44 < andytoshi> even a lower bound would be useful if it was nontrivial
01:44 < CodeShark> what if we simply required all inputs to be the same value? then each participant would first have to create outputs of specific denominations
01:44 < CodeShark> and join a transaction of a particular denomination
01:44 < gmaxwell> 1 being plausible is good because its also what makes ordinary txn look potentially like CJs. :P
01:44 < CodeShark> yeah, ok :)
01:45 < andytoshi> CodeShark: well, that makes CJ's stand out, and it's also easy to work around by just going back one layer in the transaction dag
01:46 < gmaxwell> andytoshi: hm. interestingly, I think the maximal maximal count may not always have the highest entropy!
01:46 < andytoshi> and then you've even got free association information from the homogenizing transactions
01:46 < andytoshi> gmaxwell: that is interesting, and that feeling is why i don't think we can do this 100% greedily
01:46 < andytoshi> but for me, for now, it is just a feeling ..
01:48 < CodeShark> I'm not even entirely clear on coin selection optimization within a single wallet, let alone coinjoin :p
01:48 < andytoshi> well, coin selection (to evade this analysis) is an even harder problem, i think
01:49 < CodeShark> if we want coinjoin to be obscure, we want it to mimic typical coin selection strategies for common wallets
01:49 < gmaxwell> can't, goals are to different, instead wallets should mimic coinjoins. :)
01:49 < gmaxwell> s/to/too/
01:49 < gmaxwell> coinjoins can't be fully obscure simply because >2 outputs are rare.
01:51 < CodeShark> yeah, true - and while there's a good use case for sendmany from servers, for typical interactive users, these use cases are more rare
01:52 < gmaxwell> andytoshi: e.g. there may be some mapping that gives you N users but is unique, e.g. only 1 N user path between inputs and outputs.  But then there is some <N mapping where it is non-unique.
01:53 < andytoshi> oh, fascinating
01:53 < andytoshi> what on earth can we say about that?
01:53 < andytoshi> about its anonymity*
01:54 < gmaxwell> well for a coinjoin overall you could just count all plausible mappings (for all possible N) and the coinjoin's entropy is log2(that).
01:55 < gmaxwell> e.g. 50,.5,.5 in  and 25,25,1 out  has an entropy of 1 bit.
01:55 < andytoshi> hmm, if that is the most useful metric than it saves us the trouble of doing all this optimization
01:56 < gmaxwell> I dunno that it does, because you still have to reject implausible mappings.
01:56 < andytoshi> if we loop over every possible mapping, that's easy, just a bunch of addition
01:57 < gmaxwell> Finding the maximum N is just a subset of the problem.. it's just the highest N for which there remain any plausible mappings.
01:58 < andytoshi> yeah, but we can use a weak upper bound for N in this case
01:59 < andytoshi> i wonder if we want to compute something sharper: the entropy of the individual outputs
01:59 < andytoshi> (it's really not clear to me how to define that)
02:00 < gmaxwell> the interesting thing about output entropy is that it's not independent.
02:01 < gmaxwell> e.g. output X could have come from input 2 if and only if output Y didn't.
02:02 < andytoshi> we can arrange these possibilities in a giant decision tree, and compute some sort of entropy on that..
02:03 < andytoshi> there is also something called mutual information
02:03 < gmaxwell> I guess measuring per output has some useful properties.. since in a wallet you'd want to know e.g. which of your inputs are tainted.
02:03 < andytoshi> http://mathoverflow.net/questions/88364/is-this-a-situation-where-triple-mutual-information-is-always-non-negative
02:04 < gmaxwell> andytoshi: I'm trying to come up with a "conservative" version of it which isn't trivial.
02:04 < andytoshi> (this was a question my supervisor asked about whether he could apply some tool called 'diversities' (i have a single-author paper on the analytic properties of these) to computing mutual information
02:04 < gmaxwell> E.g. assume the attacker knows "a lot" about the other outputs, what is your entropy. The problem with that is that the obvious form of a lot is "knows all the other outputs" in which case the entropy is 0
02:05 < andytoshi> now, what this tells you is that "all the other outputs" is strongly coupled to your output
02:05 < andytoshi> maybe you want to know, how strongly are my various outputs coupled to each other?
02:06 < gmaxwell> andytoshi: mutual information is just the joint entropy minus the conditional entropies.
02:07 < gmaxwell> andytoshi: well I'd like to be able to answer how tightly my keys (inputs or outputs) are coupled after a transaction. So that I can decide to group the keys and freely merge them in future txn if they are too tightly coupled.
02:07 < nsh> hmm
02:08 < andytoshi> yeah, so this is a more useful thing to wonder about than "how tightly coupled are all the outputs of this specific transaction"
02:08 < gmaxwell> interestingly, even when paying someone without coinjoin the number of players is 2 and we can talk about the coupling in the change output(s).
02:09 < gmaxwell> though the most entropy we can have in a single output when there are only two players is 1 bit.
02:10 < andytoshi> here is a selfish question: if we take the definition of diversity from page 2 of http://arxiv.org/pdf/1307.1897.pdf , can we describe this coupling as a diversity?
02:10 < andytoshi> (it is selfish because if the answer is yes, then i can perhaps finagle a publication while still doing something useful for bitcoin)
02:12 < andytoshi> describe some measure of coupling*
02:13 < gmaxwell> I must confess, the first sentence of the abstract triggered turboencabulator-detection for me.
02:14 < gmaxwell> ( https://www.youtube.com/watch?v=rLDgQg6bq7o )
02:15 < andytoshi> hahaha
02:16 < andytoshi> what is meant by that claim is, "this is used by biologists for some tree-calculation something", which is true but not anything i know anything about
02:16 < andytoshi> i admit, the core of that paper is almost cartoonishly "mathematicians inventing problems for no reason except to have fun solutions"
02:19 < andytoshi> but here is a paper relating this stuff to flow problems: http://arxiv.org/abs/1312.5408
02:19 < andytoshi> so i am not blowing smoke when i suggest that it's applicable :)
02:20 < gmaxwell> I think for any of this stuff you could imagine some hypothetical 'mixer' with perfect knowledge of the inputs to output mapping, and just measure the entropy of his knowledge. It gets more interesting when you consider graphs with many coinjoins.
02:20 < gmaxwell> esp if the many coinjoins are not wired up like a switching network, so that the inadmissibility of multiple inputs later deanonymizes earlier coinjoins.
02:20 < andytoshi> yeah, i think that's the most useful thing for the joiner itself to output
02:21 < andytoshi> but if, for example, some output always winds up matched to a certain input, the owner of that output would like to know this
02:22 < gmaxwell> yea. indeed. though at least that can be solved purely locally.
05:59 < gmaxwell> I mean, I think I now have a mental model to predict miner behavior somewhat... which mostly seems to work. But it basically starts with the premise that miners are uninformed and somewhat lazy. When they try to get informed they get overloaded quickly.
05:59 < warren> I haven't been paying attention to the Bitcoin pools.  The first and only bitcoin pool I ever used was p2pool. The issue preventing Litecoin pools from spreading hashrate out more is there is a tiny quantity of competent pool operators capable of keeping their software secure against exploits and robust against DDoS attacks.
06:00 < warren> There existed a few massive pools in the past who killed themselves with a payout bug
06:01 < warren> and a few just don't recover from a DDoS attack
06:01 < gmaxwell> The algorithm for selecting a pool looks like: look at the pie chart on bc.i. Compare a couple of the biggest pools. Find nothing really distinguishing between them, pick the largest.
06:01 < warren> The survivors could be behind killing their competition.  We have no way of knowing.
06:02 < adam3us> it's puzzling indeed that there appears no model to get financing for core dev work that must happen for bitcoin to progress, despite there being $3b resting on it
06:02 < gmaxwell> p2pool almost doubled in size in the weeks following convincing bc.i to stop hiding p2pool on their chart.
06:02 < warren> percentage wise of global hashrate, how much did it peak at before?
06:02 < adam3us> gmaxwell: can't people run multiple independent instances of p2pool to scale it?
06:03 < gmaxwell> adam3us: sure, actually in the past some people have run it privately.  But there shouldn't /need/ to be multiple ones to scale it.
06:03 < warren> adam3us: Litecoin Dev raised $xxk in donations, we're spending a portion of that on various things, mostly security related development that could benefit Bitcoin too.
06:03 < adam3us> (you guys should be sleeping btw:)
06:03 < warren> I know =(
06:04 < adam3us> warren: esp you if you're in hawaii
06:04 < adam3us> but yeah about dev it's really rubbish and disappointing the rate of progress and funding ..
06:05 < adam3us> eg colored coin i thought has a lot of potential and yet the progress has been really slow; there are some people trying to get professional funding now (company, biz plan etc) so maybe that'll create something open
06:06 < gmaxwell> the people getting funding are doing mostly terrible things, see also: mastercoin
06:06 < warren> https://bitcointalk.org/index.php?topic=320695.0  <---- Bitcoin 0.8.5 + Litecoin 0.8 patches (minus the litecoin protocol)
06:06 < adam3us> (though coloring in a way that creates bitcoin dust is something i am not keen on; must be a better way to do it with side-chains if they just thought about it)
06:06 < gmaxwell> adam3us: thinking gets in the way of spending time on posts and fundraising. :)
06:06 < adam3us> warren: that is bitcoin omg link? yes i was hyped when i saw that
06:06 < warren> gmaxwell: omg, and quite a lot of funding with zero code
06:07 < gmaxwell> warren: I liked it when I asked them to use OP_RETURN instead of their garbage addresses and got told that they couldn't because they were currently creating all their mastercoin transactions by hand in a bc.i web wallet.
06:07 < adam3us> mastercoin, yes that was terrible, and it surely will fail because of the negative regard people will hold the premine in
06:08 < gmaxwell> (I stopped complaining in public about it at that point... "okay, this is going to fail on its own")
06:08 < TD> i concluded that ages ago
06:08 < TD> the whitepaper was nonsensical
06:08 < warren> gmaxwell: they tried to hire me to work on client software.  I told them to do the majority of their crap off-chain...
06:08 < adam3us> but they actually got money in a way which is disreputable
06:08 < adam3us> an yet the people doing reputable things seemingly do not
06:08 < gmaxwell> yea I ignored it initially because the whitepaper was nonsensical, then I suddenly started seeing lots of dust transactions on the network, and went searching for the cause.
06:09 < adam3us> so this is going to drive more disreputable things unless msc crashes and burns
06:09 < TD> it seems to hit the sweet spot where it seems technically credible enough to pull in a lot of suckers, but not quite credible enough to actually work
06:09 < warren> TD: pets.com
06:10 < TD> lol
06:10 < gmaxwell> adam3us: yea, look at all the altcoins (not even talking about ltc here, the zillions of other ones)... some of them have managed to monetize pretty well on the exchanges with patches that did little more than change the name of the software... its really depressing.
06:10 < adam3us> TD: to my reading the msc paper was a list of noble aspirations with no indication of how or even if they could be achieved technically, plus the disreputable invest now for big discount, limited time offer like say timeshare sales
06:11 < adam3us> the protoshares by bitshare is barely better
06:11 < gmaxwell> Or _usefully_ achieved technically.  E.g. "p2p replacement for mtgox!"  uhhhh..
06:11 < TD> i try to stay positive. what this shows is there's tremendous demand for cryptocurrency technology that works
06:12 < gmaxwell> s/ that works//
06:12 < TD> yes. but there's even more demand for stuff that works!
06:12 < gmaxwell> There is a tremendous demand for promises of future riches.
06:12 < adam3us> pts are not even anything, just a bitcoin alt-coin as a place holder until / if they finish coding their bitshare system, with a promise that you own 10% of bitshares, but they screwed up their params almost as badly as terracoin and mined 1/4 of issue in 1 week that was designed to take 3 months
06:12 < gmaxwell> Something which works but due to honesty and understanding can't promise future riches... not clear there is much demand.
06:12 < TD> yeah. well. that's certainly one possibility.
06:13 < adam3us> TD: i am not sure, i had a look at the pts irc channel an it seems most of the miners had no clue why or what it is, they just wanted in early in case it went somewhere
06:13 < TD> i think people get hyped due to second order effects though. "i want this cool tech because it will make bitcoin more useful and thus more valuable:
06:13 < TD> but it's MUCH harder to build it than just promise the moon
06:13 < adam3us> the guy bytemaster? bitshares cto - was slapping out unsigned binaries on non SSL - very scary
06:13 < gmaxwell> TD: both bitshares and mastercoin have directly traded on that thinking even where it made no sense.
06:14 < gmaxwell> (claiming that they were enhancements to bitcoin, where in the case of esp bitshares I am unable to find any relationship with bitcoin at all except them exploiting the name in their marketing)
06:14 < adam3us> gmaxwell, TD: oh yes and when pts params failed, they put out misleading info saying you HAD to upgrade under some threat to a massively revised param set; if the users had clues they'd have forked the code and said no
06:15 < gmaxwell> adam3us: well realsolid already proved that what you can get away with is nearly boundless. An amazing history there that you missed.
06:15 < TD> yes these schemes are just ridiculous
06:15 < TD> what i mean is that whenever i go to a conference, i get mobbed by people asking "where's the contracts apps"
06:15 < adam3us> seems to me it'd be nice to get i dunno some salary equiv to what y'all can pull in industry to sit in a bitcoin lab not-for-profit
06:16 < gmaxwell> (guy created an altcoin and kept revising the rules over and over again, ... making me pretty much convinced it was an experiment in how disreputable you could make a cryptocurrency and still have users)
06:16 < TD> so i mean there's definitely a population of people that isn't just bandwagon jumping but _really_ want to see all the cool exotic features that were discussed come true
06:16 < adam3us> which'd take say $5mil/year or something to hoover up the top brains and make somewhere nice for them to work
06:16 < warren> adam3us: "slapping out unsigned binaries on non SSL - very scary" ... like cgminer!
06:16 < TD> a big part of mastercoin's marketing is claiming that the reason bitcoin doesn't have $FEATURE is that the core developers are too conservative, scared, not well funded enough, whatever
06:16 < TD> and that mastercoin resolves this problem thus bringing such features faster
06:17 < TD> warren: cgminer is AFAIK detected as a virus by now, by most AV systems :(
06:17 < gmaxwell> TD: except, you know, $FEATURE, seldom needs anything in core software.
06:17 < adam3us> TD: yes this is why i keep harping on about bitcoin staging
06:17 < TD> yes, all this stuff is obvious to us, but much less so to other people
06:17 < adam3us> and why i was psyched to see warren made a step towards it with bitcoin omg release :)
06:17 < warren> toward what?
06:17 < adam3us> bitcoin staging could keep the rapid dev within the bitcoin brand
06:17 < TD> luke used to maintain a "bitcoin next". dunno if he still does
06:17 < adam3us> bitcoin staging
06:17 < gmaxwell> And even if it did need it, you can test it without deploying it.... of course that requires writing something, or even figuring out in detail how it might work.
06:17 < adam3us> hmm link?
06:18 < gmaxwell> Luke still does.
06:18 < warren> adam3us: it isn't really staging, it was "I put all this work into litecoin, might as well make a bitcoin client"
06:18 < TD> gmaxwell: the good news is, someone stepped up to take over PayFile from me last week, and he seems to be credible - has already produced pull reqs. so I am hoping that quite soon we will have perhaps the first easy to use gui micropayments (contracts) based app
06:18 < TD> that people can actually download real binaries of, run, and use for something useful
06:18 < adam3us> i know but apart from the peg mechanism you did the work that i thought would need to be done
06:48 < TD> you mean, working on scalability, other than maintaining an entire SPV implementation ... :)
06:49 < petertodd> the real problem there is "worse is better" and things like inputs.io already exist, so even incremental improvements become hard
06:49 < petertodd> adam3us: meh, you can audit off-chain stuff easily.
06:49 < adam3us> petertodd: right, i think it's a pressing problem even if bitcoin scales for a few years, because momentum "good enuf" will push everyone onto inferior centralized solution
06:49 < petertodd> adam3us: again, an auditable, decentralized base is what you build on.
06:50 < adam3us> petertodd: right, but how
06:50 < petertodd> adam3us: yes, either "good enough" will be the worst possible off-chain solutions with no auditing at all, or SPV clients with no auditing of the blockchain and a small number of centralized full-nodes/miners
06:51 < adam3us> petertodd: if coinbase and 20 more like them rule 99.99% of tx in a few years, and they settle between them on the block chain at $1mil at the end of the day.. how is that bitcoin
06:51 < petertodd> adam3us: at least with the former you can bolt-on auditing at any time
06:51 < adam3us> petertodd: they'd just as well settle with a wire transfer
06:51 < petertodd> adam3us: simple example, you can audit that backing funds exist with merkle sum trees
06:51 < adam3us> petertodd: agree, auditability is good
06:51 < petertodd> adam3us: heck, have you read any of my fidelity bonded banking stuff? not only can you audit, you can punish fraud
06:52 < petertodd> adam3us: that's bitcoin because for $10 or $100 or whatever it ends up being you can pay that tx fee too and have equal access that anyone else does.
06:53 < adam3us> petertodd: alternatively you can add auditability to banking networks, they probably will at some point as its more secure than firewall and fiat balance in a db - at that point its all the same thing
06:53 < petertodd> adam3us: Bitcoin isn't about making things *free*, it's about making barriers to entry be based on proof-of-work and nothing else.
06:53 < adam3us> petertodd: i think what you lose is the bearer / ecash property
06:53 < petertodd> adam3us: auditability is much less interesting than decentralization of control
06:53 < adam3us> petertodd: agreed
06:54 < petertodd> adam3us: the issue isn't banks committing fraud, it's banks commiting *legal* fraud. Everyone knows currencies are inflated, it's not a secret.
06:54 < adam3us> petertodd: i made a claim that ecash is not ecash unless its irrevocable and unseizeable/unfreezable
06:54 < adam3us> petertodd: and i'm more interested in ecash than ripple iou networks which are just paypalizing banking networks and will revert to form in 5 years
06:55 < petertodd> Well, worst case with 1MB blocks forever and the dumbest possible off-chain solutions is that you can make your savings irrevocable and unseizable/unfreezable. That's pretty damn good.
06:55 < petertodd> With fidelity bonded banking, your savings are much harder to revoke or seize, because the moment you do so you can prove to the world that has happened, and the world can choose to go to another bank.
06:56 < adam3us> petertodd: yes two things: digital scarcity is a new commodity class, and separately ecash is better than a claim on a balance on a server with its bitcoin denominated or usd, block chain audited or not
06:56 < petertodd> Right, but the onus is on you to figure out how you can have your cake and eat it too, because in its current form Bitcoin is fundamentally unscalable. The "solutions" to scalability are all to introduce more centralization.
06:57 < adam3us> petertodd: are you sure your funds are unseizable in a $10k dust rule network with coinbase model? you dont even have your private key...
06:57 < adam3us> petertodd: what if you dont have enough funds to pay the min fee
06:58 < petertodd> adam3us: The first $10k of your funds got seized, but your other $100k didn't. That's a huge improvement over the whole lot being seized because Bitcoin mining has long since become a regulated activity with blacklists.
06:58 < adam3us> petertodd: "The "solutions" to scalability are all to introduce more centralization." yes so far and that is a negative and worrying trend for bitcoin's meaningful continued existence
07:00 < adam3us> petertodd: i thought chris odom opentx model showed promise as a direction; his voting pool tx servers are auditable and rebuildable by users using the sum of the tx receipts they receive
07:00 < petertodd> BTW, lets suppose Bitcoin is worth 100 trillion, and 1% of that amount every year goes to miners in the form of fees. That works out to $20/kilobyte transaction fees, rather affordable!)
07:01 < adam3us> petertodd: not bad, but how many Gbps is a full node feed ;)
07:01 < petertodd> no, I'm saying we keep 1MB blocks in that example.
07:02 < adam3us> petertodd: probably need satellite network for globalbroadcast or the interwebs will melt with many full nodes
07:02 < petertodd> Why?
07:02 < adam3us> petertodd: n^2 everyone on the planet's cup of 2nd cup coffee
07:03 < adam3us> petertodd: whats the famous canadian coffee shop? maybe it was timhortons ;
07:04 < adam3us> petertodd: clearly it can scale to some extent but its less interesting if its a clearing network than a direct user network
07:04 < petertodd> oops, I got that calculation wrong... lol, $20,000/kilobyte tx fees, not so affordable. However, lets say 100 billion valuation, 1 billion a year to miners, and you're at $20/KB.
07:04 < adam3us> petertodd: if it gets that large i expect the people running the show could just as well turn off their miners and sign clearing agreements
07:05 < petertodd> (right now tx's cost about $20 already in fact due to the inflation subsidy...)
07:05 < adam3us> petertodd: yeah thats kind of scary... hidden cost.. people say btc costs 2c but its actually 1000x worse
07:06 < petertodd> Fucking hell, who cares how "interesting" it is for your morning coffee? What's important is that we have a solid decentralized store of value with a decent way to move it around. We can improve upon that later, but don't fuck up the base.
07:06 < petertodd> Fundamentally we have to figure out how to make validation scale.
07:06 < petertodd> Second fundamental is we have to figure out how to make transaction selection scale.
07:07 < adam3us> petertodd: u mean validation scale is reduce the broadcast bandwidth feed fr a full node? or cpu?
07:07 < petertodd> CPU isn't very interesting, don't focus on that. Bandwidth is what's interesting because censorship-resistant bandwidth is hard to come by.
07:08 < petertodd> Censorship-resistant CPU power is available at stores around the country...
07:09 < adam3us> petertodd: yes; so an ultra-crude what-if is say divide the n^2 into 1000 subgroups, payments are then either in-subgroup or cross subgroup, and mergemine subgroups
07:09 < adam3us> petertodd: cross subgroup takes 2 tx but thats still smaller than 1 tx broadcast 1000x wider
07:10 < petertodd> yup, I proposed that one a few months ago
07:11 < adam3us> petertodd: yes i think multiple people proposed the same what-if
07:11 < adam3us> petertodd: I did, vitalik did also probably others... but its not clear how well that could work
07:12 < petertodd> AFAIK I was first :P The issue actually comes up with fidelity bonded banking, because you need to ensure that proof-of-fraud can be effectively published, and you need to have proof that you know about all fraud published for some given domain.
07:13 < petertodd> Anyway, I hope we agree that until a viable system for subgroups is proposed, and it's possible to mine blocks in a decentralized fashion, it's deeply dangerous to tinker with the scalability of Bitcoin.
07:15 < adam3us> petertodd: i'm not sure - you're saying dont change anything until we know the best longer term scaling approach or the scalability patches might actually make things worse?
07:15 < adam3us> petertodd: decentralized mining... yes i think that could be a nice partial win if that could be figured out
07:15 < petertodd> adam3us: remember that we've got people in this community who want to remove blocksize limits entirely while leaving the rest of the system as-is.
07:16 < petertodd> That's the idiotic opposition you're up against, not people who have a deep understanding of Bitcoin.
07:17 < adam3us> petertodd: gotcha, yes i agree with your previous arguments that upping the bw requirements aggressively is dangerous for decentralization (and also why i said i'm not sure i buy the "bitcoin scales to visa" type of hand-waving - oh yes, how and at what cost)
07:18 < petertodd> adam3us: With sufficient trust you can make any pig fly. :P
07:18 < adam3us> petertodd: u know i hear swift itself is nominally p2p
07:18 < petertodd> Ha, yup!
07:18 < adam3us> petertodd: so if the way we reach visa scaling is to run 50 bitcoin nodes on a closed network controlled by big banks i am not so interested
07:19 < petertodd> Exactly. And in between now and that, there's a lot of trade-offs.
07:19 < petertodd> 10MiB blocks aren't so bad, 100MiB kinda iffy etc.
07:20 < adam3us> petertodd: we need some fundamental new insight .. the picture so far is moderately clear, but no clear path forward is in sight
07:20 < petertodd> Now where the "just remove the limits entirely" thing is so obnoxious is that the basic idea, just let miners choose, is such a fundamental misunderstanding of the nature of validation and trust in Bitcoin.
07:21 < petertodd> of course there's no clear path forward, every path has different costs to different people!
07:22 < adam3us> petertodd: u might wonder if there is some moderate incremental scalability gain lurking in using accumulator tree vs hashtree
07:22 < petertodd> heck, there's a decent enough chance that nothing at all will happen and Bitcoin will remain, technically, identical to its current form for a long, long time.
15:40 < phantomcircuit> i stand corrected
15:40 < phantomcircuit> that's actually pretty huge
15:40 < petertodd> Yup, it was also the original blocksize limit.
15:40 < petertodd> which makes me think satoshi hadn't planned for one at all...
15:44 < sipa> petertodd: gavin fixed what?
15:44 < midnightmagic> ^^ by the way, gavin, if you use as the freenode IRC server password your nickserv authentication details you don't get the changing host thing.
15:44 < petertodd> sipa: his original rejection message patch let an attacker put fake entries into your log file
15:45 < petertodd> sipa: didn't filter out newlines :/
15:45 < gavinandresen> midnightmagic: how do i "use the freenode IRC server password"
15:46 < gavinandresen> IRC passwords are still a mystery to me, is there a clear explanation of which password does what somewhere?
15:46 < midnightmagic> gavinandresen: One sec..
15:46 < MoALTz> midnightmagic: edit server, server password in xchat right?
15:47 < midnightmagic> Yes. The IRC server password. You construct it like so: NickName:NickservPassword
15:47 < gavinandresen> midnightmagic: okey dokey.  What is the Username then?
15:47 < midnightmagic> http://freenode.net/faq.shtml
15:47 < midnightmagic> No username.  There should just be a password field.
15:48 < midnightmagic> http://freenode.net/faq.shtml#nicksetup <-- there it is.
15:49 < midnightmagic> In plain irssi, for example, you would connect with: /connect chat.freenode.net 6667 mquin:uwhY8wgzWw22-zXs.M39p    or your deets in place of..
15:49 < midnightmagic> there you go. I think that did it.
15:50 < MoALTz> midnightmagic: what happens if your zombie hasn't disconnected yet?
15:50 < gavinandresen> mmm.  Colloquy UI is confusing, it gives me Username and Password for server connection
15:50 < midnightmagic> MoALTz: It's not foolproof. In the event of a netsplit I think something weird happens then.
15:50 < gavinandresen> and isn't smart enough to do the nickname:password thing, I guess
15:50 < midnightmagic> nah it's a freenode-ism I think.
15:51 < gavinandresen> that was my mistake, then-- looking at IRC help instead of FREENODE help....
15:51 < midnightmagic> MoALTz: Also I don't know what happens with zombies..
15:52 < midnightmagic> gavinandresen: znc, the bouncer I use, also uses that style to authenticate individual users and log them in to a user session. In znc, the server configuration line just has something like this: 2610:150:2c68::d0:dab:1de5 +6697 midnightmagic:MyNickServPasswordItsALongOne
15:56 < warren> Luke-Jr: jgarzik: it is not only ACK'ed things, it tests not-yet-approved things if we think it's a good idea and we tested it.
15:58 < amiller> MyNickServPasswordItsALongOneAlsoHighEntropyEjKRUaOJPo
15:59 < phantomcircuit> gavinandresen, colloquy like most os x software makes it impossible
15:59 < warren> well crap, someone reports the OMG build still corrupts on macos x
16:00 < gavinandresen> warren: mmm.  I got corruption running git HEAD, so that doesn't surprise me
16:01 < petertodd> warren: sheesh, I ran a bitcoin node for months on a computer with such flaky ram I couldn't get firefox to work for more than an hour at a time and it never corrupted the blockchain once :/
16:01 < warren> gavinandresen: corrupted even after a clean shutdown of bitcoin?
16:02 < gavinandresen> warren: was probably a dirty shutdown
16:02 < petertodd> warren: maddening how some stupid fs sync crap has a bigger effect than that ram
16:04 < sipa> petertodd: i doubt the corruption problems we're seeing are related to flaky hardware
16:04 < sipa> or at least, some
16:05 < petertodd> sipa: exactly my point; hardware/os lying about syncing is more of a threat than the hardware not working at all
16:06 < warren> It isn't clear if the corruption is only on certain versions of the OS.
16:06 < warren> I've seen most reports on 10.8+
16:06 < warren> one report on 10.7
16:07 < warren> none on 10.6, which might mean nobody is using 10.6?
16:08 < petertodd> warren: any chance the people on 10.6 are using different hardware than 10.7? (dunno nuthin about macs myself)
16:08 < gavinandresen> warren: I'm running 10.7
16:09 < petertodd> FWIW I did a SSD write corruption test a few years back at work, and I did find a SSD drive brand that lied about data syncing, so it's quite possibly a hardware thing related to some choice Apple made.
16:11 < warren> indeed, some brands of SSD are notorious
16:13 < warren> gavinandresen: what hardware?  apple provided HD/SSD?
16:13 < warren> gavinandresen: FWIW, our mac dev and coblee have *never* experienced corruption
16:13 < petertodd> warren: yup, and sadly this could just be some choice Apple has made that's far from easy for us to deal with.
16:13 < gavinandresen> warren: I have no idea, I bought this mac used. I got corruption on both the SSD and the spinning disk.
16:18 < warren> gavinandresen: at this point are we willing to post a bounty on this?  "Reproduce corruption on demand, explain why it is happening." and separately "provide a fix that passes bitcoin dev approval"?
16:18 < gavinandresen> warren: sure, if you're willing to hold the money and judge the 'approval' go for it
16:19 < petertodd> gavinandresen: re: relay first double spend, you relaying the whole double-spend tx?
16:19 < warren> gavinandresen: where can the money come from?  we can pledge some from our funds
16:20 < gavinandresen> petertodd: yes, relaying the first double-spend as if it were the first spend
16:20 < sipa> with a different message?
16:20 < petertodd> gavinandresen: what happens if the first double-spend was a 200byte tx, and the second a 100KiB tx?
16:21 < gavinandresen> petertodd: then 100,200 bytes get relayed across the network
16:21 < gavinandresen> assuming that both pass the IsStandard tests.
16:21 < petertodd> ugly...
16:21 < gavinandresen> simple
16:22 < petertodd> 500x cheaper to DoS the network. OTOH I like how this makes it easy to do replace-by-fee.
16:22 < gavinandresen> sipa: what do you mean, "with a different message" ?  No, just a normal inv / tx
16:22 < gavinandresen> (inv / getdata / tx)
16:22 < sipa> hmm, but without taking it into the mempool
16:23 < gavinandresen> petertodd: 500x ???  You can broadcast 100K transactions now.  This will make it at most 2x times easier to try to DoS the network.
16:23 < sipa> i'm not sure it's advisable to relay a transaction we're not considering valid ourself
16:23 < petertodd> gavinandresen: No, 500x, because I'm only paying for the bandwidth of the 200 byte tx. (or actually, even smaller than that is possible)
16:23 < gavinandresen> sipa: right, does not go into the mempool
16:24 < gavinandresen> sipa: the whole point is to broadcast it so that accepting-payment-in-person merchants will see the invalid transaction and can react
16:24 < petertodd> gavinandresen: Probably not an issue in practice, because someone will do replace-by-fee mining, but then that kinda defeats the purpose in a way...
16:24 < sipa> gavinandresen: right, which is why i'd use a different message
16:25 < warren> gavinandresen: is the foundation willing to add funds to such a bounty?
16:25 < gavinandresen> sipa: that just complicates the code unnecessarily
16:25 < warren> we can ask for public donations too
16:25 < sipa> to 1) make it clear that we're not actually considering this one valid and 2) make old nodes ignore it
16:25 < sipa> then again, nothing prevents someone from taking a faketx message and broadcasting it as a t
16:25 < sipa> as a tx
16:26 < gavinandresen> sipa: exactly, the code you'd write is exactly the same
16:26 < petertodd> sipa: Interesting thought: I can use this to broadcast a replacement, and because it's a standard inv, any miner who didn't get it the first time for some reason, and doesn't have it in their mempool, will get the second one. If the second one is a higher fee, maybe this time they'll accept it!
16:27 < sipa> yes, it may have unintended replacement effects
16:27 < sipa> giving a double spend higher chances for being mined than before
16:27 < gavinandresen> again, the reason for doing this is 0-confirmation transactions for merchants monitoring the chain.
16:27 < sipa> that's why i'd prefer not doing it the same way
16:27 < gavinandresen> err.. monitoring the network....
16:27 < sipa> i'm pretty sure it will lead to double-spends becoming easier :)
16:28 < gavinandresen> Easier-but-easier-to-detect is fine
16:28 < petertodd> sipa: Yeah, e.g. it makes it even easier to double-spend by broadcasting a, say, satoshidice tx, then waiting for my reply, then broadcasting a double-spend that doesn't involve satoshidice - I have a 10% chance of it getting mined by eligius without even needing to contact them directly.
16:28 < petertodd> Heh, funny thing I'm definitely going to ACK that patch because it's a step towards replace-by-fee and pure-profit-driven mining.
16:29 < sipa> petertodd: i'm in the middle about that, but imho the client should try to get peers to do the same
16:29 < sipa> so if you're doing replace-by-fee, i'm perfectly fine with it being the same tx message
16:29 < petertodd> sipa: get peers to what exactly?
16:30 < petertodd> sipa: ah, yeah, replace-by-fee would definitely use the same tx message
16:30 < gavinandresen> sipa: 0-confirmation double spends are pretty easy today.  I'm completely convinced early detection is more important than trying to prevent them.
16:30 < sipa> but if you're explicitly not considering a transaction valid, i don't like making it seem to others that you do
16:30 < sipa> gavinandresen: fair enough, i agree there
16:30 < gavinandresen> Lets debate replace-by-fee separately...
16:31 < warren> crap, two reports of corruption after a clean shutdown...
16:31 < warren> this makes no sense
16:31 < petertodd> gavinandresen: Well, the beauty of this is it lets miners decide for themselves given they now can easily get the replacement with no effort.
00:23 < gmaxwell> maaku: "You can spend these coins if you solve my puzzle" "psyche... I just spent them out from under you even though the code said I couldn't because I can create false proofs for this verification key."
00:24 < gmaxwell> amiller: the upside is removing the CRS the downsides are that the proofs are much larger (tens of kilobytes) and the zero-knowledge is no longer perfect.
00:25 < amiller> i see.
00:26 < gmaxwell> amiller: well I'm glad your koolaid tap on the CRS stuff ran out. I dunno why everyone thinks its so acceptable.. it is in some cases, not others.
00:26 < gmaxwell> What they're talking about doing in zerocash I think its completely unacceptable.
00:26 < gmaxwell> then again, for that application 20kbyte signatures is probably also unacceptable.
00:27 < amiller> how far do you think they can smear around the anytrust kind of setup
00:27 < gmaxwell> (and for that matter, q-power knowledge of exponent, bilinear pairing stuff is by itself probably unacceptable)
00:27 < amiller> that was a question someone asked, matt green answered affirmatively, i didn't seek any details
00:28 < gmaxwell> What was?
00:28 < amiller> whether you could distribute the setup among N parties
00:28 < gmaxwell> yea, I think thats half BS
00:28 < amiller> where any of the N parties has to delete their data
00:28 < amiller> okay
00:29 < gmaxwell> I don't know of any systems for _active_ secure MPC that don't themselves require a zk-snark, certainly none that are implemented.
00:29 < gmaxwell> (you can take any semi-honest-secure MPC scheme and make it active secure if you make all the players do their work under ZK-proof that they're obeying with the protocol)
00:29 < maaku> gmaxwell: i see
00:30 < gmaxwell> It's possible in theory at least. But what does N need to be? and where is even a beginning of an implementation?  even with just three parties it would be the largest MPC task ever attempted.
00:30 < amiller> yeah everything attempted in practice so far has been semi honest
00:30 < amiller> afaik
00:31 < gmaxwell> Yes, as far as I can tell.  And I think we have a chicken and egg problem here. We have almost practically efficient snarks actually implemented but in the CRS model.
00:31 < gmaxwell> You could, in theory, make the CRS with MPC... but active secure MPC that looks remotely practical is a passive MPC + SNARKS.
00:32 < gmaxwell> and the CRS computation isn't horrible but there is a lot of it ... for zerocoin they're talking about 1.6GByte prover keys (which actually sounded small to me).
00:33 < gmaxwell> So somehow you've got N party active secure MPC and you're going to compute 1.6 gbytes of CRS in it?
00:33 < gmaxwell> And realistically I think N can't just be 3. Start talking about 30 and thats more interesting.
00:33 < amiller> yeah. i came to that conclusion pretty quickly too
00:34 < amiller> sell tickets to the big setup phase MPC as your fundraiser gimmick!
00:35 < gmaxwell> I mean there are neat things you can do... one of the mpc nodes should be in a faraday cage in a bunker filled with C4. And you should explode it when the computation is finished. People would pay to see that. :P
00:36 < amiller> david blaine could do one too
00:36 < gmaxwell> the undetectable compromise part is part of what makes this so bad for ZC where it wouldn't be an issue elsewhere.
00:37 < gmaxwell> lots of room for fud.
00:37 < gmaxwell> "NSA supercomputer cracked the crypto to recover the key whole cloth, and now the US government can print unlimited coins! Prove me wrong!"
00:38 < gmaxwell> at least if it were detectable you could freeze new spends and deploy another ZK proof system (perhaps a less efficient one)
00:39 < amiller> i learned about a formalism called "covert security" that's weaker but promises detection like that...
00:39 < amiller> but i couldn't find any trace of someone actually getting any cheaper construction that way
00:40 < gmaxwell> well the GGPR12 stuff is super brittle to knowing the CRS. Its easier to compute a fake proof than validate a proof if you know the CRS.
00:41 < gmaxwell> and I think the way the perfect zero knowledge is achieved it must be that way.
00:42 < gmaxwell> (because you can basically show that for any set of passing input group elements some CRS exists that makes those elements a valid proof, regardless of the statement being true or not)
00:44 < gmaxwell> In any case, Iddo has given me the impression that I'm not the only person who's seen the limitations of the CRS model.
00:46 < amiller> i've seen some modifications to CRSs to make them more useful and composable but not that get rid of the trusted/private state somehow
00:47 < amiller> i don't have any idea what comes next
00:52 < gmaxwell> amiller: why not post to the http://www.scipr-lab.org/ mailing list and whine about the CRS trust assumptions and ask what they're going to do about them? :P
00:52 < gmaxwell> As I said, I /think/ they're also working on a backend without one.  But I don't know anything about it as it's not mentioned in their papers on their tinyram work.
03:01 < nsh> gmaxwell, if it helps, didactically, you can compare the security of the CRS model to the security of DUAL_EC_DRBG....
03:06 < gmaxwell> Hm!
03:06 < gmaxwell> point.
06:17 < adam3us> gmaxwell: so while i agree that H(nonce)[rand(32)] ^ prefix is an interesting incremental improvement of raw prefix, with an example 8-bit prefix, and [] being byte index, ^=xor, it still publicly allows elimination.  ie with probability (255/256)^32=88% it eliminates you as a payee of any given reusable payment.
06:17 < adam3us> gmaxwell: (posted this and related on bitcoin-dev)
07:56 < jtimon> somebody claimed here (I don't know if it was you maaku), that some people were suspicious about scrypt being GPU mined from the beginning
07:57 < jtimon> does anybody have any reference to that?
08:04 < jtimon> hmm, is this it? https://bitcointalk.org/index.php?topic=63365.0
08:04 < jtimon> I'm considering mentioning rumors about it and putting a link on an article about p2p currencies I'm finishing
08:07 < jtimon> I don't know...wasn't coinhunter a scammer?
08:07 < jtimon> "Artforz publicly admitted to creating a GPU miner for litecoin numerous times" any link to this?
08:08 < jtimon> I'll keep searching, just browsing out loud in case anybody can give me some clues or a better link
09:17 < Emcy> hmm apparently GCHQ couldnt crack truecrypt with the password "$ur4ht4ub4h8"
09:17 < Emcy> they had to sling the guy in jail and sweat it out of him
09:18 < Emcy> isnt that a weak password? Is that a bit surprising.
09:18 < adam3us> jtimon: ha thats pretty interesting  the guys claim seems quite plausible.  casts coblee / artforz in a bad light if so.  i was before now supposing the failure of scrypt params chosen to be yet another alt param fail on their part.  but maybe it was a "fail" ie not real! they designed it that way and exploited it to the max until someone else figured it out
09:18 < adam3us> Emcy: yeah i saw that.. my thoughts also, we have nothing to worry about :) combined might of GCHQ cant crack that short/low entropy password.. chortle.
09:19 < adam3us> Emcy: what we dont know however is the program used.  maybe it has some memory hard stretching or something preventing fpgas or whatever gchq has
09:19 < Emcy> and yet a skilled cracker with a good custom dictionary and a handful of radeons might
09:20 < adam3us> Emcy: if it was unstretched, for sure; lot of former gpu miners could crack that with their own cards!
09:21 < Emcy> ok i assume it was truecrypt
09:22 < Emcy> http://www.bbc.co.uk/news/uk-25745989 look hes got a beard so hes probably up to no good!
09:22 < adam3us> jtimon: analogously i was similarly suspicious of dan larimer with his momentum hash and protoshares. that no GPU status fell pretty fast though he fought the claim all the way down
09:23 < Emcy> adam3us isnt it fairly common knowledge that someone was mining LTC rather faster than should have been possible early on
09:23 < tacotime_> I recall artforz had mentioned he implemented it on GPU And it was slower
09:24 < tacotime_> The algo itself is slower on GPU if you don't use the TMTO trick (only store every other value in the memory pad and look up the others on the fly)
09:25 < tacotime_> There's a little bit of reason to believe that solar designer and artforz may have been the same person, but I won't elaborate
09:25 < adam3us> Emcy: I dont know wasnt paying attention at the time. tacotime_: the thread jtimon posted above says their programmer spent 4hrs and made something 150x faster than artforz claimed best.
09:26 < tacotime_> You honestly trust something coinhunter said?
09:26 < tacotime_> The guy who has stolen hundreds (probably thousands) of BTC from the community over the past 2 years? ;)
09:26 < adam3us> tacotime_: solar designer is pretty crypto sharp, he posts on cpunks/crypto lists a lot and seems to have clues.  seems to me if that is artforz alter ego he'd have the sharps to do a little TMTO
09:27 < adam3us> tacotime_: yeah i heard of solid coin by infamy/reputation only wasnt paying attention back then.  he's that guy?
09:27 < tacotime_> yeah
09:27 < tacotime_> RealSolid/CoinHunter, same person
09:28 < tacotime_> http://www.openwall.com/lists/crypt-dev/2013/03/21/1
09:28 < adam3us> tacotime_: apparently his antics were so stupid/evil/greedy as to remain the subject of lore 3 years later :) thats how i heard about solid coin at all
09:28 < tacotime_> I'm not sure where mtrlt was updated to the desynchro/TMTO trick though
09:29 < tacotime_> Or if pooler had first picked it up when optimizing his LTC miner
09:30 < adam3us> tacotime_: i think i saw solar designers TMTO experiments, he mustve cross posted to one of the crypto lists
09:30 < tacotime_> yeah
09:31 < tacotime_> mtrlt also ran off with a load of bitcoins after claiming he would implement primecoin miner on gpu
17:56 < gmaxwell> jtimon: if you don't download the whole chain then miners participants in the past before you joined could have cheated and freely written themselves blank checks. Its very nice today that when people ask about this (which they frequently do) I can give them a very strong answer: No, your software audits against that, and you can audit its code (or have someone else do so) to make sure that it does.
17:56 < adam3us> gmaxwell: committed tx would be your only remaining defense against policy, you can still do a few things, notice when they make changes etc, but with less power to do anything about it
17:56 < maaku> gmaxwell: our approach is to move more transactions off-chain onto private servers, and use the public consensus mechanism only when necessary (e.g. cross-server trade)
17:57 < gmaxwell> adam3us: sipa has a great argument that goes: At one extreme blocks are maximally small and no one can transact but everyone can validate and so the system is centralized because so few can transact. At the other extreme the blocks are enormous and everyone can transact but no one can validate, so the system is again centralized because we must trust the few validators.  The ideal behavior is somewhere in between.
17:57 < adam3us> maaku: in a way thats mirroring bitcoin activity, most mtgox,bitstamp trades are in server
17:58 < adam3us> gmaxwell: sounds like sipa's block chain triangle:)
17:58 < maaku> adam3us: yes, but we'd like to do it in a way where your 'off-chain wallet' contains similar security guarantees - server can't spend your coins without your sig, and any modification of the spend history is detectable, etc.
17:58 < jtimon> gmaxwell, with maaku's UTXO index hashed on every block, it's just a matter of how long in the past you want to go
17:58 < gmaxwell> Sipa Circumflex of Centralization.
17:59 < jtimon> back to genesis? to the last checkpoint?
17:59 < maaku> similar to OT in that regard, but using bitcoin structures for interoperability
17:59 < gmaxwell> jtimon: allow me to be offended while you lecture one of the first people to suggest committed utxo on the subject of them...
17:59 < adam3us> maaku: i agree its the holy grail of off chain transactions " we'd like to do it in a way where your 'off-chain wallet' contains similar security guarantees - server can't spend your coins without your sig, and any modification of the spend history is detectable, etc."
18:00 < maaku> ok well read the paper and give us your feedback
18:00 < gmaxwell> jtimon: regardless not validating the rules is a break in the security model, and its one that may have weird interactions with incentives. Today a miner that does a big reorg can only reorder transactions, in an environment where many nodes don't validate deeply, they can write themselves a blank check.
18:01 < maaku> we're implicitly assuming some form of tx commitment though (not mentioned in the paper), which is the source of some of the security protections
18:01 < adam3us> maaku: not saying i have a solution, though like presumably many others its occupied my thoughts for some time
18:01 < gmaxwell> This isn't to say that its not a good tradeoff, but its not clear that its a free one.
18:01 < jtimon> sorry, gmaxwell, and yes, I've heard that potential problem, I think from retep
18:02 < adam3us> maaku: one loose idea is to use the bitcoin block chain to timestamp the merkle root of the offchain servers transaction log
18:02 < gmaxwell> I suppose its a change which actually could be made in bitcoin because basically none of the users have a mental model of the security that makes any sense... though its kinda sad that it wouldn't be controversial to revise the security model in such a substantial way.
18:04 < adam3us> gmaxwell: i'm with you on this one, the assurances of immutability are the strongest feature of bitcoin
18:04 < jtimon> the way I see it, it's configurable security, you can still be a full node, miners should be prepared for very big reorgs
18:04 < gmaxwell> jtimon: moral hazard.
18:04 < gmaxwell> If you're in a minority you're actually worse off setting security higher than other people.
18:05 < jtimon> I see
18:05 < gmaxwell> And if you can reduce your costs and let some other sucker take the work of making the security promises good? oh well.
18:05 < gmaxwell> (worse off because it's a consensus system: it's often more important to agree than to be right)
18:05 < maaku> ... which is why i'm staunchly against probabilistic validation
18:06 < gmaxwell> maaku: if its over old history that you wouldn't have validated anyways? and your response is to just shut down and nag the user?  I don't worry about that. It's just a backstop that means that manual intervention would kill an attack that depended on a historical rule validation.
18:06 < adam3us> gmaxwell: agree vs right; I agree: it seems to me that other than SPV, miners could indirectly facilitate consistent distributed arbitration of a random decision, so long as its immutable
18:06 < gmaxwell> Likewise, the fraud notices stuff would make probabilistic validation not a consensus risk. ... (though a software engineering risk... :( )
18:08 < adam3us> gmaxwell: just based on timestamping, no other validation; full node users could do committed tx fine with that assumption
18:09 < adam3us> if there is a way to shard activity within a timestamp tree, you might be able to scale that further than a miner validated blockchain (the miners in this model would just be timestamping merkle roots)
18:10 < jtimon> so you just timestamp things and the validation comes later, no?
18:10 < gmaxwell> maaku: the other question is: if your choice is "only google does the validation" vs "lots of parties do probabilistic validation with some risk of consensus failure" I don't think that it's a hard decision. There are lots of nice centralized systems out there, I don't think bitcoin is really competition for them. And I do think in the long run some compromises will be the matter of effectively centralizing the whole ball of wax ...
18:10 < gmaxwell> ... or not.
18:10 < gmaxwell> adam3us: the incentive model is goofed up though if unfaithful validation doesn't make your 'work' wasted.
18:11 < gmaxwell> e.g. say it's constructed so you could timestamp multiple orthogonal consensuses ... you might as well timestamp a zillion of them just in case one is preferred over another.
18:11 < gmaxwell> (this is the problem proof of stake has)
18:12 < adam3us> jtimon: yes committed tx are validated by users (including full tx history) and in this timestamping only use of it peers would need to be full nodes, but maybe it can be sharded to eg freimarket servers for the merkle root
18:14 < jtimon> it reminds me to a "crap serializer" idea I had, but mine was centralized
18:14 < adam3us> gmaxwell: so the hypothetical would be have lots of OT like servers as supernodes (but still peers) they participate in the timestamp consensus
18:14 < jtimon> how do you agree on the p2p serialization? do you have a thread?
18:15 < adam3us> gmaxwell: users transact on a given server with receipts, if anything goes wrong they switch servers; the server cant undo things because its transaction merkle root is timestamped
18:17 < gmaxwell> adam3us: how do you prevent supply doubling where users clone themselves and start transacting on two servers in parallel?
18:17 < adam3us> users, servers audit other servers to be sure they never put conflicting statements in their tx tree
18:20 < adam3us> gmaxwell: possibly (or so i was loosely thinking) each asset has a home server that is the authority on ordering transactions involving it - the idea is distributed consensus is hard but individual consensus is trivial, and mining timestamping prevents revisionism, and audit detects problems, and then you need some migration property where you can move the asset to a new home using receipts (but only after timestamp validates the move)
18:21 < adam3us> gmaxwell: say it costs higher fees to move via the timestamp chain to another server, so there is a disincentive to move unless actual problem; and servers can't cheat as they are audited and the system reacts to cheating
18:22 < adam3us> gmaxwell: it's basically OT + blockchain timestamping for merkle root timestamping, and reward (coin mining via blockchain timestamping) and to validate the movement of an asset to a new home
18:24 < adam3us> it becomes simpler to change mining details also when it is only doing timestamping eg as it's low bandwidth, doesn't deal with 0-confirm ordering, nor validation of transaction details, nor fee collection
18:25 < gmaxwell> adam3us: this is starting to tread into the space I was talking about with the coinwitness stuff (using non-interactive zero knowledge proofs to delegate coins to external transacript producing systems and eventually pull them back)
18:25 < gmaxwell> transcript*
18:27 < maaku> gmaxwell: I think if we move a lot of things off-chain (including day-to-day payments), and start using the chain mostly for global consensus over multi-server trades, we won't have to scale bitcoin much
18:27 < adam3us> gmaxwell: have to re-read that, while i thought scip/snark interesting i mentally put it in the 'future crypto' bucket to keep an eye on
18:28 < adam3us> maaku: yes, but a bit of an open question how that can be done while preserving the bitcoin properties
18:28 < maaku> so fears about needing "google-scale" are not yet convincing, imho
18:29 < gmaxwell> maaku: personally I hope so, but that comes with another worry. Say we jack way up the block size, and the things move off to other systems (for things like instant confirmation) ... will bitcoin be able to support itself on fees with the enormous block sizes but most txn off chains? hell would it be able to support adequate security with fees even with current blocksizes? Petertodd gave a vision of the future where those ...
16:09 < amiller> i want to talk about p2ptradex
16:09 < amiller> you guys read this post? https://bitslog.wordpress.com/2013/05/20/p2ptradex-back-from-the-future/
16:25 < gmaxwell> amiller: what about it? ... results in enormous transactions to have any real degree of cross chain proof, and even then only gets you spv security.
16:25 < amiller> i don't think any of that is necessarily true
16:25 < amiller> first of all it doesn't have to be about transaction size, proof size can be amortized for many transactions
16:26 < gmaxwell> The first is true so long as headers are a singly linked list.
16:26 < amiller> under normal conditions, two blockchains are perhaps roughly synchronized
16:26 < amiller> you could merkle tree over the headers and go down to log
16:26 < gmaxwell> The second is true so long as you don't commingle the consensus of the two chains.
16:26 < amiller> you don't have to do full validation
16:26 < gmaxwell> amiller: only by changing the headers.
16:26 < amiller> the thing is you can be asymmetric in two ways
16:26 < amiller> like if i am trading my bitcoins for your litecoins
16:27 < amiller> i don't really care if the bitcoin side gets canceled
16:27 < gmaxwell> amiller: no, but I sure do.
16:27 < amiller> i'm only concerned that the bitcoin side goes through and litecoin gets canceled
16:27 < amiller> right
16:28 < amiller> so i am happy if the bitcoin side just trusts litecoin at face value
16:28 < gmaxwell> I mean the _whole_ point of doing anything fancy there is to control the cancelation behavior, otherwise you can just do joint secret locked outputs.
16:28 < amiller> i don't care if the bitcoin chain only does spv validation of litecoin because i'm going to be just as vulnerable to litecoin anyway
16:28 < amiller> likewise you'll be happy if litecoin does only spv validation of bitcoin
16:29 < amiller> because you're going to end up with bitcoins anyway and if spv isn't good enough then something horrible has happened
16:29 < gmaxwell> amiller: say we're going to trade 1000 BTC worth of coins and I can buy computing power at near mining cost rates on the open market.
16:30 < gmaxwell> how big must the transactions be before its not cheaper to mine bogus blocks instead of completing the transaction?
16:31 < amiller> right so the tricky case is when there's a big disparity in mining power between the two chains
16:31 < amiller> but lets say we agree on the price
16:31 < amiller> it's proportionally a much bigger transaction on the tiny litecoin chain
16:31 < amiller> so i should correspondingly wait much longer before i'm sure
16:32 < gmaxwell> just assume it's 'bitcoin to bitcoin' if you will. I still think the result ends up ugly.
16:32 < amiller> the proof doesn't all have to be in the transaction, i think sdlerner's particular solution is wrong and ugly but the key idea works
16:34 < amiller> like assume you can use something like the hash-value-highway to get a concise aggregate sample of work
16:34 < gmaxwell> even a cut and choose compression of the headers ends up being quite large.
16:34 < amiller> basically since there are tiny trivial litecoin blocks so frequently, it would suck to try to say that bitcoin has to validate two weeks worth of ltc blocks before committing the transaction
16:35 < gmaxwell> amiller: I think the bitcoin bitcoin case sucks too, as mentioned. even when you get to dozens of headers the transaction is rather enormous.
16:35 < amiller> but if i'm going to end up with litecoin anyway, i'm okay if bitcoin only does concise work-sampling validation
16:35 < amiller> if there is a lot of volume of btc to litecoin trades then we can all amortize the validation
16:35 < amiller> there's no reason each individual transaction has to repeat the whole process
16:36 < amiller> there's maybe a scheduling/batching challenge in there
16:36 < gmaxwell> and any subsetting case will still need n bits of selection where n is fairly large compared to work.
16:36 < amiller> that's not true i don't see why you'd say that?
16:36 < gmaxwell> amiller: yes if you commingle the consensus algorithm, and effectively merge the chains requiring all full validators to validate both, it obviously works.
16:36 < amiller> no i'm saying it doesn't require full validation
16:37 < gmaxwell> amiller: because if your sample is just one point then a single lucky block can rob all concurrent spends. and also may take forever to come, leaving the transactions stuck for a long time.
16:38 < gmaxwell> amiller: if it's not full validating then, surprise, it's just spv security. And SPV is quite weak when you have an information hiding risk.
16:38 < gmaxwell> So you need a lot of header proof to make SPV with a hiding risk not laughably bad.
16:38 < amiller> what do you mean
16:38 < amiller> i don't follow what you mean by information hiding
16:38 < amiller> if you mean errors in transactions then header doesn't solve that anyway so i don't know what you mean
16:39 < gmaxwell> As I said before, consider a 1000 BTC trade "bitcoin to bitcoin" via this mechanism. Say you require 12 headers. I can buy that computation for about 300 BTC. A big profit to cheat. The inner validation only knows what you tell it, it can't go out and discover that there is a longer chain far ahead of that one.
16:40 < amiller> that's true of any btc transaction with the threat of double spending
16:40 < gmaxwell> No, it's not because you can find out that there is a longer chain, so that someone spending weeks to produce a 12 header stub does no good, as the whole world has moved along.
16:41 < gmaxwell> SPV in information isolation requires only energy. SPV when there is no isolation requires energy at high power.
16:42 < gmaxwell> I think this is a tangent in any case.
16:42 < amiller> the rules for applying include an amount of work in both chains
16:42 < amiller> so it's not just 12 headers at any time
16:42 < amiller> but 12 bitcoin headers before say 60 headers of litecoin
16:42 < amiller> 60+epsilon
16:43 < gmaxwell> you can't be guaranteed any particular processing speed especially for your jumbogram transaction.
16:43 < amiller> if i'm confident i'm going to learn about 60 litecoin headers before you learn about 12 bitcoin headers, then i'm okay
16:44 < amiller> the point is we are both taking bets about the rate of proof-of-work of the chain we're going to end up on
16:44 < amiller> and any substantial change in that would make us vulnerable to double spends where we end up anyway
16:44 < gmaxwell> And this accomplishes exactly what?
16:45 < gmaxwell> A _trivial_ protocol already reduces this problem to pure holdup risk.
16:45 < amiller> right so i'm solving the holdup risk for a cross-chain transaction, up to the same security guarantee we have against double-spending in an individual chain
16:46 < gmaxwell> except you're not. Because the transactions cannot be mined atomically in both.
16:47 < gmaxwell> The rates of the two chains might be a nice constant ratio, but the _start time_ has no particular reason to have a non-zero offset in the two chains.
17:26 < amiller> ok i almost worked it out
17:26 < amiller> difficult to explain, this may take a few tries
17:27 < amiller> i'm giving you my bitcoins and you're giving me your litecoins, but suppose i'm able to produce a short proof that the the litecoin chain has moved on several blocks *without* having your end of the transaction on it
17:27 < amiller> i should be able to present that proof to the bitcoin chain and use it to cancel my sending bitcoins to you
17:31 < gmaxwell> right, okay, so you need a UTXO proof, plus headers.
17:31 < amiller> not full headers, less than spv
17:31 < amiller> just a work sample
17:31 < amiller> that can be seriously small
17:32 < gmaxwell> Be concrete.  I know ways to reduce enormous amounts of work to merely large, but I'm not seeing how you actually get something compact.
17:32 < gmaxwell> and a utxo proof is log(total utxo)
17:34 < gmaxwell> (the two ways I know to reduce enormous amounts to large is the hash highway method, and hash highway I think you need a header format change or you can't show the headers are related, or non-interactive cut and choose)
17:34 < amiller> header format change yes
17:34 < amiller> the noninteractive cut and choose isn't necessary
17:35 < amiller> basically i don't need to assert that the header samples form a valid chain
17:36 < gmaxwell> you do need to assert they came after the utxo proof connected header.
17:36 < amiller> i just have to show that they are very unlikely to be constructed without the minimum amount of work, and that they all occurred after some deadline (meaning there's some path of preimages that leads to some origin point of interest)
17:36 < gmaxwell> s/came after/ are connected to.
17:39 < gmaxwell> amiller: otherwise I mine a single fake litecoin block with a fake utxo commitment and give you that and a dozen real litecoin headers.
17:40 < amiller> hm, right, so i should check that the utxo commitment associated with each block couldn't have had data in it that contradicts my claim (that the transaction i care about has not shown up)
17:41 < gmaxwell> yea... so 800 bytes per block... :(
17:43 < amiller> if that's the only thing to grimace at i'm happy
17:43 < amiller> imo this is a building-block for not-necessarily-global blockchains
17:43 < gmaxwell> by per block I mean per block in your proof.
17:44 < amiller> yes i know
17:44 < amiller> if there's a lot of volume of btc to ltc transactions then we can all amortize the validation of work
17:44 < gmaxwell> well the utxo membership proofs can't really be substantially combined.
17:45 < amiller> yes but i only need it on the last one if there are canonical litecoin headers already
17:45 < gmaxwell> canonical litecoin headers implies full nodes validating litecoin blocks.
17:46 < amiller> either way this is just a possible optimization
10:26 < amiller> instead, if you built in something like this feature i'm describing, any attempt to tweak the rules to let in an extra million, even "only just this once", would require porting over everyone's signatures to some new thing all at once
10:27 < amiller> easily?
10:28 < petertodd> amiller: yeah, just make it possible to steal block rewards given proof of fraud
10:28 < amiller> i'm more optimistic the other way around... if i have a good definition, i can find someone who can do the relevant crypto, or i can wait 5 years and pinocchio or tinyram will be fast enough
10:28 < amiller> to steal anyone's block rewards?
10:28 < amiller> i don't think that solves it
10:28 < amiller> because it's still a simple "tweak" to the rules to make one particular fraud not count
10:29 < amiller> i'm not talking about someone sneaking in a deviant block undetected
10:29 < amiller> i'm talking about publicly getting everyone to agree to tweak a rule and then just accepting it
10:29 < petertodd> ah, hmm... sounds like magic :)
10:30 < petertodd> anyway, if everyone agrees, they can just as easily agree to change the rules to turn your system off
10:31 < amiller> right but then it's all or nothing
10:31 < amiller> this is meant to prevent tiny rule changes
10:31 < amiller> that otherwise preserve the system intact
10:31 < petertodd> they had to agree to change validation...
10:31 < amiller> which makes it more plausible that you could convince everyone to agree to go along with it
10:31 < amiller> which means the system could plausibly evolve over time
10:31 < amiller> if you actually wanted to bake in certain rules permanently then you could use this technique
10:33 < petertodd> well, anyway, if you figure out how to I'll be impressed all the same
10:33 < amiller> i think the trick is to relate signatures to block validation
10:34 < amiller> the signature scheme would have to be able to use knowledge of a violated rule as an alternate way of being accepted
10:35 < amiller> this means if a miner can include a block that violates a rule, he can also sign anyone's signatures
10:35 < amiller> the point is you could still just switch to another blockchain, but you would have to leave everyone's keypairs behind
10:36 < amiller> another way of putting it is that when you generate a spending keypair, you'd be making that keypair affixed to a particular set of constitutional rules
11:00 < gmaxwell> petertodd: http://www.reddit.com/r/Bitcoin/comments/1pjiv4/coinswap_a_transaction_protocol_to_trade_coins/
11:00 < petertodd> nice
11:00 < petertodd> although, I suspect the headline won't be understood as to me teleporting value...
11:08 < gmaxwell> Well, I added: http://www.reddit.com/r/Bitcoin/comments/1pjiv4/coinswap_a_transaction_protocol_to_trade_coins/cd2xqif
11:09 < petertodd> that looks better
12:30 < adam3us> amiller: so for example say by modifying the constitution you are allowed to add a factor of our choosing to the coin public keys and hence to know the discrete log and spend them
12:31 < amiller> i think - something like that
12:31 < adam3us> amiller: or alternatively people seem really scared of even soft forks ;P, so maybe it's not essential in practice, but it's an interesting question
12:32 < amiller> it's easier for me to think of this in terms of generic zero knowledge and circuits
12:33 < amiller> a public key is like the SNARK for a circuit that is valid if *either* the signature for the transaction is correct *or* you have evidence that the previous block hash contains an invalid rule
12:33 < adam3us> amiller: so what i mean is if the factor you add during your mining in constitutionally valid ways (no variation) are definitionally things you can't know the discrete log of (as they are hash outputs eg)
12:33 < adam3us> amiller: gotcha actually thats sort of generic ZKP or model
12:34 < adam3us> amiller: and yet by varying u get more freedom in the factor so could chose it maliciously
12:35 < adam3us> amiller: that's not actually the same of course, what you are saying via ZKP or is that not only could you be malicious if inclined, but you definitionally create the risk by introducing an OR zkp
12:36 < amiller> yes
12:36 < amiller> it's tricky though because
12:37 < adam3us> amiller: i could actually see that working no?
12:37 < amiller> transactions ordinarily just refer to the transaction graph, separately from blocks
12:37 < adam3us> amiller: yes there is a block / tx mismatch, that is quite inconvenient
12:37 < amiller> so i don't see immediately how to rule out that you could still just change the protocol and keep using the same public keys
12:38 < amiller> this doesn't have the desired effect if you could just interpret the existing signing keys with a different validation circuit
12:38 < amiller> the approach should be to somehow make the signing keys totally useless except in the context of valid blocks
12:38 < adam3us> amiller: right; seems like that might need something more sophisticated concept
12:39 < adam3us> amiller: like all sigs are based on SCIP/SNARK but bound to the constitution hash so that if it's varied the proofs no longer are valid
12:39 < amiller> i still think this is definable just using zero knowledge and arranging things carefully
12:39 < amiller> yeah exactly
12:39 < amiller> it would turn "small one-time-only tweaks/exceptions" into suddenly *everyone's* problem that has any coins
12:41 < adam3us> amiller: yes the use-case is clear; prevents special pleadings by governments as now - bending constitutional rules due to political expediency in a time of financial difficulty
12:41 < amiller> right
12:41 < adam3us> amiller: if the cost is everyone's money goes up in smoke, that's clearly worse; financial armageddon
12:42 < amiller> as it concerns bitcoin, i believe that currently people *overestimate* the relative ease of convincing everyone to go along with an incrementally rule-bending change that doesn't really affect them and might as well go with the flow
12:42 < amiller> at the same time, even a tool like this isn't a perfect solution to everything
12:42 < amiller> the ability to change rules through consensus is actually a pretty positive thing so far
12:43 < adam3us> amiller: i was just talking with petertodd about even well meaning short-termism creating problems through lack of focus on the big picture (upthread)
12:43 < amiller> i can imagine having some rules baked in this way and other rules able to change like currently through hardfork
12:43 < amiller> it seems like it would be clearly a useful tool to add but it's not obvious how best to apply it
12:44 < adam3us> amiller: yes; probably the main risk is bitcoin has a quite entangled hard to modify design, and a code bug could screw core value up; would be useful if there was a way to finalize core value protection and do other higher level features separately without risking it
12:45 < adam3us> amiller: 21mil coin cap & mining production rate function are good candidates
12:46 < amiller> yeah, 21mil coin cap definitely the most fun one to aim at with this
13:00 < adam3us> amiller: so what if u made each ecdsa sig instead zkp of knowledge of DL of Q (bound to H(tx) aka ECDSA(tx) OR NOT (reward ==25 || epoch==2 & reward==12.t ...)
13:01 < adam3us> amiller: if you make a soft fork on reward, suddenly everyone will be able to spend anything
13:02 < adam3us> amiller: that's even a compact proof using representation problem (extended schnorr)
13:02 < adam3us> amiller: brands stuff can prove ==, NOT (aka !=) and OR is generic
13:04 < adam3us> amiller: could be more simply referring to currentReward()
13:50 < gmaxwell> Man, dealing with users is hard: http://0bin.net/paste/e6R8Cv8TJEdr-Fq0#c36UxiHSURdA06LPQPNiCvyiOIQ++XGScvPoTvJ/lEg=
14:47 < K1773R> gmaxwell: those ppl deserve losing their coins S:
14:47 < gmaxwell> K1773R: we need those people happily using bitcoin to make it have a functioning economy. :)
14:48 < K1773R> gmaxwell: unfortunately yea
14:49 < amiller> adam3us, so actually.... the trick must be to allow the miner to hide the transaction signature
14:50 < amiller> if the user submits an actual signature, then the miner can construct a ZKP that hides either (the attached signature is valid OR the prev block hash is bad)
14:50 < amiller> uh hm that still has that problem that you could give a different ZK proof for the same signature :/
14:51 < amiller> this isn't a clean change but you could require that all transactions are interactive and the tx itself requires a signature of the most recent block
15:02 < amiller> this would sort of be a general approach to having a non-reusable signature scheme
15:02 < amiller> normally signatures can be taken out of context
15:03 < amiller> i could be participating in a game where i use my gpg key to sign chess moves
15:03 < amiller> but someone else could pick some new protocol that also uses my signatures and maybe they conflict in some way
15:24 < MC1984> oh this is real.....
15:35 < sipa> is this the real life?
15:40 < gmaxwell> Or is this fantasy?
15:40 < gmaxwell> ^just
16:35 < gmaxwell> joining #eligius right now may be good for popcorn.  The operator of betcoin.tm waynetbarclay is mad about eligius blocking his (SD style) 'dice' transactions and appears to be making veiled threats of DDOS attacks.
16:39 < warren> pastebin log?
17:43 < sipa> maaku: the name compactsignature actually comes from the fact that not using DER is more compact
17:43 < maaku> ah
17:44 < sipa> adding the recovery bit was later i think
18:24 < gmaxwell> petertodd: Luke-Jr apparently wasn't aware that the DBG transaction wasn't getting mined.
18:25  * Luke-Jr figured petertodd figured out a way around it :p
--- Log closed Thu Oct 31 00:00:27 2013
--- Log opened Thu Oct 31 00:00:27 2013
--- Day changed Thu Oct 31 2013
02:47 < warren> hmm, I see next-test didn't integrate Coin Control and watch only either.
05:53 < HM2> hmm
18:37 < shesek> so I guess Satoshi is now heavily invested in Jesuscoin? :)
18:37 < shesek> he should own a pretty large chunk of it
18:39 < shesek> given his large ownership in the early bitcoin blocks
18:39 < sipa> ...?
18:40 < maaku> shesek: yes, but unfortunately he Ascended into heaven in 2010 without leaving any of his public keys to his disciples :\
18:40 < maaku> /public/private/
18:40 < sipa> someone should create a Nakamotocoin - dedicated to The Ascended One
18:41 < sipa> by mocking his Creation
20:19 < justanotheruser> thanks andytoshi
20:22 < gmaxwell> From #p2pool:
20:22 < gmaxwell> 17:20 < owowo> gmaxwell: can you explain why ppl are mining on those BIG pools?
20:22 < gmaxwell> 17:21 < owowo> I don't get it, they must get more coin there.
20:23 < gmaxwell> oh he says he was kidding now.
20:23 < gmaxwell> dude just nearly dodged getting face-stabbed.
20:27 < shesek> bigger pools could operate on lower margins, so miners could benefit from the lower fees
20:27 < shesek> I'm not really familiar with pools though, so I'm not sure if that's true in practice
20:27 < gmaxwell> shesek: except that there are smaller 0 fee options (including p2pool)
20:28 < gmaxwell> the biggest pools have historically had the highest fees.
20:29 < gmaxwell> (the exception being ghash.io, and that's weird on a couple levels including that it's widely understood that the owners of ghash.io own a majority of the hashpower on their pool)
20:29 < shesek> doesn't ghash's hashpower come mostly from cex?
20:30 < gmaxwell> shesek: yes, common ownership.
20:30 < shesek> which is physically owned by them, but should be "owned" by other people
20:31 < shesek> though as long as they have physical ownership over the hardware, it's really a matter of trusting them
20:31 < gmaxwell> yea, no clue how much of cex is "owned" by other people they don't disclose that, the prices are off the charts.
20:32 < gmaxwell> in any case, ignoring ghash.io it's always been the case that the largest pools had the highest fees, almost nearly in order.
20:32 < shesek> btw, about p2pool, doesn't it have a much higher orphan rate that would really affect payouts for the worse?
20:32 < gmaxwell> wow
20:32  * gmaxwell cries
20:32 < gmaxwell> shesek: no, P2pool's orphan rate is lower than other pools by an order of magnitude.
20:32 < shesek> sorry, I'm really not familiar with p2pool and pools in general, I'm just asking to educate myself better :)
20:33 < gmaxwell> My crying is because it's just a replay of the constant fud that circulates and has no basis in reality. :( It's not your fault the whole world is dumb.
20:33 < shesek> so it seems like a lot of people are misinformed about that, I've read that in multiple places
20:34 < shesek> and I wonder how it worked out like that with the pools fees
20:34 < shesek> and why people keep joining the bigger pools if that's the case
20:35 < shesek> it might be psychological, where people think that bigger pools are better for some reason
20:35 < shesek> they face a choice paralysis when they need to pick one, and go after the largest one hoping that it's somewhat better
20:35 < gmaxwell> back in early 2012 there was a span when p2pool had a somewhat high orphan rate, it's not clear if it was just bad luck or a real problem but major work was done to improve it. The end result has in the last several months had only 2 orphans against like 1627 blocks. Compared to, say, eligius which has had somewhat more than 1% orphans (also typical for other pools)
20:36 < gmaxwell> Overall p2pool has solved about 107% of the blocks you would have expected based on its observed work done.
20:37 < gmaxwell> shesek: oh a lot of people misunderstand why pooling exists, they think that mining is a race and in a race the fastest party always (or almost always) wins.
20:37 < gmaxwell> They talk about needing an X TH miner in order to "keep up" and things like that.
20:37 < gmaxwell> Following that logic, the biggest would be best. sooo.
20:38 < gmaxwell> also explains the inverse fee relationship. They think the biggest is best but attempt without the aid of math or understanding to balance that against fees.
20:38 < shesek> educating miners better could definitely help here, some more official resources about that could do some good
20:39 < shesek> an "introduction to mining" on bitcoin.org or something
20:40 < shesek> I do think there's some choice paralysis in play here too. Miners don't really have any effective way to pick a pool, which makes that choice somewhat hard... I guess that some just pick the biggest by default
20:40 < gmaxwell> yes, "so many other people choose it, it has to be good"
20:41 < gmaxwell> we've also seen some "large pool cycling" where the second or third largest pool gets a lucky run and shows up at the top of the charts... and then it becomes the largest pool.
20:42 < gmaxwell> P2pool has a bunch of UX stupidity that doesn't help even feeds into the misunderstandings.
20:42 < shesek> perhaps something that helped pick a pool, with a weighted random based on the inverse popularity
20:42 < gmaxwell> there really is only one pool we should be recommending, p2pool. It's the only surviving pool that's a decentralized system.
20:42 < shesek> could be marketed as "help save Bitcoin from centralization by using this!"
20:43 < gmaxwell> warren has been trying that.
20:44 < shesek> setting up a "whatpoolshouldipick.com" that simply gave one pool in a big font with a link, explaining how the selection works, could be nice
20:44 < shesek> and help overcome that choice paralysis
20:44 < shesek> but yeah, long term, p2pool is much better
20:45 < shesek> but it's still somewhat inaccessible to users and requires setting up a full node
20:45 < shesek> I saw a thread about this on bitcointalk, it would really help if they set up a nice looking website with instructions and an easier way to get it up and running
20:45 < gmaxwell> 'they'
20:46 < gmaxwell> it's not like there is a P2pool company.
20:47 < shesek> well, yeah, it should really be a community effort
20:47 < shesek> not really "they", more like "we"
20:47 < gmaxwell> At the moment setting up a full node is so burdensome that it's sort of the long pole in the tent. Sync really needs to be fixed.
20:49 < shesek> what are your current thoughts on the best way to address this?
20:50 < gmaxwell> It's addressed by sipa's headers first sync work.
20:50 < gmaxwell> But the code is immature.
20:52 < shesek> sipa closed https://github.com/bitcoin/bitcoin/pull/2964 saying that he's working on something better, is it public yet?
20:52 < shesek> can't seem to find a newer pull request / issue
20:54 < gmaxwell> shesek: he has been pipelining the changes since it seemed to be a bit much at once. https://github.com/bitcoin/bitcoin/pull/3370
21:02 < shesek> cool, I haven't really kept up with developments on that front, looks like a good solution
21:05 < shesek> gmaxwell, what do you think about that website I suggested? I think it could be pretty cool as a go-to solution for picking a pool
21:05 < shesek> can even be provably fair by basing the "random" choice on the user's ip and user agent
--- Log closed Wed Jan 08 21:14:13 2014
--- Log opened Wed Jan 08 21:19:30 2014
--- Log closed Thu Jan 09 00:00:17 2014
--- Log opened Thu Jan 09 00:00:17 2014
01:17 < justanotheruser> Has anyone made any proposals for anonymity networks upon which things like coinjoins and coinswaps could take place?
01:22 < michagogo|cloud> I left the Jesuscoin-killing script (replaying the Bitcoin blockchain) running overnight
01:23 < michagogo|cloud> Only gotten as far as block 234853
01:25 < justanotheruser> michagogo|cloud: nice, you actually made the magic changing thing
01:26 < michagogo|cloud> justanotheruser: I actually tweaked linearize.py to do that
01:26 < justanotheruser> michagogo|cloud: does jesuscoin have a community at all?
01:26 < michagogo|cloud> But before I actually ran it, I realized that I didn't need to
01:26 < michagogo|cloud> This script also works: http://0bin.net/paste/OFWqJ7Lj0k0GO0o4#Rd6uP8VFxwv3SEO4HQAwtF+Vy5M3ZtaUrrKC9m3qI+w=
01:26 < michagogo|cloud> justanotheruser: Not really, afaik
01:27 < justanotheruser> michagogo|cloud: Is this only possible because jesuscoin has all of bitcoin's defaults?
01:27 < michagogo|cloud> justanotheruser: Yes
01:27 < michagogo|cloud> It's a 100% clone of Bitcoin
01:27 < michagogo|cloud> Specifically the genesis block and parameters
01:29 < wyager> Oh my god
01:29 < wyager> that is so stupid
01:29 < wyager> And hilarious
01:31 < justanotheruser> heh
01:31 < justanotheruser> I wonder why no one did this for ixcoin or i0coin
01:31 < justanotheruser> well I guess ixcoin had a premine, but i0coin it might be possible
01:58 < justanotheruser> Bitcoin currently only allows turing incomplete scripts. Please tell me why an altcoin that has a limit on both block size and cycles executed to verify a block's transactions (allowing turing complete scripts) is a bad idea.
03:35 < nsh> justanotheruser, it's not a bad idea, experimentally. it might be a foolhardy store of value
03:36 < justanotheruser> nsh: why?
03:37 < nsh> because there's no explicit incentive analysis that guarantees behaviour converges towards the subset of actions that preserve integrity
03:38 < nsh> there could be weird effects that stop people self-interestedly cooperating to keep value stable
03:38 < nsh> (there could also not)
03:38 < Taek42> technically, if you limit the number of cycles then it's not turing complete
03:41 < justanotheruser> Taek42: the scripts were never turing complete
03:42 < justanotheruser> and there can only be a limited number of scripts per block, therefore the blocks were never turing complete
03:42 < Taek42> I know that, was just nit-picking
03:43 < justanotheruser> Taek42: oh, I misunderstood. You were referring to my original statement where I said this could be turing complete.
07:26 < TD> if your addresses become compromised and they are on business cards, etc, you're hosed
07:26 < adam3us> TD: well they either need cold wallets, or air gapped armory-style deterministic wallets
07:27 < adam3us> TD: yes.  it would only make sense to publish a static address really with an offline wallet for the disaster recovery reason you gave
09:07 < phantomcircuit> TD, that's a good point
09:24 < adam3us> phantomcircuit, TD: i guess the certification model extends the other way also: if you put on your biz card the master offline business/user identity pub key address, you could have the blockchain timestamp the signed subwallet deterministic address, as an analog to certificate transparency in x509 world, and ask any full node for SPV validation of this identity's address.
09:25 < TD> i'm much more interested in ways to link keys/payreqs to social networks
09:25 < TD> as that is what people seem to use these days
09:26 < adam3us> phantomcircuit, TD: kind of complicated however.  ideally you want to be able to support scenarios where the wallet is offline, but connected to the network via the merchant only, without them getting ripped off via the unspecified change
09:26 < TD> i mean even email seems to be in its death throes for a lot of people
09:26 < TD> the number of times  i try to email someone and discover their entire online presence exists only on various social networks or via stupid online forms is .... irritating
09:26 < TD> twitter is not a replacement for a public, non-obfuscated email address!
09:26 < TD> but this is the trend of our times
09:26 < phantomcircuit> TD, people or companies?
09:26 < adam3us> TD: i share your frustrations :)
09:27 < TD> people
09:27 < phantomcircuit> TD, bizarre
09:27 < TD> companies still use it as much as ever, AFAICT
09:27 < TD> email is still the best for "serious" communication
09:27 < adam3us> there may be some aspect of scale - if you are going to wire a company a lot of money, you want to be sure you have the right address/account number in this analog
09:27 < phantomcircuit> TD, personally i avoid email for company <-> customer communication as much as possible
09:27 < TD> but a lot of people don't really engage in a lot of serious conversation online. it's all short messages and social networks are better for that
09:27 < phantomcircuit> it's enormously difficult to keep straight who you're dealing with
09:28 < adam3us> TD: i just engaged in some research q about hashcash for udp/ip anti-DoS with a fellow who seemed to want to do it over twitter; twitter even dropped msgs, lots of them, so i had to go search for them
09:28 < TD> ugh
09:29 < TD> yeah i can't believe anyone wants to use twitter for anything approximating work. but now i feel like i'm getting old and i'm  not yet 30
09:29 < TD> some years ago the gmail team did a lot of research that scared the crap out of the entire division
09:29 < TD> it basically said that an entire generation didn't use email at all. period.
09:29 < TD> the only reason they had an email address was to register at sites
09:29 < TD> and/or because their university/school insisted on one
09:29 < adam3us> TD: I mean i recognize the guy's handle he's been on cpunks for years, and i believe he's highly competent in host security circles, but holy moly that is not a topic for twitter
09:29 < TD> it had been 100% killed by facebook
09:29 < TD> now facebook is getting killed by WhatsApp
09:30 < TD> so, trying to keep up with how people organise and communicate is a waste of time. much better to find a way to be general about this and coattail it
09:30 < TD> hence my interest in steganographically encoding short URLs where you can find a payreq into profile pictures
09:31 < TD> that's one thing all these mediums have in common (er, except email, but email has attachments)
09:31 < phantomcircuit> TD, gotta love whatsapp's security
09:31 < TD> "startup code". though i think they improved it since
09:31 < phantomcircuit> lol duplex rc4 streams with the same key
09:31 < adam3us> TD, sipa: btw re discussion yesterday about why people are confused that an address is static, i presume you may've come across living in zurich, with swiss private banks if you ask for a private payment, they send the transfer only with a transaction number, not a sending account number - it's rather similar to bitcoin, but most people don't know about that or how it works
09:32 < phantomcircuit> adam3us, it would probably be easier to explain to people as a single use credit card number but for the merchant
09:32 < phantomcircuit> (maybe)
09:33 < adam3us> phantomcircuit: yes that is a good analog, just amused me that in some ways bitcoin addresses are a reinvention of swiss banking privacy technique, one-use transaction numbers in place of accounts
09:34 < TD> heck i live in switzerland and have never encountered that
09:34 < TD> swiss banks are like any other bank as far as I can see. except, reasonably competent
09:34 < TD> (in terms of their user-facing stuff)
09:34 < TD> (not their investment decisions)
09:34 < BlueMatt> or their signup requirements for americans.....
09:34 < adam3us> TD: you'd have to request it, see people with swiss private bank accounts are sensitive about other people learning their account number
09:36 < TD> well that's not their fault
09:36 < TD> anyway their signup requirements are mostly very simple.   "you cannot be american". doesn't get simpler than that!
09:36 < BlueMatt> heh
09:36 < phantomcircuit> TD, well you can be american, but you have to basically allow them to give your entire account history to anybody who asks for it
09:37 < phantomcircuit> also you need lots of money
09:37 < BlueMatt> (and prove residency)
09:37 < TD> no quite a few banks just forbid US citizens period
09:37 < TD> some will do it and handle the requirements yes
09:37 < phantomcircuit> TD, those bans are always dependent on how much you want to deposit
09:37 < adam3us> btw Ian Grigg/systemics with their sox protocol ran for a time a payments server demo with one-use, or user-controlled creation of multiple account numbers.  he was the guy who also operated e-gold's transaction server under contract somewhere in the caribbean - it's analogous to the swiss private banking privacy model, and the bitcoin model
09:38 < adam3us> phantomcircuit: $500k min deposit i think
09:39 < phantomcircuit> adam3us, yeah i guess
09:39 < phantomcircuit> but i don't see why anybody would bother unless they actually lived in .ch
09:39 < adam3us> Ian Grigg actually wanted to use chaum/brands signing but couldn't get a license due to the chaum patent getting locked up in a patent holding company and other similar issues
09:41 < adam3us> phantomcircuit: well it's private is the point (financial privacy) and .ch has some nice AAA rated banks (the US doesn't have any) also if you live in spain, cyprus, much of europe it's a great way to avoid getting an involuntary depositor haircut
09:41 < phantomcircuit> adam3us, for a us citizen there isn't really much more privacy
09:42 < phantomcircuit> so really what you're getting is a competent bank in the .eu
09:42 < adam3us> phantomcircuit: it's orthogonal from taxes - you have to declare it or get taxed anyway if you have a european passport also.  there is also asset protection.  they do not seize funds without a swiss court seeing evidence and it passing their legal standard
09:43 < TD> it looks like there's going to be a referendum on FATCA actually
09:43 < TD> which worries me a great deal
09:43 < TD> that could lead to "interesting times" for sure ...
09:44 < adam3us> TD: grr facta, wipo etc.  i wish the chinese would just say no, hire falkvinge as advisor, and start a countervailing force
09:44 < TD> i quite like switzerland. i hope it doesn't end up engaged in a bloody fight it's too small to win
09:45 < TD> it's fat-ca  not facta, though the former is much harder to say
09:45 < TD> well unfortunately the nature of how fatca works means no one country by itself can stop it. that's rather the nature of empire, see, conquered lands are forced to join the army and fight the next one
09:45 < TD> until nobody is able to stop the conquering army and you end up with rome
09:46 < TD> it takes *simultaneous* opposition
09:46 < TD> that isn't going to happen.
09:47 < phantomcircuit> adam3us, theoretically that provides some level of protection
09:48 < phantomcircuit> in practice however very few us citizens with funds in swiss banks would benefit from that in a meaningful way
09:50 < adam3us> TD: yes fatca is the equivalent of viral licensing. they are trying to take over and unify.  it's a very bad trend because it precludes jurisdictional competition and societal exploration of conventions; it pulls everyone down to the lowest denominator (whatever american politicians are paid by lobbyists to think)
09:50 < TD> i would put it more simply:  it is the end of independent countries and the formal start of the american empire
09:50 < BlueMatt> hah, yep, welcome to us banking regulation (and others, ie trade sanctions...)
09:50 < BlueMatt> we own the world, screw everyone else
09:51 < adam3us> TD: agreed.  the only hope I see is the rise of asia's economic and geopolitical influence
09:51 < BlueMatt> and yet even americans have a fundamental hate for their politicians....
09:51 < BlueMatt> one would hope the eu would be large enough and willing to compete, but that clearly isn't gonna happen
09:51 < TD> yes it's quite an unstable situation, where you have a tiny number of people in washington who are despised by nearly everyone including the people they claim to represent
09:52 < adam3us> TD: and the meteoric rise of rick falkvinge & pirate party, still an outlier but growing
09:52 < TD> the only thing keeping a  lid on it, is the fact that technically they were "voted" for, but i wonder how long that will continue to placate people
09:52 < TD> BlueMatt: well, compete in what sense?
15:29 < adam3us> jtimon: so long as the contracts catalog that you consider as your benchmark are implementable in a turing completeness sense, with the current script language, maybe it's better to focus on a translator from pseudo-legalese to script.  and add minimal script extensions to cover any gaps rather than going for eval like generality and trying to contain the damage
15:29 < gmaxwell> jtimon: Yes. It's not about "dumb" it's about having forced choice.
15:29 < jtimon> maybe maaku and I are too optimistic but to me it seems an exaggeration
15:30  * adam3us is loath to repeat that long thread
15:30 < jtimon> "having forced choice"? I don't understand
15:30 < gmaxwell> sure you could _choose_ to refuse to do business with this or that, or refuse to accept this or that coin. You could also choose to live in a cardboard box under the freeway.
15:30 < gmaxwell> Not all choices are meaningful, even in the presence of perfect information.
15:30 < jtimon> who forces you to accept amlcoins? who forces you to turn your btc into amlcoins?
15:30 < maaku> jtimon: well, we're also thinking about this in the context of having 5% of the monetary base refreshed annually
15:31 < adam3us> adam3us: but in summary as the regulators have much control over the gateways to banking infra, a viral amlcoin enforced at exchanges would already be enough i think
15:31 < jtimon> maaku and they think it from the perspective that deflation doesn't matter, so 1% of the current btc will be ok, and 0.1%, 0.001%...
15:32 < adam3us> jtimon: anyone who only accepts amlcoins that you have a poor choice with (no service or amlcoin, amlcoin as change because of the payment integrator they are using etc)
15:33 < jtimon> the way you talk about it, is like if btc would be doomed if bitpay and gox stopped accepting bitcoin and moved to ltc...
15:33 < andytoshi> adam3us: it occurs to me re your 'redcode' scenario that this is exactly what happened in the real global financial system in 2008
15:34 < andytoshi> ie the legalese that contracts for derivatives are written in is turing complete, and extrospection capabilities are determined by a regulatory regime that did not do cogent incentive analysis
15:34 < adam3us> andytoshi: haha yes.  the system was virus prone.  the fintech/bankster boys dreamed up viral make-money fast schemes that are doomed to crash with OPM
15:34 < andytoshi> which led to things like, eg the cds market hitting a 4 quadrillion cap :P
15:34 < jtimon> " amlcoin enforced at exchanges" you mean prohibiting bitcoin exchanges?
15:35 < adam3us> andytoshi: fascinating analogy.  and we think we can protect that by restricting the contract language? (probably not)
15:35 < gmaxwell> jtimon: it's much harder politically to shut down bitcoin exchanges when to do so you're suppressing bitcoin. Much easier where "on no bitcoin exchanges are fully permitted! they just have to comply with the law"
15:36 < andytoshi> adam3us: so this is very cool, there is potential here for us to describe the horrible subtlety of financial regulation, in the context of cryptosystem currencies (which i have mentioned before, lets us do a lot of spherical-human economic analysis thanks to trustlessness)
15:36 < adam3us> jtimon: much was said upthread but yes  exchanges already comply with aml, if bitcoin supports viral aml, regulator will say "ok so use it or shut down" and users will say ok i want to buy $100k btc i can spend a month on bitcoin-otc (coffee shops for cash) or put up with amlcoin etc
15:36 < jtimon> adam3us: I just don't believe all countries will prohibit bitcoin exchanges
15:36 < andytoshi> and have a very simple-to-describe but very precise "here is where the thinking went wrong" explanation of that whole situation
15:37 < jtimon> " users will say ok i want to buy $100k btc " wasn't your assumption that the users weren't able to get btc out of the exchange anymore, just amlcoins?
15:37 < adam3us> jtimon: i think if the world was as sure as you are about financial regulation and bitcoin the price would be $100k/coin already :D  i think one of the main things holding bitcoin back is just that - uncertainty about regulation! it's not that there haven't been multiple non-basket case jurisdictions that have behaved erratically with btc regulation
15:38 < andytoshi> adam3us: re "restricting language", maybe that is exactly what we want to do, combined with maaku's "provably nonviral" ideas
15:38 < adam3us> jtimon: right.  that's what would happen to any exchange that was forced by regulation to use amlcoin covenants
15:38 < andytoshi> because we've seen in real life that pasting "don't act in bad faith" policies onto a turing complete system lets people do weird destructive things
15:39 < adam3us> andytoshi: i dunno sounds like halting problem^2 in hardness
15:39 < gmaxwell> adam3us: no, because as maaku pointed out, you can fail-safe.
15:39 < gmaxwell> If the static analysis can't prove your transaction sufficiently non-viral, its just not valid.
15:39 < andytoshi> adam3us: the result would be basically a whitelist of policies, and if people can prove that new things are safe maybe they could post a SNARK showing that or something, so the hard analysis is on them
15:39 < adam3us> andytoshi: BUT what we can do and i pushed this thought to a few offline people, is have auditable insurance coverage through the insurer, the reinsurer, the assets, the company's balance sheet, revenue, dividends etc.
15:42 < adam3us> gmaxwell: maybe.  now security depends on a few more components including a theorem prover's comprehension vs virus writers
15:42 < adam3us> andytoshi: nice to have a fast to verify compact proof yes.
15:43 < andytoshi> adam3us: we could maybe put these proofs in the blockchain along with a unique identifier, then require all txes to reference the proof that they are safe
15:43 < nsh> we're on to viral transactions now? great...
15:43 < andytoshi> obviously this is a half-baked idea, as you say theorem proving is not developed enough to do such high-consequence real-world stuff
15:44 < adam3us> andytoshi: maybe.  or we could amuse ourselves with what we can do with non-extrospection languages
15:44 < andytoshi> yeah, i'm really impressed and surprised with what you guys have found to be possible
15:44 < nsh> i'd like to see a fully darwinian transactosphere...
15:45 < adam3us> nsh: suggest looking at ethereum.  will be interesting to spectate :)
15:45  * nsh nods
15:47 < nsh> had a very unbaked and thoroughly handwavey idea about a DSA-authorized capabilities-based distributed computational system over a blockchain with costed access to scripts and (computational) inputs somehow marked to market by utility or complexity
15:48 < nsh> not sure exactly what all those words mean though so it'll probably remain pretty deep in my imagination :)
15:49  * adam3us wonders if it's considered part of redcode game to write ethereum stealing viruses?
15:49 < andytoshi> that's interesting, if you can infect a majority of hashpower you can "hack the matrix" so to speak :P
15:50 < nsh> (it's always part of the metagame to cheat in ways that haven't been considered and thus explicitly prohibited)
15:50 < andytoshi> i guess i mean, if you can infect almost all the validating nodes
15:51 < gmaxwell> I think I mentioned before, some of these altcoins basically appear to have no nodes... even 'widely' used ones: people just mine directly to exchange accounts.
15:51 < gmaxwell> so you've got a couple of pools, a couple of exchanges, an odd geek or two, and that's it.
15:52 < adam3us> nsh, andytoshi: i was thinking there could be two levels of viral ethereum programs.  a) within the interpreted execution space, eg viral covenants etc; b) escape the interpreter via sandbox escape.  i wonder though, they probably wouldn't find it funny even if you did
15:52 < gmaxwell> and these are things where there is no huge cost to running a node... the chains are small because there are few txn.
15:53 < adam3us> gmaxwell: ha not only no tx, no wallet, but not even any full nodes.
15:53 < nsh> hmmm
15:54 < gmaxwell> well there are some levels of transactions, but no real reason for someone to run a node. So that's the kind of outcome I'd expect for ethereum, particularly because running a node would be expensive.
15:54 < adam3us> gmaxwell: i was thinking beyond coingen.io why not virtualize the whole thing.  pay for virtual VPS, virtual ASIC hardware,... maybe you can make that provably fair like central but fair dice; i mean what's the difference, it's only a tulip/pyramid coin anyway.  people can speculate on synthetic nothing without wasting electricity then
15:55 < gmaxwell> adam3us: you could call it "mastercoin"
15:55 < adam3us> gmaxwell: minioncoin.  maybe someone should fork mastercoin and put it on top of dogecoin
15:56 < gmaxwell> Every dog has his master.
15:56 < gmaxwell> Many leashes. Such dogwalk.
15:56 < gmaxwell> the "exodus" needs to be DogCarRide
15:57 < adam3us> gmaxwell: please can 2014 be the year of the death of tulip coins?
16:00 < kinlo> heh, to see gmaxwell talk dogetalk made me laugh :)
16:03 < michagogo|cloud> andytoshi: Erm, you've given me an error I've never seen before
16:03 < michagogo|cloud> http://imgur.com/ZTcyCyR,kwBmvFO
16:04 < michagogo|cloud> andytoshi: Is the file I got broken?
16:04 < michagogo|cloud> 3836c0fef1bffbb4ed7c35564dbb23ad51295a74df7bc53b234b13e198bf4264 */cygdrive/c/Users/Micha/Downloads/cj-windows.zip
16:04 < gmaxwell> kinlo: that meme was a favorite in my household two months ago. dogecoin is kinda overplaying it at this point.
16:04 < michagogo|cloud> (sha256)
16:04 < maaku> "maybe.  now security depends on a few more components including a theorem prover's comprehension vs virus writers" <-- there's no way you'd want the theorem prover to be part of consensus
16:04 < maaku> i was suggesting it as part of the IsStandard check and wallet code
11:52 < TD> i am rather skeptical about widespread coinjoining. small scale joining gives you a small modicum of deniability .... how much privacy it gives you is rather an open question at this point
12:00 < petertodd> Emcy: in the short term my main thinking is to use coinjoin with two-party-mixes as a way to thoroughly break the idea that transactions are authored by a single person. There's a lot of work to do beyond that, but breaking that assumption is a very important first step.
12:01 < petertodd> Emcy: e.g. naive two-party-mixes leak information with regard to the values on the txins and txouts, but subsequent efforts can help plug that leak by, for instance, using value-matching techniques where one party to the transaction deliberately matches the values of the other party's txouts
12:03 < petertodd> Emcy: this also ties into merge avoidance: if txins are not always merged into a single txout to make a payment you have a lot more flexibility in making coinjoins that don't give external observers useful information. equally that people are doing merge-avoidance with coinjoin means that even when you don't use that feature, transactions have solid plausible deniability
12:08 < petertodd> Emcy: example: I want to pay you, and you've told me you'll accept up to two txouts for that payment. I do a two-party CJ mix with someone who needs a specific output value, and I use one of those txouts to match their value, the other to send you the balance of the payment, and I have a third txout with my change.
12:19 < petertodd> Hmm... and come to think of it, rather than calling it "merge avoidance", the idea is better described as "merge flexibility" - the receiver of funds is saying "here's how many txouts I'm willing to accept, use that to better optimize how you merge the txouts you are using to pay me to balance privacy and cost per transaction". Using CoinJoin in conjunction with merge flexibility is a win because it lets you get away with fewer txouts - more ...
12:19 < petertodd> ... merging - at the same privacy level. In short, it's cheaper for a given level of privacy.
12:22 < Emcy> petertodd i fear it will take much more. Youre assuming rationality about how the system works.
12:23 < petertodd> Emcy: explain?
12:23 < Emcy> consider how bad IP addresses are for identifying individuals vis a vis the war on bittorrent
12:23 < Emcy> they do it anyway, no one seems to care much that they get it wrong all the time
12:24 < petertodd> Emcy: oh sure, don't get me wrong, I'm not saying this is easy. The fact that "merge avoidance" seems to have been proposed as a way to let blacklists still function shows how hard this will be.
12:24 < petertodd> Emcy: But we can only respond by making better privacy as cheap and easy as possible and trying to get as many people using it as possible.
12:24 < Emcy> it seems like you have to stop the idea that some sort of convenient data can ID a person and what they do before people get it into their heads, never mind that it might be completely wrong anyway
12:24 < petertodd> Emcy: even blockchain.info's centralized coinjoin implementation is a huge win in that regard
12:25 < Emcy> that's why convalidation makes me worry even as it is now
12:25 < petertodd> same, but again, sitting around and complaining won't fix things.
12:27 < Emcy> do you really think mikes merge avoidance thing was really proposed specifically to let blacklists get a foot in the door?
12:27 < Emcy> I thought it was more CJ + merge thing complementing each others weaknesses
12:28 < petertodd> Emcy: yes. from the article on medium: "Merge avoidance doesn't interfere with coin tracing."
12:28 < petertodd> Emcy: the original proposal was merge avoidance as a complete replacement for coinjoin; fortunately it complements coinjoin very nicely
12:29 < petertodd> Emcy: notably everything that makes merge avoidance possible to use without coinjoin can be re-used to use it with coinjoin.
12:29 < Emcy> can you link? I thought i read it. maybe that went right over my head
12:29 < petertodd> Emcy: https://medium.com/p/7f95a386692f
12:29 < petertodd> Emcy: it's at the bottom of the article
12:30 < petertodd> Emcy: the article is very misleading about coinjoin as well, giving lots of reasons not to use it
12:31 < Emcy> i really want to believe he's playing devil's advocate like it was a 10 pence a go street fighter arcade cabinet in 1989
12:32 < petertodd> Emcy: FWIW merge avoidance isn't new either - the first time I heard of the concept was from adam back pointing out how pervasive merge avoidance gives privacy properties very similar to zerocoin. (if coins are always fixed in size)
12:33 < petertodd> Emcy: lol!
12:36 < Emcy> it just seems like there are quite a few people confusing pragmatism with submitting fully to the usual strictures requested on disruptive new techs without a fight
12:38 < Emcy> if you can't imagine something better than the way things basically already are with a new coat of paint then why the fuck are you here frankly.....
12:39  * nsh subscribes to Emcy's newsletter
12:39 < petertodd> lol
12:39 < Emcy> yeah i completely missed that last paragraph of that article somehow
12:40 < petertodd> Emcy: heh, the interesting thing is how that paragraph was in there in the first place - nicely transparent
12:40 < petertodd> Emcy: anyway, we're lucky that good solutions appear to exist; hopefully as they are implemented we don't find show-stopping problems
12:42 < Emcy> hopefully he's wrong about mergepurge being in lieu of coinjoin, and people realise they work better together...........but he might be right
12:43 < petertodd> the laws around this stuff are certainly still in flux
12:43 < Emcy> i have a heavy suspicion there are LOTS of people in bitcoin who would betray it utterly to The Man if it means the price keeps going up, which it pretty much will as long as it's not banned or something
12:43 < petertodd> agreed
12:44 < Emcy> right, and if that happens then the uncomfortable conclusion is that every other shitty and irrational thing in the world is the way it is because it has to be, because we suck.
12:45 < Emcy> perhaps that's my projecting though
12:45 < TD> Emcy: it works for bittorrent because basically all IPs that participate in a particular torrent are all doing the same thing (i.e. violating copyright). you can't generalise from that to bitcoin.
12:46 < andytoshi> Emcy: a lot of people here are dimly aware that "bitcoin is decentralized" but simply cannot imagine anything else .. only recently have people started talking about this stuff like it's something normal people should be doing
12:46 < TD> i don't think my article is misleading about coinjoin. it balances other things that were written about it by pointing out some obvious problems.
12:46 < andytoshi> so we'll see an improvement as awareness increases
12:46 < TD> which were not being adequately covered elsewhere
12:47 < petertodd> TD: cj will be soon implemented without centralized servers, so you can correct that, you can also correct the long waits as the plan is to combine users who want txs to go through now with ones who are willing to wait
12:47 < TD> if/when those things happen i would amend the article. however it's not misleading to describe the world as it is now.
12:47 < andytoshi> TD's article also talked about how cj is not a panacea .. i agree, this was not really mentioned elsewhere
12:48 < petertodd> TD: coinjoin isn't implemented now, so talking about a theoretical bad implementation isn't honest
12:48 < TD> somehow you don't believe what genjix or blockchain did is coinjoin?
12:48 < petertodd> TD: note how bc.i's implementation uses techniques to negate most of those concerns
12:49 < petertodd> TD: genjix is a quick prototype. anyway, it's dishonest to talk about what merge avoidance might be unless you are willing to compare it to what coinjoin just as plausibly might be
12:50 < TD> i don't think there was any dishonesty in my article at all, it correctly reflected the issues that exist with implementing both approaches. but i'm tired of arguing about this. you will continue to paint me as dishonest and somehow part of a conspiracy regardless of what i write, because that's what you do.
12:50 < petertodd> TD: if you don't want to be painted as dishonest, then don't write stuff that leads to that conclusion
12:51 < TD> see? i haven't. it's just you.
12:51 < petertodd> TD: this conversation isn't going to be very productive for either of us
12:51 < maaku> TD: genjix and blockchain.info (and andytoshi's) are not the protocol described in gmaxwell's original posting
12:51 < TD> correct
12:52 < petertodd> maaku: yup. more to the point, coinjoin is a whole family of techniques, with different tradeoffs. I'm pushing two-party-mixes because I believe that the tradeoffs are useful, but other approaches (like yours!) have tradeoffs that make more sense in different circumstances.
12:54 < petertodd> TD: anyway, please do work on merge avoidance - as I say above it'll really help make coinjoin more useful
12:55 < TD> lots of other things to do first. like actually get the payment protocol launched and used.
12:58 < petertodd> TD: seems to me that a good first step would be to define an output range in the Output message in the payment protocol: "optional <something> amount_range = 3;"
12:59 < TD> well, you can do some merge avoidance with the v1 protocol as specified
12:59 < Emcy> TD no the point is that you can't link an IP to a person to any sort of acceptable evidentiary standard, for the act of infringement. But it happens anyway.
12:59 < TD> which is no surprise because i designed it that way from the start
12:59 < petertodd> TD: sum of all outputs must == sum of all amounts
12:59 < TD> Emcy: of course you can. Find a torrent that is for a movie. Find all participants in that Torrent. They're all distributing the movie. Open/closed case, right?
10:30 < adam3us> gmaxwell: it's the missing part of my hypothesis that a 1-way peg is already close to plausible for mkt maker to fill the gap, if there is eg some long term chain migration plan.  in this way no migration is necessary.
10:32 < adam3us> gmaxwell: pay per cycle.  yes seems plausible, but may create lumpy work load for nodes.  maybe processing within a given time-frame becomes critical to the semantics of the tx even.  the point of TC would be to use it as a meta-programming language to define new coins and rules.  eg in this kind of system something like p2sh change is just a script with no system code changes.  a script can define a new concept
10:33 < gmaxwell> yea, I'm still not arguing letting validation become expensive is a good idea. :P  Just filling out the idea.
10:34 < adam3us> gmaxwell: but u have to wonder about the safety of that.  btc script is intentionally constrained and even then people were value scared enuf to disable most of it.  general scripts are even disabled right (only certain pre-cooked ones allowed)?  this on the other hand may allow a clever set of scripts to attack each other, and
10:35 < gmaxwell> Implementers currently get script execution all wrong and it's already quite simple.
10:35 < adam3us> gmaxwell: so someone creates a btc/usd call option, and someone else creates another script to do something else or a competing call option and it steals all the money from the other call options.  it's like redcode
10:36 < petertodd> adam3us: I don't think we're ready to have scripts run on their own - creates consensus issues about when a script is supposed to run!
10:38 < adam3us> gmaxwell: even if the interpreter is correct (single implementation = spec satoshi style) i am not sure about the redcode game issue
10:38 < petertodd> redcode game?
10:39 < adam3us> petertodd: never played it but http://en.wikipedia.org/wiki/Core_War
10:39 < petertodd> adam3us: ah! yeah that's a classic
10:39 < adam3us> petertodd: users battle for control of the cpu with hostile code
10:40 < petertodd> Interesting thought: transactions and the blockchain are a way of stringing multiple bits of code together in a DAG.
10:41 < gmaxwell> adam3us: certainly that kind of ecosystem would create greater incentives for reorgs.
10:42 < andytoshi> petertodd: i have thought about making a blockchain-based haskell-like language
10:42 < andytoshi> sadly, i could see no point to it
10:43 < petertodd> andytoshi: I had the similar idea of doing a HSM with merklized forth actually - pretty much the exact opposite direction in terms of implementation complexity
10:45 < andytoshi> hsm == Hierarchical storage management ?
10:45 < gmaxwell> hardware security module
10:46 < andytoshi> gmaxwell: ah, that's what i thought, but i didn't see the connection to merklized forth
10:46 < adam3us1> gmaxwell: but even if (hypothetically) the incentives worked, and the interpreter escape issue was magically solved, and program counter issues avoided... i am still wondering if it's fundamentally unprovably dangerous
10:46 < petertodd> andytoshi: it's more because forth is incredibly simple, so it's more likely you'd actually get the implementation right
10:47 < adam3us1> gmaxwell: see i mean it defines a language for writing bitcoin functions, new script functions, new semantics for value transfer or whatever, it's fully general; but in such an environment would u not be in a core-war / redcode scenario is my point
10:47 < petertodd> andytoshi: yet forth still can do lisp-like tricks by doing data as code
10:48 < andytoshi> petertodd: oh, i see
10:48 < andytoshi> i should've looked up forth instead of hsm :P all i know is 'stack-based language'
10:48 < gmaxwell> adam3us1: I'm not sure if it would be core-war or not. If resource constraints work they'd be fighting the resource constraints not each other. Certainly lots of people would lose money by writing dumb code that can be tricked. "LOL I integer overflowed your transaction and took all your monies!"
10:49 < adam3us1> gmaxwell: it's almost but not quite, like you linked a remote execution of java byte code for fees and feature extension into the bitcoinj - in theory flexible - in practice dangerously generic
10:49 < gmaxwell> and yes, I think it would be very very hard to make safe in a single implementation, and exceptionally hard to safely reimplement.
10:50 < adam3us1> gmaxwell: i mean that one could just take your private key and be done.  but yes exactly, the question is beyond that even competently written script extensions written in a generic jvm bytecode kind of level be systematically safe from any other byte code string that could be later run in the competing ecosystem
10:50 < gmaxwell> This is why I prefer the path of using SNARKs of some kind for more complex scripts.
10:50 < andytoshi> it seems that any instance of 'breaking out of the sandbox' would be a forking scenario, since it'd probably depend on the memory layout of the targets
10:51 < gmaxwell> adam3us1: I mean, right now eligius isn't using a multisignature address for the emergency pool address because they don't know how to go forward on making sure their preferred script formulation is safe.
10:51 < adam3us1> gmaxwell: well snarks just mean that u dont run the code, you run the verifier on the proof the code was run; it's still vulnerable if it is as self-extensible as TC arbitrary vm bytecode level code
10:52 < petertodd> gmaxwell: you mean they don't have the tools to just go make a scriptSig to try spending it?
10:52 < gmaxwell> andytoshi: maybe, overwriting the behavior of one other opcode might be possible just with a constant offset.
10:53 < gmaxwell> petertodd: they want to have a {a and b} or {{a or b} and 2 of 3{c,d,e}} sort of script. They came up with one, but were not completely confident that their coding was flawless (or if unexpected behavior in op_if would let funds get stolen)
10:54 < gmaxwell> adam3us1: at least there is no "code escape" bug in the snark case. Or consensus-critical-implementation-consistency bugs.
10:54 < andytoshi> adam3us1: are you talking about finding bugs in the snark circuit (which is committed to in the preprocessing stage) itself?
10:54 < petertodd> gmaxwell: ah, did they do the "op_if" as "select block of code" style?
10:54 < gmaxwell> only the risk that you write a bad script.
10:54 < adam3us1> gmaxwell: i am thinking it may have even some mathematical provability limits.  if u consider the near infinite (finite because of program counter limit per time-slice) set of computable functions how can you generically prove that there exists no other function that can damage the intended properties of the former extension function when used by anyone.
10:55 < adam3us1> gmaxwell: correct on the code escape and interpretation fork
10:55 < gmaxwell> petertodd: they did two checksigs and accumulator to count how many worked, and if it's not two, they drop into an op_if block that checks the accumulator for one, and runs a check multisig.
10:55 < adam3us1> andytoshi: no i am just saying if each and every user can go wild and create bitcoin script language extensions dynamically how do u know the resulting ecosystem will be safe after each dynamic new feature is added.  it is maybe mathematically undecidable
10:56 < gmaxwell> adam3us1: sure, or "You can steal my coins if you can find the discrete log of 0xdeadbeef"
10:56 < andytoshi> adam3us1: oh, gotcha, still on the redcode scenario
10:57 < petertodd> gmaxwell: right, see I would do that as op_if 2 a b checkmultisig else if a checksigverify else b checksigverify endif 2 c d e 3 checkmultisig endif
10:57 < adam3us1> gmaxwell: but these TC extensions are stateful.  so if there is any rational logic to disabling simple things like XOR script, this is like letting anyone define new opcodes and higher level functions running arbitrary byte code.  how is that safe in comparison
10:58 < petertodd> gmaxwell: spend with sig_a sig_b 1, or with: sig_c sig_d (sig_a or sig_b) 1/0 0
10:58 < petertodd> gmaxwell: no accumulator needed
10:58 < gmaxwell> petertodd: well that form repeats the pubkeys a fair bit.
10:59 < petertodd> gmaxwell: yes, but it's very simple to understand
10:59 < gmaxwell> adam3us1: yea, I can't justify stateful things.
10:59 < gmaxwell> petertodd: but ... we want to both have and eat the cake.
11:00 < petertodd> gmaxwell: let's see if we can successfully eat a muffin without losing tens of thousands of dollars
11:00 < gmaxwell> petertodd: in any case, it's an issue that the ability to safely use fancier scripts is that they're moderately risky.
11:01 < gmaxwell> but (1) my comment was also an existence proof that people are actually smart enough to realize this (2) it's sort of their own problem if they don't.
11:01 < petertodd> gmaxwell: well that's just inherent to doing complex things
11:01 < andytoshi> i thought the rationale for having disabled opcodes is that they could screw with the people running the code (i.e. everyone) to cause either DoS attacks of some form, or worse, forks
11:01 < gmaxwell> (It wasn't me who pointed out that script was risky either, I think)
11:01 < andytoshi> but in case of snarks, everybody is just verifying that a specific (TC-complete) circuit was run
11:02 < gmaxwell> andytoshi: we disabled the op_codes because lshift was exploitable to crash nodes.
11:02 < petertodd> andytoshi: the rationale was "oh shit! let's be super cautious now"
11:02 < gmaxwell> It turns out that some of the other disabled ones had other bugs too.
11:02 < petertodd> andytoshi: lshift could have been fixed, but just disabling was easy
11:02 < petertodd> andytoshi: back then I don't think people fully understood how hard re-enabling them would be
11:03 < adam3us1> gmaxwell: what next. google nacl (sandbox execution of x86 binaries).  activex for bitcoin :)
11:03 < andytoshi> well, i'd hope that we don't have OP_OPENNETWORKPORT ;)
22:32 < gmaxwell> e.g. who cares if you use dollars as your daily spending money. Gold exists and is 'deflationary' (maybe, ignoring your collapse argument)... so if the argument is true why isn't the economy collapsing due to people rapidly converting every free dollar they have to gold?
22:33 < andytoshi> the claim is that once people have their gold, they stop converting anything to anything..
22:33 < andytoshi> which is arguably even sillier
22:36 < gmaxwell> I think a lot of this ultimately stems from the fact that there are inherent unfairnesses and inefficiencies in the whole concept of durable money.
22:36 < gmaxwell> But the notion that money itself is a purely artificial construct and perhaps not perfect in every way, is so far outside of peoples thinking that they get stuck in weird dissonance.
22:38 < gmaxwell> At least in the US our society has placed money in a position of existing as a kind of independent good decoupled from the productivity and happiness of people that we just don't really have the right perspective needed to critically question the behavior and role of money in our society.
22:39 < gmaxwell> In perhaps the same way that societies with slavery seemed to have a generally difficult time reasoning about the practical and ethical implications of it.
22:40 < andytoshi> what is interesting is that if you look at most any society throughout history, they always come up with some sort of currency, and these currencies are so similar that we recognize them today as money
22:40 < andytoshi> perhaps the same is true of slavery
22:41 < andytoshi> it is more than ordinary can't-think-outside-the-box dissonance because this really does seem baked into human thinking
22:42 < andytoshi> the problem of finding a consistent measure of value is universal, and money solves this extremely well ..
22:42 < andytoshi> and then it is represented by some physical good or token, so it naturally assumes a reality of its on
22:42 < andytoshi> own*
22:43 < andytoshi> bitcoin is fascinating because it is not physical and acts in highly non-physical ways, but it still solves the problem that money does
22:44 < gmaxwell> Yea, I don't mean to suggest that we shouldn't have money. Money enables a lot of awesome stuff, but it has a bunch of odd behavior too.
22:45 < gmaxwell> E.g. with durable money you can do things like do one really useful thing, and then never do anything useful again and have society provide for you... in a way which is highly non-linear, e.g. doing N x 1/N useful things is in no way assured to do anywhere near as well for you esp if the GDP is growing.
22:46 < gmaxwell> simply because you can get a bunch of money, and then loan it out to get exponentially more.
22:47 < andytoshi> otoh, when you invest it or lend it out, even though society is supporting you, the wealth they are throwing at you does not act like your wealth
22:48 < andytoshi> so even though you are (unfairly) becoming very wealthy, there is a larger efficiency gain for society
22:48 < andytoshi> in principle, anyway
22:48 < gmaxwell> which is an effect which is _entirely_ decoupled from the whole idea of wanting to be able to do "barter at arms length"... maybe a good effect or a bad effect, but it seems like an inherent effect in money as our societies have envisioned it.
22:48 < andytoshi> this is true, these things are very hard to decouple mentally
22:49 < andytoshi> that, i think, is ordinary human dissonance
22:50 < gmaxwell> yea, I'm not good at it myself, and personally ... perhaps I'm not a great person to question this system because I've benefited from it tremendously, at least if I measure my wellbeing relative to most of the world.
22:51 < andytoshi> mm, myself as well
22:52 < andytoshi> and tbh i think very little about the function of money, despite thinking about bitcoin a lot ... my economic curiosity mostly lies in what happens when machines are able to exchange value
22:52 < andytoshi> suppose we actually had a market with rational actors -- and these actors never needed to sleep or relax
22:53 < andytoshi> the -wizards discussions are fascinating, because maybe they could even be 100% evilly selfish, and even so they could trust each other
22:53 < gmaxwell> yea, well, most of my thinking only really extends to the realization that it's actually more complicated than we take for granted.
22:55 < andytoshi> i think humans avoid a ton of the complexity by relying on biological impulses to trust each other
22:55 < andytoshi> and on the police :)
22:55 < gmaxwell> andytoshi: well, yea, but also somewhat scary too if you go too wizards-wank about it.  Imagine now that you have uploaded minds in computers... then everything you're thinking about also applies to "people" too, at least in theory. Which sounds neat, but then you wonder about the social implications of things like ZK-SNARKS meaning that it could actually be physically impossible to tell a convincing lie, no matter how good the ...
22:55 < gmaxwell> ... justification.
22:57 < andytoshi> wow, i have not considered that ... i need to write some scifi about this, try to explore the social implications
22:58 < andytoshi> (not good scifi, or even anything i'd publish .. just something to organize my own thoughts)
23:00  * andytoshi grabs another beer
23:02 < gmaxwell> the nearest I've seen to touching any of these matters is in the latter half of "Rapture of the Nerds" (Doctorow, Stross both of whom I think are crappy writers, but I enjoy their books) there is a part where the people enter into a bar which is I/O isolated from the rest of the universe, the reason for this is because the bar implements a contracts system where violating the rules is impossible (if you violate the rules the bar ...
23:02 < gmaxwell> ... rewinds state to undo the violation)
23:03 < gmaxwell> most of this stuff hasn't been touched in scifi because the authors just really have no clue it's possible. PCP theorem is still pretty recent and the implications really haven't percolated all that far.
23:05 < andytoshi> i just encountered its philosophy today in 'quantum computing since democritus', i don't have a clear idea of it yet
--- Log closed Mon Dec 30 00:00:39 2013
--- Log opened Mon Dec 30 00:00:39 2013
00:59  * andytoshi-logbot is logging
00:59 < andytoshi> <.<
01:04 < pigeons> there is a book called The Anarchistic Colossus by A E van Vogt where immediate punishment from "Kirlian computers" enables an anarchistic society, perhaps "weak" and ripe for alien invasion...
01:28 < gmaxwell> heh xkcd  "Extremely Strong Goldbach conjecture"
01:31 < BlueMatt> gmaxwell: lol
01:45  * midnightmagic CHEERS for comment about Stross + Doctorow being crappy writers!!
01:45 < midnightmagic> i couldn't even finish the atrocity archives.
01:49 < gmaxwell> they really are, also rudy rucker is a crappy writer too.. but again some neat ideas.
01:51 < midnightmagic> Snow Crash couldn't been a short story. He has these brilliant oases of ideas and diction in the middle of whole empty deserts of shitty prose
01:52 < midnightmagic> *could've
01:56 < midnightmagic> .. which pretty much defines most modern scifi these days.  Oh Stephenson, how your cryptonomicon disappointed.
01:57 < gmaxwell> I'm mostly fine with Neal Stephenson's writing. He's long winded, and well, perhaps I'm not the person you should look to for criticism of that.
01:57 < gmaxwell> it does annoy me that I can't ever recommend his books to most people because they're simply too long.
01:57 < gmaxwell> If you can't read a long (say 80kword) novel in a single sitting then you basically can't enjoy his books.
02:08 < midnightmagic> I read Tommyknockers in basically one sitting.
02:19 < midnightmagic> I gots staying power. Blindsight in one sitting. 50+ chapters of HPMoR in one sitting. Greg Bear's blood music in one. Herbert's Hellstrom's Hive and Dune, Chalker's old Wellworld novels, Four Lords of the Diamond, Stross' Friday ripoff (Saturn's Children I think? I'm trying to forget,) and entire collections of Lovecraft even though it was written at the turn of the century and is clunky.
02:21 < andytoshi> nice -- i've had neuromancer and cryptonomicon sitting on my HD for several years now
02:21 < midnightmagic> Neuromancer was an easy couple hours. Heck I can read comp sci textbooks in one go (makes studying them later easier)
02:22 < andytoshi> i can read textbooks for hours on end, with fun books i always feel like i ought to be doing something useful if i'm gonna stare at text for several hours
02:22 < andytoshi> ...and yet, i have no problem with IRC...
02:22 < midnightmagic> But Snow Crash. Damn. Half that stuff didn't even belong in there. Or Gaiman's American Gods. What the hell man. Thunderbird's super-powerful but the christian deities don't make an appearance?
02:22 < midnightmagic> bah
02:24 < midnightmagic> Nooooo they're making a series out of it
02:33 < nsh> American Gods was pretty consistently good reading for me
03:35 < maaku> andytoshi, money has not taken consistent form over time
03:35 < maaku> that is to say what we call 'money' has been changing in nature time after time throughout human history
03:35 < maaku> with measurable effects
03:38 < gmaxwell> (there was a reason that I qualified my statements with 'durable money', though perhaps that's not the best definition for the effects I was talking about)
03:39 < maaku> yeah you know my bias on that, but even so it's not like historical money can be put in just two categories
03:40 < maaku> it's weird and bizarre how many fundamentally different systems we used for the same function, and retroactively we tend to think what we use now has always been the case
03:43 < gmaxwell> not just always been the case, but is the only kind that can exist.
03:43 < maaku> yeah
03:43 < gmaxwell> which is also somewhat amusing because we currently do use other kinds of money too, we just don't recognize it as such.
18:17 < TD> probably. TPM runs on the LPC bus, traditionally.
18:18 < TD> though you may already have a TPM without knowing?
18:18 < Luke-Jr> I guess I should look at the header..
18:18 < TD> did you actually check?
18:18 < Luke-Jr> yes
18:18 < Luke-Jr> it was on my "list of things I lose in this upgrade"
18:18 < TD> i mean, there might be one integrated into some other chip
18:18 < TD> did you check if the kernel can see one?
18:18 < Luke-Jr> ASRock Z87 Extreme4
18:19 < Luke-Jr> not sure what I'd be looking for there
18:22 < TD> i think on some systems there is a /proc/tpm
18:22 < TD> but i dunno if that's always true
18:22 < TD> it might require a modprobe tpm first
18:22 < TD> not that it really matters if you have a hard disk
18:23 < TD> it's only an issue for people with log-structured file systems or SSDs
18:25 < maaku> TD: so long as it remains computable on consumer hardware, no such thing as overkill
18:25 < Luke-Jr> maaku: but you'll slow down my compiles!
18:25 < Luke-Jr> <.<
18:26 < Luke-Jr> TCSD TDDL ERROR: Could not find a device to open!
18:26 < Luke-Jr> guess I have none
18:29 < Luke-Jr> Newegg has no TPM stuff it seems
18:34 < gmaxwell> ebay.
18:39 < Emcy> pond reads similar to bitmessage
18:42 < maaku> Emcy: similar, but better imho
18:43 < Emcy> that means it's less likely to catch on
18:44 < maaku> Emcy: ? I don't think bitmessage has any significant mindshare to speak of
18:44 < TD> it's not very similar
18:44 < maaku> if anything Pond is probably more well known (outside of bitcoin community)
18:45 < Emcy> just a joke. the good stuff gets passed up for the first thing that sort of works all the time
18:46 < Emcy> http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon decent overview
18:46 < Emcy> "weaponised" is a fair way to put it
19:09 < adam3us> jgarzik said on the zc thread "would rather see automatic mixing and privacy built into every client." you know actually that would be quite a reasonable fungibility fix in the face of coin validation fungibility risks - if it's generally default and non-opt-in feature. then the default reaction of biz will be to reject coin validation or they lose sales
19:11 < Emcy> if it's not ubiquitous then using such measures automatically makes you the target you never wanted to be
19:11 < Emcy> so better that it is
19:17 < warren> I might have set a trap in the Litecoin code months ago that breaks in an obscure way if used with feathercoin's parameters...
19:18 < warren> but they are having trouble getting the ordinary functionality to work
19:18 < Emcy> heh
19:18 < Emcy> what does feathercoin do anyway
19:19 < warren> Emcy: copy > rename > add new logo > pump with lots of videos
19:19 < Emcy> also why dont you play with scrypt until gpu mining is actually infeasible, as claimed at the beginning
19:20 < sipa> i don't think many litecoin users still value that idea
19:20 < warren> or rather, it isn't broken with feathercoin's parameters, just becomes exploitable
19:20 < warren> I might have done this.
19:22 < Emcy> that was litecoin's whole conceit though
19:22 < Emcy> to run on all those shitty semprons in bitcoin mining rigs
19:22 < warren> Emcy: Litecoin - sponsored by AMD
19:23 < Emcy> a-are you joking
19:24 < warren> maybe
19:24 < sipa> after AMD bought ATI, suddenly litecoin became viable on GPUs
19:24 < sipa> it all makes sense!
19:26 < Emcy> shiiiiiiiiiit
19:26 < Emcy> wonder how it goes on those APUs
19:26 < warren> not too well.  relies on memory bandwidth
19:27 < Emcy> so with ddr3 2500 or whatever then
19:27 < warren> might be decent on a PS4, if it were hackable
19:27 < Emcy> that's still well below gddr i suppose
19:32 < Emcy> i wonder what hardware security the new consoles will have
19:32 < Emcy> might make decent miner as you say if someone can break it
19:33 < Emcy> or a nice little PC
19:36 < warren> I was joking earlier, and a lot of this isn't wizards material.
21:52 < Luke-Jr> [00:24:48] <sipa> after AMD bought ATI, suddenly litecoin became viable on GPUs <-- hahahahaa
23:41 < warren> https://bitcointalk.org/index.php?topic=337294
23:41 < warren> anything to edit/add?
--- Log closed Mon Nov 18 00:00:00 2013
--- Log opened Mon Nov 18 00:00:00 2013
--- Day changed Mon Nov 18 2013
00:54 < Luke-Jr> warren: it's not clear that doing just the first item gets some reward
00:55 < Luke-Jr> nor that 2 and/or 3 might be done without 1, in case 1 is impossible
00:55 < Luke-Jr> 3 should probably be split up between writing a fix, and getting it merged
00:55 < Luke-Jr> ie, someone who writes a fix but doesn't have the patience for getting stuff merged should still get something
00:55 < warren> Luke-Jr: devs have power to decide apportionment, so whatever.
00:56 < Luke-Jr> warren: yes, but people might see the list and give up because they don't know how to code
00:56 < Luke-Jr> it should be clear that non-developers can contribute toward 1 for part of the bounty
18:11 < petertodd> so... headers first
18:12 < sipa> i was discussing this with petertodd
18:12 < sipa> and this question came up
18:12 < sipa> what if you know about multiple header chains whose tips are better than what you currently have
18:13 < sipa> perhaps there's this situation: A-B-c, A-B-d-e
18:13 < sipa> eh wait
18:13 < petertodd> no, that's correct
18:13 < sipa> A-B-c and A-d-e-f
18:13 < sipa> and you have A and B, but not c d e f
18:14 < sipa> do you only try to fetch blocks for d e f, or do you also try to fetch c?
18:14 < petertodd> and the same problem *is* present on A-B-c, A-B-d-e
18:15 < sipa> agree, but the case with a reorganization is more revealing probably
18:15 < petertodd> so my scenario was, suppose we have an attacker who is mining blocks, but decided to withhold the actual contents. with headers first you'll find out about the headers, and hence the chain, but I argue you have to try to download all tree tips simultaneously, so that you can advance your fully verified tree so the majority of hashing power can move forward
18:16 < sipa> if the case becomes A-B-c vs A-d-e-f-g-h-i-j-k-l-m
18:16 < sipa> then it's probably easier to see that you should fetch c too, just to keep up with a potentially best chain, while you're fetching the potentially even better one
18:17 < petertodd> right, because d could be invalid, as an example
18:17 < sipa> indeed
18:17 < sipa> though you did already verify PoW, so that is very unlikely
18:17 < petertodd> well... :)
18:18 < petertodd> could be all sorts of crazy economic incentives, for instance if you figured out how to get the other hashing power trying to extend different tips
18:18 < sipa> we shouldn't assume it's valid of course
18:18 < petertodd> main thing is we want an algorithm that's going to get everyone to come to consensus about what fully validated chain tip to continue mining on, regardless of what crazyness is going on with the headers
18:19 < sipa> yup
18:19 < petertodd> like, suppose we had a bug where a block somehow made the networking code crash, leaving a connection in a state of limbo
18:19 < petertodd> plausible with threads for instance
18:20 < petertodd> oh, shit, this makes the blockwithholding strategy even worse you know:
18:21 < petertodd> suppose we have A-B-C-d-e-f-g-h-i, and we have fully verified up to i and are trying to make j
18:21 < petertodd> now, if there's ever any slowdown in block distribution, we could wind up with hashing power split on A-B-C, A-B-C-D, A-B-C-D-E etc.
18:23 < sipa> well the best rational strategy is probably to mine empty blocks on top of the best header chain you know
18:24 < petertodd> yes unfortunately, modulo fees
18:24 < sipa> and never build on blocks when you know there's better header chains
18:24 < sipa> modulo fees indeed
18:24 < petertodd> but that means if someone ever loses a block entirely, we're screwed
18:25 < sipa> ewww
18:25 < petertodd> lovely 'eh?
18:26 < petertodd> also, suppose we have a fork: A-B-c and A-B-d, now bandwidth is split 50:50 downloading c and d, which makes it more likely someone will create block e, which divides the bandwidth again...
18:27 < sipa> well, if block propagation is even comparable in speed to mining speed, there is certainly a problem
18:27 < sipa> headers-first doesn't change that
18:28 < sipa> but the fact that someone could create a header, announce it, and never announce the block... worries me
18:28 < petertodd> not in general no, but in this specific case yes because of how the code would now download blocks simultaneously - that wouldn't happen before
18:28 < petertodd> although, actually, "relay all blocks including orphans" may have this affect
18:28 < petertodd> s/affect/effect/
18:29 < sipa> right, but since you *know* the header structure already, you can make smarter decisions in what to download
18:29 < petertodd> well, but are they actually smarter decisions?
18:29 < sipa> than what?
18:30 < petertodd> than simultaneous - again, thinking about the possibility of attack or network affecting bugs
18:32 < petertodd> for instance, suppose you always tried to download the next block in the longest chain first, and then switch to another block on a timeout, but kept mining in case the next block was invalid - if you found a block, other miners doing the same thing wouldn't build upon it because it wasn't the longest chain
18:34 < petertodd> you could have 90% of the hashing power wasting its time, while 10% is extending a slightly longer chain just by making all your nodes artificially slow down the download of the blocks in your extension
18:47 < warren> http://www.reddit.com/r/Bitcoin/new/  please vote up "Can you fix the LevelDB database corruption bug affecting Bitcoin-Qt on some platforms? 5+ BTC bounty."
18:49 < Emcy> if you guys can find it why do you think anyone else can
18:49 < Emcy> and if they can, why are they not already here
18:49 < theymos> You don't need to be a Bitcoin wizard to find a bug in a database library.
06:47 < jtimon> exactly, you deserve to receive something in exchange for whatever you previously provided to society
06:47 < deantrade> But for as long as you just hold the money, it's like you just did all of that work in exchange for nothing, so the rest of society benefited at your expense
06:47 < jtimon> but why society must allow you to think what you want in exchange for as long as you want with no cost?
06:48 < deantrade> There is no guarantee the money will have the same market purchasing power in the future.
06:48 < deantrade> There is no one forcing anyone to accept some amount of money for anything, it's free trade
06:49 < jtimon> yeah, if many savers hoard, it will have an even greater market value in real terms
06:49 < jtimon> I'm assuming monetary monopoly all along
06:49 < jtimon> for example, a gold standard
06:49 < deantrade> Unless a new form of money is created that has better features, then the old money becomes worthless
06:49 < jtimon> there's some force here
06:50 < deantrade> Monetary monopoly: money monopolies do not last either.  They have lasted long time durations, but not forever.
06:50 < jtimon> with a free monetary market deflation is not that harmful because trade and investment can just occur in other currencies
06:51 < jtimon> with a free monetary market, let's say real capital yields drop to 1%
06:51 < deantrade> I agree, people can just choose to invest in whatever they want.  It would just be fraudulent to create a currency where you say it will have one inflation plan, and then later to do some different plan.
06:51 < jtimon> savers don't lend or invest bitcoins anymore
06:52 < jtimon> it doesn't matter, other savers will be happy to lend their frc at 0% interest
06:52 < deantrade> How was the gold standard forced?  Or do you mean in our current situation there is force?
06:52 < jtimon> in our current situation there is force, yes
06:53 < jtimon> and in the gold standard was the same monopoly
06:53 < jtimon> the legal tender was 1 gold mark or whatever
06:53 < deantrade> Savers' only options right now are [US Treasuries, Stocks, or Land], gold, bitcoins, what else?  (In brackets = in a bubble)
06:53 < jtimon> depending on the country
06:54 < jtimon> real capital
06:54 < deantrade> What did that mean though "legal tender"?  At one time it just meant "You can only call it a dollar if it is this many ounces of gold".
06:54 < jtimon> stocks could be counted as real capital, but I agree they're probably still in bubble prices
06:55 < jtimon> the problem is when you can only trade using thalers, whatever the quantity of silver that defines them
06:55 < deantrade> In a free market where banks/money was not a monopoly, "banks" would not be protected from default (their owners would be held liable to pay up), and banks would offer higher interest rates to money market accounts
06:56 < jtimon> interest rates would not be manipulated
06:56 < deantrade> But in the world as it is now, banks just print money and lend out at way lower interest rates than savers would be willing to accept.
06:56 < deantrade> And then banks offer pretty much 0% interest rate to savers.
06:57 < deantrade> So savers are stuck having to invest in US Treasuries, stocks, land (and gold/bitcoins for the smart ones)
06:57 < jtimon> but I think that with enough mutual credit currencies (usually 0% interest) and demurrage currencies like freicoin interests would tend to zero in a free market
06:58 < jtimon> I agree the current situation sucks
06:58 < jtimon> I believe it will end up just as Gesell predicted: hyperinflation
06:58 < deantrade> This is also Austrian Economist's prediction.
06:58 < jtimon> https://www.community-exchange.org/docs/Gesell/en/neo/part3/13.htm
06:59 < jtimon> Gesell studied Böhm-Bawerk, he has more to do with Menger than with Keynes
07:00 < jtimon> in fact, he's closer to Menger than Mises in certain senses, like rejecting the notion of so called "intrinsic value"
07:00 < deantrade> Factories and farms etc... they don't just exist and produce the same amount of products at the same efficiency no matter the owner.
07:00 < jtimon> a dogma very often widespread among "austrians"
07:00 < deantrade> I reject "intrinsic value".
07:01 < deantrade> Value is only relative to one who acts to attain goals.
07:01 < jtimon> but the market forces the operators of the "inefficient capitals" to change hands
07:02 < jtimon> that's good, unfortunately many goldbugs (and even bitcoiners) don't think like you
07:02 < deantrade> Right... and poor people who prove to be capable of operating them, but don't have the capital to buy them at the moment will look for a loan.
07:02 < jtimon> yes
07:03 < deantrade> And there are many rich people who die, and their children blow the money on drugs etc.
07:03 < jtimon> yes
07:04 < jtimon> there's no need to redistribute wealth from rich to poor, but it's completely necessary to stop redistributing wealth from the poor to the rich
07:04 < deantrade> So productive people live and die.  And when a poor productive person sees that they could vastly improve their life by just loaning some amount of money at some interest rate, then they will take the offer.
07:04 < jtimon> the problem is that some monetary systems impede that interest rate to be zero
07:05 < jtimon> which would represent optimal prosperity: maximum capital accumulation for society
07:06 < jtimon> would be the best position possible for workers (comparatively with capital)
07:07 < jtimon> well, negative interest rates would be "unfair for capital" but they're not natural even with demurrage
07:08 < deantrade> Interest rates should simply be chosen by the market.  Interest rates are chosen by two people who come together with differing resources and contracts to deliver at a later time, and fully mutually voluntary acceptance of the contract.
07:08 < jtimon> interest rates are voluntary and determined by the market with freicoin too
07:09 < jtimon> nobody forces you to dodge the demurrage fee by lending or investing
07:09 < deantrade> I'm not disagreeing with that.  I'm disagreeing with the idea that somehow having a money supply that is decreasing is necessarily bad, particularly when that money is just one competing currency when there are many others to chose from.
07:10 < jtimon> I think it's bad only if it's the only money
07:11 < jtimon> I don't think bitcoin will hurt society with its deflation because it will never be monopoly money
07:11 < jtimon> it just won't be as useful to society as it could be if it had demurrage
07:12 < deantrade> Useful to attain what?
07:12 < jtimon> economic development and prosperity
07:12 < deantrade> Economic development and prosperity of which group of people?
07:14 < jtimon> for everyone that produces and consumes
07:14 < jtimon> the higher the interest rates, the more everyone pays for what he consumes
07:15 < deantrade> Not necessarily.
07:15 < jtimon> the higher the interest rates the lower the percentage of goods prices that comes from worker wages
07:15 < jtimon> name a single consumer good that doesn't include interest in its final selling price
07:17 < jtimon> for some that % is as high as 50%
07:17 < deantrade> When you pay over time with high interest rate, if the money supply is increasing more rapidly than the interest rate, then later when you pay the interest you potentially have to exchange a lower market value than what the money was worth when you agreed to the deal.
07:18 < jtimon> that's why the inflation premium is a component of interest
07:19 < jtimon> sadly inflation indexes are usually manipulated nowadays
07:19 < deantrade> 2% CPI haha
07:20 < deantrade> FRED Monetary Base has been increasing at >30% per year for 5 years now (since 2008 housing financial crisis)
07:20 < jtimon> what I mean is that most people pay far more interest than they receive, even when they haven't borrowed any money
07:20 < wumpus> no matter the economic arguments for it, no one would have bought into bitcoin if it had demurrage; many people were already not taking it seriously for being "virtual", let alone if your holdings magically evaporate over time
07:21 < jtimon> wumpus yes, probably something like bitcoin was destined to be the first crypto
07:21 < wumpus> a future cryptocurrency could do it differently, but bitcoin had to be like this to work
07:21 < jtimon> there was a time when people believed that money couldn't be made of paper, now some people doubt that it can be made of bits
07:21 < wumpus> for example freicoin, had it not included the strange centralized contribution for every mined block
07:22 < jtimon> probably the first p2p currency had to have fully p2p distribution too, no matter how wasteful that is
07:23 < deantrade> Wasteful?
07:23 < jtimon> in terms of real resources, yes
07:23 < jtimon> it's subsidizing security
07:23 < deantrade> How is giving out practically worthless bitcoins (initially worthless) wasteful?
07:24 < wumpus> decentralized systems are by definition less efficient than centralized systems, but compensate for this with added robustness
07:24 < jtimon> no, mining like we're doing now is wasteful
07:24 < jtimon> wumpus, but when the 21 M are issued, fees should provide enough security
07:25 < deantrade> Mining is essential.  Proof of work that you earned the money.  You'd rather the bitcoins were handed out willy nilly like helicopter Ben?
07:25 < wumpus> I have decided for myself that I like the robustness more than the efficiency, but your opinion may vary
07:25 < jtimon> I prefer that they're given to nonprofits you freely decide to donate to like in freicoin, obviously
07:26 < jtimon> http://foundation.freicoin.org/
07:26 < jtimon> by the way, crypto-currencies related projects can be listed too even if they're not legally non-profits
07:27 < deantrade> You say "robustness", as if that doesn't also make it efficient.  Bitcoin is an extremely efficient value storage and value ownership transfer system.
05:53 < HM2> article floating around praising Satoshis choice of the k1 curve over r1
05:53 < HM2> currently top of HN
05:53 < HM2> I thought the parameters to r1 were selected deterministically
05:54 < HM2> oh well
06:06 < sipa> HM2: with a 20-byte seed
06:06 < sipa> making the whole deterministic part quite suspicious :)
06:11 < HM2> You'd think NIST would have revealed the seed in light of recent events
06:16 < sipa> the seed isn't secret
06:16 < sipa> it is just long
06:16 < sipa> meaning it can have been selected by a brute force search for vulnerable parameters
06:17 < HM2> why couldn't they have gone for the classic value of pi
06:19 < sipa> or the string "5" or something
06:21 < HM2> sipa, how's your secp256k1 project coming along?
06:21 < HM2> has it reached peak performance?
06:41 < sipa> haven't worked on it for a while
06:56 < warren> HM2: crazy litecoin users are using it
06:58 < HM2> good good
07:26 < adam3us> HM2: nist probably don't know the real seed, it's probably in an HSM at NSA
07:26 < adam3us> HM2: i think it's basically confirmed that it was backdoored; weren't some of the snowden docs published or seen by schneier and greenwald including the internal project summary bragging of the successful backdooring of the nist process
07:31 < HM2> There hasn't actually been any proof that NIST standards have been backdoored.
07:31 < HM2> I think the NSA presentations made a very strong indication that that was the case
07:32 < HM2> even the EC based RNG that is 'backdoored' is only a 'could be' backdoor (which is enough not to use it)
07:32 < HM2> for all we know the private parameters used to seed that could be lost and not in the hands of the NSA
07:33 < HM2> at least as far as I'm aware
07:33 < HM2> it's hard to keep a aprised of all the revelations concisely.
07:33 < HM2> *apprised
07:34 < HM2> the NSA has no reason to brag about their capabilities though, so it's very likely everything is as feared
07:35 < adam3us> HM2: so basically as i understood it from skimming the news over time, the level of confirmation was that there were internal nsa docs in the snowden trove, that were read as indicating yes ec dbrng was backdoored
07:36 < HM2> no, not exactly. it gave a year
07:36 < adam3us> HM2: and particularly as the design seemed very contrived, and the backdoor potential was identified by ferguson et al at microsoft and published some years back, thats pretty much the end of it
07:36 < HM2> and the EC RNG was released that year
07:37 < adam3us> HM2: how does that confirm or refute the strong indication that could is actually was (backdoored)?
07:37 < HM2> I'm not sure who the target audience for the slides released was
07:37 < HM2> if your target is politicians you might want to brag
07:37 < HM2> if your target is foreign ally agencies maybe you want to brag
07:38 < HM2> maybe not
07:38 < HM2> they were all very vague, sadly not a single specific cryptocapability has been leaked afaik
07:38 < adam3us> HM2: i think it's internal, but there was seemingly lots of internal bragging, as it is about vying for recognition and internal project funding and kudos etc
07:39 < HM2> right
07:39 < adam3us> HM2: snowden made some relatively specific statements about crypto capacities that are lacking - ie public key crypto is good, if no impl mistakes and no hw / sw backdoors
07:40 < adam3us> is this channel logged publicly.. i found a petertodd amazon hosted log fragment; is there a full log searchable?
07:40 < HM2> there was mention of a 'major breakthrough' a few years back that hinted at cracking capability
07:41 < HM2> no idea
07:41 < HM2> you should assume it's all logged and kept in my personal blockchain
07:42 < HM2> in order for me to quickly fake something you said 3 months ago, i'd need a computer the size of jupiter ;)
07:45 < adam3us> is warren hand here the warren togami founder of fedora?
07:45 < adam3us> seems potentially apt that he could start bitcoin staging - the fedora to bitcoin's RHEL/CentOS
07:46 < adam3us> (tho he seems attached to making litecoin work in that role at present)
07:46 < HM2> I don't know. They're all faceless ninjas to me.
07:48 < adam3us> i read some old wired article that mentioned charles lee, and that warren togami had stepped in as lead dev of litecoin... then it occurred to me, hey that probably was warren who was talking about litecoin dev speed and healthy competition to bitcoin pushing changes into bitcoin indirectly yesterday :)
07:49 < adam3us> it'd be easy enough to fork litecoin and put hashcash-sha256^2 and more work but defined method to put in the 1:1 one way peg allowing bitcoin transfer in place of mining
07:50 < jgarzik_> adam3us, yes, warren == warren togami of Fedora.  He and I both worked at Red Hat on Fedora, too.
08:12 < adam3us> erm so patents - has anyone tried to think about a model for preventing/deterring bitcoin related startups from patenting obvious and core things?
08:14 < adam3us> starting to rear its really ugly head unfortunately and i am pissed; people may not know the history but cryptocurrency ecash was littered with mothballed patents stifling products - i personally know a solid biz ecash guy who was blocked from doing something chaum related due to that patent
08:14 < jgarzik_> adam3us, bitcoin is a laggard in this area
08:15 < adam3us> particularly when digicash went bankrupt the VC type investors sold the patents to a random big co infospace that sat on them until they expired
08:15 < jgarzik_> adam3us, coming from Linux, we were really proactive about registering trademarks and patents for open stuff, then donating those to a foundation, preemptively
08:16 < adam3us> jgarzik_: i was thinking the same, maybe bitcoin foundation can do something like the IBM anti-patent abuse pool
08:17 < adam3us> jgarzik: the patent pool could have teeth in that anyone who tries to assert a patent outside of the pool, is denied use of any patent in the pool; but free for everyone else
08:17 < jgarzik_> adam3us, http://www.openinventionnetwork.com gathers patents from many sources, licenses them royalty-free, and can be used for patent defense through Mutually Assured Destruction
08:18 < jgarzik_> MAD: company A and company B cross-license each other's patents.  If a violation occurs, the other party revokes the patents they licensed
08:18 < adam3us> jgarzik: good, ibm mad like approach (microsoft was scared of accidentally tripping on IBM mad which is a good sign that its a good approach)
08:18 < jgarzik_> works with patent pools too
08:18 < jgarzik_> IBM is a fscking patent behemoth
08:19 < jgarzik_> surprisingly they are pretty benevolent in the software patent space, compared to many others, even though they don't have to be
08:19 < adam3us> jgarzik: they also have some kind of MAD scheme going that microsoft were more scared of than GNU
08:19 < adam3us> jgarzik: so whether its bitcoin foundation or the open thing you mentioned, or IBM: my point is there are no bitcoin patents in an open pool
08:20 < adam3us> jgarzik: and the various bitcoin startups are probably right now creating a raft of them to be "defensive" which is actually lethal
08:21 < HM2> it's not really lethal
08:21 < adam3us> jgarzik_: as when some of them start to go under the VCs that care more about money than bitcoin will sell them to the highest bidder
08:21 < HM2> mutually assured destruction generally works quite well
08:21 < adam3us> HM2: viz digicash history and infospace
08:21 < adam3us> HM2: yes but there is no MAD, and bitcoin foundation has no patents
08:22 < jgarzik_> for MAD to work, you have to have patents others want
08:22 < HM2> Isn't the foundation just a benevolent observer/advisor?
08:22 < adam3us> jgarzik_: i think its past time the foundation or someone suggest strongly to all the bitcoin startups that they form a MAD pool, to preclude their patents falling into the wrong hands if they go out of business
08:22 < HM2> It doesn't even own the trademark does it?
08:23 < jgarzik_> yeah TM is an issue too, though I think MagicalTux was working on getting the TM for community benefit
08:23 < adam3us> jgarzik_: bitcoinFOO startup may have a patent for "defensive" reasons, but when it goes under and is sold to a patent troll, it becomes offensive ... good intentions of bitcoinFOO no longer count
08:23 < jgarzik_> adam3us, agreed
08:23 < HM2> the Linux Foundation springs to mind
08:24 < adam3us> jgarzik_: or imagine worse things; US government seizes patents from the foundation as part of a court judgement, and asserts patent to make bitcoin-qt infringing
08:25 < jgarzik_> adam3us, so unlikely it's not worth worrying about
08:25 < adam3us> jgarzik_: patents should be abolished, but until then a bitcoin MAD pool should be created and probably should be held by an international, multi-jurisdictional entity
08:27 < adam3us> jgarzik_: debatable, weak point on my part; main point bitcoin community probably defensively needs a MAD pool in the hands of someone trustworthy and aligned with the community; i can't say more probably but i expect anyone with involvement with a commercial bitcoin entity has seen moves to patent something "defensively"
08:27 < jgarzik_> adam3us, agreed
08:27 < jgarzik_> adam3us, agreed (RE abolished + MAD pool)
08:28 < HM2> I'd worry more about the trademark
08:28 < adam3us> jgarzik_: so me = crypto guy, who could chase that down in foundation terms and make it happen?
08:28 < jgarzik_> adam3us, patrick murck, maybe
08:28 < HM2> someone could just buy it up the TM and just stick the name on whatever centralised currency they wish
08:28 < HM2> buy up the*
08:29 < jgarzik_> adam3us, tell him I pointed you to http://www.openinventionnetwork.com as an example
08:29 < jgarzik_> HM2, well like patent's concept of prior art, there is a way to show TM land grabs by third parties
08:29 < adam3us> jgarzik_: maybe a topic for this xgbtc list - didn't accept the list invite yet
08:29 < HM2> sure
08:29 < jgarzik_> adam3us, never heard of xgbtc
12:51 < jtimon> what fees?
12:51 < jtimon> bitcoin fees?
12:51 < petertodd> remember, ripple is all about optimizing who owes who, but why do you care exactly?
12:51 < jtimon> that's what money is all about
12:52 < jtimon> "bitcoin is about who has what, but why do you care?" I don't understand your point
12:52 < petertodd> what money is about doesn't matter for the end-user, they just want to solve a business problem
12:52 < adam3us> petertodd: freimarket includes real-ripple as a sub-component so freicoins that are IOU based can interop with frecoins that are mined (minus demurrage)
12:53 < jtimon> seriously I don't get your point about not caring
12:53 < jtimon> how would you not care about who owes you and whom you owe?
12:53 < adam3us> petertodd: i think its a logical and self-consistent system, remains to be seen on adoption. some of adoption is first to market, network effects etc.
12:54 < jtimon> petertodd: you don't see any value in a ripple network or in credit in general?
12:54 < petertodd> jtimon: because my *business* problem is "I want to make money, and I can make money if I sell icecream, and if my icecream distributor loans me some stock, I'll pay him back and we'll both make money."
12:54 < adam3us> jtimon: i think petertodd is still on competition & adoption, his q. why would someone prefer freimarket IOU freicoin over btc
12:54 < petertodd> jtimon: The "meaning" of money means absolutely nothing to either party in that transaction.
12:55 < jtimon> petertodd: people don't want money, people want the stuff they buy with it
12:55 < adam3us> jtimon: its also a value store i guess.
12:55 < jtimon> it's not about preferring, you have your wares that by definition you don't want and want to sell
12:55 < petertodd> jtimon: and that's the thing, "I'm an icecream mfg, I need milk, now if you farmers give me some milk, I'll give you some money once I sell my icecream" - that's another business relationship
12:56 < jtimon> exactly
12:56 < jtimon> that can be done with "money" or credit
12:56 < petertodd> jtimon: ripple says "hey! this forms a cool graph when we add the customers into a big decentralized distributed database!" and can make those credit relationships magically collapse when the customer buys the icecream or something
12:57 < jtimon> the important stuff is the icecream and the milk, the rest are just numbers to make that happen
12:57 < petertodd> jtimon: meanwhile the business say "Who cares? Doing it the old way is plenty efficient and the new way requires a bunch of software and buy-in from a zillion parties."
12:57 < jtimon> that's the ideal situation in ripple, try to come back to the b2b stage
12:57 < jtimon> you sell icecream in summer
12:58 < jtimon> I go to you and say "do you accept ourtown's local currency for the ice cream"
12:58 < jtimon> you say "no, I prefer bitcoin"
12:58 < jtimon> "ok, I don't have bitcoin, keep your icecream"
12:59 < jtimon> if you want milk and you can buy it with both local credit currency and bitcoin, why reject any of the two?
12:59 < petertodd> and that's the problem, any real business will say "Why the hell do I care about these local currencies? Let someone else figure out how to convert FooDollars to and from Bitcoin so we can focus on making icecream, our core competency."
13:00 < jtimon> hehe, you remind me of people talking about real businesses and bitcoin a while back...
13:00 < petertodd> You might not be aware of this, but one of the reasons Net 30 day works is because there exist third party credit rating agencies that specialize in figuring out whether or not your counterparty will pay you back.
13:01 < jtimon> the magic of ripple is that you will only ever receive the currencies you accept
13:01 < petertodd> ...and when those agencies aren't good enough, the reason why Net 30 day works is because often suppliers have special insights into their customer's businesses, and thus credit worthiness, that is otherwise really hard to get.
13:01 < jtimon> and the payer doesn't need to bother about conversions either: the system does them
13:01 < jtimon> yes, I'm aware
13:01 < petertodd> jtimon: That's not magic at all.
13:01 < jtimon> no, it's not magic
13:01 < jtimon> it's tech
13:02 < petertodd> jtimon: That's the magic of "I price my icecream in dollars."
13:02 < adam3us> petertodd: well i guess bitcoin doesnt do it
13:02 < petertodd> jtimon: You don't need ripple for that
13:02 < adam3us> petertodd:  bitpay et al let you though, ok
13:02 < jtimon> you can say "I price my icecream in gbp, I accept btc, bristol pounds or gbp"
13:03 < petertodd> adam3us: Exactly! bitpay, and the exchanges they work with, managed to outsource all that highly specialized work related to figuring out how to convert bitcoins to dollars
13:03 < jtimon> I go there with frc and sevillan pumas
13:03 < adam3us> petertodd: probably where a difference comes in is its hard to take out btc denominated loans because its volatile and trending up in price.
13:03 < jtimon> I push "pay 1 gbp to this merchant" the system says "want to pay X frc or Y pumas?
13:04 < jtimon> what's the inconvenience?
13:04 < jtimon> petertodd: a ripple network can do what bitpay does!!
13:04 < petertodd> jtimon: the inconvenience is that you needed this big ripple thing with a zillion credit relationships for it to work, when the alternative is to let some specialist handle it for you
13:05 < jtimon> no, I said the merchant just accepted 3 currencies, that's 3 credit relationships
13:05 < petertodd> jtimon: See, if tx fees to and from sevillan pumas are low, then your customer, or you, can just as easily use that specialist to convert it for you.
13:06 < petertodd> jtimon: That's a *low overhead* solution to the problem that doesn't require much adoption to work. Ripple is the exact opposite.
13:06 < jtimon> but the point of the system is unite the infrastructure of the different currencies NOT TO NEED the specialist
13:06 < jtimon> whatever, I don't think I can convince you
13:06 < petertodd> jtimon: Modern economics has realized over and over again that specialists are excellent solutions to most problems.
13:07 < jtimon> so please, answer my previous question "you don't see much value in a ripple network or in credit in general?"
13:07 < petertodd> I see lots of value in credit, because people use credit all the time. Ripple, not much value at all.
13:07 < jtimon> petertodd, argument of authority fallacy, your authority: "modern economics"
13:08 < jtimon> Ripple = credit
13:08 < petertodd> jtimon: No, ripple is a way to manage credit. There are other ways to manage credit.
13:08 < jtimon> it's just the same thing with a more convenient infrastructure
13:08 < petertodd> jtimon: You think it's more convenient, I don't for a whole host of reasons.
13:09 < jtimon> what's the difference between an international payment and a ripple transaction?
13:09 < jtimon> transitive credit, it's the same thing
13:09 < petertodd> And the biggest problem with Ripple is the value of it is network effect dependent, so if only a small network of people use it it has very little value. That's a enormous bootstrapping problem on top of all the other problems of it.
13:09 < jtimon> you know, banks took all that overhead of trusting each other
13:09 < adam3us> jtimon: if you really lend people money in small amounts, often you don't get it back.  that's my experience.  and lending money to friends & family generally is not a good idea.  when something goes wrong it leads to problems.
13:10 < petertodd> jtimon: yes, and banks are specialists at that task. Ripple is asking everyone to get in the business of doing that, which goes against the tendency in modern economies to specialise.
13:11 < petertodd> adam3us: yup, it's worth noting that Net 30 day credit relationships are declining as businesses become more complex and transactions more convenient.
13:11 < jtimon> I'm saying it won't start with personal credit, but with b2b, local currencies, p2p markets gateways...
13:11 < adam3us> petertodd: i think the notional advantage of ripple.com is that they can cancel out some debts and so reduce the fees
13:11 < jtimon> the small participants can join later
13:11 < petertodd> adam3us: yup, which means it's in competition with every solution that reduces fees... and there are a huge number of ways to do that
13:12 < jtimon> just to be clear, I'm talking about ripple the concept not ripple.com
13:12 < petertodd> jtimon: doesn't work that way, often those small participants are what make the ripple network loops happen that let credit relationships get canceled out - the core thing that ripple does
13:12 < adam3us> petertodd: actually ripple.com is very poorly explained online.  i am not sure if it also has issued values other than iou values mixing on its network.
13:12 < petertodd> adam3us: ripple.com is an abomination and we shall not refer to it again
13:12 < jtimon> the way you trust in ripple.com is very risky for users
13:12 < adam3us> jtimon: yes.  thats why i put ripple.com when i wanted to refer to them
13:12 < jtimon> because it assumes 1 aaaUSD = 1 bbbUSD
13:13 < adam3us> petertodd: hehe the R-word.
13:13 < jtimon> that's not necessarily true in 2PC ripple or freimarkets
13:14 < maaku> jtimon: replacements can be used for microchannel payments (e.g. utility bill)
13:14 < petertodd> See, fidelity bonded banks are an excellent example of something where ripple can work very well, and one of the reasons that works is because the whole point is to keep tx fees low, 1 aaaBTC == 1 bbbBTC, and all the logic about the trust relationships can be handled in software (talking about the ideal fidelity bonded bank stuff here)
13:15 < petertodd> But that's a crazy-specialized example, and the whole concept of fidelity bonded banking is just as likely to get pushed out by other ways of getting low tx fees.
13:15 < jtimon> aaaBTC/bbbBTC should be just a market like any other
18:57 < jtimon> antonopolous was that guy that got himself filmed having dinner, drinking wine and talking about bitcoin in a restaurant?
18:57 < jron> jtimon: yes
18:57 < jtimon> I didn't watch the whole video but that was kind of odd
19:01 < jtimon> does this make any sense? https://bitcointalk.org/index.php?topic=430705.msg4715291#msg4715291
19:01 < jtimon> isn't getBlock template the same thing as GBT ?
19:02 < sipa> yes
19:03 < sipa> i assume it's a typo, but i've no idea for what
19:25 < andytoshi> ;;later tell nsh i did the talk, didn't get to any wizards stuff, it was very boring, sorry
19:25 < gribble> The operation succeeded.
23:10 < tt_away> It's late and I'm tired and going through ProtoShares source code; does PTS only use SHA512 as a hash function?  It mentions sCrypt in the white paper, but I'm not seeing it.
23:10 < tt_away> Also these indentations ahhhhhHHHH
--- Log closed Sat Feb 01 00:00:14 2014
21:10 < warren> https://togami.com/~warren/archive/2013/example-bitcoind-dos-mitigation-via-iptables.txt  (with a limit that is not quite this small)
21:10 < jgarzik> network attacks against bitcoin have best ROI today </standard refrain>
21:10 < nanotube> <gmaxwell> Today you can fill up all connection slots on the bitcoin network with 1 IP. <- i thought current code prevented multiple connection from same subnet ?
21:11 < gmaxwell> nanotube: no, we won't make outbound connections to the same netgroup (/16 for ipv4) but inbound is unrestricted. And it should be since otherwise it would be somewhat hard to connect from some universities and countries.
21:12 < nanotube> hmm
21:12 < gmaxwell> (instead, when we fill up instead of turning away new connections we should see if there is a less attractive old one to punt, e.g. punt the duplicate IPs preferentially)
21:12 < gmaxwell> But we don't right now.
21:12 < nanotube> huh, so we don't even block the same ip from connecting twice?
21:12 < warren> nope
21:12 < jgarzik> code it up and PR it ;p
21:12 < nanotube> at the very least, /that/ seems like a low-cost thing.
21:13 < gmaxwell> nope And if we did, as I said, that would cause some problems.
21:13 < nanotube> no country/university has only one ip :)
21:13 < warren> nanotube: and that isn't a good defense if you think about ipv6
21:13 < gmaxwell> nanotube: actually several countries connect entirely from a single IP.
21:13  * nanotube avoids thinking about ipv6 >_>
21:13 < gmaxwell> E.g. Qatar IIRC.
21:13 < nanotube> but heh the private bloom filters bit is pretty cool.
21:13 < nanotube> heh really? wow.
21:14 < nanotube> so quatar just has one giant country-wide NAT ?
21:14 < gmaxwell> yea.
21:14 < nanotube> lol >_<
21:14 < gmaxwell> Things you learn being a Wikipedia admin. "oops you just blocked Qatar. Again" "Oops you just blocked university of foo. Again."
21:14 < nanotube> well, all of qatar probably has 2 bitcoin users. they'll manage.
21:14 < nanotube> hehe
21:15 < gmaxwell> I accidentally the whole qatar.
21:15 < nanotube> is it deliberate, or were they just not allocated any ips?
21:15 < gmaxwell> In any case, it would be pretty easy to make the node-full behavior turn into kick out some old peer based on some priority thing. I would have done it already but there really is no end to the amount of thinking you can do behind the prioritization scheme.
21:15 < gmaxwell> speaking of that.. I should probably just PR my dont-use-get-my-ip patch, since it seems no one is going to review the idea without a PR...
21:16 < gmaxwell> :P
21:16 < gmaxwell> but first, dinner.
21:16 < gmaxwell> nanotube: I assume it's more or less deliberate.
21:17 < warren> is there one state owned ISP?
21:17 < nanotube> probably
21:18 < gmaxwell> I would assume, I never looked into it. Thats the case in a lot of those places.
21:19 < gmaxwell> not exactly the most important use case, but I'd rather not make the system gratuitously hostile. there are a bunch of reasons why you generally want to allow multiple connects from the same IP. E.g. my local nodes addnode each other.. and if we were limited to 1 they'd get rejected... even from nodes that don't listen on the public internet.
21:20 < warren> local nodes would have RFC1918 addresses?
21:20 < gmaxwell> mine don't. Not everyone is behind n-layers of nat, esp on ipv6.
21:21 < warren> especially with ipv6, limiting per IP probably isn't going to work
21:22 < gmaxwell> In any case, go look in the logs here I described my thinking on this, I think there should be a set of prioritization which protects some nodes from being dropped and then randomly drops based on a score for the rest, the score could include things like being in the same ipv6 /48 as other peers.
21:22 < gmaxwell> (or even the same /32)
21:28 < warren> hm, "BitcoinJ always bootstraps from DNS seeds."
21:30 < jgarzik> indeed
21:31 < jgarzik> bitcoinj-based Bitcoin Wallet does not rotate keys for each transaction
21:31 < jgarzik> bitcoinj-based Bitcoin Wallet does not support P2Sh
21:35 < warren> multibit also appears to not tell you how many peers you have
21:35 < warren> seems rather insecure for the default client on bitcoin.or
21:35 < warren> org
21:40 < gmaxwell> warren: I think multibit only connects to 4 too, but I also thought that about android wallet and sipa demonstrated otherwise.
21:41 < gmaxwell> IIRC bitcoinj also only queries a single dns seed at random. e.g. instead of doing something like taking one peer from each round robin. (though not like its hard for a network attacker to intercept DNS)
21:42 < gmaxwell> I dunno if you saw the last round of Snowden papers but it looks like the NSA has a DNS race interception infrastructure.. e.g. use passive taps to see dns queries and then respond faster.
21:42 < warren> wouldn't you see two responses if you were the victim of that?
21:42 < gmaxwell> sure, but you take the first one.
21:42 < warren> and nobody is watching for the second
21:43 < gmaxwell> (I have a friend that runs a really big DNS GSLB infrastructure that works that way too: you query for their domain, they forward the query to all their clusters, and then when the NTP clock strikes the next 100ms interval they all respond at the same time)
21:43 < jgarzik> interesting
21:44 < jgarzik> I know ISC does a lot of anycast
21:44 < jgarzik> anycast works much better for UDP than TCP ;p
21:44 < gmaxwell> hehe indeed.
21:45 < jgarzik> For at least a decade, F root was the most distributed DNS setup by 10x, IIRC
21:46 < jgarzik> At least one other root went distributed years ago, hopefully the others have followed by now
21:46 < jgarzik> Google's new database consensus/sync stuff relies on accurate clocks
21:47 < jgarzik> as 'time' is fundamentally distributed and (in theory) always synchronized
21:47 < jgarzik> relying on that become then an expensive hardware problem of "getting the right time, always"
21:47 < jgarzik> *becomes
--- Log closed Sun Oct 13 00:00:05 2013
--- Log opened Sun Oct 13 00:00:05 2013
01:27 < warren> who is the primary person behind pull tester?
02:25 < sipa> warren: bluematt
07:13 < gmaxwell> petertodd: I just thought up another storage hard function. This one is super simple.
07:14 < gmaxwell> Say you have a tree structured pseudorandom function: e.g. H(seed) = {Left half, Right half} ... H(Left half) = {Left half, Right half} and so on so a single seed can expand to a ginormous tree.
07:14 < gmaxwell> Server gives the client a random seed and the tree size.  The client goes and computes the leaves of the tree and stores the results.
07:15 < gmaxwell> Then the server can challenge the client:  The server randomly picks a leaf, evaluates it itself.. and says to the client "tell me what the index is for the leaf with value X"
07:16 < gmaxwell> the only efficient way for the client to answer would be to have computed a hashtable over the results... otherwise it has to recompute the whole tree.
07:35 < gmaxwell> yippie.
07:43 < gmaxwell> unrelayed: http://cryptome.org/2013/10/homo-crypto-sym.pdf  claims fully homomorphic encryption with much better performance and only linear plaintext expansion. (factor of 16)
13:19 < amiller> i sort of have a wrench in the works as far as consensus theory goes
13:19 < amiller> i normally say something like 'every valid transaction is eventually included'
13:19 < amiller> but 'valid' is a moving target and can change, for example in a double spend when one transaction invalidates another
13:20 < amiller> suppose there were an opcode that let you refer to the current blocks' transaction height
13:20 < amiller> and you could make a transaction that was only valid every 1000th block
13:20 < amiller> would that transaction be guaranteed to get committed eventually?
13:21 < amiller> this is basically about whether a sub-50% attacker can consistently snipe a particular block as long as it's not too often
13:21 < sipa> well the script system is designed such that a transaction that is once valid, is never invalidated (except for double spending)
13:21 < amiller> well with multisigs the doublespend might not be in your control
13:21 < sipa> it is never in your control
13:21 < amiller> also this is specifically about a hypothetical new opcode
13:22 < amiller> it's in your control if you kept your private key private and don't do it
13:22 < sipa> one of your predecessors may double-spend
13:22 < amiller> good point
13:22 < amiller> hm
13:22 < sipa> it's why software doesn't allow you to spend without confirmations
13:23 < sipa> because it's not enough to trust coins you receive; you must also trust that they're unlikely to be reverted by the senders of the senders
13:24 < amiller> there's other related things like sd_lerner's suggestion to have 'invalid after <date>' opposite of locktime
13:26 < sipa> it does mean a receiver needs to track recent (all?) history of its inputs, to judge how likely they are to become permanently unspendable
13:27 < sipa> as a reorg of a transaction right at the border is very risky
13:27 < amiller> if it's safe to wait 6 blocks anyway, then that's enough
13:28 < amiller> like if you wait long enough that the last guy can't revert it, then no one before can either
13:28 < sipa> true
13:28 < amiller> but still my question is about the other direction
13:29 < amiller> how quickly can you get a tx in a block
13:29 < sipa> i wouldn't say it's always guaranteed that you can
13:29 < sipa> it depends on economic factors
13:29 < amiller> if someone wants to prevent you from getting a tx in even 1/1000 blocks, can they?
13:30 < sipa> assuming miners are greedy/rational and choose transactions with the highest fee/byte ratio
13:31 < sipa> all that's needed is someone constantly creating transactions with higher fee than yours
15:29 < HM3> or they could take your family hostage and threaten to beat them if you make said transaction.
16:39 < nanotube> or put a bounty of 80kUSD on the head of any miner who mines it into a block. >_>
09:31 < azariah4> adam3us1: hmm, did you see the op (59) EXTRO in the current version of the paper?
09:32 < adam3us1> azariah4: ethereum paper? no.  i did describe the extrospection viral goo risk to vitalik tho :)
09:33 < azariah4> ah yes, now I reached your post in the thread talking about it :)
09:33 < adam3us1> azariah4: maaku_ was discussing it for freimarket too and he figured he could somewhat contain it by disabling extrospect on basic coins (non contract)
09:35 < azariah4> well, even if one could prove the language itself has no extrospection, the fact that it has a form of persistent storage could be a issue in practice
09:36 < azariah4> e.g. one specific impl of a ethereum node has overflow/bounds bug in its impl, enabling a script to read outside its defined persistent storage
09:36 < adam3us1> azariah4: it seems interesting to me however to look at contracts you can build by composing dependent and hash-locked non-extrospection bitcoin scripts or other composing methods. while it seems at first laborious to not be able to express these in a single contract, so long as it's functionally equivalent and all the interesting useful things can be built, without adding extrospection i think that can be enough, and suspect it might be a des
09:37 < adam3us1> azariah4: yes.  i think they have sparse storage tho.  maybe the address space was like 2^128 or something vast if i recall
09:39 < azariah4> yepp [0 ... 2^256-1] for both temp and persistent storage
09:40 < azariah4> hopefully they can post some updates about these risks before their fundraiser starts in a week
10:11 < Ursium> azariah4: i'm not sure there's anyone from the core dev team on this channel (i could be wrong) - is that something you could raise on forum.ethereum.org?
10:14 < azariah4> I could, but I need to read more about it first to properly understand it :>
10:57 < adam3us1> azariah4: didn't they already write about security risk somewhere?  vitalik wrote an article on bitcoinmagazine recently also (didn't read it all yet)
13:26 < maaku_> azariah4: the scripting language would have to be perfectly sandboxed, yes
13:27 < maaku_> but we are talking about a language that could be as small as a dozen or so opcodes, 2-3 types, and an implementation measured in the hundreds of lines of C++ code
13:28 < maaku_> these can be made safe. it could even be proven safe, if you have the resources to do so
13:29 < maaku_> well, i'm talking about my language here, not ethereum's
13:29 < TD> maaku_: there were exploits in bitcoin script even though that's tiny. so ..... this stuff is hard :)
13:30 < maaku_> TD: bitcoin's scripting language is more complex than a minimal Turing complete language
13:30 < maaku_> and was not given appropriate care and attention
13:37 < maaku_> what i'm saying is there's nothing magical about writing a scripting interpreter that makes it dangerous in itself
13:38 < maaku_> compared to say, the network stack, which is quite a bit larger and also has to be free of remote exploits
14:23 < gmaxwell> maaku_: sure there is, the script interpreter is protocol normative in a way the net code isn't. It doesn't just have to be free of "remote exploits" it has to be free of consistency failures. So that adds a number of additional constraints and makes fixing it hard.
14:24 < gmaxwell> maaku_: and of course all that "just a couple hundred lines of code" stuff fails if you then need to make it fast and implementers find that they're practically required to employ a JIT compiler for it.
14:27 < TD> the world has a poor track record when it comes to sandboxing malicious code
--- Log closed Mon Jan 27 00:00:02 2014
--- Log opened Mon Jan 27 00:00:02 2014
05:07 < _ingsoc> :/
05:31 < grazs> a what
08:18 < warren> http://www.identitymind.com/company/partners/  "There are about 10 Billion devices in the world that are connected to the Internet and BlueCava aims to identify all of them."
08:18 < warren> frightening
08:20 < brisque> wonder what they're using to distinguish devices. surely most embedded linux devices all have the same public fingerprint, there's barely anything to distinguish them.
08:21 < warren> more bitcoin devices than humans in the world
08:22 < nsh> s#bitcoin#tcp/ip#
08:23 < TD> i am skeptical about the 10 billion figure
08:24 < TD> having worked in the field myself i am a lot MORE skeptical about identifying all of them being a remotely realistic goal
08:26 < brisque> their goal seems to be attempting to correlate users between devices. matching one browser fingerprint with another, rather than trying to uniquely identify devices.
08:28 < TD> yes of course
08:28 < TD> it's still rather hard
08:29 < TD> well, assuming you "play the game" normally of course
08:30 < brisque> I doubt any of these companies do. if google is using browser bugs to track Safari devices against their cookie settings, you can be pretty sure these companies are going even dirtier.
08:31 < TD> ah, well you don't know the story of that bug.
08:31 < TD> there is a long explanation of it here: http://lauren.vortex.com/archive/000937.html
08:31 < TD> tl;dr that was actually a bug in safari and google got the blame for it. nice, huh
08:32 < TD> by "play the game" i meant, try and do it all in the browser. if i had a really compelling product to sell for credit cards i'd ask the user to download and run a native app
08:33 < TD> you can get a lot more scammers that way, of course
08:34 < brisque> TD: that's interesting, i heard the noise around the time but the followup must not have had quite the journalistic merit.
08:35 < TD> the "story" was revealed by the wall street journal at a time when Murdoch was giving speeches about how Google was destroying the newspaper business and it'd be saved by the iPad
08:36 < TD> and it went downhill from there
08:37 < brisque> that bluecarva.com thing seems reasonably standard. it does the usual, user agent, plugin version, installed fonts, all the normal fingerprinting stuff. attempts to put cookies and localstorage cookies everywhere, and that's about the end of it.
08:38 < brisque> comes with a big scary warning about how the source they're presenting is confidential and secret, but that's about the end of it.
08:39 < TD> yeah that's typical
08:39 < TD> of course carders know about all of that
08:39 < brisque> coinbase uses all of those too, interestingly enough.
08:44 < brisque> looks like bluecarva tries to use clock skew as a fingerprint too, that's one I hadn't thought of before.
09:16 < aksyn> you can probably fingerprint a browser version based on rendering time of certain DOM elements
09:17 < aksyn> and yeh, shotgun crap into cookies, localstorage, flash cookies etc. to identify users
09:18 < aksyn> market seems busy for a monday night
09:18 < aksyn> on huobi at least
11:57 < tacotime_> http://www.businessinsider.com/report-ceo-of-major-bitcoin-exchange-arrested-2014-1
11:57 < tacotime_> whoops
12:00 < grazs> but he looks so honest
12:01 < tacotime_> Popped on those charges for just a mil too, sucks.
12:02 < gmaxwell> Guess the folks who were hoping to get coins back from him, http://bitinstant.info/ are out of luck.
12:14 < sipa> gmaxwell: get coins back?
12:18 < gmaxwell> sipa: right before bitinstant shut down apparently they bought BTC from a number of parties and never paid. see the link.
12:23 < sipa> ewww
12:26 < pigeons> SHREM is also charged with one count of willful failure to file a suspicious activity report, which carries a maximum sentence of five years in prison.
12:27 < sipa> and the site is gone
12:28 < tacotime_> I'm guessing maybe they dug up the silk road stuff after getting subpoenas/warrants related to fraud.
12:33 < phantomcircuit> tacotime_, yeah or you know they're reading all of the silkroad message system messages
12:33 < phantomcircuit> im thinking that one
12:33 < _ingsoc> Highly unlikely they'd arrest someone high profile without a solid case that'll probably end up in a successful prosecution.
12:34 < krl> having messages in cleartext on a site like that...
12:36 < tacotime_> krl: You really think someone would do that?  Just go on illegal marketplace sites on the internet and use cleartext to communicate? :yaranaika face:
12:36 < home_jg> TorMail data was also seized in its entirety
12:36 < home_jg> as part of the Freedom Hosting takedown
12:36 < krl> people will unless you force them not to
12:37 < home_jg> as _ingsoc implied, arrests at the federal level are not usually made unless they are convinced they have a strong case.
12:38 < home_jg> successful prosecution rate is > 90%. They also overcharge, hoping to negotiate down to a guilty plea that sticks
12:39 < home_jg> will make the NY hearing _very_ interesting.  It appears that was the intention (just my supposition...)
12:40 < sipa> what hearing?
12:41 < tacotime_> http://www.coindesk.com/charlie-shrem-to-banks-we-want-to-work-with-you/
12:41 < tacotime_> I guess maybe he should have been working with Swiss banks.
12:41 < home_jg> sipa, https://twitter.com/BenLawsky/status/426431501115211776 etc.
12:41 < home_jg> NYDFS is holding hearings, similar to the US senate hearings.
12:42 < home_jg> Lawsky is the "you should have BitLicenses" guy at NY-DFS
12:42 < sipa> New York... depth first search?
12:42 < home_jg> Dept Financial Services
12:42 < home_jg> NY regulator of money transmitters
12:42 < sipa> got it
12:43 < home_jg> I think these hearings will be much more harsh than the US Senate hearings
12:55 < gmaxwell> home_jg: well the 90% conviction rate is in part because damn near everyone pleads guilty because it's so stacked against you.
13:10 < michagogo|cloud> Um
13:10 < michagogo|cloud> Did bitinstant market to SR users or something?
13:11 < pigeons> not like the charge would imply
13:49 < TD> michagogo|cloud: read the criminal complaint
13:49 < TD> michagogo|cloud: the dude is almost certainly going to spend a long time behind bars
19:42 < jtimon> but with prefixes, can't you just ask for more info than you need?
19:42 < petertodd> jtimon: that's the whole point of prefixes!
19:43 < jtimon> I know, more bandwidth
19:43 < petertodd> jtimon: gah, have you read that paper of mine?
19:43 < jtimon> my point is I don't see the bad side, with prefixes you can have the best privacy of them all at the cost of bandwidth
19:44 < petertodd> jtimon: ah, well, that's why I'm pushing the idea :) sounds like we're in agreement
19:44 < jtimon> sorry, no
19:44 < petertodd> jtimon: you should, because everyone loves debating this without actually reading the damn thing and why I think it's worth making these tradeoffs
19:44 < petertodd> jtimon: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03612.html
19:45 < petertodd> I mean, hell, it's paragraph three where I outline that my threat model is an attacker controlling a reasonable number of the nodes your SPV client is going to connect to... which is a *very* reasonable attack model.
19:46 < petertodd> Again, saying this because I've actually done this personally by throwing some cash at Amazon EC2
19:46 < jtimon> yes, I don't understand adam's objections, yet I don't know what's the alternative, but yes, as said earlier to adam you shouldn't bother much explaining this to me because I haven't read stealth addresses yet, really my fault for trying to follow again, sorry
19:46 < petertodd> jtimon: thanks
19:47 < CodeShark> jtimon: there's so much stuff going on in this space right now you'd be excused for not reading absolutely everything :)
19:47 < adam3us> petertodd: btw backing up a bit time-lock and stego, i dont think consensus is affected by unavailability of the key, and the key can be encrypted for the recipient and stored in the block chain
19:47 < petertodd> adam3us: no, the recipient is the public
19:47 < adam3us> petertodd: so then it's a simple matter: if people do not reveal the key, they can't respend
19:47 < petertodd> adam3us: that's got nothing to do with it
19:48 < CodeShark> the recipient's key is already a hash of a pubkey
19:48 < adam3us> petertodd: yes for your other use case.  but then make it available from all nodes (its validatable against the ciphertext)
19:48 < petertodd> adam3us: the problem is that miners who know a tx is part of some consensus scheme may want to censor the tx and not mine it, yet the tx data *must* be guaranteed to be made public to everyone for a consensus scheme to work, thus, use timelock to force miners to either delay *all* transactions, or give up trying to censor
19:48 < jtimon> CodeShark yes, that's why I was "passing on stealth addresses for now", as a filter, but then I shouldn't try to follow the discussions about it intervening in them
19:49 < petertodd> adam3us: there is no way to prove publication unless you can guarantee that the data can be decrypted
19:50 < CodeShark> whether or not keys are encrypted has no effect on privacy as long as the keys (encrypted or not) can be associated with a wallet
19:50 < adam3us> petertodd: i guess you are assuming a network where 90% of miners and nodes hate msc spam and want to kill it ;) so then you cant rely even on relaying and it maybe difficult to find a node with the key?
19:50 < petertodd> adam3us: consider a key:value(s) consensus system: if it's just encrypted, I could hold onto the key, then release it after the fact, changing the consensus suddenly
19:51 < petertodd> adam3us: that's the whole fucking point of it: how to make an embedded consensus system that's uncensorable unless miners implement whitelists
19:51 < petertodd> adam3us: of course I'm assuming that - if I wasn't it wouldn't be much of a result
19:52 < petertodd> adam3us: I mean, hell we've got an existence proof that if only some miners hate you you can still get your tx's mined...
19:53 < adam3us> petertodd: ok then; it's a bit slow tho, time-lock.  maybe you can find a subnet of msc-relaying nodes
19:54 < petertodd> adam3us: well sure, but that's not unlike making the block time longer - perfectly acceptable for a lot of applications
19:55 < petertodd> adam3us: I'm not claiming mastercoin should go and implement it right now - I'm pointing out that they could
19:56 < adam3us> petertodd: yep.  i have some more stego end-game ideas.  still holding them back :)
19:56 < adam3us> petertodd: meaning i dont disagree the steganographer wins. in the end game
19:57 < petertodd> adam3us: meh, do everyone some good and just publish them so people stop making shitty assumptions about scalability
19:58 < adam3us> petertodd: they are not so interesting, just silly things you could do if you had to (if bandwidth was no obstacle).  you probably already thought of them.
19:59 < petertodd> adam3us: ah, well if they're less efficient don't bother
20:00 < petertodd> adam3us: anyway, the interesting thing is how to make crypto-currencies where utxo bloat and so on doesn't matter, and I think we're close to solving that pretty thoroughly
20:00 < adam3us> petertodd: can't u get consensus by time-stamping and using a separate msc-only network for the data?
20:00 < petertodd> adam3us: consensus isn't just time-stamping
20:01 < petertodd> adam3us: proof-of-publication matters, and it's really not trivial
20:01 < petertodd> adam3us: heck, maybe there is no general solution to it
20:01 < adam3us> petertodd: well i mean if you tolerate jamming.  just have nodes stop if they cant obtain a full explanation of the time-stamp merkle tree.
20:02 < petertodd> adam3us: the point of proof-of-publication is to tolerate jamming you know...
20:03 < adam3us> petertodd: hmm so you want to send the (time-lock) encrypted msg in the chain because then it's atomically delivered so either you get it or you dont.
20:03 < petertodd> adam3us: frankly I think many in the bitcoin community are letting their desire to keep data out of the chain blind them to how fucking hard it is to make these things secure
20:03 < adam3us> petertodd: stego wins.  i know it :)
20:04 < adam3us> petertodd: even if you have to use like morse code in the lsbit!
20:04 < petertodd> adam3us: it's not about "stego winning" - it's that people keep pushing MM and similar schemes not because it's better for the consensus system in question, but because it's better for bitcoin
20:05 < petertodd> adam3us: and whenever those consensus schemes take that advice, we bitcoin devs fool ourselves
20:05 < adam3us> petertodd: oh diff meaning.  ok well given the scalability limitations, absent a robust scalability fix, as you said sharding seems better.  so a MM chain is a crude form of sharding.  if security is important buy some kncminers to tip the balance.  or work on educating users to not use big pools etc.
20:05 < petertodd> adam3us: and you know, unless you honestly look at the incentives and attacks possible, you're not going to come up with MM schemes that *actually* work
20:06 < adam3us> petertodd: sure.
20:06 < petertodd> "educating users" fuck off
20:06 < petertodd> we've got a system where you *earn more money* mining at a big pool
20:06 < petertodd> that's fundamental to how bitcoin works and isn't going to change
20:06 < adam3us> petertodd: there are other ways to "educate" users you know.  that may require tor for the educators safety...
20:07 < petertodd> adam3us: all solutions that don't help *decentralized consensus systems*
20:07 < adam3us> petertodd: i wonder if any of them are selfish mining
20:07 < maaku_> petertodd: currently, you earn more money mining p2pool...
20:07 < petertodd> maaku_: not if you take your time into account for many miners...
20:07 < adam3us> maaku_: yes.  this is very puzzling to me.
20:07 < adam3us> petertodd: but its just as easy to pick p2pool from the list
20:08 < maaku_> adam3us: you don't pick p2pool from a list, you run a local daemon
20:08 < petertodd> maaku_: like it or not we probably have to get to the point where pools *can't* exist, and simultaneously fix scalability
20:08 < maaku_> but i've found it to be very stable at least
20:09 < adam3us> maaku_: i thought one of the miners i tried seemed to support p2pool out of the box (if it ran a daemon itself maybe)
20:09 < maaku_> petertodd: i like getting rid of pools. i don't like the negative side effects i've seen come attached to such proposals
20:09 < petertodd> adam3us: did you have a full node? if not you weren't using p2pool
20:09 < adam3us> petertodd: i did yes
20:09 < petertodd> maaku_: meh, just means you have to keep working on the proposals
20:09 < maaku_> adam3us: that'd be great if it does, but it probably just connected to a public p2pool node
20:10 < maaku_> which is really no different than a centralized pool as far as this conversation is concerned
20:10 < petertodd> maaku_: don't think I'm saying I have a perfect solution yet, I'm just saying we're incredibly naive in this community thinking stuff like p2pool is much of a fix
20:10 < petertodd> heh, heck, adam not knowing exactly what his hashing power was doing is a great example of why this is hard...
20:10 < adam3us> warren: maybe in your p2pool fixing budget you could try get a shiny nice UX GPU / ASIC scrypt/hashcash miner that bundles p2pool and makes it the default
20:11 < petertodd> adam3us: meh, that shiny p2pool bundle is an easy thing that people are already working on for free
20:11 < warren> adam3us: p2pool requires high CPU and disk i/o performance to be efficient =(
20:11 < adam3us> petertodd: i think the UX might be the key though.  if someone's doing it for free, fine
20:12 < maaku_> warren adam3us: really all you need to do is bundle up a py2exe virtual environment for p2pool with gitian builds of bitcoind and bfgminer
20:12 < petertodd> warren: I set my p2pool node to mine very small blocks for that reason
20:12 < maaku_> let bfgminer --p2pool set up the services
20:12 < petertodd> warren: I think it's set to like 0.01BTC/KB fee or something
22:24 < andytoshi> yeah, but it's easy to get an endorsement in academia
22:25 < andytoshi> also if you had an account before they started doing endorsements
22:25 < andytoshi> i think you're free
22:25 < Mike_B> http://arxiv.org/find/cs/1/au:+Yakhontov_S/0/1/0/all/0/1
22:25 < Mike_B> heh
22:25 < Mike_B> his first paper was some other random thing
22:26 < Mike_B> he probably was like "can you endorse me for this algorithms paper?" and the guy was like "sure"
22:26 < Mike_B> second paper after that: "P = NP"
22:26 < Mike_B> i'd be pissed if i was the endorser
22:28 < andytoshi> lol yeah, i'd be annoyed
22:28 < andytoshi> tbh i'd probably never bother to find out :P
22:39 < gmaxwell> we find out later it was just created as an effort to manipulate bitcoin prices.
22:40 < gmaxwell> Mike_B: meh, give him an easy one, ask for an md5 second preimage of the all zeros md5sum.
22:41 < Mike_B> ha
22:44 < Mike_B> i wonder how security would change if you replaced the usual 10m blockchain confirm with the following process
22:45 < Mike_B> 1) set difficulty so that each miner can solve the problem in (some shorter amount of time, like 10s)
22:45 < Mike_B> 2) wait for N miners to have declared a solution
22:46 < Mike_B> (assuming N is large)
22:46 < gmaxwell> not progress free.
22:46 < Mike_B> 3) have those miners come to consensus
22:46 < Mike_B> "progress free"?
22:46 < gmaxwell> A large miner has an unfair advantage.
22:46 < gmaxwell> He will mine with his large hashpower, claiming to be M small miners.
22:47 < Mike_B> right but is that just the same 51% vulnerability?
22:47 < gmaxwell> and his partial results for himself, and then come to consensus with himself, and by keeping his partial results to himself he gets a superlinear speedup.
22:47 < gmaxwell> At the extreme the fastest miner always wins.
22:47 < gmaxwell> no it's not.
22:49 < Mike_B> so say you have an expected solving time of s, and you need N miners for a quorum, so that s*N = 10 minutes
22:49 < gmaxwell> imagine the extreme version where every hash is a winner. I am 4gh/s you are 3gh/s.  Target is 40giga-shares to solve a block. How many blocks will you solve?
22:50 < Mike_B> what do you mean by "giga-shares?"
22:50 < gmaxwell> hashes.
22:51 < Mike_B> if every hash is a winner, doesn't that mean the target is 1 hash to solve a block?
22:51 < gmaxwell> I mean every hash meets your lower criteria.
22:51 < gmaxwell> I'm using an extreme example where the ratio of the lower criteria to the block criteria is very large.
22:51 < gmaxwell> In those cases mining becomes a race and the fastest miner ~always wins.
22:52 < gmaxwell> it's true when the ratio isn't large, but the advantage is somewhat less.
22:53 < gmaxwell> The method you're describing (breaking up the hashcash into N smaller hashcashes) is suggested in some hashcash papers to reduce variance, but it has the property that it's not progress free, which is why we don't use it.
22:53 < Mike_B> don't understand what you mean by "lower criteria" and "block criteria"
22:53 < gmaxwell> lower criteria is your "solving criteria"
22:54 < gmaxwell> Mike_B: in your own language set N to a large value like a billion.
22:55 < Mike_B> ok, and now what
22:55 < Mike_B> N is a billion, s is tiny, N*s = 10m
22:57 < gmaxwell> now you have some miners and one a good amount faster than the others. instead of sharing his partial solutions he hoards them (or at least hoards them unless he learns of someone else having too many of them).
22:59 < Mike_B> ok
23:05 < Mike_B> gmaxwell: i still don't see the issue, sorry
23:05 < Mike_B> you're talking about a case where a miner has a plurality of hashpower but not a majority?
23:07 < gwillen> Mike_B: I haven't fully understood the issue, but consider that in _any_ scheme here where you have a threshold of "N miners" that can do something by consensus, there's something wrong
23:07 < gwillen> Mike_B: because one miner can always claim to be N miners for any value of N
23:07 < gwillen> so either the threshold is not necessary, or it's broken
23:08 < gwillen> I don't know which is the case here
23:10 < Mike_B> gwillen: i mean N verified proofs of work
23:10 < Mike_B> could be the same miner more than once
23:11 < gwillen> okay, N distinct proofs of work, that defeats my objection
23:11 < gwillen> I don't understand gmaxwell's well enough to know what it does to his
23:12 < gwillen> oh, I think I see
23:12 < gwillen> when it's a single share you need, everybody has a chance proportional to their hashpower, but it's high variance
23:13 < gwillen> if you need N smaller shares, you reduce the variance, but you also reduce the chance of people with low hashpower and increase the chance of people with high hashpower
23:13 < gwillen> if you need 1 share that takes a million seconds on average, winning is proportional to hashpower
23:14 < gwillen> if you need a million shares that take 1 second on average, the guy with the most hashpower will win every time
23:14 < gwillen> (if I'm thinking about this right)
23:14 < gmaxwell> Thats what I'm arguing, yes.
23:14 < gwillen> ok.
23:14 < gmaxwell> It's not progress free. As you find shares you're making progress.
23:14 < gwillen> oh, interesting
23:14 < gwillen> progress-freedom makes it a poisson process
23:15 < gwillen> and only a poisson process has the right statistics for winning to be proportionate to hashpower
23:15 < Mike_B> gmaxwell, can you link me to a paper that describes this
23:17 < Mike_B> if you're saying one exists, anyway
23:18 < Mike_B> gwillen: what i'm trying to figure out is what the analogue of the 51% vulnerability is as N changes
23:18 < gmaxwell> I thought there was, but I'm not finding it at the moment, I'll look more after dinner. :)
23:18 < gwillen> Mike_B: as I understand it, you could indeed compute an analogous percentage as a function of N
23:18 < gwillen> but I don't know how off the top of my head
23:19 < Mike_B> gmaxwell: alright, well i'd much appreciate it if you do find anything
23:19 < gwillen> I could probably work it out but I have real work I need to be doing
23:20 < Mike_B> gwillen: fair enugh
23:20 < Mike_B> enouh
23:20 < Mike_B> god damn it
23:20 < Mike_B> :(
23:21  * Mike_B "enoughghghghghghghghghghghghg"
23:23 < gmaxwell> new lenovo keyboard?
23:24 < Mike_B> no, i just developed a neuromuscular disorder that lasted 2 seconds
23:26 < gmaxwell> It's been known to happen to bitcoiners. :(
23:27 < Mike_B> bitcoin-related finger tremor
23:28 < Mike_B> ok, so i see your objection now
23:28 < Mike_B> so you're saying the target is 0xfffff....
23:28 < Mike_B> so every hash wins, but you need a trillion hashes or whatever
23:29 < Mike_B> so if you have double the hashpower I do, you generate hashes twice as fast
23:30 < Mike_B> and i guess you're saying there's a strategy where you can hoard hashes and i, the poor unsuspecting sap, just broadcast them to the network
23:30 < Mike_B> is that right?
23:31 < Mike_B> i guess i'm just not sure how you'd use hoarding hashes to have influence more than your hashpower
23:31 < Mike_B> you'd have to wait for me to pass some threshold and then dump
--- Log closed Thu Dec 05 00:00:32 2013
--- Log opened Thu Dec 05 00:00:32 2013
01:01 < amiller> gmaxwell, what do you think of the transaction notation in the "mpc on bitcoin" paper
01:01 < amiller> is it easy to read?
01:02 < amiller> it's a pretty sound compromise between the current academic notation and how we're used to looking at them, i think
01:03 < amiller> i guess i should try writing something else out in that style
08:21 < jtimon> maaku I'm still on page 5, but this P = NP paper looks very good
08:22 < jtimon> I thought you believed this was possible since you tried it yourself
08:28 < fagmuffinz> jtimon, link?
08:28 < jtimon> <maaku> supposed proof of P=NP : http://arxiv.org/pdf/1208.0954.pdf
08:28 < jtimon> <maaku> dubious of a proof that's only 24 pages long
08:38 < t7> can you express the problem in coq or agda?
08:46 < _ingsoc> For a second I thought it was this guy: https://en.wikipedia.org/wiki/Sergei_Yakhontov
08:46 < _ingsoc> I would have been like, damn, that's badass.
08:52 < iddo> jtimon: it's not new, it's revised from 2012, see http://arxiv.org/abs/1208.0954 and http://www.win.tue.nl/~gwoegi/P-versus-NP.htm
08:53 < nsh> what was the problem in 2012?
08:53 < nsh> shouldn't a constructive proof of P=NP lead pretty directly to efficient algorithms/reductions for All The Problems
08:54 < nsh> ?
08:54 < TD> huh
08:54 < TD> it's funny to see a list of papers along with claims "This paper proves P=NP" followed by "This paper proves P/=NP"
08:55 < nsh> yeah
08:55 < nsh> --
08:55 < nsh> [Equal]: In September 2012, Sergey V. Yakhontov proved that P=NP. The proof is constructive, and explicitly gives a polynomial time deterministic algorithm that determines whether there exists a polynomial-length accepting computational path for a given non-deterministic single-tape Turing machine. The paper is available at http://arxiv.org/abs/1208.0954.
08:55 < nsh> (Thanks to Ricardo Mota Gomes for providing this link.)
08:55 < nsh> --
08:55 < iddo> nsh: serious people stopped trying to look for problems in non-peer-reviewed papers like this, e.g. http://www.wisdom.weizmann.ac.il/~oded/p-vs-np.html
08:56 < nsh> (constructively determining the existence of something is not constructive)
08:56 < TD> isn't looking for problems rather what peer review means?
08:56 < sipa> nsh: there are classes above NP that would be unaffected (ExpTime, ...)
08:56 < nsh> sipa, right
08:56 < sipa> also, polynomial does not imply efficient by any real-world standard
08:56 < sipa> (assume it was polynomial in the 100th degree?)
08:58 < nsh> have there been many cases of polynomial algorithms being found but only with high exponents?
08:58 < nsh> i have the impression (but i don't know how reliable it is) that generally relatively efficient algorithms are found where they exist at all
18:53 < adam3us> btw it would be super embarrassing if the thing which over took bitcoin if it happened was essentially a lame param tweak
18:53 < gmaxwell> PPC would be interesting to me if it weren't sullied with that stupid block signing.
18:53 < maaku> the pun on "free market" was just too good to pass up
18:54 < maaku> geistgeld, my favorite. 15 second blocks
18:54 < maaku> that actually was useful
18:54 < maaku> and appropriately, now dead
18:54 < gmaxwell> the scrypt experiment ran its course and failed as an experiment: It failed its stated goal, and it's had negative side effects (making initial (/spv) sync slow).  Double sad is that many people (myself included) predicted exactly this outcome.
18:54 < adam3us> sipa: yes litecoin main claim was giving gpu miners something to play with when asics came
18:55 < sipa> i wonder, with PPC, can you mine on both branches of a block chain fork at once, without loss?
18:55 < jtimon> wasn't geistgeld the first one with scrypt?
18:55 < gmaxwell> maaku: I liked "liquidcoin" the one with the difficulty set to a fixed level... it rapidly turned into a thousand separate currencies as nodes could never manage to converge.
18:55 < adam3us> sipa: well even that was unintended if i caught up correctly it aimed for cpu preference and failed, luckily for it asics came along
18:56 < gmaxwell> sipa: with PoS you can indeed, that's why PoS is sad. PPC arbitrates forks with a special alert message that adds a checkpoint, run by the developer.
18:56 < jtimon> I dream with a SCIP/spark-based pow
18:57 < sipa> gmaxwell: i keep reading "PoS" as "piece of shit"
18:57 < adam3us> he he
18:57 < petertodd> gmaxwell, maaku: working on a paper analyzing profitability of tx fees - results are looking pretty ugly w/ centralizing mining having at best linear improvements in profitability.
18:58 < sipa> gmaxwell: oh, so that is actually why the checkpoints are needed
18:58 < adam3us> gmaxwell: scrypt spv problem being higher hash validation cost?
18:58 < petertodd> gmaxwell, maaku: you can very quickly construct a proof that in any circumstance mining is something where increased hashing power gives you more profits per unit work
18:58 < sipa> gmaxwell: i thought it was to prevent tons of SHA256 power working against it
18:58 < petertodd> gmaxwell, maaku: which we knew... but it looks like under certain circumstances the implications of that are really ugly.
18:58 < gmaxwell> adam3us: no it wasn't, LTC's claim was that it was cpu only (gpu resistant) :P
18:58 < adam3us> gmaxwell: yes i read that
18:59 < sipa> < adam3us> sipa: yes litecoin main claim was giving gpu miners something to play with when asics came    <-- unsure what you mean here
18:59 < gmaxwell> sipa: most of PPC blocks is PoS mining now, the SHA256 difficulty is quite high.
18:59 < adam3us> gmaxwell: "and it's had negative side effects (making initial (/spv) sync slow)." was referring to that ... scrypt spv problem being higher hash validation cost?
18:59 < petertodd> bbl
19:00 < jtimon> the theory now is that ASICs = centralization = less security: I think bitshares offers an "even-harder-to-asic" pow
19:00 < gmaxwell> sipa: the first version of PPC PoS was super vulnerable, by throwing CPU at the POS you could find a path of solutions where your coins were the lucky POS coins for every block.
19:00 < adam3us> sipa: never mind, i just meant that it would've probably died if asic mining hadn't freed up lots of gpus, when its failed attempt to be better on cpu failed
19:00 < sipa> adam3us: ic
19:00 < sipa> adam3us: ironic :)
19:01 < gmaxwell> sipa: they stopped the majority attack by the alert lockins and then did a hardfork to change the PoS so that the stake is selected using POW blocks to prevent that kind of fork and search to favor your own stake.
19:01 < adam3us> sipa: litecoin investors made money from a failure that succeeded for random reasons outside of its authors' control or expectation
19:02 < gmaxwell> but you can still mine all possible forks, and it's rational to do so... you just can't use doing that to make yourself mine all the blocks. :P
19:02 < jtimon> I guess atlantis had a lot to do with ltc success too
19:02 < gmaxwell> (unless you also have a lot of hashpower)
19:02 < adam3us> sipa: but it is kind of interesting that the value of a coin is partly from the fun that can be had in the act of mining it... if you take away people's toys by removing gpu mining and asics being hard to get, then that's what happens
19:03 < adam3us> jtimon: atlantis?
19:03 < jtimon> was another silk road that accepted both btc and ltc
19:03 < gmaxwell> adam3us: litecoin mining was really weird for a long time, e.g. it was net unprofitable over power for a very long time until GPU mining took off.
19:04 < adam3us> btw i had a look at bitshares protocoin mining run and they very badly screwed their params, but the psychology of the miners on the #protoshares channel was interesting... they mostly didn't understand what it was or why they were mining it, just it was fun, and they were early and getting a discount/jump on a timelimited offer
19:05 < gmaxwell> adam3us: yea, mining all the new things blindly has been at times very profitable.
19:05 < adam3us> (they hard forked their params with no warning to the alarm of users who prepaid for like hosting services on a month basis that bitshares was taking referral commission on)
19:05 < adam3us> i was too late to encourage their users to reject and not upgrade!
19:06 < gmaxwell> adam3us: nothing can compete with all the crazy stuff solid coin did.
19:06 < adam3us> (they put a message on their site to say you have to upgrade or else, but the threat was incorrect - if the miners revolted that would've been the end of the param change plan)
19:06 < gmaxwell> I'm pretty sure you could do a hardfork of a moderately successful altcoin where you just moved half the users balances to yourself, and they'd take it.
19:06 < midnightmagic> gmaxwell: I wonder if that's the anonymous developer who wants to add in all that new stuff to an altcoin fork.
19:06 < jtimon> gmaxwell, do you have more on your interactive hashtree proof besides this thread? https://bitcointalk.org/index.php?topic=284194.0
19:07 < gmaxwell> jtimon: the block cut and choose idea at the bottom is applicable to any fiat shamir style non-interactive proof, it just potentially makes them smaller for a given security level.
19:08 < gmaxwell> midnightmagic: hm?
19:08 < adam3us> gmaxwell: btw about your aside about patent trolls, i did send a mail to the foundation lawyer guy and matonis, and they replied to say yes they were working on a defensive shared patent pool
19:09 < gmaxwell> midnightmagic: realsolid hardly did anything original
19:09 < sipa> he was perhaps the first to use floating point in consensus-critical code :)
19:09 < gmaxwell> adam3us: uhh. that the foundation would own? danger danger. 501(c)(6) assets can be taken in bankruptcy to creditors, and bankruptcy transfers can sever otherwise perpetual licenses.
19:10 < midnightmagic> gmaxwell: The ideas lists were collected from others' hardfork wishlists
19:10 < adam3us> gmaxwell: but yeah i don't know.. i suggested such risks to jgarzik who was on the thread here and he seemed less worried
19:10 < gmaxwell> midnightmagic: well ideas are a dime a dozen, sit down I'll pump out another gross of them for you.
19:10 < midnightmagic> :)
19:10 < adam3us> it seemed to me a risk that the foundation could be legally attacked and the patents seized
19:12 < adam3us> but the current alternative is not fantastic either that each new bitcoin startup probably patents half a dozen defensive things, that sooner or later will get bought by a troll, or sold to a big co that does nothing with it apart from park it in a 5000 patent defensive pool
19:12 < adam3us> it happened with Chaum's digicash patents, until they expired
19:14 < gmaxwell> adam3us: SFLC considers that kind of risk significant, for codec patents we've used a complicated interlocking scheme with multiple 501(c)(3) (which have special asset disposition rules which prevent them from being taken in a bankruptcy), e.g. mozilla filed patents and then assigned them to Xiph.Org under an agreement controlling the disposition of the patents should Xiph.Org go away, and we still consider it generally risky as ...
19:14 < gmaxwell> ... opposed to pure defensive publication. (but the risk was necessary because we had to be able to force other potential patent holders to adopt licensing terms we specified and thus needed negotiating leverage)
19:15 < adam3us> i see - maybe you should fwd that to the lawyer guy & matonis
19:15 < gmaxwell> The biggest problem in true defensive patenting is that under current caselaw in the US a bankruptcy court can dissolve _any_ licensing agreement, and they do.
19:16 < gmaxwell> (this is also why things like the twitter patent pledge thing are nice in spirit but may not work in practice)
19:16 < adam3us> i was thinking it would be nice to have some way to defensively avoid patents becoming troll material
19:17 < gmaxwell> the next best idea was to embed trapdoor misconduct in the patent application process, so that our patents were trivially invalidatable but only to us.. uh.. I hope that expresses how hard we considered the process to be. :)
19:17 < adam3us> that bitcoin startups have; maybe they can own them but they revert to the foundation - far out of my depth other than hating patents with a vengeance and seeing too many of them through consulting on crypto for people and wanting to avoid seeing the digicash patent endgame
19:18 < adam3us> if there was a safe way to have a defensive pool, it would be good to have something to pressure bitcoin startups to assign their patents to so they can be forced to be sincere about their defensive plans
21:35 < gmaxwell> at some point I believe we'll add some (or multiple) kinds of finite resource priority peers can use to get slots if they're having problems. I've got a couple ideas for that.
21:49 < nanotube> hm, that's interesting
21:52 < nanotube> mem was stable at 16conn, restarted with 128.
--- Log closed Wed Sep 11 00:00:26 2013
--- Log opened Wed Sep 11 00:00:26 2013
00:11 < nanotube> 27 peers, 13 tor. 269/598M ram. (vs 268/585 at 16 peers)
00:11 < nanotube> jrmithdobbs: maybe something changed in a month, but i'm definitely seeing plenty of tor peers.
07:35 < nanotube> 27 tor out of 52. 302/591 mem.
07:35 < nanotube> that /is/ pretty small mem impact per connection, it seems.
07:36 < gmaxwell> it used to be much larger, but, yea, that mostly should have been fixed.
16:21 < nanotube> also, 33 out of 57 connections are tor. definitely some popularity there.
16:37 < nanotube> we could probably use sipa's crawler to get a rough estimate of how many torcoin nodes there are...
17:54 < sipa> nanotube: i crawl tor
20:34 < nanotube> sipa: ah cool. so got any rough estimate? :)
20:35 < sipa> there's 31 onion peers in my database
20:40 < nanotube> heh, i have 35 tor peers right now as we speak. >_<
20:42 < nanotube> but those are people connecting to me, so maybe they are not running a hidden service
--- Log closed Thu Sep 12 00:00:29 2013
--- Log opened Thu Sep 12 00:00:29 2013
01:16 < gmaxwell> nanotube: exactly, we're sort of short on onion peers. :(
08:39 < nanotube> there seems to be a decent list on https://en.bitcoin.it/wiki/Fallback_Nodes
10:03 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=292857.0  someone proposes a composable signature scheme based on pairing crypto.
10:05 < gmaxwell> e.g. you have a bunch of pubkeys, and values signed... and you can't tell which signed which. bonus: they seem to be claiming the aggregate is constant size.
10:06 < gmaxwell> (though they make some claim about the security model essential to the size being constant and not linear in the number of signatures which I don't understand)
11:44 < petertodd> gmaxwell: broken link
11:45 < petertodd> Sounds promising though!
11:52 < gmaxwell> petertodd: sorry, I moved around some posts: https://bitcointalk.org/index.php?topic=290971.0
11:53 < gmaxwell> In any case, you start off with a bunch of {key, message, signature} and can aggregate one way into a {N x key, N x message, signature} such that you can't tell which key signed for which message. The final signature may be constant in length.
11:53 < gmaxwell> (may because they had some security handwave I didn't follow, otherwise it's linear)
14:04 < amiller> i really think i've figured out the economics of bitcoin
14:04 < amiller> it has to be unprofitable for everyone
14:06 < amiller> we have to assume it's always more efficient for large corporations to mine, because of economies of scale etc etc
14:07 < amiller> this is the underlying reason why people panic about the trend of bitcoin towards centralized mining
14:07 < amiller> and it's compelling
14:08 < amiller> if it's unprofitable for some people to mine and profitable for others, then unfortunately it's likely to be profitable only for people with the biggest investments
14:08 < amiller> but this lottery theory is totally a way around that
14:09 < amiller> the solution is basically to make it unprofitable for everyone, including the potentially enormous miners
14:10 < amiller> and in fact the motivation to participate, despite it being unprofitable, is most applicable to the small users and not to the biggest players
14:11 < jgarzik> One argument I've always made is that larger corporations, if they decide to buy into bitcoin mining, will be willing to mine even at a loss
14:11 < amiller> i think the opposite
14:11 < amiller> maybe if they have some external reason as well, like political influence i suppose?
14:12 < jgarzik> amiller, you may obtain several opportunities of ancillary value from mining
14:12 < jgarzik> amiller, mining your own transactions, slowing down your competitors, strategic value, etc.
14:12 < jgarzik> amiller, general network security, lessening dominance of others
14:13 < jgarzik> amiller, laundering (the 110% PPS case)
14:13 < amiller> i see
14:13 < amiller> that's not detrimental, it doesn't necessarily imply the winner take all case
14:13 < jgarzik> agree
14:14 < jgarzik> not trying to rebut your argument, just noting all the value that may be extracted even if the mining itself is notionally unprofitable
14:14 < amiller> sure, fair enough
14:14 < amiller> some of that almost counts as altruistic model as well, basically you've described like a bitcoin stewarding company
14:15 < amiller> it would be disconcerting if a potentially strictly-greedy network-ambivalent cost-cutting company could get more and more profitable just by mining and accumulating compute power
14:16 < amiller> so i'm really comfortable now with this decision theory called Cumulative Prospect Theory
14:16 < amiller> it's a generalization of the standard Expected Utility version
14:16 < amiller> EU says that no one ever participates in lotteries, CPT accounts for that
14:17 < amiller> i'm really confident now that modeling bitcoin miners as CPT-rational agents is the way to go
14:19 < amiller> it's not inherently irrational to play a lottery with -ev
14:19 < amiller> which is a nice observation because we know that people do
14:19 < amiller> what's neat is that a lot of people of ordinary wealth may be very excited about the potential of winning like $2500 by mining a block
14:20 < amiller> when the potential reward is tuned right, basically the most amount of people will participate and the ev will drop
14:21 < amiller> yet $2500 is nothing to a big company, and they're less and less likely to get a big enough jackpot to make it worth participating
14:24 < jgarzik> not necessarily stewarding -- I was thinking to myself of an idealized "bitcoin bank", or an HSBC/Goldman bank that wants to participate with bitcoin
14:24 < jgarzik> If you want to participate in the network, there is value in helping to defend it
14:25 < jgarzik> another thought, the most difficult problem to solve:  how to compensate people for joining the network and relaying transactions
14:26 < jgarzik> otherwise we quickly degenerate into only miners running full nodes (which, admittedly, Satoshi described as an end game)
14:37 < jgarzik> amiller, compare price of hardware versus likely expected payoff
14:37 < jgarzik> amiller, it's expensive hardware for a low-payoff lottery, right now
14:38 < jgarzik> any hardware within the reach of normal people will on average produce 1 block every 10 years or so
14:38 < jgarzik> and it seems like that trend will continue
14:38 < amiller> one thing i found is that the cost is totally dominated by equipment rather than power
14:38 < amiller> it surprises me whenever i do that calculation
14:38 < jgarzik> indeed
14:39 < jgarzik> though my $300/month power bill increase was painful today :)
14:39 < jgarzik> 2x Avalon, 2x BFL
14:39 < jgarzik> (need to get that other Av back up)
14:39 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=290971.msg3139004#msg3139004
14:39 < amiller> i'm interested in the structure of bitcoin's reward
14:39 < amiller> like if there were bigger jackpots
14:40 < amiller> perhaps sometimes you could win a thousand bitcoin bonus
14:40 < amiller> that would change the way in which people participate
14:40 < amiller> even if somehow the expected profit was fixed
14:40 < amiller> that's my point overall i guess is that i'm moving away from an expected-profit-centric analysis of the rewards
14:40 < gmaxwell> 11:19 < amiller> what's neat is that a lot of people of ordinary wealth may be very excited about the potential of winning like $2500 by mining a block
14:41 < gmaxwell> ^ doesn't explain why most people won't solo mine, even in small amounts... even with a positive ev. :P
14:42 < gmaxwell> amiller: a significant fraction of miners think mining is a race, and that you get super linear rewards from big aggregates. "So much for rational agents" .. so perhaps that's what explains the prevalence of pooling, it doesn't seem to explain the near absence of solomining.
14:42 < gmaxwell> jgarzik: 11:25 < jgarzik> another thought, the most difficult problem to solve:  how to compensate people for joining the network and relaying transactions
14:43 < gmaxwell> So, there was just a "anonymity" proposal that resolves that as a side effect.
14:43 < amiller> gmaxwell, i have two responses, one is that it could easily be something that happens later as people learn to understand the economics better, the other is that perhaps the $2500 is even too steep and people would like to have a small chance at winning like $20 or something
14:44 < amiller> there are tons of studies on lottery design, and it's well known that lottery designs typically have lots of different prizes
14:44 < jgarzik> Explaining the near absence of solo mining:  There is a rather large chance you will /never/ get paid for that noisy, loud hardware you had to fight to obtain.
14:44 < amiller> i found one paper that looks at optimal lottery design for a market of CPT agents in particular, and basically concludes that an optimal lottery has a continuous prize distribution, not just finite prizes
14:44 < jgarzik> The motivation to help the network is not nearly so strong.
14:44 < amiller> bitcoin has exactly one prize
14:44 < amiller> for bigger prizes, you have to go to satoshi dice
14:44 < amiller> for smaller prizes, you have to go to satoshi dice
14:45 < gmaxwell> jgarzik: I mean back when CPU mining was still profitable (positive EV over power costs) but not very, I had basically no luck convincing now gpu miners to spin up their cpus laying around solo mining.
11:58 < jtimon> petertodd: "reduce the consensus "size"", that's what I meant here " though the most promising scalability improvements can only come from more data being directly exchanged between parties without touching the chain"
11:58 < petertodd> TD: ha, for once we're on agreement on scalability (at least on what we should do in the short/medium term)
11:59 < jtimon> TD ok I get your point
11:59 < TD> i'll go  out and celebrate tonight :)
11:59 < jtimon> TD but that's assuming no merged mining :(
11:59 < petertodd> TD: and for long-term, we can probably agree that we don't know yet because the research hasn't been done :)
12:00 < TD> the scaling issues with bitcoin aren't really mining, they're to do with management of the chain/transaction rates/etc. so merged mined altcoins are fine.
12:00 < TD> indeed!
12:00 < jtimon> yeah, maybe I'm just envisioning the worst-case scalability scenario, and still future looks bright
12:00 < petertodd> jtimon: ah, well depends on your definition of "the chain" - I think long-term we can create systems where, very roughly speaking, you have multiple chains where the "timestamping" PoW is all merged, but the proof-of-publication isn't
12:01 < petertodd> jtimon: so your tx on *a* blockchain might be subject to consensus by an audience of 10,000 or whatever, but the "audience" timestamping it may be millions
12:02 < petertodd> jtimon: and most likely the tech will be such that the more valuable transactions end up paying higher (absolute) fees, and are "seen" by a larger audience
12:02 < adam3us> TD: i'm more excited about pegged side-chains (aka alts but with bitcoin price pegging in lieu of new scarcity races) as a building block to explore sharding and other features.  then each guy with a crazy idea can go knock himself out on a side chain without creating dust on bitcoin main meta-coin style, and without creating a new tulip coin with scarcity race sales-hook being his "feature"
12:02 < jtimon> petertodd: I just don't know how you're going to do that
12:02 < petertodd> jtimon: the open research problems are all related to how does security work there
12:03 < jtimon> petertodd: as said some kind of sharding  would be very nice
12:03 < petertodd> jtimon: well, I've got some ideas - day before yesterday I outlined one on -wizards
12:03 < jtimon> yeah you half-explained me one, but I was unconvinced
12:04 < petertodd> adam3us: yeah, merge-mined sharding w/ pegged value is probably a reasonable way to upgrade bitcoin 1.0 to this kind of technology
12:04 < jtimon> I'm happy that you're thinking about these things though
12:04 < petertodd> adam3us: but as I say, the specifics are an open question right now
12:04 < adam3us> anyway it's not doom & gloom, we're not all out of ideas, maybe petertodd is full of it or maybe he finds the magic formula :)
12:05 < jtimon> petertodd: one idea I had in mind was partitioning the sequencing itself
12:05 < helo> sharding is sending bitcoin to an unspendable bitcoin address to mint altcoin?
12:05 < adam3us> petertodd: right exactly.  so let's build pegged side-chain and let a dozen people and startups go try see if they can figure it out
12:05 < jtimon> but I haven't found a way to make it p2p
12:05 < adam3us> helo: no sharding is generic... just means split up the volume somehow
12:06 < helo> ok
12:06 < adam3us> helo: pegged side-chain involves proof of transfer (you can move the coin back too, not destroyed as such)
12:06 < petertodd> adam3us: heh, worst comes to worst all my off-chain stuff *does* work just fine subject to the semi-centralization involved, and it has the enormous advantage that implementations of it can fail and won't take down the whole system with it
12:06 < jtimon> helo: like having half transactions in one chain and the other half in another chain
12:07 < jtimon> helo: I meant that for sharding
12:07 < adam3us> petertodd: it is highly likely that at least one person will try to claim solving it via a centralized server.  well we have open transactions even :) federated but auditable, and rebuildable from receipts
12:07 < petertodd> jtimon: yeah, atomicity of transactions in sharded systems is a really interesting question
12:08 < petertodd> adam3us: yup, my actualy claim to fame in that space is only better systems of auditing and fraud punishment - the idea itself is so simple as to get reinvented constantly
12:08 < petertodd> adam3us: *actual
12:08 < jtimon> let me explain how would it work "centralized", maybe you can come up with a way to make that p2p
12:08 < adam3us> petertodd, jtimon: so pegged side chain, like 100 of them merge mined, coins moved via SPV proof of move or atomic cross chain swap.  seems not implausible
12:08 < jtimon> or someone else
12:09 < petertodd> jtimon: see fidelity bonded banks where the machine readable fraud proofs are what makes it possible to do it p2p
12:09 < jtimon> adam3us: that still requires fat validation miners
12:09 < petertodd> jtimon: no it doesn't, mining is scalable because miners don't have to validate all chains
12:09 < jtimon> petertodd you don't know what I'm going to say yet
12:10 < adam3us> jtimon: it's merge mined, but maybe some model can be found for mining without having all 100 full tx feed.   it's not like most mining power right now is even looking at the tx...
12:10 < jtimon> petertodd: there was no sharding in adam3us not implausible comment
12:11 < jtimon> "pegged side chain, like 100 of them merge mined, coins moved via SPV proof of move or atomic cross chain swap.  seems not implausible"
12:11 < adam3us> anyway we don't have to solve it today... more worried about how to provably prevent someone sneaking fractional reserve into a side-chain at this moment.
12:11 < adam3us> jtimon: yeah it's just a definitional thing.  you could consider the 100 side chains 100 shards
12:12 < petertodd> adam3us: well, like I said above, the trick is to separate timestamping from the proof-of-publication - merge-mined side chains can naturally work that way if they are genuinely merge-mined, as opposed to just a soft-forking change
12:12 < adam3us> petertodd: yes this is a kind of open transactions argument.  i buy that as a plausible thing to explore.
12:12 < jtimon> well, since we don't know how to shard yet and you didn't explicitly mentioned it, I thought you meant we could still scale doing that without sharding
12:13 < adam3us> jtimon: i was thinking of a use-case of (multiple identical) pegged side-chains as a mechanism for sharding
12:13 < petertodd> jtimon: well, remember my thought example of the tree-like consensus system? if your top node in that tree is the bitcoin blockchain, then the two leaves logically are your merge-mined side-chains
12:14 < petertodd> jtimon: which is why coming up with a backwards-compatible upgrade is actually fairly plausible - ugly, but feasible
12:15 < jtimon> adam3us: but the pegging thing is to solve the "exchange rate" problem TD mentions
12:15 < adam3us> petertodd: its the beauty of pegged side-chain, the side chain (or lots of them, or competing lots of them) can go do experiments while retaining bitcoin main fungibility
12:15 < petertodd> adam3us: yup
12:16 < jtimon> adam3us: I'm saying I don't know a technical solution for merged mining + sharding in the first place, seem kind of incompatible to me
12:16 < adam3us> jtimon: right.  but pegged side-chains also form security firewalled experiment zones for interesting things, like sharding, freimarket script extensions, utxo compaction, zerocoins, committed tx... anything within reason
12:17 < adam3us> petertodd: the limitation is only i think it has to be not too alien for bitcoin to not be able to consume the side-chain's SPV proof of move
12:18 < jtimon> adam3us: security firewalled? what in pegcoin makes it more attractive to merge mine than say, devcoin?
12:18 < petertodd> adam3us: nah, I'd say the bigger limitation is that long-term PoW security needs to be paid for by fees, and the basic economic model is screwy there and has a high potential of failure
12:18 < adam3us> jtimon: incentive you mean? ask petertodd he's the incentive / game-theory guru ;P
12:18 < petertodd> adam3us: it's the thing with off-chain stuff: it becoming too effective is a huge risk in the long-term!
12:19 < petertodd> adam3us: now that's like, 10 years away long term hopefully, but it's a problem that needs solving eventually
12:19 < adam3us> petertodd: it seems like the biggest open q about it really.  incentives.  but it's not like that's solved in main.  $25k/block or $150k/6-block is the price of admission (x the failure rate to build a chain long enough)
12:20 < jtimon> petertodd are you suggesting off-chain technology working nicely and securely is a "huge risk"? what do you mean?
12:21 < adam3us> petertodd: Maybe its a TD thing.  we (humans) want and need this to work, so maybe most honest people will do it and that will carry the day
12:21 < petertodd> adam3us: yup, currently my best guess is per-tx PoW schemes (and actually, maybe per *txin* PoW schemes) with anti-pooling stuff and PoW algorithms more resistant to ASIC centralization is what'll work, but those are all -wizard level questions and lots of research to be done
12:21 < adam3us> jtimon: he's worried about an incentive break down leading to attacks
12:22 < jtimon> adam3us well I ask you because you made the firewall claim, but I'm happy receiving an explanation from anybody
12:22 < petertodd> adam3us: in the meantime, honesty and other non-ideal second order effects will help the existing system limp along for a lot longer than it deserves to
12:22 < petertodd> jtimon: yes, in the long term the PoW security needs to be paid for, and one of the few reasonable ways to do it is transaction fees, no-txs == no pow security in many very plausible future models
19:32 <@gmaxwell> at some point this should get built, even if it's just a toy insecure form.
19:33 <@gmaxwell> people were talking in #bitcoin-offtopic about building an IRC micropayment bot...
19:33 <@petertodd> Did you read my bonded ledgers thing?
19:33 <@gmaxwell> You send it 1btc.. then you can bot: pay petertodd 0.012345 btc    and eventually petertodd can checkout if he likes.
19:33 <@petertodd> The idea of focusing on making a ledger who you are only holding to not allow double-spends to happen is nice.
19:34 <@gmaxwell> Not secure, not private, etc. But it would be insanely useful. It would do micropayments instantly in a way bitcoin cannot, it would avoid blockchain bloat and transaction fees..  etc. Even the weakest forms of your chaum bank stuff would be better than "just trust the bank"
19:35 <@gmaxwell> the bonded ledgers was just the OP code for double spends?
19:35 <@petertodd> Yeah, and if it's just a ledger, you could re-use all the Bitcoin transaction machinery, including machinery to do double-spend proofs.
19:35 <@petertodd> Pretty much, and if the scripting system was just slightly more powerful, you probably wouldn't even need a dedicated opcode.
19:36 <@gmaxwell> I wonder how you could construct its transactions to make the proof of doublespending maximally small?
19:37 <@petertodd> Basically decompose CHECKSIG, allow for string manipulation, and provide a way to constrain what the txout set of a scriptPubKey spend is.
19:37 <@gmaxwell> though I suppose ideally it would work on bitcointransactions so you could use it for both on and off chain doublespending prevention.
19:37 <@gmaxwell> though that presupposes a public ledger which is lame.
19:37 <@petertodd> Well, one key thing would be for signatures to use a hash tree to generate the hashes. You just have to show that the inputs were the same both times, not the outputs.
19:38 <@gmaxwell> yea, I've wanted to define a transaction format that is tree structured for other reasons: to build altchains that don't validate buried signatures.
19:38 <@petertodd> Public ledger is the easiest, but you don't have to do that. One way would be to use a crypto accumulator on the set of all txins spent.
19:39 <@petertodd> So you would challenge the ledger periodically to prove they didn't double-spend your transactions.
19:39 <@petertodd> hmm... actually, that could work very nicely...
19:40 <@petertodd> You do need the ledger to publish some type of "state of the ledger" publicly, in a way that can be retrieved anonymously, but, for instance, that could be done with the ledger's deposit and withdrawal transactions as a smalldata.
19:41 <@petertodd> Basically, for any tx the ledger ever makes, if you find the ledger's signature on it you can simply say "OK, so that's the state of the ledger, now prove to me that you didn't double-spend my input"
19:41 <@gmaxwell> the advantage, e.g. of an irc paybot is better scale for microtxn, and improved privacy (basically privacy more like IRC's: not cryptostrong but ephemeral so long as everyone is playing nice)
19:42 <@petertodd> And when you accept a transaction from the ledger, ask for *that* transaction's history, back to where it came from in the blockchain.
19:43 <@petertodd> I assume you've seen reddit's bitcointip right?
19:44 <@gmaxwell> yes. pretty horrible in that it makes a bitcoin txn per tip or at least it did.
19:44 <@gmaxwell> "worst of all worlds: insecure, slow, and non-scalable"
19:44 <@petertodd> Pretty sure it still does; it's blockchain.info based.
19:44 <@petertodd> Especially given the tiny size of tips.
19:45 <@gmaxwell> Yea, b.i doesn't even have a facility for internal transactions.
19:45 <@petertodd> OK, so there's a goal: a library for auditable off-chain transactions.
19:45 <@petertodd> Well, how could b.i and still meet its security promises?
19:46 <@gmaxwell> by allowing you to have some portion of your balance with b.i instead of in your wallet, of course.
19:46 <@petertodd> Well, sure, but then they need my auditable off-chain tx library. :P
19:46 <@gmaxwell> :)
19:46 <@gmaxwell> mtgox seems to do fine without one.
19:47 <@petertodd> mtgox is big enough to have credibility, of course, so is b.i
19:47 <@gmaxwell> What would the audits prove?
19:47 <@petertodd> The audits *could* prove fraud, if caught.
19:47 <@gmaxwell> I mean what kind of fraud.
19:47 <@petertodd> Well, let's say the ledger is internally doing a full blockchain basically, one tx per block.
19:48 <@petertodd> Each block is signed by the ledger, and the blockchain is linked by a merkle mountain range hash system.
19:48 <@petertodd> You also have a UTXO proof system basically.
19:49 <@petertodd> So, one valid query would be to ask "Give me a full transaction history from my tx back to the on-chain tx"
19:49 <@gmaxwell> Right, how do you avoid the proofs not becoming exponential as coins split and merge?
19:49 <@petertodd> It's a good question, likely the ledger can only say "proofs will never be more than 1MiB" or something.
19:50 <@gmaxwell> basically, I'm thinking this hidden blockchain model imposes some performance limits on the dumb-irc-bot-bank that would be unfortunate.
19:50 <@petertodd> I mean, heck, just make the whole thing downloadable, and every year or so just throw it away and start fresh.
19:50 <@petertodd> Yeah, it's a tough one.
19:51 <@petertodd> Double-spend fraud in the ledger is detectable enough, with a spent-UTXO accumulator.
19:51 <@gmaxwell> well what do we really need to prove: that the users balances sum to the deposits, right? What else for that application?
19:51 <@petertodd> Yes, I think that's the biggest one.
19:52 <@petertodd> The other thing is proving that the ledger isn't giving me my money back, although for now that doesn't need to be automatic.
19:53 <@gmaxwell> So, the bot publishes an anonymized list of accounts and their balances. And it publishes sigmessages showing it holds an equal amount of bitcoin.  You can see your balance in the public list,
19:53 <@petertodd> Hmm... well if every transaction is in a chain, and updates a balance sum, that helps. At least all the transactions to and from the ledger can be easily audited. (to deposit the ledger would sign your deposit tx as well)
19:55 <@petertodd> Do we need balances, or scriptPubKey txout hashes?
19:55 <@petertodd> (with merkle summing)
19:55 <@gmaxwell> if your balance changes on you and you don't agree... you publish a "fuck you, bot stole my balance"--account key.  which people hash to get the anonymized account key, and the bot publishes a list of all the txn to your account, and all withdraws should be signed by you.
19:56 <@gmaxwell> and if the bot can't produce a transaction log that matches the balance sheet, we know it robbed that person.
19:57 <@petertodd> That works easy enough.
19:57 <@gmaxwell> initial deposits into the system could basically be handled by the payment protocol type non-repudiation.
19:58 <@petertodd> So basically, the bot can't inflate the balance, provided that every user checks that their balance is shown in the public ledger.
19:58 <@petertodd> The ledger balance must match up to the on-chain balance.
19:58 <@gmaxwell> You go to deposit in, bot says "okay, I'll add 1 btc to account H(pubkey), iff you pay address 1unrelated" --bot  ... and if you don't get credited you can cry foul on that too.
19:59 <@petertodd> Yes, my fidelity-bonded ledger thing even had a special UTXO out query opcode for that, to use internally with the ledger.
19:59 <@gmaxwell> I don't think that on chain deposits would actually go in directly. Instead the system would be started off with one account: "bank" and a balance owned by the bank. Payments into the system would go into the bank owner's private wallet, and he'd move funds from the bank internal balance to the user mostly.
20:00 <@petertodd> OK, that's reasonable, and as you say, the deposit includes the promise to move the balance from the bank balance to your one.
20:00 <@gmaxwell> (of course the bank balance could be increased over time, but there wouldn't need to be a 1:1 match. This would also enable people to buy space in the bank using chaum tokens, mtgox codes, or whatever they want since deposit inside the bank and on the chain are decoupled)
20:01 <@gmaxwell> well whatever they want subject to how automated fraud handling should be.
20:01 <@petertodd> It's still very reliant on that public ledger of all balances, but seems doable.
20:01 <@gmaxwell> the public ledger would need to be delayed somewhat, I expect.
20:01 <@petertodd> For privacy?
20:01 <@petertodd> Delaying is fine provided it includes some type of hash linking back to your tx's.
20:02 <@petertodd> You want to be able to prove that a tx you performed should have been included in the master published ledger hash, but wasn't.
20:03 < ielo> hello helo
20:03 < ielo> ielo helo
20:05 <@amiller> i think this use of proving txs is only useful if there's something automated that happens
20:05 <@amiller> but this is a good reason to want the big bitcoin blockchain to be capable of metavalidation of other chains
20:05 <@amiller> because something like a double-spend in a minor chain can trigger an insurance payout in a larger chain
20:05 <@petertodd> amiller: This is the toy system - we'll implement automated proofs later.
20:06 <@petertodd> amiller: Basically this is Mt. Gox redeem codes + some auditing.
20:13 <@gmaxwell> petertodd: I guess the balance sheet really ought to be a Merkle-sum-tree.. this way they only publish the root, and only allow users to query their own balance.
20:14 <@gmaxwell> if the whole balance sheet is public you can grok out who's transacting with who by observing matching changes in balance.
20:14 <@gmaxwell> with a Merkle-sum-tree deanonymization requires the users to cooperate to deanonymize each other.
20:58 <@gmaxwell> I also have a related proposal, which needs a new transaction format, that I call checkpoint-transactions where users specify checkpoints in their transactions and the fees can only be recovered (completely?) in chains where the checkpoint matches.
20:58 < amiller> petertodd, fair enough but i think that's not interesting and/or not a reason to try to understand the behavior of optimal miners better
20:59 <@gmaxwell> amiller: I don't think your solution is stable. There will just be an incentive to reduce that fee via whatever other means are available. External fees, promoting locked/checkpointed txn/ etc.
20:59 < amiller> so you are saying that i can do it cheaper
20:59 < amiller> by paying someone out of band
21:00 <@gmaxwell> I think so.
21:00 < petertodd> amiller: sure, and this is -wizards, but remember there is value in fixing the problem for 95% of the cases
21:00 < amiller> i don't see why that's any cheaper or more effective than broadcasting the remainder as a fee
21:01 <@gmaxwell> amiller: because unless the fee you take is zero there still exists some orphaning incentive.
21:01 <@gmaxwell> and unless the fee you give away is zero there is some incentive to take fee move to another way.
21:01 < amiller> i think the optimal amount to take is exactly the fair cost of the work
21:02 < amiller> like that would be an equilibrium point because anyone else would be indifferent to mine above or below you
21:02 < amiller> which would be good, like it would be good if such a stable equilibrium existed
21:02 <@gmaxwell> But I want moar. and I can get moar if I just arrange to pay in a way other than fees.
21:03 < amiller> what other ways are there and how do i include them in this model so i can argue about under what conditions they're cheaper
21:03 < amiller> pay per shares?
21:03 < amiller> i just claimed that the equilibrium is taking exactly the cost of the work
21:03 < amiller> meaning exactly the same as what it would take to purchase mining shares
21:04 < amiller> so those are the same equilibriums
21:04 <@gmaxwell> I'm not talking about purchasing mining shares.
21:04 <@gmaxwell> okay, we're not communicating and I have work to do.
21:06 < amiller> "you send me shares and I pay you with regular bitcoin transactions"
21:07 < amiller> that's why i assumed that's what you were talking about
21:10 <@gmaxwell> amiller: Ah, I see how I wasn't clear.  I mean that I pay you for proof that you're attempting to work on my transactions, I dont give a hoot for the rest of the block, I'm not paying you for that, just the fees for mine.
21:10 <@gmaxwell> I'm not running the mining infrastructure or anything else.
21:10 <@gmaxwell> you could do the same work and send proof to hundreds of parties.
21:13 < amiller> ok well i still don't see why that would be a cheaper way to get mining power to work on your transactions
21:13 < amiller> i have to afk a bit so i'll try to work out what you might mean and you can work :o
21:34 <@gmaxwell> amiller: it's cheaper simply because the parties you pay don't have to give any of it away to avoid the risk of being orphaned to steal it.
22:31 < amiller> ah ok so yeah my premise that this begins with someone paying extraordinary fees is silly because there's no good reason for anyone to pay such a fee
22:33 < petertodd> amiller: fidelity bonds
22:33 < amiller> oh yeah hm
22:33 < petertodd> amiller: although if the fidelity bond fee is high enough to create weird incentives, it's not working correctly
22:34 < amiller> if there was a time that there were more rational miners that were prepared to take advantage of opportunities like that
22:34 <@gmaxwell> you can make the fidelity bond into a transaction chain easily enough.
22:34 < amiller> then i think it would be better to remove the coinbase maturity limit
22:34 < amiller> i think i don't understand what it's there for anyway
22:35 < petertodd> gmaxwell: yeah, my protocol is designed to make that easy
22:35 <@gmaxwell> It prevents a reorg from making honest people into thieves.
22:35 < petertodd> gmaxwell: in part for that reason
22:36 < petertodd> yup, like imagine no maturity, someone spreads a coinbase tx to hundreds of people, and then it gets reorged
22:36 < petertodd> even on a technical level that's ugly
22:36 <@gmaxwell> It also reduces the boom-and-bust incentive where you get a bunch of hashpower to majority attack the chain for a bit then quickly sell the coin before anyone notices you've been attacking. Though I think this is just a side benefit.
22:37 < amiller> i don't see how that is unique to coinbase as opposed to any other transaction
22:37 < petertodd> amiller: any other transaction can be put in another block
22:38 < petertodd> (modulo tx mutability)
22:40 < amiller> i see, so it's like a double spend, except a) it's easier to pull off because it will definitely work because it can't be spent in another block (that's the important part) and b) the attacker doesn't get his coins back
22:41 < amiller> that doesn't seem compelling to me because it's still caveat emptor as far as waiting for 6 blocks before believing you own the coin
22:41 < petertodd> yeah, that's one way of looking at it. I mean the main thing is just that it creates horridly ugly accounting problems
22:41 < petertodd> I doubt satoshi thought too hard about nash equilibriums for weirdly high fees - heck, I found an email from him dated nov 2008 where he wasn't even sure if bitcoin would have tx fees at all
22:42 < amiller> (tbh it's not really that i'm so concerned with high tx fees but i'm trying to get a good grasp of this and it's a toehold, and i have so few others!)
22:43 < petertodd> it'd be good to understand it better before people start making crazy fidelity bond sacrifices...
22:48 < amiller> it's possible that a weird high-tx fee attempt could make a double-spend attack cheaper
22:49 < amiller> my new fantasy prediction is that a stylized "rational mining pool" will eventually become predominant and shortly nearly everyone else will follow
22:50 < amiller> you know, that and the 'auto-double spend' feature gets built into every client so that in the case of a huge fork, no one wants to be the guy with the hot potato that gives up a windfall to the scumbag after you who has it enabled
22:51 < petertodd> heh, you'd like my mempool rewrite...
22:52 < amiller> i'm afraid i'm going to dislike it only because it will make this network-mapping project i'm about to try not work so well
22:52 < petertodd> lol, what's this project?
22:52 < amiller> i want to probe the network to see which peers are actually connected with sockets
22:52 < amiller> the simple case is i want to see if node A and node B share a connection
22:53 < petertodd> ah, I better develop some alt-p2p info distribution systems quick...
22:53 < amiller> i create two conflicting txs Tx0 and Tx1, I send Tx0 to both A and B, and simultaneously send Tx1 to everyone else i can connect to
22:53 < petertodd> interesting
22:53 < amiller> now A and B are logically isolated from everyone else
22:53 < amiller> I can send Tx0' to A and see if B relays it
22:53 < amiller> if so, i know they're connected, or at most they're connected via a dark pool dude
22:54 < amiller> because no one else will relay Tx0' because it conflicts with Tx0
22:54 < amiller> this can be improved in pretty straightforward ways to do a lot of mapping in fewer passes
22:54 < petertodd> and you can use that to trace back connections to individual mining pool nodes
22:54 < amiller> it breaks if people relay conflicting transactions or use different rules for mempool
22:55 < petertodd> yeah, replace-by-fee isn't a problem, but the totally different mempool behavior could be
22:55 < petertodd> still, just pay a reasonably high fee to get high priority, and make the profitability equal for both txs
22:55 < amiller> yeah
22:55 < amiller> well lmk if you start to propose something that would break this
22:56 < amiller> because i think it's probably better for everyone if they obscure their connections but it would defeat my attempt at glory
22:56 < amiller> also petertodd tell me what you think of this
22:56 < amiller> a major thing that is lacking is the ability to get realtime measurements of mining power
22:56 < amiller> this would be solved if mining pools would release some of their shares, as realtime streams of proof of work
22:56 < petertodd> heh, I think you are a bad person, incapable of love, for trying to defeat anonymity, but at the same time, I'd much, much rather see you do it, so you should do this
22:57 < petertodd> well, just ask them nicely...
22:57 < amiller> well asking them is one thing
22:57 < amiller> but i'd rather everyone demand it because they acknowledge its better for the network to do so
22:57 < amiller> anyone who's doing mining should be able to produce concise summaries of their work
22:57 < amiller> just a sample of their shares, like their nearest misses
22:58 < amiller> i could measure p2pool this way of course
22:58 < amiller> but "ethical" pools like slush or btcguild or whatever should adopt this too because it would make it easier to respond to changes
22:58 < amiller> for example during the 0.7/0.8 fork it would make it easier/quicker to estimate just how much of the hashpower has switched behaviors or something
22:58 < petertodd> sounds like central authority...
22:59 < amiller> no it's inherently distributed
22:59 < petertodd> if you need that information, I think it'd be better to ask how can you *not* need it
22:59 < amiller> do you grok what i mean by concise samples of proof of work
22:59 < amiller> oh i see what you mean
23:00 < amiller> the realtime information could be used to amplify movements like that?
23:00 < petertodd> see, I think we're better off accepting that in the short term mining is this crazy random process, and you just have to wait until consensus emerges
17:46 < amiller> lets keep considering the worst case where i am the only one using this trade path and so i have to pay for the entire validation
17:47 < gmaxwell> that in and of itself is a residual hold up risk.
17:48 < gmaxwell> e.g. I can at least extort the value of that refund minus epsilon assuming the non-iterated interaction.
17:48 < amiller> lets decide we figure out what that price will be and set an appropriate length of time
17:48 < gmaxwell> I'm not sure how much of a real risk holdup actually is.
17:48 < amiller> does this solve the race condition
17:48 < amiller> i still can't put my finger on how to state this
17:48 < gmaxwell> The interesting thing is that it's always been possible to do secure-except-holdup cross chain transactions and no one is doing it.
17:49 < gmaxwell> But you can't say that holdup is some enormous scare factor because plenty of people do totally insecure cross chain trades.
17:49 < gmaxwell> I have a feeling that holdup isn't actually a big problem. It's a problem but you could just add a little bit of reputation or identity and basically eliminate it.
17:50 < petertodd> All the evidence that the holdup happened can be right in the blockchain making the reuse problem fidelity bonds face much easier to solve.
17:50 < gmaxwell> (or at least reduce it to the point where that kind of solution is cheaper even considering the weighed failures than the infrastructure required and the direct costs for your proof-refund txns)
17:51 < amiller> i'm aiming bigger, if this is solvable then it's useful for local rather than global chains
17:51 < gmaxwell> petertodd: right, you can even say a foo-bond can only be used for one txout at a time.
17:52 < petertodd> gmaxwell: exactly
17:52 < gmaxwell> amiller: I realize this, as a fundamental way of making things scale better.  ... making the global chain a metachain that validates cross chain transactions, effectively. In which case its reasonable for the local chains to all watch the global chain but not vice versa.
17:52 < amiller> right
17:52 < amiller> yeah... well put
17:53 < petertodd> worst comes to worst, use the global chain for consensus on the fidelity bonds
17:54 < petertodd> And the existence of a global chain can be used directly for your proof-of-work algorithm via proof-of-sacrifice.
17:57 < amiller> ok so along the way, at the very least we've talked just now about a new result for SPV verification
17:57 < amiller> you can sample work and show that a coin *is still available/unspent* without even having to validate all the headers
17:58 < petertodd> ? I missed how that works
17:58 < amiller> petertodd, do you know the work-sampling idea
17:59 < petertodd> amiller: no
18:00 < amiller> petertodd, https://bitcointalk.org/index.php?topic=98986.0
18:00 < amiller> if you have some big collection of blocks, and you want to estimate the total amount of proof-of-work used to create them all, you can do that just by sampling a really small number of them
18:01 < amiller> if there are a million blocks with at least two zeros 00xxxxx
18:01 < petertodd> right, seems obvious enough
18:02 < amiller> then there are probably at least a hundred blocks with several more zeros 00000xxx
18:02 < gmaxwell> amiller: works for large numbers, not so much for small numbers though.. and that doesn't prove they're connected, unless the structure is changed to link along the hash highway.
18:03 < amiller> the structure can be changed pretty efficiently to have a sort of skip-list like thing to make it easier to produce that sample
18:03 < amiller> for spv it's not necessary to prove they're connected, you just have to prove they all don't disagree
18:04 < petertodd> amiller: merkle mountain range: https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
18:04 < petertodd> how are you going to show they don't disagree?
18:04 < gmaxwell> I'm not actually sure if that's better for proving header difficulty than a straight non-interactive cut and choose. The latter is easier to put proofs in just some blocks.
18:05 < amiller> petertodd, by showing that each member of the sample commits to a utxo and that each utxo still has the transaction in it i want to prove still exists
18:05 < gmaxwell> petertodd: you repeat the proof for each block e.g. it's unspent here and here and here and here. you don't need to show they're connected.
18:05 < gmaxwell> big proof though.
18:06 < amiller> gmaxwell, i think you might be right about cut and choose working just as well
18:07 < amiller> in any case it's basically just possible to do this
18:09 < petertodd> amiller: Why not just do a binary search?
18:10 < petertodd> amiller: Oh wait, I'm dumb...
18:11 < gmaxwell> its kinda sad no one has proposed a non-interactive cut and choose to faster bootstrap spv.
18:11 < amiller> i guess i still don't know how to efficiently prove that it wasn't spent in the last 10 blocks, because you can fake that work easier
18:11 < petertodd> Well, SPV bootstraps pretty fast anyway...
18:11 < amiller> i think i worked out that you could sample work more finely towards the front and get some benefit
18:12 < petertodd> amiller: Proving a coin wasn't spent recently is always going to be insecure - you only have a recent mined block as witness.
18:12 < gmaxwell> petertodd: they're distributing "checkpoints" with SPV clients now to make them bootstrap fast. :(
18:13 < petertodd> amiller: I mentioned to TD earlier today the idea of miners committing to a merkle tree of txids in their mempool, just to prove visibility, you could use that if the commitment included txins being spent.
18:13 < gmaxwell> (though their checkpoints aren't the same kind of thing the reference client has at least in bitcoinj based stuff they're a "if you can connect back at least this far, the sum of the rest of the diff is Y", as far as I understand it)
18:14 < petertodd> gmaxwell: What? True, I guess on a cellphone ~100MB adds up or whatever it is...
18:14 < gmaxwell> well it's 20mbytes right now.
18:14 < gmaxwell> but the fetching isn't very efficient.
18:14 < gmaxwell> e.g. not pipelined.
18:15 < petertodd> gmaxwell: What do you mean by pipelined? You just mean we can't ask for more than one block header at a time?
18:17 < gmaxwell> I thought they did scalar fetching instead of pipelining, but I might be incorrect. I'm going by what I've seen from logged getheaders but perhaps I'm just missing them setting the count to >1.
18:17 < gmaxwell> Otherwise I don't really understand the reason for the optimization.
18:18 < petertodd> gah, power's out, wonder how long the UPSs at work last...
18:18 < petertodd> gmaxwell: TD's NSA handlers?
18:19 < petertodd> I guess you should be able to set your bloom filter to match nothing, then ask for sequences of blocks, and get just the headers pipelined
18:22 < gmaxwell> petertodd: I mean, getheaders works just like getblocks and should be able to pipeline.
18:23 < gmaxwell> I just didn't think it was being used that way; but its likely that I'm stupid
19:32 < amiller> so this should also work with other-than-proof of work
19:33 < amiller> suppose there are just two separately-trusted serializer entities like opentransaction servers or quorum or whatever
19:36 < amiller> eh i'll finish that thought later
--- Log closed Tue Jul 09 00:00:22 2013
--- Log opened Tue Jul 09 00:00:22 2013
10:48 < petertodd> gmaxwell, amiller: power's back - Toronto just broke the record for most rain in a single day in history, 126mm, vs. the previous of 121mm during Hurricane Hazel in the 50's... the creek behind my apartment rose about 15ft, although fortunately the engineering is pretty good and houses are set back enough that other than a flooded school it was just some basements here and there flooded.
10:53 < amiller> ahh... hopefully your basement wasn't affected!
10:53 < amiller> according to my logs you did not miss any conversation :)
10:54 < petertodd> I'm on the twelfth floor :)
10:54 < petertodd> though my legs are killing me... the backup power for the elevators and lights died, and I spent a few hours helping people up to their apartments who didn't have lights...
11:16 < gmaxwell> 'here is a flashlight, drop it down the garbage chute when you make it'
12:38 < petertodd> gmaxwell: clever
15:08 < gmaxwell> petertodd: have you pondered the implications of replacing chaum tokens in a chaumian bank with zerocoin?  I think it lets you make the signing oracle memoryless (well, enough to verify ZC proofs).
15:09 < petertodd> gmaxwell: That's a good idea actually
15:10 < petertodd> gmaxwell: Although right now I'm convinced the right way to go is with a proof-of-sacrifice blockchain.
15:10 < gmaxwell> Further reducing the scale of the part that has to be trustworthy and resistant to regulator weirdness.  Also, if we had a more scalable group signature scheme, the bank could be pretty massively distributed.
15:11 < petertodd> gmaxwell: Auditing the signing oracle would be really easy too.
15:12 < petertodd> gmaxwell: Oh hang on though, you still need consensus about the state of the zerocoin accumulator, so it's not memoryless
15:12 < gmaxwell> petertodd: no you don't.
15:12 < petertodd> How does that work?
15:12 < gmaxwell> it signs the last proof it saw.
15:13 < gmaxwell> and then you just present that proof with your next update.
15:13 < gmaxwell> same way a storageless full miner could still add transactions with the help of a client that has the utxo.
15:13 < petertodd> Yes, but it needs to know the height of the last proof signed. That's not totally memoryless
15:14 < gmaxwell> Fair point. In the case where its not distributed it still reduces it to a counter.
15:14  * jgarzik listens -- this might have application on my idea for a network of bots that enable off-chain transactions, with some level of prove-they-are-not-cheating
05:17 < gmaxwell> jtimon: well not quite because there is no perfect competition, so everyone with friction along that path are taking their tax.
05:17 < deantrade> Well, if the coins weren't spent for 100 years, then the market probably already adjusted to the lower effective money supply, then like if the original miners who forgot/lost their private keys all get their coins thrown out, people will then know for sure the money supply actually is smaller.
05:18 < jtimon> think about paper wallets, physical representations of bitcoin...
05:18 < jtimon> gmaxwell there is perfect competition in theory
05:19 < jtimon> and bitcoin's "demand for security" is extremely elastic
05:20 < gmaxwell> security is basically a perfect lemon market. You only need any at all except in hindsight.
05:20 < deantrade> jtimon: on that note, I was thinking that eventually people will make altcoins with all sorts of different fixed inflation rates (fixed per ledger), and then let the market decide which inflation rate they want to use.
05:22 < deantrade> I wish bitcoin didn't have such drastic changes in block reward...  50 25 12.5...  its a big deal when transaction fees are significantly less than inflation block reward
05:23 < deantrade> I mean to say, it shoulda been made more continual, no?
05:23 < gmaxwell> seemed to work out okay in practice.
05:24 <@gmaxwell> piecewise constant has certain planning and accounting advantages.
05:24 < deantrade> In practice it didn't really matter too much to the miners.  But when the next transition hits, miners will have to do lots of planning yea on what kind of hardware they want to buy and run.
05:24 < jtimon> in freicoin it decreases linearly
05:25 < jtimon> gmaxwell some have said that the first reward halving caused the following "bubble"
05:25 < deantrade> In just one block the reward for mining is going to half when it had been the same for 4 years, that is going to have a big effect on network hash rate when it happens
05:25 < jtimon> deantrade not necessarily, it can also affect prices, or both or a combination
05:26 < gmaxwell> jtimon: the following bubble was pretty long after (three months?)
05:26 < gmaxwell> jtimon: if so, uh. well I am not complaining.
05:26 < deantrade> jtimon: No, I don't think so.  Bitcoin is valuable because it is better than other currencies/money/banking systems.
05:26 < deantrade> Maybe bitcoin's halving just brought lots of media attention and more confidence to the system because it was maturing.
05:27 < jtimon> I think it was Impaler who speculated that that was the time it took for the markets to "feel the lack of new bitcoins coming"
05:27 < jtimon> according to him, miners speculated as much as they could but then they had to sell some part to pay the bills
05:28 < jtimon> I think linear would have been better but I don't think it is a big deal really
05:29 < deantrade> Linear?  I'm not sure what you mean.  Do you mean a more continual reward reduction rather than one step every 4 years?
05:29 < gmaxwell> jtimon: I'm skeptical, market volume was a pretty big multiple of the newly mined coins by then (oddly it seems lower now) but I guess its unknowable.
05:30 < jtimon> deantrade yes, in frc it is reduced every block until it is not reduced anymore
05:30 < gmaxwell> the biggest argument against the half operation that I have is that it creates a pretty big incentive to orphan the last block!
05:31 < gmaxwell> but arguably a continuous formula makes for a much smaller incentive to do that constantly instead of only a couple times in the system's life.
05:31 < jtimon> gmaxwell yeah I don't know, Impaler or galambo (I think was Impaler) made some numbers I think, but I agree it is probably unknowable
05:32 < jtimon> never thought about it that way
05:32 < gmaxwell> jtimon: it's also hard to sort out because we actually changed who was mining at that time.
05:33 < gmaxwell> When the 50->25 change happened I was watching eagerly to see if we'd get stuck warring for the last 50 btc block. :P
05:33 < jtimon> I have no idea, but it was an interesting hypothesis
05:33 < gmaxwell> certainly we had miners which were large enough to where doing so would have been rational.
05:33 < deantrade> I was just looking at the FAQ on freicoin.  I disagree with a lot of what the author has to say, his philosophy.  It flies in the face of Austrian Economics.
05:33 < jtimon> yeah, we have to rewrite those faqs to something more neutral
05:34 < jtimon> r000n wrote those faqs
05:34 < deantrade> For example: "But money is created by the government, isn't it?"  You say the government doesn't make the money, but that's not quite right.
05:34 < jtimon> I wrote ones before but then they were assimilated into the about page...
05:34 < deantrade> The Federal Government's Military and Citizen Police enforce the US's monopoly on money in the US and in international trade
05:34 < jtimon> it's not very well expressed
05:35 < jtimon> but commercial banks create most of the money, even if the state enforced that privilege
05:35 < deantrade> In exchange, the Federal Reserve prints them lots of money for their protection racket.
05:35 < deantrade> Yea, I agree, the commercial banks also with their FDIC default protection get to print lots of money for themselves too
05:36 < jtimon> the treasury could print the money directly without needing to "exchange" anything with the fed
05:36 < deantrade> Yea but that would be less confusing, and they like to keep the sheeple confused
05:36 < jtimon> that's what "greenbackers", positive money and other monetary reformist propose
05:37 < jtimon> what backs paper money is the state and its promise to tax you on that currency
05:37 < deantrade> Anyways, yea the government is the enforcer of the monopoly money, the gov steals from gold backed private banks (NORFED/egold/1933)
05:37 < jtimon> not anything in the fed's balance sheet
05:38 < deantrade> No, what backs paper money is that using paper money and banks increases our productivity via productivity gains in specialization and trade
05:38 < jtimon> that's what back all money, but yes, true
05:38 < deantrade> Its just that there is a monopoly enforcement on USD, so we have to use USD to get those productivity gains
05:39 < jtimon> what i mean is that state money (like any other money) doesn't need any backing
05:40 < jtimon> and the government could take all the seigniorage for itself instead of giving it to the banking cartel
05:40 < deantrade> I agree, only for money to have reliable limited supply and for it to be easily/most efficient in trading is what makes money valuable as money
05:40 < jtimon> it doesn't even need to impose a monopoly
05:41 < deantrade> Hm, but the banking cartel is kind of like the smart people, and the government is just pandering politicians who do what the cartel wants.
05:42 < jtimon> yeah, the politicians don't rule
05:43 < deantrade> Freicoin says that the underlying cause of the boom/bust cycle is the entrenchment of the financial elite...  so it then concludes that for people to be able to own durable valuable things for a long time is bad.
05:43 < deantrade> That is invalid.
05:43 < deantrade> The boom/bust cycle is caused by monopoly money enforcement + money supply manipulation.
05:45 < jtimon> no, what causes monetary cycles is nominally everlasting money's incapability of producing zero interest rates when real capital yields naturally drop that low
05:45 < jtimon> keynes didn't solve the problem, but the problem is older than him
05:45 < jtimon> there were monetary cycles with gold
05:46 < jtimon> we really need to correct the fact, thank you for pointing that out
05:47 < deantrade> "There was monetary cycles with gold"-> not so much when there were private banks, there were local and chain defaults, and booms from bankers increasing their reserve ratios... but nothing like what the Federal Reserve can do.
05:47 < jtimon> probably you learn more about free-money by reading directly from Gesell
05:48 < jtimon> well, I'm not a historian
05:49 < jtimon> but when do you say monetary cycles started?
05:50 < jtimon> Gesell predicted hyperinflation as the unavoidable end of keynes-like schemes, yet was strongly against gold and blamed it for cycles
05:50 < deantrade> "money's incapability of producing zero interest rates when real capital yields drop that low"-> uh... in the free market... every durable good has an interest rate that directly corresponds to how much value over time it brings to the market owners as demand and people's strength of desire to own something now rather than later.
05:51 < deantrade> Monetary cycles start when banks loan out at higher rates than they can afford to stay in business without defaulting.
05:51 < deantrade> When banks loan more out (higher reserve ratios) (lower interest rates)
05:52 < jtimon> deantrade so called "time preference" theory of interest is based on the fallacy that everybody prefers things in the present over things in the future
05:52 < jtimon> just because everybody prefers dollars and gold in the present than in the future
05:53 < deantrade> If people don't care when they have something then interest rates go lower. That doesn't make it invalid/fallacy, you are just confirming what I am saying.
05:53 < jtimon> interest rates, like any other price, depend on supply and demand
05:54 < deantrade> But if people want things more right away then interest rates go up.
05:54 < jtimon> capital yields are profits, and depend on competition, not in the intrinsic properties of the real capital
05:54 < jtimon> the more factories there are, the less each one of them yields
05:54 < deantrade> Agreed on last 2 statements.
05:55 < jtimon> and if people prefer things in the future they go negative? that can't happen with gold, usd or btc
05:55 < jtimon> money DOES HAVE an effect on people's time preference, more than the other way around
05:56 < petertodd> well, maybe not ok as it might make mapping inter-network connections easier...
05:58 <@gmaxwell> hm. making a blind SIN into a rate limit is a little tricky. "This message is signed by key(s) from the SIN SET, with at least X btc in value" isn't enough, since it's not a rate. (e.g. you can keep doing it)
05:59 < petertodd> can't the blinding be deterministic? IE it maps to one and only one sacrifice from the set of all prior sacrifices
06:00 <@gmaxwell> You need an additional "Random ID X is the hash of a deterministic signature of time T, by key(s) from the SIN SET, with at least X btc in value." term.
06:00 < petertodd> yeah
06:00 <@gmaxwell> where time is quantized to get you your rate limit.
06:01 <@gmaxwell> (perhaps just divided by the value times some rate control factor set by the system)
06:01 < CodeShark> sorry for interrupting, but what's a sacrifice?
06:01 <@gmaxwell> CodeShark: e.g. https://en.bitcoin.it/wiki/Identity_protocol_v1
06:02 < petertodd> CodeShark: underlying mechanism: https://en.bitcoin.it/wiki/Fidelity_bonds
06:02 < CodeShark> oh, that :)
06:02 <@gmaxwell> yea, perhaps a better page.
06:02 < petertodd> gmaxwell: I need to do a specific "proof-of-sacrifice" page
06:02 <@gmaxwell> doesn't have to be coins to fees, could just be coins parked in the UTXO set or something else... but coins in the utxo set can keep moving, which makes sacrifice better.
06:06 <@gmaxwell> sadly even the fastest ZKP system would still effectively be a POW ratelimit right now. :P
06:06 < CodeShark> by "parked" you mean something like a reverse timelock?
06:07 < CodeShark> "coins cannot be spent until after block X"
06:07 < petertodd> gmaxwell: lol
06:07 < petertodd> CodeShark: that's not yet possible to do in bitcoin
06:07 < CodeShark> petertodd: I know - but in principle it could be done
06:08 < petertodd> gmaxwell: coins in the UTXO set do have the disadvantage of making attacks cheaper, kinda like merge-mining
06:08 < CodeShark> this is wizards, after all :)
06:08 <@gmaxwell> CodeShark: by parked I just mean, e.g. coins that were sitting in place as of time X. ... perhaps moved right after.
06:08 < petertodd> CodeShark: true!
06:09 <@gmaxwell> e.g. at the first block after midnight every night (by the blockchain timestamps) becomes the parking-block-height. If we had some kind of utxo commitment you'd just prove you had coins as of the most recent parking height... and that gives you bitmessage bandwidth.
06:10 <@gmaxwell> so long as the snapshot is atomic there is no double dipping.
06:11 <@gmaxwell> and as PT pointed out before the utxo commitment doesn't even need to be in bitcoin itself, it could just be computed by bitmessage nodes. (though they'd have to have the full utxo set to do it)
06:11 <@gmaxwell> probably sins are better though, since they're more easily found, etc.
06:14 < petertodd> gmaxwell: I'm very skeptical of systems that allow for re-use across different applications - UTXO-based stuff falls into that category
06:14 < petertodd> gmaxwell: there is the disadvantage of a smaller anonymity set though
06:15 <@gmaxwell> yea, using the whole utxo set has the biggest anonymity set.
06:16 < petertodd> oh, speaking of, so I came up with a nice scheme for non-interactive stealth addresses
06:17 < petertodd> your anonymity set is some configurable subset of all transactions
06:17 <@gmaxwell> whats a stealth address?
06:18 < petertodd> just have the receiver publish a pubkey, and the sender does ECDH with the pubkey of one of the inputs to derive shared secret x, which is then used to derive a destination address from the receiver's pubkey
06:18 < petertodd> the receiver now scans the whole blockchain looking for funds it can spend. To make it more efficient, just use some mechanism so that scan only has to happen for a subset of all transactions, e.g. by forcing one of the addresses in the transaction to have some specific prefix
06:19 < petertodd> stealth address being a publicly known address where funds sent to it are not known publicly
06:19 <@gmaxwell> yea, bytecoin suggested something like that a long time ago!
06:19 < petertodd> nice!
06:19 <@gmaxwell> (he also described how to send an undetectable encrypted message inside it!)
06:20 < petertodd> ha, I was just re-reading that post...
06:20 < petertodd> obviously not very well :P
06:20 < petertodd> or maybe well enough!
06:20 < petertodd> anyway it's a pretty decent solution to something amir and co have been worried about for awhile
06:20 <@gmaxwell> yea, in any case, yea .. it's just computationally expensive for the receiver...
06:21 <@gmaxwell> and I don't really know that payments with one way communication are really all that interesting.
06:21 < petertodd> not a big deal - so is bitmessage which was (one of) his alternatives
06:21 <@gmaxwell> maybe they are. I dunno.
06:21 <@gmaxwell> perhaps there should be an address type defined for "donation addresses" which are just that.
06:22 < petertodd> I suspect that making stealth addresses well-supported would in practice get rid of a lot of address re-use due to UI constraints
06:22 <@gmaxwell> as far as your "analysis bait"  I suggest using R as a sidechannel.
06:22 <@gmaxwell> yea, I agree, you win. it's an awesome point.
06:22 < petertodd> if we can tell people the "address" for their wallet is some stealth address, I think we'd have a decent UI that people would actually use correctly
06:23 <@gmaxwell> it's one of the few cases we've had where address reuse is hard to eliminate, and the cost on the receiver is not so high... plus if they're special donation addresses the fact that it's receiver-expensive isn't so bad.
06:23 < petertodd> well, it needs to be a distinguisher that prefix-filtering can identify (annoyingly bloom filtering can't pull this off without making the transactions distinguishable)
06:24 < petertodd> and the great thing with prefix-filtering is that stealth addresses done that way are no more bandwidth intensive than the alternative
06:24 <@gmaxwell> well it could have its own filtering.
06:24 <@gmaxwell> e.g. some servers that tell you about all transactions meeting some criteria.
06:25 < petertodd> yeah, although we're not likely to do mined commitments to those lists which kinda sucks
06:25 < petertodd> we're very likely to do prefix-filtering compatible commits
06:25 < petertodd> *commitments
06:27 < CodeShark> I'd love to see a CAS which compensates you for providing resources to the network for all these kinds of things
06:28 <@gmaxwell> petertodd: so.. downsides, an arbitrary point multiply is a fair bit more expensive than multiplies with a generator. and you now have to keep a secret key online in order to tell which txn are paying you.
06:28 < petertodd> the hard part is figuring out how to force the dest address into the right format, if you have txin pubkey A and receiver pubkey B you get a fixed B', now you can brute force with some incrementing integer i, but that ups the computational effort for the receiver proportionally
06:29 < petertodd> gmaxwell: the secret key doesn't need to be the same secret as unlocks the funds though
06:29 < petertodd> gmaxwell: doubles the size of the address though
06:29 < petertodd> (which is already larger than usual)
06:30 <@gmaxwell> petertodd: I think it's okay if the address is kinda big. After all it has to be big just to have a pubkey.
06:30 < CodeShark> what does UI simplicity have to do with underlying protocols? when you connect to an ssl site, there's a whole handshake mechanism going on under the hood most users don't ever notice
06:30 < petertodd> gmaxwell: yup
06:30 <@gmaxwell> CodeShark: Reality.
06:30 < petertodd> CodeShark: it matters a lot because people like to pass around addresses in things like PGP-signed emails
06:30 <@gmaxwell> CodeShark: go solve address reuse for things like donation addresses that people slap on forum signatures. :)
06:30 < petertodd> CodeShark: requiring payment protocol for that stuff really sucks
06:32 < CodeShark> ok, granted, that is a reasonable use case
06:33 < petertodd> gmaxwell: a cheap trick would be to fail a bit on absolute indistinguishability and reuse, say, nSequence for the prefix-forcing integer
06:34 < petertodd> gmaxwell: you could even use the nonce on the signature, but that breaks determinism...
06:34 <@gmaxwell> petertodd: I don't know why you didn't like my R grinding. :P
06:34 <@gmaxwell> oh thats why
06:34 < petertodd> gmaxwell: yeah, this should be compatible with as many wallets as possible
06:36 <@gmaxwell> meh, if you don't require any obvious 'bait' then it's easy.
06:37 < petertodd> what do you mean by that?
06:42 <@gmaxwell> I mean the tricky part is adding something distinguishable to the transaction.
06:42 < petertodd> oh right
06:42 < petertodd> well
06:42 <@gmaxwell> should just benchmark and see how expensive it is to do ecdh with every txn in the blockchain.
06:42 < petertodd> yeah
06:43 < petertodd> can't be much different than syncing the blockchain on a full node...
06:45 < petertodd> with the two key version you can outsource the computational work too - the risk is only that the counterparty could deanonymize you, something, say, electrum servers already can do
06:46 <@gmaxwell> yep.
10:43 < HM2> http://boingboing.net/2013/12/15/bruce-schneier-and-eben-moglen-2.html
10:43 < HM2> can't believe i missed this over the last week
10:50 < adam3us> btw the card thing P(52,26) is conveniently > 2^128.  course then you have to keep them from getting accidentally shuffled
10:58 < adam3us> vaguely related to the idea to use shuffled subset of bit-card.de plastic bitcoin cards to avoid trust in printer https://bitcointalk.org/index.php?topic=330819.msg3548144#msg3548144 pay to address created by adding Q values off half of them, use the other half to check the private key is under the sticker
13:37 < gmaxwell> Sadly that doesn't prevent bitcoin from committing suicide, but at least it would be with the consent of people that own a bunch of it.
13:37 < petertodd> Yup. I'm happy if Bitcoin is destroyed with the concent of those holding Bitcoins myself.
13:37 < petertodd> *consent
13:38 < petertodd> From a practical perspective, it also takes a lot of politics out of the situation IMO.
13:39 < gmaxwell> Well, to be clear: it's some kind of 'majority' consent... which means that some people holding bitcoin will not consent to the suicide.  But the alternatives sound worse.
13:39 < gmaxwell> (e.g. alternatives being technical guy political tournaments and fork-risking-wars over client software)
13:40 < gmaxwell> I think ideally it would have been to establish bitcoin with initial parameters that could be kept forever.
13:40 < gmaxwell> But since that seems to be impossible, having an economic majority seems like the next best thing.
13:41 < petertodd> Yup, see Peter Vessenes comments about how much a fork would harm bitcoin: https://github.com/pmlaw/The-Bitcoin-Foundation-Legal-Repo/pull/4#issuecomment-18988575
13:42 < petertodd> In a sense the presence of alt-coins makes it always be an economic majority thing, but the process of people dumping bitcoin for another coin will be really ugly.
13:42 < petertodd> Much better if we come to consensus on an equitable process to choose the limit.
13:43 < petertodd> It'll still lead to PR campaigns and the like of course, but those efforts become less relevant to the dev team.
13:45 < petertodd> The voting method is also designed such that an SPV client can verify the vote, and in particular, that means even if you don't hold the coins directly you can verify the person you did voted according to your wishes. (or the majority of a bank's clients' wishes for instance)
13:46 < gmaxwell> petertodd: can it support key delegation? in particular I should be able to take my coin signing keys offline.
13:46 < realzies> so imma start up an llvm backend project, and see where I can go
13:46 < realzies> I've never dealt with LLVM backend api, so it's gonna be a learning experience
13:46 < petertodd> gmaxwell: With scripting support, yes.
13:46 < realzies> but first, breakfast
13:47 < petertodd> gmaxwell: The idea is a vote is considered valid if a scriptSig matches a txout scriptPubKey, so just add a special OP_VOTE thing - would work best with MAST support.
13:47 < gmaxwell> wow, you seem to have politically influenced vessenes.
13:48 < petertodd> Well, jdillon too.
13:49 < gmaxwell> One problem with the vote thing I expect is there is an uncountably infinite number of free parameters.
13:49 < gmaxwell> e.g. how fast can the parameters be changed, what are the maximums and minimums.
13:49 < petertodd> For sure, such votes can be extended to anything...
13:50 < petertodd> You could just as easily vote on the coin distribution schedule.
13:50 < gmaxwell> Yes, _HOWEVER_, as I said above the ideal is that we have something and that it never changes, let people switch currencies if we got it that wrong.
13:50 < petertodd> But then again, changing the blocksize is setting precedent that we're willing to change an economic parameter too.
13:51 < gmaxwell> But well, that doesn't work when basically everyone can agree that the parameter is probably not right at least not right forever.
13:51 < gmaxwell> I think we can all agree that the distribution schedule is right enough forever.
13:51 < petertodd> Yeah, well, something I realized recently was you can construct a PoW function for an alt-coin that forces miners to prove they've attacked Bitcoin.
13:51 < gmaxwell> And changing it against the consent of some would be no better than letting people change currencies on their own.
13:52 < gmaxwell> petertodd: oh sure, trivial to do. merge mine with bitcoin and constrain it to only be 'bad blocks'.
13:52 < petertodd> Yeah, anyway, if there *was* a strong movement to change the distribution schedule, well, it'd be better to do it with a vote than by fiat.
13:53 < gmaxwell> Whereas with blocksize, I do think that changing it with the consent of most but not all is actually still politically and morally superior to saying "fuck you, switch to fatcoin".
13:53 < petertodd> gmaxwell: Yup, and make those bad blocks empty aside from a bunch of UTXO spam...
13:53 < petertodd> Yeah, and what jdillon proposed was to calculate the median of the votes, which means that everyones vote did count.
13:55 < gmaxwell> I'll have to look at the details later, I'm still getting myself comfortable with making the blocksize controlled that way.
13:55 < petertodd> Yeah, and details matter - I don't think you can prove a median was calculated accurately without all votes for instance.
13:56 < gmaxwell> I suppose you could gain traction for a particular implementation by proposing them and externally to the blockchain gain POS signmessages.
13:56 < petertodd> Ha, yeah for sure.
13:56 < gmaxwell> petertodd: yes, I would have instead expected something where each block commits to a set of votes, and the block hash picks a representative vote.
13:56 < petertodd> gmaxwell: Yup, NIZK-style random vote.
13:57 < petertodd> gmaxwell: He did say that the per-block vote should be median, and to then take the mean of the blocks - that can be proved incrementally.
13:58 < gmaxwell> one problem with voting is that many voters will be pretty indifferent. It will be easy to buy their votes.
13:58 < petertodd> Oh, and the nonce for the NIZK proof should probably be taken by getting the LSB of the last 64 blocks...
13:59 < gmaxwell> does that matter?
13:59 < petertodd> Sure, but it's ultimately an economic power vote anyway - what I'd be more worried about is wallet software that votes behind users backs.
13:59 < gmaxwell> If the current block goes into the proof, which it must.. then you could search for your favorite vote.
13:59 < petertodd> Yes, because you want to make sure that you can't apply more hashing power to mess with the vote.
13:59 < gmaxwell> petertodd: yea, except you don't solve that.
14:00 < gmaxwell> e.g. H(last block .. this block) is no better than H(this block) for picking the resulting value.
14:00 < petertodd> Sure I do, if the LSB of the current vote only allows you to influence the path taken at the bottom of the tree, then you have the least possible control. (if the bottom is sorted)
14:01 < gmaxwell> then you can deny entry into the tree for selected votes to get two votes you like into the position decided by that bit.
14:01 < gmaxwell> and then you get complete selection with only 1 bit more work.
14:01 < petertodd> Right, but the miner choses what votes to include in the first palce.
14:01 < petertodd> *place
14:02 < gmaxwell> I'll have to go read jdillon's thing then, as I'm not quite following how it's really solved.
14:02 < petertodd> We're only trying to make sure they can't include 10 votes, and claim all 10 were for the highest size.
14:03 < gmaxwell> so, maybe it would help the proposal: but I would suggest that engineering sanity constrains the maximum rate of blocksize change.
14:03 < gmaxwell> And so instead of people voting on a particular size they could just vote for larger or not.
14:04 < gmaxwell> and stop voting for larger when it's large enough.
14:04 < petertodd> Yeah, he's done that to a degree: if the size goes up, and people stop voting, the status quo votes are for the average of the new and old size, so the size will automatically start going down again.
14:04 < petertodd> One issue with sanity constraints is picking the rate of max change is in itself political...
14:05 < gmaxwell> yea that's what I was talking about uncountable parameter space.
14:05 < gmaxwell> But I think it's less bad.
14:06 < gmaxwell> The exact value is debatable, but I think I can say "whatever it is, it shouldn't be faster than doubling every year" and I think no one would argue.
14:07 < petertodd> Hmm... given the votes are essentially part of the UTXO set, actually what the miner does is add votes to that set, and the NIZK is then picking representative votes - it is acceptable to then calculate the median of the votes for the blocks in the past year in that case.
14:07 < gmaxwell> maybe the downward limit is harder to guess.
14:07 < petertodd> gmaxwell: I'm sure Mike would. :P
14:07 < gmaxwell> I don't think he would, or if he did he'd give up easily.
14:07 < petertodd> Yeah, in jdillon's proposal with miner consent the limit can drop as fast as the users want it to.
14:08 < gmaxwell> doubling every year is really really fast. It's faster than expected computer scaling.
14:08 < petertodd> Which is interesting: a 50% economic majority, with 50% hashing power, can vote to shutdown Bitcoin.
14:08 < gmaxwell> and yet it's still slow enough that you can plan for it. Every fiscal year plan to double the amount of storage you're already using. :P
14:08 < petertodd> True, doubling works for that.
14:09 < gmaxwell> petertodd: should there be a minimum maximum? on one hand, it's stupid to vote it down to nothing. OTOH miners can already do that.
14:09 < gmaxwell> the vote would just make it easier for miners to coordinate doing that.
14:09 < petertodd> Heh, you could say every year we pick a representative UTXO, and if they voted to double, we do.
14:10 < gmaxwell> petertodd: variance is a bit high on that. :P
14:10 < petertodd> Yup, I don't see anything wrong with that, and after all it *does* require 50% majority of miners.
14:10 < petertodd> A 50% majority can always choose to ignore the minority including those votes.
14:10 < gmaxwell> petertodd: just for technical reasons, a limit might make sense, because, uh. you don't want to actually stupidly end up in a state where a next block isn't possible. :P
14:11 < petertodd> Yeah, heck, a lower limit of 1MB would probably be fine.
14:11 < petertodd> Maybe say 100KB for sake of argument.
16:31 < petertodd> now, back to my main point: why can't I parallelize that? I have an n-port memory block, so I just have n different cuckoo cycle-finding attempts running in parallel
16:32 < tromp__> because prior to insertion both cuckoo[i] and cuckoo[j] may already point elsewhere
16:32 < tromp__> because the paths from one attempt will totally screw up the paths from the other
16:32 < petertodd> so what? sometimes these attempts will collide, but that's just a probability thing, we can discard those failed attempts
16:33 < petertodd> I'm still getting parallelism
16:33 < tromp__> no you'll almost never be able to follow a long path of edges all from one attempt
16:33 < petertodd> tromp__: how long is long?
16:34 < tromp__> to find a 42 cycle, you'll need to follow for instance paths of length 21 from each of i and j
16:34 < tromp__> and all these 41 edges you follow MUST be from the same attempt
16:34 < petertodd> (btw, the magic word here is birthday)
16:34 < tromp__> so your odds of running even 2 instances in parallel are about 2^-41
16:34 < tromp__> good luck with that
16:35 < petertodd> ah, but are you sure I can't be more clever than that?
16:35 < tromp__> my paper analyses a more sensible case of trying to reduce memory
16:35 < tromp__> i cannot prove it, but i'm pretty sure
16:36 < tromp__> i'll bet money on it
16:36 < petertodd> like, suppose handle collisions by quickly grabbing an adjacent memory cell to temporarily store the extra data?
16:36 < petertodd> that's the kind of thing a custom ASIC could be engineered to do cheaply
16:36 < petertodd> *suppose I
16:37 < tromp__> then you're essentially creating a bucket instead of a single slot
16:37 < petertodd> tromp__: sure, but I can do that really cheaply!
16:37 < tromp__> no, adjacent slots will mostly be in use
16:37 < petertodd> tromp__: why?
16:38 < tromp__> because you'll be at a load of close to 50% before you find cycles
16:38 < petertodd> for instance, with my grid of small memory bank architecture I can easily have the circuits for each small bank handle that deconfliction
16:38 < tromp__> so almost half of all slots are filled
16:39 < petertodd> tromp__: right, but remember all that matters is we find a short cycle
16:39 < tromp__> plus the administrative overhead of keeping track of which slots store an i edge or an i-1/i+1 edge will kill you
16:40 < petertodd> in software it'd kill you, in hardware it won't
16:40 < tromp__> yes, if you call 42 short
16:40 < petertodd> 42 is short compared to hundreds of mb
16:41 < tromp__> basically, if you try to use shortcuts for edges that work 90% of the time, then you'll still be only 0.9^42 effective
16:41 < tromp__> which is negligibly small
16:42 < tromp__> cuckoo makes you use most of N * 32 bits for a single attempt
16:42 < petertodd> you're still not getting it... let me try another argument
16:42 < petertodd> so remember what I was saying about how memory works?
16:42 < petertodd> even in the *single* attempt case, a routed memory architecture uses a lot less power than a standard one
16:42 < tromp__> let me ask a qst first
16:43 < petertodd> qst?
16:43 < tromp__> if you think you can run multiple instances within memory, are you claiming that you can run cuckoo with half the designed memory?
16:43 < petertodd> tromp__: no, I'm claiming I can run it in less power
16:44 < tromp__> power is already pretty small since most time is spent waiting for memory latency
16:44 < petertodd> if you think power is what matters then you don't understand the economics of PoW...
16:44 < tromp__> you assume that PoW must be dominated by cpu bound computation
16:44 < petertodd> you're always in the situation where if you use the equipment for more than a few months power costs more than the equipment
16:45 < tromp__> that's why cuckoo is different.
16:45 < tromp__> you'll be spending way more on RAM prices than on power
16:46 < petertodd> if you want me to believe that, then get a hardware designer to analyse your design, you haven't done that
16:48 < tromp__> i just want you to believe that you cannot feasibly run cuckoo within half the designated memory, even if you add lots of non-memory asics
16:48 < petertodd> tromp__: which I'm not claiming - asics can be memory optimized too you know
16:48 < petertodd> an interesting construction technique for that is to take a memory die and overlay it with a non-memory die actually - extremely low latency, and totally custom
16:49 < tromp__> since cuckoo really randomly accesses the random-access-memory, it will be hard to optimize memory layout
16:49 < petertodd> could be a good way to do the routed memory option actually, and then use power-gating to turn off whatever part of the dies isn't being used for computation, as well as put the DRAMs into lower power modes
16:50 < petertodd> you don't have to optimize layout, you optimize the wiring that gets the signals to and from the memory cells
16:50 < petertodd> like I said, you burn a lot of power getting the data from the dram cell to the processor and back - shorten those wires and the whole thing uses a lot less power
16:50 < petertodd> how do you shorten them? crazy custom asics, and die-on-die is a pretty solid way to do that
16:51 < petertodd> you also get lower latency by shortening them, and you *did* say cuckoo is latency hard...
16:51 < tromp__> any such optimization would benefit existing ram chips as well. we can assume that samsung already optimized their memory chips pretty well
16:52 < petertodd> no they won't, dram is constrained by the fact that it has to be general purpose, I'm saying you can optimize for latency by placing an asic with the computational part of the circuit - not much - directly on top of the memory die
16:52 < petertodd> remember that L1 and L2 cache is basically that same strategy, but with tradeoffs due to all the computational circuits needed in a modern processor
16:52 < tromp__> the computational part of cuckoo is really small. just one hash per edge
16:53 < petertodd> exactly! that's a huge problem
16:53 < tromp__> whereas you need to do 3.3 memory reads and 1.75 memory writes per edge on avg
16:53 < tromp__> so it's really dominated by latency
16:53 < petertodd> so my custom asic die can be those tiny little hashing units scattered all over the place, and my custom memory die can have a lot of read/write ports so that the wires to the closest hashing unit are short, thus reducing the latency
16:53 < tromp__> putting hash circuits on your memory die doesn't help much
16:54 < petertodd> once you find your hash, then the wires to the *next* memory cell/hashing unit can also be short
16:54 < petertodd> tromp__: if you think that doesn't help much, you don't think L1/L2 cache helps either
16:54 < tromp__> all the memory accesses still need to be coordinated to properly follow the paths
16:54 < tromp__> and reverse parts
16:54 < petertodd> so? that can be done locally with custom routing circuitry dedicated to that task
16:54 < tromp__> for cuckoo, L1/L2 cache will be quite useless
16:55 < petertodd> yes, only because it's so small, I'm telling you how to make essentially a custom GPU dedicated to hashing with distributed memory to keep latencies down
16:56 < tromp__> your hashers will be idle 99.999% of the time
16:56 < petertodd> and that's a good thing! when they're idle they use no power
16:56 < petertodd> in fact you'd probably do best with a really custom async-logic implementation of this so you don't have to route clock signals a long distance
16:56 < tromp__> and have no benefit over a single hasher doing all the hashing work
16:57 < petertodd> yes you do, getting the data to and from that hashing uses a lot of power
16:57 < tromp__> you cannot avoid the latency induced by having to coordinate values read from random memory locations
16:57 < tromp__> no matter what wiring, the distance between 2 random memory locations is still large
16:57 < petertodd> yes I do, my hashing circuitry and memory routing circuitry is physically located closer to the cells than before, so speed of light is short
16:58 < petertodd> nope, I can do far more efficiently if the computation and routing happens on the same die and/or module
16:58 < petertodd> remember, the reason why main memory accesses are so slow is because of the speed of light - I'm proposing a design that shortens all those distances drastically
16:59 < tromp__> you're not shortening the distance from random location cuckoo[i] to random location cuckoo[j]
16:59 < tromp__> and the algorithm's action depends on both those values
17:00 < petertodd> yes I am! the distance in commodity hardware is about 10cm, I'm shortening it to about cm
17:00 < petertodd> *about 1cm
17:00 < petertodd> even less if I use crazy 3d packaging... which I can because this is low power!
17:00 < petertodd> like, I should actually sandwich at least three dies, hashing in the middle and memory on either side
17:01 < petertodd> (you may not know this, but direct die-to-die connections are possible these days with techniques like microdots of conductive glue)
17:01 < tromp__> if 3d memory becomes feasible you'll see it on commodity hardware first
17:02 < petertodd> hint: you already do, it gets used for cache and even main memory (in system-on-a-chip designs)
17:02 < petertodd> problem is those designs aren't optimized for latency
17:03 < petertodd> instead they *tradeoff* area for latency, and then make it back up by taking advantage of locality with caching
17:03 < phantomcircuit> petertodd, for scrypt?
17:03 < petertodd> which means I can create a custom design by optimizing for latency at the expense of some area cost
17:03 < petertodd> phantomcircuit: we're talking about cuckoo cycle pow
17:04 < petertodd> phantomcircuit: it's supposed to be asic hard, but it's actually the exact opposite
08:58 < iddo> TD: yeah but they prefer (anonymous) submission to conference for peer review, instead of posting it publicly and confusing random people who come across false proofs
08:58 < nsh> confusion has some overlap with inspiration :)
08:58 < nsh> i don't mind 1000 quacks if there's one genius
08:59 < nsh> (the ratio is probably much higher in practice though)
09:01 < iddo> nsh: i think poly time algorithms for interesting problems are no more than a small const in exponent after optimizations, say n^6 or n^12 when n is the bit size
09:02 < nsh> right, i wonder why this is though... seems very... fortunate
09:02 < iddo> nsh: obviously you can have artificial problems like clique of size 1000 in an arbitrary graph, with poly time complexity of n^1000
09:02 < nsh> sure, there'll always be nasty cases. but it's a question of how they're distributed i suppose
09:26 < jtimon> so iddo, has the paper been proven wrong?
09:29 < iddo> jtimon: probably no one serious tried to look and refute it
09:29 < andytoshi> jtimon: this paper is a tangled structure of about 30 definitions and 10 nested algorithms which purports to be a program which proves the existence of a poly-time algo for a given NP problem
09:29 < andytoshi> (i think)
09:29 < andytoshi> nobody is going to peer-review that when it's just a random thing on the arxiv
09:29 < iddo> jtimon: if you google you can find explanations, e.g. http://www.scottaaronson.com/blog/?p=458
09:32 < pigeons> http://arxiv.org/abs/0711.0770 this one is clearer
09:32 < andytoshi> (iddo's link is a general "how to judge P vs NP papers without reading too closely" article)
09:36 < iddo> there was a claim that looked serious (involving a new technique of statistical physics) about 3 years ago, so Terence Tao and co. looked and demolished it within a few days after it became public: http://michaelnielsen.org/polymath1/index.php?title=Deolalikar's_P!%3DNP_paper
09:41 < t7> Terence Tao used to hang out in the go-lang irc channel :|
09:45 < andytoshi> does he not anymore? he seems to spend an impossible amount of time hanging out on the internet
09:45 < andytoshi> considering how much work he gets done..
09:46 < t7> andytoshi i stopped using go a long time ago
09:54 < jtimon> pigeons you gave me a link about a physics unified theory
09:54 < pigeons> yeah sorry, bad joke
09:54 < jtimon> ah, ok
09:54 < jtimon> this one is clearer
09:54 < pigeons> i was trying to comment on the reliability of arxiv.org papers
09:54 < jtimon> I see
09:55 < pigeons> but if you have to explain the joke, it wasnt a very good one :)
09:55 < jtimon> but is there a critique to this concrete proposal?
09:56 < jtimon> although thank you for the link iddo
09:58 < jtimon> or it was just regarded as "not serious enough" and not reviewed by anyone or something?
12:35 < maaku> jtimon: the paper has only been up for hours
12:36 < jtimon> oh, I see, so there's probably no critique yet
13:37 < zooko> Huh, there are two papers recently added to eprint.iacr.org with "proof of space" in their title.
13:37 < zooko> amiller: have you seen gmaxwell's argument that making mining-effort into a "dual purpose" operation isn't necessarily good?
13:38 < amiller> fwiw i am *not* in favor of "dual purpose" unless the dual purpose is intrinsic to the system itself somehow
13:38 < amiller> zooko, ^
13:38 < amiller> that probably makes no sense i can try to elaborate though
13:41  * nsh nods
13:41 < gmaxwell> it makes sense to me.
13:42 < andytoshi> it makes sense to me
13:43 < amiller> ok :)
13:43 < andytoshi> though i'd have to think a bit about why you feel that way
13:43 < amiller> these two proofs of space papers are interesting in that they show up though http://eprint.iacr.org/2013/805 and http://eprint.iacr.org/2013/796
13:44 < amiller> i can't really figure out if they're better than gmaxwell's proof of storage
13:46 < nsh> eerily similar works
13:46 < nsh> (per abstract, at least)
13:47 < amiller> oh, one of the authors of one of them is also on the Secure Multiparty Computation on Bitcoin paper
13:47 < zooko> amiller: that makes sense.
13:47 < amiller> university of warsaw seems to have a strong bitcoin research faction now...
13:47 < zooko> amiller: because of gmaxwell's argument about weakened incentives for correct consensus-building?
13:48 < amiller> zooko, yes that's the argument i have in mind and think is right
13:48 < zooko> ("consensus-building"
13:48 < zooko> amiller: thanks.
13:51 < gmaxwell> amiller: I think the first paper there is basically isomorphic to my proposal with a lot of obfuscating language.
13:52 < gmaxwell> well not quite isomorphic.
13:53 < amiller> do we have a standard template form letter yet to send people who write papers and don't cite forums posts they should
13:53  * amiller wants to see whatever iddo sent the lottery paper authors
13:54 < _ingsoc> Lottery paper?
13:55 < amiller> _ingsoc, http://eprint.iacr.org/2013/784 summarized in this thread https://bitcointalk.org/index.php?topic=355174.0
13:56 < _ingsoc> Oh cool. Thank you. :)
14:10 < iddo> amiller: i pasted the link here yesterday: http://www.cs.technion.ac.il/~idddo/cointossBitcoin.pdf
14:10 < iddo> i asked them to reference this in their paper, but they haven't replied so far
19:23 < andytoshi> like, in 100 years?
19:24 < andytoshi> it's growing at well under 10gb/year
19:25 < andytoshi> the block limit is 1mb, let's suppose that each one takes 1mb on disk, and that the blocks come every 10 minutes
19:26 < andytoshi> that's 144 per day, 52560 per year
19:26 < andytoshi> 52.5 gb
19:26 < andytoshi> so 20 years minimum
19:26 < gmaxwell> nOgAnOo: Bitcoin already is decentralized, so I'm confused by your question.
19:31 < phantomcircuit> gmaxwell, i think he means storage of old blocks
19:31 < gavinandresen> andytoshi: yes, but there is broad consensus that we will need to increase the max blocksize soon-ish.
19:33 < phantomcircuit> nOgAnOo, nobody is going to watch that
19:33 < gavinandresen> mmm.  it is on youtube, it must be correct.
19:33 < phantomcircuit> you might as well have just asked us to stare at the wall for 5 minutes
19:33 < gavinandresen> nOgAnOo: there are lots of plans for how to scale up bitcoin while keeping it decentralized.
19:34 < gavinandresen> nOgAnOo: actually IMPLEMENTING them will take time, careful thought, etc.
19:34 < gavinandresen> In any case, scaling up is in the category of "good problem to have"
19:36  * andytoshi is actually watching the video..
19:37 < andytoshi> "250 gigabytes within 2 years"
19:38 < phantomcircuit> andytoshi, otherwise known as "i pulled this number out of my ass"
19:38 < andytoshi> mmhmm
19:38 < andytoshi> after that it sorta crumbles from lies into incoherency
19:38 < andytoshi> to answer your question nOgAnOo, there is thought going into blockchain expansion, but no concrete plans
19:39 < andytoshi> and it's not even close to as urgent as that video claims
19:40  * nsh smiles
19:40 < andytoshi> nOgAnOo: if you listen to this channel you'll see links to research drifting by
19:40 < andytoshi> following them would involve a -lot- of background research i'm afraid
19:40 < jrmithdobbs> so you're a moron asking why you're a moron that doesn't understand a different moron, good show
19:40 < jrmithdobbs> good show indeed
19:41 < andytoshi> but you're not going to get a coherent picture of anything from youtubers
19:42 < phantomcircuit> lol
19:42 < jrmithdobbs> andytoshi: or "christian" researchers ... or any "religious sect" researchers, for that matter
19:43 < jrmithdobbs> andytoshi: "<3
19:43 < edulix> did I read christian researcher in bitcoin-wizards? makes sense, mixing different kind of magic
19:44 < andytoshi> jrmithdobbs: i recently moved to america, was caught off guard by the amount of "god bless"s that go on between strangers here
19:44 < andytoshi> so i give them all the benefit of the doubt
19:45 < amiller> gesundheit
19:45 < jrmithdobbs> andytoshi: where i grew up in texas and have developed a 7th sense for the bullshit and know exactly when to start mocking instead of attempting to teach
19:45 < jrmithdobbs> andytoshi: ;p
19:46 < andytoshi> well, i'm still learning ;)
19:46 < edulix> nOgAnOo:  in the new world order, maybe vatican opens the next mtgox :p
19:51 < nsh> there are sci-fi precedents for this
19:52 < nsh> (deranged-seeming religious beliefs inspiring technological uptake from strange quarters)
19:52 < nsh> also historical precedents :)
19:52 < nsh> but the sci-fi ones are more fun
19:53 < jrmithdobbs> we don't need sci-fi examples, we've got luke! ;p
19:59  * nsh smiles
20:20 < amiller> i'm trying to think of how to explain what's significant about the choices made about how much deposits are needed for the lottery game
20:20 < amiller> in N player lottery game from this paper
20:20 < amiller> say each party puts in 1 coin
20:20 < amiller> the point is that one person is supposed to win N coins
20:20 < amiller> first just note that the expected utility is zero
20:21 < amiller> expected money payout anyway
20:21 < amiller> if the other party goes away you don't necessarily learn the result
20:21 < amiller> one of the parties i mean
20:22 < amiller> but who cares if he has already put in his money
20:22 < amiller> there's a sort of common problem in protocols like this where you show fairness is impossible
20:22 < amiller> suppose you *could* carry out the protocol fairly if someone doesn't send their message in time
20:23 < amiller> that means that last party's message is optional and he might as well not send it
20:23 < amiller> but then the second to last party's input must have mattered
20:23 < amiller> so you follow that back and either you already knew the outcome from the beginning, or someone's participation makes a difference whether it's fair or not
20:23 < amiller> and so the solution is to overcompensate
08:36 < iddo> hmm headers first is an optimization that isn't related to merkle datastruct (like MMR) for lite nodes, i think?
08:37 < sipa> not at all
08:37 < sipa> completely orthogonal
08:38 < iddo> ok, peter todd and amiller said yesterday that the MMR stuff can mitigate DoS that checkpoints currently protects against, i wonder why...
08:39 < sipa> checkpoints don't protect against a DoS, they are just there to make not-checking-all-signatures safe
08:40 < sipa> wait, no, they do protect against a dos by helping the heuristics determine if an early block in the chain has a chance of beating the total known PoW
08:40 < iddo> sipa: yes i mean what gmaxwell said: https://bitcointalk.org/index.php?topic=194078.msg2014204#msg2014204 (i.e. you ignore diff-1 at genesis because you already have a checkpoint)
08:41 < iddo> but then peter todd said that MMR can give this anti-DoS without checkpoints, and amiller said that the reason is that blocks have commitments to the UTXO set
08:42 < iddo> but i don't see why it helps, yet
08:43 < iddo> this is in the context of the new paper by Aviv Zohar, it seems that anti-DoS is easier with Bitcoin rules than his new rules, assuming that there are no checkpoints
08:45 < iddo> for example the most naive anti-DoS is for the Bitcoin node to have some quota and not accept more than certain amount of forks for each block, so if in the future it turns out that a competing fork is better then that node will need to ask peers for blocks that it rejected in the past
08:46 < iddo> but with the new paper, this naive anti-DoS doesn't work, i think
08:46 < iddo> (could cause netsplits that don't re-converge)
08:48 < iddo> and even if it can work with the new rules, the communication among nodes will be much greater i think
09:35 < petertodd> iddo: emphasis on *sum* tree - the MMR (or just merkle tree) lets you interactively query your peer to be sure the total sum work claimed makes sense. But yeah, even without the sum tree just working backwards from current best block is pretty good too.
09:49 < iddo> petertodd: trying to understand you... isn't that just a method to prove more efficiently that a competing fork has more weight?
09:50 < iddo> petertodd: what i don't understand, diff-1 PoW blocks are (relatively) easy to generate, what's the rule that will cause you to ignore them instead of DoS attack where you'd be bloating your local copy of the blockchain with them?
09:51 < iddo> (checkpoints do prevent this kind of DoS attack)
09:56 < iddo> it still seems to me that with Bitcoin rules to select the best chain we can have anti-DoS mechanisms (without checkpoints) against diff-1 orphans at genesis attack, while with Aviv Zohar's rules I'm not so sure
10:00 < iddo> but i'm still unclear why amiller and you said that such merkle trees remove the need for checkpoints, is it just in the context of bootstrapping new nodes without doing too much work verifying the entire history, or also in the context of anti-DoS ?
10:57 < amiller> iddo, well... you can do something like starting at SPV security and gradually validating the chain
11:05 < iddo> amiller: but not all nodes can do that, i think? the question is still whether full nodes should eliminate orphan branches or keep them, if they always eliminate then the communication can blowup?
11:07 < amiller> eventually eliminate them?
11:09 < iddo> yes i think that with Bitcoin it may be safe to eliminate old orphans (assuming no checkpoints), but with Aviv Zohar's rules, i'm not sure yet
11:09 < amiller> you may even think of it as an incentive thing, there's a tradeoff from an individuals point of view
11:09 < amiller> potentially keeping some orphans around will save on future bandwidth, but at the cost of storage now
11:10 < iddo> it's also not only about eliminating orphans that you already have, but also about rejecting new orphans, like the 1-diff at genesis attack
11:12 < iddo> with Bitcoin i think that it can be safe to reject short orphans (with small risk that you may need to request them later and waste communication), but with Aviv Zohar's rule, not sure..
12:14 < iddo> ok i summarized what i asked here, in the public thread: https://bitcointalk.org/index.php?topic=359582.msg3867074#msg3867074
12:19 < iddo> gmaxwell: with this new rule, you think that blocks need to point to all their ancestors only because of lite clients? full nodes can calculate the difficulty of a block without it having pointers to ancestors, i think?
12:20 < amiller> one question i've had is how you do efficient merging
12:20 < amiller> to make sure the same work doesn't show up in multiple places in the same tree
12:29 < iddo> amiller: btw if you can dig up #bitcoin-dev or mailing list link where you first proposed this rule, maybe they could reference you in this paper:) might be worthwhile, there's plan for followup paper too
12:38 < amiller> i send an email to the thread with the irc log from bitcoin-dev
12:39 < amiller> i wouldn't mind having an acknowledgement but i didn't develop the idea very far at all :p
12:39 < amiller> i'm really glad that someone is working on it.
12:42 < amiller> i also tried to emphasize that, it's not even that their idea isn't fine as is (we haven't argued super well that there *clearly is* a big dos attack), but that it's difficult to analyze that there are no dos attacks, so being conservative to include thing is understandable
12:43 < amiller> so if they really want to say their thing is practical and ready to implement, they should come up with some really compelling anti-dos analysis
12:44 < amiller> that's just my opinion though :o
12:46 < iddo> yes that's all true, probably difficult to analyse it in theory, trying simulations first is a good idea
14:32 < warren> gmaxwell: hm.... the previous thoughts about pruning included nodes having a random subset of the blockchain to serve to peers.  that seems good, but that may have privacy issues?
14:32 < warren> gmaxwell: you can use that to identify nodes
14:34 < gmaxwell> You can use many things to distinguish nodes already. So what about it?
14:35 < gmaxwell> You propose instead forcing nodes to use tens of gigabytes of disk space if they want to contribute at all to distributed storage?
14:35 < warren> no
14:35 < gmaxwell> It doesn't connect transactions to anything.
14:36 < warren> are there ways to obscure the subset so it is less certainly a unique identifier
14:36 < gmaxwell> I never suggested a random subset, that would be stupid, I always suggested contiguous quantized ranges.
14:37 < gmaxwell> (stupid because it would take a lot more data to express than just a range or two)
14:38 < warren> ok
14:43 < sipa> and be a lot harder to make sure that a particular block is available
14:44 < sipa> in particular, you'd need O(n^2) nodes that serve the same n blocks with the same probability to get equal chance a particular block is available
14:45 < warren> when I connect to random bitcoin peers now, it seems that often many of the peers are useless, too slow or fake
14:45 < iddo> in the future we can have SCIP proofs for UTXO "checkpoints", so less need to serve old blocks
14:46 < warren> hmm key birthdates would help
14:57 < gmaxwell> iddo: perhaps, we need scip that doesn't need a trusted CRS.. and prover performance that at least makes it possible to run.
14:58 < gmaxwell> I don't know if we'll have that in 2 years, 5 years, or 10 years.
15:01 < iddo> proof size is logarithmic in num of computation steps (computation == verifying the history, maybe optimized by composing with prev SCIP checkpoints), the issue is how big are the constants of this log size proof....
15:01 < iddo> this is for the variant without CRS
15:08 < phantomcircuit> warren, you can already uniquely identify peers fairly reliably
15:08 < phantomcircuit> they give everybody the same version nonce iirc
15:49 < gmaxwell> iddo: well for checkpoints it can be rather large, eventually it will be small relative to the blockchain. :)  But I worry about computing it just being infeasible. If it costs $1k in compute time that's doable, if it costs $1m in compute time that's right out.
15:56 < amiller> hrm, what should be the parts of a bitcoin gambling tool that plays through games of iddo's protocol?
15:57 < amiller> i am thinking it should be a self contained wallet
15:57 < amiller> because i would want to have some notion of 'sending coins to my gambling wallet' rather than integrating it with my personal bitcoind or something big like that
15:58 < amiller> really i would want this to be SPV something, it's not particularly supposed to provide bandwidth to anyone
16:05 < amiller> i guess i should study bitcoinj
16:33 < gmaxwell> iddo: I really wish people with implementations of snarks for C would release something... there are 'small' applications we could use the stuff for right away. Like proving ownership of a bitcoin without disclosing which bitcoin you own.
16:35 < sipa> i've been out for too long... how does snarks relate to scip?
16:37 < maaku> sipa: scip is snarks
16:37 < maaku> SNARKS is the general term
16:37 < maaku> SCIP is what Eli et al call their implementation of a SNARKS system
16:37 < maaku> gmaxwell: correct me if i'm wrong
16:39 < gmaxwell> sipa: SCIP is just what Eli et al. call their SNARKS for C stuff.
16:40 < sipa> ok
16:40 < sipa> are they abbreviations of something?
16:40 < gmaxwell> SNARK = succinct argument of knowledge (sometimes zk-SNARK when it's also zero knowledge). succinct ~meaning that it's sublinear in the witness size, argument because they are only computationally sound, they're not a proof.
16:41 < gmaxwell> (there is some proof that you cannot produce a proof (perfectly sound) which is succinct, the best you can do is computationally sound)
16:43 < gwillen> gmaxwell: is there a 30-second explanation of what 'computationally sound' means in this context?
09:33 < michagogo|cloud> - We would like to remind you that unauthorised public logging of channels on the network is prohibited. Public channel logging should only take place where the channel owner(s) has requested this and users of the channel are all made aware (if you are publically logging your channel, you may wish to keep a notice in the topic and perhaps as an on-join
09:33 < michagogo|cloud> message).
09:33 < michagogo|cloud> (minus a few line breaks)
09:34 < andytoshi> yeah, i see it now
09:35 < andytoshi> i'll stop publishing the logs until i get an ack from someone
09:38 < michagogo|cloud> andytoshi: At the moment, it's not "someone", it's greg
09:39 < michagogo|cloud> (or jgarzik, if he decides that he wants to get freenode staff to op him in here)
09:53 < andytoshi> michagogo|cloud: did you get my message late last night, saying i fixed the donation address thing with the coinjoiner?
09:53 < andytoshi> http://testing.wpsoftware.net/coinjoin/sign.php?session=b3b098642a36f1aa62a333f5a15a6e98a04dfb7622e4eb3dd74f3d706f149d7b
09:53 < michagogo|cloud> I signed and submitted
09:54 < michagogo|cloud> (earlier, when I saw that)
09:55 < andytoshi> hmm, i'm pretty sure i did as well
09:55 < andytoshi> i re-submitted just in case, otherwise i've got a new bug :(
10:00 < michagogo|cloud> just resubmitted just in case
10:01 < andytoshi> thx
10:01 < andytoshi> it looks like all the signatures are in the database, if it's not working then there's a merging problem
10:11 < michagogo|cloud> andytoshi: any luck?
10:14 < andytoshi> michagogo|cloud: yeah, the outputs are subtly different for what i signed and what you signed
10:14 < andytoshi> like, the scriptpubkeys have slightly different hex
10:15 < andytoshi> but, the DB shouldn't have accepted any such discrepancies, so i'm not sure (a) how this could even happen or (b) how it got through the site's input filter
10:16 < andytoshi> i signed 76a9143312004af0b4d2323676e488ae6900c9cb3b38c888ac:10000000
10:16 < andytoshi> u signed 76a9148c04bfe5e2a91b609b92d4f7af6cadda9d1e47e088ac:10000000
10:16 < andytoshi> oh, those are actually completely different..
10:17 < andytoshi> what i wrote there is scriptPubKey:nValue
10:21 < andytoshi> ok, this is embarrassing ... i changed the output of coinjoin a few days ago, and i updated the PHP code to check errors correctly when validating unsigned transactions
10:22 < andytoshi> but forgot to update the code which validated signed transactions
10:26 < andytosh1> you submitted a signed transaction that didn't match the one offered by the site (probably because you re-submitted your signed transaction from last time, but this is a new session so the inputs/outputs got reordered)
10:26 < michagogo|cloud> I did?
10:27 < andytosh1> it appears so, yeah
10:27 < andytosh1> one moment, i'll clear out the signed transactions from the db and we can both resubmit
10:27 < andytosh1> done
10:27 < andytosh1> oops, i have to put the seed one back :P
10:29 < andytosh1> ok, can you try again?
10:31 < michagogo|cloud> done
10:32 < michagogo|cloud> andytosh1: submitted
10:33 < andytosh1> thx, got yours
10:34 < andytosh1> seems like it did not get mine..
10:40 < andytosh1> ok, now the one that i submitted, bitcoind cannot decode :} but again, php is accepting it..
10:45 < andytoshi> awesome, it went through :) tx d08ed6edab38bbd80eb96739777b096ccc654f5a1c398baeeaa11355b6d75bd6
10:45 < andytoshi> thanks a ton for testing, i'm glad we had so much bad input
11:02 < jgarzik> hrm
11:03 < jgarzik> Has anyone worked on a script form that does "<multisig> AND <multisig>"?
11:03 < jgarzik> OP_AND is disabled
11:19 < nsh> HULK SPLIT!
11:24 < gmaxwell> jgarzik: works for true false, also you can do that with OP_IF, or with just two CHECKMULTISIG VERIFY in a row
13:01 < jgarzik> gmaxwell, I was thinking "if multisig then multisig else false endif".  Two multisig in a row should work too...
17:33 < andytoshi> if i want to update my joiner to use blinded addresses, what user tools (if any) exist for this?
17:34 < andytoshi> if i write some, what papers should i read re implementing the crypto?
17:37 < nsh> andytoshi, what are blinded addresses?
17:37 < andytoshi> nsh: https://en.wikipedia.org/wiki/Blind_signature is a good overview
17:37 < nsh> chaum's blind sigs?
17:37 < andytoshi> yeah
17:37 < nsh> kk, reading
17:37 < gmaxwell> andytoshi: see maaku's git repo.
17:37 < andytoshi> cool, thx
17:38 < gmaxwell> (He implemented RSA blind signatures for this stuff)
17:45 < andytoshi> he has, for example, in the function _pad_message "REVIEW: I need a professional cryptographer...Does it matter in this particular application if the padding is deterministic instead of random?"
17:45 < andytoshi> if there are any professional cryptographers on here, i am curious too :)
18:25 < maaku> i asked that of gmaxwell iirc, and no it doesn't matter
18:25 < maaku> but also, it doesn't matter if it is deterministic or not
18:25 < maaku> the protocol changed a bit since I wrote that
18:40 < nsh> maaku, issue that springs to mind is that blind signing is insecure if the keys are also used to encrypt, which is generally not (so far, to my knowledge) the case with bitcoin privkeys, but worthy of consideration nevertheless
18:41 < maaku> coinjoin keys are ephemeral RSA keys used for that join only
18:41 < nsh> ah
18:42 < maaku> although I would prefer schnorr ec blind signatures using one of djb's curves, if someone went through the trouble of working out how to do that
18:43 < maaku> but yeah, throwaway keys on a different curve, so not much danger of that
18:43  * nsh nods
18:43 < maaku> i just wasn't sure if deterministic padding weakened the signature or otherwise led to any sort of attack
18:44 < gmaxwell> maaku: funny, I was going to make a comment to that effect;  "if you feel like implementing something, blind schnorr would probably be better"
18:44  * nsh reads http://blog.cryptographyengineering.com/p/note-on-blind-signature-schemes.html
18:46 < maaku> all the pieces are there, I think, but I wouldn't trust myself to put them together
18:46 < maaku> I'm an informed user of cryptographic systems, not an experienced practitioner of the art
18:47 < maaku> but RSA is hard to f@&# up
18:48 < gmaxwell> Hm? ha. Thats exactly the opposite of my view.
18:48 < jrmithdobbs> rsa is pretty easy to fuckup
18:48 < gmaxwell> RSA is pretty easy to F^$%# up and EC systems tend to be harder
18:48 < jrmithdobbs> especially if you have to write it for multiple different hw platforms or runtime environments
18:48 < gmaxwell> "Oh you thought you were signing? HAH No. You were decrypting things for me. Sucks to be you!"
18:48 < maaku> i meant not implement correctly -- fewer moving parts with rsa
18:48 < jrmithdobbs> ya
18:49 < jrmithdobbs> that ya was to gmaxwell's comment
18:50 < jrmithdobbs> maaku: a lot of the errors you can make implementing rsa are less immediately obvious but more completely destructive to the security of your protocol/use
18:50 < maaku> jrmithdobbs: i'm aware
18:50 < gmaxwell> maaku: well fair enough, though once you have the primitives already
18:50 < andytoshi> i'd be interested in looking at schnorr signatures, i've got a few papers about them backlogged
18:52 < maaku> gmaxwell: yeah that's what i'm saying - i don't trust myself to modify djb's sources to do schnorr blind sig and trust that it actually *is* correct signature primitives
18:53 < maaku> but if someone were to write that, it'd be easier and safer to integrate into coinjoin implementations (and faster, and higher security level .. really no downsides)
18:54 < gmaxwell> maaku: well I believe that no changes are required in the validator, so that should help gain confidence that its correct.
18:55 < gmaxwell> e.g. it should just need a blind/unblind/and blindsign function (and the latter only because the normal signing functions do the hash internally).. and the result should be verifyable with an unmodified code.
19:02 < adam3us> maaku: i might be persuaded to try that (EdDSA ==EC Schnorr blind sig)
--- Log closed Tue Dec 17 00:00:02 2013
--- Log opened Tue Dec 17 00:00:02 2013
00:20 < gmaxwell> ugh. https://bitcointalk.org/index.php?topic=374085.0
00:22 < Luke-Jr> gmaxwell: well, Gavin did encourage it in his blog
00:24 < gmaxwell> mostly ugging at advocating it for "Logins to websites without passwords" and "pseudonyms" where encryption is entirely the wrong tool, and the requirement to have 'spent' from it is completely unnecessary because signmessage already does those things, and a lesser ugh at the address reuse that implies.
00:25 < gmaxwell> it's also probably only about 50 lines of code, just seems weird to me to see people making announcements for such small things.
00:25 < Luke-Jr> I was ugging at the data-in-bitcoin-blockchain :P
00:26 < gmaxwell> they aren't putting any data in the blockchain yet.
00:27 < gmaxwell> all they're doing is using blockchain.info as an addr to pubkey service and doing encrypted messages using ECDH with that pubkey.
00:27 < Luke-Jr> O.o
00:29 < gmaxwell> Luke-Jr: mind giving a polite response on the login / identity points pointing out that doing that via signmessage is already a widely established practice, doesn't require making transactions, carrying around the public key explicitly, or consulting (centralized) databases?
00:31 < Luke-Jr> gmaxwell: well, this claims to be the inverse?
00:32 < Luke-Jr> oh, you mean just respond to that point
00:33 < gmaxwell> yea. I don't see any reason why you'd use something based on this over signmessage, but there may be people who see this post (even the author) who are unaware of signmessage.
00:35 < andytoshi> istr altoz being around for a long time, he should be aware of these things..
00:36 < Luke-Jr> gmaxwell: http://bitcointroll.org/?topic=374085.msg4004568#msg4004568
00:37 < gmaxwell> Thanks.
17:14 < jtimon> gmaxwell: interesting prediction, but you've said two options, so that's my point, we can't predict the future of hardware, what architecture are we anti-optimizing against?
17:15 < sipa> i'm not sure it matters
17:15 < jtimon> yeah gmaxwell xmm mmx
17:15 < gmaxwell> jtimon: we? I think it's all stupid regardless. :)
17:16 < gmaxwell> as I said, I don't think arch targeting can prevent there being at least a small constant improvement from dedicated implementations. Since mining is ~near perfect competition that small factor is enough to generally exclude the non-specialized stuff regardless.
17:16 < gmaxwell> And so simple circuits like SHA256 at least improve equality of access.. anyone can design a sha256 asic which is pretty competitive, (well if not actually fabricate it themselves)
17:17 < gmaxwell> vs if you really did build something that required AMD scale engineering, then you'd much more likely have a hardware monopoly or near so.
17:17 < gmaxwell> simple fast circuits also have fast verification, which is very helpful too.
17:18 < jtimon> ok, so I see you have even more reasons than me against the "quest for the perfect mining function"
17:19 < gmaxwell> I think that like a lot of things in engineering you can only optimize so far and then its all just messy tradeoffs.
17:19 < sipa> heh, maybe we need an altcoin optimized for ASICs
17:20 < gmaxwell> DES POW.
17:20 < sipa> where the PoW function is has a trivial optimal circuit design
17:20 < jtimon> targeting GPU-friendly but ASIC-hard is especially odd for me since 1) as you said the latter doesn't really exist 2) GPUs are already a market with concentrated production (the problem supposedly solved by "hardness")
17:20 < jtimon> sipa there's one alt named ASICcoin
17:21 < gmaxwell> DES sboxes make for trivial combinatoric logic, it's much slower on current cpus/gpus than it is in direct hardware all other things equal.
17:22 < gmaxwell> the sha256 circuit is really straight forward already. You can get some gains by careful staging to equalize latencies...
17:33 < andytoshi> i have a crazy idea (involving nonexistent crypto) for a research pathway to a SNARK without forge-enabling keying material: http://download.wpsoftware.net/bitcoin/wizardry/public-fhe.pdf
17:34 < andytoshi> throwing it out here because there's probably something obviously dumb about it, and you guys are good at catching that stuff
17:58 < gwern> http://www.reddit.com/r/ethereum/comments/1vh94e/dagger_updates/
18:30 < jtimon> how "computer hardware" is not "theoretical computer science"?
18:32 < jtimon> oh, not experts in hardware, I misread
21:56 < gmaxwell> There was a puzzle in the MIT mystery hunt that some folks here would like solving.
21:57 < gmaxwell> oh. crud. I guess I can't post it until after the hunt is over, so forget the last line for three days.
23:38 < jcrubino> is it possible to have an address that is both a valid litecoin and bitcoin address?
--- Log closed Sat Jan 18 00:00:29 2014
--- Log opened Sat Jan 18 00:00:29 2014
00:02 < Taek42> gmaxwell what do you do for a living?
00:02 < phantomcircuit> Taek42, he works at mozilla doing stuff and things
02:24 < justanotheruser> jcrubino: no simply because of the fact that litecoin's version number starts with L, not 1
02:38 < jcrubino> justanotheruser: I have a testnet address that passes validation tests by both daemon clients
02:39 < justanotheruser> jcrubino: Hmm. I suppose if both daemons ignore the version it could be valid
02:40 < brisque> justanotheruser: I explained in #bitcoin-dev that you can use the same public keys, just the address reads differently.
02:40 < jcrubino> I chased my tail in circles while unit testing over that
02:40 < justanotheruser> what character does the testnet address start with
02:40 < brisque> m or n
02:40 < brisque> ;;bc,wiki address prefixes
02:40 < gribble> https://en.bitcoin.it/wiki/List_of_address_prefixes | Dec 25, 2013 ... The encoding includes a version byte, which affects the first character in the address. The following is a list of some prefixes which are in use.
02:40 < justanotheruser> brisque: I meant for litecoin
02:40 < brisque> does litecoin have a testnet?
02:40 < jcrubino> yes
02:41 < justanotheruser> brisque: yes, but I figured it would be valid for the bitcoin daemon considering the daemon might consider the version number bad
02:42 < brisque> if the testnet prefix is the same it'll work with no problem
02:42 < jcrubino> assuming I change out the address prefix in bitcoind to the litecoin version what else needs to change to make it litecoind ?
02:42 < justanotheruser> jcrubino: ultimately you can have a public key hash that is valid for both bitcoin and litecoin. An address is just a conversion to base 58 with a version number
02:42 < brisque> jcrubino: mainly just the POW system and the logo.
02:43 < jcrubino> does a non mining  daemon  verify the pow or does it just relay ?
02:45 < brisque> every node validates the POW of every block
13:21 < justanotheruser> If it is possible to have a PoW that only has a maximum of like 5% improvement from CPU to ASIC, is that beneficial?
13:27 < nsh> justanotheruser, in general, no.
13:31 < maaku> justanotheruser: the best you could probably do is several multiples, maybe an order of magnitude
13:46 < justanotheruser> maaku: eh, I disagree. If the hashing function takes up a lot of code and uses many different RISC instructions, then you could use an ASIC, but it might be prohibitively expensive because you have to have so much circuitry to have the hash function implemented.
13:46 < justanotheruser> s/takes up a/uses a
13:48  * nsh frowns
14:03 < adam3us> justanotheruser: the hashing function would have to be very dynamically dependent on the instructions, or it can be special cased; even then someone can make the minimal unrolled cpu strip out everything else and put that circuitry down redundantly as many times as it will fit. i think inevitably almost, hw wins, by a decent margin
14:06 < adam3us> maybe another direction is a FPGA friendly design, and hope ASIC/FPGA advantage will narrow as a trend.
14:06 < justanotheruser> adam3us: Yeah dynamically dependent instructions would be better. If you made it use all instructions, and it involved storing data in the registers, etc wouldn't the ASICs essentially be efficient CPUs?
14:07 < gmaxwell> why does this pow wanking keep going on here?
14:07 < gmaxwell> I can't imagine a less interesting subject.
14:07 < gmaxwell> Does anyone here even care about it?
14:07 < adam3us> potentially.  however its a bit of a weird cpu.  it doesnt mind the input being a counter, and 99.99999% of the outputs are thrown away
14:08 < justanotheruser> adam3us: maybe the PoW could require all the outputs.
14:09 < justanotheruser> One problem I see with this is verification taking a long time
14:09 < andytoshi> gmaxwell: +1, guys we had a long long discussion about this yesterday and completely overwhelmed my ability to follow the entire -wizards scrollback
14:09 < gmaxwell> I just don't even understand why it's being discussed, since I don't think anyone here even thinks its actually all that important.
14:10 < gmaxwell> (though maybe my tolerance is limited because I'm only looking in here once/twice a day because I'm busy elsewhere right now)
14:10 < justanotheruser> gmaxwell: It seems one of your altcoin ideas linked in the topic involves a modified PoW
14:10 < adam3us> maybe we need a #bitcoin-pow-wankery ;)
14:11 < gmaxwell> justanotheruser: I specifically avoided this kind of BS on that list. All the 'modified pow' there were achieving some other purpose than architectural overoptimization.
14:11 < adam3us> justanotheruser: many of the alts sole 'hook' (aka fake argument for existence/sales pitch) is a different pow for "decentralization"
14:12 < gmaxwell> I think there is no end to what you can discuss in that space, and the arguments that it's a useful tradeoff are very hard to make a clear argument for.
14:12 < gmaxwell> It's just the kind of superficial thing that people can discuss forever.  e.g. "random POW generator"
14:12 < justanotheruser> adam3us: I agree it doesn't save electricity or anything like that. People just end up spending money on the hardware instead of the electricity.
14:13 < adam3us> justanotheruser: so at a high level, it would not have to be so slow to verify just because it depends on the dynamic execution of a randomly generated machine code I think
14:13 < adam3us> justanotheruser: seems to me asic-hardness ends up using more electricity typically
14:15 < jtimon> justanotheruser when your ASIC competitors are doing 4% profits, will you mine at -1%?
14:16 < justanotheruser> jtimon: ASICs probably wouldn't give them 4% profits because they would have to buy new hardware
14:16 < adam3us> but its probably more fruitful towards decentralization to try find ways to put diseconomies of scale into the protocol somehow or make bitcoin less vulnerable to 25/33/50% attack, selfish mining and policy/censorship with any level of centralization, then maybe we dont even care
14:16 < justanotheruser> The ops here seem to want us to change the topic though.
14:16 < jtimon> profits = gains after all costs, including capital costs
14:17 < justanotheruser> jtimon: I don't understand why you defined profits. It doesn't really change anything about what I said.
14:18 < adam3us> as i recall no one found a good answer to the 25/33% attack, and ghash is at 34% now coincidentally
14:19 < justanotheruser> adam3us: what's the 25/33% attack? Just them being able do a large reorg some of the time?
14:19 < gmaxwell> it's the argument that pow-wanking for foo-hardness is irrelevant because the perfect competition of mining will drive even the marginally less efficient out of business. You can debate how much slop there is... but wherever you decide it won't be a huge amount.
19:50 < jtimon> I'm not saying it's not a difficult problem, I'm saying you can model the filter against random curves without modeling any mining economics
19:51 < gmaxwell> No you can't. A filter with overshoot behaves very differently in a non-linear system than does one which is critically damped.
19:51 < jtimon> there could be an earthquake destroying 40% of the hashrate and you should be prepared as well
19:51 < phantomcircuit> gmaxwell, is there a cap on how large the change in difficulty can be for any one period? (either up or down) ?
19:51 < gmaxwell> What I'm pointing out is that some filters can actually cause system failure under some mining economics models.
19:51 < gmaxwell> phantomcircuit: yes, 4x.
19:51 < phantomcircuit> oh
19:51 < gmaxwell> (in both directions)
19:52 < phantomcircuit> so that's effectively only relevant for down
19:52 < jtimon> gmaxwell I think all filters could fail under certain conditions
19:52 < gmaxwell> the box filter is probably unconditionally safe.
19:52 < jtimon> you must choose the conditions you're not prepared for
19:52 < gmaxwell> jtimon: forget "prepared", I'm pointing out that some designs can fail when nothing changes or goes wrong.
19:54 < gmaxwell> In an environment where miners turn off when not profitable and turn on when profitable, a design that has overshoot can drive the system into instability. miners turn on, diff goes up, but it goes up too much and then even more miners turn off. then when it goes down it goes down by too much and more miners turn on, and each swing a great portion of the hashrate is being pulled into the oscillation.
19:54 < jtimon> I haven't studied any of the filters so I believe a box filter could be better and there's designs that can fail with a constant hashrate
19:54 < midnightmagic> keynesian beauty contest to the rescue?
19:54 < midnightmagic> :-)
19:54 < jtimon> but what's the point in choosing those?
19:55 < gmaxwell> jtimon: I think the design in freicoin is one that can fail with constant hashrate!
19:55 < jtimon> gmaxwell you can also manually change diff with a hardfork
19:55 < gmaxwell> (it has a pretty substantial overshoot)
19:56 < jtimon> oh, I see
19:56 < jtimon> I didn't know
19:56 < gmaxwell> jtimon: which is part of the reason that worrying about black swans is probably a waste of time, esp if the result is something thats riskier.
19:56 < jtimon> like most times, it's a tradeoff
20:00 < jtimon> in any case, maybe you're right that a less "responsive" filter is better long term, with a mature market without so much subsidy
20:01 < jtimon> but in this case (allowing bitcoin asic miners to come and go, but not to mine both at the same time) we desperately needed something more prepared for wild swings
20:03 < gmaxwell> my complaint there is not about responsive.
20:05 < maaku_> gmaxwell: the overshoot is not that substantial
20:05 < maaku_> the parameters themselves are slightly underdamped
20:05 < maaku_> and the overshoot comes from the 144-block window
20:06 < gmaxwell> maaku_: Hm. from the FIR filter I saw you using before it could be as high as 20%, IIRC though perhaps it got changed?
20:06 < maaku_> so with big square-wave changes, it takes a dozen or more blocks to react
20:06 < maaku_> no, it hasn't changed.
20:07 < maaku_> i just have a different opinion of those numbers - overshooting by 20% when someone is toggling an order of magnitude more hash power than your entire network is pretty good, imho
20:07 < maaku_> we were <1Th/s, and getting hit by 10Th/s chain hoppers
20:10 < gmaxwell> thats not what overshoot means, thats called group delay when it takes a long time to react at all.
20:11 < gmaxwell> Overshoot is when it does react that it can react more than the change.
20:12 < maaku_> yes, well you want a little bit of that
20:12 < maaku_> you want it to be underdamped, slightly
22:37 < justanotheruser1> How many inputs and how many outputs can be in a transaction? Is there a limit on this other than 1mb?
--- Log closed Sat Jan 25 00:00:57 2014
--- Log opened Sat Jan 25 00:00:57 2014
01:31 < maaku_> justanotheruser: 18,446,744,073,709,551,615
01:31 < maaku_> you hit the 1mb limit long before then, however
03:07 < adam3us1> so i think i found a way to (network) efficiently and securely do SPV for single use addresses.  now that i thought about it I dont see why i didnt see it before as it an application of NIFS which i described up as a problem statement of in 1996, and found a mechanism for in 1998 (novel use of IBE) and Boneh found a more efficient building block for in 2001 (the weil pairing)
03:08 < adam3us1> NIFS http://www.cypherspace.org/adam/nifs/
03:10 < adam3us1> it was thought up to provide forward secrecy for email where there is no interactive communication.  read that.  its basically like a public derivation variant of HD wallet concept but where anyone can be after the fact given a private key
03:17 < adam3us1> hmm maybe not ... gotta think more about this (just woke up:) i am thinking weil pairing gives the extra flexibility so you can have someone derive a public encryption key for you from a reusable encryption pub key and the previous block number, then do a derivation from the reusable address with a random factor by sender, encrypt factor with the derived pub enc key, and then afterwards you can derive the corresponding private dec key and s
03:18 < adam3us1> and therefore the query (the private key) could be unique to the block only, obviously very compact, useless for correlating with other blocks, and non-interactive
03:20 < gmaxwell> well, we can do what tor is looking to do with hidden services but its not blind to someone who knows your address.
03:21 < gmaxwell> hm. interesting yea okay
03:22 < adam3us1> yes ok i think brain woke up, its not NIFS its a diff problem statement a variant without the forward-secrecy as you need random lookup in the tag space, and to be able to safely send people the private key
03:22 < gmaxwell> so how about this:  take the reusable address scheme,  but make the ECDH  pubkey   be  pubkey + H(blocknumber)*G
03:23 < gmaxwell> the problem there is that it has the private key unzip attack that BIP32 has.
03:23 < adam3us1> gmaxwell: basically each user is their own IBE server, they publish the IBE params as their reusable public address
03:23 < gmaxwell> yea, I don't think this is doable without pairing the EC addition way to do it has the unzip attack.
03:23 < adam3us1> gmaxwell: so with IBE your identity is your key, so encrypt with the pub key derived from the previous block hash as "identity"
03:24 < adam3us1> gmaxwell: then do the normal sender choose random factor, encrypt factor with the derived pub key, then to delegate a per block decrypt capability, you send the node the corresponding private key that you derive using your IBE private key.
03:24 < adam3us1> gmaxwell: agreed
03:25 < gmaxwell> then again the pairing is only needed for recognition, so it could be employed here. it would allow you to produce unique per block recognition keys. Someone you gave your recognition private keys to could only recognize your transactions that used those keys.
03:25 < adam3us1> gmaxwell: unfortunately that lets weil-pairing crypto into the tent
03:25 < gmaxwell> But its only for privacy, I'm okay with that, but it's an implementation barrier.
03:25 < adam3us1> gmaxwell: yes.
03:26 < gmaxwell> (IMO thats how we should be using pairing in cryptosystems: for lower value applications, and solving things that can't be solved any other way)
03:26 < adam3us1> gmaxwell: well its a start, a proof of concept that its possible.  petertodd started to think it maybe provably not, but that seemed wrong to me, and its a good thing he asked the q of can u prove it not, cos it triggered me to think in the other direction :)
03:27 < adam3us1> gmaxwell: yeah, if it has a sane failure mode. there maybe ways to contain the failure a bit with normal mechanisms eg a few IBE keys or such
03:28 < adam3us1> gmaxwell: also i think IBE is technically overkill we dont really need a comm channel, that is a side effect of the previous mechanism.  so we may be able to do better.
03:29 < adam3us1> gmaxwell: we just want a per block discriminant private key, we dont actually need to allow the node to decrypt something, it can give it to the SPV node and it can decrypt it, itself
03:29 < gmaxwell> well really what we want is a BIP32 like derivation which doesn't have the unzip attack.
03:29 < adam3us1> gmaxwell: exactly.
03:31 < adam3us1> gmaxwell: i dont think u can do it like that tho, because thats what i was trying to do with NIFS and I made and broke a few mechanisms 1996 and concluded you cant do it with DL, hence the IBE connection to NIFS 1998, and then Boneh weil pairing 2001 made it secure/efficient (but esoteric)
03:33 < gmaxwell> ::nods::
03:34 < adam3us1> gmaxwell: but this seems something with lower requirements, more like a new problem statement, so maybe something below IBE can be found.  anyway i was excited to have a proof of concept, even weil pairing using... have to think about that next step more :)
03:35 < gmaxwell> I'd thought about using the prior block as an identity parameter but I didn't see how to get away from simulation by anyone who knew the address... the IBE approach indeed would work.
03:39 < gmaxwell> petertodd: to decode for you, since you may not be familiar with IBE stuff: The idea is that the user has a master private key, which results in a master public key. Anyone can take a prior block hash and combine it with the master public key to get a session pubkey which could be used to encrypt a chaincode included in an OP_RETURN. Using the master private key the user can derive the session private key, which can then be used to ...
03:39 < gmaxwell> ... recognize transactions using the same session key.
economy from the blockchain is actually an important enough property, kinda ...
18:37 < gmaxwell> ... weird that you couldn't though!
18:38 < petertodd> maaku: for instance a really extreme example is to create a consensus system with no concept of coins at all, that does nothing more than map H(program)->Eval(program), if the program can access blockchain data as part of it's execution, the program itself can implement a bitcoin-like currency!
18:38 < petertodd> maaku: (sorry, that's commit to (H(program), input arguments)->Eval() to be exact)
18:38 < gmaxwell> "best part of this is that you already need 16GB to store the blockchain," ... ::sigh:: this isn't true, and it's also why I was asking about pruning in zero cash. Seems that they don't realize you can prune simply because the reference software doesn't.
18:39 < petertodd> gmaxwell: or worse, have their marketing hats on...
18:39 < gmaxwell> I don't see any easy and catch free way to get pruning into an anonymous coin though.
18:39 < gmaxwell> petertodd: nah I just don't think they know a lot of people don't.
18:39 < petertodd> gmaxwell: ugh, pruning is in the satoshi whitepaper...
18:40 < gmaxwell> you think they really read it?
18:40 < petertodd> gmaxwell: the interesting part isn't that you can do pruning, but the extent to which the fact that you can is a bad thing
18:41 < gmaxwell> in any case, for these anonymous coin ideas what you end up having to have is a database of encrypted coins which have been created, and another database of non-encrypted coins that have been spent.
18:42 < maaku> petertodd: ok, i understand the feature request now. do you know a way in which this might be implemented?
18:42 < gmaxwell> The ZK proof when you spend is of a statement like  "This decrypted coin exists in encrypted form in the encrypted coin database". And then the newly decrypted coin is added to the database of spent coins.
18:42 < petertodd> gmaxwell: though the database can be split up; you can think of both databases as cryptographic accumulators supporting VerExists() and conversely VerNoExist(), and thus get succinct proofs of either for SPV.
18:43 < gmaxwell> so you can't prune the encrypted coin database because you can't tell which entries have been spent. And you can't prune the spent coins database because then the coins could just be respent.
18:43 < gmaxwell> The coins database can be append only, but the spent coins database needs an efficient VerNoExist() so it must be key ordered.
18:44 < gmaxwell> key ordered makes it hard to outsource efficiently. (requires tracking the network)
18:44 < maaku> petertodd: if script was homoiconic it would be easier to attach a script which takes the transaction as input and outputs scripts to be attached to the outputs
18:44 < maaku> and those could be carried forward
18:44 < petertodd> maaku: well, in Bitcoin you need a very invasive soft-fork. vitalik's ethereum is in those directions, but the implementation is yuck
18:44 < Alanius> couldn't one store the spent coins in a merkle mountain range? Or am I mixing things up here?
18:45 < petertodd> gmaxwell: right, with spent that's the same problem as UTXO proofs. although you can design it so that the spent database need not be held in its entirety by any one miner
18:45 < maaku> Alanius: "the spent coins database needs an efficient VerNoExist() so it must be key ordered"
18:45 < Alanius> ah, mmr'
18:45 < Alanius> s do not allow proof of non-existence?
18:45 < petertodd> Alanius: MMR can be used for unspent only, and I'm going to be very interested to find out if that's what they did
18:46 < petertodd> Alanius: they do, but the proof-of-non-existence is O(m log n) in size for a span of m blocks
18:46 < petertodd> Alanius: which you can do in zk-snark fashion, but that's costly
18:46 < maaku> petertodd: i think that's misleading from the context of his question
18:46 < maaku> Alanius: you can only prove non-existence based on what is being indexed
18:47 < maaku> MMR is indexed based on insertion order
18:47 < maaku> so you can prove, for example, that no coin was spent in between two adjacently spent coins
18:47 < jtimon> petertodd: I like a generic scheme too, I'm just not constrained to softforks, seriously I don't know what your claim is yet what solution and what problem are you referring to from my link?
18:47 < maaku> which is pretty useless
18:48 < Alanius> maaku: thanks! very intuitive explanation :)
18:48 < maaku> jtimon: he wants to attach arbitrary validation rules to outputs, and have those propagate in arbitrary ways in future transactions
18:48 < petertodd> maaku: but that's the thing, it's *not* useless, if you can prove when the coin was created, you naturally have a reasonable limit on the non-existence proof, which is a way that you could get something akin to pruning in zerocoin
18:48 < petertodd> maaku: basically the cost to make the zk-proof would increase as the coin gets older, but my understanding is that cost blows up very fast with current zk-snark technology
18:49 < gmaxwell> yea, so my thought for pruning is that when you create a coin you could create it with a generation number (which is made public by the ZK proof)
18:49 < gmaxwell> where 'generation number' means like "what month was it created in"
18:49 < petertodd> gmaxwell: yup
18:50 < gmaxwell> and then you can say that coins become unspendable after so many months, allowing you to prune both data sets.
18:50 < gmaxwell> But its kinda ugly.
18:50 < Alanius> that would partition the anonymity set
18:50 < gmaxwell> as it reduces your anonymity set and makes your coins expire.. and we can't even tell how many coins have expired!
18:50 < petertodd> gmaxwell: but why make them unspendable? just force you to prove correct manipulation of the spent set in your tx
18:51 < gmaxwell> petertodd: hm. and store the new spent set root? so you never close off an old spent set, it just becomes more expensive to spend from it?
18:51 < gmaxwell> I suppose thats true.
18:51 < petertodd> gmaxwell: well, doesn't even have to be more expensive, just more annoying
18:52 < gmaxwell> You still have the anonymity set reduction though, alas.
18:52 < petertodd> gmaxwell: basically if your spent token set is a single radix tree, then you have a bunch of data that needs accessibility, to do better, shard that
18:52 < petertodd> gmaxwell: sure, but it's still easily in line with what coinjoin can do (anonymity set of tx's happening at roughly the same time)
18:53 < gmaxwell> oh it's much better since same time could be defined to be a month or more.
18:53 < petertodd> exactly!
18:53 < gmaxwell> it's still not free however.
18:53 < petertodd> and you want some amount of time anyway, as mining needs to imply at least having the data, so you want mining to be tied to, say, the last month of data
18:53 < gmaxwell> also there are some other tradeoffs which come into play.
18:53 < petertodd> ?
18:54 < gmaxwell> The ZK proofs are going to be most efficient if they have no branching, just a constant number of hash evaluations and some muxes to get data on the right side of the hash input.
18:54 < gmaxwell> One of the plus sides of pruning is that it should make the ZK proofs faster.
18:54 < petertodd> gmaxwell: so make a tree of every month from now until eternity
18:55 < petertodd> ok, sure
18:55 < gmaxwell> "once we have these coins we put in the hash tree; 64-depth key (2^64); when want to redeem; reveal the serial number, and can reveal 64-hashes before in the tree; "
18:55 < gmaxwell> (quoting from the talk)
18:55 < gmaxwell> sounds like they fixed the tree size at 64 deep so that they'd 'never' run out of room.
18:55 < petertodd> (note how they must have some mechanism to make collisions hard...)
18:56 < gmaxwell> With pruning we can do better and say, have a 2^33 deep tree. Which is fine for a month of transactions.
18:56 < petertodd> (oh, actually, no that's not true, you don't need that)
18:56 < petertodd> true, although the risk of accidentally picking someone else's serial number goes up
18:57 < gmaxwell> petertodd: no need to have a risk of that, you just use a >128 bit random serial number.
18:57 < gmaxwell> one turn of the compression function takes 512 bits.
18:58 < gmaxwell> In there you have to fit the value of the coin, a P2SH hash for the pubkey needed to spend it, and a serial number.
18:58 < petertodd> gmaxwell: wait, so how does that help? the tree is indexed right, so if the first 33 bits match I have a problem
18:58 < jtimon> for scalable "anonymous" transactions, more than zerocoin-like stuff I like petertodd's inputs only approach with an expiry on the UTXI entries
18:58 < gmaxwell> petertodd: no no, it's insertion ordered.
18:59 < petertodd> gmaxwell: oh right, doh
18:59 < petertodd> gmaxwell: quite correct
19:00 < petertodd> gmaxwell: well basically, the depth of that tree is purely your anonymity set
19:00 < gmaxwell> yes
19:00 < gmaxwell> say a coin looks like this [128 bit serial number, 64 bit future extensibility, 64 bit value, 256 bit P2SH hash]   you add it to an insertion ordered tree.
19:01 < petertodd> jtimon: it's only scalable if you can figure out the right mining incentives and solve the data-hiding attack sufficiently
19:01 < gmaxwell> And then to emerge COIN  you just produce a ZK proof that  H(COIN)  is in the tree.. which takes Log2(size) hashes under the ZK proof.
19:01 < gmaxwell> so if you require multiple trees for pruning purposes, then you can make them reasonably small at the cost of reducing the anonymity set.
19:03 < jtimon> petertodd, I don't know the data-hiding attack, but from what I hear from maaku what you're talking about is new, can I read a summary somewhere?
19:03 < petertodd> jtimon: https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
15:11 < maaku> jtimon: http://pastebin.com/vUnrtLME
15:11 < TD> also i doubt any such system would be generic
15:11 < adam3us> gmaxwell: see i optimized the zkp range proof a lot manually in problem specific ways and still came to 1.5kB
15:11 < jtimon> thanks maaku
15:11 < TD> but sure, we can call them SNARKs instead
15:12 < adam3us> gmaxwell, TD: so i must be being dumb if their compiler can outperform me :)..  but yes i stayed well clear of pairing
15:12 < TD> they use a lot of very complicated techniques
15:13 < TD> i only understand some of it
15:13 < amiller> with pinocchio you can create a proof for SHA1 in 15 seconds on a single thread desktop computer
15:13 < amiller> i'm pretty sure tinyram beats that
15:13 < gmaxwell> and the proof is a couple pairing group elements.
15:13 < adam3us> TD: its very powerful	if that scales, so we can forgive pairing
15:13 < adam3us> gmaxwell: thats amazing
15:14 < TD> i thought it was 8 elements
15:14 < adam3us> and is this non IP-encrusted?
15:14 < warren> My BFL arrives today, far too late to be useful.
15:15 < gmaxwell> Well they have another backend that uses fiat-shamir with locally testable codes... the proofs are bigger but not astronomically large.
15:15 < adam3us> warren: still waiting for mine its been stuck as "fulfilled" but not shipped
15:15 < gmaxwell> (like zerocoin size)
15:15 < amiller> adam3us, there are currently three competing snarks projects, tinyram http://www.scipr-lab.org/tinyram  pantry https://github.com/srinathtv/pantry and pinocchio https://research.microsoft.com/en-us/projects/verifcomp/
15:16 < gmaxwell> adam3us: I did some searches a while back and didn't find anything, but who knows what of their optimizations they may have patented in the last year.
15:16 < adam3us> do you know if any of them have not covered it with lots of patents
15:16 < warren> adam3us: I missed the "use paypal tos to force BFL refund" thread by 1 day.
15:16 < amiller> adam3us, of these tinyram isn't out yet, pantry is fully open source, pinocchio is mostly open source except for the backend which they're working on reimplementing open source
15:16 < gmaxwell> If they do, it'll be sad because the history of crypto says that patented crypto is dead on arrival.
15:16 < adam3us> warren: i missed that outright... bought a part upgrade to the 600GH and left order for the smaller 5GH
15:17 < adam3us> gmaxwell, amiller, TD: ok you convinced me I have to learn what they are doing!
15:18 < amiller> adam3us, http://eprint.iacr.org/2012/215.pdf this is the GGPR scheme underlying pinocchio and pantry
15:18 < adam3us> jtimon: i think the committed tx topic did not continue when you lost connection
15:18 < jtimon> I still don't understand committed coins, gmaxwell perfectly explained my worries "he's asking about the case where you are d in a chain of hidden spends.   a->b b->c c->d  And he's confused about how you know that a->q  didn't happen first."
15:19 < gmaxwell> jtimon: when you are d, and get paid by c you demand he provide you the required keys to trade your payment back to entirely public inputs.
15:19 < amiller> adam3us, actually GGPR underlies tinyram as well
15:19 < adam3us> jtimon: yes so the thing is if a->q happened it would be on the block chain, the encrypted/hashed tx and a second H(a), the sender must provide info to convince you that isn't the case, ie that that is a forgery/spam
15:19 < gmaxwell> jtimon: and when you do so, because you have a's public key, you can see that a->b is the first a spend in the chain.
15:20 < warren> adam3us: I sold this BFL on ebay.  The first attempt failed with no bids.  The second attempt succeeded with a bid.  BFL forced the first expired listing offline with a "trademark/counterfeit" claim while leaving the high priced successful bids untouched...
15:20 < adam3us> warren: wow thats hostile
15:20 < jtimon> so a->b is in hidden form in the chain
15:20 < warren> I'm pretty sure that's abusing the law to manipulate perception of value.
15:21 < jtimon> b->c must also be in hidden form in the chain, right?
15:21 < adam3us> yes
15:21 < adam3us> it's not offchain, it's onchain but in encrypted/hashed form
15:21 < adam3us> such that anyone can see which are spends of the same key, they just dont know which key
15:22 < jtimon> and when I receive C->D, C also gives me proof that a->b, b->c and c->d where actually signed properly
15:22 < jtimon> were
15:23 < gmaxwell> well he gives you the keys required for you to be able to check for yourself. (it's not in zero knowledge)
15:23 < adam3us> jtimon: yes, he just gives you a sym key that allows you to decrypt
15:23 < adam3us> jtimon: you can validate it yourself then as the bit of the block chain you care about is now decryptable and visible to you
15:24 < jtimon> so now I want to pay D -> E in public form
15:24 < gmaxwell> you would make those secrets public at that point, so the whole network could validate what you wanted before.
15:24 < jtimon> couldn't C try to publicly pay C -> C2 first ?
15:24 < adam3us> jtimon: you have to publish all the committed ones or the recipient otherwise needs keys for a-<c
15:25 < adam3us> jtimon: no because of the trick that a public spend correlates with the committed spends
15:25 < adam3us> as a public spend includes pub key (not just address), and H(pub) can be calculated from it, and H(pub) is attached cleartext to each committed spend
15:25 < jtimon> but no one is seeing any relation between hidden (committed is confusing sorry) spends
15:26 < jtimon> ok, so every hidden spend refers to the previous one
15:26 < maaku> hidden is a much better term
15:26 < jtimon> explicitly
15:26 < gmaxwell> jtimon: to make d -> e in public you disclose the keys, so the relations then become clear.
15:26 < maaku> yes, these are not blinded
15:27 < jtimon> but not until I publicly pay d -> e ?
15:27 < gmaxwell> right.
15:27 < jtimon> then at any time c -> c2 or b -> b2 could be broadcast
15:27 < jtimon> no?
15:28 < maaku> yes, but it would be meaningless
15:28 < gmaxwell> No.
15:28 < gmaxwell> (as maaku says)
15:28 < adam3us> not really because people receiving them can see they are spent
15:28 < gmaxwell> Because everyone with the keys can see which comittments were first.
15:28 < maaku> c2 or b2 would have the keys necessary to go check the chain and realize they were double-spent
15:28 < adam3us> as with (c->c2) in clear form, you know public key of C, and that is attached to the original spend as H(c)
15:28 < gmaxwell> and the hidden -> public validation checks this too.
15:28 < adam3us> even if they didn't
15:29 < jtimon> ok, so then every hidden spend references the previous hidden spend
15:30 < adam3us> jtimon: the recipient of a hidden spend needs keys back to the first non hidden ancestor
15:30 < adam3us> jtimon: actually with optimisation it's just one sym key you disclose at any time
15:30 < jtimon> let's say I have d -> e (public) prepared at home but I chose not to broadcast it until next week
15:30 < adam3us> jtimon: the sym key gives you enough to navigate backwards, decrypt, then validate normally
15:30 < gmaxwell> yea, because you could change the keys in the encrypted data.
15:31 < jtimon> there's 3 possibilities
15:31 < gmaxwell> s/change/chain/
15:31 < gmaxwell> jtimon: I think you've thought yourself into a rut, this isn't that complicated.
15:32 < adam3us> jtimon: i think the thing you're maybe missing is that a public spend is also validated against its inputs, and the inputs are encrypted and so it's rejected
15:32 < jtimon> 1) When miners receive public(C -> C2), they realise it is invalid because something in hidden(C->D) indicates it
15:33 < jtimon> hidden(C->D) is already in the chain
15:33 < adam3us> jtimon: think you meant c->d2, yes they can see that hidden(c->d) was with the same key c as clear c->d2 so it's invalid
15:34 < jtimon> ok, I got it
15:34 < adam3us> jtimon: so if clear spend of c->d2 comes after hidden spend c->d then d2 is a double spend and rejected; its interesting because in its hidden form the miner knows almost nothing so he can apply no policy
15:34 < gmaxwell> it would still work if they couldn't however, certainly easier that they can.
15:34 < jtimon> but no, I meant c2 to express that belongs to the same person
15:35 < jtimon> so, c->d publicly states {C, H(C->D)}
15:35 < adam3us> gmaxwell: ? what mean "it would still work if they couldn't however, certainly easier that they can."
15:36 < adam3us> hidden(c->d) = E(tx), H(c) approximately
15:36 < jtimon> isn't this also traceable?
15:36 < gmaxwell> adam3us: I mean the requirement that miners can reject a double spend isn't a strict requirement. So long as the receiver can identify the first spend that's in the chain that's enough for the scheme to work.
15:36 < adam3us> jtimon: so if you send c->d2 publicly now anyone can compute H(c) and see wait that was already spent
15:36 < gmaxwell> jtimon: once the data is made public, sure.
15:36 < adam3us> gmaxwell: ah yes
15:37 < adam3us> jtimon: before it's public it's utterly hidden except to the people in the path
15:37 < adam3us> jtimon: you can't even tell it's a path, the hidden tx are opaque blobs and H(c) is useless if you don't know c
15:38 < adam3us> amiller, gmaxwell, TD: surely SCIP-coin can be a game changer if there is an efficient non-patented version.  or maybe the community can buy them out :)
15:39 < gmaxwell> then the other conversation we had was where I pointed out that using a sufficiently powerful (tm) zero knowledge proof system you could do the private->public change without making the keys public. (I wrote about this at length in a forum thread of its own)
15:39 < gmaxwell> ( https://bitcointalk.org/index.php?topic=277389.0 )
15:40 < adam3us> gmaxwell: think i missed that forum thread sounds like what you said above about SCIP
10:19 < gmaxwell> he doesn't agree, sadly. E.g. he has a definition of 'fully rigid' that doesn't include setting the base point: http://safecurves.cr.yp.to/rigid.html
10:19 < gmaxwell> I'll forward you email. one sec.
10:19 < adam3us> gmaxwell: i think we've got the same assumptions but to say it is easy to get two base points G & H which you can readily see no one knows the private key for (eg G=hash2curve(pi), H=hash2curve(e) for pi & e)
10:20 < adam3us> gmaxwell: i mean no one knows the discrete log of them to anything in particular, and certainly no one knows x st H=xG
10:21 < gmaxwell> adam3us: sure, but you have to pick your base point that way.. and it doesn't appear that anything anyone is likely to use right now does.
10:21 < adam3us> gmaxwell: i mean otherwise it's a joke: find H=hash2curve(pi), compute x=random, then set G=x^-1H => H=xG
10:21 < gmaxwell> adam3us: thats what I sent DJB.
10:21 < adam3us> gmaxwell: holy moly i am going to hit DJB! shame on twitter
10:22 < gmaxwell> (I mean I sent him an example sage notebook where I do exactly that, G=x^-1H )
10:25 < gmaxwell> I can agree with him that it's not the most important thing... but it's also so easily avoided as an issue.  I suspect he may have been disinclined to agree with me because his curves wouldn't meet the criteria (I have no clue where his base points came from).
10:27 < adam3us> gmaxwell: reading this bit now "What about rigid choices of base points?" from http://safecurves.cr.yp.to/rigid.html
10:28 < gmaxwell> Oh, wow, he must have added that after my email discussion with him!
10:30 < adam3us> gmaxwell: hmm he still disagrees however, he claims it doesnt matter however this maybe another one of those "depend what the use case is" things.  to me i think the base should be fairly chosen or even  a small set of fairly chosen base points should be presented
10:31 < adam3us> gmaxwell: thats rather narrow minded - if someone needs G & H then they cant use his G.  they have to ignore it and safely generate two more
10:32 < adam3us> gmaxwell: which is a big onus to put on the implementor now they have to get into complex EC math arguments and understand the curve generation and limitations.  big area for mistake or community rejection of their proposal
10:34 < gmaxwell> adam3us: I think the smallest possible x / y for performance reasons (makes a multiply easier) isn't /terrible/. I didn't realize thats what he'd done for his own curves.
10:34 < gmaxwell> But yea, I'm glad you agree that its stupid to not get this right.
10:35 < adam3us> gmaxwell: : oh thats not too bad.  u have to consider also that someone could adapt the curve params to have a known discrete log small x,y.  but as the curve params are chosen deterministically with rigid criteria and plausible seed
10:36 < adam3us> gmaxwell: then its probably ok
10:36 < gmaxwell> adam3us: yea, funny that I managed to not gather that from his emails. I only realized it after reading the update to the page and then looking at the values.
10:37 < adam3us> gmaxwell: he probably never said it - unstated assumption
10:42 < cfields> https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0cb112f7400187275da81a05a9ad0534f1430139
10:42 < cfields> all determinism problems in binutils (that i'm aware of) fixed.
10:42 < sipa> \o/
10:44 < adam3us> btw about bitcoin implies need for end2end airgap model, someone i talked to said they discovered an egress vpn tunnel via their custom firewall scripts (pretty hard core security geek to notice) within a few days of talking to me.  seems like skype is a risk suggest not running it at all, running in vm (maybe there are people with skype & vm escape zerodays) or running it on a burner laptop on a different network literally
10:44 < adam3us> for people who seemingly are incapable of installing jabber client & otr because they want to do bitcoin stuff, but thats too complex :|
10:46 < adam3us> advice: paranoia *= 2 if you have bitcoins non airgapped, exchange accounts with bitcoins or doing bitcoin dev work.  my prediction: this security attack, to the level of being willing to burn 0days to get into suspected interesting places, is ramping up
10:48 < adam3us> even airgapped bitcoins are at risk if you spend them.  you need some better way to check the deposit address on exchanges.  they need to use unique per user chain codes
10:48 < K1773R> setup the honeypots!
10:54 < gmaxwell> I've been using canary coins for a long time, never had one trigger, so I don't know if they work.
10:55 < adam3us> probably IMO baseband processor hacked or other smart-phone vector to attack google authenticators are the next step.	it'll take the shine out of bitcoin if non-tech users get ripped (or even reasonably tech people who dont know how to setup hard core secure environments)
10:55 < gmaxwell> (canary coins = leave an easily found unencrypted wallet.dat on bastion hosts; hopefully someone who compromises the host moves the coins right away thus alerting you)
10:57 < adam3us> gmaxwell: yes.  there maybe different attacks tho - random ones, and targeted ones aimed at people with known early bitcoins or who might be suspected to have early bitcoins.  unfortunately i am in the suspected but actually not - have to tolerate the attacks, but without the coin hoard :)
10:58 < adam3us> and we saw jdillon's pgp was compromised and his private decrypted msgs posted on the forum.  pgp on an online computer is probably not good in this environment
10:58 < gmaxwell> adam3us: well thats true for lots of us. I worry about people following me home. It's not nice to fear that some idiot might think that mugging you might yield a hundred million dollars .. without actually having the hundred million dollars. :P
11:01 < adam3us> gmaxwell: precisely. you cant afford or dont want to spend 1/3 your salary in using 100-millionaire private security type setups (body guards). so its kind of a shitty situation.  you are exposed to the risks without the upside.
11:02 < adam3us> gmaxwell: this is why my bct sig line said for a long time "I am not satoshi" => i dont have many coins
11:03 < cfields> hmm, who should i ping about gitian stuff?
11:03 < gmaxwell> devrandom
11:03 < cfields> i need a raring builder
11:03 < cfields> ok. he comes around irc, right?
11:04 < cfields> nm, i see him in -dev
11:04 < adam3us> also OS upgrades are stupidly insecure.  they are checking signatures not hashes.  they cant check hashes because the new module wasnt coded at the time.  we need something like laurie's cert transparency for OS patch hash transparency; as is possibly a weak point is the ubuntu/fedora etc package builder, or for anything x509 code signed another hacked CA
11:05 < cfields> ping Luke-Jr
11:10 < adam3us> so what about end to end address security. if you and another user have a trezor.  say you need to pay someone 1btc or something non-trivial how do you know you have the recipients address, if you are using an online computer to create the offline signable transaction
11:11 < adam3us> seems like you need to use an address signed by the sender's base keypair (and encrypted with your base keypair) for end2end privacy and address authenticity
11:13 < adam3us> new armory feature I think  you could make it a non-transferable signature probably would be slightly better if the payment request receiver is airgapped.
11:13 < adam3us> maybe this could be done as a payment request extension
11:14 < petertodd> adam3us: addresses aren't useful; identities are
11:14 < petertodd> adam3us: people keep trying to re-invent PGP...
11:14 < adam3us> this bitcoin thing is getting ahead of its own operational security tools - trajectory could be disrupted, or stupid central trust solutions or static addresses used as a counter-measure
11:15 < adam3us> petertodd: right, but when you send someone address via an unsecured connection and online computer (which maybe subject to 0-day compromise even with best precautions as the bitcoin stakes increase)
11:16 < adam3us> petertodd: currently you make no attempt to prove the identity owning the address to the offline wallet about to make the payment.  you just read it off the screen of a potentially compromised system which can put someone else's address on the screen
11:16 < petertodd> adam3us: yeah, but doing fancy crypto with addresses doesn't change a thing - the address still doesn't involve a human-meaningful identity
11:16 < petertodd> adam3us: well yeah, that's what the payment protocol is for, and for the decentralized case, add OpenPGP support and teach TREZOR about the WoT (have fun with that!)
11:17 < adam3us> petertodd: well there's no trust anchor.  in the same way we exchange pgp fingerprints, we need to exchange like static vanity/random encryption address, and use that for encryption
11:17 < adam3us> petertodd: pff payment protocol is signed by an online ssl signing key
11:18 < petertodd> adam3us: sure, but would you rather exchange a single purpose bitcoin addr or a actually using for stuff in general pgp fingerprint?
11:18 < adam3us> petertodd: i bet 99% of web servers will sign it with their existing SSL key
11:18 < petertodd> adam3us: that's the only way it could possibly work
11:18 < petertodd> adam3us: payment protocol doesn't do any good if the identity involved != the identity of the website the user just visited
11:18 < petertodd> adam3us: sad but true
11:18 < jgarzik_> adam3us, scrolling back a bit, what do you mean RE OS upgrades when you say "they cant check hashes because the new module wasnt coded at the time."
11:19 < adam3us> petertodd: what i mean is we have the infrastructure available, but just lack the tools.  offline wallet use base address as identity, but hash on biz card, pgp sign as attribute etc
11:19 < jgarzik_> adam3us, RPMs sign file hashes
03:36 < gmaxwell> amiller: you may find interesting: https://bitcointalk.org/index.php?topic=327767.0  looks like somewhat strong evidence of a 25% hashpower miner using it to exploit a gambling site.
03:36 < gmaxwell> (I'd say conclusive, but I think it's at least slightly plausible that someone else is framing them)
03:41 < michagogo|cloud> gmaxwell: could you give an example of a way they could be framed?
03:42 < michagogo|cloud> Finding their mining node or something?
03:42 < gmaxwell> e.g.
03:42 < gmaxwell> 3. Going further, I found the address the earnings from attack were sent to: 12e8322A9YqPbGBzFU6zXqn7KuBEHrpAAv
03:42 < gmaxwell> https://blockchain.info/tx/292e7354fbca1847f0cbdc87a7d62bc37e58e8b6fa773ef4846b959f28c42910
03:42 < gmaxwell> And then part of these funds (125 BTC) was sent to ghash.io's mining address:
03:42 < gmaxwell> https://blockchain.info/tx/48168cf655d0ac0c7c2733288ca72e69ecd515a9a0ab2821087eb33deb7c6962
03:42 < gmaxwell> ...
03:42 < gmaxwell> The attacker could have just paid some of their loot to ghash.io to make it look like they were in on it.
03:44 < phantomcircuit> gmaxwell, that's a lot of coin to frame them
03:44 < gmaxwell> To be clear: I think it's more likely that the simpler explanation is correct. I'm just trying to behave responsibly by making it clear that I haven't seen enough to eliminate all doubt.
03:45 < gmaxwell> phantomcircuit: if you're a competing pool... and the funds were the proceeds of an attack.. I don't see why losing half of them to frame someone wouldn't be a great plan.
03:46 < phantomcircuit> there isn't really anybody competing with them
03:46 < phantomcircuit> iirc most of their hashing power is from cex.io
03:46 < phantomcircuit> who aren't going to care about this at all
03:47 < gmaxwell> also, I expect that if there are attacks going on whats actually happening is that GHash.io is doing hashpower for hire instead of attacking themselves.
03:48 < gmaxwell> which would also explain all the evidence and changes the surface of culpability somewhat. (and more importantly, teaches us a slightly different lesson)
03:49 < phantomcircuit> gmaxwell, 45k transaction fee
03:49 < phantomcircuit> heh
03:49 < gmaxwell> e.g. the payments aren't to frame, they're payments for the hashpower they bought.
03:49 < gmaxwell> step 1) buy hashpower for a small markup over its worth, step 2) double spend the crap out of some shitty gambling site, step 3) profit.
03:51 < gmaxwell> just requires someone with a bunch of hashpower which is greedy or stupid enough to go along with people buying their hashpower. Sadly, lots of people sold hashpower on pirate40's service (confirmed by the SEC).
03:53 < gmaxwell> another interesting point is that they could have profitably (well, positive EV) performed this attack even if the gambling site had been required 6 confirms, if they really did have 25% hashpower behind the attack.
03:54 < gmaxwell> (25% reverses 6 confirms 5% of the time)
03:55 < michagogo|cloud> gmaxwell: so I'm guessing house edge is <5%?
03:55 < phantomcircuit> gmaxwell, except that screwing with unconfirmed transactions isn't likely to freak anybody out
03:55 < phantomcircuit> screwing with 6 confirm transactions is
03:56 < michagogo|cloud> Also you have the coinbases that you lose if you fail
03:56 < gmaxwell> michagogo|cloud: yea, these betting sites always have really small edges, enough that they almost certainly fail the https://en.wikipedia.org/wiki/Kelly_criterion for the largest bets they allow
03:58 < gmaxwell> michagogo|cloud: yea, you just need the attack to be profitable enough that you offset the coinbase loss expected. Which you can do because the absolute return on the attack is infinite (well, bounded by the casino's bank account, maximum bet size, and number of txn you can put in a block) even though the relative return is only some percentage.
03:59 < gmaxwell> this isn't to say that attacking 0 confirmed stuff isn't much better for the attacker, it is... but just 6 confirms doesn't stop such an attack from being positive EV if you can buy the hashpower to do it at a small markup.
04:01 < gmaxwell> Because the site does 0 confirm you can double spend them with no hashpower at all. I don't really understand why the attacker bothered with the hashpower.
04:01 < gmaxwell> Your success rate is lower, sure, but your costs are lower.
04:01 < warren> Despite this, people don't seem concerned about the real problem, massive centralization.
04:02 < warren> And I'm thrilled by the huge positive response to the p2pool grant yesterday.
04:02 < warren> <crickets>
04:02 < phantomcircuit> gmaxwell, the obvious answer is because they already had it
04:04 < gmaxwell> warren: dude, no one gives a shit about technology except us. :(  This is why I think paying people to mine on p2pool is important.  Or rather, it's not that people don't care, it's that it's really mentally expensive to sort this stuff out so people don't think about it.  If you tell them upfront that they'll make more by switching to p2pool, then they don't have to think through the other stuff.
04:05 < phantomcircuit> lol it's funny cause really nobody cares
04:05 < warren> gmaxwell: make p2pool more scalable and easy enough for a caveman, maybe with no apparent share orphans/DOA with share merging, and tell them the pool's fees are lower than anything else, and then entice people to join with random donation subsidies.
04:06 < warren> currently I'm not confident that donating is well spent to attract miners who will stay
04:06 < phantomcircuit> warren, people are hella lazy
04:06 < phantomcircuit> once it's setup nobody is changing shit
04:07 < warren> it's rather scary that things are moving beyond mere centralized pools ... huge hashrate for hire
04:07 < gmaxwell> warren: perhaps but it will be months at best before its not a huge pita. and most of that isn't fixing p2pool. The fact that people are trying to run their mining on hardware that can't run bitcoind is at least as big of a barrier as anything inside p2pool.
04:07 < gmaxwell> warren: most people using bitcoin have no idea what role mining fills in the system.
04:07 < warren> gmaxwell: indeed
04:08 < gmaxwell> I reported here week before last on my experience at the SV bitcoin users group. Lots of excited people, even generally technically competent ones (uh with technical CVs that include a lot of php and ruby...), almost none with any real clue how bitcoin works.
04:08 < gmaxwell> Even miners often have no clue what role mining serves.
04:09 < warren> past assumptions always assumed that large quantities of greedy miners will secure the network
04:09 < warren> centralized pools broke that
04:09 < warren> and greed can lead to even worse things
04:10 < gmaxwell> well, someone made the mistake of assuming miners were rational and well informed.
04:10 < michagogo|cloud> 11:05:45 <warren> gmaxwell: make p2pool more scalable and easy enough for a caveman, maybe with no apparent share orphans/DOA with share merging, and tell them the pool's fees are lower than anything else, and then entice people to join with random donation subsidies.
04:10 < michagogo|cloud> AIUI, p2pool's model inherently has many stales
04:10 < gmaxwell> the fucking stales are irrelevant. gah. stop @#$#@$ derailing things with that warren.
04:10 < warren> michagogo|cloud: please don't get into this right now, you're demonstrating the most common misunderstanding of p2pool
04:11 < gmaxwell> warren: and you encouraged him to accidentally! see how that works?
04:11 < michagogo|cloud> But the payout mechanism means that all that matters is your stales aren't proportionally more than others'
04:11 < michagogo|cloud> Okay, sorry
04:12 < gmaxwell> michagogo|cloud: :) if nothing else there is a major UI problem there though. Because it's hard to get people to as sophisticated an understanding as that.
04:12 < michagogo|cloud> Lol, #$#@$ got detected as a channel
04:13 < warren> one of the proposed counter-measures against the selfish miner thing was the honest pools forming a cartel.  If p2pool were to grow huge, that would become impossible.  Now that being possible at all is scary.
04:20 < warren> gmaxwell: I don't see any fix for the greedy miners seeking profit by selling their hashes issue.
05:52 < adam3us> so is there any reason not everyone is mining on p2pool?
05:53 < sipa> complexity & variance
05:54 < gmaxwell> Yep, plus ignorance and lazy.
05:54 < gmaxwell> People think pool fees of 3% aren't much...
05:55 < warren> adam3us: https://bitcointalk.org/index.php?topic=329860.0
05:55 < sipa> when they're less than your monthly variance, you won't notice it anyway :)
05:55 < gmaxwell> (but really, it's a lot more work to use: you have to run bitcoind.. which is like a day plus of install time and 15 gb of disk space and means you can't run on a raspberry pi)
05:55 < gmaxwell> (then you have to run p2pool, which is at least pretty easy)
05:55 < adam3us> to me 3% is phenomenally high, maybe i should start a pool with lower fees that refuses no GBT miners
05:56 < gmaxwell> vs: plug in miner, type in url. Receive bitcoins.
05:56 < gmaxwell> adam3us: then you're suspect because you charge too little, obviously the majority of people paying 3% or more are getting something of value!
05:56 < gmaxwell> plus for non-PPS pools, being a small pool means you have enormous variance, you're objectively less good.
05:57 < gmaxwell> (or at least, very small pool)
05:57 < gmaxwell> (once you're finding a block a day the variance is probably not so bad)
05:57 < adam3us> gmaxwell: yeah the reality of decisions people make is sooo stupid that moderately smart people cant even comprehend or predict the market outcomes
05:57 < warren> sigh, I really thought at least one person would have donated there.
19:46 < petertodd> what's nifty about it, is a core bit of the trust would be the exact same merkle-sum utxo tree that Bitcoin itself might have one day
--- Log closed Mon Apr 15 21:30:49 2013
--- Log opened Tue Apr 16 07:52:17 2013
--- Log closed Tue Apr 16 07:52:45 2013
--- Log opened Tue Apr 16 07:53:09 2013
--- Log closed Wed Apr 17 00:00:52 2013
--- Log opened Wed Apr 17 00:00:52 2013
--- Log closed Wed Apr 17 01:04:57 2013
--- Log opened Wed Apr 17 16:25:13 2013
--- Log closed Thu Apr 18 00:00:54 2013
--- Log opened Thu Apr 18 00:00:54 2013
--- Log closed Thu Apr 18 00:58:33 2013
--- Log opened Thu Apr 18 01:13:52 2013
22:03 < realazthat> sipa: ping
--- Log closed Fri Apr 19 00:00:55 2013
--- Log opened Fri Apr 19 00:00:55 2013
--- Log closed Fri Apr 19 02:38:04 2013
--- Log opened Fri Apr 19 02:44:28 2013
03:23 < sipa> realazthat: yes?
03:23 < realazthat> I had a question but I'm following the boston situation :P
03:24 < realazthat> O
03:24 < realazthat> er
03:25 < realazthat> I'll ping you when I wake
--- Log closed Sat Apr 20 00:00:56 2013
--- Log opened Sat Apr 20 00:00:56 2013
--- Log closed Sat Apr 20 00:19:43 2013
--- Log opened Sat Apr 20 00:45:29 2013
--- Log closed Sat Apr 20 01:23:01 2013
--- Log opened Sat Apr 20 01:28:14 2013
20:46 < vazakl-> sup
--- Log closed Sun Apr 21 00:00:58 2013
--- Log opened Sun Apr 21 00:00:58 2013
--- Log closed Mon Apr 22 00:00:59 2013
--- Log opened Mon Apr 22 00:00:59 2013
--- Log closed Mon Apr 22 02:09:04 2013
--- Log opened Mon Apr 22 04:14:23 2013
--- Log closed Tue Apr 23 00:00:00 2013
--- Log opened Tue Apr 23 00:00:00 2013
--- Log closed Tue Apr 23 02:54:37 2013
--- Log opened Tue Apr 23 03:09:51 2013
15:13 < DrChill> About to make a bot that buys and sells +0.75%, thoughts? It would get the average price after a successful buy+sell, and then use that to make the next trade
15:14 < realazthat> so you make money assuming bitcoin goes up
15:14 < realazthat> eventually
15:14 < realazthat> in that case, why not just buy and hold?
15:14 < realazthat> hmm dunno
15:15 < DrChill> It would buy low and sell high but in small increments
15:15 < DrChill> So even if the market is stable, it would profit
15:15 < realazthat> try it on old data :D
15:16 < DrChill> Indeed, I used to do something like this on a game, and made some profit doing it, should be fun to make :)
15:18 < realazthat> lol
15:49 < sipa> DrChill: off topic here
15:50 < DrChill> sipa: Ah, ok, sorry
--- Log closed Wed Apr 24 00:00:01 2013
--- Log opened Wed Apr 24 00:00:01 2013
--- Log opened Wed Apr 24 10:04:23 2013
19:11 < amiller> i've been working on a couple new thoughts
19:11 < amiller> about incentive modeling
19:11 < amiller> i think the coinbase maturity time is harmful
19:11 < amiller> i'll explain why
19:11 < amiller> lets say for now my model is some mix of attacker / honest / rational miners
19:12 < amiller> where all of the miners have to pay their mining costs, and the key thing about the rational ones is that they have to earn at least enough profit to pay off their costs otherwise they don't participate
19:13 < amiller> what we want, and what seems to generally be the case, is that it's rational to act like the honest nodes, in other words building on the longest valid chain you know about
19:14 < amiller> and basically the reason why that's rational is because if you mine on any smaller chain, it's more likely that someone else will extend the other block rather than yours so it will be wasted
19:14 < amiller> this breaks down under some conditions.
19:14 < amiller> the particular scenario i want to focus on is when there is an enormous anomalous fee paid in a single block
19:15 < amiller> think of a million dollar transaction fee
19:15 < amiller> suppose someone mines that block and claims that whole fee
19:16 < amiller> you have a choice of either trying to mine your own block and claim the fee for yourself or building on top of that other guy's claim
19:18 < amiller> if you assume everyone else is honest, then you stand a lot more to gain by working on your own block
19:18 < amiller> that means it is not a nash equilibrium to work on someone else's block.
19:18 < amiller> ok so
19:19 < amiller> on the other extreme, you have to consider that even if you succeed at mining the block, it's possible other people won't extend yours anyway
19:19 < amiller> so!
19:20 < amiller> what's the optimal behavior?
19:20 < amiller> you try to mine on the other block
19:20 < amiller> but if you succeed
19:20 < amiller> you take only a tiny bit of the fee for yourself!
19:20 < amiller> you broadcast a new transaction that puts most of the enormous fee back into the mempool!
19:21 < realazthat> hehe
19:21 < realazthat> or,
19:21 < amiller> now everyone would be fighting over that block more than yours
19:21 < amiller> so the nash equilibrium is when you take exactly what the cost of the work is
19:22 < amiller> because that's when no one has any incentive to remove your work for only a marginally higher reward
19:22 < realazthat> you "make a deal" with a bunch of mining coops to fork at that very block, giving rogues a chance at that fee
19:22 < realazthat> or is that one of your suggestions
19:22 < realazthat> mm nvm
19:22 < realazthat> I think its the same thing
19:23 < amiller> now notice how the coinbase maturity prevents the nash equilibrium strategy from being reached
19:24 < amiller> because the only way someone could create that offshoot transaction to keep progress going forward
19:24 < amiller> is if you have unbounded budget in reserve
19:24 < amiller> because you can't use your coinbase transaction that earns the huge fee to create a transaction for them to include in the next block
19:25 < amiller> therefore the coinbase maturity actually *encourages* anti-consensus behavior
19:25 < amiller> it makes it impossible to take anything less than the whole damn fee
19:25 < amiller> thus greatly increasing the value in quibbling over a big fee
20:20 <@gmaxwell> amiller: for some time I've wished that half the fee paid out in this block, and half of the rest paid out in the next block and so on.
20:21 <@gmaxwell> amiller: but this creates incentives to pay fees externally.
20:21 < amiller> i think my solution is great
20:21 < amiller> it means it's an auction
20:21 < amiller> you should take as much of the fee for yourself as you can except to the extent it makes it more likely for someone else just to outmine you
20:21 < amiller> actually i can be a little more specific than that
20:22 < amiller> nvm no i can't
20:25 <@gmaxwell> amiller: I don't think that actually matters, you'd just force people to pay you out of band instead of via direct fees.
20:26 < amiller> gmaxwell, i don't see what you mean
20:27 <@gmaxwell> amiller: the equilibrium state is that there are no fees in transactions at all, and people are just paying miners via some other means.
20:29 < amiller> i don't see why that's an equilibrium either
20:30 < sipa> i think the equilibrium state is that people who care about security, run a miner themself
20:30 < sipa> to get their own transactions mined
20:31 < amiller> i don't see how that helps security either
20:32 < amiller> anyway there's at least two different types of roles here, the miners and the users, and for the sake of the discussion i originally meant to hold the users constant
20:32 < amiller> where they pay whatever the fees are worth and the only way to do it is via transaction fee
20:33 < amiller> i don't understand how the ability to pay people out of band changes it or why that's cheaper/preferable
20:33 < amiller> or why mining your own transactions helps anything
20:36 < sipa> 'equilibrium' != 'helps'
20:37 < sipa> (but i'm not very knowledgeable about this, so if you don't agree, assume i'm wrong)
20:40 <@gmaxwell> amiller: because in my example there are no 'fees', and so no incentive to orphan transactions.
20:42 < amiller> gmaxwell, i don't understand how this side payment mechanism works, so i don't really understand what you mean
20:43 <@gmaxwell> amiller: E.g. you send me shares and I pay you with regular bitcoin transactions just for virtue of trying to mine my transaction.
20:44 < amiller> and that's more cost effective than attaching a fee to a transaction
20:44 <@gmaxwell> it removes any orphaning incentive.
20:47 < amiller> sorry what's an orphaning incentive
20:48 < amiller> the only reason to pay tx fees is to be included in the next block as opposed to some later block right
20:55 <@gmaxwell> 16:14 < amiller> this breaks down under some conditions.
20:55 <@gmaxwell> 16:14 < amiller> the particular scenario i want to focus on is when there is an enormous anomalous fee paid in a single block
20:55 <@gmaxwell> 16:15 < amiller> think of a million dollar transaction fee
20:55 <@gmaxwell> 16:15 < amiller> suppose someone mines that block and claims that whole fee
20:55 <@gmaxwell> 16:16 < amiller> you have a choice of either trying to mine your own block and claim the fee for yourself or building on top of that other guy's claim
20:55 < amiller> oh i see
20:57 <@gmaxwell> also on that subject petertodd has suggested that all users should nlocktime their transaction at the earliest height they think they could be reasonably mined at... so the chain must move forward to gobble up those fees.
20:57 < amiller> so my solution is for the miner who mines to put the rest back as a fee for the next miner to take
20:57 < petertodd> keep in mind, the worst case scenario only happens with optimal miners who have actually implemented code to do all this magic stuff. If you make it nearly always not worthwhile that code won't exist.
17:22 < sipa> bitcoin (at the protocol level) isn't designed for microtransactions
17:27 < phantomcircuit> arbart, trust a third party
17:27 < phantomcircuit> remember that the transactions are micro
17:30 < sipa> #bitcoin-dev please, btw
17:31 < arbart> sipa, cool, that is what i was wondering then i guess
17:31 < arbart> and alright, what is the purpose of this channel then, I thought it was similar?
17:33 < Luke-Jr> this channel is more like extreme advanced stuff that isn't really practical :p
17:33 < arbart> well that is what I like :)
17:33 < sipa> arbart: oh, i misread your line
17:34 < sipa> i thought you said "what is the state of enabling microtransactions", which would apply to bitcoin-as-it-exists today
17:34 < sipa> for state-of-the-art, there are some more interesting ideas
17:34 < sipa> like probabilistic transactions
17:34 < arbart> yes, now you are talking :) why i came here
17:36 < gmaxwell> probabilistic transactions are more of a social/political challenge than a technical one. (I think the lottery protocols iddo/adam3us worked on can basically be applied directly to create a probabilistic payment)
17:37 < arbart> ah interesting, i didn't find this before, now searching 'probabilistic transactions', i find much stuff! sipa, thank you already!
17:37 < sipa> arbart: gmaxwell certainly has more state about it than i do
17:39 < arbart> gmaxwell: what is the social/political challenge you see with it?
17:39 < Luke-Jr> arbart: 'probabilistic transactions' essentially means 9 times out of 10, you get nothing, and the 1 other time you get a penny
17:40 < gmaxwell> arbart: Many people seem to not regard a probabilistic payment as a payment.
17:41 < arbart> ok, i'm starting to see. reading https://bitcointalk.org/index.php?topic=62558 right now.
17:43 < sipa> gmaxwell: many seem to not regard playing lotto as paying tax either
17:46 < gmaxwell> sipa: People are implementing batch DSA verification in this thread: https://bitcointalk.org/index.php?topic=427025.0
17:46 < arbart> it is interesting so far :)
17:46 < arbart> i understand it now
17:47 < sipa> gmaxwell: how do they overcome not knowing R.y?
17:47 < arbart> i think the reason i am in -wizards and not -dev is because stuff like that, gmaxwell, is good to have, but not enough of a solution; something more extreme :) is needed
17:48 < gmaxwell> sipa: brute force.
17:49 < arbart> i suppose it is hard to tell though, that looks interesting, and combined with pruning and all, might enable native nanotransactions
17:50 < petertodd> arbart: pruning doesn't make the bandwidth problem go away unfortunately
17:50 < gmaxwell> sipa: basically you guess the sign and test and apparently this still comes out ahead.
17:50 < gmaxwell> arbart: native nanotransactions
17:50 < gmaxwell> doesn't really sound sensible in a global consensus system.
17:50 < arbart> :)
17:50 < gmaxwell> Now, you can do things to perform them non-globally and that perhaps becomes more interesting.
17:50 < arbart> hmm :)
17:50 < petertodd> arbart: now, an interesting question is if you really need global consensus? I think there are blockchain structures that don't
17:51 < arbart> ahh, right
17:51 < gmaxwell> So there are a couple paths to relaxing that which have different tradeoffs.
17:51 < petertodd> arbart: right now just trusting a third-party is probably far more practical
17:51 < arbart> maybe global checkpointing, but only local is interested in the details usually, etc?
17:52 < petertodd> arbart: trusting third-parties and non-global-consensus blockchains have interesting convergence re: security I suspect
17:52 < gmaxwell> are you just stringing words together? :P
17:52 < arbart> i understand the third-party thing, another avenue im interested in
17:52 < petertodd> arbart: global *ordering* is a better term
17:52 < petertodd> arbart: heh, let's see if I can explain my pet idea to you re: tree-chains... so imagine you have a blockchain, and you merge-mined two child chains with it, left and right.
17:52 < arbart> only out of the necessity you think is there
17:52 < petertodd> arbart: you know what merge-mine means?
17:53 < arbart> ok, i get that term
17:53 < arbart> petertodd: not yet
17:54 < petertodd> mining: I find a pow solution so that my block will be part of the consensus
17:54 < petertodd> merge-mining: the rules of the system let me re-use a pow solution from a different consensus system, letting me do one bit of work, yet get two blocks from two different systems
17:54 < arbart> ok, intuitive :)
17:55 < petertodd> merge-mining is implemented by just letting you prove the block solution for system #2 by showing a merkle path through some tree that terminates in the blockheader for system #1
17:55 < petertodd> (namecoin does this)
17:56 < arbart> ok, i was guessing that, so i think i got it :)
17:56 < petertodd> right, so we have the parent chain, and two child chains, left and right, got that? you can mine the parent chain, or the parent chain and the left chain, or parent and right chain (in our system)
17:57 < arbart> petertodd: was just about to prod you :)
17:57 < petertodd> basically it's *exclusive*, you can only mine the left *or* right child chain (or neither)
17:57 < arbart> oh ok, noted
17:58 < petertodd> this means the work done on these child chains will tend to be half that of the parent (assuming the reward is halved for instance)
17:58 < petertodd> however, this also means that a given miner only needs the data, and thus bandwidth, cost of the parent and one child. so the total # of transactions in both children can be higher and the system still works
17:59 < petertodd> the downside is that transactions in either child chain have less security, it only requires 25% of the hashing power to reorg that chain as the parent chain
17:59 < petertodd> got that?
17:59 < arbart> oh wow, yes, a load balancing mechanism :) thinking about the security aspect though
18:00 < petertodd> yeah, so we've figured out how to make it more scalable, now, what about the security? well, let's make a new rule! if a pow solution for a child chain *also* meets the difficulty of the parent, we say that block is fixed - it's only allowed to be reorganized if the parent chain itself gets reorganized
18:01 < petertodd> now it takes 50% of total hashing power to attack the child chain right? nope
18:01 < petertodd> can you guess why?
18:01 < arbart> i guess im missing the reorganized part
18:02 < petertodd> reorg just means work is done to extend a block other than the current best block, so when your node learns about the longer chain, suddenly the shorter one is made invalid by definition
18:02 < arbart> well at least because only half the network is working on each side of the chain?
18:02 < petertodd> remember, the problem bitcoin is trying to solve is consensus on what's the longest chain
18:02 < arbart> ah nice okay, was just missing that definition
18:02 < petertodd> arbart: sure, but an attacker can still get some hashing power somehow and reorg one of those child chains, and they only need 25% of the total hashing power to do that
18:02 < arbart> or word i mean
18:03 < petertodd> good
18:03 < arbart> ah right, half of half, got it now.
18:03 < petertodd> yup
18:04 < Luke-Jr> petertodd: you coming to Miami?
18:04 < petertodd> so here's the question: with this fancy "parent chain locks things" scheme, why can the child chain be still attacked with just 25% hashing power?
18:04 < petertodd> Luke-Jr: isn't that, like, right now?
18:04 < Luke-Jr> petertodd: tomorrow :p
18:04 < petertodd> Luke-Jr: heh, nah, tomorrow's my last day of work, couldn't make it
18:05 < petertodd> Luke-Jr: how long does it go? I guess I could strictly speaking... :P
18:05 < Luke-Jr> Saturday and Sunday is the main conference! :p
18:05 < petertodd> Luke-Jr: heh, nah, too tight
18:05 < arbart> hmm, that is a sucky result, a good question to analyze, in order to make sure it is right :)
18:05 < Luke-Jr> Friday is just the pre-conference thing
18:05 < petertodd> arbart: Well, let's think this through: what does attack mean anyway?
18:06 < petertodd> arbart: So, I could attack the chain by making only empty blocks and make it useless, I could also attack it by reorganizing it and double-spending transactions... but there's one other thing I can do.
18:06 < arbart> well the value of what they are attacking is also half i suppose. that counts for enough to throw the game theory?
18:06 < Luke-Jr> petertodd: the first case is debatable
18:06 < petertodd> arbart: maybe! but what if they're just assholes and want to burn the world?
18:07 < petertodd> arbart: we might as well know how much said assholes need to spend
18:07 < arbart> so the one you didn't list is to just not allow new txs to be added?
18:07 < petertodd> Luke-Jr: for sake of argument, we'll say empty blocks are an attack
18:07 < petertodd> arbart: yup
18:07 < gmaxwell> "making only empty blocks and make it useless"
18:07 < arbart> ok, heh, that is the main one i knew about
18:07 < petertodd> arbart: oh, sorry, no, there's one I didn't list that's more subtle
18:08 < arbart> petertodd: ok, i understand, and agree with that knowledge being valuable!
18:09 < petertodd> arbart: I'll give you a hint: this rule where a particularly good PoW "locks" in the chain, how would you actually implement that?
18:10 < arbart> oh my, so put in their own entire child chain?
18:10 < petertodd> well, here's the big thing: in this scheme I'm assuming that miners mining these child chains also have full consensus on the parent, and all associated data
18:10 < arbart> i wondered about the exact implementation of what you asked there, but did not formulate or see how it is done yet.
18:11 < petertodd> yeah, implementation is critical
18:11 < arbart> ok,
18:11 < arbart> i was thinking it wouldn't be that easy for my fear there
12:39 < petertodd> Luke-Jr: Like it or not sometimes there are *very* good reasons to be able to prove that the whole of Bitcoin was able to see your data.
12:40 < Luke-Jr> petertodd: not good reasons to force the whole of Bitcoin to see/store data they never consented to see/store
12:41 < petertodd> Meh, Bitcoin can be a better financial system with some of these uses.
12:42 < jgarzik> Luke-Jr, disagree.  Plenty of uses for timestamping.  That alone could revolutionize accounting and finance, in a way that bitcoin-the-currency doesn't IMO
12:42 < jgarzik> gotta strike a balance.  the majority of users just want to transfer or hold bitcoins-the-currency.
12:42 < Luke-Jr> jgarzik: timestamping does not require cluttering the bitcoin blockchain
12:43 < Luke-Jr> just shove a hash in the merged-mining merkletree and that's it
12:43 < jgarzik> require? no.  no other chain has the same strength, so rational economic actors will look at the strongest chain.
12:43 < jgarzik> yes, if there was an alt-chain for data, that all pool ops carried, things would be different
12:43 < petertodd> Luke-Jr: There are applications beyond timestamping you know - announce/commit sacrifices are a perfect example where genuine provable visibility is absolutely vital.
12:44 < Luke-Jr> petertodd: those are just timestamping too afaik
12:44 < petertodd> Luke-Jr: No they aren't: timestamping the announce is useless, you *must* prove that the whole of Bitcoin had the opportunity in advance to mine it.
12:45 < Luke-Jr> hmm
12:45 < Luke-Jr> how would a pre-announce merged-mined block not work for that?
12:47 < petertodd> Luke-Jr: Because if the alt-chain is merge mined by, say, 25% of mining pools your sacrifices are already so dubious as to be nearly worthless.
12:47 < petertodd> Luke-Jr: You need strong convincing evidence that the transaction really was visible to all.
12:47 < Luke-Jr> petertodd: not really. even 25% gives you 1 in 4 blocks
12:48 < Luke-Jr> you just need to wait 1-4 blocks additional
12:48 < Luke-Jr> hmm
12:49 < Luke-Jr> yeah, I think it should be fine
12:49 < Luke-Jr> I do see another problem that affects it regardless of where the pre-announce is done..
12:49 < petertodd> Luke-Jr: It has nothing to do with waiting; the issue is that with 25% a 12.5% pool has sufficient hashing power to 51% attack the proof-of-visibility chain and create sacrifices that were never publicly announced and thus aren't true sacrifices at all.
12:50 < Luke-Jr> petertodd: tie the POV chain to the BC chain
12:50 < Luke-Jr> POV blocks are only valid if they're in the BC chain
12:50 < Luke-Jr> in fact, POV doesn't need a chain of its own at all
12:50 < petertodd> Luke-Jr: Again, that's irrelevant. You need to show that the chain was public knowledge.
12:51 < Luke-Jr> ok, so then make POV a chain again, and each POV block confirms the previous was visible
12:51 < petertodd> Only with a very high participation rate among Bitcoin miners is the proof any good, and frankly at that point you're in the same situation you were before with bloating up a blockchain...
12:52 < Luke-Jr> not the same situation, no
12:52 < Luke-Jr> *users* don't need it
12:52 < petertodd> That's the thing, all it confirms is that x amount of hashing power saw a given transaction, if that x is even just 25% of the main Bitcoin blockchain the proof is already pretty dubious.
12:53 < petertodd> Announce/commit sacrifices already have the issue where you really need to discount them by 50% from the get-go to be sure, and at least 10% or so even if you aren't being cautious.
12:54 < Luke-Jr> why can't you just have a rule that the redemption of a send-to-any must occur in a separate block from the send-to-any itself, to be valid?
12:54 < petertodd> Well, indeed, any type of sacrifice to mining fees, with the possible exception of ones that are only spendable way in the future - months - which can't be done with the current scripting system.
12:55 < petertodd> Luke-Jr: That's what I proposed on the mailing list, and that's a soft fork. The other way is to do the sacrifice as an anyone-can-spend in the coinbase tx.
12:56 < Luke-Jr> petertodd: it's not a soft fork, it just has a risk some miner is a jerk and screws you :p
12:56 < petertodd> Luke-Jr: um... yeah... That's about a 100% risk if fidelity bonds are used even just a bit.
12:56 < petertodd> Luke-Jr: Who doesn't want free BTC?
12:57 < Luke-Jr> too bad there's no nLockTime for scriptPubKeys :P
12:58 < petertodd> Yup...
12:59 < petertodd> Anyway, point is, that's just one example where visibility proofs are essential, and there are a whole lot more out there... dismissing any and all data from the blockchain goes too far.
13:10 < Luke-Jr> I still see no need for it to be part of the BC blockchain
13:11 < Luke-Jr> a merged mine chain can be just as effective while not forcing itself on people who have not agreed to it
13:20 < petertodd> Like jgarzik said with this stuff you want to go for the strongest blockchain, and that'll be Bitcoin. Even merge mining doesn't help there because you are never going to get 100% participation, and if you do, it's damn near equivalent to putting it in the blockchain anyway.
13:22 < Luke-Jr> only equivalent for miners, not for everyone else
13:23 < Luke-Jr> and forcing people to do things against their consent is not justified to get 100%
13:23 < petertodd> Pff, don't give me that consent crap. If you want to enforce that, enforce it with code.
13:23 < Luke-Jr> exactly my point
13:24 < Luke-Jr> POV code should be written so that people can't force others to participate against their consent.
13:24 < petertodd> People run code that accepts arbitrary data right now; to say they aren't consenting to what the code they are running allows is silly.
13:24 < Luke-Jr> ie, if you don't use the merged chain, I won't recognize your proof
13:24 < petertodd> No, Bitcoin-Qt should be written to match what the users wish to consent to.
13:24 < Luke-Jr> petertodd: no, it isn't silly
13:25 < Luke-Jr> yes, gmaxwell proposed a solution to fix this problem on the Bitcoin side
13:25 < petertodd> If we wanted to govern ourselves by social rules we would be using something other than Bitcoin...
13:25 < Luke-Jr> Bitcoin != anarchist
13:25 < petertodd> yup, and gmaxwell's solution works well and if the userbase wishes to they can use it - if you are so concerned about this go and implement that solution!
13:26 < gmaxwell> feh. never that simple.
13:26 < petertodd> But don't give me crap about consent when people are willingly running code that works otherwise.
13:26 < gmaxwell> In a frictionless environment what you say is true, but we're not in a frictionless environment.
13:28 < gmaxwell> It's not like accepting my hash preimage stuff even if it were all implemented and tested is costless. A lot of people would resist it because they're simply unsure or don't understand the implications, even people who are very concerned about people stuffing troublesome data on their disks.
13:28 < gmaxwell> Go look at all the sites that will not pay to 3xxx addresses. :(
13:28 < petertodd> That is true, but going and pouting that people are putting data in the blockchain obviously doesn't stop people from doing so - technical measures stop people.
13:29 < gmaxwell> I don't agree completely. Society is part of how this works too. Pouting influences behavior, including technical ones.  It may, in fact, be a necessary precondition to deploying the technical solution.
13:30 < gmaxwell> We have lots of tools in our toolbelt, and we'd be fools to not use all of them because we've fixated on a particular kind of tool being right for a particular kind of problem.
13:30 < gmaxwell> Though, let me go back here a bit
13:31 < gmaxwell> If you're talking about data which is on the order of 32 bytes/txn ... well, you cannot securely bind a transaction to external data any smaller than that.
13:32 < petertodd> Don't get me wrong, I'm not going to say social measures are useless, my point is that they have proven to be not very useful again and again to anyone who has a reason to go against the social measures.
13:32 < petertodd> They're fine for discouraging people working on hobby projects, but that's about it.
13:32 < gmaxwell> Once you start getting bigger you have to worry that (1) deployment of the preimage stuff will actually break your system, (2) desire to preserve your system (I haven't followed the discussion, I assume you were talking about putting sacrifices in pubkeys?) might be used to argue against preimages, which kinda sucks.
13:33 < petertodd> gmaxwell: Well I was mainly using it as an example where you need a genuine proof-of-visibility and anything less just doesn't work.
13:33 < gmaxwell> amusingly I think that social measures are more effective against businesses than hobby projects; the latter is in a better position to say "fuck you, I don't care what _anyone_ thinks"
13:34 < petertodd> gmaxwell: In response to Luke's assertion that merge-mine chains and merkle-trees for timestamping is always good enough.
13:34 < petertodd> The problem is in Bitcoin businesses are often totally anonymous, and the issues where the social measures matter are complex technical things.
13:35 < gmaxwell> petertodd: ultimately any idea that depends on getting unjammability from bitcoin is really fragile, I think. Simply because capacity will kill you if nothing else does.
13:35 < gmaxwell> meh. doesn't really matter if they're anonymous or not, I can deny a business income by social ostracism of their _customers_.
13:35 < petertodd> On the other hand if you can architect in a way where limited capacity is ok, it's the best solution out there.
20:12 < maaku> oh i meant lazy vs strict parameter evaluation (e.g. Haskell)
20:12 < jrmithdobbs> after doing nothing but writing haskell for the last 2 months
20:12 < jrmithdobbs> lol
20:12 < sipa> tree pieces are delimited by choose operators
20:12 < maaku> yes you definitely need lazy/short-cut conditionals
20:12 < petertodd> gmaxwell, sipa: remember that one potential way of doing this is rather explicitly with OP_EVAL and OP_HASH160 (essentially)
20:13 < gmaxwell> sipa: I think you could go further and have two kinds of choose operator, one that hashes and one that doesn't.
20:13 < sipa> gmaxwell: well there can be a regular ifthenelse operator
20:13 < sipa> that has no choose magic
20:13 < gmaxwell> right. fair enough.
20:14 < sipa> i'm saying the same thing i think
20:14 < sipa> except choose is special in that it explicitly takes a hash as argument, and not an expression
20:14 < gmaxwell> Right.
20:15 < petertodd> sipa: note that simple if-else-endif isn't sufficient if scripts or script fragments can return a value before reaching the end of the block - you might not want the rest of the block to be public
20:15 < sipa> but so is const or access, they don't take subexpressions either
20:15 < sipa> petertodd: these are not imperative programs, there is no return operator
20:16 < sipa> they're just expressions
20:16 < petertodd> sipa: right
20:16 < gmaxwell> petertodd: even if there were you could always wrap the hidden data with another choice.
20:16 < petertodd> gmaxwell: true
20:17 < sipa> yeah, choice is there to hide pieces of the script
20:17 < sipa> either because they are large
20:17 < sipa> or because they are private
20:17 < petertodd> sipa: hmm... so when is choice not something you can do with an if block?
20:19 < gmaxwell> (kind of a fun thing where we could make standard addresses  a choice with ecdsa in one branch and then a hash based quantum hard signature in the other... and if there is a compromise of ECDSA we soft fork to deny ecdsa redemption while people redeem coins via the hash based signing.)
20:19 < sipa> i don't think it's really an if in any case
20:19 < sipa> let me come up with an example
20:19 < sipa> to do a 1-of-2 multisig
20:20 < sipa> let's say scriptA is something that fetches a sig from the stack and verifies it with pubkeyA
20:20 < maaku> hrm. I just realized that by executing code from the stack Joy/Cat makes it difficult to Merklize...
20:20 < sipa> scriptB is the same, but for pubkeyB
20:20 < petertodd> sipa: right
20:21 < petertodd> maaku: you can still merklize the initial code up to where the stack is executed
20:21 < jtimon> maaku: that seems right, I guess AST-script it is
20:21 < sipa> now you construct a script of the form choice(scriptA,scriptB), and put its merkle root in the output
20:21 < sipa> however, to spend it
20:22 < sipa> you either use choiceL(scriptA,hash[scriptB])
20:22 < sipa> or choiceR(hash[scriptA],scriptB)
20:22 < petertodd> sipa: see, I'm not sure how that's any different from IF <executed ops> ELSE <hash> ENDIF
20:22 < petertodd> sipa: which is how I always envisioned MAST to work
20:22 < sipa> it's an if then else, but the if/else is hardcoded
20:23 < sipa> it cannot be an expression
20:23 < sipa> its runtime semantics is just the identity
20:24 < sipa> it only affects how the hash of the script is computed
20:24 < sipa> note that choiceL(scriptA,hash[scriptB]) evaluates to just scriptA
20:25 < petertodd> right, and by that I mean in the binary representation of a script, you'd have some way to signify a IF code block that must never be executed, followed by the hash, vs. one containing actual opcodes
20:25 < sipa> right, but i don't like to think of it in term of executable operations
20:26 < sipa> it's just a tree with certain parts covered, by giving a hash instead
20:26 < petertodd> well, we're using similar words for the same thing :)
20:26 < sipa> sure
20:27 < sipa> but i think your original question really was
20:27 < petertodd> see, my real point is, with merklized forth it gets even more sophisticated, because your symbol table is hashes of code, and potentially at runtime you'd do something more sophisticated there to just get some chunk of code dynamically
20:27 < petertodd> yet you can still arrange such that code that's never executed is never provided
20:27 < sipa> that's over my head :)
20:28 < sipa> anyway
20:28 < sipa> one question is if there are other merkle-choosing-like operations possible
20:28 < sipa> which do not mimic if-then-else
20:29 < sipa> i think if you have some for(i in [0..n], f(i)) operator
20:29 < petertodd> sipa: tl;dr: forth can do the magic that lisp can do, not with macros, but with self-modifying code
20:30 < sipa> with n a constant integer
20:30 < petertodd> right
20:30 < sipa> then you can have a merkle version of it as well
20:30 < sipa> that takes the hash of the non-evaluated loops
20:30 < petertodd> and for that matter, you can do tail-recursion for loops too...
20:30 < petertodd> and that can still be merklized
20:31 < sipa> without needing to reveal how many loops you wanted to be possible
20:31 < gmaxwell> sipa: well ... if you have a homomorphic hash you can do 1 of N execution more efficiently. Though I'm not aware of any way to do that which we'd consider in scope for this discussion.
20:32 < sipa> haha
20:32 < maaku> petertodd: how are you going to merklize forth?
20:32 < maaku> ah, are you thinking of replacing a quoted block with its merkle hash?
20:33 < petertodd> maaku: remember, we're merklizing the potential code that can be run
20:34 < petertodd> maaku: so if you end up with code that defines new symbols, but doesn't use those symbols, then the symbol definition doesn't actually need to happen if that particular execution trace doesn't use them
20:35 < gmaxwell> sipa: so, linear iterative compression.
20:35 < gmaxwell> say you have some straight line code that can stop at some point.
20:35 < maaku> petertodd: ok, in Joy at least "if/else" is handled like so (I think it's the same for Forth): <predicate-evaluation> [quoted-true-block] [quoted-false-block] OP_IF
20:36 < maaku> in other words, push the code on the stack before execution
20:36 < petertodd> maaku: correct
20:36 < maaku> so I suppose we can replace the branch not taken with OP_RETURN (when executing), plus an affixed hash value for what was there
20:36 < gmaxwell> ins0 1 2 3 4 5 6 7 8      you compute  H(ins0....H(6|H(7|H(8))...)  and then if you execute and run to step 4 and stop, you'd provide  0 1 2 3 4 H(5...H(8)).
20:37 < maaku> ok that would work
20:37 < petertodd> maaku: and a symbol is a chunk of code, so you have <predicate> Symbol1 Symbol2 OP_IF, and symbol2 never executes, then where the symbol is defined in the first place can be replaced with just the hash of the opcodes that would have been put there
20:37 < gmaxwell> I think that structure is not equal to choices.
20:37 < sipa> gmaxwell: that's exactly what i meant
20:37 < sipa> with the for loop
20:37 < gmaxwell> okay, good then I came about to the same thought.
20:37 < gmaxwell> is there something that generalizes those two? are there more?
20:38 < sipa> very good question!
20:38 < sipa> but it's really about some parametrizable control flow
20:38 < sipa> oh um
20:39 < sipa> this is an expression language
20:39 < sipa> a for loop doesn't really make sense
20:39 < sipa> but you can replace it by a fold
20:39 < sipa> fold(3,f,x) computing f(f(f(x)))
20:40 < petertodd> sipa: you know, you can replace a for loop with repeated opcodes, and zlib compression...
20:40 < sipa> where that recursive hashing becomes much more apparent
20:40 < maaku> jtimon: see above ^^
20:40 < jtimon> yeah
20:41 < sipa> petertodd: that doesn't allow hiding the number of iterations from the root hash
20:41 < jtimon> "Combinators in Joy behave much like functionals or higher order functions in other languages, they minimise the need for recursive and non-recursive definitions."
20:41 < jtimon> maybe it's relevant although I'm starting to get tired and following your interesting conversation gets harder
20:41 < petertodd> sipa: ah, your example of a for loop is to loop based on a stack constant, not a symbol constant?
20:42 < sipa> petertodd: based on a constant given in the spending script
20:42 < petertodd> sipa: yeah, that's different
20:42 < sipa> petertodd: but NOT given in what goes in the root hash
20:42 < gmaxwell> fundamentally the _maximum_ depth of the loop could be hidden. (mean I can describe a language that allows this)
20:42 < petertodd> sipa: yup
20:43 < sipa> yes, you need to know a maximum iteration count
20:44 < sipa> but you don't have to reveal it
20:45 < gmaxwell> might be interesting to describe a hash based winternitz compressed signature in this language, assuming there exists an OP_PUSH_TX_HASH ... I propose that if our choice operator(s) are good then a maximally efficient winternitz signature will be completely natural.
20:46 < sipa> .. you lost me
20:47 < gmaxwell> sipa: you know how a lamport signature works, right?
20:48 < sipa> more or less, yes
20:48 < gmaxwell> for each message bit x, reveal either preimage_x or H(x) depending on if the message bit is 1 or 0. The public key is just the root hash over this data.
20:50 < sipa> hmm
20:50 < sipa> i need to see that on paper
20:50 < sipa> but now now
20:50 < gmaxwell> winternitz optimization:  take your message bits in groups of 4 bits.  so your 256 bit message becomes 64 4-bit words.   you have then 64 preimages.  H( ... 16 hashes total ..H(H(preimage_n)))  and your message word selects how deep in this structure you reveal.
20:51 < sipa> right
20:51 < sipa> so you weigh smaller signatures over deeper hashes
14:37 < adam3us> petertodd: in the next round everyone gets as many votes as they have on their public key and the result defines which tx is first
14:37 < adam3us> (its all random anyway, it doesnt even matter which is first, just that one is chosen)
14:37 < petertodd> Interesting! That could be a decent way to reduce variance, although sounds like distributing the blocks for them to be voted on could be bandwidth intensive.
14:38 < adam3us> if the reward comes direct, maybe people can direct mine
14:39 < petertodd> (FWIW, fpga hardware is in the realm of 10x to 100x less efficient than ASICs depending on what you are trying to do; the "FPGAs are commodity" assumption is a lot easier to meet - maybe litecoin scrypt is already there)
14:39 < petertodd> adam3us: an idea I had was for the tx merkle tree to include pow
14:40 < petertodd> adam3us: like, every node on the tree would be able to include a specific pow, and you would sum total work
14:40 < petertodd> adam3us: makes it easy for anyone to do the pow for their own transactions, but the validation of the pow has to be reasonable efficient
14:42 < petertodd> (conveniently medium to high-end FPGAs these days all come with blockrams scattered over the die surface)
14:43 < petertodd> (sizes tend to be in the dozens to low hundreds of KiB per block ram, same size as litecoin scrypt assumes)
14:44 < petertodd> (the block rams however are themselves *not* as efficient as dedicated ASICs, because modern memory uses unique IC processes that verge on black magic; I'd have to investigate more to get an idea of what kinds of cost ratios are involved here and what they'd look like in the future)
14:49 < adam3us> petertodd: "an idea I had was for the tx merkle tree to include pow" did you see this paper http://hashcash.org/papers/merkle-proof.pdf by fabien coelho, i'm pretty sure you did maybe you were on the im thread when i heard a ref to it
14:49 < adam3us> "An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol based on Merkle Trees"
14:50 < adam3us> its just  space optimization and verification time optimization over sending n sub-puzzles, but its quite nice
14:50 < amiller> i bring up that paper a lot
14:50 < amiller> (but when i do, it never solves the problem i want it to)
14:50 < adam3us> amiller: it was probably you i heard it from
14:52 < petertodd> right, that's where I got the idea
14:52 < adam3us> anyway in principle if you can earn voting rights by making disconnected proofs of work the proofs of work are not first past the post races and could even be deterministic (0 variance)
14:53 < adam3us> an end to luck, and you pick your own work size
14:54 < petertodd> Right, but how will that avoid the fastest miner wins problem?
14:54 < adam3us> petertodd: "sounds like distributing the blocks for them to be voted on could be bandwidth intensive." well they're broadcast already for spending
14:54 < adam3us> petertodd: well there is no winner, everyone collects voting power
14:55 < adam3us> petertodd: then you take a vote on which of double-spent tx are first
14:55 < adam3us> petertodd: tx with highest (or lowest) vote wins
14:55 < petertodd> Right, but think about the mechanics a bit more: how do you come to consensus on what block you're even going to vote on?
14:55 < adam3us> petertodd: like i say i dont think it even matters which is first, just that one wins - mining is quite random - the decision is made by a random node in proportion to power
14:57 < adam3us> petertodd: yes i get what you mean, but in this case as the voting rights are disconnected from the item voted on, you can just vote on the few tx that have any conflict (maybe) individually or a sig on a list of them
14:57 < amiller> what about dakami's proof of x86?
14:57 < amiller> i wanna see that
14:58 < adam3us> amiller:  dont know i just saw something vague from peter vesennes(sp?) forwarded from xgbtc (ex google bitcoin list) how exclusionary!
14:58 < amiller> it's like the corollary of the no-free-lunch theorem
14:58 < amiller> everyone's optimal at something
14:58 < adam3us> amiller: i think some people are still stuck at not realizing a GPU *is* a better cpu (for mining)
14:59 < petertodd> adam3us: right, but you have to be careful to make sure that people can't reassign their votes - maybe force the pow that creates the votes reference a blockhash for timestamp that hash
15:01 < Luke-Jr> amiller: give Intel a monopoly on bitcoin?
15:02 < amiller> Luke-Jr, i wouldn't have chosen x86, presumably if you can do it for x86 you could do it for anything else too like a TI dsp which has an open spec, or arm
15:02 < Luke-Jr> ARM is even more closed than x86
15:02 < Luke-Jr> I'm not aware of any open TI dsps
15:02 < amiller> i don't even think it's a desirable property, i think bitcoin mining *should* only run on dedicated hardware :/
15:02 < Luke-Jr> perhaps a subset of MIPS would work :p
15:03 < Luke-Jr> amiller: yes, but obviously this would be defining dedicated hardware as "x86"
15:03 < petertodd> amiller: that means control of bitcoin is centralized in the hands of the 2-3 chip fab companies in the world
15:03 < Luke-Jr> back in 2009, an ideal POW would have been one where RAM *was* the ASIC; but SHA256d has caught up
15:03 < amiller> build more chip fabs then
15:04 < petertodd> amiller: the entire world economy appears to be too small to do that. seriously
15:04 < amiller> meh
15:04 < petertodd> amiller: leading edge chip fabrication facilities are insanely expensive
15:04 < amiller> perhaps those don't even optimize for the kind of thing that makes a good bitcoin miner?
15:04 < amiller> i guess that doesn't make sense
15:05 < petertodd> I understand your concern re: hash-renting attackers, but understand it's a trade-off. It would be *very* easy for only a few governments (probably just one) to demand that all Bitcoin mining hardware be regulated in the future.
15:06 < Luke-Jr> frankly, POW is flawed unless over 50% of the world's electric production goes into mining at the most efficient way possible
15:06 < amiller> that is only if your attacker is that big
15:06 < Luke-Jr> frankly, POW is flawed unless over 50% of the world's electric production goes into mining at the most efficient way possible
15:06 < Luke-Jr> at some point, a replacement is needed
15:08 < petertodd> Luke-Jr: nah, that's a certificational flaw, not a pragmatic one :) The flaw really is more that the effort that goes into proof-of-work is only economically, say, 1% to 10% of the value of the system per year, which means any attacker gets a fairly large ratio of value destroyed to value spent, but there's nothing new about that... (box-cutters vs. the WTF)
15:08 < adam3us> petertodd: "adam3us: right, but you have to be careful to make sure that people can't reassign their votes - maybe force the pow that creates the votes reference a blockhash for timestamp that hash" yes there would have to be a timestamp chain included in the work to define the range of tx allowed for voting, and i suppose all previous round tx need to go in there also which comes back to how do you arrive at a serialization
15:08 < petertodd> s/WTF/WTC/...
15:09 < adam3us> amiller: re kaminsky this is what was forwarded to me email, posted by peter vessenes:
15:09 < petertodd> adam3us: yup, and it sounds like it'll be tricky to come up with a sufficiently simple system for that! though maybe just a direct timestamp chain would work, I'd have to think more...
15:09 < Luke-Jr> petertodd: I'm assuming the value goes up forever
15:09 < petertodd> it'd be really cool if a pure timestamp chain came out of this effort with a fairly short block interval...
15:09 < petertodd> Luke-Jr: ?
15:10 < adam3us> amiller: (on the ex google btc list) "   Kaminsky proposed to me a proof of execution architecture plan which
15:10 < adam3us>    sounds like it could guarantee it was running on Intel cores. I don't
15:10 < adam3us>    want to steal his thunder, but it would be a proof of work that could
15:10 < adam3us>    (provably?) disintermediate both botnet miners and ASIC companies.
15:10 < adam3us>  I've been trolling around for someone to lead a 'health of mining'
15:10 < adam3us>  committee for the Foundation, but haven't found someone willing to do the work of pulling the right folks together -- any volunteers here?"
15:10 < Luke-Jr> petertodd: at some point, it will become worthwhile to attack
15:10 < Luke-Jr> adam3us: ex google btc list?
15:12 < adam3us> sorry that was messed up, again: vesennes "Kaminsky proposed to me a proof of execution architecture plan which sounds like it could guarantee it was running on Intel cores.  I don't want to steal his thunder, but it would be a proof of work that could (provably?) disintermediate both botnet miners and ASIC companies. I've been trolling around for someone to lead a 'health of mining' committee for the Foundation, but haven't found someone wi
15:12 < Luke-Jr> sounds like something I'm already involved in, though not as a committee
15:12 < sipa> adam3us: the foundation hasn't really had much to do with development or technical stuff
15:13 < adam3us> petertodd: "it'd be really cool if a pure timestamp chain came out of this effort with a fairly short block interval..." (yeah I know you like your timestamp server;)
15:13 < sipa> also, what do you mean by 'ex google btc list' ?
15:13 < sipa> is there a bitcoin mailing list for ex-googlers? :p
15:14 < adam3us> luke-jr, amiller, sipa: yes when my buddy forwarded it to me (I dont know how he got it because he's not an ex-googler) I was like WTF? exclusive ex-google bitcoin list? how ugly and exclusionary
15:15 < adam3us>  could imagine vessenes got the wrong idea kaminsky likes to throw off the cuff thoughts and rants without thinking them through it maybe quite an unvalidated vague design idea
15:15 < Luke-Jr> adam3us: anyhow, health of mining is right up the avenue of things I've been doing for a long time
15:15 < amiller> former-marine silk-road squad
20:20 < petertodd> CodeShark: yeah, they fucked that one up though because strings blk*.dat wasn't cut-n-paste-able
20:20 < petertodd> CodeShark: cute though
20:21 < CodeShark> the retrieval tool shouldn't rely on the blk*.dat files at all
20:21 < CodeShark> retrieval should be possible via p2p protocol
20:21 <@gmaxwell> petertodd: see, you don't need an upload tool.. you just need datacoin.
20:21 < petertodd> CodeShark: no, I just mean that bootstrapping it was tough because you had to decode the tx containing the tool yourself
20:22 <@gmaxwell> it has the tool built in.
20:22 < petertodd> CodeShark: well that's a fun one: you can easily design this stuff to be SPV compatible re: bloom filters
20:22 < petertodd> CodeShark: even easier if someone implements prefix filters
20:23 < CodeShark> right
20:26 < petertodd> gmaxwell: it's always a trade-off between fees and security of your data...
20:27 < CodeShark> well, wrt txout bloat, the most sensible "wizards" solution seems to be to decrement the output value as a function of age until it drops to zero, at which point it is unspendable
20:28 < petertodd> CodeShark: MMR TXO commitments shift storage to wallets (roughly speaking)
20:28 < CodeShark> MMR - not sure I'm familiar with that acronym
20:29 < petertodd> CodeShark: merkle-mountain-range
20:29 < CodeShark> how does that work?
20:30 < petertodd> CodeShark: https://bitcointalk.org/index.php?topic=314467.msg3371194#msg3371194
20:31 < petertodd> CodeShark: there's some ugly issues re: bandwidth storage tradeoffs however - given that miners don't actually have an incentive to broadcast their blocks to >%30 of hashing power there can be incentives to make blocks full of UTXO spends that are ancient that no-one has cached
20:32 < petertodd> CodeShark: but that's a general problem...
20:34 < CodeShark> ah yes, interesting stuff. it's too bad the forums are so cluttered with garbage on occasion you do find good reads. I suppose I could filter by author :)
20:34 < petertodd> CodeShark: heh, well my fault for not having it written up as a paper yet
20:43 < CodeShark> the way things are right now, a secure signing node would have to store the complete transactions containing their outputs anyhow
20:43 < CodeShark> if for no other reason than that there's no other way for it to verify the output values
20:44 < CodeShark> so here we're also adding an O(log2) structure for proofs
20:44 < CodeShark> of existence in blocks
20:50 < CodeShark> existence of new outputs/removal of spent outputs, I should say
20:50 < petertodd> yeah, it's a fair bit of bandwidth over just the txin data
20:51 < petertodd> OTOH it is purely a tradeoff - if you have the UTXO set you don't have that cost
20:54 < CodeShark> so you would advertise whether or not you have the UTXO in the initial handshake?
20:55 < nsh> hmmm, there might be privacy implications in the negotiation
20:55 < petertodd> well, e.g. for a block being distributed if you don't have the utxo ask your peer to provide the proof
20:55 < CodeShark> asking the peer to provide the proof requires one more roundtrip which introduces greater latency
20:56 < petertodd> CodeShark: yup, which is why you want to have as many utxo's on hand as you can store
20:56 < CodeShark> point is you could establish whether or not you have the complete utxo in the initial negotiation
20:56 < petertodd> CodeShark: but at some point you run out of space, so you drop ones that are unlikely to be spent
20:56 < petertodd> CodeShark: well you could give your peer a bloom filter of what you have, for example
20:57 < CodeShark> right, something along those lines might work
20:57 < petertodd> yup, lots of options, main thing is that all those options are things that aren't forks
20:59 < nsh> perhaps it might be good to enable an ecology to these things: let various different approaches be 'right' and let natural selection on the basis of effectiveness and cost tend toward improvement
21:00 < nsh> the monocultural aspects of the bitcoin network should be whittled to a fine point of essential security and consistency
21:00 < CodeShark> problem is natural selection favors diversity (i.e. forks)
21:00 < petertodd> nsh: agreed, although people tend to complain that their wallets don't go fast :)
21:01 < nsh> mmm
21:01 < CodeShark> well, these approaches don't require block chain forks - but they do require care with protocol issues
21:02 < nsh> CodeShark, can't you look at the (hard)fork border as the boundary of an island (let's call it Coinagascar)? you can still have diversity within those confines...
21:03 < CodeShark> I suppose we could separate the core validation algorithms from the specifics of the protocol itself :)
21:03 < CodeShark> as in the specifics of networking with pees
21:03 < CodeShark> *peers
21:03  * nsh nods
21:04 < nsh> the downside is that you lose some of the shepherding function of the core dev team
21:04 < nsh> but i would anticipate that function isn't long-term sustainable if bitcoin grows into a very large ecosystem anyway
21:05 < nsh> and it's already accepted that you choosing to use one solution over another can have financial implications
21:05 < nsh> s/you //
21:18 < maaku> "In conclusion, I think that humanity should stop publishing papers about Byzantine fault tolerance. I do not blame my fellow researchers for trying to publish in this area, in the same limited sense that I do not blame crackheads for wanting to acquire and then consume cocaine."
21:19 < maaku> ah, microsoft research, how i love thee
21:19  * nsh smiles
21:21 < nsh> hah, that whole piece is great
21:21 < nsh> ( https://research.microsoft.com/en-us/people/mickens/thesaddestmoment.pdf )
21:25 <@gmaxwell> it's generally true of Byzantine fault tolerance. People who shit on Bitcoin are either in denial or unaware of the complete failure that field has been.
21:26 <@gmaxwell> An endless series of impossibly complicated protocols which can only work under highly unrealistic constraints and which generally burst into flames on contact with reality.
21:32 <@gmaxwell> it's basically a field that people have been wanking on more or less ineffectually since the late 1970s, making little useful progress, and then Bitcoin comes along and delivers a working system that is secure in the anonymous model, where like everything else required previously agreed participants, requires linear communication (as opposed to quadratic in the number of participants), and is relatively simply explained vs the charts ...
21:32 <@gmaxwell> ... in that paper. ... and did so basically as a footnote on the way to producing an entirely new kind of currency.
21:44 < nsh> reminds me of... atomic chemistry until the 1870s. decades of top scientists debating fancy models, vortex theories, all sorts of complex contrivances, and then Mendeleev comes along with the periodic table, pow!
21:49 < petertodd> gmaxwell: OTOH PoW blockchains appear to only work in conjunction with financial incentives
21:50 <@gmaxwell> petertodd: indeed, bitcoin is _not_ a fully general solution.
21:51 < petertodd> gmaxwell: though in many cases you can limit your "byzantine fault vulnerability" to a small part of software that is trusted to give an honest signature for some type of "fake work"
21:51 <@gmaxwell> it just happens to work (so far) for like ... the only application known where byzantine fault tolerance was actually a hard requirement. :P
21:51 < petertodd> gmaxwell: lol, there is that!
22:06 < nsh> serendipity
--- Log closed Wed Dec 25 00:00:25 2013
--- Log opened Wed Dec 25 00:00:25 2013
--- Log closed Thu Dec 26 00:00:28 2013
--- Log opened Thu Dec 26 00:00:28 2013
14:14 < adam3us> nxt yet another big-claim-alt?  100% proof of stake in their case and its own block chain, no source code so far.  all very confusing.  claimed market cap > mastercoin already $100mil http://coinmarketcap.com/ i guess those market caps could do with some market depth caveats really
14:15 < adam3us> for the solidcoin spectators https://nextcoin.org/index.php/topic,104.0.html
14:15 < maaku> adam3us: it's pre-listed on a regular old web exchange
14:15 < adam3us> yes its unclear what if anything the price on dgex.com means - could be manipulated and controlled by nxt devs with ~0 mkt depth
14:16 < maaku> presumably with withdrawals eventually being handled via a premine
14:16 < adam3us> maaku: 71 "investors" donated a total of 21 btc < 1month ago and yet the claim it has a market cap of $100m... ha ha
14:17 < maaku> personally, I never understood the utility of proof-of-stake mining in any fraction
14:17 < maaku> especially when subsidies are involved ... all sorts of bad incentives
14:17 < maaku> about all its done is distract people from the real utility of PoS
14:18 < adam3us> maaku: well superficially it sounds interesting that eg ppcoin claim that for self interest someone holding 10% of stake would not want to double spend or he'd damage value of his own holdings however, then there is an unfair mining advantage to the stake holders which is a diff problem
14:19 < maaku> adam3us: yes, but the way to achieve that control is to allow the PoS participant to vote on something akin to a checkpoint
14:19 < maaku> not to have some sort of protocol-level conversion metric between stake and hashpower
14:19 < adam3us> maaku: i presume u mean effectively different votes for validity vs reward
14:20 < maaku> adam3us: i mean a different protocol for considering best block which takes into account out-of-band stakeholder votes
14:21 < adam3us> maaku: well nxt is 100% stake.. not sure if that even quite makes sense.  the stake was bought for 21 btc in the last month!
17:04 < petertodd> tromp__: anyway, how much hardware design have you actually done? like, any at all? have you even taken a simple digital logic course and played around with some FPGAs?
17:05 < tromp__> yes i did digital logic as part of my cs curriculum
17:05 < tromp__> but never played with FPGAs
17:05 < petertodd> tromp__: yeah, digital logic, but did it talk about implementation level issues?
17:06 < petertodd> tromp__: I'd highly suggest learning about FPGAs at least before you try to design any more PoW algorithms - at least FPGAs let you see how your logic is physically synthesized
17:06 < phantomcircuit> petertodd, this seems like it would at least be better than scrypt as a memory hard function
17:07 < tromp__> scrypt isn't technically a proof of work
17:07 < tromp__> since it doesn't have trivial verification
17:07 < phantomcircuit> main memory access with DDR3 is ~300 ns
17:07 < petertodd> phantomcircuit: maybe, but the question is: is memory hard actually what you want? gmaxwell's been pointing out that it's power that matters generally for running costs
17:08 < grazs> hmm, interesting
17:08 < petertodd> grazs: quite likely scrypt is actually *worse* for password hardening because it doesn't use as much power as other alternatives
17:09 < grazs> petertodd: my brain is stuck, I will meditate on this, had kind of an aha-moment though
17:10 < phantomcircuit> petertodd, if you can shift the costs from marginal to capital that is preferable as it reduces the incentive to be dishonest
17:10 < petertodd> phantomcircuit: only for non-commodity hardware
17:10 < phantomcircuit> if you've invested 10m into hardware which wont pay for itself for 10 years you're not going to be dishonest at year 1
17:10 < petertodd> phantomcircuit: for asic-soft algorithms that's a solved problem :)
17:11 < phantomcircuit> petertodd, well yes and no
17:12 < petertodd> tromp__: anyway, I gotta go - learn some more about digital logic and electronics - you need to be at the point where you can draw a reasonable design at the physical layout level, that is how the transistors are located and what wires connect what, if you want to be able to understand this stuff sufficiently
17:12 < phantomcircuit> petertodd, as it stands today the capital cost of asics is significant
17:12 < phantomcircuit> buttt
17:12 < phantomcircuit> that's going to change
17:13 < phantomcircuit> power costs are already significant but not the most significant
17:18 < tromp__> if anyone else has feedback on Cuckoo Cycle, i'd love to hear about it
17:19 < tromp__> it can't get much worse than being told it's the exact opposite of asic-hard :)
17:21 < azariah4> would the proposed ethereum contracts make sense if a contract is run on each node receiving a tx?
17:21 < nsh> additionally, it causes terminal cancer in puppies and war orphans
17:21 < nsh> :)
17:21 < azariah4> it seems they would need some way to only run once, or at least on a limited number of nodes, with e.g. SNARK so other nodes can verify instead of actually running the script
17:22 < azariah4> especially given the fee per op/storage scheme
17:27 < tromp__> i've seen mention of SNARK proof size being very manageable at 288 bytes, but what's not clear to me is how much time the verification takes and whether that's practical
17:28 < tromp__> AFAIK ethereum is vague on how the processing fees for running scripts are actually distributed and to whom
17:28 < tacotime_> SNARK verification at 288 bytes is trivial
17:29 < tacotime_> But the parameter file size is not iirc
17:30 < tacotime_> For the zerocash implementation, the parameters file for their functions was over a gigabyte.
17:30 < nsh> closer to 2Gb iirc
17:32 < nsh> (i still can't intuit what this public parameters file _is_ -- how it's used as a resource...)
17:32 < azariah4> I suppose the fee scheme for contracts in ethereum could be made so that fees for a script can only be collected by the miner who mined the block containing the tx triggering the contract
17:32 < azariah4> that would make it unlikely (but not impossible of course) for other nodes to run the script
17:34 < tacotime_> nsh: gmaxwell probably knows more about what the parameters files do exactly, I still don't totally understand SCIPs.  My understanding (which could be totally incorrect) is that for any given program you need to generate these parameters and disseminate them with the code you wish to have executed and verified.  Then they are used (how?) when you issue arbitrary inputs to the code to
17:34 < tacotime_> generate proofs that verify your given output.
17:35 < tacotime_> And that the parameters file must arise from a trusted source.
17:35 < nsh> ack to all of that
17:36 < nsh> but in terms of the proving and verifying algorithms: what use they make of the pubparam data
17:36 < nsh> i should just read the papers harder :)
17:37 < tacotime_> I'd love to do that if I didn't have all these other things to do for my grad studies in another field. :P  If you figure it out, ELI5 it to me
17:37 < tromp__> so the parameter file is like a proof template that requires further specification of 7 "points" that get encoded in 288 bytes
17:40 < nsh> okay, but what does template mean in terms of to a mathematical process?
17:40 < nsh> s/ to//
17:44 < tromp__> i imagine it's like the these steps http://en.wikipedia.org/wiki/Elliptic_Curve_DSA#Signature_verification_algorithm in the case of an ECDSA "contract" where (r,s) are the additional points
17:44 < tromp__> those steps are a lot shorter than 1Gb though
17:44 < nsh> andytoshi can explain!
17:45 < nsh> in zk-SNARKS, andytoshi: what is the it, algorithmically, about the public-parameters that is used in the proving and verifying processes?
17:45 < andytoshi> hi nsh, my logs only update every 12 minutes so i don't have any context
17:46 < nsh> i've been trying to get a handle on what is special-and-super-handy about the big public parameters in zk-SNARK systems
17:46 < andytoshi> one sec, i have the snark paper right in front of me..
17:46 < nsh> so far i have a sense that it's some kind of common 'landscape'
17:47 < nsh> and the proof delineates a set of points that allow traversal of the landscape, with traversal being tantamount to verification of the computation's integrity
17:48 < nsh> but that's a long way from grokking (and probably wrong, anyway)
17:48 < andytoshi> well, it's similar. the first step in the snark proof is to translate from ordinary C into an arithmetic circuit
17:48 < andytoshi> an arithmetic circuit is a directed acyclic graph where each node is labelled by a semiring operation (addition or multiplication)
17:49 < andytoshi> so you can construct polynomials in terms of that, and it turns out you can translate any bounded running-time program into such a circuit
17:49 < andytoshi> so the "landscape traversal" is just following the dag
17:50 < andytoshi> but there is some more complication because of the memory. circuits do not really encompass reading/writing to memory so there is additional work to do to verify that every read matches an earlier write..
17:50 < nsh> right
17:50 < andytoshi> but in some sense that is incidental, the conceptual miracle happens even without memory
17:50 < nsh> so what is contained in the 1.7Gb pubparam file? and why is it all needed?
17:51 < tacotime_> Is certainty in the case of SCIPs probabilistic for some proof of execution?
17:51 < andytoshi> tacotime_: yeah. but according to the bayesians all proofs are probabilistic anyway so this is no problem :)
17:51 < tacotime_> Heh.
17:52 < andytoshi> nsh: sorry, i'm flipping through the snark paper to look at how they compute the execution trace to see if there is some 'simple' idea which gives the compression
17:53 < andytoshi> gmaxwell might know this better than i, it deals heavily in linear pcps which i had never heard of before this paper. so that's some background reading i have to do..
17:56 < andytoshi> Section 3 Verifying Circuit Sat via Linear PCPs is the relevant part of the ben-sasson paper @ http://eprint.iacr.org/2013/507 it has a 'high level' overview but i haven't read it well enough to summarize what's going on
17:58 < azariah4> this paper has some nice gems, hehe
17:58 < azariah4> "Concrete implementations are upper-bounded by computer memory size (and ultimately, the computational capacity of the universe), and thus their asymptotic behavior is ill-defined."
17:58 < azariah4> :D
18:05 < nsh> (dropped out for a moment there; local network troubleshooting for a stupid Blu-ray player)
18:06 < andytoshi> what is the last thing you heard?
18:06 < nsh> --
18:06 < nsh> <andytoshi> nsh: sorry, i'm flipping through the snark paper to look at how they compute the execution trace to see if there is some 'simple' idea which gives the compression
18:06 < nsh> <nsh> k
18:06 < nsh> [..]
18:06 < azariah4> andytoshi: they mention memory consistency though
18:06 < nsh> <andytoshi> Section 3 Verifying Circuit Sat via Linear PCPs is the relevant part of the ben-sasson paper @ http://eprint.iacr.org/2013/507 it has a 'high level' overview but i haven't read it well enough to summarize what's going on
18:06 < nsh> --
18:06 < azariah4> in 2.3.2
18:06 < nsh> (missed the whatever was in the ellipsis)
18:07 < andytoshi> nsh: ok, that's the last thing i said.    azariah4: yeah, of course, they solved that problem. but it's not relevant to conceptual questions about snarks
18:07 < andytoshi> nsh: also i said
18:08 < andytoshi> gmaxwell might know this better than i, it deals heavily in linear pcps which i had never heard of before this paper. so that's some background reading i have to do..
18:11  * nsh nods
18:11 < nsh> thanks in any case
19:38 < adam3us> gmaxwell: so set r'=R.x, and find a new Q' =cQ that matches ie its true that sR=H(m)*G+rQ' = sR=H(m)*G+r*c*Q
19:40 < adam3us> gmaxwell: for that to work rc = r', so c=r'*r^-1 mod n; now you have a standard DSA sig but on a multiple of the recipients public key, the factor c is secret as the random factor in the chameleon hash
19:45 < adam3us> gmaxwell: forgery by the recipient would be again sR=?H(m)G+rcQ to find a different c' that matches a different H(m') ie to find sR=?H(m')G+rc'Q but as the recipient knows d from dG=Q he can write that sR=?[H(m')+rc'd]G vs [H(m)+rcd] so H(m')+rc'd=H(m)+rcd, so c'=(H(m)-H(m')+rcd)/rd
19:45 < adam3us> gmaxwell: seems to work (though I am tired so i may have screwed something)... did you have an app in mind?
19:46 < adam3us> gmaxwell: maybe more direct bitcoin integratability because it already understands and serializes ECDSA sigs?
19:46 < gmaxwell> adam3us: yea my thought there is that people already have ECDSA code, so a chameleon hashs based on one would be easy to integrate.
19:47 < adam3us> gmaxwell: makes sense and kind of convenient it provisionally seems to work
20:05 < Luke-Jr> http://siliconsaint.blogspot.se/2012/07/temperature-inversion-in-deep-sub.html
--- Log closed Sun Oct 27 00:00:48 2013
--- Log opened Sun Oct 27 00:00:48 2013
05:47 < gmaxwell> adam3us: thank you very much for the crypto-anarchy explanation on the forum. It's good to have someone post a structured view, instead of responding to that kind of complaint with "omg fight oppression!"
10:47 < adam3us> gmaxwell: some people seem to say hal finney is not pro crypto anarchy I saw, but from what I recall of old cypherpunks posts he has really calm principled/reasoned arguments for why privacy is essential, because you need cryptography to enforce what are actually legal rights strongly etc, and he implemented and operated the first PGP based anonymous remailer,
and RPOW and he was i think the first PGP employee after zimmermann also, its very
10:48 < sipa> its very[...]
10:48 < K1773R> 512 line limit of IRC :P
10:48 < K1773R> s/512/512 chars per/
10:49 < K1773R> seems like a poor irc client :S
10:49 < sipa> i know few that deal well with overlong lines by default
10:50 < adam3us> its pidgin/linux hmm:... he (Finney) implemented and operated the first PGP based anonymous remailer, and RPOW and he was i think the first PGP employee after zimmermann also, its very hard to argue with things the way he puts them
10:51 < sipa> who is 'he'?
10:51 < adam3us> hal finney
10:51 < sipa> hmm, i don't understand
10:51 < adam3us> sipa: we were talking about explaining motivations for cryptographic privacy and I was saying i thoght hal finney does a nice job
10:51 < sipa> ah, by "hard to argue with" you mean "he is right"?
10:52 < adam3us> sipa: oh yes... i mean it sounds so reasonable and logical and non-controversial that the opponent is going to sound like an idiot or churlish to disagree :)
10:52 < sipa> right, got it
10:53 < sipa> "hard to argue with" sounded like "so stubborn you don't want to argue with"
10:53 < adam3us> sipa: whereas as gmaxwell said most people say things like "beat state" and what not and then people with statist view lose sight of reason
10:54 < adam3us> sipa: nah - i never actually met him in person, but net the net he is the nicest fellow, least likely to get in a flame war, and actually doing a lot of privacy useful coding, so productive on the "cypherpunks write code" scale also
10:55 < sipa> scale also[...]
10:55 < sipa> wait, that is actually the end :)
10:55 < sipa> sorry, misparse
11:00 < adam3us> sipa: it was in relation to this bitcointalk thread https://bitcointalk.org/index.php?topic=318279.msg3419734#msg3419734
11:01 < adam3us> sipa: which was about chameleon hashes from greg but rapidly diverged into politics when someone said "what you want to forge a contract?? thats illegal" as a complete mismatch of understanding
11:01 < HM2> Snow Crash is an awesome book
11:01 < sipa> i remember why i stopped reading the forum :)
11:01 < HM2> The Baroque Cycle series is also great
11:03 < HM2> I can't remember if it was one of the BC books or Cryptonomicon that had the offshore data haven project
11:03 < adam3us> sipa: its almost funny, advanced math & bitcoin limits mixed with "doh" level newbies he he
11:04 < adam3us> HM2: i think that might've been cryptonomicon yes - very cool, like the pirate bay they are also jurisdiction hopping seemingly successfully for many years playing whack-a-mole, or havenco was the closest thing on the offshore oilrig/micro-nation-state
11:07 < HM2> this Chameleon hash thing sounds interesting
11:07 < HM2> it effectively turns the terms of the contract in to a key, right?
11:08 < adam3us> HM2: i love the line in snow crash where they run into the "president of the united states" and no one knows who he is or cares - sort of like the token "president" of somalia he's only president in his own mind as the state is a distant memory
11:08 < HM2> lol i don't recall that
11:10 < HM2> hmmm
11:12 < adam3us> HM2: so the idea which was greg's is that alice & bob can have a contract but keep the contract private, and bob cant tell other people the contract because he has the private key so could forge any contract
11:14 < adam3us> HM2: and yet if bob cheats and doesnt fulfill the contract alice can shame him by revealing the contract, it must be true because either that is the contract, or bob forged it; if bob forged it he's reneging on the contract and if he doesnt forge it alice has some proof that can convince others of what bob agreed to
11:15 < adam3us> hm2: its a bit like a non-transferable signature, except then either party could forge the contract, so alice cant prove anything to other people to shame bob and tarnish his reputation for cheating
11:16 < adam3us> hm2: so its forgeable, but only by bob some kind of mix of a hash function on one side and a non-transferable sig on the other; quite a nice building block
11:17 < HM2> How does the public remediate contract disputes exactly?
11:18 < HM2> If Alice is selling Bob something then either Alice can access the wallet and complete the contract or some public action + Bobs proof of contract can
11:18 < adam3us> HM2: they dont exactly, but if bob has a nice ebay-style rating there is a threat that alice can prove things to other people if he cheats, so he has an incentive to play nice
11:19 < adam3us> hm2: oh yes, the relation to the contract hash, is that in order to cash the payment, bob effectively demonstrates he has the hash, because he has to multiply the base address by it
11:19 < HM2> right so it's not a system to prevent you from being screwed over, like a reversal in a blockchain like system? it's just a reputation system
11:20 < adam3us> hm2: so he cant deny all knowledge as everyone can see the cash in his address and the tx which can be seen to hash from the contract to his address
11:20 < adam3us> hm2: yes its interesting because its simultaneously private (because its non-transferable) and yet there is still a threat of revealing the contact
11:20 < adam3us> hm2: contract
11:21 < HM2> right but if Alice sells Bob a TV and Bob claims he he never received it but Alice took the money, and Alice said Bob did receive it. what do you gain? it's still open to dispute
11:21 < adam3us> hm2: its unusual because normally its either non-transferable or its signed (non-repudiable) and yet like OTR you dont want non-repudiable signatures published or the other party to renege on the implied privacy
11:22 < adam3us> hm2: yes greg on the post mentioned if its a physical item or a matter of opinion kind of contract you might add an arbitrator
11:22 < HM2> what kind of contracts actually benefit then?
11:22 < adam3us> hm2: but if its straight up swap 1BTC for 150 LTC
11:23 < adam3us> hm2:  well that could probably be done atomically, but where you are relying on reputation and want contract privacy
11:23 < HM2> hmm
11:23 < adam3us> hm2: i mean the thesis is that private contracting parties should not have to tell anyone about the contents of their contract
11:23 < adam3us> hm2: so maybe alice doesnt know bob that well and doesnt quite trust him not to blab and show everyone else the ebook she bought because its racy
11:24 < adam3us> hm2: with normal signed contracts bob can prove that because alice signed her order, so bob can embarrass her
11:25 < adam3us> hm2: with chameleon hash based sig, bob cant really do that because bob can make that contract say whatever he wants (he can forge it), so no one will necessarily believe him as there is no transferable proof
11:25 < HM2> oh i'm slowly getting it
11:25 < HM2> so you have a transaction that can be shown by one party to be for anything
11:25 < HM2> and by the other for one specific thing
11:25 < HM2> is that about it?
11:25 < Luke-Jr> sounds useless <.<
11:26 < adam3us> hm2: so far thats standard non-transferable sig (opposite of non-repudiable sig), but the interesting new feature is that in addition to that, alice can actually prove bob accepted the contract so the power to prove things is asymmetric
11:26 < adam3us> hm2: yes
11:26 < HM2> big words like repudiable don't do well for me on Sundays
11:26 < Luke-Jr> lol
11:27 < adam3us> luke-jr: spoilsport - actually i think probably it should be the default sig in smart contracts / bitcoin script! you do want the mechanism to not have unintended side effects for the users
11:27 < HM2> oh
11:27 < HM2> so how does one construct a Chameleon hash with ECs? I understand basic EC algebra
11:27 < Luke-Jr> adam3us: a contract you cannot prove the contents of cannot be enforced, thus has no purpose
11:27 < adam3us> hm2: you dont want that should say
11:28 < adam3us> luke-jr: but you can prove it (alice can)
11:28 < adam3us> luke-jr: its just bob that cant
11:28 < Luke-Jr> adam3us: a one-sided contract is nasty enough already
23:37 < petertodd> gmaxwell: so is this partial UTXO mode scary enough that you'd rather not see it happen or what? I figure long-term we need UTXO posession proofs for miners, and it pushes decentralization by making it easier to run a full-node
23:38 < petertodd> gmaxwell: I really like how it lets those nodes do useful work for the network - relaying tx's increases your anonymity set, and they can serve SPV nodes just fine
23:39 < petertodd> gmaxwell: heck, add a way to make bogus tx's expensive and they can even relay any transaction, or just rely on how the proofs that a tx was bogus just give the partial-UTXO holders information they would have retrieved later anyway
23:39 < petertodd> (needs a relatively expensive *spent* UTXO map, but that map can be distributed)
23:39 < gmaxwell> I don't see why it would hurt.. but if there were a committed utxo you could relay any transaction just by getting the membership proofs for its inputs.
23:40 < petertodd> gmaxwell: yes, that too, and it'd lead to a mode of use more applicable to adding committed UTXO later
23:46 < Luke-Jr> petertodd: should I post "needs rebase" to all your open pullreqs that need it, or can I just make you a list here?
23:47 < petertodd> Luke-Jr: nah, add it to the pullreqs
23:47 < Luke-Jr> k
23:51 < petertodd> Luke-Jr: nLockTime rolling for mining - what timespan do miners actually change the timestamp when doing this?
23:51 < petertodd> Luke-Jr: er, nTime rolling...
23:51 < petertodd> Luke-Jr: and is time rolling now obsolete?
23:52 < Luke-Jr> petertodd: in practice, I'd say it varies :/
23:52 < Luke-Jr> time rolling isn't obsolete, but not implemented with stratum yet
23:52 < petertodd> Luke-Jr: we talking seconds, tens of seconds? minutes?
23:52 < Luke-Jr> it's somewhere near the top of my BFGMiner todo
23:52 < Luke-Jr> petertodd: I would be surprised if ntime was off by more than 5 minutes
23:52 < petertodd> huh, I thought it was actually common
23:53 < Luke-Jr> stratum regressed a lot of progress that had been made with getwork :/
23:54 < petertodd> I was thinking it could be interesting to do a high-resolution timestamping facility by taking the best pow known for every second basically
23:54 < Luke-Jr> well, you might still get a lot of variety from fast pools
23:55 < petertodd> Yeah, it's no good if people need time rolling.
23:55 < petertodd> (although another non-rolled header could be acceptable)
23:57 < petertodd> See, it'd be possible for nLockTime w/ time-based locks to create some really ugly incentives for miners to mine blocks at the limit of the 2hr window - a timestamping chain could provide a way for nodes to at least detect that their clocks are off, especially given how peers can mess with them.
23:58 < petertodd> It's still dodgy though... I was thinking if nLockTime-by-time inclusion was based on the previous block timestamp it'd be ok, but that still leaves large miners with incentives to screw with the 2hr window, never mind how it can reduce competition if there exists clock skew in the mining nodes.
--- Log closed Wed Jul 17 00:00:57 2013
--- Log opened Wed Jul 17 00:00:57 2013
00:01 < petertodd> (remember that if this is a timestamping facility any node wanting to know the current time simply gets a nonce timestamped, and then they know what time it is!)
00:11 < Luke-Jr> I don't see how nLockTime can discourage forward-dating blocks
00:11 < Luke-Jr> and there is no 2hr window backward..
00:12 < Luke-Jr> well, I guess if miners are behaving there is <.<
00:19 < petertodd> The problem is a block being created with nTime > actual time, and the incentive is to get a head start on other miners to put, say, a high-fee nLockTime in the block you are creating.
00:21 < Luke-Jr> petertodd: but nLockTime only sets a minimum time, it cannot set a maximum
00:22 < petertodd> but that's it, if I have a 1BTC fee tx, with nLockTime expiring in two hours, why not take the increased orphan chance and set nTime on my block to two hours ahead/
00:22 < petertodd> ?
00:22 < petertodd> yet if we allow that incentive, it's very bad for consensus
00:23 < gmaxwell> ha. We can fix.
00:23 < gmaxwell> it's a soft forking fix.
00:23 < gmaxwell> use the last blocks ntime, not this one.
00:23 < Luke-Jr> is sipa's secp256k1 branch reasonably stable?
00:23 < petertodd> gmaxwell: that's what I said...
00:24 < gmaxwell> petertodd: sorry I just read the last couple lines.
00:24 < Luke-Jr> petertodd: AFAIK we already don't relay transactions with time in the future?
00:24 < gmaxwell> petertodd: well I agree. (or not even the last block, it could use the minimum time)
00:24 < petertodd> gmaxwell: The problem is, that's only a fix if mining power is well distributed, it actually makes things worse because if there is a lot of profit to be gained the miners with a lot of hashing power still have the incentive, and it's to a much greater degree. (their orphan rate is less)
00:24 < Luke-Jr> gmaxwell: the minimum time will be earlier than the last block's :p
00:25 < gmaxwell> Luke-Jr: sure, but that doesn't change it really. Presumably if people start locking in the future miners will run nodes that take what they get and selfishly hoard them, creating incentives for all miners to run good collection networks.
00:25 < petertodd> Luke-Jr: sure, but there are lots of ways to learn that a tx exists
00:26 < gmaxwell> petertodd: one of the reasons that the min is important there is because (1) it's hard to advance, and (2) when you advance it you raise the difficulty.
00:26 < petertodd> gmaxwell: I was working on figuring out the expected return - the math is really ugly
00:27 < gmaxwell> petertodd: a worst case expected return may be easier.
00:27 < petertodd> gmaxwell: Worst case is easy - your block is orphaned.
00:28 < petertodd> gmaxwell: See the issue is that once I find a block, the other side needs to find two blocks to beat me. As time goes on more of the other sides hashing power will accept my from the future block as valid, so then you get the next level where the remainder needs three blocks and so on.
00:28 < petertodd> gmaxwell: Pretty sure it can't be done as a closed-form equation.
00:30 < petertodd> gmaxwell: I don't think minimum time works either, because you still get to manipulate it by creating blocks in the future, although the ability to is definitely less. If I could show you'd need >50% hashing power to do anything interesting I'd be set.
00:31 < Luke-Jr> petertodd: hmm, is block-uneconomic-utxo-creation basically just an older revision of what Gavin did in 0.8.2?
00:31 < gmaxwell> petertodd: moving the minimum time forward needs the cooperation of >50% of the hashpower over the small median window.
00:32 < petertodd> Luke-Jr: It's what Gavin did but non-hardcoded. I'd emphasize the better, not the older. :P
00:32 < Luke-Jr> petertodd: will you be rebasing it despite its closed status?
00:32 < Luke-Jr> actually, what about Gavin's is hardcoded? <.<
00:33 < petertodd> gmaxwell: Yeah, but you have to assume a steady stream of these incentives.
00:33 < gmaxwell> petertodd: right, so you have some force that turns all miners into a conspiracy.
00:34 < petertodd> gmaxwell: exactly
00:34 < petertodd> gmaxwell: nLockTime by time should have never been added in the first place, but it's such a nice idea on the face of it
00:35 < Luke-Jr> softfork so nLockTime requires data on what block a transaction was created at, and enforces the 10 min per block <.<
00:36 < petertodd> Luke-Jr: ?
00:36 < Luke-Jr> petertodd: for example, if you nLockTime for 1 day from now, it also enforces 144 blocks passing too
00:37 < Luke-Jr> so block count must be >now+144 AND time must be >now+24h
00:37 < Luke-Jr> not perfect, but might help
00:37 < petertodd> Still doesn't help in the usual case where mean interval is < 10 minutes, because you're back to only caring about time.
00:38 < Luke-Jr> usual now, but not eventually
00:38 < petertodd> Right, you've solved half the problem, when measured over the entire lifespan of Bitcoin, and only approximately half. :P
00:39 < Luke-Jr> theory is so much nicer than practice <.<
00:39 < gmaxwell> I'm forgetting why this is a problem again?  If miners mine blocks early, people will just artifically inflate their times or switch to height locking.
00:39 < petertodd> The problem is you're incentivising miners to make the 2hr window for block acceptance effectively shorter.
00:39 < petertodd> Thus requiring accurate clocks for consensus.
00:39 < gmaxwell> if miners do this consistently they'll drive difficulty up too which wouldn't be in their interest.
00:39 < Luke-Jr> ^
00:40 < petertodd> gmaxwell: It's only a fixed 2hr offset, that just drives difficulty up by 0.5%
00:40 < Luke-Jr> and on top of that, you'd just end up treating nTime with a minus-2-hours :p
00:41 < Luke-Jr> if everyone does it, it's predictable.
00:41 < petertodd> More to the point for any individual miner the marginal difference if they do it is effectively zero.
00:41 < gmaxwell> consider, why why cant the 2 hour window be 24 hours?
00:41 < petertodd> Luke-Jr: But that's the problem, if everyone does it, and people respond, then you can extend the interval even further!
00:41 < Luke-Jr> petertodd: how?
00:41 < petertodd> gmaxwell: It should have been more like 24 hours in the first place...
00:42 < Luke-Jr> you don't change the 2h rule
00:42 < Luke-Jr> you just assume miner times will always be up against it
00:42 < gmaxwell> Luke-Jr: move your clock/window forward so you dont reject stupid blocks.
00:42 < petertodd> Luke-Jr: Again, the issue is the effect on *consensus*. I don't care when the tx gets mined, I care that miners are incentivised to break consensus for anyone without NTP.
00:43 < petertodd> The problem is no matter *what* the window is, there is an incentive to mine as close to the window as possible to accept a tx sooner than your competitors.
07:22 < adam3us> petertodd: yes but that way lies doom unfortunately, if the tx and users continue to scale
07:23 < petertodd> adam3us: do you understand how TXO commitments can be re-worked into a shardable blockchain?
07:24 < petertodd> adam3us: nah, $20 uncensorable transactions of unseizable electronic money is a pretty damn good outcome. Be nice if we can do better than that, but just that alone is pretty good.
07:24 < adam3us> petertodd: i think vaguely is there a forum link or search term?
07:24 < adam3us> petertodd: $20 i agree
07:24 < petertodd> I've explained it in IRC, haven't written anything up on bitcointalk
07:25 < petertodd> Yup. The real danger with off-chain stuff isn't that transactions will be expensive, is that they'll be too cheap! Bitcoin's inflation rate goes to zero in the long run, and at some point the minimum reward to miners will become low enough that the security of the whole system is threatened.
07:25 < adam3us> petertodd: well one argument could be for unseizable digital scarcity wealth storage and not high tx  at all, that is interesting in itself even without p2p tx at any high volume beyond a few tx per year per user
07:26 < petertodd> yup
07:26 < petertodd> you can always build upon that layer
07:26 < adam3us> petertodd: interesting observation, yes offchain success threatens chain security at the limit
07:27 < petertodd> Yeah, on the other hand, what matters isn't what transaction fees are, but rather what profit margin there is. Or to be exact, how much money is uselessly spent on overhead rather than mining itself.
07:27 < adam3us> petertodd: without naming names some people seem a little impatient and short-termist and they may steer things into dangerous directions without really thinking things through - i do like how you focus on the long term big picture
07:27 < adam3us> petertodd: its like chess, you dont win by looking at the next move, but at the end game from the start
07:28 < petertodd> People without a good understanding of economics have often argued that we need larger blocks because we need lots of transactions so the fees can support miners, but if those fees go into network bandwidth and harddrives, we haven't gained anything.
07:29 < adam3us> petertodd: and there is lots of scope for extremely plausible long term thinking sabotage disguised as rational short-term pragmatism; i get of assertive short-termists who cant explain or dont wish to entertain long term implications
07:29 < petertodd> For sure. There's a lot of pressure in this community for people like me to stop talking so much about the long term and focus on "real world engineering", but that's the kind of thinking you see at web 2.0 startups, and they have an alarming tendency to die early deaths.
07:30 < adam3us> petertodd: /i get ^suspicious of^ assertive.../
07:30 < petertodd> Ha, for sure, once you start assuming possible malice all this stuff gets really ugly. :P
07:30 < adam3us> petertodd: precisely
07:31 < petertodd> Reminds me: the more I think about it, the more I think I should be encouraging abuse like timestamping and data-in-the-chain so we get a good understanding of the parameters of that abuse before making decisions based on assumptions about what demand there is to do such things.
07:31 < adam3us> petertodd: i've been through a few startups, and without embarrassing the guilty, a guy who wanted to code and stop wasting time thinking and architecting the right solution, within 1year it deadended
07:31 < MoALTz> one idea is that some coin gets lost in every transaction, as well as fees. reason: the "loss" is actually donating value to the network as compensation for bandwidth, hard-drive storage, cpu usage; the losses mean that all the remaining coin gets more valuable
07:32 < petertodd> adam3us: Absolutely. This isn't a standard engineering problem where the solution space is well understood.
07:32 < adam3us> petertodd: it only didnt get ugly at company future level cos i rewrote it from scratch in a 80/hr week skunkworks
07:32 < adam3us> petertodd: 1 week of the right thing vs 1 year x 10 people of "stop talking big picture write code" ... thats the true picture
07:33 < petertodd> adam3us: Heh. Another case in point: maaku has spent a lot of effort implementing UTXO commitments with authenticated radix trees, and meanwhile I come up with TXO commitments seem to have made all that effort obsolete.
07:33 < petertodd> A month in the lab saves a day in the library. :/
07:33 < MoALTz> writing code that does something is indeed better. i need to do more of that.
07:35 < petertodd> Equally though, code is needed too... The lesson is just to understand the problem well before you start getting into code.
07:35 < adam3us> petertodd: that company later sold for $100m that probably wouldnt have happened w/out that rewrite... startups are full of random unproductive "code fast" shit that amazingly frequently ends up in the dustbin, ZKS was like that also
07:35 < adam3us> petertodd: exactly
07:35 < MoALTz> petertodd: easy to overdo it the other way
07:35 < adam3us> petertodd: problem is its very very hard to see any big improvement
07:37 < adam3us> petertodd: i think because of the interconnected cross dependencies; each important piece is fulfilling 3 or 4 functions, and while each function could get scaling by omitting a feature you cant change anything because overall it only just works with all the cross dependencies in place
07:37 < petertodd> MoALTz: The problem with my way is it's hard for people who don't understand the issues in great detail to tell the difference between smart people thinking hard about a problem, and wasting time doing nothing of real value. Code on the other hand can be evaluated for volume relatively easily.
07:38 < adam3us> petertodd, MoALTz: i can actually code, damn fast too; but mostly i am trying to solve the hard problem - if i crack a hard problem, will be coding like a demon :)
07:38 < petertodd> adam3us: Yup. I run into that at my day job all the time, because our system is extremely tightly coupled and unavoidably so. I've quite literally done projects that involved 8 months of design, followed by a week or two of implementation, with the implementation working pretty much perfectly the first time.
07:39 < adam3us> MoALTz: but yes there are multiple pressing issues that have gotta be worked on now that are defined
07:39 < MoALTz> adam3us: i tend to think of ideas, test them in my mind a lot, but cannot keep myself coding up a test implementation for them long enough to test them
07:39 < petertodd> adam3us: I've also had projects with 8 months of implementations, followed by realizing that was all a waste and I should have done a month of design up-front.
07:40 < adam3us> petertodd: a problem in startup culture that contributes is that management thinks of the work so far as "investment" so they cant change path even when they see the writing on the wall that this is a very bad path
07:41 < adam3us> petertodd: when what you've done so far turns out to be wrong, you need to be willing to rip it up and start again, they rarely can do that
07:41 < adam3us> petertodd: so anyway more back ontopic: i was wondering about disentangling bitcoin mining dependencies
07:41 < petertodd> Yup. I'm lucky to have a boss who's willing to accept that sometimes you've got to throw away what you've done, but even then it's hard.
07:42 < adam3us> petertodd: as i think in isolation nicer things can be done, just not on the interdependent version
07:43 < adam3us> petertodd: eg if you're talking about reward only (not relating to validation) you could probably direct mine with 0 variance work and no need for mining pools
07:43 < petertodd> Ok, before you get too deep, so lets check: what are the main functions of mining?
07:43 < adam3us> petertodd: so leads to can you separate reward from validation
07:43 < adam3us> petertodd: confusingly many :)
07:43 < petertodd> Yeah, reward != validation.
07:44 < petertodd> OTOH, in practice you need things like tx fees so you can figure out which tx should be in a block.
07:44 < adam3us> petertodd: so reward, blockchain evolution voting, spv client validation, sybil attack defense
07:44 < adam3us> petertodd: did i miss some?
07:45 < adam3us> petertodd: ah yes you reminded converging on a block definition
07:45 < petertodd> See, you're talking about a level farther removed than what I would have said.
07:45 < petertodd> For instance, proof-of-publication is really important.
07:46 < adam3us> petertodd: ah yes arbitrating which tx is first in double spends
07:46 < petertodd> Right, so timestamping.
07:46 < adam3us> petertodd: i was thinking one way to look at it is (apart from spv validation) bitcoin is actualy implementing a timestamping service
07:46 < petertodd> But do you understand what's so important about proof-of-publication? (or to be exact, proof-of-readership)
07:47 < adam3us> petertodd: and actually something slightly more also: a namespace (like a timestamp but where names are strictly and cryptographically first come first served)
07:48 < adam3us> petertodd: maybe .. are you saying like what defines a tx as confirmed is that you see it (and not a double-spend) in the block chain
07:48 < adam3us> petertodd: i think it can be equated actually to an auditable namespace, where the "name" is the txout
07:48 < petertodd> See, proof-of-publication/readership is what makes timestamping useful to prevent double-spends.
07:49 < petertodd> Do you understand why?
07:49 < adam3us> petertodd: do spell it out, its probable we are saying the same thing, but with different terms; i call that an application of an auditable namespace
23:42 < petertodd> same
23:42 < gmaxwell> petertodd: well look at my example and tell me how a merkle tree would work there?
23:43 < petertodd> oh, wait, stupid, I missed the S doesn't know c part somehow...
23:43 < petertodd> yeah, it's useful in that case
23:43 < petertodd> hmm... how about querying the UTXO set without telling the server what you are querying?
23:45 < gmaxwell> what would you query it for?
23:45 < petertodd> check that a txout is in the set, and thus a transaction someone handed you is valid
23:46 < gmaxwell> so one problem is say you get a hit ... now you say, okay give me the full transaction.
23:46 < gmaxwell> oops the server says, nah that was a fake hit I don't have that txout.
23:47 < petertodd> I'm more thinking you have a contract with a third-party UTXO database provider, and you want to know if a customer's transaction is valid, and neither you nor the customer has a UTXO set (so the customer can't give you a UTXO proof directly)
23:48 < petertodd> Only really useful if you have a safe zero-conf system of course...
23:49 < petertodd> Though it'd be useful for checking fidelity bonds.
23:51 < gmaxwell> In general I could see how this would be useful for a very large database to prevent censorship.
23:51 < gmaxwell> though how do you not get them to censor in advance when constructing the filter. hm.
23:51 < petertodd> Selective censorship
23:51 < petertodd> (client selective)
23:51 < gmaxwell> ah right.
23:52 < petertodd> Given how dodgy anonymous com channels are, that's a really useful thing to be able to do.
--- Log closed Wed Jul 24 00:00:18 2013
--- Log opened Wed Jul 24 00:00:18 2013
00:29 < amiller> hrm, hrm, just how strong is SPV anyway
00:29 < amiller> it's actually really secure
00:29 < petertodd> define "really"
00:30 < amiller> by the ordinary bitcoin assumptions, 51% etc etc, the problem with SPV isn't that a client might get duped or double spent
00:30 < amiller> the bigger problem is that "mining" as an SPV client is irresponsible and a public hazard, which could ruin the 51%
00:30 < amiller> the bigger problem is that "mining" as an SPV client is irresponsible and a public hazard, which could ruin the 51
00:30 < amiller> (er up arrow mistake)
00:31 < amiller> if 51% of miners do full validation and not just SPV, then the point is SPV is safe for everyone else
00:31 < petertodd> so lets say I accept transactions with one confirmation, and you've figured out what node I'm using, how secure is SPV for me in terms of cost to attack me?
00:31 < amiller> one confirmation doesn't count
00:31 < petertodd> why?
00:31 < amiller> it's still 6 or whatever, you have to do a risk calculation
00:31 < petertodd> why is it 6?
00:31 < petertodd> what not 5? or 7?
00:31 < petertodd> or 144?
00:31 < amiller> i carried on a thread once trying to analyze this
00:31 < amiller> 6 is just a social norm
00:32 < petertodd> did you analyze it in terms of probabiity, or cost?
00:32 < amiller> but really you could treat it as a risk management problem
00:32 < amiller> both
00:32 < amiller> cost is basically measured in time
00:32 < petertodd> no, cost is measured in money
00:32 < amiller> the longer you wait, the more of a hassle it is, and the more likely it's not suitable
00:32 < petertodd> lol, "hassle" has nothing to do with attacks
00:32 < petertodd> be precise, how much money does it cost you to attack me, and under what assumptions?
00:33 < amiller> petertodd, the only real interesting thing i came up with is that it isn't even the cost of attacking *you*
00:33 < amiller> it's more about the likelihood of getting swept up in an attack aimed at someone else
00:33 < petertodd> ah, you're getting closer to understanding this...
00:33 < petertodd> so what happens to this cost stuff if the attacker is attacking n targets at once?
00:33 < amiller> my basic model is an attacker with a budget and a time window
00:34 < amiller> i let the attacker have infinite hash power, but not an infinite amount of energy
00:34 < petertodd> how many targets does this attacker have?
00:34 < amiller> the target is some fraction of all the double spend opportunities in whatever time window they're successful in mining an "attack fork"
00:34 < petertodd> right, so your attacker can pay $x/second worth of electricity to get y hashes/second
00:35 < amiller> the attacker can purchase B hashes and he gets them all at once
00:35 < petertodd> heh, you're even more optimistic than I'm talking about, but go on
00:35 < amiller> so fix the network's hash rate, and the attacker's budget B. now the attacker has to pick a time window and a probability of success
00:36 < amiller> one thing i like to consider (i think someone else has talked about this recently) is a doomsday attack where someone makes a credible threat that they're going to reverse 24 hours of blockchain history
00:36 < amiller> beginning on Jan 1 or something like that
00:36 < amiller> everyone knows (or believes) in advance that doublespends will be possible during this time
00:37 < amiller> (maybe there's some anonymous dropbox where you are supposed to spend your doublespend transactions)
00:37 < amiller> the point of this thought experiment is that the attack might not even need to be skillfully coordinated
00:37 < Luke-Jr> amiller: that'd be a difficult situation to double-spend in
00:37 < amiller> if you had an attack fork, maybe you can just get everyone to doublespend each other
00:37 < petertodd> hang on, go back a second, so how are you calculating return for the attacker against my SPV example?
00:38 < petertodd> what specifically is the attacker doing for that matter?
00:38 < amiller> petertodd, ok ok so i went on a tangent to describe the enormous attack that gets everyone to double spend everything
00:38 < petertodd> remember, I'm an SPV client
00:38 < amiller> the more realistic one i guess is that the point is an attacker pays for and mines an attack fork, and then tries to do some big double spending at that time
00:39 < amiller> petertodd, SPV or not, the point is you go find all the merchants you can
00:39 < petertodd> again, I'm an SPV client, why bother double-spending me at all?
00:39 < amiller> that are willing to make big irrevocable actions after some number of blocks
00:39 < petertodd> why not make a block that meets difficulty, and is filled with transactions that are fake?
00:39 < amiller> where that number of blocks is less than what you can mine with your attack budget!
00:40 < amiller> petertodd, the point is, if there's a merchant that lets you drive off with a Ferrari after 6 blocks, and you are able to in a timely fashion produce 7 blocks before everyone else makes 6, then you can win a Ferrari
00:41 < petertodd> you're making a lot of assumptions
00:41 < petertodd> I can be much more clever than just trying to double-spend
00:41 < amiller> what else would you do
00:41 < amiller> what else would you need to do
00:41 < amiller> you could double spend money you don't even have
00:41 < petertodd> as I said, I can make blocks that are filled with completely invalid transactions creating money out of thin air
00:41 < petertodd> SPV clients can't tell the difference
00:41 < amiller> sure, good point
00:41 < amiller> that... definitely decreases the cost of an attack
00:42 < petertodd> indeed
00:42 < amiller> especially since if the attack fails in the ordinary double spend case you'd have a lot more to lose.
00:42 < petertodd> doesn't take much to sybil the network, after all, I might have other uses for that capability like trying to figure out who is making what transactions
00:43 < amiller> still, if you can achieve anything against this SPV client, you could also double spend the ordinary clients
00:43 < amiller> and double-spend is still a serious attack
00:43 < amiller> the real havoc is if SPV clients mine.
00:44 < petertodd> the thing is, against an SPV client I don't even need the money, and can launch my attack against a huge number of targets at once, so even if there's a tiny chance of success for any one target I win overall
00:44 < petertodd> (again, goes back to sybiling the network)
00:44 < petertodd> I don't need a 100% sybil
00:45 < amiller> petertodd, it's still very expensive for you to make an attack fork...
00:45 < amiller> a successful attack is more profitable if there are lots of SPV merchants, yeah
00:45 < petertodd> it is *right now*, it might not be in the future as fees become more important, and we don't know
00:46 < petertodd> heck, I could probably pull all this off in a real-life scenario, by, say, controlling the wireless network at a "satoshi circle" event and MITMing everyone's android phone
00:47 < petertodd> "Gee, confirmations sure are taking awhile today aren't they?"
00:47 < amiller> it's quiet, too quiet.
00:47 < petertodd> Play it carefully and I can make it look like I lost money in the attack too so it's not obvious who actually made it happen.
00:48 < petertodd> In this scenario 10% of the hashing power would probably be enough for a real-life attack.
00:48 < petertodd> Heck, 0% given people accept zero-conf...
00:48 < amiller> yes
00:48 < amiller> so!
00:48 < amiller> lets say you're going to do a risk analysis
00:48 < amiller> lets say you're about to exchange 1 btc for cash
00:48 < amiller> how long should you wait?
00:48 < amiller> even if you're a full client
00:49 < petertodd> The best way, is for me to check their government issued photo ID and take a picture of it so I can report the counter-party to the police.
00:49 < amiller> heh, so we get as far as we can with the crypto and let government registries pick up the slack :p
00:50 < amiller> i'm not comfortable with protocols for which i don't have a model (not that i have a satisfactory one for bitcoin, which definitely makes me uncomfortable)
09:32 < adam3us> tacotime_: it was the same story again with larimer/protoshare/invictus momentum "cpu only" memory hard PoW, someone showed a few weeks into an impressively large VPS rented power driven difficulty ram that it was duh TMTOable and so worked just fine in GPU
09:32 < tacotime_> He did release some really broken source code, but then just fucked off
09:32 < tacotime_> If it's parallelizable, I find it difficult to believe that a GPU won't run faster even if you need memory
09:33 < tacotime_> GPU vRAM bandwidth is always going to be greater than the DDR3 bus on the main board
09:34 < adam3us> tacotime_: they tend to need unique memory per mining instance, so momentum aimed for 750MB but then someone TMTO'ed that with bloom filter in place of hash-table.  (unreliable but much smaller hash-table)
09:34 < tacotime_> So when I hear about "dagger" I don't pay much attention either... implement it on GPU and play with it for a couple weeks, otherwise don't say it's hard to run on any single piece of hardware
09:34 < tacotime_> mm
09:35 < adam3us> tacotime_: yes.  but GPU ram bus is wider.. like 256-bit, 384-bit etc vs CPU at 64-bit cache line.  so that erodes a bit of the throughput.  and the access is random and usually like 64-bit word size (or should be for this reason)
09:36 < adam3us> tacotime_: 256-bit might be quite ideal for dagger :) its a merkle tree.
09:38 < adam3us> tacotime_: the only thing dagger is adding is to use coelho's use of fiat-shamir to make verification faster (and a few more links in the tree to make calculating all merkle steps slightly less skippable) its mostly a tweaked coelho merkle PoW.  i mentioned the coelho merkle pow to vitalik its where he got the idea from.
09:40 < killerstorm> hi. does anyone have an idea when OP_RETURN outputs will be usable on the mainnet?
09:41 < jtimon> adam3us, tacotime_ : that's the problem. The story seems plausible, but solidcoin is not a reputable source...
09:41 < jtimon> adam3us, tacotime_ : the fact that "you would be making mining bitcoin and selling them for ltc if you really want the ltc" (I read that somewhere)
09:42 < jtimon> adam3us, tacotime_ : seems to point out in that direction, if ltc mining was less competitive, it should have been more profitable
09:42 < jtimon> maybe it was just a botnet what caused that
09:44 < adam3us> killerstorm: i am guessing that is a color coin related question ;)
09:46 < killerstorm> adam3us: yep. it's possible to do coloring without it, using otherwise unused nSequence is appealing, but people freak out and ask about OP_RETURN
09:47 < killerstorm> also it looks like non-tech people think that use of OP_RETURN makes protocol better and more legitimate :-/
09:48 < jtimon> which reminds me...adam3us seems like enabling "joyscript" in all assets, but disabling the ops needed for quines/covenants on the hostcoin would be a good compromise
09:49 < jtimon> adam3us: you know I don't share your same fears, but we don't know of any use case that requires covenants in the hostcoin
09:49 < jtimon> killerstorm: yeah, some freicoiners thought it would allow people to use the chain for messaging, files...
09:51 < adam3us> killerstorm: here's some replayed history from a few days back
09:51 < adam3us> (06:42:24 AM) justanotheruser: "So, with some reluctance, I recently merged Relay OP_RETURN data TxOut as standard transaction type.
09:51 < adam3us> (06:42:36 AM) justanotheruser: So will it be standard in .9?
09:51 < adam3us> (06:42:52 AM) Luke-Jr: hopefully not
09:51 < adam3us> (06:43:04 AM) gmaxwell: 21:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out.
09:51 < adam3us> (09:46:35 PM) adam3us: gmaxwell: "as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out." don't object to backing out (say NO to block-chain spam!), but what are they saying, missing context?
09:51 < adam3us> (10:37:04 PM) gmaxwell: adam3us: there have been a number of articles about how bitcoin has been "upgraded" to enable "distributed storage" and such horrifying things like that.
09:51 < adam3us> (10:40:32 PM) adam3us: gmaxwell: ah yes.  it's a scary situation indeed.  the flip side is there are then people who will stego encode them in multisigs if you don't, and create needless non-compactable TXOs and so on.
09:52 < adam3us> (10:41:17 PM) gmaxwell: adam3us: that's why I didn't oppose it initially. Though the trade off of people thinking it is a good non-antisocial and supported application is concerning.
09:52 < adam3us> (10:41:39 PM) gmaxwell: Esp what happens if abusive use arises and it must be turned back, but there is also non-abusive use?
09:52 < adam3us> killerstorm: (end of few days old discussion paste)
09:54 < jtimon> I don't see it as such a bad thing, I think timestamping is a legitimate use of the chain, but it's sad how people understand it
09:55 < jtimon> about using the nsequence fields...I don't know, some people want to use it for microtransactions channels
09:55 < jtimon> I think the probable solution is for microtransactions to be directly off-chain, but I don't know...
09:55 < adam3us> jtimon, killerstorm: coloring is lower bandwidth than mastercoin (which sends even bid and meta-messages over the blockchain) but its still in theory non-btc tx bandwidth use.
09:56 < adam3us> jtimon: time-stamping at least typically is putting a single hash which is the merkle root of many documents
09:57 < jtimon> adam3us: yeah, I don't think you need to allow more than a single hash after return
09:57 < killerstorm> adam3us: by the way, gmaxwell mentioned that P2SH^2 would make storing data in blockchain impossible, but this is not true, it just makes it more expensive: people can simply 'mine' hashes which have prefixes they need and share data through those prefixes.
09:57 < jtimon> being not in-chain validated, it can be transffered off-chain as well
09:58 < jtimon> p2sh^2 ??
09:58 < killerstorm> jtimon: as far as I know, nSequence is basically dead, it was a bad idea in the first place. It is possible to do same thing (but better!) using multi-signature scripts.
09:58 < adam3us> killerstorm: yes this was mentioned somewhere.  he viewed it as closer.  also there are multiple stego encoding opportunities, eg unused not obviously invalid 1 of 2 multisig addresses etc.  but just because you could stego encode with increasingly lower bit rates doesn't make it a good thing :)  was talking about this with petertodd in the mastercoin context.. for them they'd as well use a separate merge mined chain IMO
10:00 < jtimon> killerstorm oh, this doesn't use replacements https://bitcointalk.org/index.php?topic=244656.0
10:00 < jtimon> I guess nobody has a use for it then
10:03 < jtimon> adam3us do you know of any proposed use of replacements? https://en.bitcoin.it/wiki/Contracts#Example_5:_Trading_across_chains this needed it?
10:04 < jtimon> well, that can be replaced with coinswap, which doesn't need nseq iirc
10:08 < adam3us> jtimon: i dont know, others would know better
10:09 < adam3us> jtimon, killerstorm: i think killerstorm implemented atomic swap in his chromawallet (color coin wallet) if i recall the announce
10:10 < jtimon> adam3us but that is atomic swap between colors in the same chain
10:10 < jtimon> the link and coinswap is cross-chain
10:11 < killerstorm> transaction replacements are usable under condition that all miners are honest. this just doesn't make any sense.
10:11 < jtimon> well, coinswap can also be used in the same chain for mixing
10:11 < killerstorm> trading-across-chains doesn't need replacements
10:12 < jtimon> killerstorm: yes, you're completely right, miners should just get the transaction with higher fees when they receive double-spends
10:51 < jtimon> I guess we should just remove the seq field in freimarkets...
11:10 < adam3us> jtimon: the seq field was designed for revisable bids?
11:11 < TD> it is designed for mempool replacement
11:11 < TD> basically for high frequency trading between a set of parties (to use satoshis terminology)
11:14 < jtimon> adam3us, TD: yes, but as killerstorm says there's no reason for a miner to accept seq=5 over seq=3 if seq=3 has a higher fee
11:16 < TD> of course there is
11:16 < TD> this kind of nonsense reasoning about game theory is so destructive
11:17 < TD> the reason is that if useful and compelling apps rely on that functionality, that increases demand for bitcoin and thus the value of their fees and inflationary rewards
11:17 < TD> miners are not thinking only 20 minutes into the future, you know
11:17 < TD> it's sort of like saying "bitcoin can't work because miners have incentive to merge together and then do 51% attacks to double spend"
11:18 < TD> what we actually see is the opposite, where pools throttle themselves if they get too big because to do otherwise would hurt the value of their money
11:18 < pigeons> the same pool that did double spend?
11:18 < pigeons> or facilitate it i mean
11:19 < TD> other pools have done the same thing in the past
11:19 < TD> deepbit, btc guild etc
11:19 < gmaxwell> deepbit was DDOSed off the network for a week solid when it reached 50% I don't believe it ever regulated itself.
11:21 < gmaxwell> I'd like it to be true, but the self regulation is not working well, it's not like 40% is at all okay. Ghash.io stole several hundred btc from betcoin dice when it had just 25% (possible due to betcoin accepting unconfirmed) and then continued to grow to >40% after that.
11:21 < gmaxwell> I dunno about the game theory stuff, I agree it's wankery. But at the same time the observed behaviors are not good either.
11:21 < TD> correctly configured incentives don't magically make better solutions appear though
11:22 < gmaxwell> We agree.
11:22 < gmaxwell> (well you and I at least on that. :) )
16:57 < tholenst> actually, until here you don't need so much; you only need to be able to call ECDSA_CHECKSIG directly, and then you can do it similar to detecting a SHA256 collision
16:57 < sipa> (i'm also not convinced about the usefulness, but that's another matter)
16:58 < tholenst> but -- the problem is that the money which is supposed to back your transaction might be gone once you detect the double spend. For this you need more, and weirder opcodes
16:59 < sipa> well if it's gone, it's gone
17:00 < sipa> going beyond the basic rule of "a coin can only be spent once" is dark magic
17:00 < tholenst> i adhere to that basic rule
17:01 < tholenst> the basic idea is: if you spend a "backing coin", you can only spend it in such a way that for the next... say 100 blocks, it still remains a backing coin
17:01 < tholenst> and only after that it can become a usual coin
17:02 < sipa> mhmm... dark magic :)
17:03 < tholenst> i don't think there's anything dark there
17:03 < sipa> (not impossible, and not necessarily a problem, but i think the consequences become horrible to reason about)
17:04 < tholenst> no, why? will you be happy if i give a proof of some good properties?
17:04 < sipa> no need to convince me :)
17:04 < sipa> it's just interesting to think about
17:04 < tholenst> i seriously think it would be a good idea to have it implemented
17:04 < sipa> as in it means the spending transaction, as long as the backing coin that can spend from under it, even confirmed, is not actually spendable
17:05 < sipa> or at least, losing fungibility
17:05 < sipa> (those coins would be worth less than other coins)
17:05 < sipa> as they're less certain
17:05 < tholenst> no, you can move them back to normal coins, it just takes 100 blocks
17:05 < sipa> so
17:06 < sipa> you pay me, by spending coins C1, and sending me a coin C2
17:06 < nsh> so wait, we get complete anarchy with a BBC broadcast-loop that removes all the vulgarity and orgies?
17:06 < sipa> as long as C2 is buried less than 100 blocks deep
17:06 < sipa> C1 persists in some form
17:06 < tholenst> no no, I don't send you coin C2; I send you C1, and if I double spend C1, you get to destroy C2
17:06 < sipa> C1 belongs to you, it's the original coin you had
17:07 < sipa> there's nothing special with it, and it's buried 10000 blocks deep
17:07 < tholenst> I own both C1 and C2
17:07 < sipa> wait, what?
17:07 < sipa> i'm not following
17:08 < tholenst> the idea is: in order to pay you with C1, i need to back up the payment with C2. C2 has a different PKScript, which makes it a "backing coin"
17:08 < sipa> wait, let's talk about transactions instead
17:08 < sipa> you create a transaction which spends C1, and what else?
17:08 < tholenst> ok coin = txout
17:08 < sipa> yeah
17:09 < tholenst> I give you a PubKey2-signature of "If you find 2 PK-1 signed messages you may destroy the txout C2"
17:10 < tholenst> "PK-1 signed" is supposed to mean "signed with the same key as C1 is"
17:17 < andytoshi> ok, and C2 needs to be a special invalid-for-100-blocks output?
17:18 < andytoshi> it'd be neat if you could mark outputs as "cannot be spent with fewer than N confirms"
17:18 < tholenst> yes
17:19 < andytoshi> this is cool, i definitely think it changes coin properties too much to be bolted into bitcoin, but istm that it makes sense
17:20 < sipa> istm?
17:20 < andytoshi> as sipa says, there are cases when a "double spend" is a legitimate thing to occur, so these would need to be special transactions
17:20 < andytoshi> it seems to me
17:21 < tholenst> yeah one has to be careful with it; note though that if you can wait a bit (100 blocks) with the double spend, you can first move C2
17:22 < andytoshi> yeah, the receiver of the funds would estimate how long the tx will take to confirm, and require C2 have that many "cannot spent until" ticks left
17:22 < tholenst> anyhow, I plan to write a detailed proposal... I think it's worth it even if it doesn't go into bitcoin. it would finally be some real selling point for an altcoin, imo
17:23 < andytoshi> that'd be great
17:23 < andytoshi> if you can, explore the consequences re fungibility of locking coins like this
17:23 < tholenst> can you elaborate what you mean by that?
17:24 < andytoshi> well, if some coins can be spent quickly and others can't, the quick-spendable ones are more useful
17:24 < nsh> we need an playpit/sandbox for alt-experimentation
17:24 < andytoshi> so rather than "a coin is a coin is a coin" different coins might have different values
17:24 < andytoshi> otoh if they are locked in place, it's hard to claim they have any value, so maybe it's fine
17:24 < andytoshi> nsh: perhaps BlueMatt's thing will give that to us :}
17:25 < nsh> mm, unfortunately as stands it only changes the (mostly) boring things
17:26 < tholenst> well, you just need 100 blocks to get the backing coins back into normal coins; that's not even a day wait.
17:26 < andytoshi> sure, but given that's apparently popular, i'm sure if you gave BlueMatt a patch he'd inject it into the alts for a few days
17:26 < tholenst> it seems people are already fascinated by BlueMatt's thing :)
17:26 < nsh> haha
17:26 < nsh> i suppose there's no shortage of volunteer test subjects
17:27 < andytoshi> tholenst: ok, another thing to think about is what happens if there is a reorg, and the block at which the coin becomes normal changes
17:27 < nsh> quick, before we end up with ethics panel!
17:27 < nsh> good point
17:27 < tholenst> yes, ok
17:28 < andytoshi> nsh: people releasing cryptographic software without understanding it, and then goading people into putting money into them, are evil, there's no ethical concern in fucking with them
17:28  * nsh smiles
17:30 < Luke-Jr> andytoshi: evil is evil, even if the victim is guilty of evil things themselves
17:31 < andytoshi> Luke-Jr: fair enough
17:31 < andytoshi> tholenst: so, my specific concern is: suppose a coin becomes valid at block 300000, then i spend it in the next block
17:32 < andytoshi> some reorg happens and now the coin becomes valid at block 300005
17:32 < andytoshi> what happens to my spend?
17:32 < sipa> if the coin creation is reorganized, the spending of it is certainly reorganized too!
17:32 < tholenst> maybe bad things? but for that a 100 block reorg needs to happen, and then bad thing happen anyhow
17:32 < andytoshi> sipa: that's my thought, yeah, but it makes reorgs more complicated
17:33 < sipa> i doubt it
17:33 < Alanius> andytoshi: well, as long as they use the power of argument and not of coercion, I'm not sure "evil" is the right word
17:33 < sipa> let's not go there
17:33 < nsh> +1
17:33 < sipa> andytoshi: if everything is defined within one chain, there should be no problem with reorganizations
17:33 < sipa> but i'm not sufficiently understanding the scheme
17:34 < andytoshi> well, i spend something at block 300000, but suppose suddenly it is invalid until block 300500 (this is an extreme case)
17:34 < andytoshi> so suddenly my payment is invalid, and i have a window in which to double-spend
17:34 < sipa> that cannot happen without invalidating the spend as well
17:34 < sipa> as the spend happens after the creation
17:35 < sipa> ah
17:35 < andytoshi> yeah, so this complicates analysis and i think also has consequences for fungibility of recently-valid coins
17:36 < tholenst> I am not sure i understand your problem. Do you agree this only happens if the reorg is something like 100 blocks deep?
17:36 < andytoshi> but i also suspect this is fixable while still retaining the benefits of tholenst's trickery
17:36 < andytoshi> tholenst: yeah, it'd have to be deeper than the coin's invalid-until-N-blocks count
17:36 < andytoshi> so maybe we could require all transactions which do this to have N higher than 100
17:37 < tholenst> ok, i didn't think too much about that yet.
17:37 < andytoshi> or maybe, rather than saying "invalid until 100 confirms" you say "invalid until block 300000" and hardcode the 300000
17:37 < andytoshi> then you don't care about when the tx is actually mined, so there is no concern about reorgs
17:37 < tholenst> you could do that, but then you have to renew the backing txouts periodically; I don't like that
17:38 < andytoshi> well, you'd have to do this anyway i think
17:39 < tholenst> I think it makes sense at this point if I write down the proposal in more detail.
17:39 < andytoshi> yeah, it'd be good to have something precise to discuss
17:41 < tholenst> the input was useful to me anyhow :) more to think about, ty!
17:41 < nsh> what's the distribution of reorg heights?
17:41 < nsh> any theoretical basis for calculating that, or is it near-enough empirical?
17:42 < nsh> s/heights/depths/
17:43 < tholenst> for a theoretical basis, you need to have some kind of clue how fast the block distributes among the miners
17:43 < andytoshi> nsh: (a) hard to make precise, as generally only part of the network perceives a reorg as a reorg, while the rest of them saw the winning chain first, (b) the big ones occur by implementation bugs, which are hard to predict, (c) the small ones probably are also due to network flukes which are also hard to predict, though they might have a nice distribution since they're frequent
17:44  * nsh nods
17:44 < nsh> but it should be possible to put a 100-block reorg into an improbability bracket
17:46 < tholenst> agreed, using only mild assumptions that should be possible
18:34 < andytoshi> nsh, tholenst: my expectation is that if you can get any number assuming no horrific forking bitcoind bugs, it'd be like 1/googol or something
18:35 < andytoshi> way way way lower than the chance of a serious dev mistake
18:35 < andytoshi> so that's the probability you need to estimate, and good luck with that :)
18:35 < nsh> pft, i crunch graham's number for breakfast
18:36 < andytoshi> it's higher than 1/graham's number ;)
18:36 < nsh> maybe late lunch then :)
19:46 < andytoshi> BlueMatt: you are "everything that is wrong with cryptos" :)
00:04 < petertodd> same issue with Bitcoin fundamentally, but more likely to be a problem in practice "yeah, you see, I can't change my mining pool to prevent those stolen funds from being moved"
00:06 < amiller> how to know if you're an illegally operating MSB tip #103125: you're capable of detecting and returning someone's stolen funds...
00:07 < petertodd> lol
00:08 < petertodd> "This isn't a MSB! Why fraudproofs/trusted-hardware/closed source software/The FSM stop that!"
00:10 <@gmaxwell> :)
00:11 <@gmaxwell> I hope at least some people were getting my points about building systems where _no one_ gets put in the awkward position of having to decide to protect a thief.
00:12 < amiller> i'm interested in more ideas/examples of how to encourage things-that-will-eventually-fail to fail immediately and obviously
00:12 < petertodd> gmaxwell: I'd suggest actually saying that directly...
00:12 <@gmaxwell> I thought I did!
00:12 < petertodd> I got it, I doubt even 10% of the audience did.
00:36 <@gmaxwell> " It would have been wrong of us to demand that the operator of a service turn down a well substantiated request in a case like this, it would make them a villain to the kind and honest people their decision harmed. We shouldn't create a world where people have to make choices like that."
00:37 < warren> gmaxwell: so the strongcoin guy detected the thief then modified the .js to take it?  That wasn't entirely clear on the thread.
00:40 < warren> It's amazing to me that the thief would be so dumb to use a traceable wallet at all.
00:41 <@gmaxwell> I mean, being a thief suggests a prior probability that you are not someone who makes excellent life choices.
00:42 <@gmaxwell> warren: yea, my understanding was that he just modified the script to have if(this_is_such_and_such)sendallfunds(overhere);
00:42 < warren> that's scary.
00:43 < warren> I haven't checked if my blockchain wallet as Chrome extension has been silently updating itself
00:43 <@gmaxwell> It's the expected and obvious outcome and it's what I've spent the last year trying to convince people exists on these sites.
00:43 <@gmaxwell> ...
00:43 <@gmaxwell> warren: the extension only makes sure that the site matches the github, or at least thats how it used to work.
00:43 < warren> I've been meaning to switch away from it for weeks for that reason, and also the ability to brute force attack a wallet.  I strongly suspect someone downloaded all the encrypted wallets.
00:44 <@gmaxwell> yea, a lot of compromises lately and people claiming they had fairly strong keys.
00:44 < warren> I think there were two or three different blockchain wallet attacks
00:44 <@gmaxwell> there might be a vulnerability that let people bulk download the encrypted wallets. (perhaps some xss)
00:45 <@gmaxwell> (er, CSRF really)
00:45 < warren> 1) XSS or java browser exploits from clicking links on btc-e trollchat.  2) Android wallet malware and blockchain's android wallet being far less secure.  3) Weak passphrases and brute force cracking of all encrypted wallets that were downloaded.
00:46 <@gmaxwell> fwiw, I do all my web browsing in a separate VM. Security is just too hard.
00:46 < warren> gmaxwell: reportedly someone is 95% through writing another js client-side encrypted wallet.  he intends on open sourcing it.
00:46 < warren> yeah
00:46 <@gmaxwell> ::Sigh:: sounds like another instawallet waiting to happen. :P
00:46 < warren> sadly there seems to be something wrong with kvm.  It's wayyyy slower than a few months ago.
00:46 <@gmaxwell> People are really too easily convinces that JS wallets are completely secure.
00:47 <@gmaxwell> weird. Working fine for me.
00:47 < warren> not sure what's going on
00:47 <@gmaxwell> s/convinces/convinced/
00:48 < warren> He's writing it for Litecoin, but will launch it for both
00:48 < warren> Litecoin idiot factor is a bit higher ... and MtGox confirmed today that they will launch Litecoin real soon.  https://mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf
00:48 <@gmaxwell> why doesn't he just take the blockchain.info code?
00:49 < warren> not sure, it has no copyright or license notices, suggesting it is on github only to allow auditing?
00:49 < warren> Litecoin remains unmaintained.  I really want to work on it but too busy.  I volunteered to help the professor finish her book before the June 1st deadline.
00:49 <@gmaxwell> oh, hm. I thought it was liberally licensed, I got yelled at by piuk for calling it proprietary.
00:49 < warren> oh?
00:50 <@gmaxwell> as far as litecoin goes... ... tell mtgox that they want to pay you to work on it, and perhaps then you could justify some more time?
00:50 <@gmaxwell> if they're trading it .. and litecoin goes explody it could turn out quite bad for them.
00:50 < warren> I seriously doubt they would pay me.
00:51 < warren> well, it could go explody even if maintained
00:51 <@gmaxwell> sure, more likely to if unmaintained.
00:51 <@gmaxwell> I mean, other altcoins have had enormous rewrite attacks in order to exploit exchanges.
00:51 <@gmaxwell> and those exchanges are no longer in business anymore.
00:52 < warren> Litecoin remains vulnerable to the BDB lock limit self-consistency issue now.
00:53 < warren> gmaxwell: how is your relationship with mtgox?  could you suggest this?
00:53 < amiller> oh wow litecoin is being added to mtgox?
00:53 < warren> amiller: yes.  seems premature and risky to me.
00:53 < amiller> i actually did *not* suspect an altcoin would catch on... like this...
00:53 < amiller> crazy times
00:54 <@gmaxwell> magicaltux was saying it was a joke a few weeks ago. I suspect it was a joke and then it got a positive response from someone relevant.
00:54 < warren> I'm not invested in Litecoin.  I'm interested in developing it because 1) they're hurting for devs 2) I want to prove anti-spam policies that Bitcoin seems unwilling to adopt.
00:55 <@gmaxwell> A friend that has some of my old gpus is mining litecoin, ... he went through three pools before finding one that wasn't just robbing him blind.
00:56 <@gmaxwell> (I suspect his anti-scamdar is not very finely tuned!)
00:56 < warren> There are honest litecoin pools.  Trouble is they get killed by DDoS often.
00:56 < warren> p2pool is the most reliable way to mine it.
00:57 <@gmaxwell> yea, I think he was on one that got dos killed first, and then switched to something else that just never paid him at all... and then another one which was giving him about 10% of what he should have been getting... and then one that went offline with positive balances.
00:57 < warren> Trouble with p2pool though is the dust + litecoin's super high fees.  I tried to convince forrest to reduce the number of shares in the next p2pool hardfork as the current dust size is unusably small.  He isn't budging.
00:58 <@gmaxwell> people can turn up their share difficulty if they'd prefer to not get dust.
00:59 < warren> My maximum 100% efficiency dust size is too small.
00:59 < warren> I had to abuse 7 10KB free tx's to combine a thousand of them yesterday.
00:59 < warren> (maybe not a thousand, a few hundred, dunno)
01:00 <@gmaxwell> huh? changing your share difficulty shouldn't have anything to do with your efficiency!
01:01 < warren> What difficulty factor are you suggesting?
01:01 < warren> 5x less often?
01:02 <@gmaxwell> however much makes it so you don't get paid in every block
01:03 < warren> It allows a maximum of 10x
01:03 < warren> which isn't high enough to do that
01:03 <@gmaxwell> ah, well that seems like an issue.
01:03 <@gmaxwell> it should be clamped not on the up side but on the down side.. e.g. it shouldn't let you set it to more than 1/50th of a block or something.
01:04 < warren> It really isn't clear why Litecoin has such exchange value.  There's NO VENDORS.
01:05 <@gmaxwell> it's speculation
01:05 <@gmaxwell> duh
01:05 < warren> were you serious about asking mtgox to sponsor dev?
01:05 < warren> Not a weekend bounty, like payouts every 3 months as long as progress is made.
01:05 <@gmaxwell> I was, I have no clue if they'll do it, if they're not already doing it they're morons... given that they're morons, ::shrugs::
01:07 < warren> I'm 60% convinced the hash is a risk.
01:07 <@gmaxwell> know of any online namecoin wallets that support importing private keys? I have some nmc to rid myself of and don't really feel like starting up a namecoin node....
01:07 < warren> It seems implausible that someone would invest money to destroy it though.  They could just extract outsized profits.
01:08 < warren> nope
01:08 < warren> heading to class, bbl
01:54 < petertodd> re: litecoin a silkroad clone started up recently that denominates in litecoin by default
01:55 < amiller> https://gist.github.com/amiller/cf9af3fbc23a629d3084 i summarized my above points about fees and contention here
01:58 < petertodd> Hmm... one odd thing about coinbase tx's is they can-not have non-generation inputs. If you allowed that, and made them an exception to the usual rule that you can-not spend a coinbase, your equilibrium creating behavior can be done, paying part of the fee to the next miner, and yet still avoid the mess of a re-org canceling coinbases.
01:59 < petertodd> The fee you give to the next miner would basically be an anyone-can-spend output from the coinbase tx.
01:59 < amiller> righteous
02:00 < petertodd> yup
02:00 < petertodd> but it's late here, night
02:00 <@gmaxwell> or you do what I suggested before, make uncollected fees spill forward and you avoid all the weird maturity restrictions
02:01 < petertodd> gmaxwell: makes proofs that the block is correct potentially unbounded in size
02:01 < amiller> no you'd just have everyone keep a counter in their state
02:02 < petertodd> hmm, yeah, I'll think on that, but later
02:06 <@gmaxwell> petertodd: nah, doesn't, you just make the payforward accumulator part of the header.
04:39 < warren> gmaxwell: coblee is concerned about taking donations/sponsorship to help dev because that may create expectations or implied liability
22:10 < amiller> i'm just saying that including it in a storage proof of work puzzle of some kind is an approach to getting replication, which is closer to what you want than just paying one service specific
22:11 < petertodd> Problem is replication factor is a human thing, and it *can't* be proven with a proof-of-work. Sure you can make a storage hard proof-of-work that kinda sorta implies it, but it tells us nothing about how many data centers need to burn down.
22:12 < amiller> the point is i agree that the cool thing about this is that it's not the network's problem if your old data is forgotten, and it can be up to the individual user to take appropriate precuations to pay people to store the relevant data in the right way
22:12 < amiller> we're all in fierce agreement here
22:12 < petertodd> I suspect in reality the "pay to get my txout mined" is more than sufficient to get at least a dozen full copies out there, and remember that if you leave your computing running, even as a partial node, you can both contribute to the validation effort and keep the proofs for your txouts up-to-date.
22:12 < gmaxwell> yea, and it's tricky to not create huge outsourcing or consolidation benefits that way. amiller: your best solution against outsourcing requires some pretty tricky economic reasoning on the part of miners which is currently disproven by existing practice (not just in bitcoin but in every place humans transact, no one ever demands cryptographic proof of anything)
22:12 < amiller> insertion-order-sorted merkle tree is outstandingly cool in this regard
22:13 < amiller> or MMR if you prefer :3
22:13 < gmaxwell> petertodd: well and a logical thing is to also include kind of DHTish recovery service. E.g. randomly keep X gbytes worth of data, so you can have a chance to partake in people paying for recovery.
22:13 < petertodd> Ha, hey, I dedicated Merkle Mountain Ranges to all the hikes in the Canadian Rockies I've had with my dad, so I'm fighting to make the name stick. :P
22:14 < amiller> i'm okay with that :)
22:14 < petertodd> amiller: Hey, at least I didn't call it Todd Trees.
22:14 < amiller> lol
22:14 < gmaxwell> amiller: MMR also implies that you care about the cheap insert rule. :)
22:14 < petertodd> gmaxwell: Yeah, and the "DHT" in this case needs nothing more than sipa's block ranges really - it'd be a long time before the DHT actually needs routing.
22:15 < amiller> i'll consider that MMR refers to not just the data structure but all the implied good properties it has :)
22:15 < gmaxwell> petertodd: yea, locality is good as it reduces the storage and computation required.
22:16 < gmaxwell> I wish sharding it were easier, but there are weird fungibility problems with sharding.
22:16 < petertodd> gmaxwell: I'm pretty sure I can do a sharding scheme that doesn't have fungibility issues actually, although it will have scary fraud issues.
22:17 < gmaxwell> you are not helping my confidence there!
22:17 < petertodd> gmaxwell: It'd also have 51% attack issues given we need a market for transaction fees... although I think with my "per-tx pow" scheme and some proof-of-stake sprinkled in it just barely works...
22:18 < gmaxwell> it works if you have a hierarchical currency. E.g. a master coin that everyone validates. And then shard coins. And you can only spend within shards and between shards and master.  But that hurts fungibility.
22:18 < petertodd> gmaxwell: Yes, multiple currencies makes it really easy. I think on the forum I gave the toy example of a circular set of currencies, where mining always mined an adjacent pair basically.
22:19 < petertodd> (good post to timestamp come to think of it...)
22:20 < amiller> i'm beginning to think even fungibility doesn't matter as much
22:20 < amiller> one thing i've been worrying about with, say, ripple or color coin currencies is how you pay the miners if they don't care about your currency
22:21 < amiller> but you *don't* have to pay all the miners, you only need to pay enough of them
22:21 < amiller> you can mine your own irrelevant transactions if you can afford the cpu but no one else likes your currency
22:21 < amiller> the more broadly valuable your sillycoins are the easier it is to convince all the miners to include it
22:22 < petertodd> amiller: With wallet support it'd be easy enough to paper over the fungibility problems by just trying hard to keep the user's wallet well balanced, and accepting that some transactions take a few more confirms.
22:22 < amiller> sure
22:22 < amiller> you can have an automated portfolio of colored coins too
22:22 < petertodd> amiller: Someone more versed in graph theory than me could probably come up with some scheme where you have log(n) steps to spend any coin.
22:23 < amiller> you could have an altcoin that had proof of work mining, no startup bonus, only self issued currencies, and fees are just paid in IOUcoins of any user's discretion
22:24 < amiller> the only problem is that we don't have much reason yet to be confident that the whole consensus thing works with the current system with all the block bonuses removed
22:24 < petertodd> amiller: Well, do you understand my circular set of pair-wise-mined currencies example?
22:24 < petertodd> amiller: You can still have block bonuses there.
22:25 < amiller> block bonuses are gonna go away anyway so the question is are voluntary transactions fees just to the miner good enough
22:25 < amiller> i like the idea that eventually you'll have to bribe the next miner to build on your block rather than 'discouraging' it
22:26 < petertodd> Yeah, and anyway to make such schemes work we have to get fraud proofs to work well, and I think right now TXO commitments are the logical way to do that...
22:28 < petertodd> One interesting thing about all this stuff, is suppose we got a nice, shardable, ultra-decentralized currency: I suspect we'd want a token system, with fixed values, so that the transactions related to the lowest value tokens moving around can be relegated to the lowest security chain.
22:28 < petertodd> Otherwise the whole thing just becomes a nice way to instant-message your friends...
22:28 < amiller> petertodd, no the trick is insurance
22:28 < amiller> i sort of have an idea of how navigating the multi hierarchy currency works
22:29 < amiller> the main questions is how you exchange value from a small currency to a larger one
22:30 < amiller> like even if you have a locally-meaningful currency, it's still beneficial to have a broader audience observe the transactions
22:30 < petertodd> See, I'm thinking of a system where for a long, long time, the "1 satoshi" chain has basically no attention paid to it so fraud is rampant and people don't trade in single satoshis.
22:31 < petertodd> Because if you *can* cheaply trade in single satoshis, securely, then what stops me from timestamping everything? At some point something needs to break down, and there needs to be some way to "communicate" back the cost of the whole system to its users.
22:31 < petertodd> There Ain't No Such Thing As A Free Lunch!
22:32 < amiller> i think we vaguely agree again :)
22:32 < gmaxwell> shard by txout value.. interesting.
22:32 < gmaxwell> but that creates a linear hierarchy which is kinda lame.
22:32 < petertodd> Yeah, I think it'd probably work best with some kind of storage-hard proof-of-work, especially if it can somehow be directly related to validation.
22:33 < petertodd> gmaxwell: Maybe it doesn't need to be linear? Maybe it's just opportunistically sharded, IE you mine whatever part of the UTXO set that you want to, and we use fraud proofs to keep people honest.
22:33 < petertodd> A worthless chain won't have many people actually validating it, so every so often someone will get away with fraud, or the data will get lost and coins will become unspendable.
22:34 < petertodd> Conversely the 2^32 satoshi chain is actually economically important, and it's basically impossible to get away with fraud.
22:34 < amiller> sorry in advance for the following ramble but just be glad it's not in bitcoin-dev
22:34 < petertodd> All those chains can operate in lock-step too, so atomic transactions are still possible. (though exchanging a 2x 1 satoshi tokens for a 2 satoshi token won't be possible)
22:34 < amiller> what strikes me as really strange is that with the bribery/incentive/rational modeling it seems like we're headed towards a system that works even if people just do whatever benefits them
22:35 < amiller> what's the role of the protocol or constitution in that case?
22:35 < amiller> what's even the need for a correct set of rules if following them is optional but just beneficial by default somehow
22:35 < amiller> and i wonder if the explanation is that it's arbitrage of some kind between two kinds of rationality
22:35 < amiller> there's like the immediate greedy decision that you'd make fully anonymously
22:36 < amiller> and a separate kind of policy that you want to enforce on everyone else
22:36 < amiller> like it's easy to show support for a certain rule when it's probably not going to affect you anyway, like by building on someone else's block
22:37 < petertodd> I'll warn you, I'm this close to inviting you to #postmodern-bitcoin... :P
22:37 < amiller> likewise it's easy to deviate from the rule when the benefit is clear
22:37 < amiller> yeah well
22:37 < petertodd> heh, though go on :P
22:38 < amiller> that was the end of the thought i guess
22:38 < amiller> sometimes there's a new datastructure at the end, not this time
22:39 < petertodd> gmaxwell: Oh, and you know, what's really interesting with multiple powers of two token chains is that MMR TXO commitments are the perfect data structure for them, given the mandatory data required to mine a new block is very small, and they can continue even if all the data is lost.
22:40 < gmaxwell> well.. there is less need to shard if full verifying requires little state.. the primary advantage is potential bandwidth.
13:01 < gmaxwell> Things like that crop up all over the place, we get them in Bitcoin... they show up in any sufficiently large piece of software or hardware design. In digital electronics you'll sometimes have problems when analog effects that you thought you could ignore crop up.
13:02 < Emcy> obviously its not such a big problem as i think then
13:02 < Emcy> are there any cryptosystems that are unkowable in full by human mind?
13:03 < gmaxwell> Well...
13:04 <@gmaxwell> We depend on knowing the thing in order to make arguments for its security. Modern cryptosystems are built out of simple regular parts.  Otherwise if you make something too complex you'll miss a weakness which will be obvious to someone who 'looks at it from another angle'.
13:04 <@gmaxwell> So all the primitives we use are quite simple and straightforward.
13:05 < gmaxwell> Though in more recent times people have been building taller towers, systems which are only simple if you abstract away the details.
13:05 < Emcy> but they dont always interact in the way you think they should.
13:06 < Emcy> perhaps one day we will throw together enough primitives that it will turn around and ask us for clemency.....
13:09 < andytoshi> Emcy: there is a good lesson about this in the history of tls
13:10 < andytoshi> http://blog.cryptographyengineering.com/2012/09/on-provable-security-of-tls-part-2.html
13:12 < Emcy> im sure it is provably secure, the auth part is letting it down badly though these days
13:13 < andytoshi> that link has a short blurb about the MAC fiasco in the 90's
13:14 < Emcy> wots that
13:14 < Emcy> nm ill read
13:15 < andytoshi> it's a classic "things interact in surprising ways when you pile them on" story
13:15 < andytoshi> and the complexity of that problem was not even very high..
13:17 < Emcy> from what ive seen almost no servers still dont use tls 1.2
13:18 < andytoshi> yeah, i don't think browsers will even accept tls 1.0
13:18 < Emcy> i always thought people used old shit because its been in the trenches longer than new shit.
13:19 < Emcy> i saw a server with tls 1.0 and 1024 rc4 or something recently
13:20 < Emcy> thats pretty bad
13:22 < Emcy> jesus christ it just rained the hardest its ever rained around here in 30 years
13:22 < Emcy> it was raining upwards.......
13:22 < Emcy> wall of water
13:23 < andytoshi> well, i am off to the airport, good talking to you guys
13:24 < Emcy> good flight
13:24 < Emcy> oh
13:34 < Emcy> god dammit planetside 2 has been down for hours
13:35 < Emcy> i spose thats why its free
13:56 < nsh> andytoshi, your link on tls -- reminds me of that scene from one of the hitch-hiker's guide books...
13:56 < nsh> "Arthur goes to the village. He finds a woman seer who swats at flies in front of a cave. She smells horrible. She does her dead goat-like animals. He helps her take her photocopy machine out into the sun because it is solar-powered. She hands the photocopies to him. It is the story of her life. He should read it and not make the decisions she made to end up alone..."
13:56 < nsh> ( http://www.bookrags.com/studyguide-mostly-harmless/chapanal005.html )
13:57 < nsh> someone should teach a remedial history of the internet, annotated at every point where we fucked it up
13:57 < nsh> in case we get a chance to start over at some point :)
14:51 < eclark> what do you think of **********DOGE*********
14:57  * nsh looks at eclark pointedly
16:59 <@gmaxwell> andytoshi, luke: I went and posted the description of my attack on that cryptosystem. (since he tried and didn't figure it out and asked me to explain it)
17:03 < jtimon> gmaxwell do you have a link?
17:05 <@gmaxwell> jtimon: https://bitcointalk.org/index.php?topic=374085.0
17:07 < jtimon> thanks
17:24 < nsh> i don't really understand the assumption that you'd want to have much correspondence with someone you just performed a pseudoanonymous one-time transaction with. i rarely feel the urge to call the hot-dog stand for a chat...
17:26 < helo> maybe authentication to some service that the one-time transaction paid for
17:26 < nsh> mmm
17:34 < helo> people generally handle their bitcoin private keys more securely than most other kinds of private keys, so services that are cobbled together ontop of bitcoin's PKI smell ultra-secure
17:36 < BlueMatt> heh, shit...they recovered rsa pgp private keys from the noise a cpu makes...
17:36 < nsh> yeah, was reading about that today
17:41 <@gmaxwell> BlueMatt: none of the crypto we use for bitcoin is timing/power side channel immune.
17:41 <@gmaxwell> I don't believe there exists constant time implementations of the primitives for secp256k1 at all right now.
17:41 < BlueMatt> gmaxwell: I didnt think they were, I just found this particular paper fun
17:42 < nsh> i wonder how much of the efficiency advantage of EC is lost with constant time primitives...
17:43 <@gmaxwell> nsh: the curve25519 stuff is constant time, and stupid fast... but its partly a result of having picked parameters with that in mind.
17:43 < nsh> hmmm, okay
17:44 < nsh> i wish djb would release the minimaLT code :/
18:06 <@gmaxwell> dear god.
18:06 <@gmaxwell> this guy is wasting unbounded amounts of my time in private message.
18:07 < BlueMatt> so ignore him?
18:07 < BlueMatt> or limit your bw
18:07 <@gmaxwell> I had hoped that I'd not be able to waste any time on him by dispatching luke to respond on the threat, but that ended up like a cesium / water reaction.
18:07 <@gmaxwell> s/threat/thread/
18:08 <@gmaxwell> dude is convinced he's going to revolutionize bitcoin with his grand ideas, but his only experience is with bc.i.
18:08 <@gmaxwell> and he's all confused about how bitcoin works.
18:08 <@gmaxwell> and every exchange I have with him is revealing another understanding.
18:09 <@gmaxwell> like after message 6 I discover that he's planning on 'solving' the problem that the "messages in transactions are cleartext".
18:09  * nsh chuckles
18:09 < maaku> gmaxwell: there are a dozen people on bitcointalk like that
18:09 < maaku> if only the ignore bit were an option :\
18:09 <@gmaxwell> And the idea that a business that ships out goods to people would generate a new address for each payment seems to be completely foreign to him.
18:10 < BlueMatt> maaku: a dozen? really? theres like a few thousand...
18:10 < maaku> heh
18:10 <@gmaxwell> I could ignore him but I don't want him going and fucking stuff up with his earnest enthusiasm.
18:11 < nsh> there should be a crypto playpen tarpit for people
18:11  * maaku fully expects him to find some investor willing to throw insane amount of money at his ideas
18:12 < BlueMatt> or...we could just let people implement dumb crypto primitives, and use idiots to steal coins from
18:14 <@gmaxwell> part of the problem, of course, is that even the broken and dumb ones are seldom so bad as to enable theft.
18:15 < BlueMatt> yup
18:15 <@gmaxwell> like, this guy's busted-ass cryptography still would take 2^64 queries to a decryption oracle to crack one message. Even if someone had convinced him to reduce the MAC to 32 bits, it likely would have only rarely been a practical attack.
18:16 <@gmaxwell> he also thinks he can do things with transaction "from" addresses.
18:16 < BlueMatt> how much would it cost to put an ad on bitcointalk that just says "THERE IS NO FROM ADDRESS, GET THAT THROUGH YOUR HEAD, IF YOU DONT GET IT, GO AWAY"
18:17 < nsh> ehehe
18:17 <@gmaxwell> BlueMatt: I wonder what the revenue stream from bc.i is? It can't be that great if its really just the ads and they don't have income from spying on people or whatever.
18:18 <@gmaxwell> We could raise money to buy it and shut it down.
18:18 <@gmaxwell> Without notice.
18:18 < BlueMatt> they have pretty reasonable vc funding iirc
18:18 < BlueMatt> so...they must have some business model, somewhere
18:18 <@gmaxwell> And a full screen "HA HA WE TOOK YOUR MONEY, YOU WERE AN IDIOT FOR USING A CENTRALIZED SERVICE"
18:18 <@gmaxwell> darn
18:18 < BlueMatt> even if its "down the road, we..."
18:18 <@gmaxwell> (3) profit.
18:21 < maaku> money up for grabs: https://telegram.org/crypto_contest
18:23 < maaku> http://core.telegram.org/techfaq
18:24 <@gmaxwell> uh.
18:24 <@gmaxwell> that seems really dishonest to me.
18:25 <@gmaxwell> it looks like the security is dependent on their server handing out the correct keys.
18:25 < BlueMatt> they claim you can also do dh p2p and then compare some image that represents the shared key or something
18:25  * BlueMatt didnt read closely, it just said "compare image after dh exchange"
18:28 <@gmaxwell> I wonder why they're using sha1, especially when they need 512 bits of KDF.
18:48 <@gmaxwell> I see that news.ycombinator.com has similar thoughts to me, https://news.ycombinator.com/item?id=6931457
18:51 < nsh> "Yeah, it's probably against the rules of the competition and will get you arrested if you try. But I think if someone does break into their central server and wins the competition that way, they should still be paid out."
18:51 < nsh> i like those odds!
18:53  * gmaxwell contemplates that google search you did earlier today in #bitcoin ... :P
18:54  * nsh smiles
18:55 <@gmaxwell> hm. I was trying to see what their physical location was, and it seems to be run by totally anonymous parties?
18:57 < nsh> can you sell on the google play store anonymously?
18:58 < nsh> LLCs are registered, but anyone can call themselves X LLC https://play.google.com/store/apps/developer?id=Telegram++LLC
19:00 < nsh> possibly William / Jordan A Baker http://trademarks.justia.com/860/10/telegram-86010749.html
19:00 < nsh> (no mention of encryption in the trademark application though)
19:01 < nsh> ( http://companies.findthecompany.com/l/32066563/Telegram-Llc-in-Wilmington-DE )
19:43 < adam3us> hmm this coinmessage thread is locked so i cant join in!  i was going to explain that what the sender claims is R.x from R=rP can be s st there is no solution to s=f(x) ie s is not on the curve.  he doesnt seem to get that (re comments about s being > n)
14:12 < gmaxwell> making it somewhat small means that from day 1 people would need to vote to keep the size up, thats probably good.
14:12 < gmaxwell> e.g. you want to actually make the minimum smaller than the current need so the need to vote doesn't surprise people later.
14:13 < petertodd> The thing is a non-vote is always a vote for the status quo, so people *don't* need to vote if they are happy.
14:13 < petertodd> (or just want the limit to reduce a bit)
14:13 < gmaxwell> petertodd: how do you vote for a reduction?
14:14 < petertodd> You vote for a reduction and a miner can chose to include it.
14:14 < petertodd> *choose
14:14 < petertodd> (john thought some % of the block limit should be reserved for votes FWIW)
14:14 < gmaxwell> hm. perhaps instead the vote-absent-target should be some median of the last N block sizes.
14:15 < gmaxwell> Since miners can already drive it down to nothing regardless of what the voters think.
14:15 < petertodd> That's what john proposed, the limit changes once per year, and a non-vote is a vote for the median of last years and this years limit.
14:15 < gmaxwell> not a median of the limits, a median of the observed blocksizes.
14:15 < petertodd> Basically that's just there so that if a too-high size allows for censorship, the limit will gradually reduce.
14:15 < petertodd> But that means miners can just pad blocks to change peoples status quo votes.
14:16 < gmaxwell> petertodd: yes, so then they stop voting.
14:16 < petertodd> But you can't *not* vote the status quo except by voting something else.
14:17 < gmaxwell> or to be more clear, miners' actual observed behavior _is_ the status quo.
14:18 < gmaxwell> petertodd:  median(blocks) < limit < 2*limit.   You're voting if the limit should be closer to median(blocks) or 2*limit.
14:18 < gmaxwell> if you don't vote, thats a vote for the median, and the limit will fall.
14:18 < petertodd> Hmm... that's reasonable.
14:18 < gmaxwell> (as the median must always be smaller than the limit)
14:18 < gmaxwell> the speed at which it falls depends on the miners behavior.
14:19 < gmaxwell> it will fall slowly if they're consistently right at the limit.
14:19 < petertodd> Although it's easy for all miners to decide to pad blocks to keep median(blocks) == limit
14:19 < gmaxwell> maybe median(blocks)- just in case they .. right
14:19 < gmaxwell> er right.
14:19 < petertodd> With jdillons proposal, the limit *will* fall even in that case.
14:19 < petertodd> For that matter, not all miners, 50% majority of miners.
14:20 < gmaxwell> yea, doesn't actually even need to be median, it could be a mean or some kind of weighed mean.
14:21 < petertodd> I'd just keep it as vote for 2*limit or vote for limit/2 in that case, pick a representative UTXO for each block, and calculate weighted mean for the past years worth of blocks.
14:21 < petertodd> Every step of that is cheap to prove.
14:22 < gmaxwell> So that has stability problems, I think.
14:23 < gmaxwell> basically, if blocks are full and you're like "fuck! I have more bandwidth, I want cheaper transactions"
14:23 < gmaxwell> you'll be voting 2* all year long with all your friends.
14:23 < gmaxwell> maybe you really only needed a 10% bump.
14:23 < gmaxwell> you'll be pissed alll year and then get a great big step when you really only needed 10% (but you don't _know_ you only needed 10%)
14:24 < gmaxwell> so it should probably be more continuous to facilitate discovery.
14:24 < gmaxwell> One problem is that a rolling window has a high group delay.
14:25 < petertodd> Hmm... make the limit change every block, by 2 / (1year/10minutes) ?
14:25 < gmaxwell> so you're voting 2* for a long time, and then finally it really goes up.. and keeps going up even though you're like "fuck, too big!"
14:25 < gmaxwell> so there is a tradeoff there.
14:25 < petertodd> Yes, but everyone can spend their txouts to change their votes.
14:26 < gmaxwell> okay, I'll accept that its acceptably soluble.
14:26 < petertodd> Of course, in the context of computer systems, chances are 2x isn't really a big change.
14:27 < gmaxwell> well not just computer systems.
14:27 < gmaxwell> this is needed to keep fees up to prop up difficulty.
14:28 < petertodd> Against an attacker does 2x feel like much safety margin?
14:31 < petertodd> Oh nice, so 1year/10minutes = 52,560 ~= 2^16, so the code can simply find a representative UTXO, and if the vote is to raise, do limit += limit>>16
14:31 < petertodd> If the vote isn't to raise, do limit -= limit>>17
14:32 < petertodd> oh, wait, no I'm an idiot...
--- Log closed Fri Jul 19 00:00:02 2013
--- Log opened Fri Jul 19 00:00:02 2013
11:13 < jgarzik> petertodd, RE identity + IRC replacement via P2P flood-fill network...  do you think a PoW element should be included, a la BitMessage?  Or just rely on identity cost and shared opinion
11:13 < jgarzik> ?
11:14 < petertodd> I think identity cost is enough because the domain over where the message is sent is fixed - there's no re-use potential.
11:15 < petertodd> rb
11:15 < petertodd> brb
11:47 < petertodd> back
13:08 < petertodd> jgarzik: I suspect dealing with the graph of trust is going to be tricky... smells like a computationally intensive graph problem.
13:09 < jgarzik> indeed
13:09 < petertodd> One subtlety is you have to apply the same anti-spam rules to messages stating who you trust.
13:10 < petertodd> The other one is how do you find peers who have similar ideas of what to filter.
13:11 < petertodd> For v1.0 maybe the right approach is to not do it as a graph, but as a simple accounting of the sum sacrifice ignoring someone.
13:13 < jgarzik> certainly easier
13:14 < jgarzik> though disappointing there must be some sort of state
13:14 < petertodd> Yes, more minimal state, but that's still state.
13:14 < petertodd> At least it's state without user-controllable parameters - like bitcoin peers can sync to each other and come to consensus.
13:15 < jgarzik> also I wouldn't want everyone in the world on the same P2P network.  My proxy would join user-specified networks, each with their own DNS seeds or methods of address gathering/bootstrapping/sharing.  i.e. join "freenode" network with specified network magic and DNS seeds
13:15 < jgarzik> enables darknets and scaling
13:16 < petertodd> For bitcoin P2P flood fill jdillon suggested that you split things up into different domains by a simple UUID.
13:16 < petertodd> Nodes can even advertise a bloom filter of what UUIDs they participate in.
13:30 < jgarzik> Perhaps, but ultimately I think people should be able to avoid transiting data for networks they care nothing about
13:31 < jgarzik> Proxy can talk to multiple P2P networks just as easily
13:32 < petertodd> Point is with those UUIDs that's exactly what happens, yet to an observer the behavior of all those networks is identical.
13:33 < petertodd> Also allows for a meta-UUID(s) to make peer discovery for a given UUID easier.
16:38 < sipa> every time i (re)join here, it seems the number of people has grown :)
16:39 < petertodd> we'll have to make -gods eventually
16:39 < sipa> well, there's always #bitcoin-satoshi above...
16:40 < petertodd> heh
16:43 < gmaxwell> this is the best bitcoin channel.
16:43 < gmaxwell> well, other than the one where you have to solve the cryptographic puzzle embedded in the blockchain to join...
--- Log closed Sat Jul 20 00:00:05 2013
--- Log opened Sat Jul 20 00:00:05 2013
02:27 < midnightmagic> :-I please don't tell me that unless there is actually a puzzle
02:28 < midnightmagic> lol
02:28  * midnightmagic distracts himself by clicking the bitmaps in obscure unicode glyphs
--- Log closed Sun Jul 21 00:00:08 2013
--- Log opened Sun Jul 21 00:00:08 2013
19:12 < gmaxwell> petertodd: so one additional property your transaction PoW stuff would have is that it would increase the incentive to make sure you include transactions from the far side of a network partition.
--- Log closed Mon Jul 22 00:00:11 2013
--- Log opened Mon Jul 22 00:00:11 2013
06:57 < petertodd> gmaxwell: indeed, for my proof-of-sacrifice ideas, like the zookeyv key-value consensus system, I was thinking that'd basically be the whole incentive to try to broadcast the fact that you made a block/tx as widely as possible
06:58 < petertodd> gmaxwell: Works really well I think if the blockchain has a DAG structure and including non-conflicting branches is advantageous.
--- Log closed Tue Jul 23 00:00:15 2013
--- Log opened Tue Jul 23 00:00:15 2013
02:42  * amiller grumbles
02:43 < amiller> i think the first rule of bitcoin is "no global identities"
22:14 < gmaxwell> http://www.tdp.cat/issues/tdp.a015a09.pdf
22:14 < gmaxwell> damnit I must be tired.
22:14 < gmaxwell> Can someone decode which properties there actually achieving there?
23:30 < petertodd> "secure against semi-honest servers" <- you've got good reasons to wonder
23:37 < petertodd> yeah, I don't think it's interesting for us - seems to be an interactive protocol where the client gets a proof that c \in S without knowing S, but you still need that round trip
23:38 < petertodd> I think the advantage over a merkle tree is supposed to be that the underlying primitive can be a bloom filter, rather than a complete dataset like a merkle tree
23:40 < gmaxwell> https://news.ycombinator.com/item?id=6094383
23:40 < gmaxwell> there I tried to read it again and managed to uncross my eyes long enough to understand their first form.
23:41 < gmaxwell> it's relatively clever, at least less obviously horrible than some of the oblivious query stuff... but I can't think of anything we could use it for.
23:41 < petertodd> yeah, and that kinda makes sense, but what they are talking about appears to have to be an interactive protocol
23:41 < gmaxwell> petertodd: it is.
23:41 < gmaxwell> you can't query membership without asking the other side to blind sign for you.
23:41 < petertodd> right, which isn't much better than just a merkle tree
23:42 < gmaxwell> I can't think of anything we can use it for.
07:56 < warren> they're scared suddenly by Luke-Jr's patch, and realization that there's targeted ways for pools to filter only them
07:58 < adam3us> warren: i dont want to give them ideas but i think steganography wins (eg they could use committed tx too (even steganographically encoded variant of it), and we may want to prevent miner policy with (non-stego) committed tx also) Luke-Jr is awesome but miner policy is a slippery slope when we have limited technical defense against miner centralization
07:59 < sipa> luke's patch makes sense, but it's not rational for miners to adopt it
07:59 < sipa> it adds complexity to mining, and can only result in lost fee income
08:00 < adam3us> sipa: his policy was to deprioritize non-unique addresses right? or was there another feature also?
08:00 < sipa> yes
08:01 < adam3us> sipa: and msc is using address tagging i guess
08:01 < warren> adam3us: their address tagging is for dumb reasons that have nothing to do with the goal of the protocol
08:01 < adam3us> sipa: sweet patch btw :)
08:01 < warren> adam3us: it's for the founder to collect a tax on every tx
08:02 < Fistful_1f_LTC> why dont they move to PTS
08:02 < adam3us> warren: yes so the patch is a temporary win
08:02 < Fistful_1f_LTC> or create their own,
08:02 < adam3us> Fistful_1f_LTC: yes i suggested that to ripper123 on the msc thread - pts
08:02 < sipa> PTS?
08:02 < Fistful_1f_LTC> protoshare
08:02 < Fistful_1f_LTC> bitshare
08:03 < adam3us> sipa: protoshares a temporary "please mine this while we code bitshare" and we promise to give pts a 10% premine equity in bitshare
08:03 < Fistful_1f_LTC> lol
08:03 < sipa> brrr
08:03 < warren> Fistful_1f_LTC: I think their goal is to avoid having the entire network being declared illegal by making it impossible to be detected
08:04 < adam3us> Fistful_1f_LTC: its awesome - i hung out on the #protoshares irc for a short while - most of the people had no idea what or why they were mining, only that they were there EARLY so if it rocketed theyd make a bundle
08:05 < adam3us> warren: i think stego works, eg built on committed tx.  but only up to the insider attack - someone can get in there, identify msc tx via nominal value msc tx, and feed the info and evidence to miners to block
08:08 < Fistful_1f_LTC> adam3us: it's already rallying,
08:08 < adam3us> sipa: the mistakes on pts were almost terracoin in proportion.  its hashrate went up faster than the adjustment could control, so it mined 6 months planned in 1 week. they released a hardfork patch and demanded all miners switch
08:08 < Fistful_1f_LTC> i'm mining a ton right now
08:08 < TD> i don't think miners should be down-prioritising address re-use
08:08 < adam3us> Fistful_1f_LTC: i think you maybe could get more speed, like n^2 more by increasing the ram used in the code
08:09 < Fistful_1f_LTC> how would i do that?
08:10 < adam3us> Fistful_1f_LTC: there is a data structure that stores collision candidates, its set to like 1GB, if you increase it to 64GB it may run 1000x faster
08:10 < adam3us> Fistful_1f_LTC: (or however much ram you have)
08:11 < Fistful_1f_LTC> using AWS
08:11 < Fistful_1f_LTC> its probably scalable
08:11 < adam3us> Fistful_1f_LTC: yes you can choose instances with more or less RAM, but try it first
08:12 < warren> TD: sipa: sure Luke-Jr's patch may not be rational, although filtering MSC may
08:12 < TD> well it's just not useful, imo. people already have incentives to not re-use addresses
08:13 < Fistful_1f_LTC> ok, you know which datastructure that is?
08:13 < adam3us> Fistful_1f_LTC: erm 1 sec
08:13 < Fistful_1f_LTC> or which miner are you talking about the coyote one ? or the beer
08:14 < adam3us> Fistful_1f_LTC: either the qt client or the ptsminer client (its the same code)... the bitshare binary they dont release source for
08:14 < warren> and OMG, have you read their "spec"?  The designer seriously doesn't know what he's doing.
08:15 < Fistful_1f_LTC> ok, i use ypool's miner, which is slightly faster,
08:15 < warren> huh, protoshares uses XPM's pow?
08:17 < adam3us> Fistful_1f_LTC: probably from same source... look for semiOrderedMap.cpp
08:17 < Fistful_1f_LTC> adam3us: cool, thanks
08:17 < Fistful_1f_LTC> warren: they use momentum,
08:18 < adam3us> Fistful_1f_LTC: (I havent tried it... just as they are using birthday collision, until ram is full its speed increases n^2 with size of ram, if the cpu cores are fast enough to fill it in about the size of a block duration)
08:18 < Fistful_1f_LTC> slightly "hardened" scrypt, but it seems it's not that much harder
08:19 < adam3us> Fistful_1f_LTC: did they change it?  i think its H=hashcash-SHA512-26 (26 bit bitcoin like collision)
08:19 < Fistful_1f_LTC> adam3us: i will test it then
08:19 < adam3us> Fistful_1f_LTC: warren: then they store H(cb,a), H(cb,b) for random values or counters a, until they find H(cb,a)==H(cb,b) in the last 50-bits (50-bit birthday partial collision)
08:20 < adam3us> Fistful_1f_LTC, warren: finally they test if H(cb,a,b) < target
08:21 < adam3us> Fistful_1f_LTC, warren: (cb is coinbase) their idea is they wanted to make a scrypt variant which was faster to verify (3 hashes) but still needed ram like scrypt, an interesting but unsolved design concept (i thought of it and tried it myself ages ago - its not easy)
08:24 < adam3us> Fistful_1f_LTC, warren: consequently they failed on 3 counts: 1. it has TMTO (via unreliable bloom storage - which they didn't realize) so it can probably be made to work in GPU L2 cache; 2. it has progress so powerful computers win more than their share, 3. it has economies of scale (ie 2x ram = 4x power). triple fail
08:27 < warren> adam3us: I recall Luke-Jr was touting their design earlier while making fun of Litecoin's PoW failure. =)
08:27 < warren> (sure ,Litecoin had a PoW failure)
08:31 < adam3us> warren: litecoin PoW failure was params, this one is algorithmic :) and luckily for the investors in litecoin, the b0rken params turned out to be OK params for GPUs when ASICs took over
08:33 < adam3us> warren: 3am dude.
08:33 < warren> sigh
08:33 < warren> yeah
08:37 < adam3us> warren: it would be interesting to find a way to design a secure memory hard pow that does not require memory to verify and has no progress nor economy of scale problems (nor tmtos)
08:38 < warren> adam3us: I don't have enough CPU's to benefit from that new scamcoin.
08:39 < adam3us> warren: the guy who asked me to look at it rented 80 vsps from the vsp provider that bitshare were getting affiliation profit for
08:39 < adam3us> warren: then bitshare did the hard fork he had 80 vsp sitting there with nothing to do on a month contract, he was not happy
08:40 < warren> adam3us: read the launch of XPM and digitalocean?  hilarious
08:40 < adam3us> warren: (the difficulty jump after the fork made it ridiculous)
08:40 < adam3us> warren: no will go take a look for giggles
08:41 < warren> hmm, can't find the URL
08:41 < warren> adam3us: someone made a killing ... from referral codes
09:40 < petertodd> adam3us: the underlying problem isn't the incentive to mine - timestamping by itself is fine - it's the incentive to *publish*
09:41 < petertodd> sipa: sure, but equally adopting the dust patch can only result in lost-fee income too...
09:42 < petertodd> warren: yeah, I told MSC to ditch the address tagging too - they understand the issue and even came up with the idea of creating a globally predictable per-MSC address so that MSC clients could still work via SPV
09:42 < petertodd> warren: s/they/some of them/ :P
09:42 < warren> gavinandresen: just to confirm, you have 5 BTC available for macosx corruption bounty? 1) explain HOW it happens 2) provide a fix that is acceptable for merging by the standard review procedure.
09:43 < warren> petertodd: ooh
09:43 < petertodd> warren: (a MSC investor approached me a while back and paid me to do a bit of consulting for them; said investor decided to sell all the same)
09:43 < warren> petertodd: that's a better design than what I came up with
09:43 < adam3us> petertodd: well if the mine is of a bitcoin coinbase that includes a merkle root for the side-chain - then the miner has to publish it to collect their bitcoin reward
09:44 < petertodd> warren: yeah, basically the idea would be to predict the address, you'd have to duplicate a decent chunk of their code. Obviously that can be stopped, but it's a pain in the ass too.
09:44 < warren> gavinandresen: we'll chip in to the bounty, ask public for more donations to chip in more and post it.
09:44 < petertodd> adam3us: sure, but what if publishing late has incentives for some reason? mastercoin has global state crap so...
09:46 < adam3us> petertodd: well other than selfish mining, delaying publication of bitcoin blocks is playing dice with $25*450
09:47 < petertodd> adam3us: yes, *bitcoin* blocks, we're talking about mastercoin here
09:47 < petertodd> (well I'm talking...)
09:47 < adam3us> petertodd: the pay not to mine, given tx is a problem for bitcoin also, or pay to mine a  different msc merkleroot
09:48 < petertodd> adam3us: right, but remember, this is a side-chain, timestamped, so the problem is what happens if a MSC tx or block or whatever it's called gets stamped, but not published? it's not a trivial problem
09:50 < adam3us> petertodd: ah i see what you mean.  mining a hash runs the risk that the block is not available.  bitcoin mines a hash, but announces by sending the block in one stage (not hash then block)
09:51 < adam3us> petertodd: i think other miners ignore hashes without blocks, and orphan them
09:51 < petertodd> adam3us: exactly. and with pow mining, it helps that naturally everyone is running flat out - not true with sacrifices/timestamps/etc.
09:58 < petertodd> bbl
14:03 < Luke-Jr> adam3us: there's no slope in miner policy. miners have always had a right to decide which transactions they will and won't accept
14:04 < Luke-Jr> sipa: it's rational for miners to use it because it ensures the value of their earned bitcoin remains
20:35 < amiller> then you'd have to run E(P') in time t^3 just to get the 2nd from last, etc...
20:35 < amiller> E(E(P')) i mean
20:39 < gmaxwell> yuck.
22:59 < amiller> i want to make a new definition for proof of knowledge
22:59 < amiller> bitcoin is really the perfect example for this
23:05 < gmaxwell> hm?
23:05 < amiller> the need for something like an extractor is because of the vacuousness of just saying "there exists", in the sense that a blockhash is valid if there exists some valid blockdata that's a preimage of it
23:05 < amiller> because there are a lot of valid blocks and the hash has collisions somewhere
23:09 < amiller> the recursive snark / proof-carrying-data paper basically defines this "compliance predicate" thing that describes valid blocks but as a recursive statement
23:09 < amiller> hrm
23:09 < gmaxwell> hm. I guess a useful definition of proof of knowledge requires that the thing you're proving be concrete enough that it's not a totally empty claim.
23:11 < amiller> the idea of an extractor is pretty compelling, like it says you have to efficiently provide the witness, where the witness is all the actual data
23:12 < amiller> the technical details are baffling and unnecessarily tricky though, like it basically says "given access to compiled program code that produces a proof, there's an efficient reverse-engineering that produces the witness"
23:15 < amiller> so i wonder if there's a more indirect way to do it that's like
23:17 < amiller> rather than saying there's an extractor that extracts the witness, producing the proof using anything other than the witness is hard
23:37 < gmaxwell> it is a bit interesting that the SNARK proof is there exists a witness such that f(public,w)=x... but it doesn't directly prove that the prover knew the witness.
23:39 < amiller> "knew the witness" is really difficult to define
23:44 < amiller> it would be a really minor engineering effort to make pinocchio work for bitcoin
23:44 < amiller> like, who cares if it takes 10 minutes to make a whole blockchain proof
23:45 < amiller> per block even
23:45 < amiller> the "real world practical costs" threshold is a whole lot different if it's public data and its providence concerns a lot of people
23:45 < amiller> provenance*
23:46 < gmaxwell> You think the prover could run that fast, with a state space of several hundred megabytes?
23:46 < gmaxwell> (and ECDSA signature validation in it?)
23:47 < amiller> yeah maybe
23:47 < amiller> one of the weird things is that
23:47 < amiller> because of the algebraic structure (it's bilinear groups based on elliptic curves anyway) you get some kind of strange operations for free
23:47 < gmaxwell> well I think that would be tremendously valuable, it greatly changes our long term scaling, since we could have committed utxos and then proofs of them and nodes could hotstart without substantially degrading the security model.
23:48 < amiller> yeah it changes things about the whole chains-validating-other-chains kind of stuff too which is more deeply why i'm so interested
23:48 < amiller> so, like, it's possible that lattice based hashes or lattice based signatures would be even cheaper than it seems
23:49 < gmaxwell> eliminating storage of user provided data would also remove a lot of existential risk for us... I think it's only a matter of time before someone tries to use childporn in the historic chain as an excuse to shut down bitcoin or to force it to become centralized.
23:51 < gmaxwell> I know how to keep user provided data out of the utxo, but can't remove it historically without either proofs of validation or a reduction in the security model. ... but if the computation cost thousands of dollars to perform for the proof thats not a big deal.
23:52 < gmaxwell> (okay, well thousands would be kinda obnoxious, but it's viable)
23:52 < amiller> yeah.
23:54 < gmaxwell> by the numbers I think the majority of bitcoin users don't have a clue about security at all, and would be perfectly happy if all the rules were removed from the software and BTCguild, slush, and asicminer were just trusted to do the right thing. ... so I do worry a lot about a politically hot argument to degrade the security for expedient reasons.
--- Log closed Wed Aug 28 00:00:47 2013
--- Log opened Wed Aug 28 00:00:47 2013
00:31 < Luke-Jr> gmaxwell: maybe BFL should start self-mining. people would care about that.
00:35 < gmaxwell> Anyone able to decode something comprehensible from this: https://bitcointalk.org/index.php?topic=282726.0
01:55 < gmaxwell> wtf. why is most work on secure multiparty computation using a semi-honest participant attack model.
01:55 < gmaxwell> I hate academics.
07:50 < gmaxwell> amiller: did you see me yabbering about performing interactive cut-and-choose with the blockchain itself as the counterparty?
--- Log closed Thu Aug 29 00:00:50 2013
--- Log opened Thu Aug 29 00:00:50 2013
20:15 < gmaxwell> petertodd: so, generalizing the sighash flags.  Imagine a tree structured transaction serialization. There are N leafs matching up to the N data values being encoded.
20:16 < petertodd> Yup
20:16 < gmaxwell> petertodd: you form an N bit vector, setting 1s for all the items you want to sign for, and then you can encode that vector by encoding run length values.
20:16 < petertodd> Exactly what I was thinking too
20:17 < gmaxwell> e.g. if N=100 then you might code <100> to indicate all 1s.. or if you code 101111..<end> 1,98 or whatever.
20:17 < petertodd> You can further simplify it too by making the interpretation of that vector be centered on the input, so simple concatenation works.
20:18 < gmaxwell> and then you can stick on the checksig operator this runlength sequence as an input, you gather up the leafs that are matched by the mask and sort them by value.. and thats what you sign.
20:18 < gmaxwell> petertodd: you don't need to though because to support any changes you'd leave the runlength token outside of the signature.
20:18 < gmaxwell> so someone adding to the transaction would just compute another runlength token.
20:19 < petertodd> gmaxwell: Aw heck, I was thinking to simplify that compute code, but yeah, it'd probably just be easier to index from zero anyway.
20:19 < gmaxwell> But ... the downside of this is that it leaves malleability. And I'm annoyed that I see no way to preserve the flexibility I want without creating free malleability.
20:19 < petertodd> Yeah, I think that's impossible. Better to make a new system where you can sign a scriptPubKey:valout output instead.
20:19 < gmaxwell> (if you want to be complicated there are all sorts of fancy things you can do to make coding the runlength value efficient... but since you never hash it.. it's not really protocol normative)
20:20 < petertodd> *scriptPubKey:value
20:20 < gmaxwell> yea, I don't see how the malleability can ever really be completely removed unless you really heavily restrict scriptsig form.
20:20 < petertodd> Hmm... true you could actually not hash it at all, although that'd be a lot of complex changes in the scripting system.
20:21 < gmaxwell> e.g. OP_NOP <push> checksig is still valid.. so you'd have to have a rule saying you couldn't do that.  But I'm suggesting never hashing that value anywhere in the protocol.
20:21 < gmaxwell> basically I'm saying the scriptsigs for a txn would be a separate hashtree. You'd still commit it in the blockchain but it would be a separate fork.
20:22 < petertodd> Yeah, see I'm thinking s/OP_NOPn/OP_CHECKSIG2/ basically, and continuing to get the signature from the scriptSig, and continuing to hash that.
20:23 < gmaxwell> well I'm pondering how I'd completely change the transaction format to make some of the things that are clearly broken better.
20:23 < gmaxwell> e.g. the fact that fidelity bond proofs are unreasonably big.
20:23 < petertodd> Yeah, problem is you do want to preserve the backwards compatibility I think. The main thing we're missing is input values; got anything else in mind?
20:24 < petertodd> re: fidelity bonds, I just wrote a OP_CHECKLOCKTIMEVERIFY patch actually.
20:24 < gmaxwell> proof size and prunability of scriptsigs while keeping everything else (same problem) is what concerns me most w/ the current format.
20:24 < gmaxwell> even with OP_CHECKLOCKTIMEVERIFY I can't check a @#$@ single output without hashing the whole txn.
20:25 < gmaxwell> (okay, with the midstate compression perhaps you can get the last one, but thats a kludgy hack)
20:25 < petertodd> Right, and to solve that I think all you actually need is just to extend the merkle tree into the tx, plus making that merkle tree include input CTxOut's
20:25 < gmaxwell> right thats what I'm thinking about. How do you lay out the transaction so the data elements form an efficient tree... and then express the data you want to include in your hash efficiently as some masking over that tree.
20:25 < petertodd> I can't think of any other fields that are needed; maybe a per-transaction checkpoint.
20:26 < petertodd> Ah I see, yes, that's a good approach.
20:27 < petertodd> I guess the easiest would be to just number the roots of that tree, and make your RLL-encoded bitfield spit out indexes.
20:27 < gmaxwell> I think the txn global data is a version, a nlocktime, a checkpoint, and the counts and sums for the subtrees.
20:27 < petertodd> Right, sums are important.
20:27 < petertodd> Do you want a single checkpoint for the whole tx?
20:28 < gmaxwell> And the inputs have a sum tree of input data, the scriptsigs have a sumtree of sigsize bytes, the outputs have a sum tree of output value. the two sums give you the fees.
20:28 < petertodd> That's good
20:29 < gmaxwell> petertodd: I _think_ so, as they're redundant if they aren't identical, but it might make some merging complicated as you'd have to agree on the checkpoints when you include them.. otherwise the checkpoint should just become a scriptsig operator that pushes the checkpoint onto the stack of data that gets signed.
01:06 < amiller> i have a friend who basically derived this in some private conversation last year :x
01:06 < amiller> i told him i didn't know any signature scheme that could be combined that way
01:06 < amiller> it was specifically about doing red balloons where you can't strip the new fee off
01:07 < gmaxwell> amiller: for ecdsa we have public + r + s   for this we would have public + aggregate(s)  but if it's use for anonymity you have to have an extra public key for each output.
01:07 < gmaxwell> and yea, this is really trivial with pairing crypto.
01:09 < amiller> yeah i ran through your elaboration and it made sense
01:09 < amiller> (i am not really checked out to read and securitize crypto but w/e)
01:09 < gmaxwell> the signature algorithm with one way aggregation is circa 2003. This poster's contribution is the idea that if you separate your spend and your output signatures would be insecure in isolation and aggregate them before announcing, you don't have linking.
01:09 < gmaxwell> Well .. it's pairing which uh. may not give everyone warm fuzzies.
01:10 < gmaxwell> because it's all based on carefully choosing groups where the delusional DH problem is trivial to solve.
01:11 < amiller> yeah also all elliptic curves were generated by j.e. hoover
01:11 < gmaxwell> man I made the mistake of making a few comments on that, and have had press calling me all week about it.
01:13 < petertodd> gmaxwell: good job
01:14 < amiller> you and matt green.
01:14 < amiller> who visits my office once a week :3
01:14 < amiller> i gave him a copper bitcoin trinket today
01:14 < amiller> if you think *you* open your big mouth....
01:14 < amiller> anyway so...
01:15 < amiller> pairings are fine w/e PBC is easy enough to use and almost fast
01:15 < gmaxwell> amiller: can you ask him what he's doing going and filling reporters heads with the idea that the NSA can steal bitcoin with SHA256 collisions?  That has to be the biggest stretch theory I've heard all week and I really wanna know how the reporter got that out of him. :P
01:15 < gmaxwell> yea PBC is pretty sweet.
01:16 < gmaxwell> one pairing operation per txn is kinda lame but its not nonviable in the slightest.
01:17 < amiller> why not just merge all the tx
01:17 < amiller> miner makes one big ol operation
01:17 < amiller> one pairing and a dozen of the other things the third one
01:36 < gmaxwell> because the validation needs one pairing per message and public key.
01:37 < amiller> oh
01:43 < gmaxwell> (and one G2 multiply)
01:43 < gmaxwell> er GT multiply.
01:43 < gmaxwell> stupid pairing terminology.
08:50  * jgarzik continues to work on auctionpunk
08:50 < jgarzik> new sub-idea: address servers
08:51 < jgarzik> Right now, "auctiond" communicates directly with bitcoind, obtaining addresses for payments and watching for those payments
08:51 < jgarzik> If a third component existed to serve out bitcoin addresses, this auction server need never touch a wallet at all
08:52 < jgarzik> that third component could do what auctiond does now -- call bitcoind getaccountaddress -- or read from a static file of 1 million pre-generated addresses, or any other method
12:40 < HM> or if bitcoind actually talked to a database server, everything could just talk to that :P
12:59 < jgarzik> well, this is more an administrative boundary; trying to design an API around that concept.
13:00 < jgarzik> a wallet is a key management unit.  people may choose to manage keys in different ways.
13:00 < jgarzik> an address server is one way to enable many different wallet configurations.
--- Log closed Sun Sep 15 00:00:39 2013
--- Log opened Sun Sep 15 00:00:39 2013
20:49 < jgarzik> basic auction server complete.  now rewriting JSON-RPC -> HTTP REST ;p
22:08 < petertodd> nifty
22:09 < petertodd> jgarzik: I'm doing some work on what I'm calling the bitcoin.chain module to handle stuff like blockchain header maintenance and what not for python-bitcoinlib
22:11 < petertodd> jgarzik: Thinking it should look something like a magical box where you can give it blockchain headers, and it figures out what's the biggest sum-work sub-chain, similar to sipa's work on headers-first.
22:12 < petertodd> jgarzik: (obviously it's ok if the box uses a pile of ram in degenerate cases... so long as the more obvious way to do it works well)
22:17 < BlueMatt> how did I end up leaving here? :(
22:17 < BlueMatt> petertodd: researching attacking tpms in what sense? dma to break txt or so?
22:17 < petertodd> BlueMatt: I guess Hogwarts expelled you.
22:18 < BlueMatt> <petertodd> There's a lot of possible attacks, but yeah, breaking memory is a big one. Of course, the big issue with even Intel's TPM stuff is that AFAIK main memory is unencrypted - rather useless.
22:18 < BlueMatt> petertodd: yea, well if you can rewrite kernel code via dma, tpm data can be read arbitrarily, essentially
22:18 < petertodd> Yup, and people overestimate how hard it is to get data out of main memory: just cool down the RAM sticks, turn off the machine, and transfer them to another machine for a cold-boot attack.
22:19 < BlueMatt> hence why txt exists (run program protected from dma, etc, where you can get new tpm status so that you can protect better)
22:19 < petertodd> IE, any application that needs sensitive data stored in RAM is insecure, making a lot of applications useless.
22:19 < BlueMatt> ofc there are (apparently) attacks against txt where you can break the IOMMU protection and then get access to the "protected" program
22:19 < petertodd> Yes, but TXT execution still leaves the program data in RAM unless you do really clever stuff with L1/L2 cache.
22:20 < BlueMatt> petertodd: see https://github.com/TheBlueMatt/linux for some work Ive been doing (and am now continuing) that builds on the TRESOR store-encryption-keys-in-registers stuff
22:20 < BlueMatt> petertodd: yes, but you can get the tpm to hash the program and only allow private data to be read when you load the right program
22:20 < petertodd> Ah cool, yeah that's a nifty approach, and easier to implement than cache tricks from what I hear.
22:21 < BlueMatt> well, except for dma tricks where you just rewrite the kernel code.....
22:21 < petertodd> (note that my main TPM interest is remote attestation, for wallet stuff your type of security is probably fine)
22:22 < BlueMatt> ahh, well yea I mean you essentially need secure IOMMU limits st no hardware can write arbitrary crap to kernel memory
22:23 < BlueMatt> which is being worked on...but there are still drivers that dont do it right (hence my desire to find programmable pcie chips...)
22:23 < petertodd> I also have a project I want to do that'll just be a uC with a cheap FTDI USB<->serial chip and some very simple anti-tamper stuff to store full-disk-encryption keys, as well as provide a way to detect tamper events - the latter could be used to wipe system memory in conjunction with an in-case UPS.
22:24 < petertodd> You basically want to be sure the attacker can't plug in some hardware to a running machine right?
22:24 < gmaxwell> BlueMatt: so there are things like fpga devkits with pcie, but the pcie bus connection is some fixed logic, and may not be able to make do what you want.
22:24 < BlueMatt> petertodd: well, my threat model is how to protect against an attacker who can
22:24 < petertodd> Er, right, make sure an attacker who can can't do anything interesting. :)
22:25 < BlueMatt> petertodd: see https://forums.hak5.org/index.php?/topic/28816-howto-anti-forensics-mass-storage-device-as-a-key-device-for-fde/ where I build a flash drive that is smart and tries to figure out when someone is trying to read it
22:25 < BlueMatt> petertodd: yea
22:25 < petertodd> BlueMatt: Lol, yeah I saw that earlier, very nifty.
22:26 < petertodd> See, my thinking is that there's probably so much backdoor crap and exploits in standard hardware, that it'd be more productive to add more hardware to the problem, but simple hardware that we can trust.
22:26 < BlueMatt> gmaxwell: fixed bus logic there should be fine, you just have to be able to change how it reports itself to the host
22:27 < BlueMatt> petertodd: yes, a smaller trust base would be nice, but its theoretically possible to do it all properly without any custom hardware so thats what Im looking at
22:28 < BlueMatt> also: doing a wallet in tpm should be done...
22:28 < BlueMatt> wallet in intel txt would be the ultimate in security for private key storage and signing
22:28 < BlueMatt> ofc you should probably just do a hardware thingy instead, but....
22:29 < petertodd> BlueMatt: Well, they're both ideas with advantages and disadvantages so... if I build my little USB thing, think it'd be easy to write some kernel drivers/dmcrypt startup scripts to use it? I suspect it won't be a very hard project, much less than the other stuff you're working on.
22:31 < petertodd> BlueMatt: Reminds me: apparently the newer intel TXT stuff can even display things on screen securely, and take in user input from the keyboard and mouse securely, at the hardware level!
22:31 < BlueMatt> ooooooooooo
22:32 < BlueMatt> petertodd: in my case its incredibly easy because I just treat it like a flash drive and read in a sector
22:32 < BlueMatt> petertodd: thats probably one of the easiest ways (its already implemented...) and you can still do that in trusted hardware
22:32 < BlueMatt> but reading over serial shouldn't really be any harder
22:33 < petertodd> Well, remember the key idea I have is to make my USB thing actually connect to anti-tamper sensors, so when the thieves steal your server at the colo center the moment they open the case/move it the keys get wiped, yet you can still reboot it/handle power failures.
22:34 < petertodd> (or for that matter, ship it in the mail)
22:34 < BlueMatt> petertodd: you can do that in usb too...
22:34 < BlueMatt> usb with the same chip on the backend
22:34 < BlueMatt> (internal-case usb headers instead of standard A plug, probably)
20:33 < andytoshi> oh, damn, that was my first exposure to 21st century crypto, i thought maybe it was an implementation-friendly field :(
20:35 < gmaxwell> well, it's mixed. A lot of things in pairing crypto are easily implemented. E.g. I went and implemented the OWAS from that paper in under half an hour, including learning to use the pairing crypto library.
22:46 < Taek42> I had an idea for variable-speed blockchains
22:47 < Taek42> which I think would be desirable, because when you set a static rate, you can either be too slow (meaning you could go much faster)
22:47 < Taek42> or too fast (meaning that blocks happen faster than nodes can communicate them)
22:47 < Taek42> and right now, most coins seem to pick arbitrary values
22:49 < Taek42> If you count how many blocks have the same parent (as a percentage)
22:50 < gmaxwell> Taek42: amiller proposed several years ago committing to orphans to control loop the rate.
22:50 < Taek42> how was the reaction to the proposal. Also, is there a link?
22:50 < gmaxwell> Taek42: but the problem with that is it has enormous centralization risks in two different ways.
22:50 < Taek42> how so?
22:52 < gmaxwell> Say for example that 60% of the hashpower was within the east coast of the US, such a system might happily adapt itself down to 100ms blocks, and just exclude the outside world. Even if the outside blocks were enough to slow it down, the majority could just happily ignore them, since it's in their interest to keep it fast. Now, okay, perhaps you have some sensible floor to prevent this.
22:53 < Taek42> I think I have
22:53 < gmaxwell> Then you have the fact that only miners play in this scheme but the block rate is very important to clients as well. 1 second blocks would be a ~600x increase in bandwidth and cpu for SPV clients over 10 minutes blocks.
22:53 < Taek42> that's only assuming that at 1% blocks the blocks (and not the transaction data) are the majority of the information
22:53 < Taek42> *at 1 second blocks
22:54 < gmaxwell> so while the miners are all getting paid for their mining and can afford fast networks, tunnels through the earth and neutrino reactor transmitters and what have you, the rest of nodes have to keep up with the flood but aren't compensated to pay for these increased costs.
22:54 < gmaxwell> and they have no control channel to express this displeasure.
22:55 < Taek42> hmmm
22:56 < gmaxwell> Taek42: why wouldn't it be at 1 second though? the system will keep speeding up until miners can't get lower latency networks, and then it will start excluding miners who are too far out, e.g. in .au.  Right now there is hardly any incentive to do anything heroic about your network as a miner, but if the time kept going down as miners improved their connectivity there would be.
22:56 < gmaxwell> amiller_: perhaps has a link to his writeup.
22:57 < Taek42> Well the idea is that when you want to send money over the network you just tell a miner. I don't think faster blockrates would result in less transactions
22:57 < Taek42> unless a faster blockrate meant that non-miners couldn't verify the balance of an adversary
22:57 < gmaxwell> (uh, you know bitcoin has no balances in it
22:57 < Taek42> I'm guessing you are saying a semantic thing
22:58 < gmaxwell> It would interfere with other nodes imposing the rules. Bitcoin is a trustless system, and part of the incentive alignment for miners is that non-miners validate their blocks too.
22:59 < Taek42> how can non-miners validate a block? I thought blocks were validated by additional blocks being mined on top of them
22:59 < gmaxwell> ...
22:59 < Taek42> bear with me
22:59 < gmaxwell> By stepping through the data and checking each piece of it against the hundreds of rules of the system.
23:00 < Taek42> oh okay
23:00 < Taek42> but say that a non-miner finds something incorrect
23:00 < Taek42> what happens?
23:00 < wyager> Mmmm
23:01 < wyager> They ignore the block
23:01 < gmaxwell> They just ignore the block forever and all successive blocks. This is what prevents a malicious group of miners from inflating the currency or stealing people's coins (which might have returns great enough to justify their misbehavior)
23:01 < wyager> You're thinking of an SPV node, Taek42
23:01 < wyager> SPV nodes verify blocks by their depth
23:01 < wyager> (right?)
23:01 < wyager> full nodes actually verify blocks
23:01 < Taek42> okay that makes sense
23:01 < wyager> Like, making sure their hash value is low enough and there aren't any illegal transactions and stuff
23:02 < gmaxwell> Bitcoin's security is predominantly autonomous zero trust: you don't trust anyone at all to the extent that that's possible.  Miners' influence is strictly limited to transaction ordering, which is powerful, but hopefully limited enough to keep them honest.
23:03 < gmaxwell> (and we only trust miners for ordering because we don't have an alternative... it would be nice if physics allowed a decentralized, autonomous, and consistent ordering, but it appears not to)
23:03 < Taek42> consistent ordering might be more achievable if you implementing some sorting
23:03 < Taek42> but then miners could still pick different blocks for different transactions
23:04 < Taek42> *implemented
23:05 < gmaxwell> Taek42: sorting can't work unless you have a jamming proof network which can reach all parties in finite time. Otherwise someone can know of a transaction that others don't and the rest only learn later.
23:05 < Taek42> yeah
23:06 < gmaxwell> in any case, that's why we have mining, it solves that little problem.
23:06 < Taek42> with the current bitcoin, what happens when the transaction volume grows to a point where only miners can keep up?
23:07 < gmaxwell> But mining means bitcoin isn't like most cryptosystems, the good guys don't have an exponential advantage over the attacker, only a linear one; so that makes the economics very important too.
23:07 < gmaxwell> Taek42: it can't.
23:07 < Taek42> what do you mean by it can't?
23:07 < Taek42> suppose you reach several thousand transactions per second?
23:07 < gmaxwell> The system has hardcoded rules on the maximum size of blocks technically as absolute as the limit of 21 million total bitcoins. This means that even if the miners want to make huge blocks to stop other people from validating they can't.
23:08 < Taek42> ah
23:08 < gmaxwell> and to increase the limit requires all node software be replaced, so effectively it requires the consent of all the (remaining) users.
23:08 < Taek42> so at some point the demand for transactions could outgrow the hardcoded rule that limits transaction volume
23:09 < gmaxwell> Sure, though there are many different ways to deal with that (beyond just upping the limit, which is perhaps possible, but there is that decentralization tradeoff).
23:11 < Taek42> forgive me as I start to talk about things I don't know much about; wouldn't a more ideal currency (if theoretically impossible) not require non-miners to participate at all?
23:12 < wyager> Well an ideal currency wouldn't require miners or nodes or any of that stuff :p
23:12 < gmaxwell> Taek42: no, that's horrific.
23:12 < Taek42> that's a good point
23:12 < Taek42> why horrific?
23:12 < gmaxwell> Taek42: because then you'd have to trust miners. And the whole point of Bitcoin was to eliminate trust.
23:13 < Taek42> what if you only have to trust that 51% of miners are honest?
23:13 < gmaxwell> The ideal system would have no miners, just participants.
23:13 < Taek42> participants that don't need to keep track of the entire state of the system
23:13 < gmaxwell> Taek42: what would make them honest? Bitcoin's assumption isn't merely that most are honest.
23:14 < Taek42> what if you only have to trust that only (epsilon approaching 0%) miners are honest?
23:15 < Taek42> but I see what you are saying
23:15 < gmaxwell> Taek42: after all, the fed's employees are mostly honest.  The fact that everything else gets enforced by mathematical proof with 100% strength is one of the reasons the fact that honest users don't have an advantage over attackers is perhaps acceptable.
23:15 < Taek42> with bitcoin you don't need to trust some foreign entity, you can verify the whole chain yourself
23:15 < Taek42> but the cost is a 12GB (and growing) file and some computation
23:15 < gmaxwell> no, that's not quite true.
23:16 < Taek42> expand?
23:16 < gmaxwell> You can go ahead and delete the historic blocks, they're only used to initialize new peers.  (well not quite, at least not yet; if you delete them your node will work fine until a new peer tries to grab a historic block from you and then you'll crash)
23:16 < gmaxwell> you only need the chainstate to verify new blocks that come in.
23:17 < gmaxwell> and that's about 300 MBytes right now.
23:17 < gmaxwell> and grows moderately slowly (looked decidedly logarithmic before people started creating junk txouts to store data).
23:17 < Taek42> but then you have to trust the incoming chainstate
23:17 < Taek42> if you are new
23:18 < gmaxwell> Nope.
23:18 < Taek42> no?
23:18 < gmaxwell> You can build it for yourself, but not store the historic data. (e.g. you have to inspect it once, but no storage cost)
23:18 < Taek42> okay
23:19 < Taek42> you still won't know though if you are looking at the actual chain or a fork
23:19 < gmaxwell> huh?!
23:19 < Taek42> suppose you are on a malicious network
23:19 < Taek42> feeding you a set of blocks from the genesis block
23:19 < Taek42> at some point they fork
23:19 < Taek42> and create an alternate histroy
23:19 < Taek42> *history
23:19 < gmaxwell> No, you inspect headers first to decide which chain has the most proof of work. Then validate it. If you find a rule violation you blacklist that block and reorg.
23:20 < Taek42> assuming you get a block from the correct chain
23:20 < gmaxwell> No, it doesn't matter.
23:20 < Taek42> ???
23:21 < gmaxwell> Taek42: let's continue your example.
23:21 < Taek42> okay, I'll rework it a little though
14:23 < pigeons> I thought this was um, interesting or funny or weird or dangerous or something, "Moreover, the developers have purposefully introduced three security flaws into the source code that they will be releasing, as a means of encouraging the community to scrutinize the code and to prevent people from creating copies of Nxt by simply taking the source code and re-using it.  People who discover the security holes will be able to claim rewards for fin
14:23 < pigeons> http://nxtcrypto.wikia.com/wiki/FAQ
14:24 < adam3us> maaku: i was thinking maybe one could have a trusted server for simulating alts.  rent virtual "VPS" resources.  buy virtual "ASICs" and so on, the actual money goes to charity or btc QA or something. then it's green.  and it doesn't matter if it's centralized because dogecoin grade alts have largely no tx anyway.
14:25 < pigeons> there was a game that did that, but it's gone now
14:25 < pigeons> it had an internal exchange and you could make your own coins too etc and "virtually" mine them without really mining or using electricity
14:27 < adam3us> pigeons: seems like a lower energy sandbox for dogecoin, shitcoin et al play in, pity it died
14:28 < pigeons> yeah it added simulated pools when they came along and you could run your own mining pool without having to get ddossed
14:29 < pigeons> you could virtually pre-order your asics and virtually never get them
14:30 < adam3us> pigeons: fantastic
14:31 < pigeons> he sold the code before he closed to a guy who was in over his head and couldn't keep it running but i think at this point it wouldn't really help, best to just start with your own bugs instead of someone else's
14:32 < adam3us> $1k by end of year ;)
14:32 < adam3us> ?
14:36 < adam3us> heh hash rate went over 10 PH and now the format is confused 1.045E7 https://blockchain.info/q/hashrate
15:17 < nsh> someone asks in ##crypto why ripemd-160 is used for addresses rather than just a truncation of sha-256 output
15:17 < nsh> i'm not sure how to answer...
15:20 < maaku> because the great satoshi said so
15:21 < maaku> retroactive reason: because breaking sha-256 doesn't mean a break of the address format, meaning coins would still be secure
15:21  * nsh prostrates before the ceremonial altar
15:21 < nsh> mmm
15:21 < maaku> obviously lots of other things would have to change if sha256 was broken, but you could still keep the same ledger
15:22 < nsh> right
15:34 < iddo> maaku: that's not so clear, if you can do sha256 collisions then you also have collisions for Bitcoin addresses (though i'm not sure how to use it to attack), and if you can do 2nd-preimage attack on sha256 then you can steal coins if someone re-uses an address
15:37 < iddo> an answer on stackexchange says that it's just "belt and suspenders" approach: http://bitcoin.stackexchange.com/questions/9202/why-does-bitcoin-use-two-hash-functions-sha-256-and-ripemd-160-to-create-an-ad
15:39 < andytoshi> gmax suggested that using a second hash function would guarantee that addresses still have a uniform distribution, while truncated-sha is not proven to have this property
15:39 < andytoshi> well, not just the distribution, preimage resistance as well
15:40 < iddo> hmm not sure what you mean by proven, there are no rigorous proofs for heuristic constructions like sha2
15:41 < andytoshi> true, i guess what i mean is "commonly believed"
15:41 < iddo> if sha2 is computationally indistinguishable from a random oracle, then truncated-sha2 is fine
15:42 < andytoshi> sure, but this isn't true because eg there are length extension attacks
15:42 < andytoshi> which distinguish it from a random oracle
15:42 < iddo> not for sha256d
15:43 < andytoshi> yeah -- and mining even depends on sha256d looking like a random oracle
15:43 < andytoshi> so tbh i am just as confused by the ripemd usage as anybody
15:46 < maaku> andytoshi: as I said, if a weakness is found in sha256, it is more likely to be able to be applied to sha256^2 than ripemd160(sha256())
15:47 < iddo> another question is why not just use the full 256 bits of sha256d, then you get an even better benefit of 256 bits of security if you don't re-use addresses, instead of 160 bits... the drawbacks are more bloat on the blockchain, and longer addresses for people to use
15:47 < maaku> so therefore, it's more likely that the current setup would protect users even in a catastrophic break of sha256
15:47 < maaku> iddo: even 160 bits is excessive. the birthday paradox doesn't apply here
15:47 < iddo> maaku: but what if a weakness is found in ripemd-160 ... ?
15:48 < maaku> iddo: nothing happens unless a weakness is found in ripemd-160 AND sha-256
15:48 < maaku> it's additive security
15:50 < iddo> maaku: no, if you have 2nd-preimage attack on ripemd-160, then just create fresh ECDSA keypairs + sha256 hash, in a way that you get the same image (i.e. the 2nd-preimage attack) as someone else's Bitcoin address, and then steal his coins
15:52 < iddo> well actually it's not clear, depends how the 2nd-preimage attack works
15:52 < andytoshi> you'd have to get a preimage for the sha256 as well
15:52 < andytoshi> if you can 2nd-preimage SHA256 then i think you've got a problem, because if you can get the same SHA256 hash, it won't matter that you apply RIPEMD-160 on top of it
15:52 < andytoshi> but this is only a concern if you know the pubkey that you are trying to preimage
15:53 < andytoshi> pubkey whose image you are trying to duplicate*
15:54 < andytoshi> but until you spend a coin with a certain address, you don't expose the pubkey (or even its SHA256 hash), so you're ok in the case of no address reuse
15:54 < iddo> if you just find 2nd-preimage of random pubkey, then it wouldn't help you because you wouldn't know the corresponding privkey
15:55 < andytoshi> oh, right, derp
15:57 < iddo> i actually don't really see how either sha2 or ripemd 2nd-preimage attacks can be done in this context (i.e. in the context where you create random-looking pubkeys that are supposed to be the preimage, by invoking the ECDSA keygen)
19:02 < nsh> oh
19:03 < nsh> andytoshi / gmaxwell: thinking back to the question of the factor of 8 in curve25519 scalars, could it be to do with the square property of x coordinates?
19:04 < nsh> --
19:04 < nsh> Firstly, since the field is only 255 bits, the 256th bit is always zero. Thus if an attacker sees a series of 32-byte strings where the top bit of the last byte is always zero, then they can be confident that they are not random strings. This is easy to fix however, just XOR in a random bit and mask it out before processing.
19:04 < nsh> Secondly, the attacker can assume that a 32-byte string is an x coordinate and check whether x^3 + 486662x^2 + x is a square. This will always be true if the strings are x coordinates, by the curve equation, but will only be true 50% of the time otherwise. This problem is a lot harder to fix.
19:04 < nsh> -- https://www.imperialviolet.org/2013/12/25/elligator.html
19:04 < nsh> (probably not, but it just came back to mind while reading that page)
19:06 < nsh> "Square roots are defined in the standard way for finite fields where q
19:07 < nsh> (eight is a rather low number for which to ascribe meaning to coincidence, i know...)
19:35 < andytoshi> nice find nsh, i dunno, i'll have to study this
19:36 < andytoshi> it looks to me that this is about disguising x coordinates, which isn't a goal of plain old ed25519
19:36 < andytoshi> eg they have bit 254 always set, which is a pretty obvious tell
19:38 < nsh> right
19:38 < andytoshi> also iirc we are talking about privkey encoding anyway, which is not broadcast
19:39  * nsh nods
19:39 < andytoshi> otoh, the square property of x coordinates could very well be involved with the factor of 8, i don't know
19:39 < nsh> yes, maybe very vaguely
19:39 < maaku> anyone asked DJB?
19:40 < nsh> no, i was going to tweet him
19:40 < andytoshi> no, i think everyone here is intimidated by him :P
19:40 < nsh> but he doesn't use twitter that extensively. might be better to email him
19:40 < nsh> oh, i don't have that problem :)
19:40 < andytoshi> :)
19:40 < nsh> i fell in the contempt couldron as an infant and the potion had a permanent effect
19:41 < nsh> cauldron*
19:41 < maaku> well it'd spoil the puzzle anyway :)
19:42 < andytoshi> haha
22:38 < warren> http://coinmarketcap.com/  interesting how they count #2
22:44 < phantomcircuit> warren, XRP is an altcoin with bad security
22:44 < phantomcircuit> and a totally fucking HUGE premine
22:45 < warren> phantomcircuit: they included the entire premine in that "market cap"
22:46 < gmaxwell> of course they did, it's part of the market cap.
22:47 < gmaxwell> I dunno how else you'd calculate it.
22:51 < phantomcircuit> warren, the premine is already on the network
22:51 < phantomcircuit> that is a reasonable way to calculate the market cap
22:52 < BlueMatt> it'd be nice if they showed market depth too, though
22:52 < phantomcircuit> however XRP is very illiquid
22:52 < phantomcircuit> so that doesn't mean much of anything
23:01 < phantomcircuit> BlueMatt, nearly all of the bids are for the exact same amount of btc
23:01 < phantomcircuit> 0.2625
23:02 < phantomcircuit> which tells me they're fake bids
23:02 < CodeShark> market caps in general for any of these coins is not particularly meaningful :)
23:02 < CodeShark> you need to take depth into account
23:03 < CodeShark> but these numbers do sound impressive, nonetheless
23:03 < CodeShark> so they do have press value
23:04 < maaku> yeah market cap is totally useless
23:04 < maaku> http://37signals.com/svn/posts/1941-press-release-37signals-valuation-tops-100-billion-after-bold-vc-investment
23:04 < CodeShark> lol
23:06 < BlueMatt> phantomcircuit: even still, the market depth is significantly lower than btc, which should be shown there
23:07 < CodeShark> a meaningful statistic would be, say, how much you could get in dollars if you currently held 10% of it and sold it right now
23:07 < BlueMatt> maaku: lol, nice
16:19 < gmaxwell> yea, fair enough.
16:20 < maaku> nsh: yeah actually the coincovenant thread is basically a listing of what you could do with a turing-complete script language and introspective builtins
16:21 < maaku> the snark is just a really cool addition
16:21 < gmaxwell> Yea, I think nothing there requires the snark except for efficiency.
16:21 < gmaxwell> might be good to add some examples that need zero knowledge
16:25 < maaku> petertodd gmaxwell: btw didn't mean to take credit for this old idea. i thought nsh meant the benefits of using Joy
16:27 < nsh> i'm curious in general and specific :)
16:27 < petertodd> I'm curious if joy brings us any joy.
16:32 < maaku>	cdr=-\
16:32 < maaku> 6jm
16:32 < maaku> sorry
16:33 < petertodd> maaku: glad to see you have (formerly) strong passwords
16:33 < maaku> haha, toddler found my keyboard
16:33 < maaku> gmaxwell: well there are bounties. you'd need a zk proof to safely claim a sha256 collision
16:35 < maaku> you can even design a covenant which forces revelation if the coins are to be actually used
16:35  * petertodd says hi to little maaku
16:36 < sipa> cdr-=\   -> that's actually potentially valid C code
17:34 < pigeons> adam3us: I just saw https://github.com/atoponce/d-note uses hashcash to generate a token before you can submit
18:05 < jtimon> ok, so I need a name for the TC merklized extrospective scripting extension I just understood hours ago
18:06 < jtimon> otherwise "the new thing" is taken and I cannot learn or think about anything else new to me
18:06 < sipa> tc?
18:07 < sipa> extrospective?
18:07 < nsh> turing complete, no idea
18:08 < nsh> network-external inputs maybe
18:08 < jtimon> tc = turing complete
18:09 < jtimon> extrospective = you can reference the scripts in the outputs of future transactions, parts in them, and maybe also the current utxo and the block header
18:09 < petertodd> jtimon: that's a pretty good description IMO
18:09 < jtimon> something outside the script itself
18:09 < jtimon> thank you
18:10 < petertodd> jtimon: more than current utxo too, but likely committed data of some kind within (to be clear)
18:11 < jtimon> although joy is a new addition and not necessary for the idea I like joyScripts, although I also like quineScripts, and we could also just maintain coincovenants  (although not all uses use quines/covenants)
18:14 < jtimon> petertodd, you mean previous data in the chain? I guess it could work if people provide proofs to the miners, but for some reason I haven't found yet, that intuitively scares me
18:14 < jtimon> also I don't know any use et neither
18:14 < jtimon> *yet
18:15 < petertodd> jtimon: well, there's the model where it's proof based, referencing the prevblock hash, or you can have a model where miners are expected to actually have some set of data on hand. (that could take a lot of potential forms)
18:16 < jtimon> stateless validation is very attractive
18:17 < jtimon> I'm not sure what you mean by referencing the previous block hash
18:17 < gmaxwell> any stateful process can be reduced to a stateless one just by gathering up the state and presenting it as an input.
18:18 < petertodd> jtimon: IE, make your script take a proof in the form of a merkle path to the prevblockhash
18:18 < jtimon> petertodd: what kind of committed utxo are we assuming if any?
18:19 < petertodd> jtimon: could be a lot of forms, could be a committed MMR TXO too
18:19 < jtimon> I see, just one of them
18:20 < petertodd> jtimon: well, you can do both if you really want :P
18:20 < petertodd> jtimon: and actually, if you do expiration, both could make a lot of sense
18:21 < jtimon> well, I think expiration would be necessary for your TXI thing, but I don't know much about MMR
18:23 < jtimon> the advantages and stuff, I just read that once but I don't remember the motivation
18:23 < jtimon> I'm going to read again
18:24 < jtimon> but maybe a hybrid committed expired-TXI + UTXO would make sense too?
18:24 < petertodd> exactly
18:24 < jtimon> oh, I see
18:24 < jtimon> you use the MMR structure for the TXI ?
18:25 < petertodd> one interesting thing is that you probably want the PoW algorithm to be tightly coupled to some subset of blockchain data - perhaps the last year/GB of it - so a PoW on the UTXO set is an attractive idea
18:25 < petertodd> right, for long-term MMR works really well
18:26 < petertodd> note that when I say "UTXO" set that doesn't necessarily mean it the way you would mean in bitcoin - for some extrospective scripting consensus system your utxo set might mean a lot of things that may or may not be coins
18:27 < jtimon> to be honest, I'm thinking in freimarket's utxo
18:27 < petertodd> e.g. the absolute extreme you can take this idea is for the system to be essentially a key-value global consensus, where keys are H(script) and values the output of those scripts (basically)
18:27 < jtimon> with asset types, unique bitstrings...
18:27 < petertodd> yup
18:28 < petertodd> and mastercoin needs to look something like that if it's going to be useful
18:28 < jtimon> well, values also have refHeight for interest/demurrage and I guess some other minor details
18:28 < petertodd> right
18:29 < jtimon> why " you probably want the PoW algorithm to be tightly coupled to some subset of blockchain data"?
18:29 < petertodd> my extreme example, which I guess I could call MetaCoin, could be done such that the scripts themselves are what define consensus currency systems within MetaCoin
18:29 < petertodd> jtimon: because you want there to be incentive for miners to actually publish the contents of the blocks they mine, rather than just headers
18:30 < petertodd> jtimon: basically with stateless validation you can wind up with miners having no blockchain data at all, and then find out that only a single party has the data, and hence can assist others in creating transactions (or no-one has the data and the coin gets stuck!)
18:30 < jtimon> an interesting thing is that with unique tokens, you have effectively a per-asset namespace that you can use as generic key/value store
18:31 < petertodd> jtimon: yes, *but* that's only useful if either multiple values can be associated with a single key, or the keys are scripts
18:32 < petertodd> jtimon: see, you can view a decentralized consensus system's blockchain as a weird type of cryptographic accumulator - it's easy enough to create a proof that some tx-thing existed or didn't exist in that chain, but you must have blockchain data to update (and create) those proofs
18:32 < jtimon> but the holders could take care of keeping their data, no?
18:33 < gmaxwell> how can you keep data if miners aren't even sending you enough to update your copy?
18:34 < petertodd> gmaxwell: well, remember how with MMR TXO you can get transactions mined with the assistance of third-parties who create the txin proofs for you? of course, with the txin proofs, miners with no blockchain data at all can safely mine the txs
18:35 < petertodd> gmaxwell: hence, you can wind up with a system that appears to work just fine, until one day you realize only one entity has a copy of some or all blockchain data - even worse if you've got some sharded (U)TXO set scheme going on
18:35 < jtimon> gmaxwell I thought your part of the trie in which your data resides cannot be modified if not by you, maybe I misunderstood something about maaku's updatable structure
18:36 < jtimon> I also don't understand this sentence "that's only useful if either multiple values can be associated with a single key, or the keys are scripts"
18:36 < petertodd> jtimon: yeah, but what forces miners to actually publish the content of blocks to other miners? nothing
18:36 < petertodd> jtimon: e.g. with my "one entity has a copy of the blockchain" example, miners could be just sending their blocks to that entity, but not to each other, and the system will appear to work just fine
18:36 < petertodd> jtimon: maybe that happens due to laziness, maybe due to sybil attack, who knows?
18:37 < jtimon> they need to publish the new root of the trie, and they want other miners to believe them, so they will send all the proofs they used to update the tree
18:37 < petertodd> jtimon: in a sharded system, it means you can 51% attack some *subset* of the (U)TXO space, likely with less than 51% of hashing power
18:37 < gmaxwell> jtimon: your own coin could only be modified by you, but all the neighboring branches can be modified by the holders of 2^levels-up coins.
18:38 < petertodd> jtimon: nope. Miners will lose money if they mine invalid blocks, so we can trust them not to do that 95% of the time, and it's in your incentive to very quickly mine the longest chain so you're not wasting your time...
18:38 < petertodd> jtimon: and if tx's can provide proof that they are valid to include in a block, all the better!
18:38 < jtimon> you're trying to explain to me the problem of relying on archive nodes
18:39 < petertodd> jtimon: or hell, imagine some scheme where we're using SCIP moon magic so that miners can prove their blocks *are* valid
18:39 < petertodd> jtimon: roughly speaking, but it's really even deeper than that
18:39 < jtimon> I thought that wasn't a problem with maaku's latest updatable utxo design
18:40 < petertodd> jtimon: no it is, it's just not as likely to be an actual problem as some sharded blockchain scheme.
18:40 < petertodd> jtimon: mainly I'm interested in solving that because I think it's an important part of making consensus schemes more scalable
18:40 < jtimon> miner 1 receives all the proofs it needs from regular users to update from UTXOn-1 to UTXOn
18:41 < jtimon> he sends the mined block and all those proofs to all miners
18:41 < jtimon> I'm still missing the problem
18:42 < petertodd> it's simple: what forces him to actually send those proofs to other miners? they can mine just fine without them, and have incentives to skimp on doing proper validation
18:42 < jtimon> you said it yourself " Miners will lose money if they mine invalid blocks"
13:56 < petertodd> Yeah, then the proof-of-bitcoin-sacrifice version of namecoin basically removes the "coin" part of namecoin.
13:57 < amiller> so the attacker is assumed to have a bounded budget *in bitcoins*
13:57 < petertodd> Exactly
13:57 < amiller> and namecoin transaction fees are paid in bitcoins?
13:58 < amiller> and they are paid to miners who sacrifice their own bitcoins in return for the transaction fees such that those balance out?
13:58 < petertodd> Well... there aren't really transaction fees in this model. Blocks are then just lists of keys and values, potentially with signatures if you make a system where the initial key-value setting includes a pubkey for additional settings. (as namecoin does)
13:59 < petertodd> It also means the blockchain can be organized as a directed acyclic graph, with priority given to key-value entries in the block with the highest total sacrifice.
13:59 < amiller> well what is the attackers budget related to/
14:00 < petertodd> Because each block is associated with a sacrifice, the attackers budget is to outspend all the sacrifices already made for the existing blockdag.
14:01 < amiller> what is the incentive for creating a sacrifice?
14:02 < petertodd> Doing so lets you make a block with key-value associations.
14:02 < petertodd> What's interesting, is the amount of sacrifice can be set low until an attacker comes along.
14:02 < amiller> is there no incentive for sacrifice?
14:03 < petertodd> Ha, yes, other than outspending an attacker!
14:03 < petertodd> *Socially* the system really needs ways for interested parties to easily get together and create a sacrifice.
14:03 < amiller> so it would be a bit like bitcoin without mining fees
14:03 < amiller> without blockreward
14:03 < amiller> just blocks and pow and no reward
14:03 < petertodd> Like an assurance contract, but that's tricky
14:03 < petertodd> Yup
14:04 < amiller> ok
14:04 < amiller> so the fundamental difference really isn't about substituting work for coin, but substituting incentives for no-incentives
14:05 < petertodd> For instance, if I were to register petertodd.zookv, I'd probably sacrifice 1BTC because, why not? Now in doing so, I'd make all prior blocks 1BTC more difficult to re-write.
14:06 < petertodd> See, namecoin is interesting here. Why would a miner mine namecoin? To get namecoins which will hopefully be valuable in the future because they can be used to register names.
14:06 < petertodd> There was a *lot* of speculation going on in the namecoin space...
14:06 < amiller> could i do something like
14:06 < amiller> sacrifice 0.00000001 btc for a ton of names
14:06 < amiller> and then one 10 btc block on top
14:06 < amiller> and then it would take 10btc to reverse any of the names
14:07 < petertodd> Exactly
14:07 < petertodd> See, you can also do key-value without a blockchain, where what is the canonical mapping is simply the highest sacrifice.
14:07 < petertodd> But I suspect that has bad social properties...
14:08 < amiller> so lets say i buy a name soc1024.com
14:08 < amiller> for a 0.1 or something
14:08 < amiller> if someone else buys it for 0.11
14:08 < amiller> i still lost my 0.1 right
14:08 < amiller> it was sacrificed in bitcoin and so gone forever
14:08 < petertodd> Yeah, in a non-blockchain version of k-v that's exactly what happens.
14:09 < amiller> what if auction sites worked that way
14:09 < amiller> like on ebay
14:09 < amiller> you can bid on an item
14:09 < amiller> and you lose that much money even if you get outbid
14:09 < petertodd> In a blockchain version, you'd have a rule where the first k-v created includes a pubkey, and subsequent modifications require a valid signature. (up to some expiration time or something)
14:09 < amiller> and every time you bid higher you lose the sum of all of your bids
14:09 < petertodd> There's gotta be a whole whack of economic analysis on that kind of auction...
14:09 < amiller> doesn't it seem like a horribly perverse auction
14:10 < amiller> i don't know how to say specifically what is wrong though
14:10 < petertodd> It does, which is why I think a blockchain/dag based system where you build on each others sacrifices is the only sane way to do it.
14:10 < amiller> ok let me try to understand how that would work
14:11 < amiller> (i'm trying to piece together the parts above where you mentioned it, but please start again on explaining the dag version?)
14:12 < petertodd> The dag version just has a rule where if two blocks have a set of k-v settings that don't conflict, they can be merged back together to form canonical history.
14:13 < petertodd> Because these are sacrifices, it's good to ensure that people won't lose their sacrifice just because someone else made one at the same time.
14:13 < amiller> i see
14:14 < petertodd> The other key detail, is that building on each other's sacrifices gives a strong incentive to broadcast them.
14:15 < amiller> if i pretend that there's no latency and nothing happens at *exactly* the same time then the dag isn't any different than the first way
14:15 < petertodd> Sure, the dag is just to get around the fact that there is latency involved. Potentially multiple blocks worth of latency in the case of announce-commit sacrifices.
14:16 < amiller> so if it has some undesirable economic property even with no latency it's still present even with the dag
14:16 < amiller> i'm trying to think of how to approach analyzing this economically...
14:16 < amiller> normally in auctions the design is to get the best price for the auctioneer
14:17 < amiller> and people participating in the auction usually make a decision like
14:17 < petertodd> Ok, so think of it this way: we want the system to provide the best rewrite security, especially over time, for the purchaser of the k-v map.
14:17 < amiller> basically they have to have a maximum amount of money they would pay to own the item
14:18 < amiller> and then the system lets them express that
14:18 < amiller> because if the price of the item is above what they'd pay then they don't get it and they don't lose money
14:18 < amiller> if it's below or equal what they pay then they might get it
14:19 < petertodd> Yes, excellent! So by including a rule where k-v maps only come into effect after n blocks, you just need to watch the blockchain, and if it looks like someone else is trying to rewrite history you can stop them with a further sacrifice.
14:20 < amiller> i wouldn't bother if i think it's probably someone else's problem and it's not worth it to me, there's a public good contribution thing going on there
14:21 < petertodd> Yup, and it's easy to determine if it's someone else's problem too. Yet if that someone else further ups the sacrifice amount, they've helped you anyway.
14:21 < amiller> how might i decide how much it's worth it to me
14:21 < amiller> like
14:22 < amiller> maybe i get some kind of income for every day that the name points to me
14:22 < amiller> like if someone hacked my business url then i'd sue for lost business damages proportional to how many days it was broken or something like that
14:22 < petertodd> Well, if you're running silkroad.zkv...
14:25 < amiller> hm
14:25 < petertodd> What's really interesting, is if the dag structure ensures that only conflicting keys in conflicting blocks are ignored, but the rest of the mapping is left untouched, if, say, the system gets used and early on silkroad.zkv is registered, a later rewrite history attempt can replace it, but every other mapping will have been strengthened by the attack.
14:26 < amiller> oh so
14:26 < amiller> so i buy soc1024.com for 0.1
14:26 < amiller> a few days later 100btc in total have been sacrificed *on top* of that
14:26 < amiller> so now the cost to an attacker to rewrite me should be 100.1 and i'm pretty safe
14:26 < amiller> *but*
14:27 < amiller> the attacker could *just* rewrite mine for 0.11 and merge along with everything else
14:27 < amiller> so it would only cost him 0.11 to rewrite me? in that case i'm not very safe
14:28 < petertodd> Nope, the attacker would have to spend >100.1 BTC to rewrite yours, but if he does, any k-v setting that he didn't try to rewrite now takes >200.2 btc to rewrite.
14:28 < amiller> could i just register all the names all at once
14:29 < amiller> maybe it would be helpful to make a simulation or demo of this
14:29 < amiller> a board game
14:29 < petertodd> Of course you could. You probably want, at least initially, for the rules to include a namecoin-like minimum sacrifice amount.
14:29 < petertodd> Like 0.1BTC per k-v initial setting.
14:29 < amiller> my intuition is that this is an absolutely horrible idea but i'm trying to be methodical :p
14:30 < petertodd> Heh, my intuition is that this is an absolutely horrible idea, but the alternatives may be worse.
14:30 < amiller> that *there are worse alternatives* i'd agree with :)
14:30 < petertodd> lol
14:31 < amiller> i still have high hope though for something really good
14:31 < petertodd> I really don't like how namecoin became mainly a speculative thing, but such is life.
14:31 < amiller> yeah, same
14:31 < amiller> i think it's really important
14:31 < amiller> it's actually the best other-than-money application i can think of for public crowdsource networks like generalized bitcoin
14:31 < petertodd> For sure, and not just for DNS names.
14:32 < amiller> i guess it's not a good sign if i can't even think of a clear way to say that this scheme is deficient in some way
14:32 < amiller> this is really tricky to analyze
14:32 < petertodd> I think the thing is from a *technical* point of view it obviously works. But does it work socially? Hard to say.
14:33 < petertodd> Speaking of, something I didn't say to you is blocksize - I think there needs to be a mechanism where blocks in the scheme are either directly limited in size, or for the data to get progressively less important as the size goes up somehow.
14:34 < petertodd> Also the sacrifice should be calculated per byte consumed.
13:38 < adam3us> gmaxwell: well a base point could be generator of the full group, i think (if they chose it that way?); and that may explain the 8s that appear in the verification relationship perhaps.
13:54 < maaku> gmaxwell: what's the context of "expensive validation" - my script musing on #bitcoin-dev?
13:54 < gmaxwell> maaku: yea
13:55 < maaku> well in some of the applications i'm imagining it could be more efficient to validate a message signature than a transaction
13:56 < maaku> so, you could sign the transaction itself as a message, efficiently proving you have the inputs, and then get gray-listed if the actual validation fails
13:57 < maaku> e.g. the script is "if real-transaction then <complicated covenant code> endif <standard pubkeyhash script>"
13:58 < maaku> i would like a better method though
14:00 < maaku> you could require something like the above if the (explicit) instruction count is greater than some normal-use threshold
14:02 < maaku> pigeons: ;;cjs
14:02 < maaku> ;;cjs
14:02 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
14:02 < maaku> andytoshi: but it'd be nice if there was an announcement when a new session started
14:05 < adam3us> gmaxwell: so i was musing an analogous argument to pegged side-chain security (cant inflate supply of main chain) could be used to introduce SNARKs + committed-tx or some variant of it in a zero-coin like zerotrust mixer on the main chain
14:06 < michagogo|cloud> Anyone have a link to andytoshi's cj client?
14:06 < adam3us> gmaxwell: or perhaps more simply, just make a zerocash snark as a reference example of a pegged-side chain (though i note even green put a disclaimer in his talk that this is a bit bleeding edge and could have problems)
14:06 < EasyAt> maaku: Couldn't I send a bogus TX that has a ton of operations to verify to chew through processing power?
14:07 < adam3us> gmaxwell: which seems kind of ironic (proposing to integrate zerocash in the pattern in which zerocoin was proposed), now that zerocash is proposed as an alt.  (and I and Hal were more excited about moving zerocoin into its own alt)
14:08 < EasyAt> You would have to do a ton of ops before you realize the TX isn't valid
14:09 < maaku> EasyAt: yes, which is why as I said above you might require that the owner provide a quick-verifying signature over the transaction of the expensive inputs
14:09 < maaku> so you know the transaction came from him
14:09 < adam3us> anyone how big is the UTXO set if compacted now?
14:09 < maaku> and then gray-list the inputs if the validation fails
14:09 < maaku> adam3us: gettxsetinfo or something similar
14:10 < maaku> EasyAt: then it at least becomes expensive to perform DoS
14:11 < michagogo|cloud> [off]test
14:12 < michagogo|cloud> Oh, are the logs not live?
14:12 < EasyAt> maaku: What do you mean by gray list?
14:12 < maaku> e.g. only pay attention to transactions with inputs that have less than 20 instructions, *or* transactions enveloped with a less-than-20-ops signature for the expensive inputs
14:13 < maaku> gray list would be a list of inputs you no longer relay transactions for, maybe for a period of time or require higher fees
14:14 < andytoshi> michagogo|cloud: source is at https://github.com/apoelstra/cj-client
14:14 < andytoshi> michagogo|cloud: windows build at http://download.wpsoftware.net/bitcoin/cj-windows.zip
14:15 < michagogo|cloud> thanks
14:15 < gmaxwell> andytoshi: about 300 mbytes.
14:15 < gmaxwell> oops
14:15 < gmaxwell> adam3us:
14:15 < michagogo|cloud> "cj-windows.zip is not commonly downloaded and could be dangerous."
14:15 < andytoshi> gmaxwell: !!!! ;)
14:15 < gmaxwell> bitcoind  gettxoutsetinfo
14:15 < gmaxwell> { "height" : 280494, "bestblock" : "00000000000000024c41edbc27cb0d093b593a47030b886fade01f9d19b8047a", "transactions" : 2597060, "txouts" : 8350183, "bytes_serialized" : 293414423, "hash_serialized" : "ca53e5d3a59fc7a3dca134cce6942c2af5d85c2ce21d985c8b06526e795faf74", "total_amount" : 12262214.79395749
14:16 < gmaxwell> }
14:16 < andytoshi> michagogo|cloud: populism is not security, your browser uses faulty assumptions
14:16 < michagogo|cloud> andytoshi: I know
14:16 < michagogo|cloud> I wasn't ascribing any meaning to that thing
14:16 < michagogo|cloud> Just wanted to let you know Chrome was flagging it
14:16 < gmaxwell> what a shitty thing
14:16 < andytoshi> ok, good to know
14:16 < andytoshi> chrome should really be flagging windows..
14:16 < gmaxwell> I bet if you throw the same binary on github you get no warning.
14:17 < michagogo|cloud> btw, I assume it uses RPC?
14:17 < michagogo|cloud> Which calls?
14:17 < michagogo|cloud> (i.e. can it work on 0.8.6?)
14:17 < andytoshi> michagogo|cloud: listunspent, createrawtransaction, decoderawtransaction, signrawtransaction, getaddress, walletpassphrase
14:17 < andytoshi> i think those are fine
14:18 < gmaxwell> also gettxout
14:18 < andytoshi> oh, gettxout, dumpprivkey
14:18 < gmaxwell> you might want to use getrawchangeaddress  but I think its git-only.
14:18 < gmaxwell> perhaps try getrawchangeaddress and if it isn't there, use getnewaddress?
14:18 < michagogo|cloud> In about 7 minutes when my 0.8.6-compatible blocks and chainstate finish copying over I'll see
14:19 < andytoshi> gmaxwell: what is the difference?
14:19 < gmaxwell> andytoshi: change addresses get hidden in the transaction list. But perhaps not. actually nevermind that if you do that people will spazz.
14:20 < gmaxwell> though .. actually you really should have a feature to let the user specify recipient addresses for the CJ outputs. (Personally I send my CJ outputs to offline wallets!)
14:21 < andytoshi> gmaxwell: agreed, my original UI sketch had such a thing
14:21 < andytoshi> but it's hard to design a UI for that non-intrusively
14:21 < michagogo|cloud> andytoshi: Hm, it doesn't seem to be launching
14:22 < michagogo|cloud> The process is there, but just sitting at 164K of memory
14:22 < andytoshi> michagogo|cloud: any output?
14:22 < michagogo|cloud> and not visibly opening anything
14:22 < andytoshi> my guess is that it's stalled pinging my server..
14:22 < michagogo|cloud> Oh, that's why
14:22 < michagogo|cloud> I don't know why it took so long to show up
14:22 < michagogo|cloud> "Our information on this file is inconclusive."
14:22 < andytoshi> oh, weird, it's quick for me (and i'm a good 2500km from the server)
14:23 < michagogo|cloud> "We recommend not using this file unless you know it is safe."
14:23 < gmaxwell> well it does connect to the remote server at startup.
14:23 < andytoshi> oh fuck windows
14:23 < michagogo|cloud> andytoshi: Nah
14:23 < michagogo|cloud> Not Windows, security software
14:26 < adam3us> gmaxwell: so that is 275MB vs 13GB for utxo vs txo about 2%
14:27 < gmaxwell> more like vs 16G.
14:28 < adam3us> gmaxwell: oh i thought jgarzik said his torrent was 13G
14:28 < gmaxwell> adam3us: sipa did some charts a long time ago, utxo size looked to be ~log() the blockchain size.
14:28 < gmaxwell> the torrent doesn't take it up to tip.
14:29 < adam3us> gmaxwell: (sending email cc green re contact from the other crypto guy mentioned in PM, i thought I'd take the opp to correct his 16GB bitcoin vs 1.2GB zerocash claim;)
14:36 < michagogo|cloud> andytoshi: eww, always-on-top?
14:37 < nsh> you don't get anywhere in the dog-eat-dog world of windowing systems by ceding your platform
14:39 < andytoshi> michagogo|cloud: what is always on top?
14:39 < michagogo|cloud> The cj client
14:39 < andytoshi> really?
14:39 < michagogo|cloud> Yes.
14:40 < maaku> who doesn't like it on top
14:40  * michagogo|cloud
14:40 < andytoshi> oh, oops, i had gtk_window_set_keep_above () in there
14:40 < andytoshi> i didn't notice because i don't use a floating WM
14:40  * gmaxwell xmoand user unaffected
14:40 < michagogo|cloud> ;;google xmoand
14:40 < gribble> [Arena PvP] Xmo and Xtk 2v2 - Forst Mage/Mage pt 1 - YouTube: <http://www.youtube.com/watch?v=jHdT36vjQN0>; Xmo and Xtk TCB Double Frost Mage 2v2 Arena Part 1 - YouTube: <http://www.youtube.com/watch?v=YFMWKyYmioY>; Xmo and Xtk 2v2 Act II Double Frost Mage 2v2 Arena Part 1 - YouTube: <http://www.youtube.com/watch?v=hmH8F2MiSog>
14:41 < gmaxwell> yea, srsly. y'all use a floating window manager? sucks to be you.
14:41 < jtimon> xmonad?
14:41 < andytoshi> ....and I thought gmaxwell had a floating WM :P
14:41 < michagogo|cloud> Ah
14:41 < andytoshi> michagogo|cloud: thanks much for testing, you are the first person with a normal system to have done so
14:41 < gmaxwell> No, I use xmonad.
14:41 < andytoshi> i'll refresh the build
14:42 < jtimon> hehe, I tried some tiling WM but I left it due to a lack of time for config
14:42 < gmaxwell> (I was happy I didn't need to report problems with the tiling wm, I guess I know why now)
14:42 < jtimon> I will definitely try again though
14:42 < gmaxwell> jtimon: to configure xmonad is very simple.
14:42 < gmaxwell> You join #haskell and nice people do it for you.
14:42 < jtimon> I shouldn't have started with ratpoison, but the name was so cool
14:42 < nsh> senate judiciary hearing on NSA started 10m ago
14:42 < michagogo|cloud> andytoshi: Is there a way to cj on testnet?
14:42 < nsh> http://www.c-span.org/Live-Video/C-SPAN3/	 http://www.judiciary.senate.gov/hearings/hearing.cfm?id=32caee8082f9297f0e7df6280b369172
14:42 < jtimon> the two I used more were i3 and qtile
14:43 < michagogo|cloud> ;;tcjs
14:43 < gribble> Error: "tcjs" is not a valid command.
14:43 < michagogo|cloud> ;;cjst
14:43 < gribble> Error: "cjst" is not a valid command.
14:43 < andytoshi> michagogo|cloud: yeah, there is a cjconfig.conf file
14:43 < nsh> (Cass Sunstein currently summarizing review panel findings)
14:43 < gmaxwell> nsh: what did they find?
14:43 < andytoshi> in cjclient/, wherever Bitcoin/ is
14:43 < michagogo|cloud> andytoshi: What's the URL for the testnet page?
23:41 < petertodd> andytoshi: also the real importance of chainstate is being able to produce compact proofs that rules were violated
23:42 < gmaxwell> andytoshi: if the chainstate is commited then you could have a full validating node without even storing the chainstate, but at the cost of txns having to carry chainstate proofs. (just hashtree fragments)
23:42 < andytoshi> ok, i see, did not realize that bandwidth would be hit so hard -- i was looking at "download 20gb of old transactions and validate them" as being much more overwhelming
23:42 < gmaxwell> and it's orthogonal to if you hot-started or not. If you hotstart without something like a snark proving chainstate faithfulness you reduce full nodes to SPV security e.g. miners could potentially inflate the coin.
23:43 < andytoshi> well, you might keep the last few weeks of actual blocks so that miners would need to outcompute the network for a long time to do that
23:43 < gmaxwell> and using a snark to prove a full chainstate fidelity isn't technically feasible yet, I think. though perhaps we're close if you skip the script evaluation.
23:45 < gmaxwell> andytoshi: but keep in mind in doing that you change the incentives completely. so the analysis isn't simple. E.g. if non-miner full nodes didn't check the generated amount, would miners just all set their generated coins to 100 and leave them there?
23:45 < grau> checkpoints skip script evaluation
23:45 < gmaxwell> grau: we're going to remove that in bitcoin-qt almost certainly after headers first, and even there there is a commandline switch to reenable.
23:46 < gmaxwell> and miners don't set checkpoints.
23:46 < andytoshi> gmaxwell: presumably at all times non-miner full nodes have the past ten days or so of blocks (and they'd be dropping them), so there'd never be a window when people weren't validating the latest blocks
23:46 < gmaxwell> Basically the point there is that if miners can get themselves a blank cheque its a very different set of incentives than we currently have.
23:48 < grau> I think it will be miner keeping check on each other not user
23:48 < gmaxwell> andytoshi: sure, you just have eluria and ghash.io and slush (>>50% of the network) agree to do a 10 day reorg that harms nothing but gives them 10x the coins. Why not? it's tricky. And then why would people keep 10 days?  0 days is enough until the attack actually happens. Let someone _else_ take the cost of preventing the attack.
23:48 < gmaxwell> BlueMatt [~BlueMatt@unaffiliated/bluematt] has quit [Ping timeout: 260 seconds]
23:48 < grau> user will move to SPV, even merchants may
23:48 < gmaxwell> oops missate there.
23:48 < andytoshi> grau: then there's an incentive to conspire/collaborate and this leads to pool centralization
23:49 < andytoshi> ah, now i see the incentive problem with what i suggested
23:49 < gmaxwell> grau: there are only two or three people in the world required to achieve >50% control of hashrate.
23:49 < gmaxwell> (and one of them (the cex.io guy) has physical control of most of his hashrate directly)
23:50 < andytoshi> ugh, this is so frustrating, i had this massive blind spot in my analysis of pruning schemes
23:50 < andytoshi> if only i could convey that feeling to the alt-chasers..
23:50 < gmaxwell> grau: trusting miners is a pretty terrible idea, far worse than trusting the fed. at least the fed has a sea of regulations and public identity regulating its behavior.  Miners are anonymousish, fully self selecting, unregulated, etc.
23:50 < grau> gmaxwell: assuming 2-3 would and use it to inflate coins. This could be surfaced by anyone and would destroy trust in the currency and that possibility would keep them from doing that.
23:51 < gmaxwell> and if you regulate them, then you just undermine the system in a different way.
23:51 < gmaxwell> Instead they can be regulated _naturally_ by the system how it was designed: but not trusting them any more than the absolute minimum needed.
23:51 < gmaxwell> (by having full nodes that impose the rules)
23:51 < Luke-Jr> BlueMatt: anyhow, maybe you misread what I said. I said you *are* a bitcoin dev..
23:51 < BlueMatt> ahh, ok
23:53 < grau> collaborating between miners to change rules is the same dilemma as in "selfish mining", short term incentives against long
23:54 < petertodd> grau: relying on incentives of a small number of quite-possibly non-rational people is crazy
23:54 < grau> if you have an other choice
23:55  * gmaxwell out
23:55 < petertodd> grau: well we do: design crypto-currencies where pools aren't possible, and be ready to deploy them if it becomes an issue (as an example)
23:56 < Luke-Jr> petertodd: if pools aren't possible, then you get worse alternatives (hosted mining)
23:56 < grau> design a migration policy of wealth also if you are that
23:56 < petertodd> grau: that's the easy part actually
23:56 < gmaxwell> Luke-Jr: hosted mining is made insecure by the same things that break pools (though perhaps no one cares, which was the argument I gave before: easier to break pools than hosted mining)
23:57 < petertodd> Luke-Jr: basic physics fortunately encourages decentralization of hashing power
23:57 < gmaxwell> oh yea I'm not here
23:57 < Luke-Jr> that's why it's better to make decentralised pooling as cheap as possible, cheaper than hosted mining
23:57 < grau> petertodd: why that? bigger plants should have better ratios of energy/hash
23:58 < Luke-Jr> ^ + bulk orders of hardware get better prices
23:59 < petertodd> grau: nope, the basic unit of production is the chip + power supply, and for that your economy of scale is making them. otoh your costs to run the hardware have a huge component of getting rid of waste heat, which incentivizes decentralization
23:59 < petertodd> grau: e.g. "a bitcoin miner in every water heater"
--- Log closed Sun Jan 05 00:00:55 2014
--- Log opened Sun Jan 05 00:00:55 2014
00:02 < grau> petertodd: thereby you would raise production cost of e.g. water heater. Competition in water heater would eliminate that.
00:02 < petertodd> grau: if crypto-coin mining has a value, and heating water has a value, then your cost for doing both at once is less than separating the two activities
00:04 < grau> You assume that water-heater mining is profitable to the extent that it ever amortizes the added production cost. That is not given.
00:06 < petertodd> grau: my point is if bitcoin mining is profitable, it'll be more profitable if you can use the waste heat for something useful. using waste heat for something useful is easier with more decentralization than less
00:08 < grau> There are places where getting rid of heat is not a big issue. I think you engage a bit in wishful thinking. We should rather think hard of how to deal with centralized mining.
00:09 < petertodd> grau: yes, and those places are always decentralized! it's just the basic physics of heat: surface area scales by x^2 and volume x^3
00:10 < grau> iceland
00:10 < petertodd> grau: obviously bitcoin mining will tend towards more northern places, but there's a whole lot of those around
00:11 < gmaxwell> 21:07 < NomZ> You all will love this one. The dogecoin blockchain split after someone submittted a 500M transaction.
00:11 < petertodd> grau: my parents live in a place significantly colder than iceland...
00:12 < grau> petertodd: wow, send them some boxes to mine :)
00:13 < petertodd> grau: yeah, I've done the math on that, it actually makes quite a lot of sense. furthermore in communities north of them the high cost of electricity is *not* a factor because the electricity generation is all diesel anyway, and diesel's more expensive (slightly) than fuel oil
00:13 < grau> gmaxwell: tomorrow you'll have lots of journalists asking if this could happen to BTC
00:15 < brisque> grau: not having scrollback to refer to, can you give me a one line summary of what you're referencing?
00:15 < gmaxwell> http://www.reddit.com/r/dogecoin/comments/1ufl1e/much_concern_dogecoin_block_chain_has_split/cehm0yw
00:16 < brisque> gmaxwell: ouch. I suppose that's what you get when you have inexperienced developers managing a bitcoin clone.
00:16 < petertodd> gmaxwell: heh, yeah warren noticed that awhile back
00:17 < andytoshi> petertodd, warren: oh? what is special about this 500m tx?
00:17 < Luke-Jr> lolwut @ font
00:17 < petertodd> andytoshi: it triggers some sanity limits that they recently removed
00:17 < brisque> andytoshi: the title of the thread has the details. some clients accept larger amounts in blocks than others.
00:17 < warren> andytoshi: competence
00:18 < brisque> "Ten days ago, the developers made a change to the Dogecoin client that raised the limit of coins in a block from 500 million to 10 billion. So now some folks are running Dogecoin clients without that change, because they are older, and some folks are running newer clients. In block 42279, a transaction that broke the rule -- containing more than 500 million DOGE -- has prevented these older clients from advancin
00:18 < warren> did the pools upgrade?
00:18 < gmaxwell> .... wtf they didn't stage the change?!@#
00:18 < andytoshi> holy shit, this is so incompetent i can't believe it, even from doge
00:19 < brisque> presumably one pool updated, then the big TX made it into a block and the chain forked
00:19 < gmaxwell> well we learned nothing then, as we've successfully made a number of changes that would have been forking if not staged.
00:20 < brisque> warren: from looking, there's some on one fork and some on another. presumably anybody on the old client has been left behind and that's the majority at this point.
00:20 < andytoshi> it appears they just pushed a forking change in a routine update? what the fuck?
00:20 < nsh> my hilarity sense is tingling...
00:20 < warren> three forks exist?
00:20 < warren> not sure how
00:20 < warren> but it's hilarious
00:21 < nsh> oldyellercoin....
00:21 < brisque> they might have changed the TX limit previously without making it a staged change.
16:55 < petertodd> Well the resolution protocol can easily have the blockchain be a directed acyclic graph instead where non-conflicting transactions in different forks on the graph can be merged back together later.
16:56 < petertodd> The incentive to broadcast your blocks (which can be just a single transaction) would then be to prevent rewriting by being on a part of the graph with maximal sacrifice.
16:56 < petertodd> Problem is how do you distribute the coins in the first place?
16:57 < petertodd> It'd also have ugly problems if transaction volume was low, because you're only safe from a rewrite once more coins have been sacrificed by *others* than your transaction was worth.
16:57 < petertodd> Hard to bootstrap that...
16:58 < petertodd> It is interesting though how it suggests that a proof-of-stake cryptocoin is probably more viable if there isn't a block reward.
17:01 < petertodd> Not much more viable mind you: it's still the fundamental problem of how do you know time has moved forward without a random beacon. (IE signing for a bunch of stake is something I can only do once - after that more signatures are meaningless, yet there's no good way to decide on what % of the outstanding coins should participate)
--- Log closed Wed Jul 03 00:00:07 2013
--- Log opened Wed Jul 03 00:00:07 2013
06:05 < sipa> :o
06:06 < gmaxwell> you were out!
06:06 < gmaxwell> oh no!
06:06 < petertodd> ...we need a -wizards archive...
06:07  * sipa demugglifies
06:08 < gmaxwell> you totally missed me being an idiot and taking like .. an hour to understand what petertodd was talking about with "proof of possession" and application to proof of sacrifice identity.
06:08 < petertodd> Lol, well I can cut that part out from the archive...
06:08 < petertodd> Though really it's a subtle point, albeit one that you should grok. :P
06:11 < gmaxwell> well in my defense I joined midconversation and didn't read the backscroll.
06:11 < petertodd> ...and if you look you'll notice I changed some of my arguments a bit because I had come up with that idea on the spot nearly.
06:21 < gmaxwell> I still think that even the less secure form of tearable data is interesting until there is actually a problem with people accepting blocks without seeing the good stuff.
06:37 < petertodd> I think the issue there is once you've gone to the trouble of having tearable data, why not have proof-of-possession?
06:38 < petertodd> Remember that the nonce can be the previous block hash to keep performance requirements minimal.
06:40 < gmaxwell> two blocks back, so you're not latency threatened perhaps
06:41 < gmaxwell> but I think I proposed this when people were really worried about the 1txn miner and miners without the utxo set. And it was pointed out that people could just advertise the roots.
06:41 < gmaxwell> (I'd proposed a kind of proof of possession to prove you had the utxo set so you couldn't mine without it)
06:41 < petertodd> Sure, and add a system where you can use that proof-of-possession to spend certain designated fees as your payment.
06:42 < petertodd> Heh, yeah, and I kinda reinvented that with my idea for doing low-bandwidth zero-validation cooperative P2Pool...
06:42 < gmaxwell> a general argument against needing that is that if there are sacrifices going on, you'll _want_ to know about them so you would be disinclined to accept blocks that have hidden them.
06:43 < petertodd> Well I'm assuming this would be just another part of a UTXO proof system so there's no way to hide anything.
06:45 < gmaxwell> I'm just saying that something simpler may be more adequate than you're giving it credit for.
06:46 < petertodd> I'm just saying once you've done a soft-fork you're 90% of the way there...
06:46 < petertodd> Really simpler would be to do it as a pure merge mined chain.
06:46 < petertodd> (or a non-soft-fork)
06:47 < gmaxwell> merged mined.. uh
06:47 < gmaxwell> warning: absence of incentive detected
06:47 < gmaxwell> :P
06:48 < gmaxwell> well, I suppose my argument applies: if this merged mined thing teaches you about valuable transactions
06:48 < gmaxwell> then there is an incentive to participate.
06:48 < petertodd> indeed, but without actual proof-of-possession you are relying on nothing more than people just using the defaults
06:48 < petertodd> that may be a much weaker assumption in the future...
06:49 < petertodd> Yeah, or if it's mined with some kind of proof-of-stake from people with a vested interestin the data itself.
06:50 < petertodd> *interest
06:50 < gmaxwell> how do you detect those people?
06:50 < petertodd> Heck, fidelity bond participants to pay rewards after some amount of merge mining...
06:50 < gmaxwell> the one who announced it isnt the useful one to mine it.
06:51 < petertodd> No, but for, say, a fidelity bonded bank thing you might find a bank's competitors proving that the fraud proof ledger is well distributed to discourage anyone from committing fraud, a bit weak sure, but at least the cost is pure bandwidth + some storage.
06:52 < petertodd> (remember the bitcoin blockchain can be used as a random beacon to keep the merge mining moving forward)
06:55 < petertodd> interesting thought: a bank might want to prove that their *clients* had been participating in some visible fraud proof storage system, so that if the bank gets sold one day the consent of the clients to the state of the fraud proof ledger is known and thus a proof disclosed after the fact can be declared invalid
06:56 < gmaxwell> petertodd: we're in cycles, we stumbled on this when talking about the IRC stuff: the irc bank could prune its transaction records once the customer provided a no-fraud ping.
06:56 < gmaxwell> because if they claimed fraud later you wouldn't have to prove them wrong, you'd just show their no fraud ping. :P
06:57  * gmaxwell predicts "what is a segmentation violation" in a minute.
06:57 < petertodd> Ah, I forgot about that bit... nice example of how it's a continuum of visibility options.
06:58 < petertodd> heh...
11:13 < adam3us> now you guys woke up: i was thinking the outcome is the miner will win the proportion of his own (and other peoples) sacrifice to miners in relation to his share of the network power
11:14 < adam3us> so that being the case, why not just pay to the set of miners (over some rolling transaction history) in proportion to how often they've been winning
--- Log closed Thu Jul 04 00:00:10 2013
--- Log opened Thu Jul 04 00:00:10 2013
14:49 < adam3us> petertodd: not afk? about your proof of sacrifice somewhat resistant to miner inside attack, not sure if you saw my additional thought
14:50 < adam3us> petertodd: i think it averages out to pay to miners in proportion to their mining power, so you could more simply achieve the same effect by paying to miners in proportion to their rolling average proportion of network power (with some signature annotation saying this is a proof of donation to miners)
15:22 < petertodd> But that's not a sacrifice without a solid way to pick the lucky miner randomly.
15:24 < petertodd> ...and that doesn't work because there is no way to commit the funds such that if a miner is picked that you do not want the funds to go to the funds will go to them anyway - Bitcoin just can't do that in the scripting system.
16:29 < adam3us> petertodd: but what is special about giving it to a random miner in (chances biased in proportion to their power) vs just giving it to the miners in proportion to their recent demonstration of power (eg last month).  if they keep running for another month the effect in terms of what they receive will be basically the same right?
16:30 < adam3us> petertodd: I don't know why you would not want the funds to go to a specific miner, but the approach you discussed recently doesn't prevent that either, because well a random miner will win, you have no control
16:54 < petertodd> We're talking about sacrifices; if the destination of the funds can be controlled it's probably not a true sacrifice.
16:57 < adam3us> petertodd: my point is the approach you proposed a few days ago, it has the property that funds are given to miners, with some randomness, but presuming lots of people make proofs of sacrifice over time that will average out anyway, so the net result is that miners (all of them) receive funds in proportion to their percentage of network power, agreed?
16:59 < adam3us> petertodd: and if so, you can simplify and achieve the same effect by just paying to miners in proportion to their wins over the last month (pay to all of them, a multiple output); you would need some special annotation to indicate this is not just a payment to miners, its a sacrifice to miners and that will be validated by other full nodes against the correct proportion being paid to the miners against the validated average network power
17:01 < petertodd> But doing that in Bitcoin is impossible if you want to ensure the person making the sacrifice can't direct it to themselves.
17:01 < petertodd> If you don't ensure that, it's not a true sacrifice.
17:02 < petertodd> What you are proposing would be at minimum a soft fork involving a lot of complex code with no advantage over a random model - it all evens out in the end.
17:04 < petertodd> Not to mention what you really want is anyone-can-spend outputs that remain locked for long enough that even if a pool has, say, 40% hashing power and is willing to play dirty and make sacrifices knowing that 40% of the time they'll mine the fees anyway it is unknown to them if they'll be in business by the time the output is spendable. IE sacrifices that only go back to miners after multiple months.
17:04 < adam3us> petertodd: i am not saying the sacrificer can spend to themselves, they can only spend to the miners during the last month, in proportion to the power (1GH = 100 satoshi sacrifice or whatever ratio), and if the sacrificer pays to the wrong proportion or to the wrong users, it will be rejected by all validators (full nodes)
00:05 < warren> what's wrong with p2pool's approach?
00:05 < warren> p2pool implementation has scalability problems and payouts are too often in too small dust, but that's a current implementation issue.
00:07 < amiller> well p2pool's approach is based on the same technique that makes hosted mining feasible/attractive
00:07 < amiller> (despite the fact that no one does it yet)
00:08 < warren> I mean, if users were more concerned about the risks of mining centralization, they would use p2pool-like approaches, there could be multiple of them.
00:08 < warren> p2pool needs to be a lot more efficient than it is now.  We hope to throw a few thousand dollars into its development.
00:08 < amiller> well see the thing is the risks of mining centralization aren't felt by individual users acting in self interest
00:09 < amiller> it's kind of like a social cost
00:09 < warren> amiller: p2pool miners can earn more than centralized pool mining
00:09 < amiller> warren, i am not talking about centralized pool mining
00:09 < amiller> i'm talking about hosted mining
00:09 < amiller> where you rent cpu power from a miner warehouse somewhere in the cool fjords of sweden
00:10 < amiller> where the hydroelectric power is cheapest
00:11 < jgarzik> Alydian is doing that
00:11 < jgarzik> $0.5 million for a petahash or three
00:11 < amiller> ah, thanks jgarzik
00:11 < jgarzik> though not necessarily in sweden
00:11 < jgarzik> knc and a couple others are doing hosted mining
00:11 < amiller> are there threads panicking about this
00:12 < jgarzik> and well over a year ago, "Vladimir" on the forums sold hashes in this manner.  you paid for a certain amount of hashes (GPU at the time).
00:12 < jgarzik> nope, it's already been explored
00:14 < amiller> already been explored? what conclusion did they come to? (i'm searching for such threads)
01:17 < gmaxwell> nanotube: amiller's plan to foil cloud mining is like julian assange's plan to use leaks to undermine secrecy. :P
01:18 < gmaxwell> I don't think anyone has explored foiling it through clever techno-economic hacks.
01:19 < gmaxwell> (nor do I think amiller's ideas would ever go anywhere, but they may someday turn useful should bitcoin fail to centralization)
01:19 < gmaxwell> (so that the $next_thing, in 100 years when people will finally trust a next-thing, won't have the same flaw)
01:21  * amiller can wait
01:21  * nanotube also plans on being around in 100years.
01:22 < nanotube> assuming we don't have a major cataclysm, seems within the realm of possibility
01:23 < gmaxwell> amiller: I can defeat your approach. :(
01:24 < gmaxwell> I have some independent hardware maker build my hardware with an odometer, and the hardware gets audited by people with electron microscopes (at random, which I can afford because I'm mega cloud)
01:25 < nanotube> we just need to make bitcoin asic coffeemakers and spaceheaters.
01:26 < nanotube> and have them default-set to mine solo.
01:26 < gmaxwell> yea, I've argued that before: for low level waste heat decentralization is actually more cost effective... but deploymens seem to suggest that I'm wrong.
01:26 < gmaxwell> er deployments.
01:26 < nanotube> once we have millions of these out there, no need to worry about it.
01:26 < nanotube> there are deployments?
01:27 < gmaxwell> alternatively, I just run my cloud business such that I pay the average expected payout regardless of the actual payout, and I hire trained assassins to patrol my datacenter to catch thieving techs.
01:27 < gmaxwell> nanotube: there are a number of big online highly centralized deployments, e.g. asicminer and the 200TH mine that most of the bitfury parts went to.
01:28 < nanotube> gmaxwell: well yes, but there are no deployments of relatively cheap consumer hardware that mines automagically with no user intervention.
01:28 < gmaxwell> cointerra's original business plan was that, but the club to the head that they need to sell stuff was strong enough, but I don't know if they were just delayed or really deflected, see: http://cointerra.com/about/ "Our mission is to become a reliable and trusted node for transaction clearing on a stable and flourishing Bitcoin network."
01:28 < gmaxwell> no no right.
01:29 < gmaxwell> I'm saying that my theory that decentralized is more efficient than centralized because the waste heat is more productively disposed of may be wrong.
01:29 < gmaxwell> because I'm seeing lots of centralized deployments and there is no bitcoin coffeewarmer.
01:29 < nanotube> hmm
01:30 < gmaxwell> I dunno why it's wrong, I certainly lived it in VA. with substantially free power in part of the year because mining completely replaced heating costs.
01:30 < gmaxwell> (realistically the heatpump was probably 2x more power efficient, still... half price power is good)
01:31 < nanotube> maybe because nobody's gonna buy a 3000-dollar spaceheater. :P
01:31 < nanotube> the bfl jalapenos could have been it... but bfl fscked up, as we all know.
01:32 < gmaxwell> well the actual cost of building these things is ... not that high. I titter a bit at the forum people "why would they sell them when they could mine!"  "because you morons will pay a king's ransom for the hardware!"
01:32 < nanotube> hehe
01:44 < Luke-Jr> lol
01:45 < petertodd> Why mine when you can sell the hardware and make debt payments now?
01:46 < Luke-Jr> petertodd: and make a nice profit until you actually ship!
01:46 < petertodd> heh
01:46 < Luke-Jr> bah! Qt 5 requires Perl 5.16
01:46 < petertodd> <shudder>
01:46 < Luke-Jr> not sure I want to upgrade to testing perl
01:46 < petertodd> awful, horrible language
01:47 < Luke-Jr> Perl is lovely.
01:47 < Luke-Jr> I think I prefer to stick to stable versions though
01:48 < Luke-Jr> OH! That's how I can get the election by a landslide!
01:48 < Luke-Jr> "I know Perl. =_="
01:48 < petertodd> I don't vote for the mentally ill.
01:48 < Luke-Jr> :P
01:48 < petertodd> well, at least *that* kind of mentally ill...
01:49 < Luke-Jr> Perl is the kind of thing where you hate it until you're familiar enough with it. :P
01:50 < petertodd> yeah, I got familiar with it then went to art school...
01:51 < Luke-Jr> I wrote an emulator in Perl once! :P
01:52 < petertodd> heh, of what? line noise?
01:52 < Luke-Jr> it was one of my toy MIPS emulators I think
01:52 < petertodd> I hope you ported perl to it
01:52 < Luke-Jr> :D
01:53 < warren> I don't know who to vote for.
01:53 < petertodd> I wonder what's the longest chain of emulators ever emulated?
01:53 < warren> There's no Clinton on the ballot.
01:53 < petertodd> I was hoping to vote for the other lizard.
01:54 < phantomcircuit> petertodd, well someone wrote a Z80 emulator for a Z80 and then ran it on x86
01:55 < petertodd> phantomcircuit: I was more thinking Arthur Ganson's "Machine with Concrete" - https://www.youtube.com/watch?v=5q-BH-tvxEg
03:15 < petertodd> Random number generator: https://www.youtube.com/watch?v=a6aicIcQJvc
03:15 < petertodd> and sublime work of work
03:16 < petertodd> ganson is a genius
15:53 < gmaxwell> amiller: am I correct in believing that just having basic pairing operators (gt* gt/ g1^ g1+ gt= and loads of g1 types) is all we'd need to verify pinocchio in script?
16:05 < amiller> gmaxwell, yes definitely.
16:07 < amiller> gmaxwell, i think it would be easy to implement using PBC
16:08 < amiller> pinocchio requires a few specific twist curve
16:09 < amiller> they have two curves basically
16:12 < gmaxwell> amiller: In the SCIP they mention they have selected a curve with a particular efficient endomorphism, I assumed this was just distortion map optimization and would already be in pbc.
16:12 < gmaxwell> (I guess its a requirement that the curve and its quadratic twist have the same embedding degree?)
16:14 < gmaxwell> In any case, I was just musing on what the minimal cryptographic extensions to script were to achieve the widest increase in applications.
16:14 < sipa> OP_X86
16:15 < Luke-Jr> P2SH-for-SCIP would be useful
16:15 < amiller> i don't actually know any details about how pairing based crypto works, i only understand it at the bilinear map layer
16:19 < amiller> i may end up trying to learn it in a hurry and implement the pinocchio verifier myself :/
16:19 < amiller> of course for efficiency it's always hard to find the right abstraction
16:24 < amiller> https://crypto.stanford.edu/pbc/manual/ch08s08.html these are the BN curves y^2 = x^3 + b i think pinocchio uses
16:26 < gmaxwell> ah, okay, yea, I would have assumed it was, though, out of the ones in PBC. I still don't exactly understand how the pairing operation isn't slow as @#$@# for k=12 but apparently its not.
16:46 < amiller> the pinocchio guy said a similar thing once, that they picked a specific curve and used a lot of curve-specific implementation optimizations
16:46 < amiller> but maybe it's just this distortion map thing you're mentioning
19:44 < gmaxwell> So perhaps this was obvious, but I realized that a sensible way to go about establishing the usefulness and correctness of a new scripting system for bitcoin is to implement it, and embed it in a harness that uses it as the controlling criteria in a signing oracle.
19:45 < gmaxwell> e.g. you take your script, hash it, compute a new public key from the oracle's well known public key. Then do things where you want the oracle to sign with that key... then go present the oracle your script and when it accepts it signs for you.
19:46 < gmaxwell> so then you could make any new application for your new bitcoin script opcodes you want, with the limitation that you depend on a trusted oracle.
19:46 < gmaxwell> But if the usefulness of the improved script is established then thats the on-ramp to making it part of the distributed system proper.
19:56 < amiller> that's a neat idea.
19:57 < amiller> that would work e.g. for zerocoin
20:04 < phantomcircuit> this is driving me insane
20:05 < phantomcircuit> i cant get the block header that cpuminer is finding from the info stratum provides
14:25 < maaku> So question for the other -wizards': are there hard-fork changes which would make identity management easier?
14:26 < maaku> s/hard-fork/hard or soft fork/
14:34 < gmaxwell> maaku: being able to prove an output was created in the chain with a smaller proof (which doesn't include a whole transaction) would be nice.
14:35 < maaku> so merkleized transactions, presumably?
14:39 < gmaxwell> yes. Then you'd probably also want lockable outputs.
14:40 < maaku> lockable meaning can't be spent for X blocks, or until block X?
15:18 < gmaxwell> Either would work for SINs, the latter is probably more generally useful... the former may be better for SINs.
16:54 < gavinandresen> High-quality thoughts on selfish mining happening here:	https://bitcointalk.org/index.php?topic=327064
17:34 < MC1984> i don't know. We've already seen we can't wholly rely on positive incentives to maximise desirable behavior (like simply making sure your mining setup is bloody working properly and keeping it so)
17:34 < MC1984> who's to say we can wholly rely on negative incentives to minimise undesirable behavior.
17:35 < MC1984> i mean, if that were true democracy would actually work right...
17:36 < MC1984> even wholly/substantially. Especially if a rumour or urban myth goes round amongst the plebs of a way to mine more coins for free or something even if its actually killing bitcoin
17:37 < maaku> hrm. SIN and namecoin are very similar mechanisms, are they not?
17:38 < gmaxwell> maaku: namecoin expects the network can do lookups for you. sin expects the user to extract a proof and provide it.
17:38 < gmaxwell> You can verify sin without speaking the bitcoin protocol at all (with some security discussion because you're "blind SPV").
18:02 < michagogo|cloud> What goes on in this channel? (found it thanks to the mailing list)
18:03 < gmaxwell> A muggle1
18:03 < gmaxwell> !
18:03 < gmaxwell> burn him!
18:03  * amiller put on his robe and wizard hat
18:03 < gmaxwell> michagogo|cloud: we talk about far out technical stuff instead of pragmatic near term bitcoin things. It's kind of a cryptonerds bitcoin-dev-offtopic.
18:04 < michagogo|cloud> Hmm, sounds interesting
18:05 < sipa> amiller: http://bash.org/?104383 ?
18:05 < maaku> stuff that's longer-term than the next release cycle
18:05 < pigeons> maaku: are you mining the -wazards for feature ideas to solve problems to add to freimarkets?
18:05 < pigeons> ;)
18:05 < amiller> bloodninja yeah ;p
18:05 < maaku> hah sometimes. that's what my question bout SIN was for
18:07 < maaku> but it's relevant since we can actually experiment with this stuff on a live network there
18:07 < michagogo|cloud> SIN/
18:07 < michagogo|cloud> s|/|?|
18:08 < maaku> michagogo|cloud: https://en.bitcoin.it/wiki/Identity_protocol_v1
18:09 < sipa> someone should write an identity protocol v2
18:09 < sipa> so we can talk about the Original SIN
18:10  * michagogo|cloud wonders if he's missing something
18:11 < amiller> "A SIN ("System Identification Number") is the unique record identifier by which this identity will be known."
18:12 < michagogo|cloud> I saw that
18:12 < michagogo|cloud> sipa: Is that a reference to something?
18:13 < maaku> michagogo|cloud: an oppressive catholic education
18:13 < maaku> http://en.wikipedia.org/wiki/Original_sin
18:14  * michagogo|cloud glances at the nick list, between kinlo and maaku
18:32 < adam3us> why do we want identities again?
18:37 < adam3us> ok skimmed bitcoin.it/.. identity_proto..  for issuer signed attestations Brands is the most flexible blind signature protocol
18:38 < adam3us> there are also some protocols for serial anonymous use, where if you get banned you lose your access token, but not your anonymity
18:50 < gmaxwell> adam3us: right, for anti-trolling/spamming/etc.
18:56 < adam3us> gmaxwell: yes, the interesting thing is it turns out to be possible to be serially anonymous (as distinct from pseudonymous) while reusing a single authorization
18:57 < gmaxwell> adam3us: yea, e.g. via chaining blind signatures. Are there other ways?
18:57 < adam3us> gmaxwell: at some earlier point people supposed you could not be anonymous and yet anti-trolled
18:57 < gmaxwell> e.g. present an identifying sync, get a chaum token.. chain it forward..
18:57 < adam3us> gmaxwell: yes the actual approach was something simple like that
18:58 < gmaxwell> s/sync/sin/
--- Log closed Fri Nov 08 00:00:41 2013
--- Log opened Fri Nov 08 00:00:41 2013
06:31 < adam3us> anyone tried to figure out if ed felten is right?
06:32 < adam3us> i posed the question similarly in my comments to the selfish-miner paper authors (on bitcoin-dev): https://bitcointalk.org/index.php?topic=327064
06:33 < adam3us> wrong link http://sourceforge.net/mailarchive/message.php?msg_id=31612133
06:33 < adam3us> "It is also not clear what will happen if multiple selfish miners compete with each other.  A selfish miner cooperating as a peer to increase percentage runs risk of mutual sabotage - he has to announce his private block to his co-conspirator, and the co-conspirator may publish, or collude with another non-selfish miner."
06:34 < adam3us> felten claims the answer to that q. is selfish mining is unstable so wont persist
06:35 < adam3us> (well a selfish pool composed of multiple smaller pools or powerful miners, is unstable is his claim)
10:39 < amiller> adam3us, ian michael miers sent ed an email about this
10:40 < amiller> it would be pretty straightforward for the pool operator to enforce/discourage fairweather-mining
10:40 < amiller> for example if you don't keep up the pace, you get kicked out
10:41 < adam3us> amiller: yes i thought it was an interesting question, and posed it also, but i am not sure ed's gut reaction is necessarily right or properly checked
10:41 < adam3us> is that public email? on a list?
10:42 < amiller> it was a private email, instigated by a public twitter conversation
11:44 < adam3us> amiller: i guess the fair-weather guy could also sell information or be in collusion with or be a larger unselfish miner; then he can switch to the previous block at random, and the selfish miner wont know which block to mine (do this reactively when the selfish miner gets ahead)
11:45 < adam3us> amiller: as soon as the selfish miner is > 1 block ahead (which happens 1/9 of the time with 33% power), the unselfish miner has already lost so he loses nothing new by this strategy
11:47 < amiller> did you switch from fairweather miner to unselfish miner?
11:48 < adam3us> amiller: no
11:48 < adam3us> amiller: fairweather is someone who attacks the selfish mining pool from within, unselfish is someone who is running the normal protocol
11:49 < adam3us> amiller: my point is the unselfish miner can sabotage the selfish mining game, and to the selfish miner he'll just look ridiculously unlucky which he will notice soon enough
11:50 < adam3us> amiller: but if he cant find anyone who wont do that to him, he cant do the attack unless he amasses 33% himself
11:50 < amiller> i have no idea what you're saying actually ;/
11:51 < amiller> you're saying fairweather miners can undetectably leak information to some other unselfsih miner?
11:52 < adam3us> amiller: correct, they can participate in the selfish mining in hashrate, but sabotage it, but it will be noticed statistically that the selfish pool is not doing as well as expected
13:30 < adam3us> seems like it could be useful to extend timelock to be a script function rather than a tx property so you can do before, after, ranges, and do in one tx rather than multiple interlocked tx
14:08 < gmaxwell> adam3us: that creates freaky problems where a transaction which falls out of the chain in a reorg can't be put back in.
14:10 < adam3us> gmaxwell: yes you'd have to have it confirmed (timestamped) within its validity period or you're out of luck
14:11 < gmaxwell> adam3us: not just that, it can be confirmed.. and then the chain gets reorged.. and it can never be put back.
14:11 < gmaxwell> The security of all coins descended from that one arguably reduced forever.
14:23 < adam3us> gmaxwell: well a coin reorg that excludes it is not much different to putting zero fees and not getting in the first time
14:25 < gmaxwell> adam3us: it is because you know when it's never been in. This is the same kind of fungibility problem that coins derived from coinbase txn have, which is why they have a 100 block settling time.
14:26 < gmaxwell> I'm not saying no-never... but it has tradeoffs which make me uneasy.
14:45 < adam3us> gmaxwell: yes.  maybe an addendum could be to authorize belated adding if previously confirmed in an orphan within the required block/time
14:49 < amiller> i don't get how it's different
14:49 < amiller> if the chain gets reorged, one conflicting transaction can replace the other
14:50 < amiller> everything descending from the tree is affected, if the fork goes back that far
14:50 < adam3us> amiller: he means that if its < timelock, and the time has passed you're out of luck
14:50 < amiller> yeah
14:50 < adam3us> amiller: whereas now timelock is only > timelock so you just resend it
14:50 < amiller> it's still caveat emptor, i don't see how that should matter
14:50 < amiller> or to put it another way, if you receive a bitcoin from someone, who just received it from someone else, it's still not fungible
14:51 < adam3us> amiller: yes that is somewhat true; if a big enough reorg occured to undo 6 blocks, never mind 100 you've got other problem, you're vulnerable to full-on 51% attacks
14:52 < adam3us> amiller: but gmaxwell is right that mined blocks are treated with more suspicion in terms of confirmations at least in the qt client
14:52 < amiller> perhaps they shouldn't be?
14:53 < amiller> anyway i think coinbase maturity is a bad rule because of economic blah blah incentive-compatible but that's a dead horse
14:53 < adam3us> amiller: well there could be an argument that honest reorgs would preserve the transaction order
14:53 < amiller> honest reorgs is a weird model but sure
13:30 < adam3us> petertodd: isnt that enough
13:31 < petertodd> Right, but the issue is a 51% attack against some subset of the blockchain data.
13:31 < petertodd> Like, if other miners *didn't* build upon your part of the blockchain via timestamping, this wouldn't be a big deal.
13:33 < adam3us> petertodd: yes its another aspect of the one-true chain model (must be up to 7 dependencies by now) it ensures that once your block is buried even one block other miners have an incentive to mine it to avoid being orphaned
13:34 < petertodd> Yup
13:34 < adam3us> petertodd: i think i had the analogous problem you are talking about with complex incentives for the "thicket" of block chains approach
13:35 < petertodd> Sure, although I think the biggest issue is just the really fundamental one about how you need to be sure the blockchain data is in the hands of more than one person.
13:35 < adam3us> petertodd: at that time i concluded it was enough alone to kill it - simplicity is good etc but this variant has additional advantages so maybe we can still get back to a net win eventually
13:36 < petertodd> Yup. Like, suppose we could make the assumption that the majority of hashing power would be mining all shards in one go, then that majority would have the data, and there'd be no issue at all. But we can't assume that.
13:36 < adam3us> petertodd: its not inherently interesting to someone to censor your shared block hash, they have to want to present a different version of it with a different spend
13:36 < adam3us> petertodd: right - thats the 7th dependency - super-entangled design when you get to all of the dependencies
13:36 < petertodd> Economically interesting no, but if their goal is to destroy the system then you're in trouble.
13:37 < adam3us> petertodd: yes, and you have defend against that
13:37 < petertodd> Yup. I dunno, maybe it's the case that fundamentally you can't? But I'd sure hope you could at least do better.
13:37 < adam3us> petertodd: in my thicket thought experiment (unpublished) i was supposing some modest reward bonus for being the first to pull in a shard-hash
13:38 < petertodd> what do you mean by "pull in"?
13:38 < adam3us> petertodd: or a share of the fees in it (hash it as an input another shard hash)
13:39 < adam3us> petertodd: i think you need to have some list or merkle hash of shard-hashes so that as time-progresses each hashed block includes everything else if you explore down the tree a bit
13:40 < petertodd> See, my thought experiment is a little different: for a given committed transaction input, we should be able to calculate the total work done by all miners with that transaction input in their dataset. (assuming the pow scheme does proof-of-data)
13:40 < adam3us> petertodd: (each shard-hash includes all other shard hashes in a best effort sense, motivated by a share of the fee and/or reward)
13:41 < petertodd> Yeah, although maybe at this point it'd be better to leave reward out; I think in a inflationary system we can reward people simply by taking their coins away unless they mine in proportion to the coins they own.
13:44 < adam3us> random non-tech thought about the "what is bitcoin" virtual commodity, etc .. its a crypto/math geeks stamp collection
13:44 < petertodd> heh
13:45 < adam3us> see in hashcash in the mail context they were stamps and i have a page with a stamp collection; they are rare because they are expensive, and a math/crypto/computer geek can admire and appreciate the beauty (or waste) in finding a number with 15 leading 0 hex digits so they have math aesthetic value too
13:46 < adam3us> http://hashcash.org/stamps/ one of those was 48 bits eve years ago
13:46 < petertodd> yeah, bitcoin is special in figuring out how to take those stamps and assign them owners with global consensus
13:46 < petertodd> heh, meanwhile we've got, what, 68 zero sha256^2 pre-images now?
13:46 < adam3us> right; it wouldve been easy to give a hashcash a public key, just include a pub key in the hash (as bitcoin does), and i thought about it for mail apps even (prove a reputation)
13:47 < adam3us> yes
13:48 < adam3us> actually i calculated it here: https://en.bitcoin.it/wiki/Hashcash
13:48 < adam3us> its 60.6 bits right now
13:48 < adam3us> or 61.6 bits of security (there are 2 hashes per try so +1)
13:48 < adam3us> more secure than 56-bit DES :)
13:48 < petertodd> ha
13:50 < gmaxwell> adam3us: well I don't think you get to count the ^2 ... I mean, sha256 is much slower in hardware than DES and you're not counting that.
13:50 < adam3us> the guy etienne gervais wrote his own openCL hashcash-sha1 miner just to get leaderboard on that page :)
13:50 < petertodd> Interesting thought: so, in my txin commitments scheme, what you need to keep "up-to-date" with, in terms of the blockchain, is the part of the blockchain with the still un-revealed txouts that your wallet contains. IE, the important part of the txin space is still "zeroed" up until you want to spend it to someone else.
13:50 < adam3us> gmaxwell: yes it is a question of what counts as an op in O(2^n) notation grey area
13:51 < petertodd> Not brilliant, but it is a bit of a security improvement in that targeting you specifically to make your coins unspendable is hard if you keep those txouts a secret.
13:51 < adam3us> gmaxwell: if it was computing DES unlike eff des cracker which computed one des decryption in 56hrs, bitcoin network can do it in < 12 sec
13:51 < gmaxwell> you could instead use some transistor toggle metric.
13:52 < adam3us> gmaxwell: vaguely recall knuth might've had some complexity metric based on a styled pseudo assembly code :) even with cycles or instructions depends on cisc, risc etc
13:53 < gmaxwell> adam3us: art's (who you didn't get to interact with, early bitcoiner who went away) fpga mining farm could do a full des search in ~24 hours and I think that was just a 40GH bitcoin farm.
13:54 < adam3us> gmaxwell: its interesting in that des cracker was built in 1998 for $250k but if it was sha256 instead of des it'd still be respectable and maybe profitable for bitcoin i think (have to check calc)
13:55 < gmaxwell> adam3us: DES is especially weird, because the sboxes yield especially compact combinatorial logic.
13:55 < adam3us> it was doing 280 TDes/sec
13:55 < adam3us> for $250k
13:59 < adam3us> gmaxwell: something seems wrong: bitcoin hashrate = 3 ExaH/sec; if deepcrack was 280, it'd be only 10x slower, but that's not true; yet 2^56/56/6/1000^4 = 280 hmm (deepcrack could do 2^56 in 56hrs)
14:00 < adam3us> gmaxwell: oh bitcoin hash rate is now 4 Exah (33% increase as of a few days) jeeze
14:10 < petertodd> adam3us: suppose we ensured that mining some portion of the blockchain required the consent of the majority of the owners of the coins in that portion, do you think the data hiding problem would be sufficiently solved?
14:10 < petertodd> (ignore practical difficulties here)
14:16 < sipa> adam3us: what is Exah?
14:16 < sipa> per what time?
14:17 < sipa> it's 3.8 petahash/s
14:17 < sipa> where hash = double-sha256
15:36 < HM2> Android has improved its security further by adding support for two more cryptographic algorithms. Elliptic Curve Digital Signature Algorithm (ECDSA) support has been added to the keystore provider improving security of digital signing, applicable to scenarios such as signing of an application or a data connection. The Scrypt key derivation function is implemented to protect the cryptographic keys used for full-disk encryption
15:36 < HM2> Android adopting Scrypt is pretty big crypto news I guess
15:40 < sipa> ooh nice
15:42 < HM2> yeah, not sure whether they make that available via the general crypto APIs
16:45 < adam3us> sipa: better that explains my error
17:19 < sipa> amiller: ?
17:19 < sipa> ah!
17:20 < amiller> haha, my phishing attack is complete
17:20  * gmaxwell is confused
17:20 < amiller> i'm approximately authenticated as adam back
17:20 < amiller> as far as sipa is concerned
17:21 < gmaxwell> Well, a people all look the same.
17:22 < sipa> my authentication scheme is based on H(nick[0])
17:42 < amiller> ugh question about colored coins again
17:42 < amiller> to determine if a txoutput has the color
17:42 < amiller> do you have to trace just a *path* through the transaction tree down to the genesis of the colored coin/
17:42 < amiller> or do you have to trace the whole tree?
17:43 < amiller> someone convinced me it was just the tree
17:43 < amiller> er just a path
17:43 < amiller> but now i think it's the entire tree, because you have to establish the color value of *every* txinput, which is then recursive
17:44 < gmaxwell> amiller: I'm not following the distinction. If you receive a colored coin and someone tells you the respective genesises you can just connect them and ignore unrelated parts of the history.
17:44 < gmaxwell> I suspect most people flapping their lips about this stuff have never picked a random coin on the network and tried to extract its whole history.... :P
17:45 < gmaxwell> (it's pretty normal for something to be tainted against a significant fraction of all past transactions)
17:45 < amiller> what is the unrelated part of the history though?
17:45 < amiller> it would be nice if, for example, i only cared about this current txout, then i have to look backwards to at most one txinput in each transaction
17:45 < amiller> thus a linear path from the txout in question to the genesis
17:45 < gmaxwell> amiller: if you know which coins were the genesis you can trace forward and back and meet in the middle.
17:46 < gmaxwell> amiller: you only can do that if you already know the path (e.g. someone else already traced it)
17:46 < gmaxwell> if you know the genesis and the rule is setup right you can trace forward with one output per transaction.
17:46 < gmaxwell> but backwards alone is exponential.
17:47 < amiller> i don't see how to go forward with one txout per transaction
17:47 < amiller> can you recommend a link with code for this
18:15 < jgarzik> adam3us, TBH it's not just laziness.  Even if my bitcoinj-based Bitcoin Wallet was [hopefully] updated to reuse addresses tomorrow, you still have a problem of address reuse being practically mandated by circumstance, in the other direction:
18:15 < adam3us> sipa: when presented with a key though
18:15 < jgarzik> miner payouts, salary payouts, etc.
18:15 < jgarzik> no good way exists to give a payment stream a set of addresses
18:15 < sipa> adam3us: they could reveal that key
18:15 < TD> lol
18:15 < TD> wallet author laziness
18:16 < TD> adam3us: you can follow HD wallets in bitcoinj development work here: https://code.google.com/r/hearn-bitcoinj/source/list?name=keychain
18:16 < TD> as you can see lots of code has been going in for the past 6-7 weeks
18:16 < adam3us> jgarzik: yes indeed.  well there is a mix of like wallets that only support one address supposedly? and then there are real problems.  signature lines, biz cards, etc they are truly simpler to use and understand and in some use-cases hard to avoid!
18:16 < Luke-Jr> jgarzik: HD wallet spec has stuff for that
18:16 < TD> adam3us: design doc is here, to give you a flavour of how complicated the work is: https://code.google.com/r/hearn-bitcoinj/source/browse/designdocs/Deterministic%20wallets.txt?name=keychain
18:17 < am42> lol
18:17 < am42> guys...
18:17 < jgarzik> Luke-Jr, yes, any derivation scheme fits the use case
18:17 < adam3us> jgarzik: "no good way exists to give a payment stream a set of addresses" well like Luke-Jr said shared subwallet chain-code should work for stream
18:17 < jgarzik> as long as it is standardized
18:17 < jgarzik> and private
18:18 < jgarzik> the whole world doesn't need to track my salary
18:18 < Luke-Jr> but it's so fun! <.<
18:19 < jgarzik> I would love to find a solution for mass payouts killing privacy.  the solution seems to be "send a bunch of little TXs", which is network-unfriendly.
18:19  * TD shrugs
18:19 < TD> the point of bitcoin is to move money, well
18:19 < TD> that's why we need to scale the tech
18:20 < TD> so we're not afraid of making little transactions if that's what it takes to give good privacy
18:20 < TD> adam3us: anyway if you're feeling non-lazy you're welcome to help chip in with the implementation .....
18:20 < adam3us> TD: scary looking spec there.  btw relatedly petertodd was saying that bloom is not that private with default parameters
18:20 < TD> :)
18:20 < TD> yeah current bitcoinj has a default very low false positive rate and a few bugs
18:21 < TD> ways the remote node can trick you into revealing whether you own a particular key, stuff like that
18:21 < TD> we experimented with a higher FP rate in this dev cycle but it wasn't usable on 3G connections. so we need to add a notion of bandwidth modes to the API
18:21 < TD> then if we're on wifi we can ramp it up, etc
18:21 < TD> either that, or some kind of auto measurement/adaptation, but that's harder
18:21 < sipa> well, as long as bitcoinj wallets reuse addresses by default, there's little point in trying to protect privacy using bloom filters )
18:22 < TD> yeah - that's why i'm working on HD wallets at the moment and not bloom filtering :)
18:22 < adam3us> TD: still i wonder if it's more private still than the prefix idea; prefix leaks to all and interacts badly with existing statistical network analysis
18:22 < sipa> yeah, i know, not commenting there
18:22 < am42> guys i want to buy safe BTC via Western Union
18:22 < am42> or MoneyGram
18:22 < TD> but as you can see from the design doc ..... well, bitcoinj wallet class got a lot of features over the years, so making sure none of them break and the upgrade is smooth, takes a lot of work
18:22 < adam3us> sipa: ha ha
18:22 < am42> how to do that safe?
18:23 < sipa> am42: not here, try #bitcoin
18:23 < wallet42> td: will bloom filters work with stealth addresses?
18:23 < adam3us> jgarzik: "I would love to find a solution for mass payouts killing privacy." this seems like a coin control issue.
18:23 < TD> i don't know. i haven't really worked through the details of ... let's call them "routing addresses"
18:23 < adam3us> wallet42: i think not
18:24 < TD> but yeah there's an obvious conceptual issue there - bloom filters are intended to hide what the node should be looking for. but with stealth/routing addresses, the client doesn't know what it's looking for either, in a way
18:24 < adam3us> TD: i was suggesting unlinkable static (vs the current static aka reused).
18:24 < TD> with the payment protocol it might be different because then you don't have to find payments only via the chain
18:25 < TD> adam3us: yeah but i think "static" is jargony
18:25 < adam3us> TD: exactly.  the client would have to give the node a private key to scan with.  and that scanning is like heavy
18:26 < TD> if the payer submits the tx directly to the payee via bluetooth/http/other payment protocol methods that issue goes away of course
18:26 < TD> but then you have to be online
18:26 < adam3us> TD: and then i think there's no ambiguity left for bloom to work with.  unless you upload a few other peoples private key also
18:26 < TD> or have a dropbox of some kind
18:26 < adam3us> TD: yes.  i guess we cant or dont want to accept that as an assumption  and also one or other part could get lost.
18:27 < adam3us> TD: routing address is not bad.
18:28 < adam3us> jgarzik: didn't petertodd write something called dust be gone that swept up all the tiny tracking spam payments into a corner so your wallet doesn't auto grab them?  or coin control to not use them until you run out of bigger coins.
18:32 < TD> i think it paid dust outputs to miner fees
18:43 < EasyAt> I don't understand the use of these tracking outputs.  Is it because if the TX is to me I will relay it, whereas if it isn't mine I'll drop it because it's dust?
18:44 < adam3us> EasyAt: apparently they send tiny payments to lots of people, then watch them be respent.
18:44 < EasyAt> Can't I just track outputs from a target address without tagging it
18:44 < adam3us> EasyAt: your wallet just grabs random inputs from whats in the wallet, "coin control" is not clever yet apparently.  its like someone giving you marked pennies.
18:45 < adam3us> EasyAt: well not if someone is not reusing addresses so much.
18:45 < EasyAt> Yea, but once they target my address they can just watch all outputs and the chain of TXs following?
18:46 < maaku> EasyAt: these addresses are one-use only
18:46 < adam3us> EasyAt: i guess you could say its a way to force someone to reuse an address against their wish... send them unsolicited dust to their address.
18:46 < maaku> oh n/m
18:47 < sipa> i really prefer a model where you have to ask for every transaction you have to send first
18:47 < sipa> but it seems the bitcoin economy hasn't evolved that way
18:47 < adam3us> EasyAt: your wallet contains like 100 addresses and the wallet tries to not reuse them.  so they know this particular address is yours for some reason.  maybe the point is the dust payment is to the same address, and may get used in a different payment (even tho its the same address its a different txout)
18:48 < EasyAt> adam3us: Is it in the hopes that you will spend the dust with another output from a different address, thus leaking some info?
18:49 < adam3us> EasyAt: its not automatic that all payments from the same address would go in the same payment.  its not balanced based so each txout is spent separately.  if they see one of those dust payments respent with an address of yours they didnt know was  yours, they do now
18:49 < adam3us> EasyAt: but i dont know who would care enough to waste btc dust to find out really.  maybe some academics doing analysis or something?
18:50 < EasyAt> adam3us: Indeed, I follow you
18:50 < EasyAt> tainting people
18:50 < EasyAt> Or address grouping, I suppose
18:51 < EasyAt> sipa: In your model I would need permission from the receiver?
18:52 < adam3us> EasyAt: yes probably the latter.  yes his model is that and would work, in an older version there was send via IP which could've been more permission based as there was an interactive link anyway
18:53 < EasyAt> Interesting, thank you for the input
18:54 < adam3us> in an ideal world we'd have better privacy so people could send you small payments and it wouldnt matter.
18:55 < sipa> EasyAt: i would like that yes
18:55 < sipa> EasyAt: that you could not send coins without permission from the receiver
18:56 < EasyAt> How would cold wallets receive funds in that case
18:56 < sipa> nothing prevents it from being presigned
18:57 < EasyAt> Hm, then wouldn't I need prior knowledge of the TX?  How about a cold wallet used for donations?
19:00 < adam3us> EasyAt: maybe there could be a separate key for permission to send sig than for spending.  (like the chain-code being in an online computer and the private key in the offline)
19:01 < adam3us> sipa: it would also solve address reuse.  new address on each signed payment permission
19:03 < EasyAt> Or, maybe a way to publish a ruleset in the blockchain for acceptable payments to an address
19:04 < EasyAt> Though, by doing so I am giving up my pubkey... I think
19:04 < EasyAt> Well, I can't think of a way not to give it up
19:05 < sipa> adam3us: well, it's exactly what the payment protocol intends to bring back
19:09 < adam3us> sipa: yes.
19:21 < jcrubino> was a rename decided for stealth addresses?  I would like to propose "quiet addresses" or "silent address"
19:23 < adam3us> jcrubino: i think we have a winner from jeremy spilman "reusable address"
19:23 < jcrubino> sounds good
19:23 < gmaxwell> I like reusable address.
19:24 < maaku> very nice
19:25 < adam3us> gmaxwell: yea me too.  i am not sure of the level of enthusiasm for this all being a done deal tho "I have high hopes for this feature. The war *against* address reuse may soon be a distant memory." (Jeremy on bitcoin-dev list)
19:25 < adam3us> gmaxwell: seems to me there is a big open question about SPV compatibility.
12:15 < adam3us> hm2: then everyone is a user (who uses it) but zerocoin is slow, bloated coins, and only one denomination (imagine paying $10k in 1c coins)
12:16 < HM2> i'm sure sipa could cook up something with hash trees
12:16 < adam3us> hm2: if you can follow chameleon hash argument u could grok it
12:16 < HM2> everything in bitcoin is solvable with another tree of hashes
12:16 < sipa> HM2: gmaxwell and petertodd are far more experts at using hashes for everything :)
12:16 < adam3us> hm2: funny u should say that committed transactions potentially hide a lot from the public are also just hashes
12:17  * sipa just implements
12:17 < adam3us> hm2: a different privacy model, where the only people who see who is paying who and how much are the people in the history of the payment (not the public at large)
12:21 < HM2> sipa, it's better for your sanity i'm sure
12:26 < adam3us> someone who knows something about hashes, trees, and tries ought to do something about bitcoin scalability; something concrete like a bip and an implementation
12:27 < adam3us> if bitcoin doesnt scale people will do something stupid offchain eg centralized micropayments with trust me bitcoin backing and when dust reaches $10k all bitcoin transactions will be offchain
12:27 < adam3us> that would be a very rubbish end to bitcoin ecash
12:33 < adam3us> you've got to wonder if accumulators could help also rather than trees, gives a kind of commutative hash tree so it can be rebalanced without changing the root hash
12:35 < sipa> hash(sort([h0,h1]))
12:36 < sipa> ha:
12:36 < adam3us> sipa: thats the effect you'd get but without the sort implication of needing the serializations available
12:36 < sipa> Please remember - don't hoard TestNet coins or try to sell them. TestNet coins are worthless, but useful. They are useful because they are worthless. If you will add value to them, they will be useless, therefore worthless.
12:37 < adam3us> sipa: lol
12:37 < sipa> (from tpfaucet.appspot.com)
12:37 < adam3us> sipa: a(h1,h2)=a(h2,h1) and a(h1,a(h2,h3)) = a(a(h1,h2),h3) etc
12:38 < adam3us> sipa: and what more you can prove hn is in the tree in O(1) space and work rather than O(log2(n)), thats the real bonus
12:38 < sipa> over my head :)
12:39 < sipa> anyone has a testnet address and wants some coins? i need a test
12:39 < HM2> i wonder if anyones managed to trick anyone in to buying testnet coins thinking they're mainnet coins
12:41 < adam3us> sipa: its simple really; just a=g^h1 mod n and to add another hash a2=a^h2 = g^(h1*h2) and repeat user2 can keep g^(h1*h3) (ie with h2 missing) then user 2 proves he's in the accumulator by showing A'=g^(h1*h3)^h2 == A ie A'^h2 = A
12:41 < sipa> oh
12:41 < adam3us> sipa: it only works because its in an RSA group so you cant compute 1/h1 its mod phi(n) which no one knows
12:41 < HM2> except bruce schneier
12:41 < sipa> got it
12:42 < K1773R> sipa: mz1iravK75FhNCyinytJhNCVqxmhFddohn
12:42 < sipa> bruce schneier can recite pi backwards
12:42 < HM2> ;)
12:42 < adam3us> hm2: is this the bruce schneier = crypto chuck norris meme :)
12:42 < adam3us> hm2: he does look a bit like norris
12:43 < HM2> except politically more agreeable
13:03 < adam3us> amiller: about byzantine general and Aspnes et al "exposing computationally challenged byzantine impostors" it occurs to me that bitcoin should not actually need to quite solve the byzantine general problem
13:04 < adam3us> amiller: because you dont really care which tx is first from a set of double spends, just that one is chosen, even at random; maybe that leaves some scope for improvement over the general version of the problem where they actually want to know the correct answer
13:18 < maaku> adam3us: i'm working on the hash-trie thing
13:18 < maaku> and yes, we need it for scalability, especially an address/script indexed tree
13:19 < sipa> that makes non-anonymous non-validating wallets that only maintain a balance and no transaction history indeed scale easily
13:21 < sipa> and with an txid-indexed index, allows validating clients to skip replaying history, assuming they trust it in an SPV way
13:24 < maaku> well, they can validate backwards from the current set, allowing a choice of security in the spectrum between SPV+ and full
13:25 < sipa> if undo data is available over the network, yes
13:27 < amiller> adam3us, so yeah the standard byzantine consensus requires a property like Unanimity, which says the thing chosen is the *one everyone wants* in some sense, but there are a variety of different options people commonly use
13:27 < amiller> one is that it only matters if everyone begins wanting the same thing
13:27 < amiller> another is that it only matters if there are no faults and everyone is honest
13:27 < amiller> another is that the chosen one with high probability has to be close to the plurality
13:28 < amiller> what it means for bitcoin is that if you allow the adversary to always influence the block
13:28 < amiller> a block with no tx's in it is a valid block
13:28 < amiller> so just consensus without some unanimity-like condition would mean you couldn't get a transaction included
13:28 < amiller> something that's bugging me is this concept of, what if you had a transaction that could only be accepted on an even 1000th block
13:29 < amiller> should bitcoin guarantee that you'll get it in quickly?
13:29 < amiller> if the (sub-50%) attacker gets to influence one out of a thousand blocks like that then it could keep that pathological transaction from even getting in
13:54 < maaku> sipa: I suggest commitment of undo blocks in addition to hash roots
13:54 < maaku> and, eventually, some way of querying that data over the network
14:05 < maaku> amiller: I would think that pathological case is the user's fault
14:10 < adam3us> amiller: so what about if the vote is just which transaction is included not whether a tx is included
14:11 < amiller> well there's that edge case where like, you basically can never prove someone *didn't* hear something
14:11 < adam3us> amiller: eg you mine on your own public key to gain voting rights and reward (as a miner) then you exercise those voting rights to say which transactions u like and if there are any dups the highest or the lowest wins
14:11 < amiller> so bitcoin's design is very tolerant of miners pretending they didn't hear a transaction
14:11 < amiller> you never get misbehavior for ignoring a message or playing dumb and not being aware of a tx, etc
14:12 < adam3us> amiller: yes but if the vote is which you like or prefer if there is a dup, an absence of a vote is an abstention, not a dislike
14:12 < adam3us> amiller: attackers can abstain all they like (in fact they're encouraged to)
14:13 < amiller> well if everyone includes all the transactions they've heard...
14:13 < amiller> i dunno, this is tricky, but basically even in the reference client there's miner policy about which valid transactions to include, sort by fee/priority etc
14:13 < amiller> so you don't get your transaction in if the miners are all too full and they like others better than yours
14:14 < adam3us> amiller: i believe its only because of the one-true-chain model to making near 50% attacks difficult (to eventually chose a winning fork if there is a simultaneous block)
14:15 < adam3us> amiller: yes but the concept of a single block as a unified winner is due to a random winner taking 100% of vote
14:17 < adam3us> amiller: if multiple people can vote its more like proportional representation, and all non-dup tx are in by default; and which dup is used is based on the highest (or lowest) voted dup... the vote is mostly for avoiding dups
14:18 < adam3us> amiller: and it doesnt even matter which dup to use, just a random one will do fine (even one chosen by the attacker)
14:19 < amiller> are you saying you'd merge votes
14:19 < amiller> like if i cast 1 vote for {A,B} and you cast 1 vote for {B,C} then that counts as 2 votes for {A,B,C}?
14:20 < adam3us> well the idea is include anything that is not a dup
14:20 < adam3us> so the vote is irrelevant unless there is a dup
14:21 < adam3us> if there is a space limitation take the n highest voted until you're full
14:21 < adam3us> it does have to be somehow consistently serialized however which is the hard part
14:24 < adam3us> adam3us: its only if there are votes (A,B1) and (A,B2) and (B3,C) you need to use the votes to see which of B1,B2,B3 triple spend to use
14:26 < adam3us> adam3us: hypothetically say voting rights are accumulated in one round, to be used during the next round to arbitrate which blocks to include; the hard part is to consistently arrive at the same view of transactions and votes everywhere; maybe the guy who wins the block reward, gets to define the serialization but must provide the vote proofs to justify his decision, or his block serialization is defined as invalid
14:29 < adam3us> amiller: "well there's that edge case where like, you basically can never prove someone *didn't* hear something" well if its in a trie or sorted binary tree you can efficiently prove he received it or not
14:30 < adam3us> amiller: and if you use committed transactions the miners and voters don't know what they're voting on as the sender, recipient and amount is hidden; then all attacks degenerate to random DoS or blocking all tx but their own
14:35 < adam3us> committed transactions description is https://bitcointalk.org/index.php?topic=206303.15
14:37 < amiller> well committed transaction doesn't mean the transaction is valid
14:37 < adam3us> it does mean its not double spent however
14:37 < amiller> i think i would like the most if you were able to accept zero knowledge proofs of validity without having to learn anything else about the transaction
14:37 < adam3us> which is bitcoins main challenge
14:38 < adam3us> (the users validate the value from the spend history)
14:38 < adam3us> (which is not particularly spv friendly but there you go, maybe maaku & tries could help that)
12:23 < adam3us> jtimon: the firewall is it's not plausible for bitcoin main to consider accepting transfers back from a side chain (2-way peg) unless there is assurance that fraud or security bugs on the side chain can cause holders of bitcoin main coins to be diluted or lose btc
12:23 < jtimon> petertodd: another is demurrage BUT why would you expect not to have any in-chain transactions? off-chain transactions cannot be p2p currencies
12:23 < adam3us> jtimon: /can/can not/.  fortunately that seems possible to assure, hence 2-way peg excitement
12:23 < petertodd> Keep in mind, it's not that I disagree with TD's hope's of people playing nice, it's that if you're depending on that you've got a system with much weaker security guarantees than one that doesn't need honesty.
12:24 < petertodd> jtimon: why pay for an on-chain tx when an off-chain one works well enough? it's simple, less demand for on-chain tx's means less fees, and thus less security
12:25 < adam3us> petertodd: yes.  i think 51/33% attacks, incentive in btc main, and merge mined alt & sidechains is far from a done thing.  R&D community need to figure out the optimal game-theory and protocol strategies
12:25 < jtimon> petertodd: if an off-chain system has all the properties bitcoin has, why should we fight to maintain a less efficient system?
12:25 < petertodd> jtimon: e.g. suppose fairly secure DRM w/ remote attestation was being shipped to consumers: you can easily turn that into a pretty good off-chain tx system with pretty good security that will get used a lot. That'll take a lot of money away from miners, reducing the security of the underlying system.
12:25 < petertodd> jtimon: because plausible off-chain tx systems *require* bitcoin to exist under the hood
12:26 < adam3us> jtimon: in this side-chain model bitcoin main is the sole home of reward mining.  its the hub at the center.
12:26 < petertodd> jtimon: without bitcoin they don't work
12:26 < jtimon> DRM needs proprietary software, which means we can't trust it
12:26 < jtimon> proprietary soft/hardware
12:26 < petertodd> jtimon: so what? trust isn't a binary thing
12:27 < jtimon> oh, I see "because plausible off-chain tx systems *require* bitcoin to exist under the hood" this is what I was missing
12:27 < petertodd> jtimon: if I can trust it *enough* I can use it for less valuable payments and save the more expensive on-chain tx's for more valuable stuff
12:27 < jtimon> freimarkets private blockchains don't need public chains to work
12:27 < petertodd> and if bitcoin still exists, I can use techniques like fidelity bonds to make cracking the DRM system a lot less attractive
12:27 < adam3us> petertodd: there's a guy making offline bitcoin stuff using TPM cards that are microsd sized (via encrypted exchange of private keys) some people seem to be excited enuf to be making him non-trivial btc donations
12:27 < jtimon> they can just interoperate with them
12:28 < adam3us> jtimon: is it drazan?
12:28 < jtimon> of course they don't have all the properties bitcoin has
12:28 < petertodd> adam3us: indeed, I'm thinking of buying a pair to support him
12:29 < adam3us> jtimon: drazvan https://bitcointalk.org/index.php?topic=319146.msg4494688#msg4494688
12:29 < adam3us> jtimon: it's kind of cool.  not secure at the limit, but maybe it works for low value offline tx.  it's only the users that lose if it goes wrong, not online btc holders
12:29 < jtimon> so your concern is that off-chain systems relying on bitcoin are so useful that nobody uses in-chain transactions
12:30 < petertodd> jtimon: doesn't have to be "nobody", just has to be sufficiently less demand for on-chain that total fees don't pay for enough security
12:31 < jtimon> well, since I'm not against credit, I'm fine if people use other-things-than-bitcoin offline, so these kind of things don't excite me that much, I haven't read the thread yet though
12:31 < adam3us> petertodd: or maybe some trust/certification/ripple stuff sneaks in and mining contribution is reduced
12:32 < jtimon> petertodd I tend to worry more about "too much security" in the chain than about "too little of it"
12:32 < petertodd> my rough guess is something like 0.1% to 1% of the total value of all Bitcoins should go to PoW security per year. Satoshi should have let that happen with either never-ending inflation, or better yet, explicit demurrage. Doing mining that way gives a very simple and stable security guarantee, and importantly works regardless of how many on-chain tx's are done.
12:32 < adam3us> jtimon: they are bitcoins, just transferred by encrypted exchange of private keys, in the model that the user doesn't know the private key and the TPM microsd card won't give it to them (or more accurately tries to prevent cloning, you can load and unload them)
12:32 < petertodd> jtimon: "too much" just means you're wasting money - not a big deal.
12:32 < petertodd> jtimon: too little and some malicious 51% attacker destroys the whole system and we're fucked - big deal
12:32 < adam3us> petertodd: but he should do NFC or QR code, not SMS :(
12:32 < petertodd> jtimon: 0.1% to 1% are pretty low numbers that can be ignored as "rounding errors"
12:33 < petertodd> adam3us: isn't that just a software detail? the hardware itself isn't what does SMS
12:33 < adam3us> petertodd: sure
12:33 < jtimon> maybe I'm too hippy or something, too much you're wasting resources, destroying more nature than you need and all that
12:33 < adam3us> petertodd: nfc/qr = network privacy. sms=privacy leak.
12:34 < petertodd> jtimon: well, meh :) I'm sure conventional transaction systems tend to spend at least similar amounts of money per year on security, likely usually much more than that
12:34 < petertodd> jtimon: I mean, hell, I'm sure with credit cards the numbers are about that *per transaction*
12:34 < jtimon> well, I'm pretty sure 2PC ripple doesn't waste more resources than it needs
12:34 < petertodd> jtimon: wastes a lot of human brainpower on person-to-person trust relationships
12:35 < jtimon> credit cards need to feed fat cats, thus their high fees, but that's another story
12:35 < petertodd> jtimon: that's a shitty way to talk about the situation and makes you sound like an occupy activist
12:36 < jtimon> petertodd I disagree on that I don't have to think a lot when a friend of mine wants to borrow 10 eur
12:36 < petertodd> jtimon: well I think you're dead wrong there :)
12:37 < petertodd> more to the point, if you can only borrow 10 eur from each friend, then actually using ripple for any large tx gets tough
12:38 < jtimon> whatever, I can say it more correctly but it just takes longer
12:38 < jtimon> was just laziness
12:38 < jtimon> credit cards are a very inefficient system for multiple reasons, I was talking about efficient systems like @PC Ripple
12:38 < jtimon> 2PC
12:38 < jtimon> petertodd: you see I believe in both counterpartyless money and credit monies complementing each other
12:40 < jtimon> to me, people that plainly reject credit as an exchange tool often sound like braindead cultist goldbugs
12:40 < jtimon> just like people plainly rejecting counterpartyless money and only accepting mutual credit sound like fanatics
12:40 < petertodd> jtimon: You see, I believe in "This Bitcoin thing just requires me to install an app on my phone. This ripple thing requires me to dick around convincing my friends to extend credit relationships to me and sounds like a shit-load of work."
12:40 < jtimon> that's just to me
12:41 < petertodd> jtimon: "Also, it's gonna be really awkward to turn down Bob because of his gambling problem."
12:41 < jtimon> petertodd: organizing a network of mutual credit local currencies is even more work
12:41 < petertodd> jtimon: "Nice guy, but still hasn't paid me back that $1000 I gave him when he got fired three years ago and needed to pay rent."
12:41 < petertodd> jtimon: "But I'd rather not bring that up again...."
12:42 < jtimon> I agree that a ripple-like network has harder critical mass problem than bitcoin
12:42 < petertodd> jtimon: Meh, software can do that automatically, and more likely we'll have schemes where the exchange rates don't float.
12:42 < petertodd> jtimon: It's orders of magnitude harder.
12:43 < jtimon> luckily it can start with other currencies like backed currencies, bonds, coupons, shares...
12:44 < petertodd> it's totally irrelevant what currency ripple works on, the problem is the social dynamics of it
12:44 < jtimon> maybe it never goes beyond that, but I think coupons can be more important than many expect in the future
12:45 < jtimon> if you have a pub and people accept some of your "I owe you a beer at my pub" currency, why wouldn't you do that?
12:46 < petertodd> *if* people accept it
12:46 < petertodd> if they don't, then you've put a lot of effort into a system that never got used
12:47 < jtimon> mutual credit is widely used right now
12:47 < jtimon> much more than you think
12:48 < jtimon> I just want to give these systems a platform to securely inter-operate
12:48 < petertodd> I know, it's why I've said before that ripple is much more likely to catch on for b2b transactions given that 30-day-credit relationships are extremely common
12:49 < petertodd> but fundamentally you have to ask why you would use the ripple *technology* to manage those relationships? if transaction fees are sufficiently low, there isn't necessarily a compelling reason to bother
12:49 < jtimon> yeah, b2b, so called "barter networks" (they're really just another currency), coupons, local currencies...
12:50 < jtimon> to interoperate with others
12:50 < jtimon> to be able to pay with your spanish local currency in germany
12:50 < petertodd> well, again, what does ripple bring to the table? the ability to do cut-thru credit relationships, what does that do for you? potentially reduces transaction fees
12:50 < petertodd> if fees are low enough, why bother?
12:50 < jtimon> you just need a market path from the spanish local currency to the germany one
09:48 < adam3us> sipa, gmaxwell: so maybe there is a way to force the brute force to work on full preimage and not birthday via the structure of the p2sh calculation
09:49 < gmaxwell> adam3us: sure, you can make life linearly harder by using a 'vanity p2sh address'.
09:50 < adam3us> gmaxwell: as is its yet-another-consideration for the catalog of how-to safely use things (eg dont use p2sh for hashlock)
09:51 < gmaxwell> adam3us: I don't think you can say don't use p2sh for hashlock. But, certainly, you should understand the tradeoffs.
09:52 < adam3us> adam3us: yes, its another place to think about the use-case and think is it strong enough for the time-frame what are the incentives; i think its nicer to say its bullet-proof, knock yourself out for a building block
09:52 < gmaxwell> e.g. if you make the guy that will provide H(x) for the hashlock do so before the public key(s) in the hashlock script are generated, then can he can't search for a p2sh.
09:53 < adam3us> gmaxwell: are you sure? the network doesnt care what you agreed offchain, just that the spender can provide s' st AH(s') = addr, and provide inputs that make s' return true
09:54 < adam3us> gmaxwell: so that only applies to inputs already on the blockchain (i think coinswap does 4 block chain tx, so that maybe the case)
09:55 < adam3us> gmaxwell: eg lets say p2sh = RIPEMD160-128(y=SHA256(s))||y[0..31]
09:55 < adam3us> 128-bit truncate, and expose 32 bits from the inner hash
09:56 < adam3us> gmaxwell: not thought hard about it but that might screw over the birthday attack, that kind of direction anyway
09:56 < adam3us> gmaxwell: otherwise just 256-bit script hash fixes...
09:56 < gmaxwell> adam3us: You are going to pay to   {something} + preimage of HX.    You are concerned that if the provider of HX gives you the p2sh address for "{something} + preimage of HX" he'll know another p2sh script that lets him redeem without revealing HX.
09:57 < gmaxwell> adam3us: if you say "Tell me HX, I'll tell you the {something} and we'll use that" then the attack doesn't exist.
09:57 < gmaxwell> (under that kind of protocol, at least)
09:57 < adam3us> gmaxwell: i guess HX better be 256-bit hash output also (yes)
09:58 < adam3us> gmaxwell: err no its irrelevant for hashlock if the committer knows two preimages; if either is shown, the other party can unlock with it...
09:58 < gmaxwell> adam3us: doesn't actually matter!
09:58 < gmaxwell> yep.
09:58 < adam3us> gmaxwell: right
09:59 < gmaxwell> well for hash interlock, it matters for some other things.
09:59 < gmaxwell> E.g. it matters for this one: https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
10:04 < adam3us> gmaxwell: btw i think the above p2sh = RIPEMD160-128(y=SHA256(s))||y[0..31] doesnt work, probably just screen for 32-bit match then O(2^32)*O(2^64)=O(2^80), the only solution i see is a bigger hash
10:05 < adam3us> maybe you can create for similar cost two public keys Q, Q' AH(Q)=AH(Q') and do some mischief to some other script assumptions, eg an expensive way to create signature malleability
10:10 < gmaxwell> adam3us: yea, thats what I meant by a linear cost increase by using a vanity address. Cute idea to use inner agreement.
10:12 < adam3us> gmaxwell: if you revealed RIPE160(y=SHA256(s))||y[0..31] i think that'd do the trick :) and actually its smaller than using 256-bit output
10:13 < adam3us> gmaxwell: (right idea, wrong parameters a few up)
10:14 < adam3us> gmaxwell: kind of like a 2nd, inner, address checksum
10:55 < adam3us> gmaxwell: about coinSwap you mentioned blind sigs but is that necessary?  if each user connects using tor to submit the new address he'd like, and then all users only sign the n of n if their undisclosed but self-chosen address is in the output?
10:59 < adam3us> gmaxwell: starting to have doubts about RIPE160(y=SHA256(s))||y[0..31] isnt that a blackbox 196-bit hash and so attackable with O(2^88).. ignoring the validation method (to check last 32-bits are coming from the inner hash) - its generically blackbox birthday attackable surely!
11:12 < gmaxwell> adam3us: where did I mention blind sigs?
11:12 < gmaxwell> you mean coinjoin.
11:13 < gmaxwell> The reason you (may) need blind sigs is to prevent denial of service attacks. If you do as you describe a trouble maker can continually jam any join operation at basically no cost.
13:32 < adam3us> gmaxwell: no i meant coinswap "It's possible to construct cryptographically-blinded CoinJoins where _no one_ learns whose output is whose (except for each output's owner). CoinSwap results in the participants knowing the linkage."
13:36 < gmaxwell> adam3us: ah, in the coinswap I was comparing to coinjoin. My response applies. :) The reason you (may) want to use blind signing in establishing coinjoins is so you can figure out who is DOSing the join so you can ban them.
13:37 < adam3us> gmaxwell: ah.. duh that was a cross ref to coinjoin, and not coinswap per se
13:50 < gmaxwell> adam3us: the coinswaps are inherently 2-of-2, and so they can't be internally blind (the players still know that the coins are linked).
13:50 < gmaxwell> e.g. you don't know anyones IPs, but you know the connection between this coin and that coin that the swap is intended to conceal.
14:23 < adam3us> gmaxwell: but isnt the coin n of n general case?
14:28 < adam3us> gmaxwell: i was thinking (after coinjoin, before coinswap) that maybe you can p2p coinswap (but didnt get around to trying to figure out how) but that maybe you can chain it, so you get your recipient involved, and you dont learn their address, yet your signature approves it
14:28 < gmaxwell> yes, it should be chainable, but your probability of failure goes up, and I'm not sure that you can identify the cause of the failure.
14:37 < adam3us> gmaxwell: well eg so in coinjoin A enlists C's help to pay B but A learns B's address.  if C was doing this for multiple users in parallel I was thinking maybe A can blind sign B's payment address, and to the extent there are multiple parallel protocol runs there would be an anonymity set
14:39 < adam3us> gmaxwell: but the hashlock value X being chosen by B and disclosed as part of the payment completion links the payments; however perhaps if C could choose X and use the same X for all the parallel protocol runs unlinkability within the anonymity set could be restored
14:54 < adam3us> gmaxwell: btw (reading coinjoin about zerocoin problems) "Uses an accumulator which grows forever and has no pruning" I think accumulator is fixed size, just 3072-bits.  The users just have to run full nodes and keep updating w_j=g^(x_1*...*x_{j-1}*x_{j+1}*...*x_n), (omitting x_j which is theirs) so they can prove w_j^x_j==A mod n
14:55 < adam3us> gmaxwell: (but the rest of the critiques I agree, its impractically inefficient)
15:00 < amiller> adam3us, it's not the accumulator which grows unbounded
15:00 < amiller> it's the list of spent serial numbers
15:01 < amiller> you literally have to check a list of serial numbers that have already been spent every time
15:01 < adam3us> amiller: thats true, I expect thats what Greg meant presumably
15:01 < amiller> you can put them in an ever growing tree but eh
15:08 < gmaxwell> Indeed, thats what I mean there. I didn't actually mean the RSA accumulator, I chose my words foolishly. :)  Just that it has an evergrowing database that you can't forget until all the coins are out.
15:08 < gmaxwell> (and if you don't have a way to close off adding new coins, never.)
15:09 < gmaxwell> there are ways around it, e.g. have accumulator's which must have all their coins removed by height whatever or they're forever unrecoverable.
15:10 < gmaxwell> In any case, I wasn't trying to pan zerocoin only highlight that there were non-trivial costs: that its not magic.
20:03 < HM2> hmm NIST reviewing their crypto process
20:03 < HM2> good news i guess
--- Log closed Sun Nov 03 00:00:14 2013
--- Log opened Sun Nov 03 00:00:14 2013
08:57 < adam3us> btw i was misinterpreting https://blockchain.info/q/hashrate as in GH rather than the correct TH in my comparison a few days ago of network hash to the EFF DES cracker ($250k, 56hrs to break one O(2^56) des key)
08:58 < sipa> gribble has a ;;nethash command that gives a good estimate in GH/s
08:59 < sipa> (it's pulled from my site)
08:59 < sipa> oh, you're not in #bitcoin-dev ?
08:59 < adam3us> so.. bitcoin is actually doing O(2^71) work puzzles (or O(2^72) if you count each of the double hashes) per 10mins, and if bitcoin was attacking DES (which is probably easier than 1 SHA256 round as DES is ASIC  friendly) could do in 9.4ms per DES key to Deep Crack's 56hrs
08:59 < sipa> that reasoning is flawed IMHO, as the current ASICs cannot do DES at all
08:59 < adam3us> and if focussed on skipjack (80bit previously secret NSA cipher in clipper) it could break one of those every 2 days
09:00 < sipa> yes, it would cost the same or less to produce a similar amount of ASICs that could do DES
09:00 < sipa> but contrary to Bitcoin mining, it does not pay for itself
09:00 < adam3us> sipa: yes its a what if and gmaxwell noted DES is actually more ASIC friendly
09:00 < sipa> i'm sure it is
09:00 < sipa> but i don't think that's very relevant
09:01 < sipa> unless you just want a "how much would it cost to crack DES" computation
09:01 < adam3us> sipa: sure; i just think its interesting to express security of the hash in O(2^k) for comparison and ... 72-bits is a surprising amount for 10mins
09:01 < adam3us> sipa: (eg for comparison to the birthday attack on p2sh addresses which is itself O(2^80) + tmto)
09:02 < sipa> it's 2**51.85 double-SHA256 per second
09:02 < adam3us> sipa: that makes the RIPEMD160 birthday attack not entirely theoretical
09:02 < adam3us> sipa: err that sounds like my previous gh calc
09:03 < adam3us> https://blockchain.info/q/hashrate = 3983800.965092061
09:03 < sipa> we're at 2**73.5 double-SHA256 in total, ever
09:03 < adam3us> and thats TH so basically 4 PH
09:03 < sipa> i refuse to look at b.i
15:25 < gmaxwell> maaku: sure, if your output sizes are not equal, and you exclude the possibility that users aren't doing fun things like paying eachother with imbalanced transactions... then you get some probability mass for any output that it came from any one of the inputs.. and the distribution isn't flat.
15:25 < gmaxwell> e.g. it couldn't have come from any initial parties that had less coin than it, as the first example.
15:26 < gmaxwell> if you have a chain of transactions then you can say "it could have come from A or B, if and only if Z didn't come from A or B, if Z did then it came from B or C"
15:28 < maaku> Although coinjoin payments throw a muck in that
15:29 < maaku> The anonymity set is bounded by the number of participants, obviously
15:29 < gmaxwell> yea, or fancier things.. like do a CJ transaction where you put in 2 BTC, and I put in 1 BTC...  and I walk away with 2 BTC and you walk away with 1 BTC.  You just paid me 1 BTC... and someone trying to deanonymize with values got an exactly opposite result.
15:30 < maaku> When you limit yourself to standard sizes, you limit yourself to the people actually participating at that level
15:30 < maaku> Whereas if you allow any random output amounts, then there's even mixing between "levels" going on
15:30 < gmaxwell> yea, I don't like _forcing_ sizes, but obviously you get better privacy if you make use of size alignment where it exists.
15:31 < gmaxwell> especially if people are doing things like pay-to-payment where 2,1 becomes 1,2 ... making value analysis unreliable.
15:32 < maaku> I haven't formalized this, but my intuition is that if we let output sizes be a random walk based on availability, or even guided to "equalize" the distribution of outputs, you'd get maximal anonymity that way
15:32 < maaku> Much better than standardizing on fixed sizes, which actually hurts you relative to the anonymity you could achieve
15:33 < gmaxwell> sort of would make an interesting payment protocol addition. "pay me xxx BTC to yyy, oh yea, and add these extra inputs too, I'll worry about getting them signed"
15:33 < maaku> Yeah that would be a good addition
15:34 < gmaxwell> lets you handle dust consolidation too.
15:40 < phantomcircuit> maaku, the output sizes would then be largely set by the meeting point then right?
15:41 < petertodd> gmaxwell: got a name for that concept? good addition to the payment protocol for sure
15:41 < gmaxwell> its sort of the opposite of change.
15:41 < maaku> phantomcircuit: my design allows participants to set allowed ranges, and the joiner / meeting point decides the actual output sizes
15:42 < maaku> it's fully p2p so all clients spend some time participating in other proposed joins, some time organizing their own
15:43 < phantomcircuit> oh using blinding and what not?
15:43 < phantomcircuit> maaku, are you relying on being able to get tor to give you a new hidden service locally? because it's unpossible to make it do that
15:44 < phantomcircuit> i actually tried to add it as a control instruction but it doesn't seem to work except during initialization
15:44 < phantomcircuit> didn't investigate why though
15:45 < andytoshi> can you do it with two fixed hidden services?
15:45 < maaku> andytoshi: no the anonymous revelation is one-use-only
15:46 < maaku> phantomcircuit: I find that hard to believe, unless I'm misunderstanding what you're saying
15:46 < maaku> all you need is one new circuit to broadcast the revelation message
15:47 < phantomcircuit> maaku, im asking if you need the individual clients to have their own hidden service address
15:47 < phantomcircuit> or whether you have a central meeting point with its own fixed address
15:48 < phantomcircuit> if you need to generate a hidden service endpoint on the clients side
15:48 < phantomcircuit> you're gonna have a bad time
15:48 < maaku> no you do not
15:49 < maaku> clients have fixed endpoints, but there is no central server
15:49 < maaku> the revelation message only needs to be broadcast on a new circuit
15:49 < phantomcircuit> ok
15:49 < maaku> but it doesn't need a hidden service for that
15:49 < maaku> but it's a complicated question because it's getting into low-level details that could change
15:49 < phantomcircuit> you'll need them to setup the hidden service manually still but at least that is a one time setup
15:50 < maaku> for example I've proposed implementing it over bitmessage, which may or may not need a full hidden service; i don't know
15:51 < maaku> but in principle, you just need to connect over a new circuit and broadcast to a random selection of peers the revelation message, and wait to hear the same message arrive at your normal fixed hidden service port, then disconnect and dissolve the circuit
15:53 < maaku> but to andytoshi's point you certainly don't want the 2nd connection to be fixed, because then you could link successive joins to the same person, under some circumstances at least
15:58 < gmaxwell> maaku: there is a bunch of data that you actually need to make sure are consistent for all the players, or you have a risk of the server deanonymizing people even with multiple real players.. though these things could be addressed with the same mechanism I suggested for address reuse.
15:59 < gmaxwell> but I don't know if it matters all that much just due to the risk that the attacker makes all your counterparties sybs.
15:59 < phantomcircuit> oh and something to keep in mind
16:00 < phantomcircuit> if you're using public derivation with an hd wallet then they can figure out if you're using the same chain by just generating them
16:00 < gmaxwell> phantomcircuit: huh, no, only if you give them an extended public key, and why would you do that?
16:00 < phantomcircuit> gmaxwell, lazyness?
16:01 < phantomcircuit> im pretty sure i've seen at least one person suggesting it
16:03 < gmaxwell> I used a crazy rhetorical stunt on the OTR mailing list today and I think it worked.
16:04 < phantomcircuit> gmaxwell, link?
16:04 < phantomcircuit> or is it postman
16:04 < phantomcircuit> stupid postman
16:04 < gmaxwell> Some guy was arguing that MPOTR shouldn't have non-non-repudiation (the OTR deniability property) because it's hard and because people will believe totally unauthenticated transcripts anyways, so the non-non-repudiation buys you nothing.
16:05 < gmaxwell> I responded, and in my response I edited the quotation so that he was saying he was a state sponsored shill.
16:05 < BlueMatt> heh
16:05 < gmaxwell> To which he responded perfectly "It's also unethical to silently change my quote to read something I didn't say."
16:05 < gmaxwell> To which I responded, "Do you mean to suggest that you actually have an ability to refute a
16:05 < gmaxwell> non-cryptographically attested transcript? And that someone might
16:05 < gmaxwell> believe your claim that it was forged?  Interesting."
16:05 < andytoshi> ha!
16:06 < gmaxwell> and ... he seems to have now softened his position! O_o
16:06 < BlueMatt> heh, nice
16:07 < nsh> gmaxwell, could summarize the current status of MPOTR? are there workable algorithms/libraries/architectures?
16:07 < nsh> *could you
16:07 < nsh> that would be a nice thing for everyone to have about now...
16:08 < gmaxwell> nsh: I haven't kept up with it. There is a paper published on it, I read it when it came out, and concluded it sounded sensible and forgot it.
16:08 < nsh> ok
16:08 < gmaxwell> Actually implementing it is hard because the obvious way of achieving it has a consensus problem buried into it.
16:08 < gmaxwell> (fortunately not an anonymous consensus though)
16:09 < nsh> hmm
16:09 < nsh> what is consensuated?
16:09 < gmaxwell> basically you divide the chat into arbitrarily short epochs and when everyone agrees an epoch has ended you publish the authentication keys so that all parties could fake the transcript.
16:10 < nsh> hmm
16:10 < gmaxwell> You need a consensus that an epoch is over, or someone could trick you into disclosing your authentication key prematurely, and then create forged messages from you for anyone else who doesn't believe the epoch is complete.
16:10  * nsh nods
16:11 < gmaxwell> This is all a problem because you want the property that no chart participant can pretend to be any other in realtime, but later any party can create a forged transcript.
16:11 < gmaxwell> s/chart/chat/
16:11 < gmaxwell> If you don't care about the people pretending to be each other there are a bunch of simple things to do.
16:12 < nsh> hmm
16:12 < gmaxwell> OTR does the same thing, but 2 party consensus is trivial. :P
16:12 < nsh> aye
17:00 < jrmithdobbs> you can't "get it out"
17:01 < jrmithdobbs> erm, wrong channel
17:43 < phantomcircuit> jrmithdobbs, lol @ no context
19:01 < gmaxwell> andytoshi: ... bad luck on that thread on bitcointalk.
19:02 < Luke-Jr> luck? O.o
19:08 < andytoshi> haha
19:08 < andytoshi> i think i made him look like enough of a tool that people will hesitate to use his software
19:09 < andytoshi> (not that people who need encryption would be searching bitcointalk anyway)
19:09 < jrmithdobbs> andytoshi: still waiting on that to work with tux
19:24 < BlueMatt> are there any serious or semi-serious proposals for how to fix an altcoin 1:1 to bitcoin without a large cost to bitcoin miners given some hardfork changes to bitcoin?
19:26 < gmaxwell> if not for the disabled operators you could probably do it without hardfork changes to bitcoin, though you would only have SPV security in the altcoin-bitcoin direction.
19:27 < BlueMatt> even getting spv security in the altcoin-> bitcoin direction is non-trivial, no?
19:27 < BlueMatt> (given hardfork to reenable opcodes)
19:27 < BlueMatt> you'd have to have the whole chain history, or some subset starting from the time of the bitcoin->altcoin transfer
19:28 < BlueMatt> well, whole block-header-chain-history
19:28 < gmaxwell> yea, you just write a script that can do a spv validation and then takes a chunk of headers of a prespecified sufficient difficulty.
05:10 < gmaxwell> if not they may be for a helluva ride as the hashrate majority when I looked _appeared_ to be on the acceptable-to-all fork
05:11 < gmaxwell> who the heck knows what happens if you upgrade to code that imposes a checkpoint you've long since violated and you don't reindex.
05:12 < brisque> the commit only checkpoints two very late blocks, but I'm not really sure how the behaviour works
05:12 < brisque> https://github.com/dogecoin/dogecoin/commit/dab72582b657395a25e25f4ea367b8b8990db460
05:13 < brisque> in the first commit they only checkpoint the later block *after* the fork, but wisely added a checkpoint for the forking block later on.
05:13 < gmaxwell> this sounds like a bad idea, if the hashrate majority is on the old stuff, they'll keep on trucking. If its on the new stuff, they didn't need the checkpoint at all.
05:15 < brisque> from their IRC (signal to noise was off the chart, it was hard to tell) the older branch had the majority and was overtaking the newer clients with the forking change. as the original instructions from the developer were to upgrade at all costs, I guess they just went with it.
05:15 < gmaxwell> also if you upgrade a node already past the checkpoint on the non-checkpointed chain, it's not going to reorg on its own unless you do a reindex.
05:16 < gmaxwell> seems like a really bad plan to me, since they won't know for sure if they'll actually get the majority to switch fast.
05:16 < gmaxwell> so it might make a huge reorg days later...
05:19 < brisque> I'm not sure it was thought through that much, from talking to the developer before he was certainly trying to grapple with what was going on, but doesn't have that much experience with the finer points.
05:20 < gmaxwell> my strategy would have been to revert the change, set the change to trigger in the future, checkpoint the chain everyone can accept. release and nag everyone to upgrade to that.
05:21 < brisque> sounds familiar.
05:21 < gmaxwell> that would avoid any (further) reorgs assuming the hashpower majority was already on the generally acceptable chain.
05:21 < gmaxwell> it's even _better_ than when we did it in bitcoin, if the hashpower majority is on the generally acceptable chain most of the time.
05:22 < gmaxwell> (bitcoin was screwed because there was a decisive hashpower majority on a chain the majority of nodes would reject)
05:24 < brisque> handled with relative grace given the circumstances. it would have been harder with a majority p2pool, but significantly easier now that we have two pools with a majority hashrate.
05:26 < gmaxwell> well it wouldn't have happened at all really with p2pool. majority of nodes were not on the fork creating version we would have just gotten a _single_ orphan block out of it and probably not noticed the event. :( (if thats good or bad it's unclear!)
05:27 < gmaxwell> it's actually an interesting question if the BIP50 fork actually happened earlier and we missed it because the old chain got ahead fast enough.
05:28 < brisque> the 0.8 chain was from a single pool wasn't it?
05:29 < brisque> wouldn't they have noticed the sudden increase in orphaned blocks?
05:29 < gmaxwell> no, it was from two primarily.
05:29 < brisque> BTCGuild and Slush, got it.
05:29 < gmaxwell> brisque: I mean in a hypothetical world where hashpower wasn't consolidated at a big pool...
05:30 < gmaxwell> the trigger was pretty hard to hit, we went for months before triggering it again after the large blocks were allowed again.
05:30 < gmaxwell> I think we've triggered large numbers of unpatched 0.7 nodes to misbehave only twice since.
05:30 < brisque> so 0.7 clients without a modified database configuration are permanently orphaned now?
05:30 < gmaxwell> no because its non-deterministic.
05:30 < gmaxwell> the last time apparently got a lot of them though.
05:31 < gmaxwell> I'd bet you could sync a new one from start successfully now though.
05:32 < gmaxwell> if instead the <0.8 nodes solved two blocks before the 0.8 only chain got a second, it would have just been orphaned and probably no one would have noticed, since that orphan producing 0.8 node would likely have not triggered it again with its next block.
05:32 < gmaxwell> (as some portion of its txn would have been included on the <0.8 chain.)
05:33 < brisque> I've a few 0.7.99 clients at the current highest block, so you're likely right with that.
05:34 < gmaxwell> 0.7.99 = 0.8 for this purpose.
05:35 < michagogo|cloud> 12:26:40 <gmaxwell> well it wouldn't have happened at all really with p2pool. majority of nodes were not on the fork creating version we would have just gotten a _single_ orphan block out of it and probably not noticed the event. :( (if thats good or bad it's unclear!)
05:36 < michagogo|cloud> B
05:37 < michagogo|cloud> Gah, I hate when that happens
05:39 < michagogo|cloud> But wouldn't the transactions have ended up in the mempools of the upgraded nodes, getting remined again at each block that an upgraded node mined?
05:41 < gmaxwell> michagogo|cloud: yes, creating single height forks which wouldn't continue (far) if they were in the minority, and would stop if they restarted, and would stop if they switched to the latest build. and since they were already running the latest code, there is a prior probability that they're likely to upgrade.
05:45 < michagogo|cloud> gmaxwell: Sure, but it wouldn't just be a single block, it would be a bunch of 1-deep forks, and I think "oh, I stopped getting doges for my mining" would have lead to it being noticed
05:50 < gmaxwell> michagogo|cloud: I think you're splicing two discussion now.
05:50 < gmaxwell> not being noticed was a comment on the bitcoin pre-0.8 vs 0.8 hardfork
05:50 < michagogo|cloud> oh
05:50 < gmaxwell> which wouldn't have likely retriggered.
05:50 < michagogo|cloud> ...right, sorry
05:51  * michagogo|cloud rereads
05:51  * michagogo|cloud goes back into his corner
07:47 < adam3us> i liked jtimon's use of the word scamcoin to cover param-tweaks.  i do think we need a clear tone setting term for param-tweaks vs actual alts, the scam coins are unduly dirtying even the concept of alts; alts with actual innovation could be useful things;  as we've discussed btc pegged side-chains are good for some types of things, but actual experiments in proof of work, economics may not be possible to fit into that model
07:49 < brisque>  adam3us: what do you call things like Primecoin and NXT? they're not parameter tweaks, but still not sane things to be promoting. as soon as you create differentiation you end up encouraging one over the other.
07:49 < adam3us> (and btc pegged side-chains have some technical and game-theory open questions, though its' an idea I find interesting and perhaps of great value to bitcoin ecosystem so eg we can run bitcoin 0.x and bitcoin 1.x in parallel, or competing bitcoin 1a.x and bitcoin 1b.x
07:50 < adam3us> brisque: yes i do wonder about that.  as i said on a private chat prime coin is pretty close to another scam coin.  the paper talking about the scientific method is not credible.  it doesnt benefit the world to search for pairs of mid-sized primes any more than searching for hashcash stamps for the bitcoin stamp-collection
07:51 < sipa> i also believe not all "silly" altcoins are intended as scams
07:51 < brisque> I'd have to check, but I'm sceptical that their prime searching thing is reliable as a hash too.
07:52 < adam3us> you know i think momentum PoW might actually have some utility, the paper describing it is undefined/ambiguous on most of the critical issues; but i think reverse engineering it, it might actually be an interesting step towards a memory hard pow that doesnt require memory to verify (despite failing multiple other features he set himself)
07:53 < brisque> sipa: it might not be intended that way, but anybody looking at the Alternate Cryptocurrencies subforum should certainly be able to work out what's going on.
07:53 < adam3us> sipa: yeah scam might be the wrong word.  i just think we owe like jtimon & maaku credit for having a non scamcoin, and just ranting against alts unfairly taints their freicoin economic experiment
07:54 < sipa> there are really many cases
07:55 < sipa> of course, a ton of silly alts (just tweaking some parameters)
07:55 < adam3us> brisque: there can be a difference between ooh make-money-fast, missed the bitcoin bubble, maybe i too can get some small early-adopter mining/premine mentality which isnt exactly a scam (other than egregious premine) but an attempt to get rich now that the proof has been given over 3 years of high uncertainty with bitcoin bootstrap that crypto currencies can bootstrap
07:55 < sipa> there are some that try to address a different problem (namecoin, datacoin)
07:56 < sipa> some are failed experiments on their own (litecoin as gpu-resistant pow perhaps)
07:56 < sipa> ppcoin was interesting, but flawed imho
07:56 < adam3us> and it can be somewhat hard to untangle.  like if coingen succeeds in squelching param tweaks, maybe the people who can use a compiler enough to not need a hosted compiler will then just try harder to make a story
07:56 < brisque> adam3us: yes, but that said you don't want to be promoting NXT. it isn't a parameter swap but it's ridiculously insecure.
07:56 < adam3us> sipa: that probably becomes the new min-bar for "innovation"
07:57 < adam3us> brisque: very true.
07:57 < sipa> i've long been thinking about creating my own altcoin
07:57 < adam3us> see we have like "moron coins" and "good coder but crypto/distributed system incompetent" coins and usually a lot of greed and a bit of scam mixed in
07:57 < sipa> to fix all things that are wrong in bitcoin :)
07:58 < sipa> but time...
23:21 < gmaxwell> they create malicious blocks, okay fine.  Does this chain of malicious blocks have the most total POW of all the chains you can see.
23:21 < Taek42> (not that I think it's a realistic attack - just having fun)
23:21 < gmaxwell> ?
23:21 < Taek42> start from the genesis block
23:21 < Taek42> connect to the 'internet' (which is actually controlled by the NSA)
23:22 < Taek42> so every block you see has been manipulated
23:22 < Taek42> by your upstream attacker
23:23 < gmaxwell> Yea, okay. You're talking about an isolation attack.
23:23 < Taek42> yeah
23:23 < Taek42> sorry still learning the terms
23:24 < gmaxwell> So, a couple defenses: any client software should have the total work of the real network at the time of its creation coded into it, so a rewrite from genesis attack reduces to being able to get honest software. (unless the attacker has enough hashpower to overcome the network thoroughly)
23:25 < gmaxwell> If that's the case, then they can only isolate you relative to a recent forking of the network which means unless they have very significant hashpower they can only create blocks slowly.
23:25 < gmaxwell> Because you're validating blocks they can only create an apparently valid chain only spend their own coins on you (or newly mined coins, but those can't be spent until they've produced >100 blocks)
23:26 < Taek42> wait that last part - newly mined coins can't be spent right away?
23:26 < gmaxwell> no, not for 100 blocks.
23:27 < Taek42> didn't know that
23:27 < Taek42> I'd like to see a currency (soon) that could realistically support blocks every few hundred milliseconds
23:28 < wyager> Why?
23:28 < Taek42> so that bitcoin could be used in stores and be as fast as credit cards
23:28 < gmaxwell> Taek42: ...
23:28 < wyager> It already can.
23:28 < wyager> You don't *need* to wait for a confirmation
23:28 < Taek42> with the help of a centralized party
23:28 < Taek42> or if the store owner takes a risk and doesn't confirm
23:28 < gmaxwell> complete misunderstanding there. Bitcoin transactions are already instant, their irreversibility takes time. Credit card transactions are reversible for _months_.
23:28 < wyager> conventional wisdom tells us waiting a few seconds for a double spend is "good enough"
23:28 < gmaxwell> wyager: uhhhh
23:28 < wyager> Which is true
23:29 < wyager> (to be clear: Wait 5 seconds to make sure no one sent out a competing txn, then you're good)
23:29 < gmaxwell> wyager: that's really not true, not at all. It depends on the specifics of your situation and doesn't generalize. In some cases it's perfectly fine, in others it's not.
23:29 < wyager> OK, true
23:29 < Taek42> credit card transactions are reversible under a set of rules that are trusted by the centralized system we use today
23:29 < wyager> Don't do that for expensive transactions. But if you're buying milk and eggs at the store, I'd say it's fine.
23:30 < gmaxwell> Taek42: no they're not, call up your credit card company. They will reverse _any_ transaction. You just have to ask.
23:30 < gmaxwell> (and of course tell them some yarn about how it couldn't have been yours)
23:30 < wyager> ^It's true. You don't even need to sign anything.
23:30 < wyager> And the *only* time the CC companies side with the merchant is if the merchant has an ink imprint of your physical card and a physical copy of your signature
23:30 < Taek42> yes but for the most part store owners don't have to deal with large enough losses
23:30 < wyager> which no one ever does
23:31 < wyager> They certainly do
23:31 < gmaxwell> Taek42: the merchant gets told and of course could sue you or ban you from their store. But they could do the same with a bitcoin transaction if their security procedures were setup for it.
23:31 < wyager> most stores pay chargeback insurance
23:31 < gmaxwell> Taek42: in any case, you cannot have a bitcoin like system with 100ms blocks, it wouldn't be reliably convergent.
23:31 < Taek42> right but we'd like a system where you don't need all of that fuss
23:31 < gmaxwell> Taek42: already in bitcoin with our moderately sized blocks we get 90% propagation taking a couple seconds.
23:31 < Taek42> well, I don't think you could have a single global blockchain
23:32 < Taek42> I'm here to talk about what types of changes might make it feasible
23:32 < wyager> Then how do you know your blockchain is correct?
23:32 < gmaxwell> if the mean time between blocks falls below the network radius the system will stop converging. (e.g. orphan rate tends to >100%)
23:32 < Luke-Jr> nevermind credit cards, lots of stores take personal checks..
23:32 < gmaxwell> Taek42: you could have a control loop to control orphan levels, the result wouldn't be 100ms.
23:33 < gmaxwell> not unless the network collapsed to excluding miners outside of a few geographically close and well connected data centers.
23:33 < Taek42> well let's relax it to 5 seconds then
23:33 < Taek42> actually
23:33 < Taek42> let me think for a minute or so
23:33 < gmaxwell> Taek42: great, so then you have times when the first confirmation takes 50 seconds due to variance.
23:33 < Luke-Jr> Taek42: more often blocks = lower difficulty = less security per block
23:33 < Taek42> true
23:34 < Luke-Jr> there's simply no need for blocks faster than 10 minutes
23:34 < Taek42> why not?
23:34 < gmaxwell> seriously, expecting a blockchain consensus to be instant is foolish and unnecessary. There are plenty of ways to secure payments for instant transactions which don't involve centralizing things.
23:34 < kyrio> lol
23:34 < Taek42> what if imgur wants to switch to a system where people pay in bitcoins before downloading an image from their servers?
23:34 < Taek42> a true micropayment system?
23:35 < Taek42> gmaxwell people would have said the same thing about bitcoin 10 years ago
23:35 < Taek42> and still say the same about it today
23:35 < gmaxwell> Taek42: then they can't use direct bitcoin payments for every item regardless because of scalability. Bitcoin is a global broadcast network. People in china don't care about imgur's dust payments. They could use a micropayment channel, for example, however.
23:35 < gmaxwell> and those increment instantly.
23:36 < Taek42> how do micropayment channels work?
23:36 < gmaxwell> seriously, please spend some time researching before showing up asking to redesign a system you aren't fully up to speed on yet.
23:36 < Taek42> I've spent lots of time researching
23:36 < Taek42> but there's lots to look at
23:37 < Luke-Jr> Taek42: there's no need for blocks faster than 10 minutes, because TODAY, 10 minutes is INSANELY FASTER THAN EVERYTHING ELSE
23:37 < kyrio> lol
23:37 < gmaxwell> kyrio: can you say anything else?
23:37 < Luke-Jr> credit cards take 6+ months to confirm
23:37 < Luke-Jr> personal checks, you don't even know if the person has the money!
23:37 < Taek42> Luke-Jr that's a bit of a poor argument. Just because it's better than everything that currently exists doesn't mean that it's better than what is maximally useful
23:37 < gmaxwell> Luke-Jr: Yes, though you may need some additional things to give bitcoin credit card parity, depending on the application.
23:38 < Luke-Jr> gmaxwell: caselaw is the only thing that comes to mind <.<
23:38 < gmaxwell> Taek42: reducing the block time has a lot of collateral effects, however, and can never guarantee "instant" on its own.
23:39 < gmaxwell> Luke-Jr: well, for example, digital ID that will allow a defrauded merchant to sue the cheating customer in the case of a reversal. (for items of value great enough to bother doing that)
23:40 < Luke-Jr> gmaxwell: merchants could easily require scanning your photo id to accept bitcoin payments
23:41 < gmaxwell> Taek42: e.g. say you have an orphan rate targeting thing and you ignore the node and client operating costs. What will its speed be if you're targeting <10% orphans or whatever?  median time to network saturation is a few seconds, so needs to be 1/ some multiple of that, say 10 seconds.  Which means you're going to get 1+ minute confirmation times pretty often, and a single confirm is not terribly persuasive esp in a network with ...
23:41 < gmaxwell> ... 10% orphans.
23:41 < gmaxwell> Luke-Jr: sure. some do.
23:43 < gmaxwell> Taek42: for something which is a true micropayment system, some semi-decentralized but not trustless clearing house probably does provide a pretty optimal tradeoff.  Because you can have instant processing, and the trust exposure is minimal since you're talking about very small values...
23:44 < Taek42> sounds reasonable to me
23:44 < gmaxwell> e.g. you assign coins to a bank run by 5 entities such that it requires 3 out of the 5 to spend the coins, then the 5 entities cooperate to operate a micropayment system.
23:44 < gmaxwell> bitcoin's multisignature transactions directly facilitate that.
23:44 < gmaxwell> and then you can reasonably have deeply subsecond payments for very tiny amounts.
23:44 < Taek42> I've tried reading about the multisignature transactions, and I get a bit confused
23:45 < Taek42> my friend said there's a limit of like 3 signatures?
23:46 < Luke-Jr> just to use the public infrastructure
23:46 < Luke-Jr> up to 20 if you make private arrangements
23:47 < Luke-Jr> and that's to spend, not to receive
23:47 < gmaxwell> No. Distinction between IsStandard() and the rules of the system. Basically unusual transactions are not relayed by the network to prevent them from being used for DOS attacks... IsStandard doesn't need to be consistent across the network and is easily changed in updates.
23:47 < Taek42> ok
23:48 < Luke-Jr> IsStandard isn't centralised either - any miner can change it for himself
23:58 < Taek42> gmaxwell (and everybody), what altcoins do you think are most interesting?
23:59 < Luke-Jr> Tonal Bitcoin, Namecoin, and Freicoin are pretty much all
23:59 < wyager> Primecoin, but I don't trust that prime finding difficulty will stay significant
--- Log closed Tue Jan 07 00:00:00 2014
05:01 < gmaxwell> where the website isn't scraping their keys, where its rng isn't weak, where they actually manage to memorize a key that attackers with big fpga farms won't guess, but don't then manage to forget it. ... and then later they come back to collect their coins and don't mess up a copy and paste on the destination, and finally don't manage to send all their coins to fees.
05:02 < gmaxwell> And in the interim hopefully there wasn't an ECDSA or RIPEMD160 break that left them behind in some hard forking update that was easily handled by normal software wallets, but not by specific keys people have memorized.
05:02 < Emcy> yeah bitcoin has a lot of ways to ensure you spend your retirement in the dosshouse.....
05:03 < Emcy> tbh im really really scared about when the time comes to move what coins i have again
05:03 < wumpus> to be fair, storing a large amount of value in any physical commodity is just as risky
05:04 < Emcy> im waiting for you to finish HD wallets.....then wait some more in case there's some atrocious bug.......
05:04 < wumpus> I hardly even dare to touch the wallet code, apart from fixing bugs or small code movements :p
05:07 < Emcy> yeah bitcoin development, 4 guys squatting digging up a landmine because it has to be moved over there to make room for the snake pit
05:08 < wumpus> hah
05:24 < adam3us> gmaxwell, Emcy: yes i worry about bitflips - we saw it first hand 2x in mozy (50PB cloud store), a bitflip twice in ECC ram that were detected
05:26 < adam3us> gmaxwell, Emcy: if you do something enough on enough servers, you will get a bitflip in data (or code); that was in ram between upload and store to disk (a short period of time), and they made it more robust by reading back from disk and checking the hash again if i recall
05:27 < Emcy> 2 bits in 50PB? that's safe as houses
05:27 < adam3us> i would not recommend moving more than 5% of money in one tx on a big tx really - i think the bitstamp moving 195k coins = $150m were nuts
05:57 < wumpus> Emcy: remember that most consumer tech is not quite as reliable as servers
06:07 < midnightmagic> yikes(bitflips in ecc ram)
06:08 < midnightmagic> i've seen it happen on 24tb storage arrays
08:21 < adam3us> Emcy: safe as houses; hmm basically it's relatively safe, but not quite - if it's an amount of money you can't afford to lose i think it's better to do it in stages (5% per time) and/or to add extra double checks
08:25 < adam3us> Emcy: already bitcoin has a 32-bit truncated sha256 checksum included in the address format, but if the address got bit-flipped before going to the network.  maybe other nodes would consider an invalid checksum address as invalid.  does the checksum even exist at the wire level? or is that a human encoding only thing.
08:25 < adam3us> Emcy: otherwise sooner or later as transaction volume grows that WILL happen to someone
08:45 < andytoshi> adam3us: there are indeed no checksums at the wire level
09:09 < andytoshi> gmaxwell: just saw your response to that encrypt-to-address thing
09:10 < andytoshi> yikes, why did he think it was responsible to release encryption software when he didn't know how it worked?
09:11 < andytoshi> oh, i see, it's a bit more subtle than that..
09:19 < andytoshi> i read "what is the nonce" and thought uh-oh
11:43 < adam3us> andytoshi: there is probably an implied checksum on any signed tx, the recipients addr is signed by the senders private key; if any bits are flipped (in recipient addr, or sig, or pub key, or output values) the sig is invalid so the tx is ignored
12:06 < gmaxwell> adam3us: we do have a checksum on the wire.
12:06 < gmaxwell> not that it really matters that much since all the important data is authenticated.
12:10 < Luke-Jr> sigh
12:10 < Luke-Jr> gmaxwell: well, it does with the anti-DoS stuff
12:10 < Luke-Jr> gmaxwell: without a checksum, people would get banned for corruption
12:35 < maaku> adam3us: there isn't any checksum protecting the data from the time the transaction is created to the moment it is signed
12:35 < maaku> a not insignificant amount of time if you are getting signatures from offline devices, for example
12:36 < Luke-Jr> perhaps we should be creating and signing every transaction twice
12:36 < Luke-Jr> with a comparison
12:36 < andytoshi> maybe this is something to think about for version 2 transactions..
12:37 < andytoshi> also have a way to indicate if outputs are blinded
12:37 < andytoshi> so that createrawtransaction would deal with them
12:46 < maaku> I think this is a higher-level problem
12:46 < maaku> We just need an interchange format that includes checksums
12:47 < maaku> Of which there are probably multiple bips I am not familiar with
12:50 < maaku> The raw transaction apis should be working with these enveloped transactions
12:51 < andytoshi> yeah, i agree .. hopefully there is a bip about this
12:52  * maaku reviews the bip list and is surprised that there isn't one covering this
12:52 < andytoshi> damn, there's probably too many usecases to consider
12:53 < maaku> Well I'm not sure that matters. It could literally be as simple as "strip all signatures, calculate 4-byte checksum, append checksum & prefix version, base58 encode"
12:53 < maaku> Then internally, that checksum could be checked before signing
12:55 < helo> can it be validated after it is signed?
12:55 < Luke-Jr> andytoshi: you sockpuppet!
12:55 < andytoshi> Luke-Jr: haha, i was gonna bug you about that..
12:55 < helo> a lot of pre-signing bitflips would cause the tx to fail normal verification
12:55 < andytoshi> then i realized that obviously nothing you or i say would help
12:55 < maaku> yeah, but safety check - you don't want signatures to exist for transactions you didn't mean to sign
12:55 < maaku> helo: but there are some which won't
12:56 < maaku> e.g. bitflip in the pubkey-hash
12:56 < helo> right... so validate those after signing?
12:56 < maaku> you could do that ... but is that solving a problem?
12:57 < helo> not afaict :)
12:58 < andytoshi> maaku: i'd like a transaction envelope which can have some or all signatures available..
12:58 < maaku> andytoshi: sure it can include the signatures
12:58 < maaku> but the checksum has to be sig-less
12:59 < andytoshi> ah, i see
13:02 < andytoshi> would there be any point to having a MAC as well?
13:02 < andytoshi> i'm thinking about the reasons that people pass raw transactions around today..
13:02 < andytoshi> i guess, an optional mac, if it were required then the checksum would accomplish nothing..
13:04 < andytoshi> hmm, actually any authenticating tokens would have to be negotiated outside of this format anyway
13:04 < maaku> well the authentication purpose of the MAC is covered by the signature, no?
13:04 < andytoshi> yeah, when you have a signature -- but if, say, i was submitting an unsigned transaction for long-term storage for some reason
13:04 < maaku> well maybe there's a use case involving third parties I'm not thinking of
13:05 < andytoshi> but i think that problem should be solved on still higher a level
13:06 < andytoshi> a checksum would cover innocuous corruption, that's pretty much all we could prevent with the information associated with an unsigned transaction
13:29 < petertodd> handed in my resignation at work: http://0bin.net/paste/TW-j6eQy8SPX6KOW#W6xba/5CVZcf8xpA/YLtz+cGcjb8CMYNhfE7lNdbuwU=
13:30 < petertodd> I thought PGP-signing it would be appropriate; hilarious that there's a hard-copy of that now with my pen-and-paper signature on it too
13:46  * nsh raises a glass to commemorate petertodd's career transition
13:47 < gmaxwell> nsh: is that ... hemlock?
13:48 < nsh> oops, wrong party
13:48 < nsh> :)
13:48 < gmaxwell> petertodd: congrats
13:54 < michagogo|cloud> petertodd: how is that hilarious?
13:59 < petertodd> Thanks!
13:59 < petertodd> And ha, I manged to get the date wrong... it's January 24th that I leave, Feb 1st is the start date with mastercoin.
13:59 < petertodd> *managed
13:59  * michagogo|cloud doesn't find that funny
14:00 < petertodd> michagogo|cloud: that's because you're a pseudonym :p
14:00 < petertodd> brb, meeting
14:00 < michagogo|cloud> petertodd: huh?
14:01 < michagogo|cloud> Why is it funny to PGP-sign and pen-on-paper-sign the same document? o_A
14:01 < michagogo|cloud> s/A/O/
14:23 < petertodd> michagogo|cloud: it's a bit redundant IMO, or really, calls into question the whole idea of "signing" things
14:23 < petertodd> michagogo|cloud: shows how all the paperless office stuff just hasn't taken off too
14:23 < michagogo|cloud> Sure
14:23 < michagogo|cloud> But I, personally, don't find it funny...
14:24 < petertodd> well, as I said, you're a pseudonym utterly dependent on PGP :P
14:24 < michagogo|cloud> I am?
14:24 < gmaxwell> Don't worry, I found it funny.
14:25 < petertodd> gmaxwell: heh, HR found it hilarious, and also impressively knew exactly what the PGP signature was too!
14:25 < phantomcircuit> the redundant department of redundancy and redundant things
14:27 < petertodd> phantomcircuit: funny that that department is known for analyzing and reducing redundancies... but only external to it
14:28 < phantomcircuit> electronics designer? does that mean you make the things pretty
14:29 < petertodd> phantomcircuit: yes, I make beautiful artworks that sadly have an exceptionally small audience of admirers
14:29 < phantomcircuit> petertodd, i've never known an HR department that added value to the company
14:30 < petertodd> phantomcircuit: I actually think HR where I am adds value to the company, and more generally I've got a lot of praise for management
14:31 < andytoshi> damn, i like these PR guys... i should apply for your job
14:32 < andytoshi> maaku: regarding a transaction envelope, it should have a way to indicate that outputs (or anything) are blinded
14:32 < andytoshi> so that, e.g. if i have people submitting stuff to my joiner, i know which outputs i need to have unblinded before collecting signatures
14:32 < maaku> andytoshi: I think that's a different problem...
13:27 < petertodd> TD: "If people's privacy is being protected via other means, then CoinJoin becomes a 'help thieves hide their stolen money' system which reduces incentive to take part, increases legal risk even further and would make people wonder why their wallet apps were asking them to pay fees simply in order to shield people whom they most likely think are bad." <- you say multiple times that coinjoin is legally questionable. I'm pointing out why ...
13:27 < petertodd> ... they both can be considered legally questionable.
13:27 < petertodd> TD: also, that quote is implying that coinjoin requires extra fees, which isn't true, so please fix that
13:28 < TD> merge avoidance doesn't help anyone hide stolen money, though. it is just irrelevant to that.
13:28 < Emcy> TD if he did then try him
13:29 < Emcy> but theyve charged others because they had actual evidence they did it, but not him because they dont and wont
13:29 < petertodd> TD: absolutely it does: it makes it harder to link thefts together to a single person, and in general makes it harder for people to link transactions together, making the job of investigators harder
13:29 < petertodd> TD: for instance it obscures the amount of funds moved per transaction, valuable information for tracing a theft and distinguishing it from other transactions
13:30 < TD> i don't think so, but we'll see.
13:30 < petertodd> TD: and again, please fix your article, if you don't then reasonable people would certainly conclude you are being deliberately dishonest
13:30 < TD> what is your rationale for saying coinjoin does not require extra fees? that you expect people to only do joins when they want to make a payment?
13:30 < TD> i have a feeling the term "coinjoin" has become overloaded to mean different things to different people
13:31 < TD> which makes it inherently hard to write about
13:31 < petertodd> TD: yes, that's what I've been proposing for pervasive two-party-mix support. and of course it means different things to different people: it's a bag of techniques - currently simple and automatic two-party-mixes is where development effort is being focused
13:31 < TD> i already pointed out the implementation difficulties with trying to do it "just in time", but i can clarify that last sentence to say it's explicitly talking about the asynchronous form
13:32 < Emcy> actually my little story about twitter harassment is another example of how fucked up things get when people just assume *convenient digital ID* = a person and an action
13:32 < Emcy> IP address in that case
13:32 < petertodd> TD: then fix that. better yet, leave that off: as I say, merge avoidance costs more in fees so the comparison is rather odd
13:32 < Emcy> he even told them about exoneraTOR :/
13:33 < maaku> TD: I'd *really* like to see a bip 32 extension of the payment protocol
13:33 < TD> Emcy: which is correct for the vast majority of the time that people don't run Tor. I think Tor is a good example of what can go wrong with Bitcoin, really. the abuse keeps it small, which means the people who do choose to run it have bigger problems. a new parallel onion network that re-uses tor software but which requires anonymous IDs/passports to use and made it super easy for network operators to report/tackle abuse,
13:33 < TD> useful
13:34 < TD> maaku: yeah me too but again, after v1 is done :)
13:34 < petertodd> maaku: reminds me, a generalized standard for "here's how I want you to build the scriptPubKey" that could do things like bip32+multisig or ECDH stealth addresses would be useful
13:34 < TD> petertodd: fees are dominated by the inputs/outputs and as you note yourself, you need to use similar techniques for coinjoin to really work. so i am not convinced fees required would end up much different.
13:35 < TD> as the total number of inputs/outputs would be similar
13:36 < petertodd> TD: no, like I said above you end up needing fewer inputs and outputs because you achieve privacy by matching the other parties values. (or txin combinations) CJ gives you much more flexibility with how you expand your anonymity set.
13:36 < petertodd> TD: and indeed, just using CJ with no value match avoidance at all is cheaper in terms of fees, and still provides some privacy benefit
13:37 < midnightmagic> it's possible to get merge-avoidance-like inputs by mining in p2pool with an address randomizer; i have also written a simple perl tool which builds rawtx. it looks like a few p2pool'ers are already doing a rudimentary form of merge-avoidance right now, which I've discovered is limited mostly by how many addresses payment-accepting people are willing to give me at once.
13:37 < maaku> ... and how much hashpower you have to throw at it
13:38 < nsh> TD: "anonymous IDs/passports.... super easy.... tackle abuse"   until the abuser gets a new anonymous ID, N minutes later, right? or do we have way of anonymously banning people on some effective and enduring basis these days?
13:38 < petertodd> nsh: you fidelity bond the ids
13:38 < nsh> oh okay, right anything's possible when you have to have money to play
13:38 < nsh> :)
13:39 < petertodd> nsh: you can also tie them to real-world passports or similar things with certain cryptographic techniques
13:39 < nsh> mm
13:39 < TD> nsh: right the whole idea is to make it expensive.
13:39 < TD> nsh: which is all banning IPs does anyway
13:39 < nsh> the problem is that what is a trifling loss to most people in the "developed world" is a substantial barrier to entry for everyone else
13:40 < TD> nsh: it doesn't help for the super serious stuff where you get your door kicked down because of something your IP address did, but tor kind of sucks to use because of all the low level abuse, not so much that stuff
13:40  * nsh nods
13:40 < TD> nsh: yeah. you could combine various techniques. like, use a SNARK proof that your e-Passport is from India, and then require a sacrifice that's much smaller as a result. but all this is quite advanced.
13:41 < nsh> right, i can conceive of such a hybrid system being somewhat universally and equitably applicable, but it seems quite far on the horizon atm
13:41 < nsh> baby steps, though :)
13:41 < TD> well, maybe a few years
13:41  * nsh nods
13:41 < petertodd> nsh: good example: decentralized CJ will most likely use tx fees as the anti-spam, which has the nifty security property that a sybil attacker has well-defined costs that can be reasoned about
13:41 < TD> for now an onion network only usable by rich people, is still better than one that's only usable by hard-core anonymity freaks who don't mind having a half-broken internet
13:42 < nsh> right (x2)
13:42 < petertodd> nsh: e.g. if tx fees were what miners lived on, and everyone used CJ, you could get security as good as the 51% security of bitcoin itself against sybils
13:42 < nsh> interesting
13:42 < TD> petertodd: ok i need to read more/ponder more about value matching as you describe, to understand your argument about fees being lower. once i get mentally awake enough to do that i will add a comment or update the article. actually if you have a twitter account you could also comment on that part of the article directly.
13:42 < petertodd> TD: cool
13:43 < nsh> could the bitcoin foundation provide a stipend to one of the people who makes those neat visualizations on e.g. informationisbeautiful to have the patience to sit with a technically-minded person and have something like CJ dynamics explained well-enough to illustrate graphically
13:43 < nsh> i feel the comprehensive enfranchisement of the bitcoin community would benefit drastically from such an arrangement
13:43 < Emcy> i dont think they want anything to do with anything like that
13:44 < nsh> well, some nice people with deep wallets :)
13:44 < petertodd> nsh: there is a catch though: what I proposed re tx fees isn't something anyone has figured out how to do perfectly, the best I've come up with is to attach nLockTime'd transactions to your CJ-related messages that pay fees in the future, which proves that you will either pay tx fees now spending those txouts, or they will be spent by the nLockTime'd tx, but that only applies to a single output
13:44 < nsh> hmm
13:45 < nsh> that's just an efficiency problem at worst though?
13:45 < petertodd> nsh: yeah, the technique approximates perfection :)
13:45  * nsh smiles
13:45 < petertodd> nsh: fancy crypto could probably help, but I try to avoid anything I can't explain to actual wallet developers :P
13:46 < nsh> wisely, i'd say :)
13:48 < TD> sucky parental internet
13:48 < nsh> andytoshi, are you still logging here?
13:49 < petertodd> nsh: his logbot died a little while ago today I thought
13:49 < petertodd> nsh: I've got logs
13:49 < nsh> aye, can't see it
13:49 < nsh> (was just in case TD/outpingers wanted to catch up their buffers)
13:50 < andytoshi> nsh: shit, no
13:50 < TD> i should set up an irc proxy again
13:50 < andytoshi> i didn't see it die
13:50 < TD> no matter
13:50  * andytoshi-logbot is logging
13:50 < petertodd> nsh: I really gotta get around to implementing decentralized IRC... lol
13:50 < andytoshi> thx, my perl script does not notice being unhooked for some reason, it is supposed to reconnect
13:50 < nsh> petertodd, didn't you have notes on that?
13:50 < petertodd> nsh: meh, I'll just write a whitepaper on it instead...
13:50 < nsh> aye, that's the way
13:50 < nsh> implementation is for grad-students
13:51 < petertodd> nsh: hehe, "My favorite programming language is English."
13:51 < TD> secure irc (not decentralised) exists, cryptocat
13:51 < TD> though not sure there's any point encrypting irc :)
13:51 < TD> of course it's not really irc
13:51  * nsh smiles
13:51 < nsh> what's the latency on pond?
13:51 < TD> high
13:51 < petertodd> nsh: high
13:51 < nsh> ok, nm
13:51 < TD> it's meant for email like uses
13:52 < nsh> right
13:52 < maaku> nsh: there's built in delays on pond
13:52 < TD> multi-user chat OTR like chat is what cryptocat is for
13:52  * nsh nods
21:49 <@gmaxwell> he continued in his response: " I have friends that have been using bitcoin for years and they use the same address because it's very convenient for peer-to-peer transmission (you don't have to ask a new one all the time). Heck, I'm working on a project (not this one) right now and that's reusing addresses in certain cases.
21:49 <@gmaxwell> If this is as important as you've made it seem, this needs to be a lot more prominently communicated to the general public, explaining all the risks of not changing addresses with every outgoing transaction."
21:49 <@gmaxwell> which I think is probably fair enough.
21:50 <@gmaxwell> It's not communicated well, especially since there is some wallet software that basically forces reuse.
21:50 <@gmaxwell> (e.g. multibit)
21:50 < BlueMatt> we need a much, much, much better bitcoin intro for devs
21:50 < BlueMatt> and bitcoin wallet on android :(
21:51 <@gmaxwell> We're also failing to use the existing software as an educational tool. There really should be some warning emblem that comes up on transactions that reuse addresses.
21:52  * BlueMatt desperately wants to have a good bitcoin library that provides nice apis to encourage proper use
21:52 < BlueMatt> but, sadly, that requires lots of effort...
21:53 < adam3us> gmaxwell: i think Luke-Jr is on the right track with eligius policy there ;) just need wider adoption of his patch "why is my transaction not completing"... well did u read the doco? no address reuse
21:53 <@gmaxwell> well, there is A bitcoin library, bitcoinj but basically um.. all (?!) its users are not so good on the best practices front
21:53 < Luke-Jr> there's also libbitcoin
21:53 <@gmaxwell> I don't think you can both provide enough flexibility to really be a toolbox without making it easy to abuse.
21:54 < Luke-Jr> gmaxwell: well, bitcoinj goes very far in making abuse easy
21:54 < BlueMatt> gmaxwell: even bitcoinj fails to get it right by far
21:55 < BlueMatt> (hell, all the apps that use it reuse the hell out of addresses)
21:55 < BlueMatt> gmaxwell: easy to abuse != easy to use right and possible to abuse
21:55 <@gmaxwell> okay, thats a point.
21:55 < BlueMatt> Luke-Jr: does libbitcoin do an actually good job here?
21:56 < Luke-Jr> BlueMatt: not sure
21:56 < BlueMatt> oh, well if we're just listing bitcoin libraries...there's millions
21:56 < Luke-Jr> there are?
21:56 < BlueMatt> theres the one in go, theres ones (multiple) in python
21:56 < BlueMatt> theres another one in java
21:56 <@gmaxwell> well if you limit them to c-callable...
21:57 < BlueMatt> theres bitcoin js theres bitcoin-ruby.....
21:57 < BlueMatt> gmaxwell: meh, you can call pretty much all of those from c with the right wrappers
21:57 < adam3us> i kind of like the public public derivation method (sender multiply Q by r and encrypt r for recipient, plus some bloom filter hint to reduce that below full node trial decrypt all payments) for this reason - safe to reuse because the uncompressed address is randomized during payment
22:26 < adam3us> jgarzik: proof of $somethingelse... doesnt proof of stake give a reward bias to those with lots of btc?
22:29 < adam3us> jgarzik: interesting result for efficiency, and self-interest to not damage the network, but side-effect an ongoing mining advantage to large btc holders
23:06 < Luke-Jr> adam3us: only if subsidy is on those blocks..
23:06 < Luke-Jr> proof-of-stake without subsidy might be interesting
--- Log closed Thu Dec 19 00:00:08 2013
--- Log opened Thu Dec 19 00:00:08 2013
00:53 < nanotube> gmaxwell: http://qdb.us/64573 about that riddle. :)
00:55 < Emcy> http://it.slashdot.org/story/13/12/18/2122226/scientists-extract-rsa-key-from-gnupg-using-sound-of-cpu well shit
01:23 < maaku> adam3us Luke-Jr: there are interesting applications of proof-of-stake if it can be divorced from mining reward
01:24 < maaku> imho proof of stake should never have been tangled up in block generation or mining subsidy
05:30 < adam3us> gmaxwell: btw much further up, about gpg noise attack, mentioned bitcoin signature is not timing resistant, yet another reason for non-address reuse; however chain-codes weaken that, exfiltrate the chain code from network computer, and timing/sound recover one public or private derived key to the point of recovery, and game over.
05:31 < adam3us> gmaxwell: at least the public & private derived HD sub-keys are probably randomized enough via HMAC that accumulative timing attack seems unlikely; also the whole thing yet another argument for Bernstein's EdDSA (aka EC Schnorr) as it has no timing attack (no private key dependent branches), though deterministic DSA also fixes that
06:19 < adam3us> about the 1:1 peg discussed yesterday, so far it seems like because btc2->btc1 flow is authorized by spv proof, that the entire alt is only good to spv security level.  can this be improved to full node security?  seems to imply full nodes need to be on both networks.
06:20 < adam3us> also if there is no native reward whats the motive to merge mine the btc2 - only btc2 network tx fees.  isnt that vulnerable to incentive attacks as fees are 2-3% of reward. like ghash.io level pool could be paid to forge spv and succeed enough of time to make that an economically rational theft attack
07:31 < Hunger-> hi
07:37 < adam3us> hi
11:23 < andytoshi> http://crypto.stackexchange.com/questions/12425/why-are-the-lower-3-bits-of-curve25519-ed25519-secret-keys-cleared-during-creati
11:38 < phantomcircuit> adam3us, iirc that requires you to do a lot of private key ops
11:46 < TD> the latest academic paper on bitcoin leaves a lot to be desired
11:47 < TD> http://eprint.iacr.org/2013/829.pdf    - i sent them some corrections
11:48 < andytoshi> i read the first few paragraphs and decided to ignore that one ... thanks for the vigilance
11:49 < phantomcircuit> TD, sorry to be annoying but can you check that pm
11:50 < TD> i didn't see it actually, poor irc client ui my end it seems ..
12:01 < helo> have altcoins implemented many items from https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas ?
12:02 <@gmaxwell> helo: For the most part altcoins don't implement ideas. They search and replace strings.
12:02 < TD> sometimes, for added excitement, they search and replace hash algorithms or fee schedules.
12:02 < TD> but that's rare
12:02 < helo> those are some really neat ideas... it's a shame
12:03 < TD> with proof of stake and prime coin being notable exceptions
12:04 <@gmaxwell> TD: good email. ... I did learn one thing from the paper, although even in that it was wrong: They pointed out that if you send funds to a reused address it identifies your change. ... which isn't correct because some clients reuse their change addresses (doh), but ignoring that its another example of how one person's reuse can thwart someone else's good practices that I hadn't considered.
12:04 < helo> i doubt most of the altcoin devs have the skill to implement them correctly (i doubt i do either), but it seems like they'd at least try
12:09 < petertodd> gmaxwell: speaking of, I think as a general principle we want to encourage address re-use for any application where public info allows for address linkage anyway; address re-use is a way of letting others easily know the address is *not* private
12:10 < petertodd> gmaxwell: e.g. for coinjoin you can better protect your privacy sometimes by avoiding joins with parties that have re-used addresses in some cases.
12:11 <@gmaxwell> I dunno, public info isn't equally distributed. I'd rather be deanonymized by a forum post than data in the blockchain.
12:11 <@gmaxwell> But I see your point.
12:11 < petertodd> Depends on the attacker - my suspicion is the type that will do detailed tx linkage analysis will also have databases of forum posts and p2pool share data.
12:12 <@gmaxwell> with blockchain.info my grandma is an attacker, though not a terribly effective one.
12:13 < petertodd> yeah
12:13 < petertodd> Would be nice if there was a way to mark a scriptPubKey as "We've made this unique, but the info required to link it is something the <TLA> could find."
12:14 < petertodd> Where TLA \in (Cyber Grandmas of America, FBI, NSA, etc.)
12:23 < andytoshi> helo: IMO it'd be really frustrating to make big changes to bitcoind (though every day the devs make more progress toward modularity -- thanks guys!), so if you wanted to implement some serious ideas you'd be better off writing from scratch
12:23 < andytoshi> so there's not really anything between "zero work" and "a ton of work"
12:25 <@gmaxwell> meh, a number of those ideas would be quite selfcontained.
12:25 < helo> there is at least a similarly prohibitive steep gradient from "zero understanding" to "sufficient understanding"
12:26 <@gmaxwell> andytoshi: two additional features that might be interesting in your coinjoiner. The ability to give it an input with a threshold. E.g. join this if and only if you get at least 4 other things to join with... if I'm paying a fee to join I really don't want it to be some two party thing with some address reusing fool. :P
12:27 < andytoshi> gmaxwell: oh, good idea
12:27 <@gmaxwell> andytoshi: the other is that you probably should convert submitted signatures to canonical form... as differences in signatures might be privacy reducing to participants.
12:27 < andytoshi> right now i'm depending on "if you're ok using rawtx's, probably you aren't clueless"
12:28 < andytoshi> yes, good call, that also gels well with my true goal of "learn rust and understand bitcoin encoding in detail"
12:28 <@gmaxwell> In particular the s/2 thing is enforced by bitcoin git but not 0.8.6 so their signatures are somewhat distinguishable.
12:28 <@gmaxwell> (for now it might be wise to randomize the s/2 characteristic, but later after 0.9 is out you should convert things to the canonical form)
12:29 <@gmaxwell> I'm not sure if anyone would submit to you padded r/s values or negative r/s values, but they might. some of the web signers in the past were broken. best to fix that.
03:51 < gmaxwell> Hopefully this is at least about something other than that thread.
03:52 < gmaxwell> That thread was metal "lost" in the mail. Insurance wouldn't cover it. coingenuity actually sent the guy replacement metal out of his own pocket, but the guy really wanted the bitcoins returned (the price of bitcoin went from $10 to $100 shortly after the sale)
03:53 < petertodd> ha
03:53 < gmaxwell> coingenuity believes (rightly or wrongly) that the guy was just trying to scam him into giving the coin back after he had regrets about the price going up.
03:54 < gmaxwell> and, as a result took forever to resolve it, I suppose something you could rightfully fault him for... in general a number of people have complaints about his services' timeliness, though having had a lot of discussion with coingenuity I'm generally pretty sympathetic.
03:56 < Luke-Jr> I seem to recall him saying he was having problems with banks though
03:56 < Luke-Jr> hopefully it didn't blow up into something
03:59 < Luke-Jr> gmaxwell: I do think the insurance refusing to cover it was ridiculous though
04:01 < Luke-Jr> (not that I doubt the insurance did something ridiculous)
04:01 < gmaxwell> Luke-Jr: yea thats been part of whats been causing him delays, you've heard that lots of people have had banks randomly closing accounts of people who mention Bitcoin. Now imagine that you're in a business moving hundreds of thousands of dollars of precious metal for bitcoin and dealing with banks...
04:04 < Luke-Jr> I hadn't heard that about banks (closing personal accounts who mention Bitcoin..)
04:04 < gmaxwell> amiller: FWIW, I think I originally proposed the hashlock for binding cross chain.
04:06 < gmaxwell> Luke-Jr: yea, us bank, Capital One, bank of the west, and chase are known to have closed random personal accounts on account of bitcoin activity.
04:06 < gmaxwell> Commercial accounts have had an even harder time.
04:18 < gmaxwell> amiller: in any case, please feel free to go post how awesome you think that transaction pattern is on the coinswap thread. petertodd likewise, posting some smart things would be nice.
04:18 < gmaxwell> Otherwise the thread may start off with derping people.
04:21 < adam3us> gmaxwell, Luke-Jr: you need a real bank, not one of those pennyante us jobs; credit-suisse/UBS with an actual swiss account, then any stupidity has to be approved by swiss court, and they dont take 'please do this' even from the US, they demand verifiable proof before they act; 'course you dont get one of those without $500k min deposit, but thats the correct approach - disclose it on your tax forms, etc but you're outsourcing due-process to
04:22 < Luke-Jr> adam3us: do they do business with US citizens still? :o
04:22 < Luke-Jr> adam3us: and do they take initial deposits via wire? :p
04:22 < adam3us> luke-jr: fuck no
04:22 < Luke-Jr> aka bitcoins
04:23 < Luke-Jr> so not really an option
04:23 < adam3us> luke-jr: well i guess I jest, I think they would, though they will insist on disclosure
04:26 < adam3us> luke-jr: but seriously there is no sane reason anyone with > $500k liquid assets would keep a red cent in the US (or most other western countries). I am half swiss so i might be biased (mother is from Zurich)
04:27 < Luke-Jr> adam3us: I'm not sure US citizens really have a choice anymore. :/
04:27 < adam3us> luke-jr: it has zero to do with tax avoidance (do NOT do that, especially in the US) and everything to do with ensuring legal due diligence in any third party decisions about your wealth, and US is 100 yrs behind .ch in legal system impartiality & political independence, due process, etc
04:29 < Luke-Jr> I'm sure, but last I heard the US made it pretty much impractical for any non-US banks to do business with citizens
04:30 < maaku> some, not all
04:30 < maaku> there's some Caribbean banks that haven't felt the pressure yet
04:31 < adam3us> luke-jr: as I understand it, the result was .ch min deposit and min annual fee went up - they dont want to deal with US related admin costs unless its worth it
04:31 < Luke-Jr> I guess the hard part, if they really want $500k min deposit, will be getting a single $500k withdrawal from some exchange :/
04:34 < adam3us> luke-jr: its probably etiquette to go there with your passport for acct setup, zurich is a nice place, they are not offering anonymity, just the application of swiss banking confidentiality (pseudonymity with them holding your real id in escrow) - anything illegal by their laws, and with proof a swiss court has verified will be disclosed/seized; but the bar is pretty high: proof of tax evasion, extortion, organized crime, terror is what its me
04:35 < Luke-Jr> I don't have a passport.
04:35 < petertodd> !
04:35 < maaku> Luke-Jr: if you can show assets (walk into a UBS branch with documentation), then they will work with you to handle the deposit over multiple transactions
04:35 < maaku> and get a passport
04:35 < Luke-Jr> adam3us: btw, your lines keep going over freenode's limit and getting cut off
04:36 < Luke-Jr> yeah, I should get a passport. but that's so much trouble.
04:36 < adam3us> luke-jr: there are other AAB+ rated swiss only banks (no branches or personnel outside .ch) that are more immune to real-politic foreign influence; the UBS problems a few yrs back were because of pressure the US could exert because UBS had US branches
04:37 < adam3us> luke-jr: i dont think the US actually has literally any AAB+ rated banks period; if you want your money to still be there in 100 years, its the only option; i think the smart money is in these swiss only banks
04:38 < maaku> Luke-Jr: on the other hand, St. Vincent is only an hour or two away from you, doesn't require a passport, and has stricter secrecy laws than .ch
04:39 < adam3us> maaku: yes but i doubt st vincent has any AAB+ banks either, so if you are paranoid about the safety and continuity of your wealth (think Allen Stanford Caribbean bank scam), .ch is the gold standard
04:40 < adam3us> maaku: i know a guy here in malta, whose dad lost his shirt in the Stanford ponzi scam, the Stanford guy had put a lot of effort into building a credible bank profile and reputation
04:41 < Luke-Jr> no government lasts forever, not even .ch
04:41 < adam3us> luke-jr: they lasted longer than yours so far :P
04:41 < Luke-Jr> adam3us: which is all the more reason they might fall first :p
04:42 < adam3us> luke-jr: and they're politically neutral, armed to the teeth, and are holding 1/3 of the worlds offshore wealth, no one, not even the nazis wanted .ch to fail - politicians dont piss where they have their money hidden
04:42 < Luke-Jr> that was 50 years ago
04:43 < Luke-Jr> frankly, if I lived almost anywhere in Europe today, I'd probably be taking up arms against the government
04:43 < adam3us> luke-jr: they still have 1/3 of the worlds offshore money thats a big chunk of real-politic leverage
04:43 < Luke-Jr> maybe
04:44 < adam3us> luke-jr: .ch is also not politically part of .eu - they had a referendum and the citizens were against it
04:44 < Luke-Jr> adam3us: but they ratified the UN CRC
04:46 < adam3us> luke-jr: i think their focus as a country is to retain their gold standard banking status, because their livelihood depends on it, they have no natural resources other than cheap hydro, and they are almost the wealthiest country per capita in per capita income, they dont want to screw that up
04:46 < Luke-Jr> yeah, it might be good enough for just holding money
04:46 < Luke-Jr> but still, I'll have to figure out this passport nonsense first
04:47 < maaku> Luke-Jr: you can do it by mail. is there something holding up your case?
04:47 < adam3us> luke-jr: it aint that bad, get somebody to do the paper work for you - i hate paper work also
04:47 < Luke-Jr> maaku: pretty sure you can't here
04:47 < Luke-Jr> I think you have to go in and get fingerprinted and all sorts of garbage
04:49 < Luke-Jr> and yeah, I expect trouble with my case because of past legal problems with a certain insane State too
04:50 < adam3us> btw about this mintchip thing for bitcoin private keys, offline etc; i think the guy is missing to know about observer protocols, this can be done with an 8-bit smartcard CPU, not read coinswap yet is there another thread
04:50 < maaku> well unless it's a child support issue or your have outstanding warrants, i don't think they have the right to deny you
04:50 < maaku> sucks about the situation though, hope it gets sorted out
04:51 < Luke-Jr> maaku: yep, it's a child support issue
04:51 < adam3us> luke-jr: if you were serious about account, i do not think its a hard requirement to visit switzerland to setup an account, you'd have to ask them to check that is still the case (was about 10 yrs ago for sure)
04:52 < Luke-Jr> Nebraska thinks my wife and I should pay child support to the State for our children, because they kidnapped them for 3 years
04:52 < maaku> wtf.. jesus. that is fucked up, and yet not surprising. my condolences.
04:53 < Luke-Jr> (which is a big part of why I have zero tolerance for the UN CRC which purports to do away with parental rights entirely)
05:00 < petertodd> Too bad organizations like http://www.parentalrights.org seem to be all coming from the "strict parental rights" side of things - myself I'm in favor of something more like a third option where for many issues neither the state nor the parents should have rights over their children. (IE access to contraceptives should be something neither the state nor parents should be able to prevent)
05:02 < Luke-Jr> contraceptives should be blanket illegal for everyone in all cases
05:02 < petertodd> ha, I thought Catholic thinking on that subject had been relaxed these days?
05:02 < Luke-Jr> Catholic teaching is perfect and thus never changes.
05:03 < petertodd> Don't you mean our records of the past teachings of the Church must be wrong?
05:03 < Luke-Jr> no.
05:03 < petertodd> (aka, the 1984 doctrine :P)
05:04 < Luke-Jr> I have no idea what you're talking about.
13:14 < petertodd> sipa: OpenPGP actually does have some limited signing bits that you can use for that kind of thing. Poorly understood as you say.
13:14 < sipa> s/GPG/PGP/
13:15 < petertodd> sipa: Heck, jdillon signed my key back, and signed the photo packet... if he verified that, I have a stalker.
13:16 < petertodd> jgarzik: Sounds great, but how will you boil it down to something really simple for the algorithms? Do you think a key-value store is sufficient?
13:16 < jgarzik> petertodd, That's the tough part.  Where/how to store this decentralized identity database.
13:17 < jgarzik> petertodd, That's why I was looking into miner sacrifices
13:17 < jgarzik> If you associate a cost to identity creation, hopefully flooding is prevented
13:17 < petertodd> jgarzik: Yeah... too bad gmaxwells bytecoin doesn't exist.
13:17 < jgarzik> and if flooding is prevented, then it is likely easier to convince people to P2P-share the database
13:18 < jgarzik> a la blockchain
13:18 < petertodd> jgarzik: Of course, key-value in the blockchain has been suggested over and over, and aside from bloat it's a reasonable idea as all you need to know is that someone else can't claim they have the most recent pair.
13:19 < jgarzik> It would be nice if adding new merge-mined chains was easier
13:19 < petertodd> I dunno, I'm skeptical about merge-mining stuff like that, because the incentives to actually do it are weak.
13:20 < jgarzik> petertodd, miners and pools definitely respond to "easy additional income, for the same amount of work" incentives
13:20 < petertodd> I have the same problem distributing fraud-proofs for fidelity-bonded banks: you have to be able to prove that a fraud proof *wasn't* made in the past, and the only way to reasonably do that is have a data storage service with consensus on it's contents.
13:20 < jgarzik> yep :/
13:21 < petertodd> jgarzik: Which is the problem. The incentive can just as easily be "PGP-CA blockchain isn't used that much, lets kill it for the lulz"
13:21 < petertodd> jgarzik: It wouldn't be an issue, except for the fact that you need to be able to sell fidelity bonds if you've been honest to solve the "service own retiring" problem, and selling them is only reliable if you can be sure it's not a tainted identity.
13:21 < jgarzik> I really think this decentralized identity project could be huge, though.  Create an identity, create a market, trade, dispose of market.  Coalesce, exchange, disperse.  Automatic markets, anywhere, anytime.  The main linking factor is your identity.
13:22 < jgarzik> yeah
13:23 < petertodd> Possibly. I mean, the bigger question is what exactly is being bought and sold? Now digital goods are an option, but lots of classes of stuff really does need real-world identities.
13:23 < petertodd> for instance really general colored coins for real-life business stocks seems kinda crazy to me
13:23 < petertodd> (other than just an accounting system)
13:24 < jgarzik> If you have a SIN, you can collect endorsements (digital signatures) from third parties, proving your real world identity
13:25 < jgarzik> But each SIN holder chooses what endorsements to add, which to publish, which to keep private
13:25 < petertodd> Heh, get governments in on it and some of the endorsements can be pretty damn direct...
13:26 < jgarzik> Just need a central root point for each identity, to digital sign (for example) permission-to-see-my-identity
13:26 < jgarzik> indeed
13:26 < jgarzik> Just thinking about how to export it over the Internet, in a secure fashion
13:26 < jgarzik> Your SIN, your crypto-identity, should be able to securely link to other identity systems
13:27 < petertodd> Well, I mean if you can get a consensus on a big, timestamped, H(key)-H(value) table the actual transport can happen in a lot of ways - the receiver will always know they either got the true key-value by checking that H(key) H(value) matches.
13:28 < jgarzik> agreed
13:28 < petertodd> With that, transport on systems like DHT is a *lot* more acceptable.
13:28 < petertodd> It's too bad cryptographic accumulators don't quite work the way we want them to here...
13:29 < petertodd> Unfortunately I think you're basically forced into a blockchain here.
13:29 < petertodd> Albeit one that only needs 32+32=64 bytes per UTXO entry.
13:29 < petertodd> ...and what blocksize? (ducks)
13:29 < jgarzik> hehehe
13:30 < petertodd> Actually, seriously speaking, I'd namespace it to (semi)-solve that problem.
13:30 < jgarzik> petertodd, explain?  not sure what you mean
13:31 < petertodd> By namespace I just mean separate it into multiple blockchains, so that you can prune all but what you are actually interested in.
13:31 < jgarzik> ah, indeed
13:31 < petertodd> You still have to deal with bandwidth for all k-v pairs though, or you won't know if the POS's used to create them are valid.
13:32 < petertodd> (IE, that's the equivalent of an invalid block in the system)
13:32 < jgarzik> yep
13:32 < jgarzik> thus, The Difficult Part
13:32 < jgarzik> if it can be solved, decentralized identity Will Be Big
13:33 < jgarzik> PoS might also be needed/used for changing, not just identity creation
13:34 < petertodd> Well, do it hierarchical, with a top-most k/v store, with the k's being the state of the next level of k/v store.
13:34 < petertodd> See, basically you want to be sure you haven't missed any updates.
13:34 < petertodd> ...although, no, that still doesn't work, because of withholding attacks...
13:35 < petertodd> Yeah, I'd be inclined to do PoS for every update basically.
13:36 < petertodd> Oh, and here's another mental model: see what you have with this database, is the ultimate cryptographic accumulator that works the way you want it to: arbitrary checking if p in S
13:39 < petertodd> Your block header algorithm can actually be kinda interesting too... so you need to do on-chain Bitcoin POS transactions right? Make those transactions in a way that is distinguishable - IE you can tell if a given tx may have been part of the chain - and have your best block selection be the sum of all sacrifices.
13:40 < petertodd> Now if someone does a withholding attack, it's still ugly, but at least you can sacrifice more Bitcoins than the PoS's whose contents you *don't* know about and be sure you're now on the best chain. Your incentive, assuming the system is used, is to then broadcast your data widely so others sacrifice on top of your sacrifices.
13:41 < petertodd> Basically the 51% attack is now sacrifice more Bitcoins than the sum of all Bitcoins sacrificed. Not great, but at least it's easily measurable security.
13:41 < petertodd> Does have ugly issues if Bitcoin's value crashes...
13:42 < petertodd> But maybe that doesn't really matter, the Bitcoin PoW would be vulnerable anyway.
13:44 < petertodd> This whole scheme does depend on independent miners: the fact you're "mining" this blockchain is easily visible by the fixed namespace ID's. You may find a 51% majority conspiring to block your foo-k/v namespace for whatever reason.
13:45 < amiller> for the PoS thing you're talking about, the way to solve my objection with it (that there's nothing at stake) is to make it so the sacrifice is a sacrifice even if the block containing the sacrifice isn't selected
13:45 < amiller> if you do work on a PoW fork attack, your work is wasted if you fail
13:46 < amiller> meaning if your attack fork doesn't end up being taken as the main chain
13:46 < jgarzik> petertodd, yeah, if bitcoin dies we're fucked anyway ;p
13:46 < petertodd> amiller: Absolutely. It *must* be a genuine Bitcoin sacrifice, like an announce/commit sacrifice or anyone-can-spend coinbase output.
13:46 < amiller> so maybe you could fix that by saying that your best selection is the sum of all sacrifices, such that the transaction sacrifices are valid on every chain even the ones you didn't select?
13:46 < jgarzik> petertodd, BTW, what is the current favorite anyone-can-spend?
13:46 < amiller> ok sure anyone-can-spend coinbase
13:46 < jgarzik> OP_TRUE or somesuch
13:47 < petertodd> jgarzik: anyone can spend coinbase is shortest, for general use w/o miner help I haven't come up with anything better than announce/commit
13:47 < petertodd> amiller: ooh, that's a very good idea
13:48 < jgarzik> amiller, interesting
13:48 < jgarzik> a bit of a variant on total work
13:48 < petertodd> amiller: and your "block headers" are very similar to what merge-mined alt-coins carry around anyway
13:51 < petertodd> oh, and with anyone-can-spend coinbase output, the priority block # is obviously just the block #, however with announce-commit that's trickier
13:52 < jgarzik> I need to collect this into a wiki page somewhere
13:52 < petertodd> well, actually, maybe it doesn't matter... priority is independent per k-v pair, so if your announce commit means some of your k-v block was invalidated by a later update, it doesn't matter that much
13:53  * jgarzik wishes there was a crypto-wiki, rather than stuffing everything on en.bitcoin.it.  I suppose a github .md or gist will suffice.
13:53 < jgarzik> There definitely needs to be very high priority k-v's, and then secondary ones.  the primary, high prio ones are the root for other attestations/proofs/signatures
13:53 < petertodd> also, before I forget, actually pure k-v isn't really enough for most things, you probably need signatures so that once you establish that you own a k-v pair, you can update it with a signed update
13:53 < warren> Wow.  BFL sent me a refund after 1 day.
13:54 < jgarzik> Tempting to say that ultra-high-prio ones simply cannot be changed.  Create an identity with a certain number of immutable k-v's.
13:54 < petertodd> and on top of this, so don't forget you can use a merkle sum tree with your k-v pairs if you want a system where each pair has an individual sacrifice amount
13:55 < jgarzik> Some services, I imagine, would want that.  A third party service might require a specific sacrifice, or real world protocol of some sort.
13:36 < petertodd> But the point is, those anonymous businesses are associated with industries where the customers don't seem to care as much, and in addition the anonymity means their backend stuff is often very obscured. (I'm sure someone is timestamping log files for something, but good luck ever figuring out who they are)
13:38 < gmaxwell> uh, what the heck were you proposing where such a business needs generic worldwide visibility unjammability?
13:38 < petertodd> Announce/commit sacrifices are the canonical example.
13:39 < petertodd> Fraud proofs are another, that's a case where the existence of a "fall-back" way of ensuring global visibility is really valuable even if you have lesser means like merge-mined chains.
13:39 < gmaxwell> But they dont. they need visibility to the interested parties.
13:40 < gmaxwell> I'm struggling to come up with something which needs visibility to _disinterested_ parties.
13:40 < gmaxwell> (esp since you can't, you know, make people who don't care pay attention)
13:40 < petertodd> The problem is the only way to prove visibility is by proof-of-work or proof-of-stake, and the former gets really scary fast due to the large pools out there.
13:41 < gmaxwell> but that isn't solved by making things clear-visible in the blockchain.
13:41 < petertodd> The latter is ugly because it's active, and can tightly couple finance into a system where the attack is losing money if the data is made public.
13:42 < gmaxwell> e.g. so you put data in the clear in the blockchain, but thats no proof that anyone who mattered actually noticed it there even if they had the data available to them.
13:42 < petertodd> Sure it is: if it's in the Bitcoin blockchain I can be damn sure that anyone who was interested could have seen it. If it's a merge-mined chain with low hash rate it would be very easy for that data to be hidden by an attacker.
13:43 < gmaxwell> In fact, you've already proved it. you've made all kinds of weird transactions which people could have redeemed and either didn't or took a long time to do so. (or required you pointing them out at least)
13:43 < petertodd> Right, but in any system actually using this stuff the interested parties will look if it matters, and if no-one is interested, so what?
13:44 < gmaxwell> at least the merged mined thing actually creates evidence of seeing it by someone who (programmatically) cares.
13:45 < gmaxwell> We could also introduce a general mechanism for this kind of thing which doesn't create any perpetual storage, I suppose.
13:45 < petertodd> Take the example of a fidelity bonded bank where you want to sell your bank, but also want to be sure that no-one has committed fraud but withheld the fraud proof: you want to be able to say "if it's not in some blockchain, the fraud never happened"
13:46 < gmaxwell> and, yet, you can still do that just in terms of sum difficulty of a merged mined chain.
13:46 < petertodd> Sure, and you can do that if, for instance, we have UTXO possession proofs as part of the proof-of-work function, and then you would show via UTXO proofs that the data existed in the UTXO set and people possessed it, but they can drop it after the fact. (need a hard fork due to some details obviously)
13:47 < petertodd> gmaxwell: Of course, my point is any merge mined chain will always be inferior to Bitcoin because it will always have a lower hash rate, *or* the system has effectively become part of Bitcoin anyway.
13:47 < gmaxwell> (or sum-stake, or signed by some trusted observer or all of the above)
13:48 < petertodd> Basically have some data in a transaction that you don't need to prove the transaction is valid, but you do need to temporarily possess to fulfill your proof-of-possession PoW.
13:48 < gmaxwell> petertodd: okay, let me grant that: but being part of bitcoin itself isn't the same thing as sticking all data at the root level.
13:49 < gmaxwell> As it is today there is no way to do finite lifetime data in bitcoin, and everything you're talking about needs _at most_ finite lifetime.
13:50 < petertodd> Of course, but that's where my temporary forced storage scheme is useful, but that's a soft-fork at minimum and more likely people with the need will just keep stuffing their data into the blockchain.
13:51 < gmaxwell> okay, well certainly, you can say that a mechanism for temporary storage is virtuous even if we still hold the view that forced non-currency-data storage is wrong and should be technically defeated where possible.
13:53 < petertodd> Exactly. Point is figure out those technical solutions and make them work - don't go whining about social responsibility and "consent" as Luke does because the whole point of Bitcoin is to replace social mechanisms with technical ones, so work within that paradigm.
13:54 < petertodd> Not to mention how bizarre it is to be complaining about people creating prunable data, yet we won't say a thing about low-value transactions. The technical impact of both types of data is exactly the same - the archival blockchain gets bigger. (UTXO bloat is of course another matter, but that's solidly a design flaw)
13:55 < gmaxwell> hah. It's not like the technical stuff appears whole cloth in a vacuum. First it must justify our social responsibility. Absent consent the security of the technology is paper thin.
13:56 < gmaxwell> "won't say a thing" uh, we just nuked very tiny output creation.
13:56 < gmaxwell> And low value txn is pretty tricky: we don't know where the dividing line is.
13:57 < petertodd> Yes, and I did say that UTXO bloat is a design flaw; nuking tiny output creation is an example of a patch to try to fix that design flaw.
13:57 < gmaxwell> Vs it's easy to say Bitcoin is not a @#$@# storage locker for your nuddies or whatever. :P
13:57 < gmaxwell> harder to actually stop it, but at least agreeing on the goal is easier.
13:57 < petertodd> ...but then is it ok to use bitcoin as a proof-of-visibility for your financial application?
13:58 < gmaxwell> Not really, for one: it just won't work. Limited channel capacity will make that unpredictably fail for you.
13:59 < petertodd> Limited channel capacity makes the entire *system* fail unpredictably by that logic.
13:59 < petertodd> There are *lots* of applications where the fact that the channel capacity is limited is not only acceptable, but actually kind of a good thing.
13:59 < gmaxwell> It makes the future system's scale uncertain. But bitcoin doesn't just fail because it becomes slow to make transactions, your financial application certainly might.
14:00 < gmaxwell> "kind of a good thing": sure, and bitcoin itself is one of them. But the challenge there is that a limited channel where the capacity gets eaten up by _something else_ is not so obviously a good thing.
14:01 < petertodd> Any financial application will need to make transactions; you can easily design your need for data bandwidth to correspond to your need for transaction bandwidth.
14:02 < petertodd> Part of that design is of course determining how resistant you want to be to efforts to stamp out data in the blockchain, but you can always get some amount of data in there so the option always exists.
14:03 < gmaxwell> Okay, well we go back to my comment earlier that some small sidechannel (like 32 bytes per transaction) is probably something we can tolerate because there are just too many useful things that cannot be done without it. So figure out how to fit into that model and _MAYBE_ you have something that is still viable, maybe. Not certainly: since if the whole world was using bitcoin it isn't clear that any particular user would be able to get
14:04 < gmaxwell> But anything more than that, and it's not clear that it wouldn't trivially be stamped out by the first persistent effort to really cram in some nasty stuff in the broadcast channel.
14:04 < petertodd> But that's the thing: a sidechannel of any size just puts a price on the data relative to a transaction. We can push that price one way or another, but we know we can't make that price infinity - there are just too many ways to stuff data in transactions.
14:04 < gmaxwell> I mean. jesus, don't design business plans that can be shut down by a bored 12 year old.
14:05 < gmaxwell> petertodd: we can make anything that has UTXO storage be a hash preimage.
14:05 < jgarzik> hehe that says it all ;p
14:05 < petertodd> I'm not talking about UTXO storage, I'm talking about in-blockchain data.
14:06 < petertodd> UTXO storage is something we can go very far in preventing, up to having to perform partial hash collisions, but in-blockchain data isn't something we can stop - you can always play games with pubkeys.
14:08 < gmaxwell> petertodd: oh, well I'm actually far less concerned with that, as you can simply puncture the validation rules. There is a balance that provides adequate practical security.
14:08 < petertodd> puncture the validation rules?
14:08 < gmaxwell> There are plenty of people who think it would be perfectly sane to just forget all the spent txo before height 210000 or whatever.
14:08 < petertodd> Ah, yeah, which for the proof-of-visibility application is completely fine.
14:09 < gmaxwell> Not just in a pruning sense, but completely.
14:09 < jgarzik> I still like the idea of modifying my OP_RETURN patch to permit standard, spendable transactions || size <= 80
14:09 < gmaxwell> Depends on what you're trying to prove visible to who.
14:09 < jgarzik> gmaxwell, in this case, https://en.bitcoin.it/wiki/Identity_protocol_v1
14:09 < petertodd> Sure, but you can always prove your data was as visible as any other blockchain data in the time period, and that's all you need frankly.
14:09 < jgarzik> (that was the genesis of this whole proof-of-visibility discussion)
14:10 < jgarzik> indeed
14:11 < petertodd> jgarzik: ...and I strongly think OP_RETURN should be slightly cheaper at stuffing data in the blockchain than the P2SH+multisig games that we cannot stop, as a harm reduction measure
02:22 < gmaxwell> (they don't attack their bitcoin daemons because the attackers can't reach them)
10:10 < adam3us> btw people seemed to prefer hidden tx to committed tx as a descriptive name, but i chose the name originally as it is using a bit-commitment
10:10 < adam3us> (re conversation yesterday with gmaxwell, jtimon, maaku and a few others)
16:20 < gmaxwell> http://www.forbes.com/sites/kashmirhill/2013/11/13/sanitizing-bitcoin-coin-validation/   ... sigh.
16:21 < sipa> as long as they can do their job, our privacy isn't good enough
16:21 < gmaxwell> Right.
16:22 < gmaxwell> Making privacy better will be harder when people have made a business out of undermining it... though perhaps there will be more interest in improving it.
16:22 < sipa> so maybe that does provide a useful service: making people realize that privacy needs actual work
16:23 < gmaxwell> Indeed. I guess we'll see how the harm (investment in screwing up privacy and promoting that privacy must be removed) balances against the benefit (making people realize that privacy is a problem).
16:46 < adam3us> man what a bad idea
16:47 < adam3us> (coin validation)
16:48 < gmaxwell> maybe they'll pull a mastercoin next and raise a million dollars to fund their attack on bitcoin's fungibility? :P
16:48 < adam3us> need to figure out some way to compact committed tx without revealing
16:48 < adam3us> msc = moral hazard
16:50 < gmaxwell> Another interesting element to this risk:  If we don't fix the bitcoin ecosystem to make these businesses impossible it becomes more likely that some bitcoin clone which fixes them out of the box (perhaps just using things we could 'easily' deploy) will replace bitcoin.
16:51 < adam3us> gmaxwell: well so far we didnt figure out a fix - if we do i might start to soften my anti-alt stance if it was the only way to do it, but i think i'd go for staging method
16:51 < gmaxwell> adam3us: I think we have adequate fixes already.
16:51 < adam3us> gmaxwell: it seemed for a while there was actual interest in making an all zc alt for example; hal finney thought it was a cool idea
16:52 < gmaxwell> E.g. if all wallets were automatically doing coinjoins and coinswaps then such a business wouldn't be viable.
16:53 < gmaxwell> you don't have to have perfect anonymity to thoroughly break that kind of business.
16:53 < adam3us> gmaxwell: yes.  it's clearly an improvement.  but i'd really like to see if anyone can figure out some crypto enforced fungibility
16:54 < gmaxwell> it's hard to even deploy that though, esp with funded attacks on privacy. The nice thing about things that don't change the network is that people can say "well, there is nothing we can do about that".
16:54 < adam3us> gmaxwell: if u could get clients to upgrade, they may work harder on analysis however - its like crap 1st gen security, it engenders an arms race of heavily funded 2nd gen attacks etc (sat tv content scrambler story)
16:55 < adam3us> gmaxwell: true, you are "just" using core features
16:56 < gmaxwell> adam3us: the security provided by coinjoins and coinswaps is not pretextual though. So yea, more powerful analysis weakens user privacy but even assuming an optimal attacker, they do improve privacy.
16:56 < gmaxwell> a
16:57 < gmaxwell> adam3us: dunno if you played with the ZC codebase a lot... it ... doesn't seem too easy to integrate in a sane way.
16:57 < adam3us> gmaxwell: "hard to even deploy... esp with funded attacks on privacy."
16:57 < adam3us> gmaxwell: meaning? the network needs distribution or the anti-privacy lobby tries to shut it down early?
16:58 < gmaxwell> E.g. Peter Vessenes attacking bitcoin privacy at the conference .. until some folks pulled him aside and pointed out the fungibility problems.
16:58 < adam3us> gmaxwell: no i didnt look at zc code
16:59 < gmaxwell> adam3us: the problem with changing the network is that you can't (safely) use the changes until some super majority of nodes, including jumpy business participants like mtgox, deploy the changes. There is a coordination problem there, and no real way to ease into it.
16:59 < adam3us> gmaxwell: here's my version of what could be done, i think you reached similar tech conclusions: full anon fungibility, opaque privacy (user knows who's paying) rest as now; then you can subpoena recipient
17:00 < adam3us> gmaxwell: yes; maybe staging helps.. then they are bitcoins and you can step in and out of them via p2p exchange
17:00 < gmaxwell> The people who see themselves as "working with" regulators can very easily be pushed into a corner where they oppose this stuff. Good luck deploying a soft fork with the foundation opposing it.  So thats why I think at least within bitcoin privacy features can't be driven by the network.
17:00 < adam3us> gmaxwell: if gox doesnt take staging, swap them for bitcoin main coins first
17:02 < adam3us> gmaxwell: mere thought of foundation opposing on political grounds (cringe).  the fork threat may not be enough because of all these bitcoin businesses if the users depend on the businesses more than the biz depends on users
17:03 < gmaxwell> right.
17:04 < adam3us> gmaxwell: ok, but we can play games too; work out minimum required and otherwise useful enabling changes, wait 6 months, start using them
17:04 < gmaxwell> (In general that's why I've been really skeptical about "businesses will run full nodes!" as an argument for long term preservation of the system invariants... historically business interests tend to be very short term, and they haven't done a good job driving good monetary policy in other economies)
17:04 < adam3us> gmaxwell: eg say coinjoin could work so much better if you had useful change x that also has useful biz value... etc you get it
17:06 < adam3us> gmaxwell: biz cant see past the next quarter, 2yrs if you're lucky; and unfortunately most suits dont much think or care about user/community interests - i mean this stuff could have society level implications if screwed up by a few ignorant/selfish suits
17:08 < adam3us> anyway put your thinking cap on :) this problem must be fixed
17:09 < adam3us> another opportunity btw is the scaling point  if offchain tx are needed, biz will be desperate to use them, devs figure out how to do it, implement it, fix a few ills along the way
17:13 < adam3us> (forbes article) "t want to be the sheriff of the Bitcoin community. We just want to create an ecosystem of clean addresses." ... if anyone needs motivation to figure out some crypto fungibility before they de facto royally screw fungibility - what next - deals with miners to block the unclean one?
17:15 < gmaxwell> adam3us: no, step (2) is everyone rushing to pay for subscriptions to their feeds so that they don't accidentally accept an unclean coin and thereby make their own coins unclean.
17:15 < gmaxwell> step (3) is miners block them, saving everyone else the trouble.
17:15 < gmaxwell> :P
17:15 < gmaxwell> (or even to prevent their fees from being declared dirty)
17:15 < adam3us> they are bitcoin scourge
17:16 < gmaxwell> Well, presumably they haven't thought this through.
17:16 < adam3us> i mean seriously - it's a horrendous direction
17:17 < adam3us> outright destructive - 10x worse than satoshi dice.  if anyone knows those devs/tech guys they should reach out
17:18 < gmaxwell> I think I'm a little less shocked than you because I expected this (and we've seen it proposed by newbies enough times)
17:18 < adam3us> this is the kind of thing i was talking about: fungibility introducing costs into the transaction layer and pulling it down to the level of status-quo networks, it's all wrong
17:19 < adam3us> its also architecturally wrong - you need identity agnostic fungibility, and optional certified identity (required or not by the recipient by a peer choice)
17:20 < adam3us> and some transaction encryption really
17:20 < gmaxwell> adam3us: yea. identities are useful and don't require fungibility destruction or public privacy elimination.
17:20 < adam3us> so that's the design requirements in my view; the next challenge is how, it's damn hard
17:20 < adam3us> precisely
17:22 < adam3us> it may be necessary to technologically disabuse them of their wrong headedness in the short term.  i mean if their service was used by any bitcoin biz or miners at any scale, that could be a serious problem for fungibility
17:25 < gmaxwell> adam3us: more precisely, we can't get privacy measures adopted if there is too much important infrastructure which demands they don't exist.
17:25 < gmaxwell> or so say my logs:
17:25 < gmaxwell> 13:47 <gmaxwell> yea, no idea. In any case, I'm glad for anyone to be
17:25 < gmaxwell> working on some of this stuff.  I worry if some of the stronger financial
17:25 < gmaxwell> privacy tools are not implemented and widely used soon we'll grow too much infrastructure that assumes they don't exist.
17:25 < adam3us> yes, this is why the architecture is wrong - the biz people are making de facto architecture decisions
17:30 < sipa> i wish we had never stopped using pay-to-IP :(
17:31 < gmaxwell> petertodd: so, I realized last week that coinjoin and the replace-by-fee mutually assured destruction have a negative interaction potential.
17:31 < sipa> (and improved it with authenticated rather than replace it with pay-to-pubkeyhash)
17:31 < gmaxwell> petertodd: e.g. you CJ with someone to pay. And then your CJ party doublespends not paying your recipient. Then your recipient freaks the heck out and issues a destructive child...
17:39 < MC1984> the biz people are making defacto architecture decisions
17:40 < MC1984> whoops
17:41 < adam3us> i never got what replace-by-fee MAD was - petertodd wanted to be able to revise fees in case transactions got stuck, ok that has new problems for 0-confirms, then he proposed most things must remain as is, just the fee increase from a new input i presume, but how is that MAD?
17:41 < TD> sipa: what difference would that make?
17:42 < TD> sipa: the transactions are all still public
06:11 < warren> <---- yes, it's true, and that doesn't actually matter
06:11 < adam3us> warren: really whats the example of already happened?
06:12 < adam3us> petertodd: now you can give x to the smart card and H to the wallet/phone and the issuer can do the a=kG work, so the wallet only has to do r1=cx+w mod n
06:12 < warren> adam3us: at the simplest level, we exposed bugs in several components before they were merged into bitcoin-0.9.  More complicated: we influenced the recent security releases with our own research meant to protect the bitcoin network.
06:13 < warren> adam3us: there remains more we are not disclosing to the public because it would risk to the bitcoin network
06:13 < warren> adam3us: the recent lively discourse about NODE_BLOOM remains unresolved and is related to one of those issues
06:13 < adam3us> petertodd: the extended EC schnorr sig is a, r1, r2
06:14 < adam3us> warren: ok, thats v. interesting and good to know, but i still prefer bitcoin-staging if it could be got off the ground
06:14 < warren> adam3us: good luck
06:16 < warren> adam3us: I'm not married to litecoin.  I just looked at the state of things in March when I joined, found Litecoin to be "unmaintained, totally broken and without political opposition to fixing things" so I used that as a means to learn the codebase.  I've been increasingly branching into fixing things in Bitcoin.
06:16 < adam3us> warren: re scrypt(1) apparently ROMix (also by colin percival) is provably memory-hard, memory hardness (freedom from time-memory tradeoffs) was not a design requirement of Scrypt(1)
06:16 < warren> adam3us: I began coin dev in May 2013, all of the failures you're talking about were long before my time.
06:16 < adam3us> warren: bitcoin armory is using ROMix for key derivation rather than Scrypt for this reason
06:18 < adam3us> adam3us: eg if you like you can make an scrypt implementation (hardware or software) that is using mem=128kB parameter, but 16kB ram or 1kB ram - just more inner round repetition
06:18 < warren> adam3us: i'm fully aware of the TMTO thing, and i don't care.
06:18 < adam3us> warren: someone should try that, maybe you can mine scrypt faster on a gpu or fpga that way => profit
06:18 < warren> adam3us: people have tried
06:18 < warren> and I don't care what users do
06:19 < adam3us> warren: would be curious what the optimal scrypt tmto params were for diff hw
06:19 < warren> adam3us: the standard GPU miners use a 50% memory TMTO which seems to maximize performance for scrypt on that hardware.  there's apparently FPGA and ASICs happening soon too.
06:20 < adam3us> warren: yes i hear the asic rumor will be interesting to see how that compares perf
06:20 < warren> adam3us: like I said earlier, the failure of the original scrypt parameters has nothing to do with the soundness of the network and its ability to defend itself
06:21 < warren> adam3us: I personally would be more concerned about the coins that invite regulatory hazard through properties like centralization
06:23 < adam3us> petertodd: so the observer conclusion is it's a special form of 2 of 2 sig where the smartcard can't even tell which sig it contributed to (privacy) and yet can prevent double spending (up to hw tamper resistance); the observer is the smartphone/computer the card connects with, which can prevent inflow/outflow subliminal channels
06:23 < warren> adam3us: I had already spent months testing a hybrid of 0.8 and 0.9 with Litecoin, so I reused most of that work in a Bitcoin branch with fixes and features.  https://bitcointalk.org/index.php?topic=320695  Exposing more bugs before 0.9 while bringing some features to users sooner.
06:23 < adam3us> warren: agreed on both fronts, that was my motivation for committed transactions
06:23 < petertodd> adam3us: right, so explain in 30 seconds what's the big advantage of schnorr? is it flexibility? privacy?
06:24 < adam3us> petertodd: both
06:24 < petertodd> adam3us: ok, so what's the list of what it'll make possible? (remember, I need to explain this to a pool op, for instance)
06:24 < adam3us> petertodd: efficiency, flexibility, privacy, O(1) vs O(n) compactness of k of n sigs
06:24 < petertodd> adam3us: not clear enough
06:25 < petertodd> Like, give me a really simple example of something I can't do now, but will be able too.
06:25 < adam3us> petertodd: so you can make k of n sigs where the public key is a single public key and the private key is split into n pieces so you can have k of n sigs
06:26 < adam3us> petertodd: you can also after-the-fact combine your public key with another user to create an after the fact 2 of 2 (or n of n) that is represented by a single public key on the transaction
06:26 < petertodd> My inner Joe Public is saying "Huh?"
06:27 < adam3us> petertodd: so this results in smaller n of n sigs and privacy of how many people even are behind an address
06:27 < petertodd> huh?
06:28 < adam3us> petertodd: if n of n or k of n become widely used the sigs are smaller .. one sig vs n which saves block chain space, and makes chain validation n times faster
06:28 < petertodd> why are you fucking up Bitcoin? Bitcoin is perfect already, all hail Satoshi!
06:28 < petertodd> why all this complexity with n's and k's when you have bitcoin addresses and my balance!
06:29 < adam3us> petertodd: the primary risk for bitcoin is centralization and scalability, if that fails, bitcoin fails when dust becomes $10k and everyone switches to using lame trust me centralized "offchain", everyone should care about this :P
06:30 < petertodd> The wiki says Bitcoin scales to VISA levels! Says so! Why change what already works!
06:30 < adam3us> petertodd: u need n of n for like type2/type3 exchanges, escrow situations etc so I expect them to become more common over time
06:31 < adam3us> petertodd: yeah right - i also can say something scales (with the unstated assumption that i can invent, implement and deploy not yet invented innovations that may not even be mathematically feasible) :D
06:31 < petertodd> type2/type3 exchanges? why do we want exchanges? decentralized exchanges is what we need like localbitcoins!
06:31 < adam3us> petertodd: u run a nice devils advocate line btw
06:31 < petertodd> heh
06:32 < petertodd> or in this case, devils mouth-breathing southern cousin :/
06:32 < warren> well, I give up, I can't actually test mac builds/runtime so I can't fix this.
06:33 < adam3us> petertodd: u want type2/type3 because they are trustless - they cant steal your bitcoins, but they can green color tx so that settlement is faster allowing you to onwards trade and avoid volatility risk
06:33 < adam3us> petertodd: though i am also a fan of p2p atomic trade (must go reread those protocols and see if they are actually secure from abort/extort attacks)
06:33 < petertodd> heh, even I don't know what "type2/type3" exchanges are...
06:34 < adam3us> petertodd: type2 is like what bitalo is now working on, exchange escrows fiat, but only does a 2nd 2 of 2 sig on the transfer to finalize it; the actual ownership and authority is with users, a time lock ensures the user retains their bitcoin even if the exchange goes down without warning
06:35 < warren> I looked into installing a hackintosh VM to test this, but the amount of time needed to do it appears more than the time value of just buying a mac.
06:35 < adam3us> petertodd: type3 is if you have blockchain tradeable assets like litecoin vs bitcoin, or colored usdcoin from an issuer vs bitcoin or goldcoin; then the xchange isnt even escrowing fiat
06:37 < petertodd> right, I've never heard those terms myself
06:40 < adam3us> petertodd: probably cooked up in offline colorcoin discussions - to save having to describe a paragraph worth just give them a name
06:40 < petertodd> huh, you gotta admit though, that's politically going to be seen as a very niche reason to change stuff
06:40 < adam3us> petertodd: sounds cool to VCs too ;)
06:41 < petertodd> you ever looked at the bitcointalk archives re: p2sh? just getting that was horribly painful
06:42 < adam3us> petertodd: probably scalability changes and decentralization are far higher priority however as far as I see its mostly an open research question if anything fundamental (non-incremental) can be done with scalability
06:42 < adam3us> petertodd: i didnt, but i think i got it; maybe i am missing something though?
06:44 < petertodd> one ugly thing with scalability is it's just as likely that bitcoin won't scale with regard to verification, so we'll see centralization, and rather than fix that the alternative instead will be people start using other systems that also don't scale, but have sufficiently low usage that they work in practice
06:44 < adam3us> petertodd: most people on the scalability idea exploration end up reinventing consensus ripple, and finally realizing how bitcoin defends against sybil and then "oh now i get it" :)
06:44 < petertodd> huh? who is even working on scalability other than myself and gmaxwell?
06:46 < adam3us> petertodd: multiple people think distributed offchain/scalability magic is the holy grail and are queueing up to pay for it to happen
06:46 < petertodd> such as?
06:46 < adam3us> petertodd: i'm not saying they got anywhere technically, i am saying they magically wish it could happen... and see $ for whoever could deploy it first
06:47 < petertodd> inputs.io and coinbase, among others, have actually deployed it, and it works just fine
06:47 < adam3us> petertodd: thats not distributed
06:47 < petertodd> it's dead simple and trading off counter-party risk is perfectly acceptable to a lot of people.
06:48 < petertodd> you mean decentralized, and so what? centralized solutions built on top of decentralized ones mean you've always got the decentralized system to fall back on
06:48 < adam3us> petertodd: well if that goes to its logical conclusion in 5 years and everyone is using trust me big 10 offchain bitcoin is dead for its assumed value/purpose of auditability, zero trust
01:46 < amiller> i started thinking about whether general/unbounded recursion can be implemented using snarks
01:47 < gmaxwell> amiller: I can imagine that code with the right "periodic" structure could be...
01:47 < gmaxwell> But it would be the same code that you could also prove its result in closed form.
01:47 < gmaxwell> And so, why not just put in the closed form code? :P
01:49 < amiller> well an example is like a list with unknown bound
01:49 < amiller> say a sum over such a list
01:50 < amiller> that would ordinarily require unbounded size input to the circuit which doesn't work
01:51 < amiller> but you can give it the root digest of a hash chain list and then that's obviously fine
01:52 < amiller> but still a circuit that just checks hashes would still have to check a bounded number of hashes
01:54 < gmaxwell> right sure, the challenge there is making something which is secure against a prover key generating oracle. otherwise, you would just rig the decisions to only check the right places.
01:55 < amiller> i think what i should do is show that iterations reaches a fixpoint somehow
02:21 < amiller> normally the possible configuration space of a turing machine is infinite
02:22 < amiller> because it can run for an unbounded amount of time and add one more element to its unbounded tape at each step
--- Log closed Tue Aug 27 00:00:44 2013
--- Log opened Tue Aug 27 00:00:44 2013
10:54 < amiller> yeah so
10:54 < amiller> the only obstacle to implementing a snark verifier within a snark program
10:55 < amiller> is that we don't have any simple C code that implements the bilinear pairing needed to make pinocchio work
12:36 < gmaxwell> So I've been talking with Iddo in private about a bunch of SCIP things and came up with a cute idea you all may enjoy.
12:37 < gmaxwell> In some of the SCIP versions the prover produces a large number of locally testable points, then builds a hashtree over them, and the hash tree tells them which points to sample to show the verifier.
12:38 < gmaxwell> This can achieve reasonable security because the local tests depend on the other local tests, and a bad one is unlikely to pass with junk inputs.
12:39 < gmaxwell> But you still need to have many tests to achieve reasonable security, because the prover has a verification oracle (e.g. he can just simulate the oracle and keep trying junk inputs until he finds one that passes, unless you have many sampled points)
12:39 < gmaxwell> So I suggested this idea:  You create the large SCIP proof with all the locally testable points, with its hash root in a transaction, and you give the whole big thing to a miner.
12:40 < gmaxwell> The miner uses its own randomness to test it (an interactive proof, no verification oracle)... and happy that its valid the miner mines a block.
12:40 < gmaxwell> Now you use that block hash to ultimately select which parts of the locally testable proof to transmit along with the block.
12:41 < gmaxwell> So a verification oracle now would have to have some large multiple of the whole bitcoin network's computational power.
12:41 < gmaxwell> Moreover, as the block becomes further buried, later blocks can perform additional selection to further trim down the proof.
12:41 < petertodd> define "verification oracle"?
12:41 < gmaxwell> Until the proof is nothing more than the hashroot, security provided by POW burying.
12:42 < gmaxwell> petertodd: A magic black box that you give a proof to and it tells you if the verifier would accept the proof.
12:42 < petertodd> gmaxwell: Hmm... ok so you want the verification oracle to have to have hashing power so you can't just use it to create fake proofs?
12:44 < gmaxwell> Right the idea behind these hash tree commitment proofs is that they're non-interactive: the hash of the proof tells you the random elements to test... but unless you make the function that selects the points you sample very expensive a dishonest prover can potentially create a fake proof.
12:45 < gmaxwell> My idea is to introduce a weak kind of interaction, interaction with the bitcoin network, to create a verifier which is at least as strong at getting "oracled" as the bitcoin network is against overpowering attacks.
12:46 < gmaxwell> I had a weaker form of this idea earlier where you make the transactions two phase: first make a txn that commits your proof, then a second transaction which provides the selection... but I just today realized that you can have the miner do this, and it eliminates the need for two transactions.
12:47 < petertodd> Ok, so another way of describing it, is to just say that miners are making a non-interactive proof, but the selection process within that proof relies on the incredibly high cost of selecting blocks to avoid the invalid parts of the proof as opposed to a more general "picking only invalid requires 2^n hash ops"
12:47 < petertodd> Or really, by being multistage the "2^n hash ops" is achieved by multiplying the ops by the ops required to find a block.
12:47 < gmaxwell> petertodd: yea exactly. But in particular, it requires a multiple of the bitcoin computing power, whatever that is.
12:47 < petertodd> Kinda like I was talking about for UTXO possession proofs before.
12:48 < gmaxwell> Also, it fits with a general idea that as a block gets buried (more POW) you could use the subsequent blocks to throw away more and more of the proof... So the network starts out as zero-trust validation, but the deep history is just POW-consensus validation.
12:49 < gmaxwell> if transactions were structured so that you could elide scriptpubkeys this could also be used to compress regular bitcoin transactions buried far in the history.
12:49 < petertodd> Heh, so you could describe it in terms of "including all the subsequent blocks, the proof would require n hash ops to have p probability of finding a fraudulent proof"
12:51 < amiller> i wonder why it should matter if you have old proofs
12:51 < amiller> like
12:52 < gmaxwell> also, if you generalize this to cover the validation of whole old blocks (e.g. by making the chain a hash tree itself) and the fall off in proof size is exponential with more work, it means that the data required to sync the historical chain is some constant.
12:52 < amiller> if you have a proof that the nth block is valid and contains a proof that the n-1th block is valid and contains a proof etc etc
12:52 < amiller> why is it necessary to demonstrate possession of old history
12:53 < amiller> the only reason i think is to tolerate forks
12:53 < gmaxwell> amiller: It's not, assuming you have these proofs. (and forks, but forks don't _practically_ apply to _old_ data, for some definition of old, or the system is already doomed)
12:54 < amiller> then the work could probably be used on something more meaningful
12:55 < amiller> hm
12:55 < gmaxwell> I fully welcome someone going out and building UTXO checkpoints that prove faithful validation... thats likely a big engineering challenge however.
12:55 < amiller> i have been doing a lot of work with the pinocchio guy, which is tinyram's competitor basically
12:55 < amiller> we are trying to implement hashes and merkle trees in pinocchio
12:55 < petertodd> gmaxwell: Yeah, with the fraud % stuff I was talking about before you could use the PoW hash to select some subset of transactions/txouts to show proofs for, which as you say keeps the sync data required constant.
12:55 < amiller> pinocchio is a small C compiler but it has no ram unlike tinyram, so we have to approximate it with merkle trees
12:55 < amiller> he says that it's impractical for the time being to implement the recursive checker
12:56 < amiller> even though it's constant size it is a big constant
12:56 < amiller> we'd basically have to port the whole GMP library and bilinear pairing operation to this and it's just expensive
12:56 < amiller> but i'm really convinced now that recursive composition will work in a straightforward way
12:56 < petertodd> gmaxwell: The fraud possible would then be a function of literally some % of total outstanding UTXO value - though it really should take age into account given lost coins would then make the economic % of fraud possible go up.
12:56 < gmaxwell> amiller: there is a lot thats _possible_ but the engineering work and runtime requirements are still just too insane.
12:57 < petertodd> gmaxwell: (assuming the numbers work out so that the % is even meaningful)
12:57 < amiller> it's engineering yeah but it might be worthwhile in this case
12:57 < amiller> even the cost of building the proofs diminishes if it can be parallelized/distributed
12:57 < amiller> which it can
12:58 < gmaxwell> petertodd: So I even wonder if the worrying about subsetting single blocks makes sense when you could just subset out whole blocks. So long as you could produce a locally testable proof of a single block (which we can, if we have a committed utxo).
12:59 < gmaxwell> petertodd: so the idea is that for the old history you forget whole blocks forever, selected by the hash of new blocks... and just retain some fraction along with the locally testable proof (utxo fragments that let you validate the block).. would be interesting to work out the cheating economics.
12:59 < petertodd> gmaxwell: We don't even need committed utxo really: in your proof just provide the txouts spent by that block a level deeper.
13:00 < gmaxwell> petertodd: hm. it's true, you just need the SPV fragments for all the inputs.
13:00 < petertodd> gmaxwell: It'd all work especially well for the simpler interactive case where you're just trying to make sure the UTXO set a peer gave you is actually valid - best of all if we screw up we can change the algorithm without even a soft-fork.
13:01 < gmaxwell> Yea, in the interactive case this is all a lot stronger. But if we want to make historical storage a constant interactive is out.
13:01 < petertodd> Sure, but point is we can engineer that *first*, and learn from it prior to doing the non-interactive version.
20:26 < petertodd> That PRNG was used in a *lot* of corporate applications, it's easy to discount how much it was used because public open source stuff knew better.
20:27 < jrmithdobbs> still.
20:27 < jrmithdobbs> now that we KNOW the traffic is being archived for statistical analysis?
20:27 < petertodd> RC4 still hasn't been broken fully...
20:27 < jrmithdobbs> it's been broken enough for the scale of collection we're talking.
20:27 < jrmithdobbs> since the early 90s
20:27 < petertodd> and unlike before, we can argue against RC4 on the "maybe it's actually fully broken" angle without being labeled as paranoid
20:28 < petertodd> we can also argue that opinions of people who argue otherwise should be discounted because we *know* that there are NSA plants out there
20:29 < jrmithdobbs> petertodd: ya and what about new software being implemented using things like cram-md5 because there's just no standards that point them at anything sane?
20:30 < petertodd> bbl
20:30 < jrmithdobbs> petertodd: when we start addressing real problems ... :(
20:38 < gmaxwell> jrmithdobbs: pre-snowden a lot of tech people were letting themselves believe that only ${muslim terrorists} were being targeted with this stuff, snowden leaks show that basically everyone is, including the leaders of allied countries. Compartmentalization kept most people from knowing the scope; though they might have guessed, they could easily convince themselves that they're paranoid.
20:39 < gmaxwell> jrmithdobbs: there was a massive shift in the IETF, all new standards for at least the next couple years will have people insisting, and winning in their insistence, on opportunistic encryption as mandatory.  The people who used to combat that stuff with "waa waa you're paranoid, and waa waa we need higher speed for commercial purposes" have lost.
20:40 < adam3us> gmax: right; conveniently now the paranoid are proven right and get a wildcard to fix stupid problems and dismiss stupidity as likely sabotage (and there probably was and remains real sabotage at ietf committee, internal company design, code, NIST on nist side and nsa side and so on.
20:40 < gmaxwell> They stand at the mic and say these things still, but then people put snowden slides up on the projectors and those people sit down.
20:41 < gmaxwell> (This happened in both the webrtc working group and http2.0 working group in the last IETF, and I expect to see more of it in vancouver week after next.
20:41 < gmaxwell> )
20:42 < gmaxwell> adam3us: yea. exactly. The pro-crypto people have a free pass, and they're making some use of it.
20:45 < adam3us> gmax: updated chameleon hash thread with the ecdsa version, found and fixed a few problems, and realized it's actually got an extra property - Bob can't forge at all if Alice reveals the contract
20:47 < adam3us> the other extremely nice thing about the snowden leaks and shaming of NSA for illegal, dangerous to society and democracy behavior is it finally swept away the last of the 911 security vs privacy which was a brake on privacy tech startup activity; anyone interested in privacy tech has the moral authority for the next decade, and that's a fantastic asset
20:49 < adam3us> it puts the shoe on the other foot; it's no longer "but won't criminals or terrorists hide"; rather it's like i was saying, the types of things hal was saying - the onus is on the opposer to explain why they want to bypass the mechanism for exercising of legally protected rights of freedom of speech & association
20:51 < adam3us> and the trump card is lost: they can't say trust us that's only used for terrorists; we know it was used for everyone, and even abused in clearly non-terror cases as an undisclosed source (with some fabricated cover story of accidentally stumbling upon the "crime") judges were not amused to find that, and already there are some decisions informing the accused
20:51 < petertodd> It's also a money thing too: the leaks have shown you can't trust US companies and US cloud computing services, which is already having a very real impact, for instance IBM hardware sales to China have dropped by about 40% already.
20:52 < petertodd> This kind of thing sends money to companies that aren't as suspect, and in turn reduces US influence on standards and hardware.
20:53 < adam3us> all the political lobbying and real or faux reaction from euro politicians: i think they should just funnel  a few bil euro of their r&d framework towards end2end encrypt everything (the eur r&d budget is a scary thing - they spend billions and billions on academic / industry demonstrators and "applied research" most of which is crap)
20:54 < petertodd> A similar situation is with the ITAR controls on things like gyroscopes: at work I have to have an ITAR security clearance because we use missile guidance grade gyroscopes, and the system we're building is itself an ITAR controlled good. But the ITAR requirements are sufficiently onerous that it's making this tech available from non-itar-signatory countries; we'll soon be able to ditch a lot of our US-made equipment for Russian-made, and even Iranian-made in some cases. (!)
20:54 < petertodd> Push money into non-US hardware companies and you'll be able to buy fully-Chinese made hardware, and setup systems where both the US and China would need to co-operate to break it.
20:54 < adam3us> yes it's a bad day to be a us cloud company, and probably a bad day to be a cloud company at all: it has shown the cloud can't be trusted, at least not without end2end encryption which only properly works for dumb storage without efficient FHE (tahoe-lafs is probably about as smart as secured cloud can get without fhe)
20:55 < petertodd> adam3us: yup. Trusted computing can change that of course, and as I said above, we'll hopefully get competing US and Chinese and others implementations of it.
20:57 < adam3us> i am wondering if chinese made cpus, chipsets and network gear is better in fact - the chinese don't have anything against me, they're just interested in suppressing domestic political agitation and the odd bit of industrial espionage; apparently stallman uses some chinese cpu laptop
20:58 < adam3us> everything i'm doing that i care about is open source and open spec anyway so the chinese have no interest and even seem neutral on bitcoin. vs the us is not to be trusted
20:59 < adam3us> petertodd: problem with trusted computing is trusting the manufacturer, though there are interesting things you can do with it, eg people were talking about a tpm secured remailer, its a toolkit for making arbitrary multi-party-computation
21:00 < petertodd> for sure, and it doesn't need to be better, just different. Even if the US and China were co-operating, it'd be easy to imagine situations where layering both techs would result in unbreakable systems. For instance, a US and Chinese PRNG may be broken by either, but in such a way that the combination can't be broken by either.
21:00 < adam3us> petertodd: which is really hard to do efficiently directly, where with a tpm you can use remote attestation and tpm key management, trusted non debuggable agents, sealed disk storage and ring -1 protected ram to protect it
21:01 < petertodd> adam3us: I need to write up a paper on my thoughts on how to make useful open-source remote attestation capable gear; I do think it can be done with auditing schemes and careful hardware design.
21:01 < petertodd> too many projects...
21:01 < adam3us> petertodd: and the tpm's are going deeper, on to the cpu die, the embedded mmu, and i presume on the fly encrypted RAM (rather than the external mmu curtain on ring-1)
21:02 < petertodd> adam3us: yup, intels' next gen stuff is going to look like that
21:02 < petertodd> adam3us: basically I think you can make stuff that's just as secure from physical tampering, and make it in such a way that you can still take the device apart and verify the hardware did what it claimed to do.
21:03 < adam3us> petertodd: if one could do those things (open source hw tpm) or mix of chinese & us implementations in a strengthening enforcing way maybe could build a multi party RPOW with bitcoin inflation control :)
21:03 < petertodd> adam3us: for sure, and with such devices you can make my fidelity bonded banking stuff work in practice.
21:03 < adam3us> petertodd: that can solve many problems if the tpm can enforce hard to enforce issues, efficiently, scalably and without broadcast
21:04 < adam3us> petertodd: one generic problem is it's hard to defend hw security where the enemy is the hw owner & operator, as DeCSS found out the hard way
21:05 < petertodd> adam3us: yup, and with care, you don't need TPM's that are 100% unbreakable, just ones that have useful lower-bounds on how expensive it is to break any individual TPM
21:05 < petertodd> adam3us: right, and manufacturer and assembler should be added to that list too
21:06 < adam3us> petertodd: tpm-world is like a corporate firewall, if the nsa gets its nose inside there via a forged TPM signing key which is actually running in software what was supposed to be in hw, its a squishy insecure interior
21:06 < adam3us> petertodd: i am hoping instead we get fast enough FHE that people can build custom chips to do it in usable speed
21:07 < petertodd> adam3us: yeah, so the trick is build hardware where a third-party can take a whole production run of the hardware, tear some devices apart, verify they do what they claim to do, and sign the rest as authentic
21:07 < adam3us> petertodd: they clearly need something useful to do with 6.2bil transistors of the latest 2816 core amd offering
21:07 < petertodd> FHE?
21:07 < adam3us> fully homomorphic enc
21:07 < petertodd> ah
21:07 < petertodd> FHE can't do things like verify that Tor nodes aren't logging though
21:08 < adam3us> petertodd: it might be able to
21:08 < petertodd> how?
21:09 < adam3us> petertodd: there are some mind bending what ifs if you had it, eg could it do remote attestation, could it do ZKP of what code it ran (SCIP)
00:37 < amiller> generated by the verifier (the person who's about to accept a connection if the puzzle is responded correctly)
00:37 < gmaxwell> and what happens next?
00:38 < gmaxwell> (what does the responder do with the challenge?)
00:38 < amiller> you use that challenge as seed to a prf to generate random plinko paths down the tree
00:38 < amiller> the responder returns with some k number of merkle tree branches each long n
00:38 < amiller> log n*
00:38 < gmaxwell> great and you do that and you conclude that you should end up at ID 8
00:38 < gmaxwell> and then you compute H(verifierID || 8)
00:39 < gmaxwell> Where is your storage hardness? :P
00:39 < amiller> you need to produce the whole merkle branch
00:39 < amiller> that's really hard unless you've precomputed and stored it
00:39 < amiller> maybe it should be H(verifierID || proverID || i)
00:39 < amiller> so that multiple people can't share the same disk to sybil connect you
00:39 < amiller> but still the point is you make the leaves easily computed
00:40 < gmaxwell> amiller: nah, I can compute the data once, and just store the top N levels of the tree. (just a few hashes)
00:40 < amiller> but you make it so you basically need nearly all of them to answer a response
00:40 < gmaxwell> then I get a 2^N speedup in computing the answer.
00:40 < amiller> i see and then recompute some of them
00:40 < amiller> hm.
00:40 < gmaxwell> (I actually have a solution to this, I'm toying with you to see if you come up with it too, I was surprised at how long it took me)
00:40 < gmaxwell> (or if you come up with another one)
00:41 < amiller> uh, well, the next thing i usually think of is where each leaf depends on the previous so you actually have to compute them sequentially
00:41 < amiller> but that's hard to verify efficiently (at least i don't know how)
00:41 < gmaxwell> yea, but then how does the verifier not have to do the same
00:41 < gmaxwell> exactly.
00:42 < gmaxwell> okay, I give you my solution: https://bitcointalk.org/index.php?topic=310323.0  (when you care to look, it's simple)
00:42 < amiller> there might be trapdoor kind of things where the verifier has a shortcut but the prover has to do it sequentially
00:42 < amiller> that kind of thing is generally much easier in this interactive setting
00:44 < gmaxwell> amiller: yea, I came up with something which followed that description pretty exactly using fully homomorphic encryption.  (Basically the challenger asks the prover to run a secret sequential function, saving the intermediate results.. and with knowledge of the function the challenger can instead run an algebraically simplified version) but FHE = yuck.
00:45 < gmaxwell> fortunately there is a simpler way.
00:46 < amiller> i've read that three times (at various times in the last two weeks) and haven't gotten it
00:46 < gmaxwell> wow, sorry. :(
00:46 < amiller> but now that i've paged in all the other naive ideas i can probably close the gap now
00:46 < amiller> "The server then can periodically pick a random index and perform log2(size) hash operations to determine the value at that index and then can challenge the client to provide the corresponding index for that value.
00:46 < amiller> "
00:46 < amiller> could you write that part out?
00:47 < gmaxwell> H(verifierID || proverID) is the seed to a tree structured pseudorandom function.  E.g. you have efficient random access to this pseudorandom function.
00:47 < gmaxwell> the prover hashes the leaves of this function and stores the results.
00:48 < gmaxwell> The verifier picks a random leaf, computes its hash, and challenges the prover to tell it the matching index.
00:48 < amiller> i get how {Left, Right} = H(seed) is used to construct the tree the first time
00:49 < amiller> ohhh..... you sort the leaves when you're done
00:49 < gmaxwell> Right.
00:50 < amiller> can't you estimate the path for a value pretty closely
00:50 < gmaxwell> I'm asking you to have performed precomputation for a preimage attack on this function.
00:50 < gmaxwell> If you only know the seed and I ask you "What index leaf value begins with 0xDEADBEEF" what do you do?
00:51 < gmaxwell> There is nothing to estimate, it's strongly pseudorandom, you couldn't do better than decoding sequentially until you find 0xDEADBEEF
00:52 < amiller> okay i think i get it
00:52 < midnightmagic> gmaxwell: It's computed on-the-fly as the server asks for it?
00:52 < midnightmagic> (first time rather)
00:53 < gmaxwell> midnightmagic: first time, I suppose. But the idea is to pick parameters where if you don't store the result you'll be wasting a ton of computation recomputing the whole thing for every challenge.
00:53 < gmaxwell> Where otherwise it would be just a couple IOs to find the right answer.
00:53 < amiller> it takes n log n setup time
00:53 < amiller> where n = 2^k
00:54 < midnightmagic> gmaxwell: I imagine the guard time to allow the client time to compute would be spent just idling?  What happens before the table is finally computed?
00:55 < gmaxwell> midnightmagic: if you made the seed H(your ip || peer's IP) you could actually compute it offline before ever trying to connect to them.
00:55 < gmaxwell> (argument against actually using IPs is nats, alas... more practically you could connect, get your challenge and get kicked off, then come back later with your table built)
00:55 < midnightmagic> gmaxwell: In order for the server to verify that, it would also need to do it, but it doesn't know in advance who's going to connect?
00:56 < gmaxwell> midnightmagic: nope, the idea here is that the server doesn't need to do anything expensive to verify.
00:56 < gmaxwell> The function is fast to run in one direction, but not the other. :)
00:56  * midnightmagic reads it again..
00:57 < midnightmagic> ah.
00:57 < gmaxwell> The server picks an index at random, and then does log2(N) hash operations to find the leaf value at that index. (thats cheap)
00:57 < gmaxwell> then it gives you the leaf value and asks you for the index.
00:58 < midnightmagic> I guess Evil Server sits and listens for 50,000 incoming connections, has the client do single lookups, and disconnects without actually being a bitcoin node?
00:59 < gmaxwell> midnightmagic: perhaps. The way I envision this is that you'd have a server you already like, and you do this protocol with it to get yourself a privileged connection slot. So if the server gets dos attacked you don't get punted.
00:59 < midnightmagic> so we're talking one-way trust in that case. client knows the server is happy, server doesn't know the client is happy.
01:00 < gmaxwell> so if nodes are doing this only with servers they already like, the evil server attack isn't so concerning... but indeed, thats a point.
01:00 < midnightmagic> makes sense, I like it.
01:00  * midnightmagic files away conceptual technique for application to other things
01:01 < midnightmagic> the tahoe people were trying to do proof-of-storage to try to prevent servers from claiming they had data but actually not having it at all, and misleading clients into thinking the file was safe.
01:01 < midnightmagic> (without transferring the files)
01:05 < gmaxwell> this only works, sadly, with random data... but the reason for that is it requires the verifier to have never done the work. if you don't mind the verifier having had the data at one time, you can do this easily.
01:05 < midnightmagic> i wonder if the prng seed could be used to build an un-precomputable path through the blockchain
01:08 < midnightmagic> i guess that doesn't increase resources more than every bitcoin node already has.
01:08 < gmaxwell> sure but you'd have that same data for all peers, so it wouldn't stop you from connecting to 100k nodes successfully.
01:09 < gmaxwell> (otherwise, yea would be best to make the data bitcoin data, since the verifier already has that, and it's in our interest to copy it)
01:34 < amiller> gmaxwell, https://gist.github.com/amiller/7131876 http://codepad.org/Nzp2Vdsk
01:34 < amiller> seems fine to me now, i buy it
01:44 < amiller> i don't know why no one has done that before but i don't think i've seen anything like it
01:44 < amiller> really cool
01:52 < amiller> hrm it kind of isn't such a great tradeoff because there's a long setup time
01:52 < amiller> i mean, the setup time is the time to fill the disk, plus to sort it
01:52 < amiller> you would want like a btree kind of sort anyway which would be kind of slow
01:52 < amiller> i guess that's where the idea left off
02:00 < amiller> it would be really good to reduce the I/Os by the k factor
02:01 < amiller> the merkle tree based solutions have that problem too, pretty much
02:01 < amiller> well not exactly because you can go straight to the data which can be larger than the index
02:32 < gmaxwell> amiller: did you see my similarly structured idea for lamport keys? I've still not seen anything like that either, they're kinda related.
02:32 < amiller> gmaxwell, no
02:35 < gmaxwell> amiller: so, you have a firm mental model for lamport right. And that you can put your public key in a hashtree and use the root.. when you sign you reveal the preimages selected by the message bits and then only the minimum necessary set of tree fragments to show that your preimages came from the right public key
02:35 < gmaxwell> e.g. you can send less than hash_size * 2 hashes because of common branch compression in the pubkey.
02:37 < gmaxwell> So take the same idea and use the same kind of tree csprng to expand a single secret value to all your secret values.  Now when signing you can do the same kind of tree compression of the hash preimages! you selectively reveal chunks of the tree-csprng state so that the verifier can recover the preimages you were required to reveal and no others.
02:38 < gmaxwell> this is actually far more powerful for things other than lamport though.
02:38 < gmaxwell> It has powerful applications to making protocols for secure permutations (e.g. voting) use less bandwidth.
12:29 < adam3us> gmaxwell: i mean in principle if u dont know the key, you learn nothing other than you dont have the key whether the resulting point is on the curve or not?
12:29 < gmaxwell> adam3us: go see petertodd's stealth address post in bitcoin-dev
12:29 < adam3us> gmaxwell: yes i read that at the time.
12:30 < gmaxwell> He proposed, in passing, to encrypt the nonce used in the transaction with e.g. H(stealth address). This is bad because if you have a large list of stealth addresses you can test transactions to see if they might be related to one stealth address or another.
12:33 < adam3us> gmaxwell: ok so nonce is the wrong term i guess; he said "payor generates nonce keypair P=eG" less confusing to call that an ephemeral keypair.  the only nonce in DSA could arguably be k.
12:39 < petertodd> adam3us: basically something like 1 in 256 arbitrary 33 byte strings are valid ECC pubkeys, so decrypting and checking gives you a lot of statistical info that it shouldn't
12:39 < adam3us> petertodd: i did not find the encrypt with H(addr) so I dont know what you are encrypting yet, but if you are encrypting with something unknown to the attacker i do not see the attack
12:40 < petertodd> adam3us: well the stealth address is known to our attacker in my attack model
12:41 < adam3us> petertodd: doesnot the stealth address S=dP=eQ ie unknowable if u do not know d or e
12:42 < petertodd> adam3us: we're talking about the sender ephemeral pubkey, the one that goes into a OP_RETURN txout, I suggested encrypting that data so that it wasn't obvious if the transaction was or was not a stealth tx
12:42 < petertodd> adam3us: gmaxwell's point is that the encryption leaks info because you can trial decrypt, and if the result is a valid pubkey, you know you have a high probability of having guessed the right stealth addr
12:42 < adam3us> petertodd: ok as far as that goes, why don't you use one of the input addresses as the ephemeral pub key
12:43 < petertodd> adam3us: because that leaks info to the receiver about which txin did the money come from, and also makes assumptions about how you fund the tx
12:43 < adam3us> petertodd: still if its proper encryption with a key unknown to the attacker you can trial decrypt until the heat death of the universe ;) and only explore which are on the curve and not, which has a known probability distribution... and so what?
12:44 < petertodd> adam3us: the thing is in this case the attacker *does* know the key, only the weaker attacker doesn't
12:44 < petertodd> adam3us: the weak attacker is worse off, but the not so weak attacker is much better off - bad tradeoff
12:45 < adam3us> petertodd: how did u arrive at a threat model where the attacker knows your decryption key?
12:45 < petertodd> adam3us: because it's in the stealth address itself
12:52 < adam3us> petertodd: so you are talking about encrypting P the ephemeral pub key, using the hash of the stealth pub key S (presumably a diff hash than the one used to compute the stealth address as that is also public).  now S=dQ and Q is the recipient's static receive address.  and S=eP, and P=dG, d is only known to the sender.  But e is known to the recipient Q=eG. so the recipient has a catch 22 he doesn't know d so he can't compute S=dQ, and he knows
12:52 < adam3us> petertodd: seems stuck in circular dependency
12:54 < petertodd> adam3us: the point is to hide the transaction from weaker attackers who *don't* know the stealth address, which is a valuable thing. but it's not worth it if it makes it easier for attackers who do know; there's no circular dependency there
12:55 < petertodd> adam3us: read my post again and you'll see what I mean
12:55 < adam3us> petertodd: the original post or one of the 5 followup posts? (i didnt find it yet)
12:55 < petertodd> adam3us: my original
13:01 < adam3us> petertodd: ah ok so u want to encrypt it with H(Q) not H(S).  gmaxwell had said "you suggested in your message that the nonce could be encrypted with H(stealth address)" ok so the stealth address is Q, not S, and actually I see you changed to Q' in the write up over previous IRC here. fine.  yes gmaxwell is right.
13:02 < adam3us> petertodd: but why do you want to encrypt ephemeral pub key P at all? to obfuscate that this is a stealth payment?  who else makes 0 value payments to invalid addresses?
13:05 < adam3us> petertodd: "the [ephemeral] keypair [P...] is included in the transaction in an additional zero-valued output: RETURN <P>" what is that an ignored, UTXO compactible, 32 byte message?
13:29 < gmaxwell> adam3us: he wanted to obscure that it was a stealth payment maybe share anonymity set with a timestamping thing.
13:30 < gmaxwell> But no joy.
13:30 < adam3us> gmaxwell: ok hence the elligator thread.
13:32 < adam3us> gmaxwell: it's a classic steganography requirement.  all decryptions must be equally plausible. alternatively he could send P+Q and hash2curve his timestamp hashes :)
14:01  * nsh looks at this twister.net.co thing
14:33 < nsh> libboost-dev is 60Mb....
14:33 < nsh> (with all the attendant repocruft)
14:36 < nsh> wait, another 139Mb for libboost-all-dev
17:40 < gmaxwell> https://soundcloud.com/rdlmitedu/140113_0001-wav Matt Green presents Zerocoin/Zerocash at Real World Crypto 2014
17:45 < Luke-Jr> gmaxwell: is it practical now?
17:46 < petertodd> gmaxwell: they released a paper yet?
17:46 < jron> petertodd, no paper yet afaik.
17:47 < nsh> has anyone looked at how twister is using the blockchain/PoW and to what degree it's sane/scalable?
17:47 < petertodd> nsh: it's awful, for instance there is a per-tx PoW, yet the difficulty for that PoW is hard-coded
17:47 < nsh> mm
17:48 < nsh> it is viable in principle though?
17:48 < maaku> gmaxwell: anything new presented at that talk?
17:48 < nsh> seems to be very early alpha, so maybe all kinds of silly parametric decisions/hacks
17:48 < petertodd> nsh: no, there's no incentive built into the system other than the ability to spam other users with messages... and no way to guarantee the messages will be shown in the UI
17:48 < nsh> :/
17:49 < gmaxwell> maaku: I haven't listened to it yet, I peppered jron with some questions.
17:49 < maaku> k
17:49 < petertodd> jron: pity
17:49 < jron> Luke-Jr, it sounds like the only thing they add to the blockchain is 288 bytes
17:49 < petertodd> nsh: it should have used an existing name thing like namecoin
17:49  * nsh nods
17:50 < petertodd> jron: small enough it doesn't need to be a separate chain, although my understanding is they're making it one
17:50 < jron> petertodd, correct. they are calling it "zerocash"
17:50 < gmaxwell> jron: Oh, I'm pretty sure its a bit more complex than that. At a minimum it should be their proofs plus one or two additional hash trees.
17:50 < petertodd> jron: and totally separate PoW right?
17:50 < gmaxwell> jron: Did they say anything about recovering space from old completed transactions? (e.g. analogous to pruning in bitcoin)
17:51 < jron> petertodd, there was no mention of their PoW function.
17:51 < gmaxwell> I had a couple ideas for how to achieve pruning in a zerocash like system but they all were kinda ugly and had tradeoffs I didn't like.
17:52 < petertodd> jron: heh, hopefully they'll take my advice from last summer and do a proof-of-sacrifice or bitcoin timestamped+pos for proof-of-publication
17:52 < jron> gmaxwell, there was no talk of pruning that I heard.
17:52 < gmaxwell> jron: :(
17:52 < jron> petertodd, I assume proof of sacrifice is destroying btc?
17:52 < petertodd> jron: yup
17:53 < jron> I was thinking about that on the drive home.
17:54 < petertodd> jron: basically you need to be able to securely order the transactions to solve double-spending, which is easy, and also come to consensus about what chain has the most "users" in a sense. pow is a really simple way to do both, but is vulnerable to attack.
17:54 < nsh> that soundcloud recording is 600% reverberation by weight
17:54 < nsh> :/
17:54 < petertodd> nsh: I hear it was held in a big church :/
17:54 < nsh> shame
17:54 < gmaxwell> jron: can you go compare zerocash with zerocoin for the channel?  (I know some things from private conversations that I haven't told people here which were probably disclosed in the talk, but it'll take a couple hours before I can listen)
17:58 < Luke-Jr> anyone have any legal contacts with Google?
17:58 < maaku> Luke-Jr: as in with Google's lawyers?
17:58 < Luke-Jr> maaku: yes, or anyone who can help me get Nest thermostats GPL compliant :p
17:59 < jron> I need to relisten but it sounds like they ripped out a lot of the code from libzerocoin. They also cut the proof size down from about 4KB to 288 bytes and the verification time down to milliseconds.
17:59 < maaku> holy cow, $3.2 billion for a thermostat?
17:59 < Luke-Jr> maaku: it's a smartphone inside
18:00 < Luke-Jr> and right now it gives the company complete control over your home temperature :/
18:00 < jron> the trade-off for the verification time is it takes about 2 minutes to perform a transaction in addition to the confirmation time.
18:01 < petertodd> jron: 2 min on what kind of machine?
18:01 < jron> petertodd, single core current gen
18:01 < petertodd> jron: not bad, is the computation parallelizable?
18:02 < jron> petertodd, he didn't say. I assumed it was but that is a great question.
18:02 < maaku> Luke-Jr: most effective, but asshole method for compliance is to get a blog post calling them out on the front page of HN
18:02 < maaku> it'll be fixed within hours
18:03 < petertodd> jron: if the computation can be outsourced in any way would be really interesting too
18:03 < jron> he also mentioned a large blog that is required to spend coins. the size is about 1.2 GB.
18:03 < maaku> jron: 2 minutes to *verify* a transaction, not sign?
18:03 < jron> large blob*
18:03 < petertodd> jron: is the 1.2GB akin to a private key, or some shared data structure everyone just needs?
18:03 < maaku> ok n/m reading fail
18:03 < jron> maaku, verification is sub second.
15:43 < gmaxwell> adam3us: but then you're demanding that every single financial transaction ibm engages in be globally visible. every hardware purchase, every paycheck, every invoice.
15:43 < gmaxwell> "uhh"
15:44 < adam3us> gmaxwell: don't forget about homomorphic encrypted value for commercial confidentiality
15:44 < gmaxwell> And of course they could just say that they're going to be issuing against this separate account and please pay to it, because they won't ship you your hardware if you don't do as they say. Who's going to argue with that.
15:44 < gmaxwell> just seeing the volume of transactions in total is a big confidentiality leak...
15:44 < adam3us> gmaxwell: i am not saying anyone can try to do all that now, i am saying i think that is the future for financial networks, putting more and more of it under a priori rule enforcement to reduce systemic risk
15:45 < adam3us> gmaxwell: encrypted value, it has to happen, bitcoin is not suitable for commercial confidentiality (or even private confidentiality - a few people get paid in bitcoin, it leaks far too much)
15:46 < gmaxwell> adam3us: okay sure. Every layer of this you add though you move it further away from something which even sounds remotely practically achievable today. I'm happy to move in that direction, but one of the reasons I think cypherpunk vision failed almost completely in round one (save for keeping strong crypto from being outlawed) is because the bridge building failed. I'm happy to think one or two steps ahead, but I think you're going ...
15:46 < gmaxwell> ... too far for me to care. :)  I just want fungible flexible highly trustworthy ecash. :)
15:47 < adam3us> gmaxwell: sure, step 1 fungibility
15:47 < adam3us> step 2 maybe distributed security for share issues
15:48 < adam3us> DBC (colored coins, though not necessarily using coloring nor bitcoin nominal value payments)
15:48 < gmaxwell> (and, as an aside, I'm worried about fungibility measures in bitcoin being politically difficult if we don't get them in fast... e.g. if we get norms around blacklisting naughty coins and such, then any fungibility measure will be a tool of evil.)
15:49 < adam3us> mostly explaining why i think it matters to have bearer and distributed enforcement for stocks, often the direction things take is a side effect of interim decisions
15:50 < adam3us> gmaxwell: yes... i was starting to think maybe i am missing some aspect of committed tx, maybe committed tx plus more efficient homomorphic value can do something interesting ZC-like but without the overhead
15:50 < gmaxwell> well there are ways to do ZC with reduced overhead.
15:50 < adam3us> gmaxwell: ie don't check the inputs match the outputs, check all inputs add to all outputs
15:50 < gmaxwell> but uh  you might not like the security tradeoffs. :P
15:50 < adam3us> gmaxwell: ok that'll work too :
15:50 < adam3us> oh
15:51 < adam3us> gmaxwell: i had one more idea too but i didn't crack the crypto yet, to make a blind proof of work
15:52 < adam3us> gmaxwell: then you can prove your tx is confirmed, the depth of the confirmation, that it adds up (encrypted value), basically bitcoin in zero knowledge!
15:52 < amiller> the blind proof of work still has pretty unclear benefit even if you just assume abstractly you have free ZK
15:52 < maaku> the ZC bloat is in the scriptSig though, right?
15:52 < gmaxwell> for example, there is a pairing crypto way to do the accumulators which is much more space efficient. :P  There is also a fiat-shamir way where you can use the blockhash to do a cut-and-choose to compress your proof.
15:53 < adam3us> gmaxwell: zc uses fiat shamir transform in their cut-and-choose already right
15:53 < gmaxwell> maaku: not only, you need to have a growing anti-doublespend list.
15:53 < gmaxwell> adam3us: I know, but I'm pointing out that you can use the blockchain to compress it further. :P
15:53 < maaku> o_O !!
15:53 < adam3us> gmaxwell: ok, every bit helps
15:53  * maaku goes to read the paper, finally
15:53 < adam3us> gmaxwell: feel free to write that up sometime on bct
15:54 < gmaxwell> I did. uh, in some random thread.
15:55 < gmaxwell> The point is that you can do an interactive hashtree proof where you interact with the network. E.g. you give the miner a big proof, and the block hash tells it how to subset the proof. Because the block hash requires 2^lots work, creating a false proof is at least as expensive as mining many blocks and throwing them away.
15:55 < adam3us> amiller: point of blind pow is you could then prove in zero knowledge that your transaction is validated
15:56 < adam3us> amiller: it's not enough by itself, lots of other detail level issues arise, but it's an interesting direction towards fungibility motivated anonymity
15:57 < adam3us> amiller: but it's kind of moot so far as i can't seem to make an efficiently verifiable blind proof of work
15:57 < gmaxwell> the weird thing about my blockhash stuff is that in the common models of analyzing the security of fiat-shamir it adds nothing, because you normally assume that taking the proof commitment and turning it into random validation queries is O(1).
15:57 < maaku> "and check that S does not appear in any previous transaction" <-- I see.
15:58 < maaku> I somehow missed that before. So space wise this isn't actually an improvement over straight chaum ecash, is it?
15:58 < gmaxwell> maaku: yea, so if you don't want it to suck you have to have lifetime limits on ZC pools.
15:58 < gmaxwell> (so you could 'prune' off the anti-replay lists)
15:59 < gmaxwell> the network could also potentially outsource the anti-replay list storage by storing them in trees and having update proofs for them with the transactions.
15:59 < gmaxwell> which then makes the system more like PT's MMR-coin stuff, conceptually.
15:59 < adam3us> gmaxwell: interesting, seems to be somewhat related to the merkle pow for reduced variance
16:02 < gmaxwell> https://bitcointalk.org/index.php?topic=284194.0  < I mention it as a throwaway comment at the bottom here.
16:03 < gmaxwell> though I wrote it up in a long PM conversation with iddo. (I was suggesting it in the context of improving the scalability of the SCIP stuff based on the locally checkable code stuff.)
16:08 < gmaxwell> (basically in that post I show how to make cut-and-choose random encrypted shuffles use log(security) bandwidth, and then point out that you can do the block hash thing because I thought I should put the idea out in public in case some shithead comes along and tried patenting it :P )
17:06 < jtimon> gmaxwell adam3us I still fail to see why traceability implies revocability
17:07 < jtimon> even with centralized redemption, I don't see how IBM shares are more revocable than bitcoins
17:08 < jtimon> basic colored coins do not provide support for KYC compliance
17:08 < gmaxwell> jtimon: because IBM can be ordered to ignore shares traceable from some point, and to credit some other shares instead.  You can trade these shares still, but without IBM's future support they only have novelty value. :P
17:09 < jtimon> but why would IBM be ordered to break its contract?
17:09 < maaku> jtimon: legal pressure
17:09 < jtimon> I don't see the example
17:10 < maaku> maybe response to theft, trying to reverse a ponzi scheme, etc.
17:10 < jtimon> so Bob steals from Alice and sells to Carol, who sells to David...why should Z be punished for Bob's crime?
17:12 < jtimon> I'm assuming non-authorized assets where the issuer doesn't know the bearers' identity
17:12 < Luke-Jr> gmaxwell: how about this argument: if IBM runs its own stock exchange, it needs to make sure only licensed investors buy in; with coloured coins, supposedly there is no way to require IBM to do this
17:13 < jtimon> Luke-Jr freimarkets supports KYC compliance, but it's of course optional
17:14 < Luke-Jr> KYC isn't related to this
17:15 < Luke-Jr> this is "if Joe isn't a licensed investor, he is not allowed to purchase shares"
17:15 < jtimon> well, by authorized assets I mean all those limitations
17:16 < jtimon> a closed list of licensed investors is the same as a closed list of authorized users (previously identified by the issuer)
17:16 < Luke-Jr> anyhow, it's silly to do this with a public blockchain
17:16 < jtimon> the way we do it is actually pretty stupid but very flexible
17:17 < Luke-Jr> as long as people are complying with the restrictions anyway, they should just host their own stock registry
17:17 < jtimon> require an "authorizer" to sign all transactions including that asset (but yes, it's stupid in almost all cases)
17:18 < jtimon> yes, if you're going to sign everything, the only reason not to run your own off-chain ledger is to provide more transparency
17:19 < jtimon> I know a local currency designer that needs this, although I don't think his "100% transparent currency" is a good idea
17:20 < maaku> Luke-Jr: I agree it's stupid, but it's something people ask for, to achieve regulatory compliance...
17:20 < Luke-Jr> maaku: using a blockchain instead of hosting it at the company, does not help regulatory compliance
17:20 < Luke-Jr> you can disclose your private "blockchain" if you want transparency
17:21 < maaku> ? no i meant the KYC/authorized accounts
17:21 < jtimon> would bitstamp be issuing in ripple if they didn't have a non-scalable version of this?
17:21 < maaku> doesn't matter if it's on public chain or private server
17:21 < maaku> as to using the public chain for asset issuance, i see very limited uses for that
17:22 < jtimon> the most obvious ones are small issuers who can't run their own server and don't want to trust a server
17:22 < jtimon> but shares is also interesting
17:23 < jtimon> are
17:23 < jtimon> even if redemption is centralized, there's zero trust in accounting and exchange
17:24 < maaku> IBM, for example, would probably contract out to another company that handles hosting the gateway exchange and KYC compliance (making sure transactions only involve registered securities professionals, etc.)
18:03 < gmaxwell> jron: sounds like he actually didn't give a lot of technical details.
18:04 < jron> gmaxwell, it was a basic overview.
18:04 < Luke-Jr> maaku: HN?
18:04 < gmaxwell> This is annoying, because I actually can answer all of these questions.
18:04 < michagogo|cloud> Luke-Jr: Hacker News
18:05 < michagogo|cloud> Luke-Jr: So I'm guessing you already saw https://nest.com/legal/compliance/ and it's incomplete?
18:05 < gmaxwell> well, in any case, I don't think I'm giving anything away that I hadn't guessed at before I'd talked to them. They're using a ZK-SNARK based on the GGPR 2012 paper, this is the CRS-assumption pairing crypto knowledge of exponent assumption for quadratic arithmetic programs stuff that is used in pinocchio and the tinyram papers.
18:06 < jron> petertodd, he describes the 1.2 GB dataset as a large set of public params required to spend coins.
18:06 < gmaxwell> The proving side of this system is pretty highly parallelizable. I don't know the size of the proving key, since it's polylogarithmic in the size of the circuit being proved.
18:07 < Luke-Jr> michagogo|cloud: it's missing build/install stuff
18:07 < gmaxwell> The verification key and proof sizes are just dependent on security, and you can see figures on them in the vntinyram paper: http://eprint.iacr.org/2013/507
18:07 < michagogo|cloud> ah
18:08 < gmaxwell> But presumably they wouldn't use tinyram for this, they don't need turing complete to prove some anonymous transactions. Instead I expect them to prove hashfunctions and equality, and so a custom circuit could be a lot smaller.
18:09 < gmaxwell> (a straightforward implementation of SHA256 has 30k AND gates but most (90%?) of these are in 32 bit adders, and a 32 bit adder in a QAP takes just a couple gates instead of 65 in a boolean circuit)
18:10 < jron> they did mention the use of SHA256 and SNARK to achieve the proof size
18:12 < maaku> jron: did they go into any detail about how the public params were derived?
18:13 < jron> <jron> he did mention two possible options. the first was finding as many willing and "trusted" participants to create it in a semi-distributed fashion.
18:13 < jron> <jron> the second was writing software to do it p2p but he didn't go into specifics on how that could be pulled off.
18:14 < gmaxwell> ^ that was from when I asked in #zerocoin
18:15 < gmaxwell> So yea, the problem with the GGPR ZK-SNARK is that there is a set of asymmetric encryption keys and if _anyone_ knows them or finds them, then that party can trivially make false proofs.
18:16 < Alanius> I think I know what I'm reading tomorrow :-)
18:16 < Luke-Jr> gmaxwell: does someone *need* to know the private key?
18:16 < maaku> Luke-Jr: you need the private key to create the public params
18:16 < Luke-Jr> else, have lots of N people pick entropy to produce a public key for which there is no known private <.<
18:16 < maaku> so you need to trust that someone didn't keep a record
18:16 < gmaxwell> it has to be known temporarily to generate the public keys.  At least unless you invoke some multiparty computation unicorn.
18:16 < maaku> or MPC
18:16 < Luke-Jr> so the public key can't be generated without the private key? :<
18:17 < nsh> someone needs to be trusted to forget something...
18:17 < Luke-Jr> Bernanke can do it!
18:17 < gmaxwell> At which point we're starting to recursively nest unicorns, since most efficient MPC stuff being written about works by using ZK-SNARKS to prove the players aren't cheating.
18:17 < nsh> lol
18:17 < gmaxwell> Basically the whole GGPR scheme works by reducing proving the correctness of program execution to proving you know the roots of some polynomials meeting some constraints.
18:18 < gmaxwell> What happens is that you find these polynomials and then encrypt them with the public keys produced in a prior initialization phase, and then also encrypt your roots.. And the cryptosystem has the right kind of homomorphism that the encrypted roots are still roots of the encrypted polynomial.
18:18 < petertodd> gmaxwell: pity, although I'll bet you the average person won't blink an eye at the "founders could fuck it all up" problem
18:18 < maaku> gmaxwell: wait, it's a valid question - is there some way you can just use random junk for the public portion, like say the first sequence of PI bits which satisfies whatever constraint is necessary?
18:19 < gmaxwell> maaku: no.
18:19 < maaku> k, fair enough :)
18:19 < gmaxwell> Since you have no freaking clue what points the polynomial is being evaluated at, you can't generate a fake polynomial that will pass the test. but if you have the secret data you know the points and it's trivial to generate a fake proof.
18:19  * maaku demonstrates his ignorance of pairing crypto
18:20 < gmaxwell> maaku: basically you can pick random keys, but they won't agree with each other, since you need to both encrypt your roots and the polynomial in such a way as the result can still be tested.
18:20 < jtimon> https://groups.google.com/d/msg/bitcoinx/EntSAsMLFck/X-7h5sgnMNoJ
18:22 < petertodd> jtimon: pragmatic, but computational crypto-coins are admittedly a lot more interesting solution to that problem
18:22 < gmaxwell> in any case, I'd really suggest sitting down and reading the vntinyram paper, skipping over the mathy parts as you see fit.
18:23 < gmaxwell> Because the scipr-lab.org people have a public mailing list, and I have an existence proof now that they respond on it. :)
18:23 < gmaxwell> (linked here: http://www.scipr-lab.org/ )
18:23 < jtimon> petertodd: I don't think I understand you
18:23 < gmaxwell> while they probably don't know anything about zerocash, they do know the backend cryptosystem.
18:24 < jtimon> petertodd: what problem you mean exactly?
18:25 < jtimon> petertodd: and what do you mean by "computatuional crypto-coins"?
18:26 < gmaxwell> Oh I linked the wrong paper earlier, the vnTinyRam paper is http://eprint.iacr.org/2013/879 and it has all the benchmark figures (and I strongly believe that the verifier numbers will apply to any zerocash proposal)
18:27 < petertodd> jtimon: basically, people have proposed much more sophisticated scripting languages, to the extent that the txin scriptPubKey could constrain txout scriptPubKeys, meaning that a txout with a scriptPubKey of a specific form would be proof that the txin scriptPubKey also had the correct form all the way back to some genesis txout, thus, colored coins
18:28 < jron> someone posted some of the key points from the zerocash presentation here: http://pastebin.com/Dd60ZaT7
18:28 < gmaxwell> petertodd: Zero knowledge computational crypto coins are even better for that.
18:29 < petertodd> gmaxwell: of course, after all, you write about coin covenants on trolltalk
18:29 < petertodd> gmaxwell: s/write/wrote/
18:30 < gmaxwell> jron: thanks!
18:30 < petertodd> gmaxwell: directly interpreted consensus systems can be upgraded to ZK systems after the fact
18:31 < gmaxwell> Yea, okay, so they point out there that the ZK based construction allows them to encrypt values to.
18:31 < gmaxwell> s/to/too/.
18:32 < gmaxwell> This is really important because it means that the anonymity set size is all transactions, not just all transactions with plausible values for you.
18:32 < gmaxwell> But it has some crazy consequences.
18:32 < gmaxwell> Like there becomes no way to even roughly gauge the size of the economy anymore.
18:33 < gmaxwell> It also interacts very poorly with the security assumptions... In zerocoin someone who compromised the magical RSA number could drain out an accumulator and steal all the coins in it. Which is bad but:
18:33 < jtimon> petertodd: I'm not sure I understand your claim yet though, you're just saying that you prefer other colored coins schemes over this one https://bitcointalk.org/index.php?topic=253385.0?
18:34 < gmaxwell> In a system with hidden values under ZK proof a CRS compromise gives unbounded undetectable(*) inflation.
18:34 < Alanius> you could estimate roughly the size of the economy by monitoring the transaction fees
18:34 < petertodd> jtimon: no, I'm saying I prefer schemes that allow for totally generic colored coins, or anything else you might want to do
18:34 < gmaxwell> (*) well, I suppose once you personally end up with more coins in your wallet than should exist you will then believe there has been a cryptosystem compromise.
18:34 < jron> gmaxwell, hah!
18:34 < maaku> Alanius: txn fees have nothing to do with txn values..
18:34 < gmaxwell> Alanius: perhaps! but you couldn't tell if a transaction was for 1 coin or 100000 coins.
18:35 < maaku> petertodd: what does "totally generic" mean?
18:35 < Alanius> sure, but it would be pretty stupid to fee 10 coins for 1 coin's worth of actual transfer
18:35 < Alanius> hence, "roughly" :)
18:35 < maaku> it'd be a lower bound ... but probably a very low lower bound
18:35 < gmaxwell> Alanius: normally in bitcoin like systems the fees are just proportional to the data size of a transaction, since that reflects the networks actual processing cost.
18:36 < maaku> but i think you understand that :)
18:36 < gmaxwell> maaku: you could force fees to be related to value.. I suppose, though that would be an information leak, plus it would be u. You can't have it both ways, I think. :P
18:36 < sipa> Alanius: when fees are free-floating and there's an actual market around, i suppose to some extent
18:36 < petertodd> maaku: if a scriptPubKey can restrict redemption to transactions with txouts with scriptPubKeys of forms that propagate those covenants, then you can create generic limitations on how the coins can be spent
18:37 < gmaxwell> heck you could even force a kind of value information leak from transactions. E.g. force under the zk proof for you to generate a randomly fuzzed version of your txn value which you make public. And then people could gauge the average economy size without any specific transaction giving away its size... but its not clear to me if being able to size up the
15:15 < petertodd> adam3us: ha! though it was a good learning experience re: worse-is-better
15:15 < amiller> i think it's a plausible idea
15:15 < Luke-Jr> maybe whoever-posted-that's problem is that they're only looking at ex-googlers
15:16 < amiller> would be hard to show it works for x86 without really well identifying x86
15:16 < amiller> you could do something where anything other than the given architecture uses slightly more power or something
15:16 < adam3us> petertodd: well i just think timestamping is a cleaner and simpler problem and bitcoin could do with dependencies untangling if its at all possible because the heavy cross design links make it nearly impossible to change anything significant
15:16 < petertodd> adam3us: WTF? the current POW algorithm already makes botnets unprofitable compared to ASICs :(
15:17  * Luke-Jr notes making an x86 POW effectively makes the entire x86 spec part of the bug-for-bug bitcoin protocol
15:17 < petertodd> adam3us: yes, although you have to be careful to make sure your system doesn't need proof-of-publication, or that to the extent it needs it, you have the incentives right so that POP is actually working
15:17 < adam3us> x86 mining: i tried to interest Schneier and Kocher and Kelsey and Gilmore (people who worked on the EFF DES cracker some years back) to see if they would like to collab/comment on making an ASIC unfriendly design
15:18 < petertodd> Luke-Jr: and x86 POW becomes more and more attractive to ASICS as more features are added to x86, reducing the amount of silicon you are actually exercising...
15:18 < Luke-Jr> why are people obsessed with making this "ASIC unfriendly"?
15:18 < Luke-Jr> ASIC is the ideal
15:18 < petertodd> Luke-Jr: because if you are ASIC friendly, control of bitcoin is centralized in the hands of about 2 to 3 companies
15:18 < adam3us> x86 mining: kocher had some comments which were similar to this x86 concept basically do a lot of dynamic things relying at bit-level on x86 execution so the end result needs to understand that cpu
15:18 < Luke-Jr> petertodd: it's more centralised if it's ASIC unfriendly.
15:19 < petertodd> Luke-Jr: in theory, no, but those 2 to 3 companies are going to be rather unhappy to stop shipping commodity hardware for the sake of screwing over bitcoin
15:20 < petertodd> Luke-Jr: Government has a much harder time telling Samsung "from now on, RAM chips are a controlled good" than "yeah, just no more SHA256d ASICs unless they have the know-your-customer hardware in them"
15:21 < adam3us> this was kocher on something similar (email): "Of the various options for avoiding the "problem" of ASICs outperforming regular CPUs, the obvious option (ala litecoin at least to some degree) is to use a computations that utilize the full resources of a typical PC (e.g., DRAM intensive, use the multiplier a lot, large code image, etc.)  This tilts the
equation away from dedicated hardware boards, but still favors people who are willing to ha
15:21 < Luke-Jr> petertodd: in all cases where government is the enemy, government wins by default.
15:22 < adam3us> luke-jr: that's why cryptography is good: it's an immovable object, they can't bend it to their will any more than redefine pi to 3 (and they tried that too apparently)
15:22 < petertodd> Luke-Jr: right, so lets just give up... that's not a good position, especially when it looks like ASIC-resistant is viable
15:22 < petertodd> adam3us: that kind of thinking seems to often result in over-optimization for PC design now, rather than what it may be in the future; hard-forks are hard!
15:23 < Luke-Jr> petertodd: it doesn't look that way.
15:23 < Luke-Jr> ASIC-resistant is impossible in theory
15:23 < Luke-Jr> you can *always* specialise anything
15:23 < adam3us> luke-jr: " it's more centralised if it's ASIC unfriendly." that is an equally plausible argument - it just depends on how available ASICs are - i think they suffer from market forces where anyone capable of making them mines with them rather than selling (or are incompetent like butterfly)
15:24 < Luke-Jr> adam3us: don't forget that self-mining is inherently competing against yourself
15:24 < petertodd> Luke-Jr: again, ASICs will always be some epsilon better, but we can live with it if the ratio is small - just makes transactions that people want to censor more expensive. 2x or 3x is reasonable, 1000x isn't
15:24 < adam3us> kocher contd: "miners occasionally unearth the right to publish puzzles to other miners (with rewards to those who solve these puzzles, as well as rewards to the puzzle issuer if puzzle solutions are neither too hard nor too easy)."
15:25 < Luke-Jr> selling mining hardware is more economically rational
15:25 < petertodd> Luke-Jr: I pointed out above how FPGAs may already meet that criteria w/ litecoin scrypt, and while assuming FPGAs are available is a weaker anti-censorship assumption, it's not an unreasonable one.
15:26 < adam3us> luke-jr: yes that's true (self-mining competes with self) but I am going to be super-pissed if, when my march 2013 ordered miners turn up finally with a difficulty making it hard to recoup $5k spent, they look burnt in with butterfly "test" keys preinstalled with 6mo of mining on the addresses
15:27 < Luke-Jr> adam3us: I expect the mining landscape to look very different a year from now.
15:27 < petertodd> adam3us: heh, I checked, butterfly hasn't shipped me any hardware that looks like it was tested at all :P
15:28 < adam3us> kocher last: " It'd also be entirely possible to design a new algorithm with extremely ASIC/FPGA-unfriendly elements, such as a gigantic pile of auto-generated code (= and growing faster than FPGAs) that gets changed periodically."
15:29 < adam3us> luke-jr: if the supply problems are smoothed out so anyone can place money and get working efficient 28nm hardware by return of post, I will be very happy as that is a valid (and simpler) solution
15:29 < Luke-Jr> adam3us: one time I pondered a POW that defined the subsequent POW from interpreting its hash a certain way
15:29 < Luke-Jr> adam3us: and the difficulty adjusted between the different POW algos by trying to make them equally rare
15:30 < petertodd> adam3us: fwiw I switched my 65nm outstanding order to 28nm monarchs
15:30 < Luke-Jr> yes, I think 28nm hardware available near cost to ship within a week, is a realistic expectation after difficulty catches up
15:30 < adam3us> luke-jr: the people on bitcoin forum who PM'd me with their 16 AES, 16 SHA3 finalist approach had some idea like the hash to use is derived from hash outputs and things like that
15:31 < adam3us> petertodd: is that butterfly?
15:31 < Luke-Jr> it'd be interesting to try some of these experiments in BFGMiner at some point
15:32 < Luke-Jr> woo, 20 GB of null data deleted XD
15:33 < Luke-Jr> problem is, as soon as anyone implements a new POW, the scammers jump on it
15:36 < adam3us> petertodd: think that is worth doing? I have 130GH ordered (2x 50GH 2x 5GH) and could swap it to 600GH (it's approx the same price) but it'll come later, it's "only" 4x faster / $ approx and maybe difficulty will jump by that in the period?
15:36 < adam3us> petertodd: they have a comically bad record at not shipping within 6mo-year of when they estimate which is punitive in mining terms with difficulty adjustment at super-moore's law rate
15:36 < petertodd> adam3us: my thinking re: mining is long-term, and 28nm is going to make break-even for longer I think
15:37 < petertodd> adam3us: they have a record of shipping late, but given that I work in the hardware industry I have a lot of sympathy for that :P
15:37 < adam3us> petertodd: well it's getting longer term by the day, that's for sure
15:37 < petertodd> adam3us: yup, right now 64nm has a payback time of ~1 year
15:37 < Luke-Jr> adam3us: 1 time does not make a record
15:37 < adam3us> petertodd: eg maybe i think it would've paid itself in a month at beginning i dont even know ok 1 year thats long
15:37 < Luke-Jr> unless we're talking in terms of "world record"
15:38 < adam3us> luke-jr: didnt they do that several times? their previous gen people were bitching about too?
15:38 < Luke-Jr> 1 year isn't long for most things
15:38 < Luke-Jr> adam3us: they've always been late, but not 6 months
15:38 < petertodd> adam3us: probably longer in practice. Which FWIW is still very good for most businesses, it's just not the crazy profitability people are used to.
15:38 < Luke-Jr> adam3us: FPGA minirig was only like 1-3 weeks IIRC
15:38 < Luke-Jr> FPGA singles were a month or two IIRC
15:38 < adam3us> well i ordered the 50GH singles 17 mar
15:38 < adam3us> and i havent seen it yet
15:39 < Luke-Jr> yeah, not doubting they screwed up big time with SC
15:39 < Luke-Jr> I'd expect a few weeks for Monarch personally
15:39 < adam3us> no sorry 17 april
15:39 < Luke-Jr> (late)
15:40 < adam3us> luke-jr: they said end of year, that might be ok
15:41 < petertodd> adam3us: oh, I ordered hardware in early march, so you're going to get that soon... but even then I'd still consider going to 28nm
15:41 < petertodd> adam3us: depends on what your cost structure is; I value quiet energy efficient hardware
15:42 < petertodd> Also, I'm not in it expecting to make money... mainly I have hardware because it's useful at times.
15:42 < adam3us> petertodd: their own page is even self-contradictory "However, we aren't shipping anytime soon.  This is a Pre-Order product, so if you're uncomfortable waiting an indeterminate length of time for the final phase, do NOT pre-order this product. With that in mind, our current schedule is on track for shipments to begin towards end of year." and higher up "jan/feb 2014"
15:43 < adam3us> petertodd: i figure for 6mo of the year you're gonna need a space heater anyway in canada, and your electricity is cheap also
15:43 < petertodd> adam3us: just means they don't have the units built and ready to ship - shit happens!
15:44 < petertodd> adam3us: exactly, and my parents live in the far north where the heating season is 8 months of the year
08:22 < jtimon> but they can just use a simple timestamping server that functionally acts as blind signer for the commit
08:23 < adam3us> jtimon: so it seems to me you can use chaum blind cert to have the issuer create you an issuer-blind but transferable proof, and traceable proof
08:23 < jtimon> I was under the impression that you couldn't transfer chaumian cash conditionally, but since I was confusing chaumian cash with blind mac...no I'm not sure
08:25 < jtimon> also fellowtraveller confirmed to me just that: you cannot atomically trade assets in different servers
08:26 < adam3us> jtimon: the mechanism bitcoin is using to generalize a signature into a script is to augment the verification step in a way that is hashed into the sending address
08:27 < adam3us> jtimon: as the issuer doesnt even see your sending address during the issue process it can be whatever you wish
08:27 < adam3us> jtimon: rather than H(Q) it could be H(y=H(x) and ECDSA(Q))
08:28 < adam3us> jtimon: and i presume your atomic method uses some script referring to cross chain activities that the verifier must monitor
08:29 < jtimon> yes, or just conditional to a centralized timestamper that signs the hash of the tx before expiry
08:29 < adam3us> jtimon: well i think OT does not include an external timestamp maybe it is possible but they did not so far try to explore in that area
08:29 < adam3us> jtimon: so then yes i dont see that a certified blind sig is any different other than there is no coinbase issue, just issuer issue
08:30 < adam3us> jtimon: and the issuer issue is verified by checking the blind certificate signature (and the signature made by the certified key on the transaction)
08:31 < jtimon> and this could be all implemented in a pow chain, no?
08:31 < adam3us> jtimon: after its transferred normal block chain rules apply, unless you aim to refresh the blinding by refresh (redeem and immediately reissue)
08:31 < adam3us> jtimon: i think so
08:31 < adam3us> jtimon: why schnorr blind sig is interesting is that can even use bitcoin style keys with the same curves
08:32 < adam3us> jtimon: i didnt find an efficient simple ecdsa (there is a moderately efficient but ridiculously complex and experimental grade crypto assumption method involving homomorphic addition in damgard-jurik extension to paillier but i would not touch that)
08:33 < adam3us> jtimon: blind schnorr certificate is basically brands certificate with 0 attributes
08:35 < adam3us> jtimon: btw p5 and p6 give the chaum and schnorr blind sig
08:35 < adam3us> http://www.di.ens.fr/~pointche/Documents/Slides/1996_asiacrypt.pdf
08:36 < adam3us> jtimon: i think EC schnorr is probably preferable for size, security etc and compatibility with bitcoin while still a simple protocol with no hard to implement crypto
08:36 < adam3us> jtimon: eg you need 3072 bit blind RSA for same security as 256-bit blind EC schnorr
08:38 < adam3us> jtimon: also i propose generally bitcoin should add schnorr as a new signature type, because it has many flexibility, space and performance improvements in addition to supporting simple blinding where ECDSA does none of those things
08:39 < jtimon> so functionally this would allow secure off-chain transfers in addition to in-chain conditional transfers, no?
08:40 < adam3us> jtimon: i think it should allow everything you can do with non-blind sigs, though i am not sure how the security of your off-chain transfer works
08:41 < adam3us> jtimon: btw with brands credentials you can do "secure"  offline transaction even (where the double spender is later detected and loses their anonymity) probably of limited use in a "trust no one" model but interesting property
08:42 < jtimon> in freimarkets off-chain transfers are just transfers in "private chains", you have to trust the accountant
08:42 < adam3us> jtimon:  guess it should work then.  is the issuer also the accountant/transaction server?
08:43 < jtimon> if you trade assets in different private servers, you make the whole transaction conditional to a 3rd party centralized timestamp or to a transaction in a public chain before block Exp
08:43 < adam3us> jtimon: makes sense
08:46 < jtimon> I definitely need to study chaumian cash better
08:46 < jtimon> thank you
08:46 < jtimon> I'm going to eat now
08:47 < adam3us> try out the credlib library
08:47 < adam3us> the api is optimized for simplicity
08:47 < adam3us> there is an example program
08:47 < adam3us> using either chaum or brands
08:48 < adam3us> think of blind schnorr as basically brands with 0 attributes
08:48 < adam3us> http://www.cypherspace.org/credlib/
09:01 < adam3us> btw i lied and it seems i didnt actually get around to implement chaum credential support in credlib, though i was thinking of it, its been a few years since i worked on it so forgot status -- you need to replace the serial in libchaum.c with hash of your public key, or script hash
09:03 < adam3us> there are chaum signatures/cash but not chaum credential (where you can sign with the key certified in the credential) see above change
12:12 < michagogo|cloud> 01:49:09 <gmaxwell> (the closest I could find was ILS but it was fixed to the israel lira, which was fixed to the ukp, which was fixed to the usd (!), which was previously fixed to gold)
12:12 < michagogo|cloud> IIRC, it's slightly more complicated -- you had the Lira, which started as fixed to the GBP, but was unfixed at some point, then that became the Shekel, 10 Liras to 1 Shekel, and then the Shekel became the New Shekel, usually referred to as NIS here in Israel, but the currency code (ISO?) is ILS
12:13 < michagogo|cloud> 04:39:54 <gmaxwell> what a mess.. you hardware fractionalized and sold to people with no control over it.. who then mine at a single enormous pool which is full of these miners that can't vote with their feet.
12:13 < michagogo|cloud> IIRC, they can sort of vote with their feet -- I think I remember reading that if you have a certain number of GH/s credits on cex.io, you can "redeem" them and they'll ship you an equivalent miner
12:13 < michagogo|cloud> 05:21:57 <petertodd> double-spend warnings are going to make this really interesting given that gavin's planning on implementing them by broadcasting the whole tx
12:13 < michagogo|cloud> Hmm, I hadn't heard about that -- where can I find more information?
12:15 < petertodd> michagogo|cloud: IRC logs
12:15 < petertodd> #bitcoin-dev IIRC
12:15 < michagogo|cloud> Got a timestamp?
12:15 < michagogo|cloud> Well, if not -dev, then no accessible-to-me logs
12:16 < sipa> i think it was here
12:17 < petertodd> #bitcoin-wizards actually, 13-11-01
12:17 < michagogo|cloud> In that case, there aren't public logs
12:17 < michagogo|cloud> (or, shouldn't be according to freenode policy, since there's no link in the topic or join message)
12:18 < petertodd> well anyway, it's not rocket surgery: to prove a double-spend you have to relay the whole tx, so gavin wants to add code to relay the first double-spend seen for every tx in the mempool
12:19 < petertodd> ...which makes bandwidth DoS attacks hundreds of times cheaper in the best case
12:20 < michagogo|cloud> Hmm? Hundreds of times?
12:20 < michagogo|cloud> Why not twice?
12:20  * michagogo|cloud is sure he's overlooking something
12:20 < petertodd> yup, basically the double-spend could be a 100K transaction, while the original was just ~200 bytes or something
12:20 < sipa> and you only pay for the one that gets merged
12:20 < michagogo|cloud> Oh, right
12:20 < michagogo|cloud> of course.
12:21 < petertodd> yup. Beats me why gavin doesn't understand that, but whatever.
12:21 < michagogo|cloud> What are his counter-arguments?
12:21 < petertodd> He didn't have any.
12:21 < michagogo|cloud> Also: I assume he'd leave the "mine the first one you saw" rule?
12:21 < petertodd> yup
12:21 < petertodd> anyway, what's nifty about that, is it makes adopting replace-by-fee really easy for miners - no need to find peers that use that rule
12:22 < petertodd> heck, because the double-spend will be checked fully, the signatures might even be in the sigcache...
12:22 < michagogo|cloud> What's the sigcache?
12:23 < petertodd> just a cache of checked signatures - makes tx validation, and hence block validation, go faster
12:23 < michagogo|cloud> And yeah, sure -- there are plenty of reasons that relaying double-spends would be a good thing
12:24 < petertodd> I'm pretty dubious about the DoS potential - lots of fun things you could do with strategically slowing down propagation.
12:24 < michagogo|cloud> Ah, so if a transaction is relayed, the sig will be cached as valid, so that when it makes it into a block the sig won't need to be verified again?
12:24 < petertodd> Equally though, if you reduce the priority of double-spend notifications, then you can DoS to get away with a double-spend...
12:24 < petertodd> michagogo|cloud: correct
12:25 < michagogo|cloud> Yeah, the DoS is definitely problematic -- what about restricting the size of the double-spend relative to the original?
12:25 < michagogo|cloud> Or the fee, or the fee/kB?
12:25 < petertodd> The only way to do that is to restrict the size of transactions in general.
12:26 < petertodd> If you restrict by fee, then the value of the notification is lost. (unless miners adopt replace-by-fee semantics!)
12:26 < michagogo|cloud> What's wrong with "don't relay a double-spend more than X times the size of the original"?
12:26 < michagogo|cloud> Oh, I see
12:26 < petertodd> heh
12:26 < michagogo|cloud> I was just thinking about it in terms of replace-by-fee
12:26 < petertodd> Reality is, zero-conf is dangerous and we're stupid to try to do anything about that.
12:26 < michagogo|cloud> Right, there's also the "warn the merchant" use case
12:27 < michagogo|cloud> I disagree with the last part
12:27 < petertodd> Now see, *with* replace-by-fee it does make sense to relay double-spends with identical fee-per-kb to warn merchants, but that's it.
12:27 < petertodd> (that lets them use scorched-earth properly)
16:30 < amiller> in fact if the input space is bounded, as is the case with bitcoin, there's a nonzero chance that there's *no solution* and the blocks are jammed
16:31 < amiller> this doesn't matter because there's less chance of that happening than finding a collision
16:31 < amiller> as a design requirement it's important that the nonce + merkle root range is sufficiently large that this is very unlikely to happen
16:33 < amiller> this basically just fits into my point that there's no existing definition for "proof-of-work" that actually describes what's important for bitcoin
16:34 < amiller> the more important point is that if t is the number of steps needed to find a solution with probability 1 or nearly 1 or whatever, even taking just a small number steps should give you a solution with approximately probability 1/t
16:34 < amiller> that's the main thing that's obviously essential for bitcoin and *isn't even close* to part of anyones definition of proof-of-work
16:36 < gmaxwell> its interesting that you mention it, there was a nice argument with adam back on the forum where he was arguing that bitcoin should be using a proof of work scheme which had cumulative small work
16:37 < gmaxwell> and people arguing that it wouldn't work for bitcoin, basically because it actually broke up the stochastic lottery behavior and that we actually need it.
16:40 < amiller> yeah, there's lots of papers with "perfect proof of work" puzzles that take exactly t units to solve and any less has zero chance of success, and that's obviously no good
16:40 < amiller> it shouldn't be hard to modify the definition so that it's like
16:41 < amiller> you put in t units of work, you get.... well the equivalent of t lotto chances, binomial distribution, whatever
16:41 < amiller> subdivided down to whatever asymptotically small little chunk
--- Log closed Sat Sep 21 00:00:01 2013
--- Log opened Sat Sep 21 00:00:01 2013
16:37 < gmaxwell> http://www.smbc-comics.com/?id=3119#comic   "Use one-time signatures"
17:41 < gmaxwell> amiller: Can you help me understand why these extractability assumptions are required for 1-round and public verifier NP argument systems?  Why is it not sufficient to just argue that compromising these systems requires finding a collision for the one way hashes (for public verifiable, and PIR 1 round) or breaking the PIR privacy (for the PIR ones).
17:42 < amiller> gmaxwell, the extractability argument is the only commonly-accepted way of defining what it means to "find" a collision
17:42 < amiller> the point is that it rules out obfuscation
17:43 < amiller> if you could obfuscate the hash function then you could do something that's "like" finding a hash collision, but the hash collision is hidden, and since it's obfuscated you can't get it out, so is it really even there
17:47 < gmaxwell> I guess I'm missing how it connects.  Say I have a PCP system for my NP language which is complete, and with X queries is exponentially unlikely to accept falsely.  I construct a hash tree over it, and I use the hashroot to select a random verifier. Which runs, checks its X points and accepts. So this should be computationally sound for some X, as the prover would have to do retries exponential in X to get false acceptance.
17:48 < gmaxwell> So I don't see where I need to invoke anything stronger than the collision resistance of the hash function to make this work.
17:51 < gmaxwell> (also, as an aside, I don't really get the focus on delegated computation: any of these schemes have an effort blowup of far beyond 2x for the prover, if I don't trust my cloud provider I can just run my computation N times on N providers. :P   all the real applications I can think of for designated validator don't really need succinctness in the validation. ... succinctness is interesting in the publicly verified cases simply ...
17:51 < gmaxwell> ... because the verification will be done many times)
18:16 < amiller> gmaxwell, i'm pretty sure there are some pcp schemes for NP that are 1 round and only rely on collision resistance, and aren't succinct
18:17 < amiller> hm, i'm not sure actually, maybe that's not possible except with 2 rounds
18:17 < amiller> i know that a big thing in this area are the impossibility proofs that show that something like an extractability assumption has to exist
18:18 < gmaxwell> Yes, I've seen that mentioned but don't understand why.  A bunch of stuff is also about the PIR-based 1-round systems, which I don't give a shit about because they're designated verifier. (though I think the idea of using PIR to do compression of a PCP is pretty cool)
18:19 < gmaxwell> amiller: but intuitively, you have some PCP system where X random queries on it make it sound. You commit to it. Then the verifier does his X random queries checking the hashtree to make sure the prover can't adapt.  There you have a sound two round system.
18:21 < gmaxwell> If you replace the verifier's randomness with some function on the hash root, then a cheating prover can only reduce the soundness by whatever amount he can iterate, assuming the hash function is strong. And since the PCP system's soundness is exponential in the number of queries, adding a few more queries should be enough to achieve soundness against a computationally bounded prover.
18:21 < gmaxwell> So obviously I'm missing something but I'm not sure what.
18:24 < gmaxwell> Wading through papers is somewhat slow because I don't have a huge background in this field, and because I don't care about the succinct designated verifier stuff much, and it's like 3/4 of the papers. (since for bitcoin we either need public verification (e.g. for script or for bitcoin itself), or for things like my contingent payment protocol, we can have a designated verifier, but we don't care if its succinct)
18:25 < warren> I didn't vote in the election yet.
18:25 < warren> Any thoughts?
18:33 < amiller> you really need succinct public verification don't you
18:34 < amiller> i mean, designated verifier is almost always easier
18:36 < gmaxwell> Right. We need reasonably succinct public verification (secure against verifier oracle, in particular, though if push came to shove we can do a quasi-two-round public verification) for using this stuff for script, or for validating bitcoin itself.
18:37 < gmaxwell> (quasi-two-round: in some schemes we could reduce the size for a given soundness by using future block hashes for a committed proof to throw away part of the proof)
18:39 < gmaxwell> And yea, designated verifier is easier. I was just commenting that for the applications I have for designated verifier, I don't really give a crap about succinctness, except in so far that succinctness also seems to make it easier to be confident about zero knowledge for the cases where that matters.  I think the whole delegated computing idea is kinda dull.
18:40 < gmaxwell> warren: did you listen to / read the debate with the finalists?
18:41 < warren> gmaxwell: I missed that, searching
18:42 < amiller> gmaxwell, well this is the paper associated with that impossibility proof http://eprint.iacr.org/2010/610.pdf
18:42 < amiller> i don't understand it at any deep level though
18:43 < petertodd> gmaxwell: re: wealth: just make sure you use the right isotope
18:43 < gmaxwell> amiller: ah, thank you!
18:43 < gmaxwell> I note right away:
18:43 < gmaxwell> "The work of [Mic94] showed that such arguments can also be made fully non-interactive in the random-oracle
18:43 < gmaxwell> model. However, this leaves the question whether succinct non-interactive arguments (SNARGs) may exist in the standard
18:43 < gmaxwell> model."
18:44 < gmaxwell> Mic94 is the one that described the PCP scheme above where the commitment is the verifiers randomness. What a slog of a read that paper is.. its like 30 pages just to get to that simple system. :P
18:44 < gmaxwell> So perhaps this is all just not wanting to depend on the random-oracle model? pfft.
18:44 < amiller> yes definitely
18:44 < amiller> okay so the extractability stuff
18:44 < amiller> is strictly weaker than a random oracle
18:45 < amiller> collision resistant hash -> extractable hash -> random oracle
18:46 < gmaxwell> Considering that practically all digital signature algorithms in industry deployment have proofs that depend on random oracle, though ones that don't exist, I am suddenly less concerned.
18:46 < amiller> the hope is that something like extractability is a more limited assumption and maybe something satisfies it
18:47 < amiller> so when it comes to building security proofs of these things
18:47 < amiller> basically if you know a thing is extractable
18:48 < gmaxwell> I've read the paper that shows that things which are semantically secure under random oracle are not necessarily secure under _any_ realizable scheme but I felt it was pretty contrived.  I guess the thing that I was missing was just that extractable was supposed to be a more limited assumption than random oracle.
18:48 < amiller> then you get to say, suppose any arbitrary adversary produces a valid proof, then i can run an extractor on that adversary that produces the actual hash collision, and that extractor is only polynomially larger than the original adversary itself
18:48 < amiller> for a proof with the random oracle, you basically get to look at the oracle queries directly
18:50 < amiller> so logically it's almost as good, except that the extractor can get really big if you apply extractability over and over again to work backwards
18:50 < amiller> so extractability sucks, basically
18:50 < amiller> it's the worst of both worlds
18:50 < amiller> it turns what would be simple in the random oracle world into a really frustrating counting argument that doesn't seem to even increase security
18:51 < amiller> but it's still a really strong assumption anyway and non-falsifiable etc etc
18:54 < gmaxwell> amiller: thanks. Okay, I both understand this better now, and realize that I previously understood more of it than I thought.
19:50 < gmaxwell> Hm. I wonder if it's possible to get mintchip to do a hashlocked transaction.
19:50 < gmaxwell> If it could you could do secure btc/mintchip.
19:52 < phantomcircuit> gmaxwell, secure ish
19:53 < gmaxwell> well unless it could do timelock you'd have holdup risk.
23:27 < gmaxwell> In which I attempt a trustlessness smackdown: https://bitcointalk.org/index.php?topic=355016.msg3802226#msg3802226
--- Log closed Tue Dec 03 00:00:27 2013
--- Log opened Tue Dec 03 00:00:27 2013
00:08 < cork2> hey
00:15 < cork2> o________0
00:17 < Mike_B> gmaxwell: that's a very good post
00:25 < cork2> so how do I go about integrating a simple game to make a new alt coin
00:25 < Mike_B> has anyone in here looked carefully at the ripple architecture?
00:25 < Mike_B> i'm very interested in how consensus works vs proof of work
00:25 < Mike_B> i'm curious if it's possible to come up with the same sort of system but that doesn't require XRP and all that
00:29 < pigeons> Mike_B: probably not. The knock I've seen from people like amiller is that it may not work despite XRP
00:29 < pigeons> XRP is just a anti-abuse mechanism, not a part of the ripple consensus process
00:30 < Mike_B> well, a few things
00:30 < amiller> i've started trying to give ripple a thorough analysis with sample code experiments and such
00:30 < Mike_B> 1) i'm trying to figure out if XRP is really necessary to prevent abuse in the consensus process. i doubt it; seems likes they shoehorned it in
00:30 < Mike_B> 2) are you saying consensus itself is broken? if so, how?
00:31 < pigeons> its not to prevent abuse in the consensus process, its to prevent abuse of shared resources like ledger space and transaction capacity
00:31 < amiller> i'm really sure the consensus system is broken and totally preposterous
00:32 < amiller> it's not so much that it's broken, but that it only works under extremely optimistic conditions, which specifically amount in this case to "everyone uses the official validators list"
00:33 < gwillen> I am not sure the consensus system is preposterous
00:33 < gmaxwell> Mike_B: https://bitcointalk.org/index.php?topic=144471.0
00:33 < gwillen> but it's not clear they will ever switch to using the consensus system
00:33 < gwillen> from what they have right now, which is purely centralized
00:34 < amiller> they are "using" the consensus system
00:34 < amiller> it's implemented in their code, they're running the code
00:34 < gmaxwell> Mike_B: read more than just the initial message. I answered my own question and had a nice debate about their consensus system with one of their main developers.
00:34 < gwillen> can we just come up with a scheme to merge-mine an old-ripple-like consensus system into bitcoin
00:34 < gwillen> and then use that to kill off new-ripple by outcompeting it
00:34 < gmaxwell> gwillen: there is no need to have a consensus system for ripple!
00:34 < gwillen> er, old-ripple-like system, rather
00:34 < amiller> gwillen, that sounds reasonable to me
00:34 < gmaxwell> that was part of the attraction, the need for consensus was minimal to none.
00:34 < Mike_B> pigeons: how does bitcoin not have the same issue? transaction fees? i don't understand that
00:35 < amiller> gwillen, that's essentially what "Freimarkets" is
00:35 < gwillen> gmaxwell: well, the old ripple was purely centralized
00:35 < Mike_B> gmaxwell: thanks, i'll read
00:35 < gwillen> gmaxwell: I guess it's true that you do only need local knowledge of balances for the most part
00:35 < gwillen> gmaxwell: so you should be able to design a system that doesn't need centralization or consensus
00:35 < gmaxwell> gwillen: right, route finding doesn't need to be consistent, and the actual transaction only needs to involve the involved parties.
00:35 < gwillen> hmmm.
00:36 < gwillen> you do sort of want the actual transaction to be atomic
00:36 < amiller> i don't think you're right about the transaction only involving the involved parties
00:36 < gwillen> that might require some sort of commitment mechanism
00:36 < pigeons> gwillen: the ideas like that were here http://archive.ripple-project.org/Protocol/Protocol?from=Protocol.Index
00:36 < gwillen> if you don't care about atomicity then it doesn't really need one
00:36 < amiller> the whole point is you can change the ledgers of people who aren't online
00:36 < gmaxwell> gwillen: yes, the atomic kill is the complicated part.
00:36 < gmaxwell> amiller: then you could still have distributed 'proxies' who can play your role when you are not online, but again without requiring a global consensus.
00:37 < amiller> i'm pretty sure there's a good use for global (or at least somewhat larger scale) consensus even with that but what you're suggesting is still reasonable for the most part
00:37 < gmaxwell> gwillen: the atomic part is being able to unwind a transaction which has only partially completed.
00:38 < gmaxwell> amiller: I'm not saying you couldn't add one, but adding one makes scaling fundamentally harder. Global consensus should be avoided where its at all possible to do so.
00:39 < gmaxwell> gwillen: e.g. you're flowing credit  alice -> bob -> carol -> sue  and before it's established carol goes offline. And now you need to unwind the alice -> bob  reservation in order to setup a new path to sue.
00:41 < gwillen> gmaxwell: I guess you don't really need any atomic primitives for that.
00:41 < gwillen> local atomicity of operations on the links is fine
00:43 < pigeons> aw too bad jtimon isnt on at the moment, he had an interesting proposal for ripple transaction processing "2 phase commit model" or something
00:43 < gmaxwell> gwillen: it's somewhat tricky. So you're tearing down alice -> bob but then carol comes back online
00:44 < gmaxwell> It's solvable, I mean if its solvable globally its certainly solvable locally.
00:44 < gwillen> gmaxwell: at any given moment there is some participant who is 'furthest along' in the chain, and they know whether they are currently setting up or aborting
00:44 < gwillen> so it seems pretty doable
00:44 < amiller> i think that's a really bad solution
00:44 < amiller> i guess someone should implement it that way first, at least it's decentralized
00:45 < gmaxwell> Having to back it out the opposite way is somewhat inefficient.
00:45 < amiller> you basically get all your liquidity tied up in trades that aren't likely to complete
00:45 < gmaxwell> But yea, workable.
00:45 < Mike_B> phew, this is a very large thread
00:45 < gwillen> but yeah, offline functioning would be nice
00:45 < amiller> you also get people able to lie when they offer exchanges
00:45 < Mike_B> i'll read the whole thing before asking more questions
00:45 < gwillen> and since we have this distributed consensus ledger right here
00:45 < gwillen> seems like we might as well use it ;-)
00:45 < amiller> in other words if i offer to exchange 1 of your IOUs for any 1.5 of someone else's, i shouldn't be able to cause those trades to abort
00:46 < gmaxwell> amiller: hm? you can be reasonably confident that it's likely to complete.. and if someone lies you should be able to prove it.
00:46 < amiller> that's the advantage of having the orders committed into the ledger where they can be executed automatically
00:46 < amiller> no way you definitely can't prove it
00:46 < gwillen> yeah, I was mostly thinking of old-ripple
00:46 < gwillen> the trades and stuff in new-ripple require more machinery
00:46 < amiller> old ripple always involved trades
00:46 < amiller> you would set up a willingness to exchange one IOU for another
00:46 < amiller> maybe old ripple never actually had that :/
00:46 < gmaxwell> amiller: yea great, except when there isn't room in the ledger.
00:47 < amiller> you don't necessarily need a huge ledger
00:47 < gmaxwell> amiller: did old ripple have you only do trades against XRP to avoid the N^2 problem? but also thereby letting anyone with a trillion xrp walk away with all the IOUs? :P
00:47 < gwillen> old ripple didn't have XRP, or trades, or currencies
00:48 < amiller> no it didn't, but current ripple actually has that functionality implemented correctly in their api
00:48 < gwillen> under old ripple, everybody issued their own IOUs that were all pegged to USD
00:48 < gwillen> old ripple was more or less entirely unlike new ripple, really
00:48 < pigeons> you don't have to trade against XRP in new ripple
00:48 < amiller> whether their web front end presents that to the user is kind of different, and i don't think they made the wrong decision there necessarily
00:48 < amiller> they've done a thoroughly good job on the api, it's only the *whole underlying consensus mechanism* that doesn't work
00:48 < gmaxwell> pigeons: IIRC when I looked at some of their prerelease code all trade was really against xrp on the backend.
00:49 < pigeons> gmaxwell: it isnt
00:49 < pigeons> i construct my own paths
00:49 < gmaxwell> interesting. Is there actually enough usage of it that thats workable now?
00:50 < pigeons> recently they like to push that "hey you can just trade against XRP so you don't have to worry about all the combinations of pairs" but you can construct paths just as well that dont use XRP, and the pathfinding doesnt give preference to XRP
00:50 < pigeons> well enough usage is kind of subjective, but you can get rather large complicated paths now
00:51 < amiller> pigeons, you should make a walk through of this somehow, like a forum post
00:51 < pigeons> they've improved the server pathfinding engine a lot finally but you can implement your own and submit your own paths to be executed
00:51 < amiller> i don't think anyone else is using it or knows how
00:51 < pigeons> right but then they would do the arbitrage trades i'm doing
00:52 < pigeons> but look at the ripple_path_find api, and kind of chain and brute force it to every issuer the destination accepts
00:52 < pigeons> and every currency code
00:52 < pigeons> let me ask if i can share my friend's custom client with you
19:48 < petertodd> gmaxwell: ah, well that's a better argument come to think of it.
19:49 < petertodd> gmaxwell: although like I say, for the KDF use-case you might as well just make a whole bunch of them, targeted to specific cpu's
19:49 < petertodd> gmaxwell: use whatever one the user happens to have
19:50 < petertodd> gmaxwell: and... might as well make it memory-hard too, and get that extra 20W
19:52 < gmaxwell> petertodd: the premise under scrypt is really twofold: memory technology is uniform decreasing the attackers advantage, and that computers have a lot of gates as memory. Counter arguments are that once you are talking about power memory for a cracker might not be as uniform as thought, and when talking about power a computer doesn't actually have that much memory.
19:54 < petertodd> gmaxwell: yes, I'm not claiming that's a good premise, I'm claiming that in the case of a KDF *because* you have so much algorithm agility (make it a library!) optimal is to use a per-cpu-arch algorithm like your suggestion and make it depend on memory as well
19:54 < petertodd> gmaxwell: which means the salsa20 core in scrypt probably should be replaced by a series of algorithms that do well on simd
19:55 < petertodd> gmaxwell: dunno if you noticed but I did change my mind there :P
19:55 < gmaxwell> yea, sure, I don't think anything I've argued suggests that using memory is terrible, just that it may not be as automatically good as it seemed.
19:55 < petertodd> anyway, my *main* argument is that neither of us knows much about digital logic technology so...
19:56 < gmaxwell> sort of troubling that it seems no one has explored the energy cost angle on this. :-/
19:56 < gmaxwell> would be ironic if the recommended scrypt parameters lowered attack costs.
19:57 < petertodd> meh, wouldn't be the first time
20:46 < phantomcircuit> huh that's interesting
20:46 < phantomcircuit> gmaxwell, i think cex.io moved all their hardware
20:47 < gmaxwell> phantomcircuit: interesting!
22:38 < _ingsoc> Does anyone remember that guy who talked about rewarding miners for putting energy into the grid?
22:45 < justanotheruser> _ingsoc: seems interesting, but not sure how you can prove you put energy into the grid
22:47 < _ingsoc> That was the problem if I remember correctly, needed some physical layer.
--- Log closed Thu Jan 23 00:00:53 2014
--- Log opened Thu Jan 23 00:00:53 2014
04:27 < _ingsoc> So, get a hold of this Ethereum!
04:27 < _ingsoc> Thoughts?
07:32 < gmaxwell> adam3us: schnorr multisignature seems to be naturally sidechannel busting.
07:32 < gmaxwell> adam3us: e.g. you do 2-of-2 with the hardware wallet signing first... and the final R,S could be anything.
07:33 < gmaxwell> and avoids the other complexities with the device knowing what its signing when the signature is blind.
07:33 < adam3us> gmaxwell: yes.  i mentioned two variants of the wallet observer thing on https://bitcointalk.org/index.php?topic=428494.new#new
07:34 < adam3us> gmaxwell: the basic one that brands talks about uses blind sig so the wallet has no subliminal channel
07:34 < adam3us> gmaxwell: but using brands ZKP issuing protocol, you can also prove to the wallet what it is blind signing, so it can show it on screen for approval with a hw wallet with screen like trezor, and STILL not have a subliminal channel
07:35 < adam3us> gmaxwell: i'm sure brands covered that somewhere in his thesis, the guy is exhaustively inventive.
07:36 < adam3us> gmaxwell: but yeah the subliminal channel freedom is a beautiful thing to have as a building block
07:37 < gmaxwell> adam3us: Right but I believe that a regular 2 of 2 threshold signature has the same sidechannel elimination effect without requiring the ZKP proof of what it's signing.
07:38 < adam3us> gmaxwell: ah gotcha.  yes that appears to be true also :) and nice and simple
07:52 < adam3us> gmaxwell: btw other than adding cc other authors, about the private key issue, another step could be to make an ID / RFC on EdDSA as a complement to the safe curve focused ID that Watson Ladd on IRTF CFRG is doing.  i think the lowest 3 bits=0 is just an optimization, I don't immediately see why that can't be removed and multiply by 8 somewhere in the verification relation, and the bit 254 I think is just defensiveness
07:53 < adam3us> gmaxwell: ie bit 254 is not necessary for security, just that the montgomery ladder starts at bit 254 whether it's 0 or 1 to avoid a timing side-channel.  that's all if anyone had time/energy for an RFC process but it would be a natural way to extract feedback from the algorithm authors
12:25 < jtimon> maaku, what if we start with the private chains? http://freicoin.freeforums.org/freimarkets-t717.html#p6913
12:25 < jtimon> not sure if wrong forum or not...I'll say the same on #freicoin just in case
14:12 < petertodd> lol twister: https://groups.google.com/d/msg/twister-dev/h2ukT1msggc/Jbh-UPYPGiIJ
14:12 < petertodd> "May someone suggest a good free captcha generator for text that is OCR
14:12 < petertodd> resistant?"
14:12 < petertodd> apparently they have a namesquatting problem...
14:13 < petertodd> they also have implemented ripple-style soft-consensus to prevent rewrite attacks
14:13 < gmaxwell> uh.. how does that work with anonymous participation?
14:14 < petertodd> good question!
14:14 < petertodd> that's the lead dev suggesting that!
14:15 < petertodd> they don't even use namecoin-style two-stage commit-reveal, so an attacker can watch the network for new name registrations and register all new names for themselves
14:15 < gmaxwell> lol
14:16 < Luke-Jr> facepalm
14:16 < petertodd> I almost want to fire up some ec2 instances and 51% the network with empty blocks just to see how they'll react - it's a social experiment at this point
14:17 < Luke-Jr> I think I like how with namecoin, if two people register the same name concurrently, both lose their coins ;)
14:17 < gmaxwell> I take it this isn't merged mined?
14:17 < petertodd> gmaxwell: nope
14:17 < gmaxwell> sha256 pow?
14:17 < petertodd> gmaxwell: and they changed the block header so standard scryptminers don't work, but with some effort you can still modify litecoin scrypt miners to mine it
14:18 < gmaxwell> ah. scrypt.
14:18 < petertodd> gmaxwell: they added CBlockHeader.nHeight
14:18 < gmaxwell> and just made the header a bit longer or?
14:18 < petertodd> but they left nVersion=2 and the supermajority code in for nVersion=2!
14:18 < petertodd> gmaxwell: yup
14:18 < gmaxwell> that probably actually won't break the gridseed asics, the work generator is apparently microcoded.
14:18 < petertodd> gmaxwell: I haven't looked into how hard it'd be to adapt a scrypt miner to that
14:19 < petertodd> gmaxwell: oh nice!
14:19 < gmaxwell> (they have an on chip work generator and increment logic which is apparently all microcoded)
14:20 < petertodd> gmaxwell: amir was trying to convince them to just use namecoin
14:21 < gmaxwell> namecoin codebase is nearly unmaintained. :(
14:21 < petertodd> twister codebase is worse than unmaintained
14:23 < gmaxwell> hopefully once scrypt mining asics exist in large enough quantities to have driven everyone off gpu mining people will go back to making merged mined things.
14:23 < petertodd> meh, merge-mining is no perfect solution either - just makes it easy to be attacked early on
14:24 < gmaxwell> petertodd: changes who can attack, for something which isn't competing with bitcoin it's probably fine.
14:24 < petertodd> gmaxwell: you can be in trouble by competing with another merge-mined system you realize...
14:25 < gmaxwell> perhaps, but it's not clearcut. if 60% of your hashrate is really bitcoin miners who totally don't give a shit about any of these things attacking becomes hard.
14:25 < gavinandresen> gmaxwell: I think scrypt mining asics will just drive people to a wackier-proof-of-work coin (Quark maybe).
14:26 < petertodd> gmaxwell: easy to start offering people >100% paying shares to quickly buy hashing power for an attack
14:26 < gmaxwell> gavinandresen: That's a point!   "DDD coin's Proof Of Work involves ringing people's doorbells and running."
14:27 < gavinandresen> gmaxwell: lol
14:33 < petertodd> gmaxwell: anyway, I think I've got my "tree-chains" concept in decent shape: blockchain is a sharded tree, each node in the tree has left and right leaves that are half the difficulty of the parent node/chain. have participants have consensus about the contents of the blocks in the parent chain, and the blockheaders for left and right. the rule for left and right child chains is that full-diff PoW solution "locks" the order of the chain, so ...
14:33 < petertodd> ... re-ordering takes 51% with respect to the parent work. However contents are subject to 25% majority. You solve the "lost-data" problem by allowing the mining of a challenge - a tx that you want to see mined - and that tx must either be proved to be not minable (e.g. succinct MMR TXO) or prove that the tx was mined. If nothing happens, eventually the child chain can be re-orged.
14:34 < petertodd> Security guarantees are resistant to 50% attack for re-ordering transactions, 25% for censorship - however you can pay higher fees/work to force a tx to get mined. Done recursively you *will* get to the point where the PoW effort is too low to be secure, but at least that's an adjustable parameter.
14:34 < petertodd> It looks like merge-mining in a sense, but the challenge rule improves the security guarantees.
14:35 < petertodd> Dunno yet how you'd spend coins from one multi-level deep child chain to a different one - easy to think of cases where you allow inflation attacks.
14:37 < petertodd> gmaxwell: Note how all this is easiest to think about with per-tx work - IE one block == one tx. Also easiest to think about it in practice as a token transfer system - how you'd use it with unrestricted values is an interesting question given the inflation issue.
17:17 < arbart> what is the state of the art of enabling microtransactions?
17:37 < gmaxwell> no, I mean, you're not supposed to give away any keys at all. and it's pointless to do so, and I was pointing out that it was pointless to do so.
17:40 < michagogo|cloud> Oh
17:40 < michagogo|cloud> Ah, I see.
17:41 < michagogo|cloud> You were saying that the channel is non-transferable because even if you did give me your private key it wouldn't prove anything?
17:42 < gmaxwell> right, the _authentication_ is non-transferable. It convinces me, but not anyone else even if I give them everything I know.
17:42 < michagogo|cloud> Right, since you can't prove that you didn't create this message, only you can know for a fact that that's the case
17:43 < gmaxwell> yea, it's even stronger than that though; a ring signature gets you that too. e.g. either X or Y created the message (assuming X and Y kept their private keys private)
17:43 < michagogo|cloud> (well, I guess you could if you get into the realm of trusted hardware, e.g. a device that generates a key and logs everything done with it)
17:43 < michagogo|cloud> Or is that not the case?
17:44 < gmaxwell> with an auth via ECDH the message is the same as plaintext.
17:44 < andytoshi> i think this notion of "non-transitive information" is one of the weirder things to come out of modern cryptography
17:45 < gmaxwell> even with trusted hardware because you can't even verify anything at all without one of the private keys.
17:45 < michagogo|cloud> (As you may have noticed, I know ~nothing-very little about cryptography
17:45 < michagogo|cloud> )
17:51 < gmaxwell> andytoshi: well it's usually the color of the bits which is non-transitive rather than the information itself.
17:53 < andytoshi> gmaxwell: well, i can prove to you in zero knowledge that (say) i have a 3-coloring of a graph, and therefore that such a coloring exists
17:53 < andytoshi> and the existence of a coloring is a "solid" bit of information
17:53 < gmaxwell> different definition of 'color'.
17:54 < gmaxwell> required reading if you have not read: http://ansuz.sooke.bc.ca/entry/23
17:54 < andytoshi> hmm, yeah.
17:54 < andytoshi> i have indeed, a very useful article
18:00 < andytoshi> i'm not convinced that the existence of a 3-coloring is merely color though. it is a color on the bits of the actual coloring, sure, but the original graph is public knowledge and the fact of whether or not it is 3-colorable constitutes real context-independent information about it.
18:01 < gmaxwell> hm. you're right.
18:01 < gmaxwell> if we have a NIZK proof that the 3-coloring exists we clearly have information (1 bit, if your prior was uniform!)
18:02 < gmaxwell> and if we are the verifier in an interactive protocol, then we clearly have 1 bit too, because it's exactly the same as the prior case.
18:02 < gmaxwell> but if we are not the designated verifier, then we know nothing at all.
18:02 < gmaxwell> And that's weird.
18:04 < andytoshi> very. and we are deriving this bit of real information (the graph has a coloring) from the color of the 3-coloring (which the prover has but verifier doesn't). so there is also a sort of level-crossing between meta-information and information, and we see in eg the Gödel theorem that this level-crossing leads into all sorts of Weird Things happening
18:05 < andytoshi> ordinarily these kind of comments are just philosophical masturbation but with bitcoin we are assigning actual value to information and this blurring of categorical boundaries might have actual implications for how we ought to think about it
18:06 < gmaxwell> warning wank field detected.
18:06 < andytoshi> that's a really vague thing to say, sorry, i'm just spitballing
18:06 < gmaxwell> ;P
18:06 < gmaxwell> hehe
18:06 < andytoshi> :P
18:07 < gmaxwell> nah no need to apologize, I find myself contemplating interesting things like that often and thinking "hm this really should have some deeper consequence" but it often doesn't have any I can find.
18:07 < jron> gmaxwell: thank you for posting the hearing cap.
18:07 < nsh> and cloak of comprehension
18:19 < helo> gmaxwell: you're going to be one of the panelists tomorrow in NY, right?
18:20 < helo> otherwise there's no way we can make up for the litecoin "creator"
18:22 < jtimon> I read he said in miami that some people call him "satoshi lite"...still eager to watch his intervention...
18:23  * andytoshi would never be so vain as to take satoshi's name..
18:24 < sipa> recently a colleague asked me whether i was satoshi
18:24 < sipa> perhaps i shouldn't have answered in japanese
18:25 < brisque> andytoshi: that your nick is an anagram of satoshi is not a coincidence?
18:25 < sipa> anagram?
18:25 < c0rw1n> magarna
18:25 < gmaxwell> Ohayou asadimaska
18:26 < sipa> hajimemashite, satoshidesu
18:26 < gmaxwell> helo: they are doing more of this tomorrow?  And no, while I'm comfortable with public speaking I generally have the good sense to stay the heck away from official proceedings.
18:29 < helo> gmaxwell: yeah, there are three sessions tomorrow
18:30 < maaku> sipa: "If I was Satoshi with $1bn to my name, would I still be working here?"
18:30 < helo> the litecoin guy couldn't really even stay on topic... seemed like he just wanted to impress them with info overload
18:33 < Luke-Jr> sigh
18:34 < sipa> maaku: ha
18:35 < midnightmagic> maaku: I would. :)
18:35 < maaku> midnightmagic: wish I had your job :)
18:35 < midnightmagic> maaku: Oh, I don't mean my official job. I meant *in here*.
18:36 < maaku> oh heh, yeah
18:36 < midnightmagic> :-D
18:36  * michagogo|cloud wonders if there'll be recordings of the streams tomorrow as well
18:37 < jtimon> but sipa's colleague is from his official job, no?
18:37 < sipa> yes
18:38  * Luke-Jr thinks it's obvious who Satoshi really is, but *shrug*
18:38 < michagogo|cloud> Luke-Jr: o_O
18:38 < c0rw1n> obvious, really
18:38 < sipa> really?
18:39 < maaku> Al Gore, obviously
18:39 < tacotime_> I always knew he was a time travelling Japanese cat from the 42nd century.
18:39 < sipa> oh, right
18:39 < Luke-Jr> well, Sirius was the only developer "besides" Satoshi for a long time, and he was committing from the start of the git history..
18:39 < Luke-Jr> and left at the same time
18:40 < gmaxwell> please don't speculate about that kind of stuff.
18:40 < c0rw1n> gwern has an interesting, abandoned investigation on satoshi
18:40 < gmaxwell> if someone convinces people that you are satoshi, then you get the security costs of shithead nutbags thinking that kidnapping your family might be a great way to get an anonymous billion dollars.
18:40 < Luke-Jr> at all? this channel is still private, right? O.o
18:41 < maaku> Luke-Jr: this channel is now logged
18:41 < gmaxwell> and If you are _not_ actually satoshi, then the cost of security against that threat is really intolerable.
18:41 < Luke-Jr> meh
18:41 < Luke-Jr> maaku: I don't see that in the topic
18:41 < gmaxwell> Besides, we all know Satoshi was a time travelling Japanese cat from the 42nd century
18:41 < Luke-Jr> so it shouldn't be
18:41 < andytoshi> the logs are non-nonrepudiable fwiw
18:41 < Luke-Jr> gmaxwell: s/cat/doge/
18:42 < gmaxwell> Luke-Jr: though fwiw, the bitcoin history started on sourceforge and was imported into git.
18:42 < andytoshi> to Luke-Jr's point, the logs really should be mentioned in the topic
18:42 < andytoshi> i'm happy to strike anything that people request but people should be aware of it
18:42 < gmaxwell> so put them there, most of you are ops here.
18:43  * Luke-Jr kicks ChanServ
18:43 < Luke-Jr> :p
18:43 < gmaxwell> (I took the top N people by number of messages sent and made all of you ops, for N=10 or something)
18:43 < c0rw1n> if there are public logs i'd love to read them indeed, this being the most interesting #bitcoin-* i've found
18:44 < tacotime_> http://download.wpsoftware.net/bitcoin/wizards/
18:44 < c0rw1n> ok thx :)
18:44 < tacotime_> I would prefer it continue to be logged, as I read these regularly when my VPS dies.
18:45 < tacotime_> It's a lot of the more interesting Bitcoin related discussion.
18:48 < justanotheruser> jtimon: not really what I was looking for. A f2f network doesn't do much in terms of lack timing attacks and lack of knowledge of the network
18:50 < maaku> justanotheruser: it's probably the closest thing out there though ... as I said earlier, I wish there was a community of cryptographers & security people willing to work on adding those features to retroshare-like apps
18:50 < maaku> (hint hint)
18:52 < justanotheruser> maaku: Basically what I'm looking for is a network that is resistant to timing attacks (RS fails), doesn't require full network broadcasting (RS passes), doesn't give info about who you know (RS fails), and doesn't require the trust of your peers (RS fails somewhat)
18:52 < justanotheruser> I believe those criteria would make the ultimate anonymity layer
18:55 < maaku> justanotheruser: I think if you swapped out the retroshare crypto for stuff with forward secrecy, added pond-like random message delays, and use Tor with fixed message sizes you could get most of the way there
18:57 < justanotheruser> maaku: I was thinking everyone just sends 1kb out every 3 seconds. Most of the time your node should have something useful to broadcast, if not then you can temporarily leave the network (or maybe there's a better solution)
19:04 < andytoshi> justanotheruser: probably you want to broadcast random data so that even if there is no traffic it is hard to do analysis
19:06 < brisque> andytoshi: chaffing your connection would be difficult though. if you limited yourself to 0.3kb/s that's a ceiling you can't easily go past. as soon as you go above that it's fairly apparent that you're doing /something/. same issue as before.
19:06 < brisque> andytoshi: if you ramp up the chaff data to a useful level, you're suddenly burning terabytes a month for no real purpose.
19:07 < andytoshi> yeah, maybe there is a way to have chaff based on a rolling average of actual data usage
14:36 < eristisk> ...anonymous system architecture, but wouldn't such a large change in the protocol be extremely difficult?
14:36 < gmaxwell> Well, not just selling. I don't mean that there is room for pretext... that I think if you optimize for scalability OR privacy you end up with the same system.
14:37 < eristisk> You'd also make RMS happier. :)
14:37 < gmaxwell> eristisk: In practice everything is difficult.
14:37 < gmaxwell> s/pretext... that I think/pretext... I mean that I think/
14:38 < gmaxwell> e.g. in either case you end up with a system that does state commitments and then succinct proofs that the state updates were faithful.
14:39 < eristisk> In my admittedly imperfect understanding of how that might be implemented exactly, it would seem that the blocks would have 'metadata' about the transactions to prove that they were valid instead of transaction data itself.
14:39 < gmaxwell> and you learn nothing about the details of the transactions, except that which is disclosed by the final state as compared to the prior state... (meaning you lose all the information about transactions chains that happened entirely in a block)
14:40 < iddo_> with headers-only sync, Bitcoin blocks also wouldn't contain transactions, just txid hashes ?
14:41 < gmaxwell> eristisk: No, they don't... :)
14:41 < gmaxwell> iddo_: no, headers are just the 80 byte bitcoin headers.
14:41 < gmaxwell> no txids.
14:42 < iddo_> gmaxwell: but we could have blocks only with the txids, and miners keep locally the txns themselves (and transmit txns to peers upon request) ?
14:42 < gmaxwell> eristisk: so some quick background. It's possible to construct cryptographic proofs that a given output was the faithful product of running a specified program on a specified input (along with additional private inputs, optionally).
14:42 < gmaxwell> iddo_: filtered blocks can do that, via the bloom filter stuff with just a trivial set.
14:43  * eristisk goes back to study the byte map of transactions to try to figure out what could realistically be omitted in a state outsourcing system
14:43 < gmaxwell> eristisk: everything can be omitted.
14:43 < eristisk> I suppose so... kind of the point of hashing algorithms.
14:44  * nsh is dubious
14:44 < iddo_> gmaxwell: is it the devs' plan to incorporate filtered blocks to Bitcoin in the future?
14:44 < gmaxwell> iddo_: it's already there, for over a year.
14:44 < iddo_> oh?
14:45 < iddo_> satoshi client already sends blocks without txns? and txns separately upon request?
14:45 < gmaxwell> iddo_: it's not used for fetching between bitcoind nodes, someone ought to do some testing to show if it's actually faster once you consider the overhead of sending txids and the roundtrip latency.
14:45 < gmaxwell> iddo_: it can, if you ask it to.
14:45 < iddo_> cooool
14:45 < gmaxwell> eristisk: if you finish the prior block with a commitment to, say, in bitcoin today, the UTXO set.  Then you can have a program that takes in a prior utxo root hash as a public input, and then a bunch of transactions and utxo fragments as private inputs.. and it gives a public output as the new root hash of the utxo set.
14:47 < gmaxwell> and then a proof of this program's execution can be attached to the blocks. (and proofs can be constructed which are sublinear in the program's execution, even constant, depending just on the security parameters)
14:52  * nsh frowns
14:52 < nsh> there's a catch
14:52 < nsh> i'm pretty sure there's a catch...
14:53 < eristisk> ...essentially replacing the bulky transaction data itself with different data in the blocks containing the proofs of the cryptographic solution in the form of the new root hash to be used as public input for the next unsolved block?
14:55 < gmaxwell> eristisk: right. plus the extra data needed in the final state. e.g. if this was done directly to bitcoin today it would be new utxo created, and the data required to remove the old utxo. But intermediate ones (created and destroyed within a block) are not ever communicated.
14:56 < eristisk> Very large pools could analyse and save significant amounts of transactions in secret, however.
14:56 < gmaxwell> There have been some proposed blockchain redesigns that would reduce that further.
14:56 < gmaxwell> eristisk: perhaps, but you still don't know what's happening in blocks created by other parties.
14:57 < gmaxwell> (these same techniques can be applied to transactions themselves, and then you get what the zerocoin people are going to propose in their update. I'm just raising the level you do the proofs at to the whole block instead of the transactions.)
14:57 < nsh> gmaxwell, i'd sure like to see some toy model of SNARK proof verification in action over a distributed system
14:58 < nsh> because i just can't shake this niggling feeling that there's a catch...
14:58 < gmaxwell> nsh: go grab the pantry stuff then.
14:58 < nsh> pantry stuff?
14:58 < gmaxwell> nsh: oh there are all kinds of _practical_ engineering catches right now.
14:58 < gmaxwell> But the only fundamental catch is that you only get cryptographic soundness, not perfect soundness like bitcoin has now.
14:59 < nsh> modulo what assumptions?
14:59  * nsh checks https://github.com/srinathtv/pantry/
15:01 < gmaxwell> nsh: you can construct these things out of several different cryptographic assumptions. Including ones that basically just depend on the existence of one way functions. (though those do not achieve optimal efficiency so far)
15:01  * nsh nods
15:02 < nsh> ;;google knowledge-of-exponent assumption
15:03 < nsh> http://crypto.stackexchange.com/questions/6117/how-much-do-we-trust-kea1-assumption
15:05 < gmaxwell> nsh: the real catch in the system used behind that has nothing to do with KEA1 (and really what you'd need to ask about is just crypto in bilinear groups more than N-th power KEA)
15:06 < nsh> hmmm
15:06 < gmaxwell> it's that it's only publicly verifiable in the CRS model, e.g. there is a trusted magic value that everyone needs to be using.
15:06  * nsh reads amiller's post http://comments.gmane.org/gmane.comp.file-systems.tahoe.devel/7942
15:06 < gmaxwell> But as mentioned, it's possible to build such systems without that limitation. (though the proofs are not as insanely small in the things people have been coming up with)
15:07  * nsh nods
15:09 < nsh> can you formalize the argument that privacy is in some way proportional to communicative efficiency in a system of distributed ledger (or more generally a distributed many-party-input dataset)?
15:10 < nsh> it makes sense intuitively that there's an overhead to bearing deanonymising information
15:10 < gmaxwell> nsh: probably. I mean, I gave the adhoc outline of the argument... right.
15:10 < nsh> but it'd be nice to think about it more mathematically perhaps
15:11 < nsh> oh, i wonder
15:11 < nsh> if you can apply a thermodynamic analysis to the system
15:12 < nsh> with information that can be destroyed/discarded without affecting the security of the system being analogous to waste heat
15:12 < gmaxwell> there is a counting argument.
15:12  * nsh nods
15:13 < gmaxwell> There are many ways to get from state A to B. An anonymous system doesn't care which one you take, a non-anonymous system does.
15:13 < nsh> right
15:14 < nsh> all we care about is certain rules about the traversal from the space of A to the space of B
15:14 < nsh> not the exact paths
15:15 < nsh> so the compression/succinctness is a product of symmetries defined by our agnosticism
15:15 < gmaxwell> probably easier to just compute the entropy of the deanonymizing information and say you save that. Though it's a little more complicated: if a coin used this states-and-proofs approach it would also compress away a bunch of non-anonymity related overhead.
15:15 < gmaxwell> And so you'd just get the anonymity savings as a side effect
15:15 < nsh> oh, hmm
15:16 < nsh> what other overhead is saved?
15:16 < jtimon> gmaxwell it seems to me that Peter Todd's proposal for an inputs-only chain would be both more scalable (because miners' validations become simpler) and more private (because no miner gets full transactions)
15:16 < jtimon> at least more "spherically scalable"
15:16 < gmaxwell> jtimon: it's orthogonal! ideally you combine these things. The proofs prevent linear complexity from signatures, the MMR stuff keeps the state space minimal.
15:16 < jtimon> but the problem remains, why would miners mine in such a system
15:17 < gmaxwell> (that's also why I kept qualifying above as "if we were to do this as bitcoin is today")
15:17 < jtimon> yeah, I mean combining his proposal with full-block snark
15:17 < jtimon> I se
15:17 < jtimon> e
15:17 < gmaxwell> nsh: e.g. there are 2^big ways to satisfy a typical scriptpubkey.
15:17 < gmaxwell> nsh: which of those you used would be hidden.
15:17 < nsh> oh, right
15:18 < nsh> there are advantages to script transparency though
15:18 < nsh> for contracts, etc.
15:18 < gmaxwell> nsh: sure, but you can make them transparent directly between the users.
15:18 < nsh> right
15:19 < gmaxwell> No system that discloses the transactions can have better than linear scalability in the size of new blocks for full nodes. ... 'cause you receive data per transaction.
15:19 < gmaxwell> instead you use some snark and you end up with sublinear communications and validation complexity. The larger the system the bigger the advantage.
15:20 < nsh> but there is some preprocessing cost, or something
15:20 < gmaxwell> there are constants.
15:20 < jtimon> yeah, that would be the scalability vs centralization tradeoff
15:20 < gmaxwell> jtimon: I don't think there is.
15:21 < jtimon> you say the bigger the system the bigger the advantage
15:22 < jtimon> wouldn't a system that processes 1 M tx per snark block imply more centralization than one that only processes up to 100 tx/block?
15:22 < gmaxwell> jtimon: I don't see why?
15:23 < gmaxwell> just talking about the miner's computational costs?
21:22 < petertodd> adam3us: yeah, that's an interesting question: you really want a nothing-up-my-sleeve source of non-compactable random data!
21:22 < adam3us> petertodd: we've got one :) the block chain
21:22 < petertodd> adam3us: interesting problem to get bulk nothing-up-my-sleeve numbers - good opportunity for being overly cute
21:22 < petertodd> I was gonna say...
21:23 < petertodd> though even then you'd probably want to encrypt the blockchain with a CBC cipher to properly randomize it
21:23 < adam3us> petertodd: relatedly i proposed on CFRG using the block chain to prove NUMS / uncooked Elliptic curve parameter generation
21:23 < petertodd> ha nice
21:23 < adam3us> petertodd: i think its actually much better than the alternatives and the current state of the art which is quite gamable
21:24 < petertodd> adam3us: what's the state of the art?
21:24 < adam3us> petertodd: that someone makes up a nice story about how they didn't cheat, like they publish the generation algorithm, code, and then feed it a seed like pi or a quote and say see "tada we couldn't have cheated"
21:25 < adam3us> petertodd: except there are 100s of bits of choices hidden in there..
21:25 < adam3us> petertodd: which means the choices could've been ground (doh!)
21:25 < petertodd> adam3us: oh right
21:25 < petertodd> adam3us: well don't they usually pick the *first* bits of pi?
21:26 < adam3us> petertodd: yes but i mean the code itself, the endian choice, the order the options are considered etc
21:26 < adam3us> petertodd: http://www.ietf.org/mail-archive/web/cfrg/current/msg04019.html
21:26 < adam3us> petertodd: (its quite short and bitcoin amusing)
21:26 < petertodd> adam3us: sure, but not that many bits there...
21:27 < adam3us> petertodd: i reckon you could find quite a few if you tried  see you are selecting curves on lot of complex rules, so which rule you reject first, that affects the choice
21:27 < petertodd> adam3us: ah, yeah I'll admit using the blockchain to prove you didn't try the whole process twice is nice
21:27 < adam3us> petertodd: many arbitrary decisions = grindability
21:28 < petertodd> adam3us: though don't make it double sha256, do it timelock crypto style so that to brute-force select would take longer than a block interval :P
21:28 < adam3us> petertodd: the certicom guy was saying hash like nasdaq closing prices, but then after the fact it's not as convincing.  blockchain is like a transferable irrefutable self contained proof!
21:28 < petertodd> yup
21:29 < adam3us> petertodd: i like it :) i mean its actually a useful improvement
21:30 < petertodd> adam3us: I think I posted that on the cryptography mailing list, or if not that my "add together n previous blockhashes" idea that averages them all together
21:31 < petertodd> timelock works really well in this case because you don't care how long it takes to verify the process
21:33 < petertodd> adam3us: might be interesting to do some timelock crypto competitions with the memory-latency-hard technique - encrypt a private key of course and first to decrypt gets to spend it
21:33 < adam3us> petertodd: oh yeah i think i remember that post now you mention it.. maybe it stuck in my subconscious
21:33 < petertodd> adam3us: be nice to get some lower-bounds there
21:33 < petertodd> adam3us: I'm pretty sure there's nothing with better latency for large amounts of ram out there than commodity hardware
21:33 < adam3us> petertodd: out comes the watercooled monster box :)
21:34 < petertodd> adam3us: yup
21:34 < petertodd> adam3us: which reminds me: one of the hard things about all this asic-hard stuff is PoW doesn't need to be reliable, while even the worst consumer hardware is fairly reliable
21:34 < adam3us> petertodd: my cpu is good (4.8ghz hex core) but i didn't splash for fancy ram
21:34 < petertodd> adam3us: that costs you speed
21:35 < adam3us> petertodd: exactly, yes.  (reliability argument) i think one of the asic hw people commented on that
21:35 < petertodd> with a big enough bounty it could be a good way to test the "single round of foo hash" idea
21:35 < petertodd> adam3us: butterfly labs for one implements that
21:35 < petertodd> adam3us: though we *are* lucky that overclocking is still popular
21:38 < adam3us> petertodd: oc is cost effective.  that 6-core sandybridge is faster than i think just about any single socket xeon for 3x the price (or worse if you go for dual socket costs)
21:39 < adam3us> petertodd: ghz*core speed assuming parallelizable tasks.
21:39 < petertodd> heh, it'd be hilarious if all our efforts at ASIC-hard PoW just leads to more hardware designed for overclockers :P
--- Log closed Fri Jan 17 00:00:09 2014
--- Log opened Fri Jan 17 00:00:09 2014
01:10 < maaku_> petertodd: that wouldn't be a bad outcome
01:11  * maaku_ dreams of commodity supercomputers
01:57 < CodeShark> opinions? https://github.com/CodeShark/bitcoin/compare/coinparams_new
02:21 < wumpus> CodeShark: I'm ok with moving more chain-specific configuration (such as MoneyRange) to chainparams, but adding all those redundant hashing algorithms isn't going to make it into mainline imo
02:21 < CodeShark> right, I realize that - I was considering a plugin model
02:22 < CodeShark> scrypt.so, hash9.so, etc...
02:23 < wumpus> hmm I don't know
02:23 < CodeShark> or perhaps a compiletime flag to statically link to a particular hash function
02:23 < wumpus> I'm all for making the source more modular, and making it into libraries, but loadable libraries brings a lot of problems of their own
02:24 < CodeShark> what are your concerns?
02:25 < wumpus> security mainly, incompatibility, general so/dll hell
02:25 < wumpus> for now I'd more like a modular approach based on libraries (which can get statically linked into the end product)
02:25 < CodeShark> so then perhaps a way to specify a list of static modules to link at compiletime
02:26 < wumpus> or make it possible to install the bitcoin core as a library, so that actual implementations/daemons can compile and link against it
02:27 < wumpus> or other applications that may need the bitcoin consensus stuff for their own purposes
02:28 < wumpus> anyway, lots of options, but: no altcoin specific stuff in bitcoin/bitcoin please
02:28 < CodeShark> for other applications I'm thinking more of a service-oriented architecture, with a core engine providing runtime services to other processes
02:29 < CodeShark> yeah, the intention wasn't to merge the altcoin specific stuff in bitcoin/bitcoin
02:29 < CodeShark> just to expose the ability to customize the core engine
02:29 < wumpus> okay
02:30 < CodeShark> the inclusion of scrypt and hash9 in particular is a total hack at this point, just intended to test the basic idea
02:34 < CodeShark> I'm also thinking that rather than trying to parametrize things like block reward and retargetting rules it would be better to also use a statically linked module approach
02:41 < wumpus> let's move this to #bitcoin-dev
08:20 < adam3us> amiller: when you're awake about fractional blocks, I am wondering if there is an incentive issue.  if a 0.1 block collects .1 of fees and is easily orphanable by a powerful miner, what motive do they have to not selfishly orphan it to collect the other 10% of the fee.
09:39 < _ingsoc> andytoshi: Where are the -wizards logs again?
09:40 < andytoshi> _ingsoc: http://download.wpsoftware.net/bitcoin/wizards/
09:41 < _ingsoc> Ty.
09:41 < michagogo|cloud> (That really belongs in the topic...
09:42 < andytoshi> no worries, i'm afraid you'll have a lot to scroll through, the last three days have been obscenely busy on this channel
09:42 < michagogo|cloud> )
13:36 < gwern> I believe we were discussing ethereum before? might be of interest: https://bitslog.wordpress.com/2014/01/17/ethereum-dagger-pow-is-flawed/ http://www.reddit.com/r/ethereum/comments/1vgqa7/ethereum_dagger_pow_function_is_flawed/
13:36 < Ursium> hi gwern, yes i saw that
13:37 < Ursium> i believe the founders are aware as i remember reading about this very issue a while back.
13:39 < petertodd> Ursium: that's not a very good analysis: sequential memory hardness isn't all it's cut up to be for real-world hardware designs
13:40 < Ursium> petertodd: i see!
13:40 < petertodd> Ursium: not to say his point is necessarily invalid, but what needs to be done is to get an *actual* hardware engineer on board rather than just a bunch of software people theorizing about what makes something asic hard
13:41 < Ursium> makes sense. Will be interesting to follow for sure
13:42 < sipa> (upcoming ad-hominem) the author suggesting x86 as script code doesn't inspire much confidence
13:42 < petertodd> sipa: +1
13:43 < maaku> i think there's a valid technical point in that ad-hominem
13:43 < Ursium> sipa: i believe they suggest C-like scripting which converts back to a very limited set of opcodes - so only interactions with the blockchain etc. What do you guys think?
13:43 < sipa> maaku: yes, but it's irrelevant to the issue being discussed
13:44 < maaku> Ursium: see the logs for the past few days. we've had some interesting discussions about what you can do with a more powerful script
13:44 < maaku> mostly related to covenants
13:44 < petertodd> Ursium: the idea of extrospective scripts is a good one, how to implement them is another issue
13:44 < maaku> you would *not* want to do so using an ad-hoc CISC language, however
13:45 < petertodd> maaku: speaking of: you realize that for colored coins and many other covenants, you actually only need to look *backwards*, so they aren't really covenants and have no issues
13:45 < maaku> you'd need something amenable to static analysis (e.g. a strongly typed stack language)
13:45 < petertodd> maaku: or a single type :P
13:46 < maaku> petertodd: ? for CC you need to look at the outputs of the current transaction to avoid inflation
13:46 < maaku> well, functions/combinators are types...
13:47 < maaku> michagogo|cloud: I'm allowed to op, but not change the title for some reason. Is that a different permission?
09:30 < amiller> gmaxwell, that transaction was made by the authors of the paper
09:30 < jtimon> iddo someone asked me yesterday for an atomic transaction in which one party gets a decryption key for a file, is that possible?
09:30 < jtimon> because I said no
09:30 < gmaxwell> jtimon: it's possible.
09:30 < jtimon> what's the coin toss protocol?
09:31 < gmaxwell> I described the required protocol a couple years ago.
09:31 < gmaxwell> jtimon: https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
09:33 < jtimon> but the password gets revealed for everyone right?
09:35 < gmaxwell> jtimon: uh, it can be just a password for a one time encryption for that recipient, no one else gets the encrypted data.  Alternatively, you can apply the "CoinSwap" encoding, so that the only txn that shows up in the blockchain is a 2 of 2 escrow, so long as the participants cooperate.
09:36 < gmaxwell> (basically in coinswap we show how to take any script releasable escrow transaction and keep the real release details a secret, so long as the players play fair; if they don't play fair the details get leaked but the funds still go to the right place)
09:36 < jtimon> I see, you can encrypt to certain public key
09:38 < jtimon> well, extro24 wanted to use it for authors to "sell content", DRMed content, I don't like the idea
09:39 < jtimon> but it seems it would be actually possible
09:39 < jtimon> what other use cases do you find interesting?
09:41 < gmaxwell> well it's not usually that interesting for "sell drmed content" since you don't really have a machine test that you'd like the content or something. So you're stuck trusting the seller that the key he gives you is a key for something you want.
09:41 < jtimon> oh, yeah, that's actually what I told him
09:41 < gmaxwell> for things that you can test with a machine my protocol could be used.
09:42 < gmaxwell> For example, "I'd like to buy the master key that cracks the drm scheme on these books"
09:42 < jtimon> how does the network know that the secret decrypts the content without actually revealing the content to everyone?
09:42 < gmaxwell> jtimon: you prove it out of band.
09:42 < jtimon> with snark/scip no?
09:43 < gmaxwell> Basically I prove to you that X is the hash of the key you want, out of band.  Using some kind of ZKP, doesn't have to be a SNARK but thats one way of course.
09:43 < gmaxwell> Then you make a transaction that can be redeemed if the person reveals a value that hashes to X.
09:44 < jtimon> this is the "I'd like to buy the master key that cracks the drm scheme on these books" use case?
09:44 < jtimon> no, in general
09:45 < gmaxwell> In general.
09:45 < gmaxwell> go read the webpage. :)
09:45 < iddo> gmaxwell: so do you think that it's possible to do a refund txn for a txn that had inputs of both Alice and Bob, i.e. the refund txn redeems (with locktime) both the coins of Alice and the coins of Bob, or Alice can cheat because Bob only sees the hash of what he signs?
09:45 < jtimon> yeah, sorry
09:47 < gmaxwell> iddo: it can be done, but its messy.
09:47 < iddo> how? :)
09:48 < gmaxwell> iddo: bob makes a transaction moving his coins. But doesn't annouce it. He tells alice the txid. ...
09:48 < gmaxwell> iddo: alice writes a txn spending those coins and hers but doesn't announce it,  she writes a refund and gives the refund (only) to bob and has him sign it.
09:48 < gmaxwell> then after he does she gives him her escrow. and if he likes it, he announces his original move.
09:49 < iddo> ahh
09:49 < iddo> not too messy
09:50 < iddo> but more txns that would need to be broadcasted if both parties are honest, that's true
09:50 < gmaxwell> well, not on paper it's not. The problem is that any time you add an extra level of interaction you really make implementation in the real world messier. e.g. more round trips that can time out that you have to handle. :) and yes, more tx data.
09:50 < jtimon> hehe "because we're computer geeks we have no friends who can act as trusted mediators"
09:54 < epscy> gmaxwell: what are your thoughts on Quark?
09:58 < gmaxwell> epscy: that moronic altcoin that just uses every hash function out there? Well. moronic. doing that confers no specific advantage.
09:59 < gmaxwell> Even if you were to say asic resistance was desirable, it doesn't have that result, it increases the NRE but not the marginal costs, which makes an asic monopoly more likely (or a successful attack by a powerful entity who could eat the nre)
10:06 < jtimon> gmaxwell, this is very cool, I'm thinking voluntary computing, what limitations has the function H ?
10:06 < petertodd> gmaxwell: I noticed those txn's ages ago; I hadn't figured out what they were doing however
10:07 < gmaxwell> jtimon: it just has to be able to run inside your proof environment.
10:09 < jtimon> like a BOINC program? I doubt gridcoin has a p2p issuance solution, but it would be interesting
10:15 < gmaxwell> jtimon: it doesn't really make sense for boinc though, because the proof systems have quite high overhead. A lot of the theoreticians writing about snarks talk about delegation applications, but as far as I can tell they're on drugs. :)
10:15 < gmaxwell> (e.g. your problem was slow enough you needed to delegate it, so first you embed it in a proof system that makes it 1000x _more_ expensive)
10:15 < jtimon> yeah, that's what I was asking for with the limitations of H
10:16 < jtimon> ok, it doesn't pay
10:16 < gmaxwell> it works in cases where you have a NP search and you want to pay people for the answer, not the work.
10:16 < gmaxwell> In which case the verification of the answer is fast, but not the search.
10:17 < jtimon> mhmm, maybe scientists could code their voluntary computing programs in a way that people search for those answers and only prove them when they find them
10:18 < gmaxwell> I suppose, indeed, you can POWize any program by just defining some answers as distinguished.
10:18 < jtimon> but each case would be different, in some cases you won't be able to code those incentives
10:18 < gmaxwell> not necessarily.
10:19 < TD> gmaxwell: the why_hash_locked + scipr protocol should maybe be on the contracts page. as that seems like a very general approach to contracts
10:19 < jtimon> hmm POWize ANY program?
10:19 < TD> gmaxwell: would you mind if i copied it or linked it from the contracts page? any preference as to which?
10:22 < gmaxwell> TD: You can go ahead and link it. There are a bunch of links to it elsewhere, and I don't want to maintain two copies.  I should probably go move it to [[Zero Knowledge Contingent Payments]] or something like that, and then the original will at least have the move redirect.
10:22 < TD> ok
10:23 < TD> i suppose this is conceptually similar to oracle payments, except if the function you wish to gate the money on is pure then you can avoid the third party
10:27 < gmaxwell> if the oracle's inputs are either untrusted or authenticated, then you basically have the payee run the oracle for you and prove he did it right.
10:29 < TD> yeah. but often you want to access some external state. if the state is signed (+timestamped?) then this construction is indeed better. otherwise the third party is still needed.
10:29 < TD> i really wish TLS had an ability to sign traffic streams. sigh.
10:30 < jtimon> gmaxwell we could issue freicoin foundation funds as bouties for "scientific solutions" this seems perfect for the job
10:30 < gmaxwell> Right, an interesting point is that you could separate out the authentication and computation parts. E.g. have a trusted third party who connected to the site and signed the results.
10:30 < TD> right. that's true.
10:30 < TD> a generic TLS signing gateway would be useful for many things, like the p2p exchange thing too.
10:31 < TD> i guess you quickly get back to the tor issue of how do you stop people abusing you as a generic anonymizing proxy for wiki abuse and things
10:31 < TD> but perhaps simply restricting to HTTP GET fixes 90% of that
10:31 < TD> you don't need POST if you do a login out of band, and then simply do GETs with your cookies to obtain provable statements of things, and http responses already contain timestamps
11:00 < michagogo|cloud> 15:33:42 <gmaxwell> phantomcircuit: shesek has legal advice that says its not an escrow. Who knows.
11:00 < michagogo|cloud> If it matters, I understand he's based in Israel
11:56 < TD> gmaxwell: the pay to certificate idea seems like it can open up a whole bunch of interesting areas, like decentralised insurance schemes ...
11:56 < TD> where actuaries are replaced with market-based mechanisms instead.
11:56 < TD> the only human component becomes actually verifying that a specific event did take place in the real world.
11:58 < TD> pay-to-proof feels like a whole talk waiting to be given, actually
12:01 < gmaxwell> TD: yea, but not with open questions: no one wants to answer the question that will arise when someone points out that decentralised insurance schemes require an is-someone-dead oracle. And that an assassination market and a life insurance market are /very/ nearly the same thing.
12:01 < TD> but those things can be done in the centralised model too. as andy greenberg has shown.
12:03 < TD> i wonder if there are more efficient special case protocols for ZKProving signatures and cert chains
12:03 < TD> than snarks
12:03 < gmaxwell> It's true, I don't actually worry about those uses much; people are actually less evil than we worry they are in general, in any case. But it just makes for some awkward conversations esp if you find yourself in a room that contains people who think that such an application would be a good use.
12:03 < TD> i expect assassination markets to shrivel up once the people running them notice bounties on their own heads ...
12:04 < TD> that's a double edged sword for real, aye
12:04 < andytoshi> i always assumed an assassination market would be set up by a rogue bot
12:04 < andytoshi> not even in a terminator-style encounter, just some stupid bug
17:22 < gmaxwell> andytoshi: one somewhat annoying thing about the fee/donation stuff is that it makes it impossible to go from round inputs to round outputs.
17:23 < gmaxwell> andytoshi: hm. also, can you perhaps have some ajax reloader thing, and perhaps play a chime or popup an alert when its time to sign?
17:23 < andytoshi> oh, sure
17:23 < andytoshi> i guess i should whitelist my own domain on noscript.. :P
17:24 < gmaxwell> maybe just have it display a countdown... and when it hits zero. popup a window/play a beep.
17:24 < gmaxwell> I missed the testnet one I threw coins into earlier. :P
17:25 < andytoshi> i think, i'll have the "there are XYZ seconds until whatever" displays count down everywhere, and i'll see about playing a beep
17:25 < andytoshi> whenever i google for things like "how to play sound using javascript" the forum posts that come up are so sad...
17:26 < andytoshi> fwiw, these never expire, you can F5 the 'sign.php?session=whatever' page for ever and ever
17:26 < gmaxwell> "Sorry, but this session has been invalidated. Probably there were not enough transactions to do a merge."
17:26 < andytoshi> ah
17:27 < andytoshi> that'll happen regardless of how closely you follow it, unless you submit multiple transactions yourself
17:27 < andytoshi> maybe i should extend the window rather than invalidating transactions?
17:27 < andytoshi> i don't want it to happen that somebody submits a transaction, nobody else does for a day or two, and then when finally people use the coinjoiner, it's got some forgotten transaction poisoning the pot
17:28 < gmaxwell> just document.write a tag... <audio autoplay><source src="http://foo.wav" type="audio/wav"></audio>
17:29 < gmaxwell> yea, you don't really want a old transaction jamming it.
17:30 < gmaxwell> What you could do is split off the old pot and start a new pot. The old pot can still get more txn added, but only if someone gets directed to it by ID.
17:30 < gmaxwell> e.g. I could add a txn to the pot, and email you a link directly to the pot. and it fails because no one else adds... and 24 hours later you can add a coin to it, then it'll go into signing X time after.
17:32 < andytoshi> yeah, that's a good idea, and it takes literally no code to implement..
17:32 < andytoshi> i just have to comment out the "set status = invalid" line in the cronjob :P
17:32 < gmaxwell> you might want to have it check if the inputs are unspent and set it to invalid if any of them are spent.
17:34 < gmaxwell> e.g. if I put a coin in, send you a link. Then you don't notice the email, and I give up and join another session .. and my coin is spent.. later when you load the link it won't invite you to add more coins to a dead one.
17:34 < andytoshi> yeah, it should
17:35 < andytoshi> there is code which does that before it switches to signing mode
17:35 < gmaxwell> (or even just: if a coin is spent, you remove it from the mix, and if the count goes to zero the mix is invalidated)
17:37 < andytoshi> cool, done
17:38 < andytoshi> i should also add code so that if outputs are spent during the signing phase, that also invalidates things
17:38 < andytoshi> inputs*
17:41 < gmaxwell> just check on every load of the signing page, perhaps?
17:43 < andytoshi> nah, the pageloads are handled by PHP, i'm trying to avoid doing any real work in there..
17:44 < andytoshi> i have a perl script which transitions to the next session, it does all the merging and validation checks
17:47 < andytoshi> well, that's not true, when you submit a transaction PHP does a spot check
17:50 < gmaxwell> not critical, but checking there would save some time signing a doomed transaction.
17:55 < andytoshi> i think i'll run the perl script every minute or two
17:56 < andytoshi> it should really know how long a session is supposed to be alive..
18:46 < amincd> 20.
19:19 < andytoshi> gmaxwell: i think i've got the coinjoiner working, with the ding and the autorefresh and the frequent checking of transaction validity
19:19 < andytoshi> i still have not updated the tiebreaker code for most popular output to take into account roundness of numbers..
19:21 < andytoshi> i'm really happy with how this is turning out, i do wish there was a nicer UI than "run these rawtx commands"
19:23 < michagogo|cloud> andytoshi: You could make a script or set of scripts for assorted languages to use the rpc interface to make a nicer UI
19:31 < gmaxwell> andytoshi: well, next step can be to write a client for it. :P
19:31 < nsh> use predicates
20:14 < maaku> gmaxwell: "The general idea is that the merging party can just make a list (blindly) mapping their inputs to outputs, give the list to all players, and commit to the list so that all players know they got the same list." <-- that's how I always understood the protocol, and what the one I'm working on does
20:14 < maaku> I guess I don't understand phillipsjk's attack?
20:16 < gmaxwell> e.g. you and I want to coinjoin and both of us want to pay 1 BTC to 1wikileaks (perhaps among several other outputs we want).
20:16 < maaku> ok
20:17 < gmaxwell> in the most straight forward construction the merging host could have just one 1BTC output to 1wikileaks,  and if you and I don't know about each other we'd inspect the transaction and each say "yep, 1btc payment to wikileaks, good to go"
20:18 < gmaxwell> meanwhile the merging host had just added in an extra 1btc payment to themselves.
20:19 < maaku> so in the version I'm working on, the merger (I call him the joiner) makes a proposal by referencing offers signed by each participant
20:19 < maaku> so we could, in principle, check that each others requirements were met and not double-count the donation
20:19 < maaku> but yes, I understand the problem now and I hadn't considered it
20:20 < maaku> my naive implementation would have just checked the user's own requirements and could fall victim to that
20:20 < gmaxwell> yea, it's perfectly solvable.
20:21 < maaku> hrm.. but this is maybe semantically ambiguous - what if I really only care that 1 btc was sent to 1wikileaks?
20:21 < gmaxwell> I give two ways to solve it: one constrains an output pubkey, the other requires an extra communications roundtrip.  I dunno if there are better ways. The communications round trip might just be necessary for anti-dos reasons regardless.
20:22 < gmaxwell> maaku: then you could signal that, I suppose... one is a superset of the other.
20:22 < maaku> in freimarkets for example, we have private servers that condition transactions based on whether an output matching a certain template makes it on the block chain
20:23 < gmaxwell> for transaction fees (which you can think of as being a 'reused address') it might actually be the case that you only care that X amount goes to them and you don't give a darn regardless.
20:23 < maaku> in which case you're using it as a semaphore ... but it's not really a problem if more money ends up there, and I assume that requiring both outputs is the better default
20:23 < gmaxwell> maaku: right, and what I'm saying is that the ability to accept such a case is a subset of the ability to detect that you're in such a case.
20:24 < maaku> yeah
20:24 < maaku> sorry, just thinking outloud
20:24 < gmaxwell> I'd actually like it if CJ things could merge outputs, e.g. 1 WL, 1 WL -> 2 WL.. but because of the triggers you'd want to actually communicate your willingness to accept.
20:25 < gmaxwell> (merging matching outputs is always equal or better for privacy, and its more efficient)
20:27 < maaku> yeah
20:28 < gmaxwell> andytoshi: I assume when you put this up for real you put it behind ssl?
20:33 < andytoshi> gmaxwell: yeah, definitely
20:34 < andytoshi> actually, i have been meaning to put my entire site behind ssl for a long time.. is there such a thing as a good cheap cert provider?
20:34 < gmaxwell> startssl
20:34 < maaku> startssl
20:35 < gmaxwell> at least in one of your dimensions its infinitely good.
20:35 < andytoshi> thx guys :)
20:35 < adam3us> andytoshi: all certs are equal, buy the cheapest :) (its an openssl design side effect - weakest link in chain defines system security)
20:36 < gmaxwell> not quite equal, since there is some inequality in support in older browsers, but I think for your stuff you don't care.
20:36 < maaku> adam3us: well, you need to make sure it's a widely deployed root cert (e.g. built into mobile browsers)
20:36 < maaku> but startssl is, and it's free ... kinda hard to beat that :)
20:36 < andytoshi> well, i meant 'good' in a moral sense.. for example godaddy supported SIPA, they act like scammers, they look sleazy, etc
20:37 < gmaxwell> If you don't pay them it's less morally ambiguous. :)
20:37 < adam3us> maaku: some of them have a chain file you have to use, because they are subcas, which works but makes the cert response over the wire larger
20:37 < andytoshi> yeah, i buy that :)
20:37 < adam3us> maaku: free eh? thats pretty good
20:38 < maaku> well for the lowest level of verification ... as if verification actually meant anything
20:39 < maaku> unfortunately they require verification if your domain gets flagged as high-risk (e.g. monetize.io :( )
20:39 < andytoshi> lowest level is fine, at least people can't read your traffic with tcpdump..
20:39 < maaku> but even then, it's still the cheapest
20:39 < adam3us> maaku: yeah thats a new one to me, used to be like $7 - $10 cheapest
20:41 < gmaxwell> andytoshi: so wrt output values.  Maybe instead of just the most popular output, when there is more than one output with exactly equal values, you list all of them.  E.g. If you have 10.1 1 5.3133 you list 1 (roundest most popular output),   and if later you have 10.1 10.1 1 5.3133 you list 10.1.  and if later you have 10.1 10.1 1 1 2 2 5.3133  you list 10.1, 1, 2.  It makes the txn more identifiable but you'd almost certainly learn ...
20:42 < gmaxwell> ... the same stuff by just continually polling the most popular output as it changes.
20:53 < gmaxwell> andytoshi: I got
18:15 < andytoshi> note that the idea about just wrapping a hard-to-verify PoW in a snark encourages centralization because the snarking step is hard to do but only has to be done once per block. so the more hashing power you have the smaller the percentage of power is "wasted" just proving that you did what you claimed. plus you can start building on that PoW before the proof is complete, but others don't get to see
18:15 < andytoshi> what to build on until you publish the proof
18:16 < maaku> andytoshi: not to mention incentives
18:16 < maaku> having a snark step delays annoucement as you have to build the snark proof
18:17 < andytoshi> maaku: yeah, i had several false starts trying to describe the incentive situation :P it's really confused
18:19 < andytoshi> the snarkchain model gmaxwell suggested is requiring SHA256(SNARK_PROVE(SHA256(utxo updates + nonce))) < TARGET, which avoids all these problems while also incentivizing snark optimization work
18:21 < gmaxwell> whats this about linear pcps?  The general problem with using PCP constructions directly is that they have insane expansion of the proof, so like the proof ends up being larger than the universe, which is generally regarded as a bad thing.  If the proof is a linear function, however, like one structured as a Hadamard code  there is a way to effectively work with the proof in a transformed domain that makes operations compact. So you ...
18:21 < gmaxwell> ... don't actually have to instantiate the whole proof.
18:23 < gmaxwell> 14:35 < tacotime_> And that the parameters file must arise from a trusted source.
18:23 < gmaxwell> ^ not quite: that's how the GGPR'12 pairing-crypto SNARK stuff works.  But it's not inherent to verifiable execution.
18:24 < gmaxwell> The GGPR stuff has an advantage of being the most developed and currently most efficient approach.
18:25 < tromp__> gmaxwell, you missed my discussion with petertodd on Cuckoo Cycle. i was wondering if you had read the paper and had any feedback on it?
18:25 < gmaxwell> A not really accurate way to understand it is that it reduces the problem of verifying execution to testing the roots of some polynomials and testing some ratios of polynomials. ... then it instantiates a kind of homomorphic cryptosystem so you can do all this in an encrypted domain.
18:25 < gmaxwell> tromp__: I saw the discussion but I didn't participate because I haven't read the paper.
18:26 < tromp__> ic, gmaxwell. anyway, i hope you have a chance to read it. i'd like to have your opinion on it
18:27 < gmaxwell> tromp__: I think petertodd's concerns in the first half of the discussion were taking the wrong approach.  I understand, without reading the paper, that the approach sounded like it's based on finding a kind of structured multicollision?
18:28 < tromp__> yes, a combined 42-way collision if you like
18:28 < gmaxwell> Generally collision finding POWs give you asymmetric memory hardness but they have time/memory tradeoffs (e.g. using rho cycle finding). And generally multicollisions have more tradeoff available not less, so I'm interested in how you solve that but I should read the paper.
18:28 < tromp__> the key insight i think is that the edges must be processed in sequential order
18:29 < tromp__> it's not a collision of many to one
18:29 < tromp__> it really requires following long chains of pointers
18:30 < gmaxwell> The later half of PT's discussion is a more meta point which is some new thinking.  I now believe (and have been talking some with Colin Percival some about) that the security analysis in the scrypt paper was significantly flawed. :(
18:30 < tromp__> which is what prevents those rainbow table/bloom filter collision shortcuts
18:31 < gmaxwell> Basically if you model a typical big computing cracking effort, for example, over the whole task of the computation, power costs can come out to something like 95% of the total cost (e.g. on 28nm)
18:32 < tromp__> cuckoo does about 5x more random memory accesses than hashing ops, so it should do well on power
18:32 < gmaxwell> So what can happen when you try to make a memory hard KDF is that you increase the silicon costs (part of the 5%) by, say, 10 fold or what have you, but if in doing so the power costs to the attacker (for a users tolerance budget) goes down.. that may be a loss.
18:32 < tromp__> the latency will slow down the rate at which you can hash
18:33 < gmaxwell> yes, and I'm concerned thats actually bad.
18:33 < tromp__> in what way is a latency dominated pow bad?
18:33 < gmaxwell> e.g. you make the 5% 10x (say) more expensive but you make the 95% 1/4th as expensive then the result is a net loss.
18:34 < gmaxwell> tromp__: shifting cost to silicon over power potentially favors optimized hardware infrastructure.
18:34 < tromp__> but the power use will be limited by the relatively huge cost of dram
18:36 < tromp__> imagine how much memory is needed for its power-use to equal that of all sha256 asics in use now
18:36 < tromp__> it wld probably be more than all memory in existence
18:37 < tromp__> also, most power use in memory is due to high bandwidth ops
18:38 < tromp__> if you know you only need to fetch 32bit words, and don't fill cache lines with adjacent words, then power cld drop a lot
18:38 < gmaxwell> tromp__: Well we have an existence proof: TCO wise the gridseed scrypt asics are a bigger improvement over GPUs than sha256 was.  I _believe_ that increasing the memory size would actually make that worse, though I'm trying to talk to gridseed engineers about it but Chinese/English language barriers are fun. :P
18:39 < gmaxwell> tromp__: I don't think you are following my argument there. I'm not quite sure how to state it more clearly.
18:39 < gmaxwell> I don't actually know how it pans out for different parameters, it's also pretty process sensitive, the last few process nodes scaled transistor density better than they scaled dynamic power.
18:39 < tromp__> i think scrypt has a LOT more parallelism in it than cuckoo
18:40 < andytoshi> tromp__: an attacker can amortize his hardware costs because he is generating shitloads of keys, and he benefits from lower power. an honest user of a KDF is hit much harder by latency costs and doesn't care about power because honest users don't generate many keys
18:40 < tromp__> are any scrypt asics in the hands of miners yet?
18:41 < gmaxwell> I have one sitting in front of me, they aren't widely available to the public yet.
18:42 < tromp__> the crucial question is, how many scrypt attempts does the chip run in parallel?
18:42 < maaku> gmaxwell: is it an asic, or an fpga prototype board
18:42 < gmaxwell> tromp__: but in this case the lack of parallelism helps the attacker. That's why I was saying that more memory appears to actually make scrypt worse (for actual attack cost) relative to commodity hardware. Though there may be inflection points in the tradeoff.
18:42 < gmaxwell> maaku: an asic.
18:43 < tromp__> how much memory is on the scrypt asic?
18:45 < gmaxwell> tromp__: not sure, still trying to extract data from the people who made it. Each instance of scrypt needs 128k, unless you use a minor TMTO but I'm pretty sure they aren't.
18:46 < tromp__> right; so they'll be able to run 8192 instances with 1GB of on chip mem
18:47 < tromp__> now with cuckoo, you can set the memory requirement at 1GB, or 4GB.
18:47 < gmaxwell> It's in a super cheap QFN package, whole chip costs about $1.25 to make, they've been putting 5 of them to a proto board, which (including regulator losses) draws a bit less than 8 watts, and does 300KH/s which compares not too unfavorably to a year old / middle tier GPU.
18:47 < tromp__> and they won't be able to run more than a few instances
18:47 < gmaxwell> that's irrelevant sadly.
18:48 < tromp__> furthermore, i don't see how each instance can run much faster than with a cpu hooked up to std RAM
18:48 < gmaxwell> tromp__: did you see andytoshi's illustration of the concern?
18:48 < tromp__> no, gmaxwell, where can i see it?
18:48 < gmaxwell> tromp__: oh you can get incredible speedups if you can avoid chip external (pin-count and frequency limited) long busses.
18:49 < gmaxwell> just the point above:
18:49 < gmaxwell> 15:40 < andytoshi> tromp__: an attacker can amortize his hardware costs because he is generating shitloads of keys, and he benefits from lower power. an honest user of a KDF is hit much harder by latency costs and doesn't care about power because honest users don't generate many keys
18:49 < gmaxwell> Basically these analysis must consider both the operating costs and the upfront costs. The hardware cost is amortized.
18:50 < gmaxwell> unfortunately a total cost model is much harder to do because it's much more dependent on the physical instantiation than just trying to count transistors.
18:50 < tromp__> but amortization requires parallelization
18:51 < tromp__> no-one has proposed a viable way of parallelizing cuckoo?!
18:52 < gmaxwell> tromp__: Everything can be parallelized. E.g. the attacker acts as two miners. Within the algorithm you are not parallel sure, but there is a maximum scope to this or you lose progress freeness, which is essential for consensus-POW.  (maybe it doesn't matter for a KDF)
18:52 < andytoshi> no, amortization just requires you to run for a long time.
18:52 < gmaxwell> and yes, as andytoshi points out, just continuing to run for a long time is where the amortization comes from.
18:53 < gmaxwell> tromp__: I'm not sure what background you have in POW-consensus, do you understand what I mean about progress free being a requirement?
18:53 < tromp__> andytoshi, you can only run cuckoo for EASYNESS many nonces, there are only a small number of cycles to be found in that time
18:53 < gmaxwell> tromp__: you don't just run it once and throw your hardware out, of course.
18:54 < tromp__> right, you need to use your 1GB of memory for, say, 10secs, and have some small prob of finding a 42 cycle
18:54 < tromp__> and keep repeating that
21:53 < midnightmagic> in essence, the retarget can be rewound as though no retarget has happened yet because a heavier subtree exists that hasn't reached retarget.
21:54 < maaku> midnightmagic: the reorg code doesn't care squat about retargetting, as far as I am aware
21:54 < gmaxwell> any limit creates a potential for an unresolvable fatal partition in the network if there is a reorg right at the boundary. So you argue "boundary X is safe because making a reorg that deep is infeasible" I respond "boundary X is pointless because it defends against an attack you just told me can never happen" :)
21:54 < midnightmagic> i don't know if it matters, was just thinking of possibilities.
21:54 < gmaxwell> midnightmagic: yea, I dunno if that's especially concerning, subtle things to think through for sure.
21:56 < midnightmagic> maaku: I guess the retarget boundary may not be relevant, but it looks like a heavy subtree can make the main chain length *shorter*..
21:56 < phantomcircuit> gmaxwell, "checkpoints are a performance feature not a security feature"
21:57 < gmaxwell> phantomcircuit: hm? yes.
21:57 < maaku> midnightmagic: it extends the length of the sub-tree, i don't see how it reduces the length of the main chain
21:58 < gmaxwell> maaku: well for security you actually care about the relative distance to the next best tree that doesn't include your txn.
21:58 < gmaxwell> since that's the amount of work required to change the decision.
21:58 < midnightmagic> maaku: It is possible that mining could indefinitely create a reorg which switches back and forth between two trees without actually extending the main chain length.
21:59 < midnightmagic> I don't think a 51% attack right now could do that. I think it must *extend* some tree in order to increase main chain length.
21:59 < gmaxwell> midnightmagic: I dunno that that matters though. I worry more about details like how the heck do you make sure that everyone actually agrees on longest.
22:00 < andytoshi> gmaxwell: well, if boundary X is there to try and keep nodes from getting DOS'd, even if it is infeasible to split the network that far back it is a useful boundary
22:00 < maaku> yes, a problem here is that you no longer have global knowledge about how much weaker a distant subtree (which you're ignoring due to DoS considerations) is, until it overtakes you
22:01 < maaku> but it would take the nuclear 51% for the subtree to have any effect, which is why it's not a very weighty concern from where I'm sitting...
22:01 < gmaxwell> andytoshi: header flooding alone isn't really an interesting dos though, esp as you don't forward them
22:02 < andytoshi> well, it could be interesting if you've gotta keep them all in memory at once
22:03 < Mike_B> hey btw gmaxwell - did you ever find that hashcash paper?
22:03 < Mike_B> i'd really love to read it if you did.
22:03 < andytoshi> i thought that was the crux of this "diff-1 flood" attack we are discussing
22:03 < gmaxwell> Mike_B: haven't had a chance.
22:03 < Mike_B> gmaxwell: do you remember the title? i was searching stuff like "hashcash progress-free" on google but without much luck.
22:06 < gmaxwell> Mike_B: if I did I would have just given you the result.
22:06 < midnightmagic> ah, footnote #10 was what I was looking for
22:07 < gmaxwell> andytoshi: I haven't been following the discussion here, and don't have time to.
22:09 < gmaxwell> andytoshi: but with a 'suitable' headers first implementation diff-1 flooding basically reduces to a boring "peer can send me unwanted packets" problem... though I don't know if anyone would ever bother with the really dos hardened version since incrementing the minimum difficulty (and then fixating the old chain as a one time thing) is a simpler thing to do.
22:10 < gmaxwell> (if you don't mind potentially fetching fork headers multiple times you can basically bound the space using a hierarchy of bloom filters to accept headers for inspection)
22:13 < andytoshi> hmm, i'd have to think about what a 'suitable' headers first implementation would look like, since if you are weighing entire trees you can have a situation where two peers each have half the tree
22:13 < andytoshi> but neither is aware of the other half
22:15 < gmaxwell> oh if you're talking about that fast blocks paper, I think it destroys every anti-dos mechanism for block flooding I'm aware of (other than incrementing the minimum diff)
22:15 < andytoshi> oh, i am :P i think we have been talking past each other
22:15 < gmaxwell> well okay other than that, and other than SNARKs for membership in a chain of some total diff.
22:16 < maaku> andytoshi: which is totally fine...
22:16 < gmaxwell> e.g. you could build a snark for summing the diff of a chain which commits to a hashtree of headers. And then you can prove each header incrementally is a member of a chain with some sum diff.
22:17 < gmaxwell> maaku: it's fine? really? if you end up with half the hashrate on one subtree and half on another subtree..  thats not good. what triggers resyncing the missing blocks to make them ever converge?
22:17 < maaku> gmaxwell: reverting to IBD mode when one tree is longer, which it will be eventually
22:17 < andytoshi> right, my concern is that no node can make a snark because nobody individually has a heavy enough subtree
22:17 < andytoshi> but together, their subtrees could add up to a lot, so you have to listen to them all
22:18 < gmaxwell> maaku: I don't follow but I think I'm too worn out to think now.
22:19 < maaku> gmaxwell: the point is the question amounts to "assume a situation only possible as the result of a 51% attack, here's a problem" - and my response is "that problem will sort itself out, and beyond that is not worth thinking about because you're assuming a devastating attack"
22:20 < gmaxwell> maaku: I don't see that.  assume the network ends up in a state where half the nodes know fork blocks ABC and half know DEF and as a result you have half hashpower on each subtree and they stay tied. What makes them eventually converge?
22:21 < maaku> gmaxwell: block generation being a stochastic process. they will diverge from each other randomly
22:21 < phantomcircuit> maaku, they *might* but you have no guarantee
22:21 < phantomcircuit> we like those
22:21 < gmaxwell> maaku: sure, but there are three extra blocks on each side. how long until one gets three ahead when they have an even split of hashpower?
22:22 < gmaxwell> and how much hashpower does it take to maintain that state?
22:22 < gmaxwell> (by adding extra orphans)
22:22 < maaku> i'm not sure i follow - why the magic number 3?
22:22 < gmaxwell> I just picked a number.
22:22 < Luke-Jr> obviously the Holy Trinity
22:23 < gmaxwell> 1, 2, many.  Three is the smallest many.
22:23 < maaku> gmaxwell: well you just need a single block more on either chain
22:23 < andytoshi> once one half of the split gets one block ahead, that should be enough to draw hashpower toward it
22:24 < andytoshi> which is the way that their "eventually you always reconverge" theorem works
22:24 < gmaxwell> anyways, point I'm trying to make is I think you can put this system into a state where it will probably never converge, even without an (active) attacker.
22:24 < maaku> and chances are you'll get that ... unless the attacker is >51% of the network and censoring his own blocks, in which case :shrug:
22:24 < andytoshi> i think maaku is right, but only when everybody is sharing all the available blocks -- and then i think we have DoS potential
22:24 < gmaxwell> maaku: hm? no the nodes with the A B C orphans need the D E F orphan chain to be 4 blocks longer before they think it's longer.
22:25 < gmaxwell> andytoshi: but _how_ do you share all blocks? how do you actually know if you have them all? how do you know if you don't to go get them? and how doesn't any anti-dos not mess that up?
22:26 < maaku> gmaxwell: ah ok i misunderstood your description of the initial state
22:26 < andytoshi> well, you have a master chain, and if you say, ignore any blocks more than 10000 behind the head of the chain, that would be an anti-DOS which doesn't affect this business of reconvergence
22:26 < andytoshi> unless you get a 10000-deep split, and then you're totally screwed
22:27 < andytoshi> but 10000 blocks ago the diff should be high enough that spamming blocks is impossible
22:27 < gmaxwell> you know for sure you have all the blocks normally, because of the linked list structure of the chain, but this stuff creates relationships which are not unidirectional. E.g. newer orphans make older blocks (which are later in the chain) better.
22:27 < maaku> gmaxwell: getting ahead (or behind) 3 blocks would take a while, but it will happen - and i should point out the chance of it happening is the same as getting into that state in the first place
22:27 < maaku> since you're presuming the forks have equal hash power, but somehow one has 3 more proof of works than the other
22:28 < gmaxwell> right 3 will happen but may take a long time. .. a semi-active attacker with fairly modest hashpower who keeps mining more orphans only on the shortest subtree could prolong that.
22:29 < maaku> but "in reality" there will be some miners which only have one orphan stored - and they will jump ship first
22:30 < maaku> i think you're still balancing on a pin to set this up
22:32 < gmaxwell> maaku: but it's a balance that could even happen without an attacker, which I agree is unlikely, and an attacker could make it happen for sure. wait for a natural split, buy a burst of hashing power to build two blocks and give them in a censored manner... repeat as needed to keep it imbalanced. I don't know that it's fatal, but it's a whole class of attack that doesn't exist in the current system because we have jamming resistant ...
22:32 < gmaxwell> ... communication of blocks
22:32 < midnightmagic> I guess building additional orphans is less of a good idea than building ones that are likely to become canonical due to coinbase payments.
22:32 < gmaxwell> midnightmagic: someone breaking the system is short coins and doesn't care about the coinbase payments.
22:32 < midnightmagic> hrm
22:33 < midnightmagic> joker effect.
22:33 < gmaxwell> "byzantine failure"
22:34 < gmaxwell> though perhaps its sufficient if miners commit to all the blocks they're using to contribute to the difficulty they're using ... maybe that gets it back to the same communications model.
22:34 < gmaxwell> e.g. if blocks get censored you'll know it if you hear the tip.. and then you can go looking for the contributors.
22:34 < midnightmagic> well it's pretty neat they did this paper, it's a cool idea. i wonder if it can work in a p2pool-like sharechain where orphans themselves could count towards the whole.
22:34 < maaku> gmaxwell: if the attacker is in a position to buy more than the entire hashpower of the network, there's a lot more they can do than just that
22:34 < maaku> are you saying they can do it without maintaining that hash advantage?
22:34 < gmaxwell> maaku: only for a brief window? no way. I'm saying they don't have to maintain a hashing advantage.
22:35 < gmaxwell> as you note, once it's on-the-head-of-a-pin it's unlikely to converge by chance... so they just have to keep prodding it to equilibrium if it gets out.
22:35 < gmaxwell> they could have an average hashpower a small fraction of the networks and make the split continue to diverge.
22:36 < gmaxwell> e.g. 10% of the network hashpower they're adding 1 block to the smallest subtree per 10 blocks added to the network.
22:37 < maaku> gmaxwell: i'm not certain of that ... it's not explained how they're able to maintain this partition of knowledge about the orphans
22:37 < andytoshi> maaku: i think the idea is, the nodes don't think to ask for the missing orphans, because they don't see any new blocks referencing them
22:37 < gmaxwell> it's not knowledge, they're making them and handing them out
22:38 < maaku> gmaxwell: i mean the orphans which resulted in the split in the first place
22:38 < maaku> andytoshi: a GHOST client would benefit from gossiping about orphans
22:40 < maaku> midnightmagic: i'd edit your post. it is perfectly possible to rewind past a difficulty retarget. we don't want to be spreading misinformation to the people who read that
22:41 < midnightmagic> maaku: It's a sub-point of stripping blocks off head..?
22:41 < maaku> midnightmagic: you can have a two-block reorg when the difficulty retarget was 1 block ago
22:42 < maaku> (and have a different retarget as the result, due to different timestamps)
22:42 < midnightmagic> maaku: Yes but after that reorg the head work count is not shorter, correct?
22:42 < maaku> correct
22:43 < maaku> but your post states "This includes rewinding back past a difficulty retarget, which is currently impossible"
22:43 < maaku> that *sounds* like diff retarget == checkpoint
22:43 < maaku> whether that is what you meant or not
22:43 < midnightmagic> I am editing the post, but that is a semantic difference of the meaning of the term "rewind" which I'd hoped was made clear by the fact I'd put it as a subpoint of *stripping off blocks from head without replacing them.*
22:45 < midnightmagic> That is, you have to replace it with a *greater* amount of work, and thus substitute one reorg for another. I'm assuming by now you know what I mean and just don't think the vocabulary I'm using is appropriate.
22:47 < maaku> midnightmagic: correct
23:59 < gmaxwell> yo dawg, i heard you liked vanity https://people.xiph.org/~greg/qr.png
--- Log closed Mon Dec 09 00:00:42 2013
--- Log opened Mon Dec 09 00:00:42 2013
00:32 < amiller> lol.
02:41 < wumpus> hahaha nice gmaxwell
03:31 < wumpus> gmaxwell: so does that actually generate keys, convert to an address, create a qr code, and match to some target image or so?
03:33 < wumpus> or is the actual information in the qr code not important and it just makes use of the redundancy in the representation?
03:43 < maaku> wumpus: i would assume it's making use of redundancy, just from visual inspection
03:46 < wumpus> maaku: it seems that way,  just found the paper: http://dl.dropboxusercontent.com/u/12405967/qrsem.pdf
03:47 < wumpus> I suppose that if one generated vanity keys one could get even closer to the target image, but it's not needed for the effect at all
03:48 < maaku> yeah that's why i figured it was redundancy
03:48 < maaku> it could have been a cleaner image without
03:48 < maaku> er, with a vanitygen approach
06:00 < michagogo|cloud> gmaxwell: Nice. (my phone couldn't read that, but zxing.org could)
14:18 < gmaxwell> hm. An interesting point about cryptocurrencies with perfect anonymity and fungibility is that they have, assuming spherical cryptography, fundamentally better scalability.  not having privacy means communicating more information.
14:19 < gmaxwell> you could imagine a cryptocurrency based on encrypted commitments and state outsourcing where a block doesn't communicate transactions at all, just the final state commitments and proofs that they're correct.
14:20 < iddo_> what is spherical cryptography ?
14:21 < gmaxwell> iddo_: I mean with tools that achieve everything we know is theoretically possible, "spherical cow", without practical considerations or constant factors.
14:21 < iddo_> ahh
14:21 < gmaxwell> e.g. imagine a block that doesn't carry transactions, it just commits to the final state after all transactions were applied, and proves that the updates met the rules.
14:22 < iddo_> so with anonymous cryptocurrency, you mean that it's less communication complexity, but more computational complexity locally?
14:24 < gmaxwell> well I'm ignoring the complexity of the proof systems, in theory SNARKS can give quasi linear work on the prover, and constant communication and verifier complexity or similar efficiency.
14:24 < iddo_> gmaxwell: why did you say several days ago that Bitcoin mining power is about 2^74 now? i see about 64 leading zeros in the PoW hash of blocks now, isn't that 2^64 complexity?
14:24 < eristisk> So, a distributed blockchain model where the data contained within the blocks would be of much smaller size because of the the intentional absence of the bulk of the transaction data... wouldn't miners that solved the block still see the entire contents of the transactions?
14:24 < gmaxwell> iddo_: aggregate vs each blocks.
14:25 < gmaxwell> eristisk: sure, but only the block they produced.
14:25 < iddo_> gmaxwell: aggregate means what in this context? all the work that has been done since the genesis block?
14:25 < gmaxwell> Maybe my point was too abstract, but I'm only pointing out that the theoretical limits of cryptocurrency efficiency can only be achieved if the cryptocurrency is anonymous... because adding identifiable information increases that communication complexity to at least linear.
14:26 < gmaxwell> iddo_: correct.
14:26 < iddo_> cool
14:26 < gmaxwell> 74.63 right now.  Smallest hash so far is 000000000000000000028c32e6952731326747bae4be8db0f832d6eea0362050
14:26 < eristisk> Right, you'd have to have widespread miner collusion to consistently publish or backhandedly share the data in order to get all data.  The other important part you brought up is something I'd personally like to see in Bitcoin (and other "complete blockchain" altcoins) itself anyway, which is encrypted commitments.
14:28 < gmaxwell> eristisk: well, there are ways to construct this stuff so that it's anonymous even against miners. Doing so has practical engineering challenges today, but they're solvable. It also has significant political challenges.
14:28 < gmaxwell> But perhaps the point I'm making eases the political challenges: anonymity is pretty much a mandatory outcome of optimal efficiency.
14:29 < iddo_> politicians care about efficiency ? :)
14:29 < zooko> Uh, did you just say "spherical cryptography" ?
14:29 < zooko> What's that?
14:30 < zooko> Oh, someone already asked.
14:30 < eristisk> It could be argued that there is space enough for a model as Bitcoin exists today (accelerating technological burdens of the large distributed data set notwithstanding) as well as an altcoin which successfully implements fully encrypted transport streams between nodes as well as transactionless blockchains as you are speaking of.
14:31 < gmaxwell> like a spherical cow, sorry. :) I just am talking about the theoretical asymptotic efficiency. The practical implementations of the required tools are not there yet.
14:31 < gmaxwell> eristisk: money likes a monopoly.
14:31 < eristisk> More like: people like a money monopoly  :P
14:32 < gmaxwell> And confidence in cryptocurrencies probably depends on a reasonably high degree of stickiness.  "Why do I want your foo coins when next year bar coins will be the new hotness?"
14:33 < iddo_> thing about zerocoin is that CRS is exactly the kind of thing that people who are attracted to zerocoin don't like... i already see thread on that http://www.reddit.com/r/ZeroCoin/comments/1rxwvh/zerocoin_has_a_master_key/
14:33 < gmaxwell> So yea, sure alternatives can and will exist... but I suspect that in enough time, as the engineering tradeoffs mature and stop being tradeoffs anymore it will just become a no-brainer to do thing like use snarks to compress bitcoin... and at the limit you end up making it anonymous even if that wasn't your goal.
14:33 < gmaxwell> iddo_: yea the CRS stuff is ... not good. But it's not fundamental.
14:34 < gmaxwell> we know from theoretical work that publicly verifiable non-CRS sub-linear communication cost SNARKs can exist.
14:35 < iddo_> yes:)
14:35 < eristisk> Ah I see.  Well, encrypted commitments could be added to Bitcoin with reasonably smaller fundamental changes in comparison to rewriting the protocol spec to remove transactions from the blockchain data.  I get your point about "selling" it under the premise of solving the spiralling problem of storing such an increasingly massive distributed dataset whilst simultaneously arriving at a more...
23:42 < amiller> the thing is businesses benefit from this social awareness that all businesses are safe because they're regulated
23:42 <@gmaxwell> E.g. for a centralized system you can point at all these RISKS that the regulations stop, ... and that there are reasons that the regulation is inexpensive.
23:42 < amiller> it's like a license to cater to stupid consumers
23:43 < amiller> decentralized means you're really on your own and don't expect a court to sort out your problems
23:43 < petertodd> depends on the model, the silk road benefits from the awareness that it isn't and isn't going to get shutdown on a whim
23:43 <@gmaxwell> petertodd: It means something, not in and of itself, but it means that people we might have expected to do otherwise didn't.
23:43 < amiller> ripple.com seems to be advocating the worst of all possible worlds
23:43 < petertodd> gmaxwell: FinCEN trying to fight bitcoin head on, and early, would have been *better* imo.
23:43 < amiller> by recommending that you join the system by "HIRING" a gateway "BUSINESS" to "trust" you
23:44 <@gmaxwell> amiller: in general this plays into the thinking I've been having lately about how our systems should try to minimize the best case and the worst case, regardless of their average case.
23:44 <@gmaxwell> E.g. if we can't prevent an attack almost completely, we should make it trivial and automatic.  No surprises.
23:44 < amiller> where you trust in the gateway is predicated on their contracts being enforceable by STATE LAWS which by the way no one expects to pay for because w/e
23:44 < amiller> gmaxwell, yeah better encourage the smaller attacks to happen right away
23:44 < amiller> fail fast fail early fail often?
23:44 < amiller> fail small
23:44 < petertodd> gmaxwell: indeed that's actually a big failing of the idea of fidelity bonded banking running on secure hardware you know
23:45 < petertodd> gmaxwell: fidelity bonds are going to be very, very, very tricky to get right, and the hardware lets you punt an issue that you probably shouldn't
23:45 < amiller> social collateral isn't free
23:45 <@gmaxwell> Not just right now, but it's a line of thinking about how people relate to each other. I think there is evidence that people can prosper under many kinds of system for making agreements, but what's important is that you can know what you're actually buying into.
23:45 < amiller> the fact that it seems scary and unusual to make formal relationships with friends where relationships can get hurt and damaged... that fear / discomfort you feel is how you know it's working
23:46 < petertodd> The rate of huge hacks hasn't changed much, yet the community seems to panic less on each one...
23:46 <@gmaxwell> E.g. if a kind of transaction is only 90% safe, I think people are better off if it's 0% safe.  Because the 10% oh-fuck-I-got-ripped-off is 110% of the cost of it being completely unsafe.
23:47 <@gmaxwell> I boggle at the hash, ozcoin has been thoroughly hacked three times now. Slush 2.5 times.  I don't see any evidence of either changing their business practices or the users really caring much.
23:48 < petertodd> but what exactly have their users lost anyway?
23:48 < petertodd> specifically, how much compared to the profits?
23:48 <@gmaxwell> In the case of ozcoin people are actually out money now. But indeed "easy come, easy go"
23:48 <@gmaxwell> I think the ops don't care much because they're mostly gambling with other people's money and what money of their own they lose was too easily won, and perhaps that applies to the users too.
23:49 < petertodd> no-one is getting sued for being a negligent op
23:49 < amiller> something that's funny to me is just how little of the ecommerce problem that bitcoin solves
23:49 < amiller> the silk road is a perfect example
23:49 < petertodd> which is sad when better software, multisig, multiple implementations etc. can make attacks orders of magnitude harder
23:50 < petertodd> what do you see as flawed in the silk road?
23:50 < amiller> it's a centralized script kiddie php/mysql database
23:50 <@gmaxwell> Seems like zero interest. The only pool security innovation that I'm aware of is eligius' coinbase payments, which were not created for security purposes initially (Luke's goal was to avoid running afoul of regulations by not handling third parties' money)
23:50 < amiller> it's the weak link in a chain of two properly (sorta) decentralized miracle systems
23:50 < petertodd> amiller: with a damn good record in practice, and the central wallet is essential to privacy
23:51 <@gmaxwell> Well, I think SR does okay considering that people with high competence have many reasons to avoid it.
23:51 < amiller> essential - no.... damn good record... sure, and of course it gets first mover advantage and a ton of novelty
23:51 <@gmaxwell> petertodd: they have managed to disclose their IP .. twice.
23:51 < amiller> there's no better alternative i guess
23:51 < amiller> also bitcoin-otc is awesome and yet decentralized
23:51 < petertodd> gmaxwell: are you sure they actually disclosed their IP? with sites like that misdirect is good
23:51 < amiller> i want to see the real black market in my lifetime!!!
23:51 <@gmaxwell> well lemon market in any case.
23:52 < petertodd> silk road and its ilk have the unique problem where competitors might be LEA honeypots
23:52 < amiller> ripple/^H^H^H^ excuse me social collateral solves a much larger problem than just bitcoin too
23:52 <@gmaxwell> petertodd: it's possible but I think pretty unlikely that it was a misdirection.  (in particular, in one case the site was also accepting connections from the public internet ... and based on latency... it wasn't just a tor gateway to it)
23:52 < amiller> the quantities you formally transact with don't just have to be about currency trades it can be about shipments etc
23:53 < petertodd> amiller: thinking social collateral solves problems usually discounts the very real cost of thinking about social collateral
23:53 < amiller> thus it generalizes bitcoin, bitcoin-otc, and yes the silk road
23:53 < amiller> shit changes yo
23:53 < amiller> i thought i'd never see an irc room full of people checking each other's gpg keys
23:53 < amiller> gmaxwell informed me at one point that they still get scammed constantly on bitcoin-otc because of... well not checking each others' gpg keys
23:54 < petertodd> gmaxwell: absent evidence that they've actually been caught it may not mean much. Anyway, their IP is just as likely a VPS under a fake name.
23:54 < amiller> so maybe i have rose colored or purple-green trippy glasses or w/e but still
23:54 < petertodd> amiller: bitcoin-otc has a central database with no way to avoid trusting it - ugly
23:54 < petertodd> amiller: it's a nice hack, but it's so far from a good solution
23:54 <@gmaxwell> nanotube wants to fix the database issue, there is a whole irc channel for people nattering about that.
23:55 < amiller> totally that's why the future-bitcoin-that's-not-just-silly-gold will be largely about maintaining a decentralized reputation ledger!
23:55 < petertodd> good, -otc needs to be passing around actual bits of signed data, which sadly probably means a pile of custom software
23:55 < amiller> that's the sort of thing we should be figuring out how to encode in some kind of scripting language and figure out how to pay for with fees that make sense
23:55 <@gmaxwell> The data in that database is pairwise in any case, the way I recommend people use it is that they use it as a directory to find people they know that know the potential trader.
23:55 <@gmaxwell> so all the database could really do is DOS.
23:55 < amiller> the point is people are using it - it's a proof of concept that the social / too-hard-to-think-about problems can be overcome
23:56 < amiller> there's interest, people adapt
23:56 < petertodd> yes, which really gets down to how -otc is more about just bringing people together in a chat room, the ratings system isn't as important as you'd think
23:56 <@gmaxwell> The ratings system actually turns out to be .. well more useful than I expected and I am generally a dyed-in-the-wool reputation system hater.
23:57 <@gmaxwell> Though I guess that also means my expectations were low. :)
23:57 < amiller> the magic-database-in-the-sky is the revolutionary new technology of the decade :3
23:57 < petertodd> well, I've used -otc mainly to co-ordinate local trades, so there's a lot more going on than some PGP-based rating there
23:58 < amiller> i gave a guy a 2 when i should have given him a -1
23:58 < amiller> i feel really bad about it
23:58 <@gmaxwell> 0_o
23:59 <@gmaxwell> I'm pretty stingy with ratings, also the rating system has been good for me to consider my operational practices. E.g. I realized there were people that I was not willing to rate highly but I'd run code from them they'd given to me without auditing it. (and vice versa)
--- Log closed Thu Apr 25 00:00:11 2013
--- Log opened Thu Apr 25 00:00:11 2013
--- Day changed Thu Apr 25 2013
00:00 < petertodd> heh, as inflammatory as it was I kinda liked jdillons point about how he trusts Mike with all the coins on his android wallet
00:01 <@gmaxwell> Yea, esp since android has silent push updates.
00:01 <@gmaxwell> You guys see the ozcoin  /  strongcoin drama?
00:02 < petertodd> also interesting to consider how the strongcoin 'coin movement' would be trivial to do on an off-chain tx system, yet at the same time with fraud proofs implemented doing so could be suicide (absent the still present client software vulnerabilities)
00:03 < petertodd> strongcoin got away with it, to the extent they have anyway, because humans are in the fraud detection loop
00:03 < petertodd> a regulatory issue too: "Um, you see if I return the funds this source code is going to declare me a fraudster and my clients will instantly stop using my service..."
12:51 < adam3us> cant say i like that direction very much - dsa itself is devoid enough of security proofs, and how do we prove the signature is immutable (once the encoding and known mutations are addressed) - it's a novel security assumption that the mathematical crypto guys have not spent the last decade+ thinking about unlike basic dsa or schnorr
12:53 < gmaxwell> adam3us: it's just software engineering. How do you know your buffers don't overflow. :)
12:54 < gmaxwell> oh you mean just inside DSA. point.
12:54 < adam3us> yes dsa mathematical assurance
12:54 < adam3us> i do buy your rigid non openssl based deterministic encode/decode argument
12:54 < gmaxwell> It's worse because if you give me a discrete log solving oracle I know I can give you infinite signatures.
12:55 < gmaxwell> but I don't know that I can reduce it to that being sufficient, almost certainly not since DSA itself has no such reduction.
12:55 < adam3us> i am for example thinking of a DSA attack i made on a server compute offload system for DSA by markus jakobsson
12:56 < adam3us> it was surprisingly malleable
12:56 < adam3us> despite the unknown k^-1 values
12:56 < adam3us> (slightly different situation, but...)
12:57 < gmaxwell> There are other signing algorithms which I expect would be easy to prove were unique. E.g. I think a pairing short signature only has one signature just on information theoretic grounds... no such joy for DSA.
12:58 < adam3us> do you mean weil pairing based? zss? i wouldnt touch it with a barge pole ;)
12:59 < adam3us> weil pairing is too new, people are finding special curves to be avoided, fresh news now and then so i am scared of the parameter choices, people maybe making bad ones that'll get mathematically broken presently
12:59 < adam3us> but yes non-malleability would be nice
13:00 < adam3us> i think schnorr is otherwise a rather nice signature scheme as its more flexible for eg k of n threshold, brands style boolean formulae, limited show even
13:01 < adam3us> limited show is very nice - you can force the signer to make one signature only ever on a given document (on pain of disclosing his private key via simultaneous equation)
13:02 < adam3us> of course disclosing private keys is less critical than usual in bitcoin as you only have to get there first, subsequent signatures are ignored
13:02 < gmaxwell> and because your private key has low value or at least can have low value.
13:03 < gmaxwell> since our privacy requires that you can have more for free. :)
13:03 < adam3us> eg re weil pairing dangers, http://ellipticnews.wordpress.com/2013/05/22/joux-kills-pairings-in-characteristic-2/
13:03 < gmaxwell> adam3us: Yea, well, I wasn't recommending it, but just saying... :)  It's not so bad with curves though, I mean, most of the stuff being broken is the low embedding degree stuff that was known to be not a great idea.
13:03 < adam3us> he pretty much destroyed some parameters that people actually proposed not that long ago
13:04 < gmaxwell> adam3us: yea, but you can find publications eons ago about characteristic 2 being weak... ::shrugs::
13:05 < adam3us> the danger is this isnt the end of the story we dont know how far new mathematical attacks go towards currently considered secure parameters
13:05 < adam3us> anyway kind of a tangent :)
13:05 < adam3us> what are the known mathematical mutabilities? is r,-s it?
13:05 < gmaxwell> Sure. though, as you noted DSA is not provably secure in the standard model. :)
13:06 < gmaxwell> adam3us: r,-s is the only mathematical one I know of.
13:06 < adam3us> yes and in that sense the best we can do is use old conservative assumptions that are secure in the sense only that no one broke them yet
13:07 < gmaxwell> My confidence in that class of assumption goes down every day. :)
13:07 < gmaxwell> (there are a lot of weaknesses we've fixed in bitcoin that could easily have been exploited even profitably in some cases but just no one did!)
13:08 < adam3us> maybe the interest would go up if we had zerocoin levels of privacy
13:08 < gmaxwell> e.g. I don't think anyone has used the r,-s malleability yet, they've used DER encoding ones.. confusingly one is where you code s as a _negative number_ e.g. not the same as -s mod order but just a sign bit that openssl ignores.
13:09 < gmaxwell> adam3us: I think that part of it is that if the attacks are sophisticated, the people smart enough to pull them off can find better things to do with their time that they can still brag about. :P but who knows.
13:12 < adam3us> i think mostly that is true, though there are a few grey hats i've come across with the "if its broken it deserves to be exploited" mentality, that they seem to deeply internalize and see no moral problems with
13:14 < gmaxwell> Yea, but even those can find more interesting things to do, I think? Dunno I'm waving my arms, I can only say that I've observed a lot of stuff not getting exploited.
13:15 < gmaxwell> E.g. there is a lot of people using unconfirmed txn that would be jammed up by someone just making mutants in order to jam things up.. and no one seems to be doing that _generally_, only against satoshi dice, and I dunno if thats happening anymore.
13:19 < adam3us> maybe the bets are too small
13:19 < adam3us> ok i think i have a mathematical argument for you;)
13:20 < adam3us> if (r,s) is a signature, then so is (2r,2^-1s) because that is (r',s') = dsa with k replaced with k'=2k which you can do even though you dont know k
13:21 < adam3us> and you can replace 2 with any invertible number in the range of n
13:21 < adam3us> so there are probably 2n or thereabout possible mutations
13:21 < sipa> with n = ?
13:22 < adam3us> order of curve
13:22 < sipa> ouch
13:22 < gmaxwell> I was trying to think about that before and thought there was some issue with it because Xr may not even be on the curve.
13:22 < adam3us> i think it works because (r,s)=([-kG]x,k^-1(H(m)+rd)
13:23 < adam3us> sorry that should be (r,s)=([kG]x,k^-1(H(m)+rd)
13:23 < sipa> gmaxwell: even if not, just below 2^255 values are
13:23 < sipa> so the odds of hitting a valid r are almost 50%
13:24 < gmaxwell> easy enough to try.
13:24 < adam3us> so  (r',s')=([kG+kG]x,2^-1*k^-1(H(m+rd)
13:24 < sipa> this sounds like malleability is unsolvable?
13:24 < adam3us> eek not quite.. internal r
13:24 < adam3us> retract
13:25 < gmaxwell> yea, I don't think this is true.
13:25 < adam3us> (let me try some more tinkering)
13:25 < gmaxwell> If its true we just broke DSA
13:26 < gmaxwell> because we would have created a way of recovering K that looks like a collision search on a K multiple sequence, like how you solve the discrete log.
13:26 < adam3us> well not necessarily because you can only create a new signature of a known value (except that you cant so far other than (r,-s)
13:27 < adam3us> i'm not sure about that... some of the other DL algorithms are reblindable or whatever you call it
13:27 < adam3us> eg elgamal
13:27 < adam3us> thats a related encryption algorithm version of near infinite mutability
13:37 < gmaxwell> I don't think this works because the order is prime. But I'm in a meeting right now and haven't been able to just try it.
13:45 < adam3us> I think the EC version of elgamal will still be publicly reblindable
13:49 < adam3us> another interesting question would be if you have (r,s) and (r',s') two different signatures with different k values but on the same H(m) can you create a third signature (r",s")   (ignoring the (r,-s) approach)
13:51 < gmaxwell> well I don't mind creating two different signatures the signers could always create infinite more.
13:51 < gmaxwell> "Don't sign the same message multiple times" is simple enough, esp if people switch to derandomized dsa. (As I think all should)
13:53 < sipa> i don't see how you could compute s"
13:53 < sipa> unless the two k values are related
13:59 < adam3us> what's your email address sipa?  i'll send you an unpublished attack relating to a server offload version of DSA which shows mathematically how manipulable this is
13:59 < gmaxwell> sipa: the idea there is to blindly swap K values on a signature.
14:00 < adam3us> note i said two real signatures (diff k values) on the same H(m)... thats going to be more manipulable
14:01 < sipa> adam3us: pieter.wuille@gmail.com
14:01 < sipa> gmaxwell: hmm, i'll have to think longer about it
14:02 < gmaxwell> I'm not saying it works, but I see vaguely how it might. I'd want to just try it.
14:03 < warren> petertodd: I'm in favor of getting rid of free tx's entirely.
14:06 < adam3us> sent mail
14:07 < adam3us> who's going to bitcoin in amsterdam thurs-sat?
14:08 < sipa> i'm not, this time
14:09 < adam3us> the lesson from that server aided DSA attack is knowing any relation at all about k values is usually fatal
14:09 < MoALTz> warren: one suggestion i've said in passing before is to have a new field in the block header: minimum accepted fee; the block is only valid if all the tx contained with-in have at least that fee. on it's own that doesn't seem helpful, but consider the effect: if you want to know how long a tx will take to get onto the blockchain you look back over an arbitrary number of blocks and see how many it would have made it into (%age-wise)
14:10 < MoALTz> avoids hardcoded values too
14:11 < gmaxwell> MoALTz: people pay fees to miners in many different ways, not just tx fees.
14:11 < gmaxwell> e.g. today people will pay fees via child transactions that have high fees, or via special txouts paying a specific miner, or via external agreements.
14:12 < gmaxwell> MoALTz: so in your model miners would keep signaling 0 but then actually imposing higher fees.
14:13 < MoALTz> hmm. suggests some other constraint is needed as well
14:15 < MoALTz> for the "in-kind" payments i could see refunding the tx fee being done (coinbase). but yeah, it still needs more incentive for miners to give correct values for the mintxfee
00:40 < jgarzik> l very relevant to corruption prevention, just in different ways.
00:40 < maaku> left hand, meet right hand
00:40 < petertodd> well HP is a hollow shell of it's former self
00:41 < jgarzik> filesystems and block all go through page cache, even if write-through
00:41 < jgarzik> if you have PCI-express (PCIe) super-fast storage, even kernel page locking can become a relevant factor.
00:41 < petertodd> jgarzik: sucks that pages are so big, though for the average person 4KiB/transaction is not going to hurt you
00:42 < jgarzik> petertodd, indeed.  That is one of the annoying bits, for us.  Our commits are likely well under 4k
00:42 < jgarzik> much less 8k
00:42 < petertodd> jgarzik: 64KiB is enough for anything right? :P
00:42 < jgarzik> ;p
00:43 < maaku> if you want to get clever, you can fill the extra space with error correction of previous writes
00:44 < petertodd> maaku: if you want to get overly clever, you would run a testnet node in parallel and also write your wallet data to the testnet blockchain
00:44 < petertodd> maaku: or maybe just a scamcoin that you don't like
00:44 < jgarzik> gmaxwell, upload the master public key to bitcoinkeyserver.net ;p
00:45 < jgarzik> gmaxwell, create a really slow, clunky mirror at bp.mit.edu
00:45 < gmaxwell> I do think supporting some kind of integrated backup system would be nice.
00:45 < gmaxwell> "we store our wallet backups encoded as fake public keys in the pgp key servers"
00:45 < jgarzik> "the cloud"
00:45 < petertodd> "the caves"
00:46 < petertodd> "the salt mines"
00:46 < maaku> jgarzik: gmaxwell: you do that, and people will start "logging into their account" on a friend's client
00:46 < petertodd> maaku: ooh, sounds useful! very 2.0!
00:46 < jgarzik> gmaxwell, heh, well, petertodd and I were discussing how SIN (an ECDSA key, after all) might look inside OpenPGP packetizing
00:46 < petertodd> maaku: can I login with my facebook account?
00:46 < jgarzik> gmaxwell, might be fun...
00:47 < gmaxwell> jgarzik: openpgp land is a little brain damaged, they'd likely just have some silly robot that sees your sin and signs for you. (see cacert's signer for an example) :(
00:47 < petertodd> gmaxwell: what's cacerts signer do exactly? sign for email identity?
00:48 < petertodd> gmaxwell: PGP runs a bot that does that
00:48 < jgarzik> gmaxwell, openpgp source code and packetization both leave a bit to be desired.  but ah well, it's The Standard.
00:48 < gmaxwell> petertodd: if you have two cacert certifications of your identity their robot will sign a pgp key for you, so long as the name matches exactly.
00:49 < jgarzik> everybody forks the same 1960s era codebase.
00:49 < jgarzik> I'm pretty sure OpenPGP was originally fortran, auto-translated to C
00:49 < gmaxwell> jgarzik: yea, and it covers a LOT of usecases. sometimes I get irritated and want to rewrite it, and then I remember it does a ton of stuff I don't even completely understand.
00:49 < petertodd> gmaxwell: oh, that's not so bad, though it'd be better done with a cert sig notation
00:49 < gmaxwell> "You can write fortran in any language"
00:50 < gmaxwell> petertodd: yea, it's just a sig0 user signature from some random key.
00:50 < petertodd> jgarzik: you mean the gnupg codebase?
00:50 < gmaxwell> buggers up the WOT because most things don't know to ignore it.
00:50 < petertodd> jgarzik: there's no OpenPGP codebase
00:50 < petertodd> gmaxwell: huh? all WoT tools require you to explicitly state your trust at every step, at least what I've used
00:52 < gmaxwell> petertodd: e.g. pathfinder tools will follow hops through that stupid key.
00:52 < gmaxwell> or at least some of them will.
00:54 < petertodd> gmaxwell: right, but pathfinder tools don't do what you really want anyway, because they don't let you specify anyones keys as trusted or untrusted
00:54 < gmaxwell> I know.
00:54 < petertodd> gmaxwell: equally, they give you all the distinct paths, so just pick one that doesn't use that key
00:54 < gmaxwell> I also recently realized that my own trust database is all 2#$@#@#$@ up, as well as my signature levels are all wrong.
00:55 < petertodd> Main thing is we need off-line versions of those things that use your trust settings.
00:55 < petertodd> how so?
00:55 < gmaxwell> at some point a gpg update switched me to the mode where it doesn't ask what level of verification you did, and just issues all sigs as sig0.
00:55 < petertodd> oh, you were local-signing keys?
00:56 < petertodd> likely gnupg changed because they wanted to simplify things, although IMO that's just a failing of non-existent tools to actually use the WoT
00:56 < gmaxwell> and most of my sigs are actually sig2/sig3.
00:56 < gmaxwell> and you can't change them without redoing the sigs. So now I'm probably not going to fix it until I scrap my old 1024 bit key.
00:57 < petertodd> right, because of how gnupg doesn't let you resign a key, although you can revoke the signature, minimize/clean the key to get rid of the revoked sigs, and resign, it's just not obvious
00:57 < petertodd> *obvious how
00:57 < gmaxwell> I know, but a PITA. and it will gunk up the keyservers with more signatures.
00:58 < gmaxwell> also, why the @#$@ must all your keysigning be with your master identity key?
00:58 < petertodd> the OpenPGP standard has trust signatures which let you specify a secondary key to do signing on your behalf
00:59 < gmaxwell> petertodd: yea but it looked like it would be treated as a different key id. E.g. I want a key which is signed by everyone, which delegates to a key signed only by it, which goes and signs everyone.
00:59 < gmaxwell> and everyone sees that as just the same as the master key signing everyone, unless I revoke the delegated key.
01:00 < petertodd> gmaxwell: I'd have to double-check, but I'm pretty sure that subkeys can have the cert bit set
01:00 < gmaxwell> gpg ui wouldn't let me do that at least. hm. that would be nice.
01:01 < petertodd> yeah, myself I just have hardware PGP keys, and keep my master key on one that I leave offline
01:01 < petertodd> my day-to-day subkey is in the second smartcard
01:01 < gmaxwell> you still need to interact with it to sign people. which is what I'd like to avoid.
01:02 < petertodd> well, done on a secure computer, esp if air-gapped, that's still pretty damn good
01:02 < gmaxwell> yea, but I update my master key once every couple years. I sign more often than that, so it should be separate.
01:03 < petertodd> indeed, but as I say, I do think the standard supports what you want to do
01:03 < gmaxwell> cool. I'll have to give it a shot again, I only looked briefly.
01:04 < petertodd> anyway, without timestamping a lot of this stuff isn't as useful because sigs aren't trustworthy once keys are compromised
01:05 < phantomcircuit> jgarzik, in general relying on sector size writes being atomic doesn't seem like a great solution
01:05 < petertodd> IMO the more important thing for OpenPGP is to be able to know exactly when signatures were created, and be able to issue revocations as applying to after certain times
01:05 < gmaxwell> petertodd: have you thought about defining a signature packet that says "this key is timestamped" with blockheader stuff?
01:05 < petertodd> gmaxwell: yes, in fact last night I changed my GPG setup to use blockheader hashes as random beacons - only half the problem, but interesting how simple it was (uses signature notation data)
01:06 < petertodd> gmaxwell: I've looked at it carefully, and I think defining timestamping as a new signature algorithm is the right approach
01:06 < petertodd> OpenPGP already has a "this sig is a timestamp" bit
01:11 < gmaxwell> petertodd: though validating a bitcoin timestamp is not quite stateless... since you need to know some of the network.
01:12 < petertodd> gmaxwell: yeah, that'll be a first for OpenPGP
01:12 < gmaxwell> though I guess you can have a minimum difficulty... which is now almost 60 bits.
01:12 < gmaxwell> log2(267731249.48242110)+32 = 59.996
01:14 < petertodd> for validation of old sigs it's interesting how you could just ship a "official" set of block headers
01:14 < gmaxwell> well, it could be a --recv kind of thing to get the headers.
01:14 < gmaxwell> and show it as an untrusted signature if you don't have the headers or something.
01:16 < petertodd> yeah, though that's actually ignoring the bigger issue, which is that for user acceptance you have to have a way of timestamping that happens instantly or near instantly
01:17 < gmaxwell> not for key identification you don't.
01:18 < petertodd> gmaxwell: even for that people won't be happy - you need a scheme where you can upgrade the timestamp as more data is known
01:19 < petertodd> gmaxwell: one interesting idea is to put support for it into keyservers
01:20 < gmaxwell> I'd think the thing to do would be just for one of us to run it for the whole world.
01:20 < gmaxwell> just being able to get evidence that a key is as old as it claims to be is very useful once old is somewhat-old.
01:20 < gmaxwell> you might even intentionally delay publishing new timestamps since they're not useful when they're very new.
01:21 < petertodd> well, speaking of, a 1 second MMR timestamp chain is very useful there, so that timestamps *can* be made immediately
01:21 < petertodd> the problem is you want that chain to be a: reliable, and b: spam resistant, and c: still useful even if some big attacker wants to shut it down
01:30 < jgarzik> phantomcircuit, in general, relying on any generalization is unwise ;p
01:30 < phantomcircuit> jgarzik, heh
01:30 < jgarzik> phantomcircuit, the bottom line is always "know your hardware", but sadly many users fail that ;p
01:30 < phantomcircuit> jgarzik, fucking hdds do tons of random stupid shit
01:30 < jgarzik> know your hardware, and tune your software to match, I mean.
01:30 < phantomcircuit> hurr durr flying writes
01:31 < jgarzik> phantomcircuit, I think it's more the software on top in this era
22:40 < petertodd> amiller: Yeah, the meta-protocol/constitution really is then "what is the protocol for convincing other people to use my protocol/continue to use it"?
22:41 < petertodd> gmaxwell: Right, but remember I'm assuming no explicit transaction rate limits, so at some point something goes to infinity.
22:41 < petertodd> gmaxwell: Which means at some point one of the low value chains isn't secure.
22:42 < petertodd> amiller: As for incentives, I think any of these systems *must* work even if all participants are only short-term rational, and should work even if what the participants goals are varies hugely.
22:42 < petertodd> amiller: for instance we must be able to deal with data-spam with technical, rather than sociological measures
22:42 < amiller> we don't yet have a satisfactory explanation for the circular value argument of currency tokens as money
22:43 < amiller> the appeal of the commodity value money is that it starts somewhere
22:43 < amiller> here the simplest explanation is you can use the money to pay tx fees
22:43 < petertodd> amiller: sure we do, Rai stones are heavy!
22:43 < amiller> that just shows that there's a social demand/benefit for some mechanism of exchange
22:43 < amiller> it doesn't actually help you design an optimal system
22:44 < amiller> we're still making models of gold at this point
22:44 < petertodd> amiller: I think the more interesting question is what happens as tx fees rise/how much are people willing to pay for security?
22:44 < amiller> they're valuable because you can bribe miners with them and you can bribe miners with them because htey're valuable
22:45 < amiller> yeah there's that whole paying-for-system-security-is-everyone-else's-problem
22:45 < petertodd> proof-of-work is ugly because the total cost of the work needs to be some small % of the total value of the system, but in Bitcoin that means destroying it costs a small % of the total value of the system... systems incorporating proof-of-stake could in theory be better, requiring up to the total value of the system to destroy, but it's unclear how to actually build them
22:45 < amiller> yeah i agree with that
22:45 < gmaxwell> #include <unworkability_of_pos.h>
22:46 < petertodd> gmaxwell: I'm actually thinking that proof-of-stake can be used in conjunction with proof-of-work, especially if you have a jam-free network available
22:46 < amiller> my intuition is that there's a great theorem in here somewhere that you *have* to burn something of *objective* value, i.e., computational energy, in order to defend against an anonymous attacker
22:47 < gmaxwell> amiller: I agree.
22:47 < petertodd> gmaxwell: *relatively high bandwidth jam-free network
22:47 < amiller> if you have a proof of stake then it's a guarantee that there's a trusted party lurking somewhere
22:47 < gmaxwell> petertodd: yes, also, make me god of the universe and all this can work too... lots of things are easy when you can just pick preconditions. :)
22:47 < petertodd> amiller: Yes, but can we divise a system where you burn computational energy from the past, or *must* it be computational energy you burn *now*?
22:48 < amiller> i think it can't be from the past i think it has to be a present decision where you have the option of not burning it but benefiting it
22:48 < petertodd> amiller: Because if it can be computational energy you burn in the past, you can defeat 51% attackers by sacrificing your own coins in opposition.
22:48 < gmaxwell> petertodd: only if you have a perfect system for accounting for stored value, which we don't have as we're trying to build one.
22:48 < petertodd> amiller: IE replace-by-fee scorched earth applied to whole blockchains
22:48 < amiller> yeah you can sacrifice your own current coins by buying hashpower now
22:48 < gmaxwell> and yea, the works too.
22:49 < gmaxwell> thus checkpoints-in-txn-that-gate-fees.
22:49 < petertodd> gmaxwell: Yes, the chicken-and-egg problem is ugly but... with an infinite bandwidth jam-free network it certainly could be done, as you'd always know what coins got sacrificed by the defenders.
22:49 < petertodd> amiller: yes, but that's slow
22:49 < amiller> no it isn't?
22:49 < amiller> it's immediate
22:49 < gmaxwell> petertodd: Also works if you first convert me into a computer program, then convert all mass in the solar system for me to run on, and then upload everyone else into me. I promise. It'll be great.
22:49 < petertodd> amiller: It'd take at least a month or two to defend bitcoin from a 51% attacker by buying hashing power - factories have leadtimes.
22:50 < amiller> you don't defend against a 51% attacker, you prevent a 51% attacker from existing
22:50 < gmaxwell> petertodd: transaction fees with checkpoint-in-txn are buying hashing power instantly. people constantly buying hashing power to get mined is the protection.
22:50 < gmaxwell> what amiller said.
22:51 < amiller> since you don't control the attacker, you have to go fundsraising and bulk up the size of the network
22:51 < amiller> by offering free candy and big prizes for participants
22:51 < petertodd> amiller: 51% attackers come in a few types: those who have the majority of hashing power capacity, those who can temporarily obtain more, and those who have enough to rewrite the whole chain.
22:51 < gmaxwell> I wish pos would work, but like amiller I suspect that its deeply impossible.  Sure you can make it work if you have jamfree communication between all parties. I don't think thats possible, however... because it would have to be infinite bandwidth.
22:52 < petertodd> amiller: We're best off if we can reduce the pow effort to the point where someone launches a 51% attack, they get stopped, and then the community responds by buying more physical hashing power.
22:52 < petertodd> amiller: Right now on the other hand we're flying blind and have no idea if we have enough - we're just hoping to god that an attack doesn't happen.
22:52 < amiller> you never have an idea if you have enough
22:52 < amiller> how much money should we spend on defense against aliens
22:52 < gmaxwell> ^ I certainly agree with that concern. We have no way to set the price, security is a lemon market.
22:52 < amiller> or on the military generally
22:53 < petertodd> amiller: Yes, and that's really inefficient! You want an attack to not be an end-the-world scenario, that is, you should be able to burn value to temporarily stop it.
22:53 < gmaxwell> worse, a viable strategy for an attacker is to try to convince you that you don't need so much security.
22:53 < petertodd> gmaxwell: that too
22:53 < amiller> any money spent on military that's successful as a deterrent appears as a waste because the attacker didn't show up
22:54 < petertodd> There's probably nothing we can really do (fully decentralized) that can stop a "rewrite the whole chain" attacker, but against the "has the majority of hashing power" and "temporarily rents a majority" we can probably succeed.
22:54 < gmaxwell> petertodd: so interesting. lets say you have a relatively jam free network.  A bad chain shows up. You issue transactions that burn all your coin, checkpointed so they can only exist in the bad chain.  How do nodes know when they've seen enough of that to start ignoring that chain?
22:55 < petertodd> gmaxwell: Basically if burned coins == pow mined coins, the chain with the burned coins is considered to be the longest and wins.
22:55 < amiller> temporarily rents an infinite hashpower  is fine as long as it's temporary
22:55 < amiller> you can only rewind so many blocks then everything goes on as usual
22:55 < amiller> "has the majority of the hash power forever" is not an attack worth defending against!
22:56 < amiller> figure out the size of your attacker's military and then build 1+ more than that!
22:56 < petertodd> gmaxwell: Note how this doesn't suffer as much from the direct "nothing at stake" aspect of proof-of-stake, because you're not directly gaining from the sacrifice.
22:57 < amiller> if you want to cut costs by being optimistic that your attackers aren't going to be so powerful then great
22:57 < petertodd> amiller: if P= and t=0 then we're safe, maybe :P
22:57 < amiller> lets just hope no one can afford 6 blocks, since that's what all the gold sells for (i think)
22:57 < petertodd> amiller: Yeah, as I say, so long as finding out we're wrong is something that can be fixed before the value of the coin plummets sufficiently that the whole system collapses we're good.
22:58 < amiller> sure just give the attacker what he wants
22:58 < gmaxwell> amiller: nah, the gold will notice a reversal dozens of blocks later, as I believe they check preshipment.
22:58 < amiller> then 24 hours or w/e?
22:58 < gmaxwell> amiller: but within 24 hours you'll hear that shit is busted.
22:59 < gmaxwell> and manually halt shipments.
22:59 < petertodd> amiller: well, that's an interesting thing, because the reversal attack can be handled with replace-by-fee scorched earth: wallets don't want the chain to go backwards, so they can respond by saying "well, if we have this chain, I'm happy to burn the money I received to increase the apparent work done by the "valid" chain"
22:59 < gmaxwell> petertodd: keep in mind the threat of people shorting the assets.
22:59 < petertodd> gmaxwell: yeah, lots of second order effects
22:59 < amiller> petertodd, if everyone burns 10% of their income
22:59 < amiller> petertodd, then no one has lost anything
22:59 < amiller> this doesn't work with fiat money
23:00 < amiller> (by fiat money i mean bitcoin, money not a commodity, the whole fiat=state thing is a misnomer, but sorry)
23:00 < gmaxwell> presumably only those fucked by the fork would burn money.
23:00 < petertodd> gmaxwell: I suspect in reality we'll never get a system that won't result in a few hours to days of chaos, but societies recover from that kind of thing all the time.
23:00 < amiller> petertodd, what you're saying is you want a cheap defense
16:59 < jgarzik> Then, the IRC bot would just ask for the user's identity token, verify that via ECDSA message, and proceed to add a new user to the bot-bank (or permit that user to access their existing account)
16:59 < jgarzik> i.e. makes identity separate from the service itself
17:00 < jgarzik> separate from the fidelity bonded banks itself, but an IMO necessary component
17:00 < jgarzik> anyway, should be straightforward, just wondered if anybody had done this before
17:02 < petertodd> Ah, cool, yeah seems reasonable.
17:05 < petertodd> jgarzik: Was my stuff on fee's useful?
17:06 <@gmaxwell> jgarzik: make sure you familiarize yourself with what mozilla persona is doing wrt email bounded network identity.
17:08 < jgarzik> gmaxwell: will check it out
17:09 < jgarzik> petertodd: Basically, I was considering burning money as public proof that you "made an effort" to create this network identity
17:09 < jgarzik> and as such, those transactions might be fee-only sometimes, if there is no change
17:09 < petertodd> jgarzik: Right, sounds like fidelity bonds exactly.
17:09 < petertodd> fee-only sometimes?
17:10 < jgarzik> petertodd: if the proof (to be paid as fee) is 0.01 BTC, and you have only a 0.01 BTC coin, then (in theory) you have 1 input, 0 outputs
17:10 < jgarzik> but that is not permitted, and zero-value outputs are non-standard.
17:10 <@gmaxwell> jgarzik: I don't think a zero output txn is valid.
17:10 < jgarzik> gmaxwell: hence "that is not permitted"
17:11 < jgarzik> gmaxwell: and "(in theory)"
17:11 < jgarzik> Thus, what I want is not permitted, and a workaround must be found
17:11 < petertodd> So why not add a second input to the transaction?
17:12 < jgarzik> petertodd: it needs an output, not an input
17:12 <@gmaxwell> So, lets permit txn that have a single output, which is zero value, and the output is OP_RETURN (or whatever we want the prunable type to be)
17:12 < jgarzik> gmaxwell: that would work
17:12 < petertodd> jgarzik: The second input to get more funds, so the output is not zero valued.
17:12 <@gmaxwell> basically a UTXO cleaning transaction.
17:12 < petertodd> Or is the output supposed to not be spent or something?
17:13 < jgarzik> petertodd: the purpose -- burn money -- is all I need
17:13 < jgarzik> petertodd: therefore, no outputs are needed
17:13 <@gmaxwell> petertodd: the problem is that if you can have other outputs means that I can't tell you sacrifice from a regular txn fee.
17:13 <@gmaxwell> s/you/your/
17:13 < petertodd> Yeah, and fees in general can be gamed by miners anyway, you really need a publish-wait-confirm sequence.
17:14 < petertodd> Why not just use the fidelity bond protocol directly?
17:14 < jgarzik> still have to digest it, and see if it fits the irc-bot use case
17:14 < jgarzik> I also think a cross-service network identity would be useful
17:15 < petertodd> Well, for the identity case, it's basically proving in a very robust way the fees attached to some hash, so I think it should be fine.
17:15 < petertodd> And if fidelity bonds become a thing, you'll be able to buy them easily enough, and securely, with a tx signed by multiple parties.
17:15 < jgarzik> basically attaching a cost to creating a network identity (though obviously a more centralized service might just charge a fee)
17:15 < petertodd> Well, you know I really think fidelity bonds solves that one very well.
17:16 < jgarzik> your writeup is open in my browser ;p
17:16 < petertodd> Best case possible is you need three tx proofs, proof of publish, proof of txin, and proof of the txout sacrificing the fees.
17:22 < jgarzik> It might also help to describe the use case I was thinking about
17:22 < jgarzik> I obtain a network identity U12345678 (and can pay for any number of network identities)
17:23 < jgarzik> U12345678 messages the Foo Bank Network, which maintains a provable, shared ledger of accounts
17:23 < jgarzik> messages are signed with keys associated with U12345678 network identity
17:24 < jgarzik> messages are "open account, withdraw, deposit" etc.
17:24 < jgarzik> Foo Bank Network might be one entity, but hopefully it is multiple entities
17:24 < petertodd> Right
17:24 < jgarzik> off-chain transactions are then possible, everything is digitally signed and secured, and not 100% centralized
17:24 < petertodd> So why do you need to make the client's identity expensive to get?
17:25 < jgarzik> because identity is decoupled
17:25 < petertodd> from what?
17:26 < jgarzik> so you don't need a new login for each service
17:27 < petertodd> Sure, but again, why does the identity have to be expensive?
17:27 < petertodd> (if it's just for banking)
17:37 < HM> I think I prefer Schnorr signatures to DSA
17:37 < jgarzik> I want a semi-decentralized database for the identities, so there needs to be some cost for creating 1,000,000 identities
17:38 < petertodd> Ah, yeah that's totally reasonable
17:38 < jgarzik> another part in this is a layer where you may message easily between two network identities
17:38 < jgarzik> a _little bit_ like bitmessage
17:38 < petertodd> Do you want an identity to essentially give you the right to message a given amount of traffic per day, or what?
17:38 < jgarzik> the identities have some permanence
17:39 < jgarzik> petertodd: at the moment, just "the right to message" is sufficient, but that needs more thinking
17:39 < jgarzik> anyway, gotta tour some real estate, bbiah
17:39 < petertodd> Have fun, say hi to the kid for me. :)
18:21 < HM> actually I don't think you can do public key recovery on Schnorr signatures
18:25 < HM> In DSA you rely on the fact that 'r' can be used to determine kG (to within a few possibilities)
18:25 < HM> under Schnorr you lose r in a hash function
18:27 < HM> it's also cheaper to compute
18:28 < HM> (by one bigint division)
19:03 < HM> bollocks i was right the first time
19:03 < HM> you can recover public keys
19:04 < HM> wait, i have to make my mind up on this for good
19:06 < HM> nope, i was definitely right the 2nd time
19:08 <@sipa> i don't see how you could do key recovery with Schnorr signatures
19:08 < HM> thank you
19:08 < HM> lol
19:08 < HM> what I did was arrange for validation assuming you knew the public key
19:08 < HM> then sub back in the result and arrange for that public key :|
19:10 < HM> twice
19:10 < HM> basic algebra beat me twice
19:12 < HM> ah well, i've done it now. You can arrange for sG in both DSA and Schnorr and show you need to solve the DLP to fake a signature
21:44 < jgarzik> petertodd: MerkleBitcoinTx uses block number rather than block hash.  why?
22:00 < petertodd> jgarzik: The blockchain is linear, so the block hash doesn't let you prove anything.
22:00 < petertodd> jgarzik: Granted, if it wasn't linear, like some sort of merkle skiplist or merkle mountain range, then a hash would make more sense.
22:01 < petertodd> jgarzik: Maybe just a premature optimization... submit a pull req, lol.
22:09 < jgarzik> petertodd: <shrug> maybe just being pedantic.  the text said 'just like CMerkleTx', which is slightly incorrect
22:09 < petertodd> Hey, it's a spec, be pedantic.
22:10 < petertodd> Where did I go wrong?
22:10 < jgarzik> petertodd: "This is the same data that the CMerkleTx class contains"
22:11 < jgarzik> petertodd: CMerkleTx includes block hash not block index
22:11 < petertodd> Yup, you're right, I'll fix it.
22:15 < petertodd> alright, I'll push to the server when I'm back from work and have access to my gpg keys...
22:18 < jgarzik> petertodd: any demo code?
22:19 < petertodd> Not yet sorry; I wanted to add unit tests and better ways to create transactions to pynode, and got distracted...
22:20 < petertodd> BTW: re: cython, I found a compiler bug in it, which kinda scared me off for now...
22:30  * jgarzik ponders.  N bots, cooperating but separate, independent entities (such as managing my identity service).  Service must accept bitcoins from users, and therefore, any one of N bots must be able to generate a "you are authenticated; send X bitcoins to address 1YYY..."
22:31 < jgarzik> Can such a botnet survive a cheater?
22:31  * jgarzik tries to think of ways to centrally generate and share bitcoin addresses
22:31 < jgarzik> and prove a bot is cheating in short order
22:33 < jgarzik> on the other end, need to share service fees to each bot, dividing up service revenue without cheating
22:47 < nanotube> as to using irc bots as money keepers... keep in mind that you also have to trust the irc server operators (and irc server security, and bot security, but these two are obvious)
22:48 < nanotube> an irc oper can send and/or modify and/or block any messages coming through.
23:04 < jgarzik> nod
23:05 < weex> those deterministic wallets should work, the one where you have a public seed and private seed
23:09 < weex> or you just have the head bot sign each address
23:10 < jgarzik> need N-of-M security
23:10 < weex> like shamir's secret sharing?
23:10 < jgarzik> head bot == centralization, not distributed consensus
23:10 < weex> http://en.wikipedia.org/wiki/Secure_multi-party_computation
23:11 < weex> i want to watch this tech talk on it again sometime  http://www.youtube.com/watch?v=LRAN_w1_qmw
23:20 < jgarzik> ok, more generally
23:20 < jgarzik> you have The Fund
23:21 < jgarzik> (a pool of bitcoins)
23:21 < jgarzik> You must generate new bitcoin addresses, to hand out to end users, from The Fund
23:21 < jgarzik> and The Fund must pay out according to pre-described rules
23:22 < jgarzik> The Fund is managed collectively by N parties, cross-checking each other.
23:22 < jgarzik> Can cheating by 1 party be prevented, in either of the two tasks (obtain new btc addr for customers, pay out to investors)
23:24 < jgarzik> One could hand out MITM BTC addrs, but that would be noticed as cheating when the party wanted to claim a payment has entered The Fund
23:25 < jgarzik> But creating the BTC addrs themselves... you still have the problem of private key distribution (or seed)
16:38 <@petertodd> That's really useful actually: means you can provide constantly updating refund scripts, that check for some given state of the txout set of something.
16:39 <@petertodd> Without having to screw with on-chain state.
16:40 <@petertodd> So, my bonded bank could say "Here's the script you need to run to get your coins back, but it's only good as long as the refund txouts I'm going to fund it for exist, but I can give you another one later."
16:40 < BlueMatt> but if you can specify any script that is signed, how is it different from just requiring the signature?
16:40 < BlueMatt> because you could otherwise just specify a OP_TRUE script that is signed
16:40 <@BlueMatt> its interesting in that you could give a 3rd party a signed script then they could spend that
16:41 <@petertodd> Because the script itself can check for constantly changing conditions so it can invalidate itself in the future.
16:41 <@petertodd> I was thinking of a crappy version of this with transactions that depended on special txouts; spend the txout and the transaction is now invalid.
16:41 <@BlueMatt> but in that case, why not just send the coins to them?
16:42 <@petertodd> Because it's for refunds. You want the general case to be done off-chain, with on-chain possible.
16:43 <@petertodd> Basically the bank would control the state of the refund scripts with a single special txout, and then spend it or whatever to invalidate a whole swath of refunds pending in one go.
16:43 <@petertodd> (I'm assuming something like a ISTXOUTUNSPENT opcode)
16:43 <@petertodd> (which has other implications...)
16:43 <@gmaxwell> yea, yuck. :P
16:43 <@petertodd> Hey, give me more than 30 seconds to come up with a use-case... :P
16:44  * BlueMatt isnt sure of all the stuff we are building this on, but I was assuming the standard scripts-only-access-themselves stuff we use now
16:44 <@BlueMatt> maybe I should read scrollback longer....
16:44 <@petertodd> It is important to keep in mind what Satoshi said ages ago about always allowing transactions to get reorged and accepted into the chain later though.
16:44 <@petertodd> BlueMatt: no, we're getting way more wizard than that.
16:45 <@BlueMatt> thought so...Ill shut up now
16:45 <@petertodd> Nah, just smoke some of this and you'll be good.
16:45 <@BlueMatt> heh, ok
16:45 <@gmaxwell> BlueMatt: well mostly I created this channel for the rocket science which is two steps removed from current Bitcoin. So what bitcoin currently does is only slightly relevant except to the extent that there is a good reason for it to be done that way.
16:46 <@petertodd> Basically we're gonna create SCAMCOIN and stuff all our dreams into it.
16:46 <@BlueMatt> ok, ok
16:46 <@gmaxwell> I find this stuff important and interesting, but sometimes this discussion floods bitcoin-dev, and I'm concerned that people who are only interested in bitcoin shouldn't get denied access to monitor #bitcoin-dev due to the flood of cryptocoin dreaming.
16:47 <@BlueMatt> thats fair
16:47 <@petertodd> Like, I've contributed maybe 5 lines of code to Bitcoin proper, and 10k lines of dreaming to bitcoin-dev
16:47 <@gmaxwell> plus some of the ideas that the crazy stuff results in are directly applicable to the current system, and we can then bring those back from the mountain tops as required.
16:48 <@petertodd> Lots of this stuff can be done as a soft-fork...
16:49 <@gmaxwell> 'can'... well. Kinda. You can change the script system as a soft fork, but if your change results in 100kb scriptsigs ... thats not a softfork.
16:49 <@gmaxwell> that's not even really 'just' a hardfork, it requires changing the security model.
16:49 <@BlueMatt> anyway...back to the point, if we are accessing outside state, being able to provide signed scripts would be interesting..."either spend this within the timeframe to get out of X, or dont and then you are locked"...assuming signed data can enforce a spend time limit
16:50 <@petertodd> Oh, reminds me, if we define a CHECK_SCRIPT_VERSION type opcode, to be used with new stuff in if endif blocks, we can really change anything but the else if, endif, "invalid even in a block" and finally data encoding opcodes.
16:50 <@BlueMatt> though thats probably not pie-in-the-sky enough...
16:50 <@petertodd> Basically, we're not gonna run out of opcodes.
16:51 <@gmaxwell> BlueMatt: maxtimes create some weird incentives, though I wish I knew the full reasons satoshi didn't want them.
16:51 <@petertodd> gmaxwell: Absolutely, 10k limit on scripts for these dreams...
16:51 <@petertodd> maxtimes?
16:51 <@petertodd> oh, right
16:51 <@BlueMatt> gmaxwell: yea, breaks reorgs sometimes, but I dunno, get the time spent signed by oracle
16:51 <@petertodd> See, my understanding is Satoshi mainly was against the reorg breaking problem.
16:51 <@BlueMatt> s/by oracle/by an oracle/
16:52 <@petertodd> I dunno, I gotta agree with him there.
16:52 <@BlueMatt> (hopefully oracle isnt your oracle......)
16:52 <@petertodd> You could wind up invalidating everything, on the other hand, tx malleability also breaks reorgs...
16:52  * petertodd wonders if satoshi realized tx's were malleable from the beginning
16:53 <@BlueMatt> I dont think that was on purpose, if he did
16:53 <@sipa> i don't think he realized the problems with malleability
16:53 <@gmaxwell> I don't know, he must have known that you could stuff in extra opcode.. I doubt he knew the signatures themselves were malleable.
16:53 <@sipa> he also didn't consider hardforks to be a problem :)
16:53 <@gmaxwell> they would have been less of a problem two years ago.
16:53 <@BlueMatt> to be fair, early in bitcoin's life they werent
16:54 <@gmaxwell> Right.
16:54 <@sipa> indeed
16:54 <@petertodd> He did have the mindset of "one true client" is my understanding.
16:54 <@gmaxwell> That makes hardforks less bad.
16:54 <@sipa> one true full client, atleast
16:54 <@petertodd> He wasn't the one who added RPC right?
16:54  * BlueMatt 's head spins with the amount of cross-client cooperation that would be required for a hardfork now
16:55 <@gmaxwell> BlueMatt: Dunno, the software that is actually maintained is not that long a list. :(
16:55 <@BlueMatt> gmaxwell: even still...
16:55 <@BlueMatt> and its getting better quite quick, too
16:55 <@sipa> bitcoind, bitcoinj
16:55 <@BlueMatt> jgarzik's stuff
16:55 <@sipa> anything else?
16:55 <@sipa> bitsofproof maybe
16:55 <@BlueMatt> not used, but at least maintained
16:56 <@gmaxwell> bitcoind, bitcoinj is all I'm aware of that I believe is complete and maintained right now.
16:56 <@petertodd> jgarzik's stuff has broken scripting too - various really major bugs
16:56 <@sipa> libbitcoin may be still alive
16:56 <@petertodd> (which I need to fix...)
16:56 <@sipa> libcoin too
16:56 <@gmaxwell> bitsofproof,cbitcoin,jeff are incomplete but maintained. then libbitcoin, libcoin, bitcoinjs are complete and unmaintained
16:57 <@BlueMatt> oh, random question, how do people feel about implementing upgradability in bitcoinj so that spv clients can seamlessly upgrade to full nodes?
16:57 <@gmaxwell> and purecoin, pybitcoin is incomplete and unmaintained,
16:57 <@petertodd> Even non-mining full nodes scare me
16:57 <@petertodd> Until there are multiple network implementations, propagation bugs can effectively cause forks
16:58 <@gmaxwell> BlueMatt: sounds good?  One thing I'd like to see happen with the validation support in bitcoinj is badness proof support. There are three main kinds I'd like to see, and two are possible today.
16:59 <@petertodd> https://github.com/mb300sd/Bitcoin-Tool/ <- this is new too
16:59 <@BlueMatt> gmaxwell: elaborate?
17:00 <@BlueMatt> actually, bbl
17:00 <@gmaxwell> e.g. you're a regular spv node, someone then gives you a message that says <block XXX is bad, here is a transaction and a fragment, run your script checker and you'll see>
17:00 <@petertodd> https://github.com/mb300sd/Bitcoin-Tool/blob/master/Bitcoin%20Tool/Scripts/Script.cs <- C# script implementation
17:00 <@BlueMatt> Ill read scrollback
17:01 <@gmaxwell> BlueMatt: so then you check the fragment and verify the transaction is in the block .. then run your script checker... and the script fails validation. Then you broadcast the message to all your peers, and add that block to a blacklist that makes you forever reject it.
17:01 <@gmaxwell> The three kinds of proof that I think are most interesting:  Proof that a script doesn't validate, proof that the blocks contain a double spend (just two fragments, the later and earlier spends),  and proof that the coinbase took too much subsidy.
17:02 <@gmaxwell> The last can't be done without a protocol change, preferably a hardfork. :(
17:02 <@gmaxwell> but it's really easy with a hardfork.
17:04 <@gmaxwell> In any case, the point of all this is: (1) in a world where most people run SPV nodes, if we have this then even a few honest full nodes would provide strong protection. (2) it would allow reduced nodes to participate in validation some. e.g. check 1% of signatures.
17:07 <@petertodd> "Proof that a script doesn't validate" <- any script proposal that allows for queries of any type needs to take the requirements of SPV proof for those queries into account very carefully.
17:07 <@petertodd> For instance, "Does UTXO exist? (but we're not spending it)" requires the UTXO set proofs.
17:08 <@petertodd> Ugly
17:10 <@petertodd> Easy to force really large proofs too...
17:14 <@amiller> i don't see what you mean easy to force large proofs
17:17 <@petertodd> Consider the scriptPubKey: "UTXO_EXISTS <DIGEST>", 33 bytes, yet each proof for each digest will be hundreds of bytes long, if not even more
17:17 <@petertodd> It's a big multiplier
17:17 <@petertodd> (even worse if the proof has to include the whole script...)
17:17 <@petertodd> (er, I mean transaction)
17:18 <@petertodd> like UTXO exists and it has some given output
17:18 <@amiller> gmaxwell, chanserv op add me so i can massage the channel topic?
11:29 < adam3us> luke-jr: but one sided properties are commonly in the users interests, because the merchant commonly has more power
11:29 < adam3us> luke-jr: eg payer anonymous ecash is more popular than payee anonymous (or double anonymous) its something analogous
11:30 < HM2> hmmm
11:30 < adam3us> luke-jr: the merchant should not be able to go rogue and out everyone's ebook purchases or get hacked for the same info
11:30 < Luke-Jr> huh? I've never seen a person<->company contract that's in the person's favour
11:30 < adam3us> luke-jr: and thats a good thing?
11:30 < Luke-Jr> no, but I don't think reversing it is the solution :p
11:31 < adam3us> luke-jr: my point is it is in the users interests to have a chameleon hash signature
11:31 < adam3us> luke-jr: i dont think the merchant loses anything, he's receiving irrevocable bitcoin ecash
11:31 < Luke-Jr> I suppose in this case
11:31 < adam3us> luke-jr: its obvious he got his part of the contract
11:31 < HM2> Why not just take a hash of the contract and sign it. If Bob screws you you can show the world the contract and signature.
11:32 < HM2> err get Bob to sign it rather
11:32 < Luke-Jr> but it wouldn't make sense for long-term contracts
11:32 < adam3us> hm2: thats not a bad idea
11:32 < HM2> if Bob can't prove that there ever was a specific contract, what's the point in getting Alice to sign anything?
11:33 < adam3us> hm2: an interesting question.. maybe gmaxwell's argument is unravelling!
11:34 < adam3us> hm2: absent ecash component youd think bob needs to have an authenticated order or someone could tamper with it or change it
11:34 < HM2> I mean, you're basically after a 3rd party/publicly verifiable signature only when you know 1) the people involved, 2) and the hash of the terms. That just sounds like vanilla Schnorr signature to me.
11:34 < adam3us> hm2: but that could be more easily done, eg encrypt and MAC the message consisting of the order, and the bitcoin payment
11:35 < adam3us> hm2: and send it to bob, job done, no chameleon hash in sight
11:35 < adam3us> hm2: (and upfront demand bob sign the order details as a condition of paying him)
11:36 < adam3us> hm2: well you're also trying to prevent bob proving to third parties what his customers bought for their privacy
11:37 < adam3us> hm2: but it seems unnecessary per above to use a chameleon hash, like you said get bob to sign it, then use integrity protection and encryption to prevent order tampering
11:37 < adam3us> hm2: i suppose that doesnt bind the contract to the receipt of the payment
11:37 < HM2> If Bob can't prove that Alice signed an order to someone else, what's to stop someone impersonating Alice and making orders?
11:38 < HM2> Alice can easily prove she did sign something, but how can you prove you didn't if Bob claims she did?
11:38 < adam3us> hm2: well on top of that alice is paying bob binding the hash to bobs payment address
11:39 < adam3us> hm2: alice is not revealing her identity
11:39 < HM2> I'm not following it at all
11:39 < adam3us> hm2: she is just binding a payment to	a contract pseudonymously, so she could prove afterwards that she made this payment, and bob knew the contract terms
11:41 < adam3us> hm2: i mean its like ebay a bit alice pays bob for the ebook, he doesnt deliver or the connection mysteriously 'fails" she gets annoyed and posts at least evidence that she paid for the book, and that bob accepted the money so also saw the order details and accepted them by taking her money
11:42 < HM2> ok
11:42 < HM2> I think I'm with you now
11:43 < adam3us> hm2: i think if we did it the other simpler way, where bob signs the order, bob could deny all knowledge
11:43 < HM2> If a seller has a private key 's', and you have some contract c = Hash(terms). the buyer can pay to c*sG
11:43 < HM2> the buyer then has to know c*s to claim the funds
11:43 < adam3us> hm2: eg no alice owed me $2 personally that payment is unrelated to this disputed ebook as the two are not bound together
11:44 < HM2> at any point the seller can publish "terms", c, and sG and prove it
11:44 < HM2> why the complexity?
11:44 < HM2> i got buyer and seller around the wrong way, but still
11:45 < adam3us> hm2: i think you need to bind the things together so bob cant start to tell tall stories about how the payment he did receive (he cant deny as the payment is public) was for something else
11:45 < HM2> how could he?
11:46 < adam3us> hm2: well if there was no chameleon hash sig, just a normal sig from bob on the contract, bob could say "yes, and she never paid for it", and "oh that payment was for something else, i lent her money the other day"
11:46 < HM2> I guess it becomes public that Alice sends a payment to c*sG so privacy is lost
11:47 < adam3us> hm2: no that can be ok eg c is H(r=random, contract)
11:47 < adam3us> hm2: without either party disclosing r thats indecipherable
11:47 < HM2> but both parties need to know r
11:47 < adam3us> hm2: yes thats where the risk comes because then bob could disclose it and alice doesnt trust him
11:47 < HM2> the contract is really decided by the seller and accepted by the buyer
11:48 < adam3us> hm2: so with the chameleon hash bob can change c after the fact
11:48 < HM2> hmm
11:48 < adam3us> hm2: c is fixed but he can find new r' and contract' that still add up to c because he has the private key so its not very convincing when he says look this payment was for ebook1
11:48 < adam3us> hm2: and then alice says no thats a lie it was for ebook2
11:49 < HM2> right
11:49 < adam3us> hm2: and as everyone presumes alice doesnt have bobs private key, they presume bob is lying
11:49 < adam3us> hm2: so it seems that it does hang together though its a bit complicated!
11:50 < adam3us> hm2: and if you find another way to do it that has the same properties u probably have invented yet another chameleon hash - apparently there are multiple mechanisms
11:52 < HM2> I'm not convinced
11:54 < HM2> If one party can say "no this transaction wasn't for X, it was <insert anything>!" then they lose the ability to prove it was for any specific thing and the other party can screw them by sending them something else
11:54 < HM2> the burden of proof is then on the sending party to prove they sent the right thing
11:55 < HM2> but if they refuse to do so there's basically no come back
11:55 < HM2> if they screw say 1% of people nobody will find it suspicious
11:55 < HM2> they'll just think the party that can't prove the specific contract terms is the shifty one
11:56 < HM2> even though that may not be the case
11:57 < HM2> surely it's just easier if both parties remain pseudo-anonymous to one another and all contracts are verifiable by all
11:59 < nanotube> <HM2> I can't remember if it was one of the BC books or Cryptonomicon that had the offshore data haven project <- it was cryptonomicon. :)
12:00 < HM2> it appears there are a lot of Neal Stephenson fans in bitcoin :P
12:01 < HM2> who'dve thunk it
12:02 < nanotube> hehe
12:04 < HM2> talking of contracts
12:04 < HM2> i foolishly sold a TV on ebay the other week and the guy picked it up and paid cash. I gave him a receipt but i never got one from him
12:04 < adam3us> hm2: if only bob can forge contracts, whatever alice says is true
12:04 < HM2> no problems yet but he could potentially screw me
12:05 < adam3us> hm2: because there should not exist two contracts unless bob is playing games
12:06 < HM2> I actually offered to accept bitcoin and he looked at me strangely
12:06 < adam3us> hm2: i mean technically bob could change the contract to something of higher value and alice could then falsely claim that equally plausibly but that's against bobs interests so he probably wont do it
12:09 < adam3us> hm2: "surely it's just easier if both parties remain pseudo-anonymous to one another and all contracts are verifiable by all" yes but unfortunately bitcoin is not payer anonymous
12:10 < adam3us> hm2: otherwise alice could create a new identity for the transaction, as it is bitcoin largely links all payments to the true name for anyone who touches an exchange or a physical delivery purchase ever
12:10 < HM2> it is if you establish 2 wallets and don't transfer between them
12:10 < HM2> you just need to figure out a way to create closed loops
12:10 < adam3us> hm2: yes, but where are you going to get the money from
12:10 < HM2> I don't know
12:10 < adam3us> hm2: i agree if you have two pseudonyms that are isolated you can do it
12:10 < sipa> obviously from the bitcoin internal economy
12:10 < sipa> without any exchanges involved
12:11 < sipa> (i'm only half joking)
12:12 < HM2> a blind token system wouldn't be that hard to introduce would it? in a new protocol.
12:12 < HM2> withdraw a coin, deposit it a few days later, it's blind so nobody can connect the 2
12:12 < adam3us> sipa: i'm yet to get paid in bitcoin... but yes for bitcoin to become more self sustaining it could have more internal commerce, and a high enough number of people using it, that its easy to do in person cash in / cash out.. eg if everyone knows someone else in their extended friends family with bitcoin
12:13 < adam3us> sipa: i mean to get past a point where it would run fine even if most exchanges went offline, there is a point past which that can happen i think
12:13 < adam3us> sipa: i wonder how far out... a few years?
12:13 < sipa> adam3us: i have no clue
12:13 < sipa> bitcoin may grow there rapidly, or perhaps it runs into scaling issues before we get remotely close to that
12:13 < adam3us> hm2: the anonymous mixes are a bit restricted by the size of the anonymity set
12:14 < sipa> or some other non-technical issue appears (legal?) that pretty much kills interest in it
12:14 < adam3us> hm2: you're only as anonymous as the number of other users minus nsa plant traffic
12:14 < HM2> well that goes for current pseudoanonymity as well
12:15 < adam3us> hm2: one idea is to run zerocoin as an alt-coin... nothing but zerocoins
12:15 < HM2> zerocoin is too far outside my knowledge range
04:54 < gmaxwell> I'm pretty sure I know how to boost such a proof to arbitrary soundness using an error correcting code... but the POW might end up being rather large (tens of kb) for 128 bit security.
04:54 < petertodd> gmaxwell: Yeah, I came up with that idea myself, and as far as I could tell you get into a situation where "fraud" in the NI proof is what allows you to parallelize the problem.
04:55 < petertodd> gmaxwell: I don't know anything about error correction though.
04:55 < petertodd> sipa: Yes! Like my example of a consensus currency system where you just write transactions down on post-it-notes and hope everyone is honest...
04:55 < gmaxwell> petertodd: yes, thats always the problem you get unless you have a local test of the proof with probability of detecting fraud of at least p=0.5, once you have that you can boost up to make fraud simply infeasible.
04:56 < petertodd> gmaxwell: So how do these error correcting codes work?
05:00 < gmaxwell> petertodd: by expanding the state with additional binary relations e.g. parity checks which also must be true if the data is valid (it's easy to see how you can do that for a simple greater than or equality relationship). If you expand enough with the right structure the probability of a random test (e.g. reading out one spot and the other values in the proof it is the parity of) failing can be made 0.5. Once you achieve that, ...
05:00 < gmaxwell> ... fiat-shamirizing a couple dozen of these tests makes fraud infeasible.
05:00 < gmaxwell> easier to explain with a whiteboard.
05:01 < gmaxwell> sipa: the sleep makes me think of http://weknowmemes.com/wp-content/uploads/2011/10/i-am-not-a-clever-man-comic.jpg  somehow.   "YOU MADE A POW FUNCTION THAT CALLS USLEEP?" "I AM NOT A SKILLED CRYPTOGRAPHER"
05:02 < petertodd> gmaxwell: Hmm... we're getting dangerously close to leaving joe-random in the dust; I'm going to have to do some reading.
05:03 < petertodd> gmaxwell: I take it no-one has even attempted to do a dumbed down explanation of that stuff yet right?
05:04 < gmaxwell> petertodd: I can explain it to you, but there is no dumbed down explanation of it. Worse, most things talking about it are talking about building proofs for arbitrary poly-time (or NP) languages.
05:04 < gmaxwell> one for "this set of values is a sorted list" would be much simpler, like I could reason that one out on a whiteboard without much trouble.
05:05 < petertodd> Yeah, I don't really know what an "arbitrary poly-time language" is :/
05:05 < petertodd> Sorted list sounds more promising. :)
05:11 < gmaxwell> lemme try the short explanation over IRC,   here is an example image representing an error correcting code http://www.spiral.net/hardware/graphics/tanner.gif  message bits on the bottom, you feed them in and the wires just do xor, giving you those parity bits.
05:12 < gmaxwell> When you use them for communications you do things like take an errored message + parity bits, and construct the most likely message using some efficient decoding algorithm. But thats not relevant for using them in proofs.
05:13 < gmaxwell> if I gave you a message + parity, you could go and check all the edges and tell me easily if it was a non-errored  message (and parity),  "A valid codeword for the system"
05:14 < gmaxwell> Thats straight forward.  Turns out that if you construct a parity check matrix with the right graph structure (and a long enough ratio of parity bits to message bits),  that if the codeword is invalid and you check just one or two bits (and their edges)  you'll have a 50% chance of detecting the error.
05:15 < petertodd> huh
05:15 < petertodd> and 50% iterated soon gets to nearly 100%
05:15 < gmaxwell> Right.
05:15 < petertodd> what kind of ratios are we talking about?
05:17 < petertodd> by "their edges" you mean the bits going into the XOR operation right?
05:17 < gmaxwell> yes.
05:17 < petertodd> which looks rather like a merkle tree...
05:17 < gmaxwell> Right, so there are graph transformations that take any existing error correcting code and expand it into the kind with the probabilistically checkable structure. Generically they have quadratic growth, I believe, so they get big but they're regular.
05:17 < petertodd> "regular"?
05:18 < gmaxwell> repeated, e.g. you don't need to go and serialize out the whole thing. it's not a random graph.
05:19 < gmaxwell> so what you do is you write out a little set of boolean circuits to test your constraint and then output its truths, e.g. little binary comparators.. And take this as a kind of degenerate error correcting code. E.g. you've got inputs and then a bunch of 'true' outputs. And the constraints are all satisfied if and only if your data is good.
05:19 < gmaxwell> Then you take that graph and pass it through the transformation to one of these probabilistically checkable graphs.
05:19 < gmaxwell> and then construct a merkle tree over it... and use the root of the tree to select your tests.
05:20 < gmaxwell> (because a parity check graph is just a satisfaction problem you can convert any program execution into one of these, but it gets inefficient fast)
05:21 < petertodd> so dumb question time: how do you know the circuits actually tested the constraint you thought they did? (given the partial information youre given)
05:22 < gmaxwell> validator knows the graph, it's fixed for the statement being proven. .. and all the state is under the proof.
05:22 < petertodd> right, because its structure is regular?
05:22 < petertodd> (like a merkle tree would be)
05:23 < gmaxwell> so it gets point 2394892384 and it knows that it should be equal to 12319831 xor 32849284 xor 589583 xor 5837485743	(or whatever), and it gets those too.
05:23 < gmaxwell> right. or at least if you want this to be feasible it better damn be regular. :)  The expansion itself is regular, but the whole thing is only regular if the thing you're checking is really trivial.
05:27 < gmaxwell> petertodd: it may help your understanding a bit to know that these are also called holographic proofs. :)
05:27 < petertodd> Hmm... lets try a toy problem, heck, a toy toy problem: So I have a list of bits, and I want to know if they are all zero. I construct my merkle tree over all the bits, and pick random samples. By that p=0.5 thing you said before, I can very quickly determine that at least half the bits are false with overwhelming probability, correct?
05:28 < petertodd> Now, the error correcting code business is basically taking that toy problem, and using binary relations in ways that "spread" out my tests to actually have better coverage than one-test-one-bit.
05:28 < petertodd> Like a hologram where you're checking if the low-resolution fragment looks roughly right...
05:29 < gmaxwell> petertodd: yea, and actually a trivial code should work for that, i think. Repetition. like you virtually repeat your data enough times that you have a 50% chance of hitting any message bit with a single test.
05:30 < petertodd> Huh, so how do you "virtually repeat" the data?
05:31 < gmaxwell> hm. no straight repetition doesn't work (now that I write it out. :P oh  duh right)
05:32 < gmaxwell> okay so initially you have p=1/s  in finding your bad bit in a single test.
05:32 < gmaxwell> (s is size)
05:33 < petertodd> right
05:38 < gmaxwell> petertodd: so my brain isn't working since I don't remember the transform trick to get high success rates without looking it up :P   I can show you how to increase it.
05:39 < petertodd> ha, better than nothing!
05:39 < gmaxwell> petertodd: e.g. take your s bits in your message and create s^2  pairs (all the pairs).  Probability of detecting a bad bit in the new data is 2/s  instead of 1/s. :)
05:40 < petertodd> create an s-bit tuple and we can make the probability 1!
05:41 < petertodd> though I'll admit that s^2 pairs has less bandwidth to prove :P
05:41 < petertodd> there is something neat about that...
05:41 < gmaxwell> e.g. for s=4  you start off with 1/4 probability.   but in the s^2 form you have p=7/16.
05:42 < petertodd> hmm, very close to the p=0.5 threshold
05:45 < petertodd> now, I guess if we can fairly choose our PRNG seed still, we don't need to calculate all s^2 pairs right? like, if we did the merkle tree of, say, just s and then used it to pick pairs
05:52 < gmaxwell> ah dur, for that trivial example:
05:52 < gmaxwell> s=4  {0 1 2 3}
05:52 < gmaxwell> 01 01 02 03
05:52 < gmaxwell> 10 12 12 13
05:52 < gmaxwell> 20 21 23 23
05:52 < gmaxwell> 30 31 32 30
05:52 < gmaxwell> P=0.5
05:53 < petertodd> ?
05:53 < gmaxwell> those are the pairs if you count up the number of each number in the grid, you'll see there are 8 of each, and 16 total pairs.
05:54 < gmaxwell> had to replace the moronic XX diagonal with repeats of the neighbor code.
05:57 < petertodd> So seems to me we could do merkle(s), use that as the PRNG seed, then sample random pairs from s by just picking pairs of (PRNG(i), PRNG(i+1))
06:00 < gmaxwell> totally OT but I have a puzzle that will blow your mind.
06:00 < petertodd> oh yeah?
06:01 < gmaxwell> Say there is a contest. You sipa and I  are each going to be given a hat.  The hat will be red or blue, assigned totally at random (by coinflip).  We can't see our own hats.
06:02 < gmaxwell> We get sent into a room where we can see each other's hats but we are permitted no communication _at all_. Then we leave the room separately.
06:02 < gmaxwell> Each of us then must write down.  Either Pass  or  the color of our own hat Red or Blue.
06:03 < gmaxwell> If at least one of us is correct and none are incorrect (e.g. correct pass pass is fine). Then we all win a million dollars.
06:03 < gmaxwell> What is the ideal strategy for us to use, and what are our chances of winning this game?
06:03 < HM2> 2 write down red, 1 writes down blue
06:04 < sipa> can we assume that we all have the same purpose?
06:04 < sipa> (winning)
06:04 < gmaxwell> we all want to win. and We ALL win. if  at least one of us is correct and none are incorrect.
19:45 <@gmaxwell> I thought I mentioned x could be not on the curve! I think his code actually tests though.
19:47 < adam3us> gmaxwell: ok. just his response to your explaining that was "an invalid nonce means the attacker sends an x that's past p but less than 2^256." which is not the point at all!
19:47 <@gmaxwell> oh I didn't even notice that.
19:47 <@gmaxwell> (that he responded to that point)
19:48 < adam3us> gmaxwell: #11 - is it locked because he did that as the thread starter?
19:50 <@gmaxwell> No. I locked it because it was becoming a totally stupid war. If you'd like to post I can unlock it.
19:50 <@gmaxwell> I've been talking to the guy in PM and woah lots of misconceptions.
19:50 <@gmaxwell> adam3us: do you like my attack?
19:51 < adam3us> gmaxwell: yeah dont worry.  it was him creating the flame war.
19:52 <@gmaxwell> Is there any client that has a "message" field that autosubmits the message to bc.i?
19:53 <@gmaxwell> guy in PM is telling me that his desktop client has a "message" field that he thought showed up on bc.i.
19:53 < BlueMatt> probably, but dont know which
19:53 < BlueMatt> probably like the bc.i desktop client
19:53 < BlueMatt> "my browser is my desktop!"
19:55 < adam3us> gmaxwell: your attack, ECIES R=rPQ, k1||k2=KDF(R), send R.x, c=E(k,m), MAC(k2,c); but i take it he used ctr mode for AES for E
19:55 < adam3us> gmaxwell: oops R=rQ rather
19:56 <@gmaxwell> Yup. he used counter mode and a 64 bit MAC.
19:56 <@gmaxwell> (at first I thought he used a 32 bit MAC and I was going to post a demonstration, alas... by random chance it wasn't quite that weak)
19:58 < adam3us> gmaxwell: actually that was also wrong R=rQ, k1||k2=KDF(R) but send S.x from S=rG, c=E(k,m), MAC(k2,c) .. that's better
20:03 < adam3us> gmaxwell: ok so then you send S.x, c'=0, m=counter, and increase counter until it passes the mac.  consequently you get c=p xor E(k1,ctr0) and c'=p' xor E(k1,ctr0) and therefore c xor c' = p xor p'; and you know p' because the oracle told you so p = c xor c' xor p'.  qed :) nice
20:09 < adam3us> gmaxwell: btw i presume you are aware of http://eprint.iacr.org/2011/615.pdf because you mentioned the RSA problem, they provide a security argument for shared-key ECIES & ECDSA though unless there is some burning reason to reuse keys like you said that is a generically bad idea
20:09 < adam3us> gmaxwell: (we may even have discussed that paper here... i forget)
20:11 <@gmaxwell> Ah, I didn't recall any argument for shared-key ECIES & ECDSA... I didn't even look for one, because considering the state of security proofs for ECDSA I didn't expect to find any.
20:11 <@gmaxwell> I don't think it's practically insecure of course, but ... I was just pointing it out as a generally good practice.
20:14 < adam3us> gmaxwell: agreed.  i would be worried about that argument and any assumptions it makes; sometimes proofs are artificial.  it seems inherently dangerous/fragile inviting people to ask you to answer challenges involving the same d as used in ECDSA - we know how fragile ECDSA is already without deterministic DSA! wouldn't take much to push it over the edge, just a single bit here and there
20:16 <@gmaxwell> yea, esp with a small mac potentially allowing you to use a decryption thing as a multiplication oracle of some sort. ... though the hash and AES certainly help.
20:16 <@gmaxwell> the guy is busy arguing with me about address reuse in private message now.
20:17 < BlueMatt> :(
20:17 < BlueMatt> bitcoin.org/bitcoin.pdf
20:17 <@gmaxwell> Already cited.
20:17 < adam3us> gmaxwell: well even just at the asymmetric level.  eg say you could get timing from mac failure vs success or something.
20:17 < BlueMatt> iirc there's a section on that...
20:17 <@gmaxwell> Section 10. It's like a keyboard reflex.
20:17 < BlueMatt> heh
20:19 < adam3us> gmaxwell: u know on sci.crypt there was this annoying guy very young, school kid; some of the regulars clubbed together and sent him some crypto books, evidently he read them and eventually wrote a quite well regarded crypto library and got crypto employment if i recall.  http://libtom.org
20:20 <@gmaxwell> Yea, I read sci.crypt religiously throughout the 90s.
20:21 <@gmaxwell> endless "I have made an ultimately secure cipher because none of you can break it!"
20:22 < adam3us> gmaxwell: sometimes noob status + enthusiasm leads somewhere :)  altoz's tendency to /ignore forum handles not giving criticism in the way he likes might not help his learning curve tho!
20:22 <@gmaxwell> yea, well, I've been responding to the guy. but ouch.
20:23 <@gmaxwell> lots of earnest enthusiasm, but also layered cluelessness. :) He seems to respect me (the fool!) so at least my conversation with him is having forward progress.
20:24 < BlueMatt> hey, I havent failed out of bitcoin yet (despite repeated efforts), so maybe he can prove useful :p
20:24 < BlueMatt> too
20:26 < adam3us> gmaxwell: the sci.crypt ones i enjoyed most were the new factoring methods :) but yes the "i challenge you to break my new cipher" were endlessly amusing also
20:30 < andytoshi> gmaxwell, adam3us: those factoring posts were still happening as of 3-4 years ago..
20:30 < andytoshi> also thx gmaxwell for posting your break, i'll check it out
20:38 < andytoshi> gmaxwell: on https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29 it says
20:38 < andytoshi> By now, CTR mode is widely accepted, and problems resulting from the input function are recognized as a weakness of the underlying block cipher instead of the CTR mode.[18]
20:39 < andytoshi> i read that to suggest that altoz was safe from attacks such as yours
20:39 <@gmaxwell> ha ha
20:39 < andytoshi> which obtain a ciphertext which can just be xor'd with the desired message
20:39 < andytoshi> (not that i would go implementing such a system based on 30 seconds of wikipediaing)
20:40 <@gmaxwell> nah, that's just what counter mode does, turns a nice pretty blockcipher into a stupid stream cipher. :P
20:40 <@gmaxwell> I am personally not a fan of CTR mode. It is widely used and respected, and you can certainly get yourself into trouble with blockcipher modes too.
20:40 < andytoshi> huh, that's what it looked like to me
20:40 < andytoshi> but "one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier" suggested i was being naive
20:40 < adam3us> gmaxwell: i reckon some of nsa $250m proto sabotage budget went into touting ctr mode... fragile & dangerous
20:40 <@gmaxwell> But this case is a nice example of how CTR mode can contribute to a cryptosystem being brittle.
20:41 < andytoshi> cool, i'll definitely work through your attack to make sure i know what's going on
20:41 < andytoshi> but my next flight is boarding, i gtg for now
20:41 <@gmaxwell> adam3us: okay, I feel better to hear you say that. I _think_ these sorts of things, but I try to not say them. :P
20:41 < adam3us> andytoshi: scroll up i did the math
20:42 < adam3us> gmaxwell: ctr mode seems like the dsa of cipher modes - inexplicably optimized for fragility
20:43 <@gmaxwell> well I know a lot of people (esp hardware people) just really would prefer stream ciphers.
20:43 < maaku> adam3us: in what way?
20:43 <@gmaxwell> GCM's popularity surprises me.
20:44 <@gmaxwell> maaku: fails totally completely to key/iv reuse and any amount of known plaintext.
20:56 < adam3us> gmaxwell: exactly any single reuse breaks it wide open; and there is no clear in-standard defined way to robustly avoid reuse so everyone does their own crappy time, counter, guid iv thing with semi public input or influenceable input; similar to dsa, even the original dsa specified rng had enough bias that Bleichenbacher figured out how to recover the private key in 1mil msgs
21:04 <@gmaxwell> Did a matonis or someone write some article extolling "DAC" lately, IRC seems to be getting flooded with jabber about them?
21:04 < Luke-Jr> DAC?
21:05 < jgarzik> gmaxwell, Vitalik is writing software for it as part of Dark Helmet^WWallet
21:06 < jgarzik> gmaxwell, Bitcoin Magazine did a series of articles, and Jerry Brito recently wrote http://reason.com/archives/2013/12/16/the-coming-robotic-world
21:07 < Luke-Jr> LOL @ Dark Helmet ref
21:07 < Luke-Jr> jgarzik: poke, never got a response on Fedora UNIX group for USB devices :P
21:08 < adam3us> jgarzik, gmaxwell: i think its more useful to call it a self-funding bot
21:09 < pigeons> DAC is the term protoshares/bitshares is using to mean "future app that will make our altcoin useful"
21:09 < adam3us> though i suppose they are hypothesizing about share-holder votes so there could be human owners; i think its more fun for a money making bot to go rent its own VPS with its own profit and own itself (right up until it gets hacked and loses its bitcoin stash:)
21:10 < Luke-Jr> wasn't it bitshares' guy who was recently proposing a license that forbids any usage of software by anyone who consents to copyright law? -.-
21:10 < adam3us> pigeons: yeah i saw DAC on invictus site, some of their rhetoric was cringe worthy
21:10 < jgarzik> DAC = Distributed Autonomous Corporation, AFAIK, which does not necessarily equal autonomous agent
21:10 < jgarzik> Some people appear to be using the term simply for an extranational / virtual corporation
21:10 < adam3us> jgarzik: this is true
21:11 < warren> Luke-Jr: to enforce that license you need to enforce copyright, rendering yourself unable to use your own software?
21:11 < Luke-Jr> warren: you don't need a license to use your own software :?
21:11 < Luke-Jr> :/
21:12 < adam3us> the alt story: step1. make useless alt; step2. make up some BS buzz about why its cool; step3 premine/postmine the heck out of it; step4 profit.
21:12 < warren> well, the point is you need copyright to enforce such a license
21:13 < adam3us> corollary to alt story: screw up just about every param choice, mining function choice that you possibly can; and yet inexplicably still profit (protoshares!)
17:41 < petertodd> Yup, instawallet is already known to have a cold storage with about a million dollars in it.
17:42 < petertodd> Anyway, regardless of proving they have funds, even just the merkle-sum-tree of account balances is a big improvement.
17:42 <@gmaxwell> on a total tangent, talking about the existence of micropayment systems. It would sure be nice if all these systems had a way to discover that they can use a system to system transfer vs a bitcoin payment for random user provided addresses....
17:42 <@gmaxwell> and if they could do so without disclosing what service owns which addresses in advance.
17:43 < petertodd> Yeah, I'm thinking an email-like basic address system is a good idea, and ensure that all payments are encrypted or signed or somesuch, so only the recipient holding the seckey can do anything.
17:43 < petertodd> trustbits:pubkey@example.com?
17:52 < jgarzik> a nice identity system, mayhap ;p
17:53 < jgarzik> perhaps one that requires cost to acquire an identity
17:53 < petertodd> ....that's what the pubkey is for, to ensure that we don't need an identity system!
17:53 < petertodd> basically it should act kinda like a cheque, so that only if the receiver can then actually prove they have the seckey does the sender release the fudns
17:53 < petertodd> *fudns
17:53 < petertodd> *funds
17:53 < petertodd> IE, if the DNS is hacked.
18:10  * jgarzik wants a global SIN (system id number) system.  Anyone may acquire one anonymously.  Perhaps it costs money, paid to a bot network, perhaps it requires a sacrifice.  The main point is to -not- be able to generate millions of these identity records a day.
18:10 < jgarzik> Attach bitcoin addresses (for signmessage verification), GPG fingerprints/pubkeys, etc. to a SIN
18:11 < jgarzik> or anything else, like a nickname or fingerprint
18:11 < petertodd> I like the idea; can we call it garzik-sins?
18:11 < petertodd> Or garzik's sins?
18:11 < jgarzik> The act of obtaining one could be SIN'ing
18:11 < petertodd> This can be the public in-joke we tell the press, instead of the one about puppies...
18:55 <@gmaxwell> petertodd: well what I'd like is something like  "I want to pay 1 BTC to 1jgarzik. So I consult a distributed hash table (ahh!) to find the public key for 1jgarzik, pJgarzik.  Then I post to 1jgarzik E(pJgarzik, I am instawallet, reach me at xxy || I also can make mtgox payments || bitcoin_txn_paying_1btc). Then the controller of 1jgarzik responds back and says "oh, hi instawallet, I instead of this bitcoin payment, you can make a ...
18:55 <@gmaxwell> ... payment to mtgox account foo --pJgarzik"
18:55 <@gmaxwell> petertodd: so the idea is that any time you want to pay someone you can privately send them a proposed transaction and they can respond back, "no thanks, pay me some other way instead"
18:56 <@gmaxwell> and no one but the recipient learns of this offer.
18:56 <@gmaxwell> And unless they accept the offer you don't learn what their alternative accounts are.
18:56 <@gmaxwell> And the offer comes with a real transaction so you can't make fake offers to people to uncover their mtgox account numbers.
18:57 <@gmaxwell> (though even better: when jgarzik gets that offer he asks mtgox for a one time use account number and thats what he responds with)
19:47 < jgarzik> offer spam
20:08 < jgarzik> anyway, besides SIN'ing
20:10  * jgarzik wonders if anybody has come up with a good way to charge for an overlay network/darknet usage, i.e. a decentralized private network that is self-supporting (provided there are interested users who pay)
22:20 <@sipa> a*P + b*G: 110us !
22:49 < jgarzik> it also strikes me that bitcoin-enabled bots, SIN'ing all over the place, would want a market for automatically bidding on things like storage space, CPU resources, ...
22:49 < jgarzik> (thus could reliable providers have well known SINs that grow respected over time)
22:50 < jgarzik> the market -- buyers, sellers and items being bought/sold -- are as private, or not, as you like
23:20 <@gmaxwell> jgarzik: so one way to do your decentralized private network thing is to have a whole bunch of not-decentralized bitcoin denominated micropayment systems. And then people advertise which kinds of micropayments they accept... including supporting trading between two accepted kinds so that you can interwork two hosts that don't mutually trust a common micropayment system.
23:27 <@gmaxwell> sipa: so an interesting node... a script that says  PUSH_DATA_TO_BE_SIGNED LSHIFT_AND_PUSH_BIT_OFF_END IF{push R1_1}{push R1_0} POP LSHIFT_AND_PUSH_BIT_OFF_END IF{push R2_1}{push R2_0} POP... RETURN TRUE  when used as an AST-P2SH encodes a lamport checksig. 0_o
23:27 <@gmaxwell> s/node/note/
23:27 <@gmaxwell> using 'no computation' just the AST branches.
23:29 <@gmaxwell> (the data being signed tells you which script-branch preimages you must disclose.)
--- Log closed Sun Mar 10 00:00:47 2013
--- Log opened Sun Mar 10 00:00:47 2013
03:03 <@gmaxwell> On the subject of Moon-rocket P2SH,  a proposed solution to uneconomical to spend utxo is this thing I just put on my alt_ideas page (inspired by some talk in #bitcoin-dev):
03:04 <@gmaxwell> * Transaction cost prepayment: One problem is that it's possible to create UTXO that are unprofitable to redeem.
03:04 <@gmaxwell> ** Instead make every output specify a max_size, which is the maximum marginal increase in size from redeeming this txout in a new transaction.
03:04 <@gmaxwell> ** max_size serialized as an unsigned variable length int minus whatever the smallest credible max_size is, (e.g. something like 40 for bitcoin)
03:04 <@gmaxwell> *** This makes sure people aren't incentivized to write unspendable txn, perhaps a larger minimum max_size should be used, e.g. the size of the smallest secure TX_IN.
03:04 <@gmaxwell> ** Then for the 'cost' of a transaction use  cost = MAX(size-sum_inputs(max_size),minimum_viable_txn_size) +  sum_outputs(max_size)
03:04 <@gmaxwell> ** In order to economically align cost the blocksize limit should be based on it rather than size.
07:37 <@gmaxwell> lol https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas#Coin_of_the_moonmen
08:58 <@gmaxwell> oh amiller
08:59 <@gmaxwell> amiller: Get this. POW = H(header || nonce || H(utxo_lookup(nonce))).   With this pow: Validation _is_ mining.
08:59 <@gmaxwell> if you have utxo lookups to perform, you are mining in the process. If you've run out of lookups to perform you just do ones at random.
10:28 < HM> hmm, interesting gmaxwell
10:29 < HM> gmaxwell: the problem i see with that is the hash rate will be abysmal
10:29 < HM> gmaxwell: perhaps 2 nonces with some mathematical relationship, so miners only have to do the lookup one in every X nonces
10:31 < petertodd> HM: the absolute rate of a PoW function is irrelevant
10:33 < HM> true, but once you have db i/o in there it's no longer a function of raw computation
10:33 < HM> keeping it dominated by one type of bottleneck is ideal
10:34 < HM> if it was 50% i/o and 50% computation then you have a more volatile rate
10:35 < HM> or perhaps not, but it complicates things
10:41 < petertodd> db io is just a type of computation
10:44 < HM> bah
10:44 < HM> all i'm saying is pure number crunching like a hash doesn't depend on the i/o capabilities of the host.
10:45 < HM> your scheme renders avalon boxes useless for instance because the utxo queries will dominate
10:45 < HM> that's not necessarily bad, i would just suggest reducing the ratio of 1:1 hash:utxoquery
10:46 < HM> on the other hand maybe higher i/o keeps ordinary people in the game longer
10:50 < petertodd> it's meant to be an alt-chain, not an extension to bitcoin
10:50 < petertodd> and it's gmaxwell's scheme
10:53 < HM> indeed
10:54 < HM> I think memory hardness is the way forward
13:09 <@gmaxwell> odd that hm doesn't realize that I'm describing a memory hard pow.  Should I have called it TrendyPow(tm) instead? :P
13:16 < jgarzik> RE decentralized network and micropayments:  given a network, how to compensate each node, in minuscule micropayment amounts, for work they perform relaying?
13:16 < jgarzik> i.e. the old how-to-prove-you-did-work problem
13:18 < jgarzik> I guess you could ask the same question about bitcoin:  presuming the existence of an off-chain microtransaction system, could there be some provable compensation method for people who simply run full nodes?
13:18 < jgarzik> You can test and sample, I suppose
13:35 <@sipa> 110us for a*P+b*G; 12us for key decompression; 26us for the scalar inverse in ECDSA (@&$*# slow OpenSSL); 11us for converting X to affine coords
13:35 <@sipa> total: ~160us for a full signature validation
13:36 < jgarzik_> Heh, maybe we can drop openssl dep soon
13:36 <@sipa> which means around 500k cycles, or only 2x as much as Ed25519
13:37 <@sipa> the same thing in naive OpenSSL is around 600us
13:37 < jgarzik_> How much validation code can be reued by signing code, if any, I wonder
13:37 < jgarzik_> *reused
13:37 <@sipa> most
13:38 <@sipa> signing is just a lot simpler
13:38 <@sipa> but for signing you actually want other algorithms, which don't leak key information via timing
13:39 <@sipa> that 26us for the scalar inverse should be doable in 3us or so, i have no clue why OpenSSL is so slow at that (it's one of the few parts of my code that still rely on OpenSSL, but it can easily be changed to GMP or so)
13:57 < HM> good work sipa
13:57 < HM> jgarzik_: dropping openssl is unlikely, you'll need something for SSL/TLS
13:58 < jgarzik_> Not for all apps / libs :-)
13:59 < HM> true
14:02 < jgarzik> Android IRC client is not too bad
14:04 < HM> Yaaic?
14:05 < HM> sipa: your numbers make me feel better about this rpc implementation i'm testing
14:05 <@sipa> HM: i'd be very glad to drop SSL/TLS and tell people to use stunnel if they really want to expose an RPC port to an untrusted network
14:05 < HM> 30,000 synchronous calls over localhost tcp / second
14:06 < HM> so 34us, won't be a bottleneck
20:02 < maaku> e.g., it's so expensive to get a security clearance that a contractor would rather hire someone that is already cleared than go through the process of getting someone new
20:02 < petertodd> maaku: exactly, people who like stability are least likely to jump ship and reveal secrets
20:03 < maaku> they're also more responsive to the b.s. legal arguments made to keep them from paying attention to this stuff
20:03 < petertodd> maaku: while the "hard to get new people" thing is a problem, because it means institutionally the system is biased to ignore warning signs
20:03 < jrmithdobbs> maaku: aye
20:05 < maaku> when the wikileaks stuff happened, we were being told that even reading 2nd-hand newspaper articles summarizing it would be violating clearances, even if it wasn't something you were cleared for in the first place
20:05 < petertodd> Air force pilots tend to have the same thing, because training is so horrendously expensive. I've got a family member who's a military pilot, and he said there's a bit of an inflection point during training where it changes from "drop them now because there's lots of expensive training coming up" to "don't drop them, because they've cost us a mint already"
20:05 < maaku> in other words "pay no attention or you will be fired and go to jail"
20:06 < jrmithdobbs> maaku: you got told that too? ;p
20:06 < jrmithdobbs> maaku: was the weirdest fucking conversation ever with my boss
20:06 < adam3us> BlueMatt, petertodd: i used that kind of search and if it fails, show the closest miss for one of the offloadable kdf things
20:06 < jrmithdobbs> and i wasn't even working for the dod directly (not even contracted to them!)
20:07 < petertodd> jrmithdobbs: ha, good job. Maybe it's just a function of what kind of TLA people I meet, but I get the sense there's a lot of hatred for that crap, especially with snowden showing people are being lied to about the ramifications of what they're doing.
20:08 < petertodd> jrmithdobbs: (part of the discussion I had with that TLA agent was how I needed to know that the work I was doing would lead to ethical outcomes, and he agreed it's not a given)
20:09 < gmaxwell> petertodd: snowden leaks resulted in at least two people I worked with before quitting because they finally believed that the stuff they were working on was being used unethically.
20:09 < adam3us> sadly (for them) the IT security/crypto people in NSA even if now disgusted realizing the risks NSA were creating for society, if they quit are probably somewhat unemployable as everyone will think they're an NSA mole or double agent, and nothing they say can be taken at face value
20:09 < jrmithdobbs> gmaxwell: oh you left?
20:10 < petertodd> gmaxwell: doesn't surprise me at all. possibly I was getting recruited because they've lost the smart people who tend to understand the bigger world - they need those people.
20:10 < gmaxwell> jrmithdobbs: (Juniper)
20:10 < jrmithdobbs> gmaxwell: ya didn't realise you had
20:11 < gmaxwell> jrmithdobbs: yea, I work for mozilla now.
20:11 < jrmithdobbs> oh nifty
20:11 < petertodd> adam3us: yup, and if you quit sooner rather than later, you might at least be able to say "I didn't know, and quit the moment I did"
20:11 < jrmithdobbs> petertodd: but sooner was 2004ish
20:12 < petertodd> jrmithdobbs: yeah... though 2013 is still better than nothing
20:12 < jrmithdobbs> we've had 'good enough' evidence that far back.
20:12 < Luke-Jr> petertodd: if you didn't, you might get by keeping the job while you look and say you've been looking since you found out
20:12 < Luke-Jr> otoh, I guess anyone like that would be stupid if they didn't have savings to be able to quit right away..
20:12 < jrmithdobbs> Luke-Jr: 9 years?
20:12 < petertodd> jrmithdobbs: see, if you quit now, and people hire you and you act like a paranoid fucker trying to build systems that insiders can't break, well, then maybe you'll keep your job :P
20:12 < jrmithdobbs> heh
20:13 < Luke-Jr> jrmithdobbs: oh, I thought we were talking about when Snowden disclosed whatever
20:13 < jrmithdobbs> Luke-Jr: that was the final confirmation that got everyone paying attention but first leaks re: this were in 2004
20:13 < petertodd> Luke-Jr: heh, the logic at these agencies is simultaneously "fire people who have financial problems" and "distrust people who have no financial worries at all"
20:13 < Luke-Jr> jrmithdobbs: yeah, I never figured out why Snowden's stuff was such a big deal
20:14 < jrmithdobbs> Luke-Jr: i'm just saying if you truly took 9 years to figure out the leaks in 2004 were 'true' and you were inside the agency, you were obviously not very important or not very smart
20:14 < jrmithdobbs> so you're stuck there
20:14 < Luke-Jr> heh
20:14 < jrmithdobbs> pretty much how gov jobs work
20:14 < petertodd> Luke-Jr: unlike previous disclosures it was far reaching, and had a clear response from the US government showing it was totally true
20:14 < jrmithdobbs> not isolated to tech
20:15 < jrmithdobbs> Luke-Jr: his leaks were very important though because of exactly how much was confirmed at exactly the same time from the same source, with evidence for all the claims
20:15 < jrmithdobbs> not that it's doing anything.
20:16 < petertodd> jrmithdobbs: IMO it's doing a huge amount, people are quitting at the agencies, and the tech industry is responding with technical measures
20:16 < jrmithdobbs> petertodd: like?
20:17 < petertodd> jrmithdobbs: HTTP v2.0 is likely to have mandatory encryption for instance
20:17 < jrmithdobbs> noone's responding with crap that they weren't already responding with so there's a handful of people doing some good stuff but it's the same people
20:17 < petertodd> jrmithdobbs: people are finally getting rid of the PRNG that was shown to be backdoored
20:17 < jrmithdobbs> these are technical problems and some of them are very hard, after all
20:18 < jrmithdobbs> petertodd: after it was said to be during it's confirmation process, ya, how effective that was!
20:18 < petertodd> jrmithdobbs: yes, but it's not impossible to make widespread ubiquitous surveillance impossibly hard
20:18 < jrmithdobbs> petertodd: don't you DARE hold anything about that situation up as an example.
20:18 < jrmithdobbs> including the response.
20:19 < petertodd> jrmithdobbs: indeed, but now that we *know* that the NSA does exactly that, people feel confident enough to stop using it without getting called paranoid! that's a *huge* change
20:19 < jrmithdobbs> petertodd: no but recent events haven't done anything to advance the work
20:19 < jrmithdobbs> and if they do it will be years before practical applications come from it
20:19 < petertodd> jrmithdobbs: proof that you're not a paranoid nutter is a huge change - this stuff now seems reasonable
20:19 < petertodd> jrmithdobbs: practical has already happened, again, people have switched PRNGs as an example
20:19 < jrmithdobbs> ya well, i knew i wasn't, i guess it's nice for the general public to agree now but i wasn't exactly screaming from rooftops about the subject either ;p
20:20 < petertodd> jrmithdobbs: archive.org is one of many sites that have switched to always https, wikipedia too
20:20 < jrmithdobbs> ya but we've had the good people at tor, ssl obsv, etc working with people on that for years now
20:21 < jrmithdobbs> saying it took a completely provable verifiable catastrophe to get people to listen is not a good thing.
20:21 < petertodd> jrmithdobbs: yes, working on, but it's always had pushback and hasn't been all that successful, proof on the other hand is a big boost to those efforts
20:21 < petertodd> meh, people tend to respond to catastrophes...
20:21 < petertodd> human nature
20:22 < jrmithdobbs> yes well, we've had proof thanks to ioerror/etc's work from inside syria/china and other places mapping these things for ~3-4 years as well
20:22 < petertodd> yes, and that's syria and china, this is local
20:22 < jrmithdobbs> petertodd: the fact that some actually mostly unrelated leaks convinced them is not exactly a good thing
20:22 < petertodd> this is also on mainstream news, time and time again
20:22 < jrmithdobbs> petertodd: we've had the confirmation locally since about the time we had it in china ?
20:22 < petertodd> good or not, it's worked
20:22 < jrmithdobbs> (2004ish)
20:22 < jrmithdobbs> ;p
20:22 < petertodd> again, that's china, it's not the US!
20:23 < jrmithdobbs> no it's the us
20:23 < petertodd> how so?
20:23 < jrmithdobbs> us companies, writing software for us companies, covered by us patents, being sold for us dollars
20:23 < jrmithdobbs> how the fuck isn't it the us?
20:23 < jrmithdobbs> (cisco)
20:24 < petertodd> right, but that was being done in china. Snowden's leaks prove to US people that they are a target, that's a huge difference, and they did it in a way that got attention on a wide scale.
20:24 < jrmithdobbs> no
20:24 < jrmithdobbs> it was publically deployed in china
20:24 < jrmithdobbs> it was done in the us.
20:24 < jrmithdobbs> and this has been known.
20:24 < petertodd> Yes, publically deployed against Chinese citizens. That's the difference
20:24 < jrmithdobbs> the distinction is important.
20:25 < petertodd> Snowden made US citizens worried, and made it clear that what the NSA was doing was definitely something that should be illegal.
20:25 < jrmithdobbs> yes and they're not going to look to expand their markets?
20:25 < jrmithdobbs> in what world do you live in?
20:25 < jrmithdobbs> heh
20:25 < petertodd> People find it easy to assume they won't expand their markets locally - that's the difference between a normal person and someone with a touch of paranoia.
20:26 < jrmithdobbs> let's talk when practical results come besides discontinuing a prng that had been in use less than a year to any degree at all
20:26 < jrmithdobbs> and was never even available in most implementations of the spec it was in
20:26 < jrmithdobbs> can we talk about google still advocating rc4?
--- Log closed Sat Sep 28 00:00:22 2013
--- Log opened Sat Sep 28 00:00:22 2013
--- Log closed Sun Sep 29 00:00:25 2013
--- Log opened Sun Sep 29 00:00:25 2013
--- Log closed Mon Sep 30 00:00:27 2013
--- Log opened Mon Sep 30 00:00:27 2013
--- Log closed Tue Oct 01 00:00:31 2013
--- Log opened Tue Oct 01 00:00:31 2013
22:06 < SpaceBlankey> helloooo
--- Log closed Wed Oct 02 00:00:35 2013
--- Log opened Wed Oct 02 00:00:35 2013
12:44 < HM3> Silk road guy should have invested in deterministic wallets.
12:44 < HM3> ho ho ho
13:12 < gmaxwell> hm?
13:13 < gmaxwell> HM3: why do you say that?
13:32 < sipa> HM3: you incremented!
13:34 < jgarzik> heh
14:30 < HM3> Indeed
14:32 < HM3> gmaxwell, i mean hierarchical wallets
14:32 < HM3> meant*
14:34 < sipa> HM3: why do you say that?
14:34 < HM3> Well it would have given him an opportunity to release keys so people can unlock their money
14:34 < HM3> the Feds likely have all the keys at this point
14:35 < HM3> If he was a pirate he'd have dumped the source code to the site and enough cryptographic info for people to reclaim their funds (and only their funds). It's all very sloppy.
14:38 < HM3> SR gave users the option to register an address where they would receive their funds in the event of a shutdown, it seems ideal scenario for a script of some kind
14:38 < HM3> Chances are all the users will get screwed all the same
14:53 < gmaxwell> it sounds like their systems have been compromised for a long time.
15:07 < midnightmagic> I wonder who "FriendlyChemist" was and what data he actually has.
15:28 < HM3> It wouldn't surprise me if none of the messages were encrypted
15:28 < HM3> people exchange a lot of addresses
15:28 < HM3> probably a lot of secondary busts gonna go down
15:29 < jgarzik> Prediction:  MtGox US-side funds will be unlocked within 12 months
15:30 < HM3> yeah, good thinking
15:30 < jgarzik> (yes, this is on topic...)
15:53 < Luke-Jr> jgarzik: any reason?
15:54 < Luke-Jr> does that include withdrawal to US accounts?
15:54 < jgarzik> Luke-Jr, yes
15:54  * jgarzik has no inside info, just supposition based on close reading of public posts and documents
16:15 < jgarzik> In the SR indictment, it is the first time that bitcoin mixers were explicitly linked to money laundering charges, I think.
16:15 < jgarzik> or a "tumbler" as they call it
16:18 < Luke-Jr> kinda annoying to hear SR has been spamming us with "tumbling"
16:19 < sipa> what's tumbling?
16:20 < bizoro> I wonder what the US/FBI will do with the btc they have now, maybe solve the crisis...
16:20 < jgarzik> sipa, mixing
16:21 < gmaxwell> the complaint says that they were running transactions through a series of steps in order to conceal their origin.
16:22 < Luke-Jr> bizoro: huh?
16:22 < gmaxwell> e.g. A -> B -> C -> D -> E -> F   and b,c,d,e are the same person in reality.
16:22 < bizoro> Luke-Jr, the FBI seized some btc...
16:22 < bizoro> not a lot I think =P
16:22 < Luke-Jr> bizoro: what crisis? how would it solve anything?
16:22 < Luke-Jr> more than I have at least, IIRC
16:23 < bizoro> I mean, pay some public employees
16:24 < bizoro> anyway... you know how they got to the SR guy, was it tor's fault or he tried to sell the btc?!
16:25 < sipa> he posted a question on stackoverflow, under his real name
16:25 < bizoro> lol... no way
16:25 < sipa> this one: http://stackoverflow.com/questions/15445285/how-can-i-connect-to-a-tor-hidden-service-using-curl-in-php
16:26 < sipa> but changed his username shortly afterwards
16:26 < jgarzik> According to the Silk Road wiki, Silk Road's tumbler "sends all payments through a complex, semi-random series of dummy transactions, making it nearly impossible to link your payment with any coins leacving the site."  [...]
16:27 < jgarzik> "Based on my training and experience, the only function served by such 'tumblers' is to assist with the laundering of criminal proceeds"
16:27 < jgarzik> gmaxwell, ^
16:27 < sipa> "leacving" ?
16:27 < bizoro> everytime they block services like this, it gets stronger
16:28 < jgarzik> I was transcribing at high speed from PDF manually
16:28 < sipa> pl
16:28 < sipa> ok
16:28 < jgarzik> *leaving
16:28 < gmaxwell> he prefaced everything with that.
16:28 < gmaxwell> :P
16:28 < gmaxwell> Apparently having a captcha before you get access to a site == criminality. (doh)
16:29 < sipa> heh?
16:29 < sipa> also, why is this wizards material?
16:31 < gmaxwell> because it's certainly not bitcoin-dev material! :P
16:31 < jgarzik> lol, pretty much
16:31 < jgarzik> #bitcoin-low-noise-but-OT-for-dev
16:32  * sipa suggests: #bitcoin
16:33 < jgarzik> too craptacular
16:33 < gmaxwell> currently flooded by druggies trying to get their coins back. :P
16:33 < jgarzik> mixing is an interesting nexus of tech and social and legal
16:33 < jgarzik> and economic
17:30 < HM3> apparently he bought the site from the previous owner. so the technical side is probably not all his work
17:31 < HM3> I do believe the entire piratebay infrastructure is open source these days
17:32 < HM3> it's a shame we won't get the same chance with SR, although I don't suppose the Bitcoin side of things was terribly interesting
17:33 < gmaxwell> HM3: where does that come from?
17:34 < HM3> where does what come from?
17:34 < gmaxwell> "he bought the site from the previous owner"
17:34 < HM3> apparently he isn't the first DPR. he did an interview with the mainstream media some time ago
17:40 < BlueMatt> he claims he isnt, the fbi disagrees, so....
17:40 < BlueMatt> afaict
17:43 < HM3> I just think it's ironic he protected his customers by paying bribes and organising hits (if the court complaint is true), but not through technical means like exploiting the capabilities of the coin
17:43 < HM3> well, protected his income
17:43 < gmaxwell> that all sounded really weird.
17:44 < gmaxwell> there were a couple things in the complaint that I think were outright untrue. god knows.
17:45 < HM3> I guess using scripts in the blockchain for escrow or failsafes would make identifying SR transactions too easy
17:48 < sipa> gmaxwell: such as? i only looked briefly
17:49 < gmaxwell> sipa: e.g. it claims (on page 10) that the site had a section for listing hitmen. there was some low essay about how violence was wrong and how they wouldn't list weapons and such. I've checked with a couple people and as far as I can tell it just isn't true.
17:53 < HM3> Well even if the hitman thing is bollocks, they have his emails supposedly of him organising a hit
17:53 < HM3> I think that in itself is a crime if you go so far as to make payment
17:58 < gmaxwell> I think it will be impossible to prosecute him on that.
17:58 < gmaxwell> He asked the _victim_ for referral. They'd have to argue that he was both a moron _and_ a criminal mastermind.
17:59 < gmaxwell> I assume he'll argue that he knew that the other person was also the blackmailer.
18:00 < HM3> So much drama in the webcurrency
18:04 < Luke-Jr> gmaxwell: he paid the blackmailer off more than he asked?
18:04 < Luke-Jr> actually, less I guess
18:04 < gmaxwell> a lot less.
18:04 < Luke-Jr> I'd think they'd at least TRY?
18:06 < gmaxwell> they'll no doubt add it to the list of charges that they'll go after him with if he doesn't plead guilty.
18:07 < Luke-Jr> eh
18:07 < Luke-Jr> if they don't charge him upfront, won't his lawyer tell him "they don't think they can prove that, so ignore it"?
18:08 < Luke-Jr> I guess the harm in doing that is, they can't prosecute later if they find more evidence
18:08 < Luke-Jr> but Canada could :P
18:08 < Luke-Jr> actually, I wonder if the US *can* prosecute a MFH in Canada? :o
18:09 < midnightmagic> sorry "MFH"?
18:09 < Luke-Jr> Murder For Hire
18:10 < gmaxwell> Luke-Jr: nah, standard procedure in federal cases is that they initially charge you with a couple things, and then if you fight the charges they can add more... and they will literally add 100 more charges.
18:10 < Luke-Jr> midnightmagic: DPR paid $150k to have someone killed who threatened to leak names
18:10 < Luke-Jr> gmaxwell: but to omit MFH? that'd be like the biggest charge, no?
18:10 < Luke-Jr> I sure hope drug conspiracy is nothing compared to MFH
18:11 < gmaxwell> Luke-Jr: if someone had been killed it would have been, ... but can they even provide any evidence that they didn't just make the whole thing up?
18:12 < gmaxwell> I suspect that in general that may be part of the challenge here... what physical evidence will exist that shows that this guy was the right guy?  Not just persuasive evidence but "beyond a reasonable doubt"
18:12 < Luke-Jr> gmaxwell: the evidence *against* it seems to assume it took place at the victim's residence..
18:12 < Luke-Jr> gmaxwell: surely his PC has the private key for SSH?
18:12 < Luke-Jr> if not code
18:12 < gmaxwell> Maybe! I guess we'll find out.
18:13 < Luke-Jr> otoh, if they arrested him earlier than planned, maybe he got wind of investigation and deleted stuff
18:14 < gmaxwell> I can go create a forum account with "Luke Jr." as my name and then go posting some stuff advertising some online drug market place. e.g. how would you distinguish DPR being this guy from DPR being _me_ and me deciding to frame this guy?  I think that only evidence found during the arrest could help them there.
18:14 < Luke-Jr> hmm
18:16 < Luke-Jr> where'd his income come from? ;)
18:16 < Luke-Jr> if he was framed, he'd have to have some other income
18:16 < Luke-Jr> it didn't sound like he did
18:16 < gmaxwell> right. But it also didn't sound like he was living it up either.
18:17 < Luke-Jr> of course not, that'd be beyond foolish
18:17 < Luke-Jr> if I were doing something crazy like that, I'd be saving up for a cruise ship to move out of the US
18:17 < Luke-Jr> :p
18:17 < gmaxwell> hah, as if everything else wasn't?  I mean, as I normally say about criminals: not generally people who are making great life decisions.
18:17 < gmaxwell> (like ... wtf was he doing still in the US?)
18:18 < Luke-Jr> everything else was merely foolish
14:33 < andytoshi> ok, i'll keep thinking about it
14:34 < andytoshi> with the current "submit rawtx" interface it is really not clear to me how i can tell 'all outputs are unblinded, ok to collect sigs'
14:35 < andytoshi> because i'm thinking, i'll probably extend the transaction-submission window to a few days or a week, because if people want quick coinjoins, they're much better served by a fully automatic joiner like yours
14:36 < maaku> I have a different protocol for serializing join offers and proposals
14:36 < michagogo|cloud> Gah, I don't like thread necromancers
14:36 < michagogo|cloud> Took me a while to notice that https://bitcointalk.org/index.php?topic=2699.0;all was from 2011...
14:36 < phantomcircuit> petertodd, HR that limits itself to generic stuff is useful
14:37 < phantomcircuit> petertodd, HR that tries to manage is seriously negative value
14:37 < phantomcircuit> petertodd, an HR department that does things like makes sure payroll works correctly and makes sure to get a group health insurance that fits everybody's needs is very valuable
14:38 < phantomcircuit> it's just that most of them try to make business decisions they aren't even remotely qualified to make :/
14:39 < phantomcircuit> (this is the typical engineer's snide remarks about hr lol)
14:39 < andytoshi> maaku: and your protocol can badger people to unblind their stuff without identifying themselves?
14:39 < maaku> well, they have to reconnect with a new tor identity
14:39 < petertodd> phantomcircuit: yup, and HR where I am is the good type. Also remember that HR is very useful as a way to give employees a route to raise issues other than their managers.
14:40 < andytoshi> maaku: right, so if they don't do this on time, can you detect it?
14:40 < petertodd> phantomcircuit: e.g. if there's say, abuse or harassment going on you need HR as a neutral third-party to fix the issue
14:40 < phantomcircuit> maaku, the only way to guarantee that is to monitor tor circuits
14:40 < maaku> andytoshi: people can reveal their blinding factors (thereby identifying themselves)
14:41 < maaku> if it appears that the join has failed
14:41 < phantomcircuit> by default the client has a minimum reset time for new identities to prevent people from DDoSing the relays with the guard flag
14:41 < andytoshi> ok, i see .. i don't think i can use the same strategy for a very-high-latency protocol
14:41 < phantomcircuit> unfortunately the control port will reply with OK even if it didn't actually cycle the identity
14:41 < maaku> ?
14:41 < maaku> this is designed for a high-latency protocol
14:42 < maaku> I don't think it'd scale very well to real time
14:42 < andytoshi> "if it appears the join has failed" could be after people have spent a day submitting transactions, then spent a day unblinding stuff
14:42 < maaku> the bids and proposed joins have round durations built into them
14:42 < andytoshi> and then one guy misses the window, doesn't want to identify himself, so he walks away and ruins it
14:43 < phantomcircuit> maaku, iirc older versions of the tor client are fairly aggressive with keeping hidden service circuits open
14:43 < andytoshi> so, right now i have a round duration for the submit-transaction phase, but then the signing phase can last forever
14:43 < gmaxwell> phantomcircuit: you use two distinct hidden services.
14:43 < maaku> phantomcircuit: that's completely unacceptable... i'll have to talk with some tor devs about this
14:43 < phantomcircuit> gmaxwell, ah yeah that would work
14:43 < maaku> but yes, it's distinct hidden services
14:43 < maaku> oh ok
14:44 < gmaxwell> yea, if you use two distinct hidden services you'll get the properties you want.
14:44 < phantomcircuit> maaku, the new identity feature doesn't even disconnect open circuits
14:44 < andytoshi> hey, cool .. with two hidden services i can refuse to merge transactions until they have been submitted in the clear to one, and unblinded by the other
14:44 < maaku> that's really bad...
14:44 < phantomcircuit> it just marks them as not to be reused
14:44 < phantomcircuit> it only works well with web browsers really
14:44 < andytoshi> wait, that still links inputs to outputs (for me)
14:45 < andytoshi> (sorry, i'll stop thinking out loud, have to eat anyway)
14:45 < gmaxwell> maaku: whats really bad?
14:45 < maaku> andytoshi: the protocol is this: if all blind signatures are submitted, but not all unblind messages received by the expiration, *everyone* involved who does not reveal their output gets DoS banned
14:46 < phantomcircuit> gmaxwell, im assuming there is an anonymity issue with signing every permutation of the outputs for a coinjoin
14:46 < maaku> gmaxwell: that "use new identity" doesn't actually stop using the old identity, if what phantomcircuit is saying is correct
14:46 < maaku> doesn't affect this application though, but bad in general
14:46 < gmaxwell> phantomcircuit: yes, because obviously you'd not sign the ones with your inputs but without your outputs!
14:46 < phantomcircuit> gmaxwell, right
14:47 < andytoshi> maaku: ok, i don't want to dos-ban people because i'm working over a few days and people get distracted or forget
14:47 < gmaxwell> maaku: the use new identity makes it expire the circuits it pegs up to exits, but I dunno what it does with hidden services; probably best to just use two.
14:47 < andytoshi> i'd rather a system where people who don't fully participate just don't get included
14:47 < gmaxwell> andytoshi: in a realtime / near realtime automated protocol those issues go away.
14:48 < phantomcircuit> gmaxwell, but lets say there is a client with coinjoin implemented in such a way that it's continuously doing it through various meeting points
14:48 < phantomcircuit> entirely transparently to the user
14:48 < maaku> andytoshi: that's the system I described ... your client will automatically broadcast your blinding token after the expiration, preventing you from being banned
14:48 < phantomcircuit> would resistance to withholding not be worth the reduced anonymity
14:49 < maaku> it's only people who don't reveal their outputs, and therefore can't prove that they did which get DoS points
14:49 < gmaxwell> phantomcircuit: you can resist withholding by just abandoning doing any blinding, and if someone withholds the server just drops them and asks everyone to retry... you could do several attempts per second or whatever, and you're banning the withholders as you go.
14:50 < gmaxwell> and as maaku says, there is a relatively straight forward protocol that allows you to ban withholding parties and still keep the stronger privacy.
14:50 < phantomcircuit> gmaxwell, how do you ban anonymous parties? :)
14:50 < phantomcircuit> tell me and we'll get rich running a tor irc network
14:50 < warren> especially over tor
14:51 < phantomcircuit> wait what
14:51 < gmaxwell> phantomcircuit: trivially.
14:51 < phantomcircuit> s/get super annoyed/
14:51 < gmaxwell> By banning their inputs.
14:51 < phantomcircuit> gmaxwell, except they're withholding the outputs not the inputs
14:51 < petertodd> Anyone else planning on going to the real world cryptography conference next month in NY? https://realworldcrypto.wordpress.com/
14:51 < gmaxwell> phantomcircuit: yep no problem.
14:51 < phantomcircuit> so you'd have to be able to link the inputs and outputs to figure out which inputs to ban
14:51 < maaku> Well, it turns into an arms race where I don't think I'd say there's a "trivial" solution
14:52 < phantomcircuit> gmaxwell, if the join is cancelled you just ask everybody to reveal their input/output link and ban the input of the person who withheld
14:52 < warren> one doesn't need the privkey to propose someone else's inputs right?
14:52 < gmaxwell> petertodd: that sounds pretty good.
14:52 < phantomcircuit> then everybody generates a new key for the next round for their output
14:52 < gmaxwell> phantomcircuit: yep
14:52 < maaku> warren: they do in my design
14:52 < phantomcircuit> gmaxwell, i could see that potentially leaking info though since people do reuse addresses no matter how much we tell them not to
14:52 < maaku> proposals are signed by the inputs they provide
14:53 < petertodd> gmaxwell: bah, just noticed they're "sold out" - free event but registration required
14:53 < gmaxwell> phantomcircuit: the details are a bit hard to get right.
14:53 < gmaxwell> phantomcircuit: but there isn't anything fundamentally hard.
14:53 < phantomcircuit> petertodd, something tells me if you call them and ask they'll magically find room
14:54 < petertodd> phantomcircuit: yeah, gonna give that a go... zooko will be there so I'll give him a shout too
14:54 < gmaxwell> hm. wish I'd thought of it earlier.
14:55 < gmaxwell> I'm going to be on the east coast from the 17th to the 21st for the MIT mystery hunt already... don't think kat has booked tickets yet, so I could perhaps swing by nyc first.
14:55 < petertodd> gmaxwell: cool!
14:56 < gmaxwell> phantomcircuit: basically the bitcoin network itself already gives us a scarce resource we can blacklist: existence of a txout. ... if that turns out not to be enough we could have things like SINs that are required to play, which can be blacklisted using the same protocol.
15:00 < phantomcircuit> gmaxwell, SINs?
15:01 < petertodd> gmaxwell: sending an email to the organizers; want me to ask if you can get a registration as well?
15:01 < gmaxwell> phantomcircuit: expensive to create pseudonymous identities, created by throwing away coin.
15:02 < gmaxwell> petertodd: yes please. If it turns out I can't come it shouldn't be a huge issue.
15:02 < phantomcircuit> ah
15:03 < andytoshi> petertodd: me too? (though i have no credentials, i understand if i'd just be weighing down your request)
15:03 < phantomcircuit> gmaxwell, yeah but nobody would want to do that if it was automated since they'd end up getting banned because they're on wifi at the airport or whatever
06:36 < sipa> if you see N sick monks, you will expect that they kill themself after N days
06:37 < sipa> if they don't, you have to assume you are the N+1'th
06:37 < sipa> so technically there is a communication channel: observing whether your peers stay alive
06:38 < gmaxwell> so this is a riddle from http://www.ocf.berkeley.edu/~wwu/riddles/hard.shtml but its not actually hard:
06:38 < gmaxwell> An evil king has 1000 bottles of wine. A neighboring queen plots to kill the bad king, and sends a servant to poison the wine. The king's guards catch the servant after he has only poisoned one bottle. The guards don't know which bottle was poisoned, but they do know that the poison is so potent that even if it was diluted 1,000,000 times, it would still be fatal. Furthermore, the effects of the poison take one month to surface. The ...
06:38 < gmaxwell> ... king decides he will get some of his prisoners in his vast dungeons to drink the wine. Rather than using 1000 prisoners each assigned to a particular bottle, this king knows that he needs to murder no more than 10 prisoners to figure out what bottle is poisoned, and will still be able to drink the rest of the wine in 5 weeks time. How does he pull this off?
06:38 < gmaxwell> ---
06:38 < gmaxwell> You'll all solve that right away.
06:38 < petertodd> sipa: note though how the monks need to be able to put themselves into a sequence for that strategy to work
06:38 < gmaxwell> petertodd: nah, they don't.
06:39 < gmaxwell> petertodd: its a quorum sensing thing. They all commit suicide at once.
06:39 < sipa> indeed, they don't
06:39 < sipa> from each point of view, he himself is the N+1'th
06:39 < petertodd> gmaxwell: if there are 8 monks, 4 of which are sick, the remaining 4 have no way of not all killing themselves, so it's never optimal
06:39 < sipa> but others will see that differently
06:39 < sipa> petertodd: eh sure, after 4 days they see the sick ones dead and everyone is happy
06:40 < HM2> gmaxwell, divide in to 10 x 100 bottle sets, blend each set
06:40 < HM2> you waste 10% of the wine
06:40 < HM2> but after 5 weeks you can drink the other 90%
06:40 < sipa> but he doesn't want to waste any wine except the poisoned one, i assume?
06:40 < gmaxwell> HM2: "that even if it was diluted 1,000,000 times, it would still be fatal"
06:41 < HM2> gmaxwell, and?
06:41 < petertodd> sipa: ok, so on day 4, when monks decide to kill themselves, how do the healthy monks know if they should kill themselves or not? all they know is that someone should
06:41 < gmaxwell> sipa: and yea, assume he doesn't waste.
06:41 < HM2> gmaxwell, the poison is only in one 100 bottle set
06:41 < sipa> petertodd: i don't understand; as soon as you see all originally sick people having killed themself, you know you can't be sick yourself
06:42 < HM2> gmaxwell, does the king need all the wine after 5 weeks? or is he happy with a steady supply?
06:42 < gmaxwell> HM2: I see what you're saying, but no, he's EVIL he wants all his wine (Except the poisoned bottle)
06:42 < sipa> good question
06:42 < sipa> without the 1-month delay it was easy :)
06:42 < sipa> oh
06:42 < sipa> got it
06:43 < petertodd> sipa: ok, so if exactly one person is sick it works nicely: I know someone is sick, everyone else I look at isn't sick, therefore it must be me. If there are two people sick though every monk sees one or two monks... and I got it finally. :P
06:43 < HM2> well if a prisoner dies on day N, you know the poison bottle was from day N-30
06:43 < HM2> (assuming 30 days is the kill time)
06:45 < HM2> you essentially have 30 x 10 = 300 bottles on hold, but after 30 days you've only covered 30% of the bottles
06:45 < HM2> so you have to mix the wine somehow during the process
06:45 < sipa> you can know which bottle is poisoned after exactly 30 days :)
06:47 < sipa> petertodd: :)
06:47 < HM2> i don't see how you can preserve 999 bottles if you have to mix the wine
06:47 < sipa> oh
06:47 < sipa> didn't take that into account
06:47 < HM2> on the other hand, i can't see a way to do it without mixing the wine
06:47 < sipa> you need to be able to take a sample from every bottle in any case
06:47 < gmaxwell> HM2: they can drink some from each bottle, they only need a drop.
06:48 < gmaxwell> We'll just imagine this doesn't spoil the wine.
06:49 < HM2> could you still do it (in a  longer period of time) with 1 prisoner?
06:49 < sipa> no
06:49 < gmaxwell> sipa: so the really hard version of this that Kat and I independently came up with and solved:  What if, instead, you know exactly two bottles are poisoned. How many prisoners do you need?  But we don't have a proof our solution is optimal.
06:49 < gmaxwell> HM2: well in a really long time, sure, sip from one bottle per month.
06:50 < gmaxwell> (and hope he doesn't die of natural causes first)
06:50 < sipa> gmaxwell: impossible with less than 19 prisoners
06:50 < sipa> though i don't have a constructive proof :)
06:50 < sipa> i think i can prove it's impossible with 18
06:51 < HM2> Ok, i have an idea
06:51 < gmaxwell> I can prove its impossible with less than 20.
06:51 < HM2> take 4 bottles per day
06:51 < HM2> give prisoner A samples from bottles 12, B gets 13, C gets 24, D gets 34
06:51 < gmaxwell> sipa: since prisoners are integers. you can't have .9 a prisoner.
06:51 < HM2> when the poison gets them, 2 prisoners will die
06:51 < sipa> gmaxwell: there are 1000*999/2 potential outputs
06:51 < sipa> each equally likely
06:52 < HM2> but you're still only doing 4 bottles per day
06:52 < gmaxwell> sipa: where are you getting the /2 from?
06:52 < sipa> gmaxwell: the order of the poisoned bottles doesn't matter
06:52 < gmaxwell> sipa: oh indeed. 19 then.
06:52 < gmaxwell> (but yea, our solution is not at that bound)
06:52 < gmaxwell> (alas)
06:53 < sipa> #bitcoin-riddles
06:56 < HM2> you can do 6 bottles per day with a mixing strategy
06:56 < HM2> when 2 die you can determine which bottle on that day was poisoned
06:56 < sipa> 6 bottles per day?
06:56 < HM2> because there are 6 combinations of 2 in 4
06:56 < HM2> yeah
06:57 < sipa> where do you get that number?
06:57 < HM2> Prisoners A,B,C,D. Bottles 1-6. A = 125, B = 136, C = 246, D = 345
06:57 < HM2> 1 bottle is poisoned, 2 prisoners die
06:57 < HM2> always determinable
06:58 < petertodd> Lol! Someone claiming to be a Mastercoin investor just offered me a Bitcoin in exchange for giving them some pointers on their transaction encoding troubles - they still don't seem to have figured out that Bitcoin doesn't check if multisig pubkeys are actually real ECC pubkeys. :/
06:58 < HM2> but that still only gets you 30 x 6 = 180 bottles tested after a month
06:59 < HM2> you can't do better on combinations in 4 either
06:59 < HM2> 6 is centre of Pascal's triangle
07:00 < HM2> so I must be barking up the wrong tree
07:02 < HM2> wait a minute
07:02 < HM2> there are 10 prisoners not 4
07:02  * HM2 facepalms
07:07 < HM2> so you can test 252 bottles a day? :|
07:08 < HM2> because there are 252 combinations of 5 in 10
07:08 < HM2> so after 30 days, 5 prisoners will die
07:09 < HM2> you can determine which of the 252 bottles you mixed was poisoned on the day in question
07:09 < HM2> so total time is 34 days
07:09 < HM2> given a precise 30 day lag time on the poison
07:10 < gmaxwell> you can solve this even if the timing is unreliable.
07:11 < HM2> :P
07:11 < HM2> is it?
07:12 < gmaxwell> Lets just say that it is somewhat unreliable, but enough to meet your deadline.
07:14 < HM2> well since my solution only takes 4 days, you can just space the test days out. Test, no test, test, no test, test, no test, test
07:14 < gmaxwell> the party is in 5 weeks however.
07:14 < HM2> that gives you +/- 24 hour margin and takes 7 days on top of your existing 1 month/4 week deadline
07:14 < sipa> not sure how timing is of any relevance
07:14 < sipa> but i haven't actually followed
07:14 < HM2> for 5 weeks total
07:14 < gmaxwell> sipa: it's not, HM2 is deftly evading the intended solution.
07:15 < HM2> it's a solution nonetheless?
07:15 < HM2> how many prisoners die in your solution?
07:15 < sipa> on average 5
07:16 < sipa> binomially distributed
07:16 < HM2> mine always kills 5
07:16 < sipa> you're so deterministically evil
07:17 < HM2> and wastes err
07:17 < gmaxwell> HM2: and you identify the unique bottle?
07:17 < HM2> sure
07:18 < sipa> oh, you're giving different mixer to the same prisoner before they die?
07:18 < sipa> *mixes
07:18 < HM2> yeah
07:18 < HM2> overlapping mixtures
07:18 < gmaxwell> and timing the death.
07:18 < sipa> got it; yeah that way you can use the timing
07:18 < sipa> but it's unnecessary :)
07:19 < HM2> I give up :)
07:19 < gmaxwell> HM2: yea, so imagine instead all poisoned die on the first of the month regardless of when they drank.
07:20 < sipa> or all prisoners will be beheaded in one month + one hour anyway
07:20 < gmaxwell> yea, he's evil afterall and they drank his wine!
07:20 < HM2> gmaxwell, i don't follow
07:20 < sipa> HM2: assume you cannot observe when a prisoner dies
07:21 < sipa> you only get to check back right before the party in 30 days
07:24  * sipa food
07:28 < HM2> what
07:28 < HM2> so the solution has to be diluting the wine
07:28 < HM2> hmm
07:28 < HM2> if you can dilute the poison below the deadly threshold
07:28 < HM2> then it may be possible to have a different mixing strategy
07:29 < HM2> such that the mixtures become poisonous again when combined
07:29 < HM2> (since realistically it should be an absolute of poison that's deadly, not a ratio of wine:poison)
07:30 < gmaxwell> how about another approach. You'd get the most information from a prisoner if he was 50% likely to live/die, right?  (this was the kind of thing you pointed out for the hats problem)
07:31 < HM2> sure
07:31 < gmaxwell> do you have a scheme that results in each prisoner being 50% likely to live?
07:31 < HM2> ensure they sample half the wine
07:31 < HM2> 500 bottles
20:21 < gmaxwell> maaku: I think it's really simple to implement and understand. If you pretend that all nodes are always online then _no one_ needs to store any third party data at all. Each wallet stores its own proofs.  Walletless nodes and miners store nothing (just log2(history) hashes)
20:21 < gmaxwell> In the real world where not all wallets are online all the time, you'd need some archive nodes that store proofs for other wallets, they'd have storage like a bitcoin full node (a little worse due to tree inefficiency but no worse than a full history archive)... they could be paid for the service of providing historical proofs for wallets who haven't kept up to date.
20:22 < gmaxwell> (e.g. I write my spend without the required proof, but it also pays you... now you can go provide the proof to make it a valid spend)
20:23 < maaku> i suppose.. i need to think about it
20:23 < maaku> it just intrinsically seems very odd to desire pushing work off of the miners onto the wallet apps..
20:26 < gmaxwell> maaku: The key point is it's not "the work", it's "your own work".
20:26 < gmaxwell> Or at least kinda.
20:26 < warren> maaku: in our case we're thinking about this as a way to make expired coins spendable, which may reduce opposition to expiration
20:27 < warren> allowing the UTXO set to stay small and for old blocks to be pruned
20:28 < gmaxwell> maaku: there is no reason that such a scheme couldn't be coupled with all full nodes also providing the service of storing some of the utxo too.
20:28 < warren> hmm
20:29 < warren> gmaxwell: can this possibly create incentive to run full nodes?
20:29 < warren> the network needs that
20:29 < gmaxwell> This would create an incentive to run "archive" nodes. It would make running a full (verifying) node dirt cheap.
20:30 < gmaxwell> (storage wise at least, perhaps not bandwidth)
20:34 < warren> well, we do need incentive to run archive nodes
20:35 < gmaxwell> in any case, I'm not sure that bitcoin could ever be evolved into this idea... but it's an interesting idea regardless.
20:36 < gmaxwell> the prevalence of spv nodes which would become at least somewhat more expensive in this system, alone would make it hard.
20:52 < sipa> it is a very extreme form of pushing full node computations to clients
20:53 < gmaxwell> sipa: except it changes the scaling order at the same time.
20:53 < sipa> but making full nodes dirt cheap is certainly good for decentralization
20:54 < gmaxwell> Instead of making all full nodes do work/storage proportional to the number of clients (/txouts/transactions/etc), it makes all clients do ~O(1) work/storage.
20:55 < sipa> right, full nodes are replicated
20:55 < sipa> clients aren't (typically)
20:56 < sipa> so any work moved from full nodes to client may be up to N times more expensive (with N the number of full nodes)
20:57 < petertodd> gmaxwell: remember that in the real world log2() scaling is bounded by k*256, as the universe is finite
20:58 < petertodd> gmaxwell: In addition wallets can always spend their old coins to reduce the size of the proofs, as a MMR isn't log2(history) for proof size, but log2(age)
20:58 < petertodd> gmaxwell: or to be exact, log2(age)*log2^2(history), but the latter term isn't very important
21:01 < petertodd> Something else I'd like to see in such a system is to make all transactions in a block be required to only spend transactions in previous blocks, not the current one, and then create a fixed ordering for txouts in the block. This would let you cheaply prove H(txout) existence, and in addition can be used for sharding. Spending unconfirmed coins is mainly used because you want to pay multiple people in one block interval, and that can always be replaced with transaction re-writing.
21:03 < petertodd> (basically proving that H(txout) exists or doesn't exist in n blocks now costs n*log2(m), not brilliant sure, but that's still fairly cheap and doesn't require full nodes to maintain txout indexes)
21:04 < petertodd> *expensive txout indexes
21:04 < maaku> gmaxwell: my point is why pay an external proof-generating service *in addition to* the miners' transaction fees?
21:05 < petertodd> maaku: because specialization - why should operating specialist mining equipment and validation also be tied to having huge archives of old block data?
21:06 < petertodd> For that matter, why should fully validating to check for miner fraud be tied to having huge archives of old block data?
21:06 < petertodd> We want validation to be as cheap as possible to keep everyone honest, and we want validation to also have no barriers of entry.
21:07 < petertodd> IE for 1% of the cost, I should be able to validate 1% of the data.
21:07 < maaku> petertodd: miners just need the utxo set, not the full archive
21:07 < petertodd> maaku: The UTXO set can grow without bound, and likely will.
21:08 < maaku> yes, but still "utxo set" != "archives of old block data"
21:08 < petertodd> maaku: With MMR TXO commitments we can stop hassling every idiot who bloats the UTXO set, and for that matter, they aren't idiots anymore...
21:09 < petertodd> maaku: the UTXO set needs to be stored in full to be useful, so it's a bigger ultimate burden than old block data archives which can be partially stored and still be useful
21:09 < maaku> petertodd: no, it doesn't. you can do a proof-updatable version of the utxo indices
21:09 < maaku> where transactions come with proofs-of-inclusion for their inputs, and update proofs for their outputs
21:10 < petertodd> maaku: But without UTXO existence proofs you still need full nodes to store the UTXO set, and at that point MMR TXO commitments are much simpler.
21:10 < maaku> you can do utxo existence proofs though. that's what i was asking gmaxwell about - MMR vs UTXO-with-updatable-proofs
21:11 < petertodd> Yes I know - I thought of that idea ages ago myself, as did many other people. MMR TXO commitments are simpler is what it comes down to.
21:13 < maaku> meh, i'm not so sure about that. the index bip i'm working on is rather simple, and indexing offers additional benefits... what i'm trying to figure out is if there are things you can do in MMR which you can't in UTXO-with-updatable-proofs
21:13 < petertodd> The things you can't do are obnoxious things, like making parasitic consensus systems able to take advantage of the UTXO indexes to easily store their data.
21:15 < maaku> i think you can do the same in MMR
21:16 < maaku> as far as I can tell, the MMR tree is the same as the UTXO index, just (1) keyed by insertion order, and (2) spent outputs are left in place, right?
21:16 < petertodd> Nope, in MMR they either can't at all, because you implemented it without sorting at all, or they need to scan the chain.
21:16 < maaku> well it depends on the app. you can still make proofs showing data inclusion, which is what I thought you meant
21:17 < petertodd> Yes, and on disk you literally end up with a huge file that you append to, and modify in place, and once enough outputs are spent you can drop sections of the file. Remarkably you can implement it with sparse files!
21:17 < petertodd> maaku: with UTXO proofs + what people want for SPV wallets getting my data is as simple as asking the next full node "hey, what txouts match <prefix>?"
21:17 < petertodd> maaku: (specifically I'm talking about what you're implementing)
21:20 < petertodd> Anyway, the key thing is can you do a UTXO commitment scheme, where you can expire old UTXOs? Because I couldn't figure out an efficient way to do the updates; maybe you can.
21:21 < amiller> i don't understand how you use mmr as a utxo
21:21 < petertodd> Like, if 99% of my UTXO's are long dead, can I still generate the UTXO tree efficiently, and still be able to throw away the majority of the data?
21:21 < amiller> i keep reading the page and i don't get it
21:21 < amiller> how do you prove it's still unspent if it isn't removed?
21:21 < petertodd> amiller: You prove that it hasn't been marked as spent.
21:22 < maaku> petertodd: yes, basically the same scheme with transactions carrying their own proofs, updated by owners or archive services for a fee
21:22 < maaku> the update itself requires no level-compression of the hash calculations
21:22 < maaku> but you can still store level-compressed tree on disk
21:22 < maaku> and just expand the skip-list into a sequence of internal nodes
21:22 < petertodd> maaku: Right, but to insert a new TXO in a radix tree I still need a lot of intermediary digests.
21:22 < maaku> so a 256-bit key requires 256 hash operations to authenticate
21:23 < amiller> petertodd, so it requires log n digests/modifications to mark it as spent?
21:23 < petertodd> maaku: Whereas for a TXO MMR appending a new TXO is cheap.
21:23 < maaku> yes, although it's also O(1) ... just with a constant factor of 256
21:23 < petertodd> amiller: correct
21:23 < petertodd> maaku: appending is O(1), with a constant factor of 1
21:23 < petertodd> (in MMR TXO commitments)
21:24 < amiller> who cares if appending is cheap if updating is log n anyway?
21:24 < amiller> i guess it's nice..
21:24 < petertodd> Also in MMR TXO commitments in the general case, where you're spending recent coins, the proof size stays small, whereas in UTXO radix trees the proofs get much larger.
21:24 < maaku> petertodd: given the availability of CPU-accelerated sha256, and/or GPU acceleration, i don't give much weight either way
21:24 < petertodd> amiller: But it's not, it's log2(age), which is much cheaper than log2(total # of transactions)
21:25 < petertodd> maaku: bandwidth is what matters, and MMR TXO keeps bandwidth down
21:25 < petertodd> maaku: CPU/GPU whatever is completely irrelevant compared to bandwidth
21:26 < petertodd> For instance if I respend a TXO that confirmed 4 blocks ago, my proof size is only k*2!
21:26 < maaku> petertodd: yes, i'm in agreement on bandwidth vs processing
21:26 < maaku> but log2(age) is not necessarily cheaper than log2(# *unspent* transactions)
18:56 < midnightmagic> jgarzik: There are some excellent talks at..  28c3 I think.. with textual fingerprinting and analysis, and open-source tools anybody can use. Very impressive to see what academics think is the state-of-the-art.
18:56 < jgarzik> Far beyond that -- statistics can read your mind ;p
18:57 < gmaxwell> indeed.
18:57 < HM3> i'm going to 30C3 this year
18:57 < midnightmagic> equally impressive is their assertion that newbs who know their text is being analyzed can fool the tools without any training.
18:57 < jgarzik> I read about an image recognition demo.  Once you trained the model w/ a subject inside fMRI machine, the models were able to guess what the subject was visualizing
18:57 < jgarzik> you don't have to know how the brain works at all, to apply statistics
18:58 < HM3> jgarzik, but only things that have already been trained, surely
18:58 < jgarzik> computers are just too damned good at pattern matching
18:58 < jgarzik> HM3, today.. correct
18:58 < HM3> then I'll be dead before they get through my tinfoil house
18:59 < gmaxwell> people are good at pattern matching.. but each computer is like having a million kinda dumb people working on your problem. They really do change the power dynamics.
19:01 < HM3> reminds me of this computerphile video, where the guy reasons that useful AI is putting a pretty dumb machine in a carefully controlled environment, not making smart AIs to cope with complex environments
19:02 < HM3> like captcha processing. throwing a neural network at it works really well after a stack of bespoke preprocessing
19:02 < HM3> here we go  https://www.youtube.com/watch?v=hcoa7OMAmRk
19:06 < jgarzik> "How DPR Got Caught", summarized from the criminal complaint: https://medium.com/p/d48995e8eb5a
19:06 < jgarzik> (nothing that hasn't already been said here, just a useful summary)
19:07 < gmaxwell> jgarzik: notice the gap on 2? how'd they get the seized webserver?
19:08 < HM3> 1.5 is seizing his email account
19:08 < HM3> what kind of private VPN keeps logs :S
19:09 < jgarzik> what percentage of VPNs are really honeypots...
19:09 < gmaxwell> HM3: what kind of underground drug markets keep logs?
19:10 < HM3> well messages need to be kept until they're read
19:10 < jgarzik> gmaxwell, definitely some handwaving in the complaint, glossing over compromise of the servers in some foreign country
19:10 < HM3> when you buy something on silk road the process involves messaging through the site, to give the seller your address, and get updates etc.
19:10 < gmaxwell> HM3: yea, but there are a bunch of extra logs apparently!
19:10 < HM3> yep. should have had the rack rigged with thermite :P
19:11 < jgarzik> IIUC, Tor has around 7000 relays.  It seems well within existing technology and the ability of the NSA -- known to monitor the Internet at junctions all over the globe -- to observe all 7000 relays, and figure out which set of relays "bursts" during observed Silk Road visits.
19:12 < HM3> jgarzik, you could be an optimist and say the intermediate steps are omitted because they're routine and don't actually add to the evidence
19:12 < jgarzik> and it seems doable to classify a node a "busy"
19:12 < jgarzik> pick up enough of these strands, and you can probably locate a popular Tor hidden service
19:14 < HM3> that's like tracing bitcoin transactions to IPs by making as many connections as you can, or tracing Bittorrent DHT queries by running a load of nodes in the DHT
19:16 < gmaxwell> HM3: I've heard from people running ISPs that they have had people trying to purchase IP space in a large number of /8s in order to do bittorrent dht poisoning.
19:16 < HM3> the protocol, like most of bittorrent, was fairly rushed
19:26 < midnightmagic> gmaxwell: A friend of mine was already doing that for TimeWarner, as of perhaps 10 years ago. I haven't personally witnessed him doing that, but he's getting a paycheque and lives in.. Japan right now I think.
19:45  * HM3 debates porting some parsing code written in Boost xpressive to Boost Spirit X3
20:48 < gmaxwell> great... bitcointalk hacked.
21:01 < midnightmagic> jesus
21:01 < midnightmagic> smf is way holier than i thought
21:12 < Luke-Jr> gmaxwell: really? :o
21:12  * Luke-Jr is uncertain if that is good or bad
21:14 < gmaxwell> and defaced by some moron
21:14 < Luke-Jr> who might be stealing cookies to run against the real site?
21:22 < HM3> How frequently is it hacked?
21:22 < HM3> Seems like a bad day for the largest bitcoin forum to go down
21:22 < HM3> Conspiracy ;P
21:23 < gmaxwell> it's been similarly defaced once before.
21:46 < jgarzik> The "murder for hire" was indeed a sting, 100% fake: http://www.baltimoresun.com/news/maryland/crime/blog/bal-silk-road-owner-ross-william-ulbricht-allegedly-tried-to-arrange-witness-murder-in-md-20131002,0,5476223.story
21:46 < Luke-Jr> jgarzik: both?
21:47 < jgarzik> $80k
21:47 < Luke-Jr> "rivals" - huh? blackmail isn't rival :P
21:54 < gmaxwell> jgarzik: holy @#$#@
21:54 < gmaxwell> that is actually about the 80k hit!
21:54 < gmaxwell> Their chats took a turn when one of Ulbricht's employees got arrested in January after one of their arranged transactions. Authorities say Ulbricht worried that the employee would blow his cover and asked the undercover agent to have him killed.
21:54 < gmaxwell> Ulbricht said he had "never killed a man or had one killed before, but it is the right move in this case," an agent wrote in court papers.
21:54 < gmaxwell> The agent led Ulbricht to believe that the killing had been carried out, including sending staged photos of the employee being tortured, and on March 1 Ulbricht wired $80,000 from an account in Australia to an account controlled by authorities.
21:56 < jgarzik> $80k first one staged, $150-300k second one not staged [by LEA]
21:57 < gmaxwell> yea. crazy. well so much about my idea that the 150k one was DPR just intentionally playing along with the blackmailer to scare him off..
21:57 < gmaxwell> the fact that he really did think he had someone killed previously drastically lowers my probability assessment of that.
22:01 < HM3> dumb question
22:01 < HM3> since it's 3AM
22:02 < HM3> S1 xor P1 = S2 xor P2
22:02 < HM3> if you know S1 and S2, xoring them together = P1 xor P2, right?
22:04 < HM3> yeah duh
22:04 < HM3> Christ, time for bed
--- Log closed Thu Oct 03 00:00:37 2013
--- Log opened Thu Oct 03 00:00:37 2013
02:48 < wumpus> so much for his ideological spiel about a world without violence
02:49 < warren> You see, under the non-aggression principle you only have to worry about governments.  Voluntary actors and corporations (merely pooled capital of voluntary actors) have no reason to be violent.
02:50  * warren read all that crap for a paper this past semester.
02:51  * Luke-Jr notes Roger Ver considers DPR to be a hero after all this <.<
02:51 < gmaxwell> platonic politics for spherical cows.
02:51 < gmaxwell> Luke-Jr: you should point roger to the MD charges.
02:51 < wumpus> usually when people say that they mean 'only my aggression' or, 'only my group's aggression'
02:52 < Luke-Jr> MD?
02:52 < gmaxwell> Luke-Jr: I pointed genjix to them and he said he'd have to reconsider his position (he too was going on about the hero stuff)
02:52 < gmaxwell> Luke-Jr: http://www.baltimoresun.com/news/maryland/crime/blog/bal-md-drug-attempted-witness-murder-charges-against-silk-road-owner-document-20131002,0,258931.htmlpage
02:53 < gmaxwell> apparently the $80k hit mentioned in the NY complaint's emails was actually a MD sting operation.
02:53 < Luke-Jr> is there a PDF of that?
02:53 < gmaxwell> and in that case my "well maybe DPR knew he was talking to the blackmailer all along" doesn't at all apply.
02:53 < Luke-Jr> gmaxwell: I did mention the MFH stuff, and the posters on Roger's page went on about "no proof" :/
02:53 < gmaxwell> DPR wired 80k USD to some law enforcement in DC to have one of his staff members killed after he learned the staff member had been arrested. :(
02:54 < gmaxwell> Luke-Jr: http://s3.documentcloud.org/documents/801151/silk-road-owner-charged-in-md-with-drug.pdf
02:54 < Luke-Jr> thanks
02:54 < gmaxwell> This sounds much more solid than the incident in the NY one.
02:54 < gmaxwell> :(
02:55 < gmaxwell> I'm now honestly angry that they let this sonofabitch walk free for 8 months and gave him enough time to try to put out a hit on a second person!
02:57 < gmaxwell> and I suspect that the "success" of that first assassination is why he seemed so strangely eager to use it as a solution to his blackmailer problem.
03:09 < Luke-Jr> gmaxwell: no kidding
03:10 < gmaxwell> maybe someone actually is dead now because of it.
03:10 < gmaxwell> ... though I think that's unlikely.
03:13 < Luke-Jr> gmaxwell: on another note, I think it's awesome how the Maryland indictment uses past tense for SR :D
03:14 < Luke-Jr> hey, Maryland got "difficult to track" right (instead of anonymous)
04:13 < midnightmagic> say DPR wanted to prove he thought in advance, something was going on, and that he felt in advance there wasn't any hit happening. He could write various self-serving versions of it which conform to expected possible outcomes, and datestamp some hashes for each one, very nearly undetectable from one another using various namecoins. Then, depending on what actually happens, he magically whips out the most self-serving theory
04:13 < midnightmagic> which "proves" that in advance, he "knew" the cops were cops and no wrong-doing was happening.
04:13 < midnightmagic> how do the cops prove he wrote a dozen or a thousand of them?
04:19 < gmaxwell> that's why you couldn't use that sort of thing as a defense.
04:20 < gmaxwell> one of the reasons cops want money in these cases is to do kinda the opposite.
04:21 < gmaxwell> midnightmagic: I suppose if he timestamped one of those things with say, a $80,000 transaction fee... then you would have an argument which would convince _me_ that the timestamped thing was unique-ish, though selectively disclosed.
02:52 < gmaxwell> nah, this stuff is easy to improve in wikipedia, no one cares about it. :P
02:53 < gmaxwell> In any case, it's not exponential but indeed, it might be interesting.
03:07 < gmaxwell> in any case the short short of the rho algorithm: say you're looking for two hashes with the same 32 bit prefix. You pick a random starting value then truncate the hash output to 32 bits and use that to obtain your next point to check
03:08 < gmaxwell> then you keep going. Eventually you will loop. You can detect the loop in a bunch of different ways. Once you've looped you have a collision.
03:09 < Luke-Jr> hm
03:10 < gmaxwell> but the fact that you have to recompute part of your loop to actually find the other value, as well as the work required to detect the loop means this is slower than if you had the memory (and access to the memory were free).
03:10 < gmaxwell> There are schemes in between memorylessness and full memory that let you choose your tradeoff.
14:02 < amiller> ugh, i'm stuck on atomic cross chain transactions again
14:03 < amiller> https://en.bitcoin.it/wiki/Atomic_cross-chain_trading
14:03 < amiller> does this one work?
14:04 < amiller> it just uses timeouts and refunds and the whole hash of a secret thing
14:04 < amiller> so that a transaction that claims a reward on one chain must necessarily involve publishing enough information to claim the amount on the other chain
14:05 < amiller> and there's a longer timeout on the second chain
14:09 < jgarzik> amiller, as is self-evident, there is nothing really atomic there
14:10 < jgarzik> IMNSHO
14:10 < amiller> i'm willing to assume that the chains are *loosely* synchronized so that 48 hours doesn't elapse on one chain before 24 hours elapses on the other though
14:13 < amiller> i can't come up with any way that one transaction could be completed and the other not
14:18 < amiller> i guess this requires a locktime though
14:19 < jgarzik> yeah
14:19 < amiller> i can't figure out if this would work with existing locktime
14:26 < amiller> gahh, i think this is just unreadable
14:26 < amiller> i can't interpret what "A creates TX1: "Pay w BTC to <B's public key> if (x for H(x) known and signed by B) or (signed by A & B)"
14:26 < amiller> A creates TX2: "Pay w BTC from TX1 to <A's public key>, locked 48 hours in the future, signed by A"" would actually be as a transaction
14:32 < amiller> if then else ops currently work nonstandard, right?
15:19 < amiller> https://gist.github.com/amiller/6923910/raw
15:19 < amiller> i think this works out.
15:19 < amiller> it's different than luxgladius.
15:19 < amiller> i don't know why i didn't come up with this one before while thinking through the luxgladius one though
15:34 < amiller> https://bitcointalk.org/index.php?topic=193281.msg3315031#msg3315031
15:34 < amiller> i can't tell if i'm currently out of my mind or just was previously out of my mind, it's tricky
16:02 < gmaxwell> So here is a fun POW idea:   for each UTXO  compute  X_n = H(UTXO_n || H(header) || nonce)  and then search two X_n such that X_n_1 - X_n_2 < target.  it's UTXO semi-hard (time/memory tradeoff) but has a compactly checkable proof (just two UTXO fragments)
16:07 < gmaxwell> (oops one side needs to have a nonce of 0 or it's not utxo hard, darnit, I had that right initially and then revised my message and broke that)
16:32 < maaku> gmaxwell: why is it valuable to tie UTxO with PoW?
16:34 < amiller> because otherwise there's not much incentive to actually store the UTXO
16:34 < amiller> especially as the UTXO gets much bigger, people might elect not to store it at all
16:35 < amiller> why buy an extra hard drive to hold the utxo, it doesn't help you mine and you could just buy another miner
16:35 < amiller> this isn't as much of a problem as long as the UTXO stays pretty small, which it seems to be doing so far
16:35 < amiller> but this is especially a prerequisite for any altcoinish idea that involves a larger UTXO
16:35 < amiller> and it doesn't hurt to use the mining incentive to incentivize storing the UTXO
16:37 < maaku> hrm, ok is there any reason to have a UTXO-POW if you have UTXO commitments?
16:39 < amiller> yes
16:39 < amiller> even if you don't need the whole utxo to validate merkle-branch proofs
16:39 < amiller> you still need lots of people to construct/serve those proofs, cheaply
16:40 < amiller> those people can be the miners
16:40 < amiller> use the mining fee to subsidize some of the expense of validation (preparing the proofs)
16:41 < maaku> ok what i mean is if there is soft-fork commitment of the utxo hash to the coinbase
16:41 < maaku> (which is the current plan, i hope)
16:41 < maaku> then they are incentivised to have the UTXO set - their blocks will be ignored otherwise
16:42 < gmaxwell> maaku: imagine you have that.. and people go "ouch, these things are expensive to compute.  Oh look, bob will generate them for us for only 0.01% of our mining income, we just need to connect to him to get the latest value".. and you get massive centralization as a _result_ of your commitment.
16:42 < gmaxwell> but if the POW is UTXO hard then the communications bandwidth required to use bob is proportional to hashrate and prohibitive.
16:43 < maaku> but - different tack here - aren't you then requiring any full node to also maintain the whole utxo set to validate?
16:44 < gmaxwell> maaku: what I described can be validated against a utxo commitment (e.g. in the prior block)
16:45 < maaku> ok
17:00 < maaku> gah, i completely forgot about committing hashes of undo files
17:24 < amiller> does anyone have any idea wtf adam3us is describing
17:24 < amiller> i think it's good but i don't understand it
17:25 < amiller> i understand the idea of having homomorphic commitments to values (like instead of zerocoin, where you have to do one transaction per fixed-unit of currency)
17:27 < amiller> but i can't figure out what it has to do with proof of work
17:28 < gmaxwell> amiller: oh good, its not just me.
17:28 < gmaxwell> well actually I think I have a better idea of what it is than that.
17:30 < gmaxwell> Consider, you can do digital cash via blind signatures... so long as you can trust the blind signing guy to not double sign. So what if your POW were a blind signing algorithm? and the ability to double sign is removed by the difficulty in creating a block and the desire to not have your block invalidated via double signing.
17:30 < gmaxwell> I think that's what he is trying to describe.
17:39 < gmaxwell> amiller: i dunno why you say that "since pooled mining is *not* a systemic threat to decentralization in the same way" ... I think it is one, it's just one of lower magnitude, but not different degree.
17:39 < gmaxwell> the magnitude difference comes from the fact that miners can't vote with their feet, but we see in practice that they already vote with their feet super slowly with pools.
17:39 < gmaxwell> (e.g. stupid dos attacks are visible in the global hashrate)
17:39 < amiller> that's really not inherent to pooling though
17:39 < amiller> just an implementation of it?
17:40 < gmaxwell> yea, you could pool for payments only, and that wouldn't have that risk.
17:40 < gmaxwell> But the cost of running a full node, various intellectual friction, etc. are also pro-centralization.
17:41 < amiller> agreed, sure
17:41 < gmaxwell> but okay, fair point, your idea kills even the least harmful kinds of pooling.
17:41 < gmaxwell> e.g. just pooling payments.
17:42 < amiller> (edited to weaken my apparent endorsement of pooled mining :o)
17:51 < gmaxwell> amiller: https://bitcointalk.org/index.php?topic=309073.msg3315837#msg3315837
18:00 < Luke-Jr> I don't see how that would stop people from outsourcing mining
18:01 < Luke-Jr> on the contrary, it would just make it worse since the companies doing it would be less likely to give their clients any direct control over the miners
18:07 < amiller> i don't follow
18:09 < gmaxwell> Luke-Jr: the idea is that it makes it so the cloud company can easily and invisibly rip off their investors.
18:09 < Luke-Jr> they already can
18:09 < gmaxwell> The motivation may not be obvious to you because they can already do that, amiller is assuming a future world where the investors demand proof.
18:09 < gmaxwell> which they can currently provide.
18:10 < gmaxwell> e.g. if you buy x TH/s of mining the cloud can send you shares to prove that they're mining in a way that will pay you.
18:10 < Luke-Jr> i c
18:10 < Luke-Jr> so basically his idea makes it impossible for them to provide proof :P
18:10 < gmaxwell> Of course, no one does this, or even asks for it. But amiller assumes they will, and proposes to break that. Right.
18:11 < amiller> unbuild it and they won't come
18:11 < gmaxwell> their proof would be worthless because the solutions they find would be rebindable to pay them instead without anyone knowing who did it.
18:11 < Luke-Jr> imo not worth a hardfork <.<
18:11 < amiller> Luke-Jr, time will tell
--- Log closed Fri Oct 11 00:00:25 2013
--- Log opened Fri Oct 11 00:00:25 2013
--- Day changed Fri Oct 11 2013
00:33 < jgarzik> bye bye Dwolla, we hardly knew ye
00:52 < maaku> jgarzik: ?
00:53 < jgarzik> maaku, they are stopping anything related to virtual currencies as of Oct 28
00:54 < maaku> ah
21:24 < HM3> :)
22:14 < amiller> :)
22:15 < gmaxwell> :-/
22:53 < jgarzik> !!!
23:12 < HM3> https://www.imperialviolet.org/2013/07/18/hashsig.html
23:12 < HM3> great blog post on Lamport signatures
23:13 < HM3> I just found out agl (the above blogger) implemented the 'donna' plain-C impl of djb's curve25519
23:14 < HM3> been reading his blog for a while, so it was a nice collision of interests
--- Log closed Sat Oct 12 00:00:03 2013
--- Log opened Sat Oct 12 00:00:03 2013
11:53 < nanotube> so my bitcoind node is averaging total connections in the 120s (out of 128 total), with 40-50 through tor. only one data point, but seems to suggest that open network slots are relatively few.
11:53 < jgarzik> indeed :/
04:01 < warren> gmaxwell: and board markup can be within that, parsed within the signed message box, but raw text for manual verification
04:02 < gmaxwell> this way people using their own gpg signatures on messages aren't a nuisance adding kilobytes of base64 data to everyone's screens.
04:02 < gmaxwell> yea, exactly.
04:02 < gmaxwell> so it doesn't break markup either.
04:03 < gmaxwell> warren: rails?  Not go? :P
04:03 < warren> gmaxwell: whatever can be rapidly developed and is reasonably securable
04:04 < gmaxwell> most of the dynamic languages have been security disasters of various degrees. :(
04:04 < gmaxwell> rapidly developed and is reasonably securable ... = Java.
04:04  * gmaxwell ducks
04:04 < warren> haha
04:06 < warren> SMF has the ability to grab avatars from arbitrary URLs
04:06 < warren> I'm not sure how someone thought that was a good idea.
04:06 < warren> there is no reason a forum should be able to make outgoing connections
04:06 < warren> also ... bitcointalk's outgoing e-mail is spam binned or blocked at many ISPs
04:07 < warren> because spam is sent in PM's
04:07 < warren> forum TNG needs an egress spam filtering with moderation
04:10 < gmaxwell> warren: it should use tor for that. :P
04:10 < gmaxwell> oh a feature I want: block @#$@#@ third party images in posts.
04:11 < gmaxwell> It's crappy that anyone on the forum can get the IPs of anyone who reads their threads by inlining an image!
04:11 < warren> yeah
04:11 < gmaxwell> I bet it even works in PMs too, but I haven't tried it.
04:11 < warren> I'm curious why that's allowed at all.
04:11 < gmaxwell> it will be awesome beyond belief if there is another browser PNG remote code bug...
04:11 < gmaxwell> (there have been ones in the past)
04:11 < warren> gmaxwell: ooh... let people upload images ... but that's a premium feature
04:12 < warren> no privacy problem that way
04:12 < gmaxwell> sounds fine to me. also would reduce fucking stupid meme images, which I think is ducky but others may not agree.
04:12 < warren> they can use stupid meme images, if they pay
04:12 < warren> pay to pollute
04:13 < gmaxwell> yea.
04:13 < gmaxwell> I wish there were a way to distinguish normal signatures from advertising ones. I wish I could block only the advertising signatures (though I guess they're a good way to identify idiots)
04:13 < warren> people will bitch about losing the feature, but easy to explain with "privacy"
04:14 < warren> gmaxwell: ooh, Ignore button only for signatures
04:14 < gmaxwell> it has that already, in fact.
04:14 < gmaxwell> oh but it's not per user.
04:14 < warren> huh
04:14 < warren> oh
04:14 < gmaxwell> ah, also, might be interesting if you could subscribe to other users ignore feeds.
04:15 < warren> hahahaha
04:15 < warren> that would be awesome
04:15 < gmaxwell> Or be able to do things like ignore this if 2 out of {warren, theymos, gavin} has ignored.
04:16 < warren> don't want the logic to become too slow
04:16 < gmaxwell> (in theory you could replace a lot of banning with a default ignore subscription, though if mods were ignore subscribed, I'd want separate personal and moderator ignore lists.. as I ignore people pretty freely)
04:16 < warren> gmaxwell: would folks like a slashdot-like meta-moderation system?
04:16 < warren> good posts bubble up
04:16 < gmaxwell> I think slashdot has been a uniform disaster and I wouldn't use any forum that worked that way.
04:17 < warren> reddit is a disaster too?
04:17 < gmaxwell> I think my net karma in /r/Bitcoin is negative.
04:18 < gmaxwell> Because I've posted things like expressing concern about people centralizing on popular web wallets or saying that I didn't think the promotion of illegal activity was good for bitcoin.
04:18 < gmaxwell> And I got groupthink downvote bombed.
04:19 < gmaxwell> (my reddit karma overall is very high, it's not like I do poorly in reddit in general... but it punishes strong voices who aren't in with the flow)
04:21 < gmaxwell> Now, ... a per subforum mode that let do a reddit style thing might be interesting.
04:21 < gmaxwell> E.g. press subforum would probably be neat with reddit ranking instead of most recent post bumps.
04:57 < midnightmagic> post bumps make me angry
04:57 < midnightmagic> aaaaangry
04:58 < midnightmagic> no..  wait, that's steven harper that makes me angry..  aaaaangry
06:19 < warren> gmaxwell: mind if we act as guinea pig for gmaxwell:external_ip?
06:26 < warren> gmaxwell: I'm going to make a bitcoin-0.8.5 branch with the large pile of stuff I backported/tested in litecoin-0.8.x too.
06:34 < petertodd> gmaxwell: make the forum have an underlying usenet-like architecture, so those interested can mirror whole copies. Prevent DoS w/ trusted signature schemes of the "master server" and/or proof-of-sacrifice stuff
06:35 < warren> petertodd: with client-side encrypted warez ...
06:36 < petertodd> warren: heh, yup
06:36 < petertodd> warren: obviously moderators can handle that...
06:37 < warren> petertodd: can they? they have no idea what is stored there...
06:38 < petertodd> warren: right, and having no idea is grounds for them banning the message. (or not allowing it in the first place)
06:39 < warren> censorship!
06:39 < petertodd> allowership!
06:40 < petertodd> no seriously, I'm thinking you have what if fundamentally a flood-fill, but use signatures to filter
06:40 < petertodd> *what is
06:40 < petertodd> and really, usenet is probably 95% of what we need...
06:42 < petertodd> heck, looks like there's some existing web-based usenet readers
06:43 < warren> ship it with monster truck sized training wheels
06:44 < petertodd> Exactly! it's totally ok if there's still "bitcointalk.org", and if what it's usually doing is generating a PGP key on your behalf that it signs your posts with.
06:44 < petertodd> Also, you can still have ads: add them to messages the same way that bitcoin-development does in a separate mime bit. (you can have two sigs even...)
06:45 < petertodd> or just leave the ads on the http version - the usenet version doesn't have to
06:46 < petertodd> (kinda sad that my first thought with an awesome fully decentralized forum is how can we stick ads on it...)
07:26 < warren> gmaxwell: https://github.com/wtogami/bitcoin/commits/0.8.5-externalip  backported your patch to 0.8.5. It seems to run ... no idea if it is working.
07:27 < warren> petertodd: any idea how to test if this is working?
07:27 < petertodd> warren: logs? tcpdump?
07:28 < warren> maybe a logprint when it transmits an advertisement?
07:29 < MoALTz> petertodd: figure out how to reward website operators for offering a service without using ads? not sure if there's a good way to do this though
07:29 < petertodd> yup
07:30 < petertodd> MoALTz: nah, real easy: we want to pay mods because they do useful moderation work, and we want to pay server operators because servers cost money
07:30 < petertodd> MoALTz: the latter is easy with http web stuff, just use ads! with nntp, charge for the service. For moderators, attach the ads to the messages they moderate if you want, or take money out of the other two categories.
07:35 < petertodd> crazy scheme: so moderators/forum operators are good for DoS attack control. Make people pay for that service by using a forgeable digital signature, specifically one where between two parties, the receiver knows the sig is valid, but it's constructed in such a way that the receiver themselves can fake the signature. Thus when people stop paying for their feed, stop signing the data. Works best with a broadcast encryption scheme, though I don't know enough about the details of how to actually do that.
17:27 < warren> https://github.com/litecoin-project/litecoin/pull/81   we're going to guinea pig the externalip thing
17:27 < warren> anything else you want tested on <that other network>?
18:31 < adam3us> gmaxwell: less OT here it seems to me a Pedersen commitment can be used as a chameleon hash also have to check, maybe it's well known - not sure
18:32 < gmaxwell> I was trying to come up with a way to use ECDSA as one (on the basis that people already have ECDSA code), but failed... I could only get one that worked for two messages and only if you knew them in advance.
18:33 < adam3us> yeah schnorr is just more flexible ... dsa is a bad algorithm
18:33 < adam3us> gmaxwell: Pedersen commitments are like two discrete logs and generalizes to many discrete logs called representation problem
18:38 < gmaxwell> adam3us: interesting, yea, I didn't think any of the other chameleon hashes failed to leak the private key. That was indeed also the claim of that paper.
18:44 < adam3us> gmaxwell: maybe it's wrong... i find it hard to imagine i just invented two new chameleon hashes given how easy it was
18:45 < gmaxwell> it wouldn't surprise me, it's not the most in-demand cryptographic construct, and it's highly related to ZKPs, which you've been thinking about lately.
18:45 < adam3us> gmaxwell: check thread, but a=kG+mQ is hash, modified hash is a=k'G+m'Q which recipient can calc as he knows dG=Q, and k'=k+md-m'd
18:46 < adam3us> gmaxwell: u know there is a lot of interesting and practically useful stuff below what the academics call MPU minimum publishable unit
18:48 < adam3us> gmaxwell: it's an interesting q if you can force that to be a valid ECDSA sig, would be like an existential forgery (sender) vs a real sig (recipient) but i am not sure if an existential forgery can communicate anything other than a random number in place of a msg
19:31 < adam3us> gmaxwell: yeah i don't see how to make that work with ecdsa either.. oh maybe you can do this
19:33 < adam3us> gmaxwell: R=kG, r=R.x, s=k^-1(H(m)+rd) dsa sig = r,s (normal so far) a verify relation is sR =? H(m)*G+rQ
19:35 < adam3us> gmaxwell: so work backwards, choose r random, compute R=[r,f(r)], then H(m)*G, calc T = H(m)*G+r*Q
19:35 < adam3us> gmaxwell: ok now chose random s compute sR = T (ie s^-1*T = R)
19:36 < adam3us> gmaxwell: so far the R value is random and wrong and doesn't match r
20:16 <@petertodd> On the other hand, with opaque transactions, again, what's to stop the bank from creating inflated ones? But if you can audit that, then someone can just troll through the balance sheet and find them all out anyway.
20:16 <@petertodd> (though granted, movements would be harder)
20:17 <@petertodd> It's funny too how balances that sit untouched, can be relatively safely taken by the ledger in fraud/balance expiry.
20:17 <@gmaxwell> petertodd: I don't follow. The bank pays you 100 btc it doesn't have. You check your balance. Is the root correct? if so, then someone else's root will not be correct.
20:18 <@gmaxwell> well such a system would likely fund itself by periodic fees on inactive accounts, this also prunes the account database.
20:18 <@gmaxwell> (it would make txn paying itself from users)
20:18 <@gmaxwell> and yea, it could rob inactive users and use that to pay other users... though they'd eventually be able to prove it.
20:19 <@petertodd> I guess that's basically my complaint: it relies on users checking for fraud 100%, and each user has to play their part.
20:19 <@gmaxwell> or rather, challenge it and the bank would be unable to prove it didn't.
20:19 <@petertodd> See, I'd say don't worry about balances, just do a straight up unspent txout list as usual.
20:20 <@gmaxwell> yea, but thats less private and also not so scalable. Proving that the bank has the funds to back itself and proving that it hasn't just randomly taken your money is probably the biggest concerns.
20:20 <@petertodd> Merkle sum the txout of course, but leave it at that.
20:20 <@amiller> i'm interested in something which is that normally there's no incentive to communicate information in a p2p network but in bitcoin there sort of is
20:20 <@gmaxwell> Consider the bank like things that put people's money with pirate.
20:20 <@amiller> in the sense that you want to publish proofs because it makes it easier for other people to build on your block rather than undermining it
20:20 <@amiller> same as wanting to obtain the proofs so you can be sure you're working on a valid block
20:21 <@amiller> it's obvious how by encoding validation rules / proof of work puzzles you can incentivize both storage and computation
20:21 <@amiller> it's less obvious but still seems plausible that you can incentivize communication this way
20:21 <@petertodd> "Consider the bank like things that put people's money with pirate." <- ?
20:22 <@petertodd> Oh, wait, you mean the funds that took peoples money, and forwarded it to pirate.
20:22 <@gmaxwell> petertodd: when pirate poofed a bunch of other stuff poofed too.. bitcoin businesses and such, that has investors money, even an exchange like thing...
20:22 <@gmaxwell> Yep. Even when they were saying that they hadn't done that.
20:22 <@petertodd> Yeah, I see what you mean, you want to audit the backing funds first.
20:22 < HM> i take it nobody got their money back?
20:22 < HM> last i heard he was actually paying some back ?
20:23 <@gmaxwell> people who were paid before the implosion got paid.
20:23 <@petertodd> HM: he kept saying that to keep people hoping, and not suing him.
20:23 <@gmaxwell> and yea ^ that.
20:23 <@petertodd> (post implosion)
20:24 <@gmaxwell> petertodd: in any case, I think thats the biggest sorts of concerns. The UTXO thing would be better but also more complicated less scalable.
20:24 <@petertodd> gmaxwell: Yeah, I'll agree with you on that. Basically, build a client that makes checking for fraud periodically, and ensure people use it, and you're probably doing pretty well.
20:25 <@gmaxwell> so one thing to do would be for every account to be based on two keys, an encryption key for antifraud, and a signing key for spending.
20:26 <@gmaxwell> the system could publish all the antifraud proofs, encrypted.. so that it can't tell who's paying attention.
20:26 <@gmaxwell> Moreover, people could hand over copies of their anti-fraud decryption keys to friends that they don't mind losing some privacy to.
20:26 <@gmaxwell> So the burden of checking could be shared.
20:27 <@gmaxwell> ALTERNATIVELY. the system could pay users to check.
20:27 <@petertodd> How so?
20:27 <@gmaxwell> e.g. you get an inactivity fee if you're not checking.
20:27 <@petertodd> Ah, so if the server doesn't get the occasional query?
20:27 <@gmaxwell> right. if the server doesn't get queries from you it deducts your balance until your balance is gone.
20:28 <@petertodd> So, the signing key can be ECC, and then the encryption key should be a private key, so the bank can't publish your details behind your back.
20:28 <@gmaxwell> If you're still querying though you keep a balance. Rather than prevent the theft we institutionalize it. :)
20:28 <@petertodd> And further more, the ledger should also publish the hash of the current anti-fraud proof, so you can always just give someone the proof, and they can verify it.
20:29 <@petertodd> Ha, I like the institutionalization... Standard expiry time thing.
20:29 <@gmaxwell> Well, one way to prevent theft is to give people an honest way to get the same (averaged) gain permissibly and within the rules. :)
20:29 <@petertodd> For sure
20:29 <@gmaxwell> but since everyone knows how it works, they can behave accordingly.
20:30 <@gmaxwell> if the bank can rob you if you don't check make it permitted to do so. (slowly)
20:30 <@petertodd> Also, note how if the ledger is purely balance based, we actually can do chaum tokens still.
20:30 <@petertodd> A chaum transaction just means an increment in the special outstanding token balance, followed by a decrement.
20:31 <@gmaxwell> right, there could be special accounts for outstanding chaums of different sizes.
20:31 <@petertodd> Yup, powers of two would be good.
20:31 <@gmaxwell> and the chaum validation key could be public. Though you couldn't prove that they weren't overprinting chaums.
20:32 <@gmaxwell> but only users with chaum in hand would have that risk.
20:32 <@gmaxwell> well I suppose you could, but were back to the registering thing. :)
20:32 <@petertodd> Yes, they'd be at risk the second every outstanding chaum token gets redeemed.
20:33 <@gmaxwell> I think people are not that uncomfortable with banks that themselves are single privacy points of failure though. I mean we have that for everything except cash. Use the bank via tor.
20:34 <@petertodd> Probably true really.
20:35 <@gmaxwell> mostly I'd like to see this on testnet, just as a tool to get more people to dork around with testnet... though if the code were available some fool would run it for real. :P I wish them luck.
20:35 <@petertodd> Oh, and it's interesting: withdrawals can be handled just fine using the "non-backing" store of value basically, in the reverse of deposits. So really without a lot of collusion you'd never figure out where coins are going on-chain.
20:35 <@petertodd> Yes, I think "release the code" is a very, very good model...
20:36 <@gmaxwell> yes, thats a good goal and I'd realized that too.
20:36 <@petertodd> Good.
20:36 <@gmaxwell> it also, again allows for more efficient withdrawals.. batched, mtgox code, chaum tokens with some other system.
20:37 <@gmaxwell> The only thing provable is that the bank holds a certain amount of money, and technically even that proof would only be available to balance holders, you'd make the txids of the holding txn part of the proof hashtree.
20:37 <@petertodd> That also gets you five types of transactions: in-system, proxy-withdrawal, proxy-deposit, real-withdrawal, real-deposit, with the latter two basically only ever happening for the ledger's main account.
20:38 <@gmaxwell> right. Well, and because the in-system traffic is only checked by the system and the involved users you can have whatever complicated rules you want.  In system escrow txn? no problem.
20:38 <@gmaxwell> Recurring payments?!@# no problem.
20:39 <@petertodd> You know, you can just give the user a way to sign that they accept the balance on their account too, so you can expire old tx history.
20:39 <@petertodd> With part of that signature being over the master hash.
20:39 <@gmaxwell> indeed, then it actually converges on a consensus system.
20:40 <@petertodd> Include a bitcoin proper blockchain hash, and a timestamp, and you can constrain the time quite nicely too so you can do tx history expiration.
--- Day changed Sat Mar 02 2013
12:18 < HM> but the advantage of a stack was scriptSigs and scriptPubkeys are easy to combine
12:18 < HM> and evaluate
12:18 <@sipa> which means it can be merkleized: you associate a hash with every node, and by just having the root hash, you can prove that a particular path through the tree belongs to it
12:18 <@sipa> HM: in practice, that is not the case anymore by far
12:19 <@sipa> plus it is hard to analyse
12:19 <@sipa> and actually terribly complicated to write actually useful complex scripts
12:20 < HM> wait, how does one path on an AST prove anything/
12:20 < HM> ?
12:20 <@sipa> ok, so imagine you had in your script AST language a construct "if BOOL then X else Y", where X and Y are subtrees
12:20 < HM> how would you do multisig for example as an AST
12:21 < HM> that should be a simple example
12:21 <@sipa> you could have a node that requires a valid signature as input (input just becomes a list of values, and the AST refers to specific elements in it)
12:22 <@sipa> combine two such nodes with an AND, and you have 2-of-2
12:22 <@sipa> combine it with an OR, you have 1-of-2
12:22 <@sipa> use a COUNT operator to compute the number of valid signatures on top of 3 such sigchecks, and compare it with >=2, and you have 2-of-3
12:23 < HM> i'm struggling to see how you refer to vin provided values in a script
12:23 <@sipa> ok, so scriptSig just gets replaced by a list of values - no script or anything fancy
12:23 < HM> sure
12:24 <@sipa> our language has these nodes: DATA(X), with X an integer, returns the input value number X
12:24 <@sipa> AND(X,Y), requires X and Y both to evaluate to true
11:53 < jgarzik> it gets ever more expensive to set up a full node
11:53 < jgarzik> and all of them are unpaid
12:01 < jgarzik> Satoshi predicted bitcoin would eventually devolve into miners running the only full nodes that would be disappointing
12:13 < nanotube> bitcoind is also using roughly 500MB of ram. I've got 2G here, so i could up the connection count to like 512 and see how it likes it.
12:26 < nanotube> anyone checked out http://academiccommons.columbia.edu/catalog/ac:110756 ? i just found it, seems like if it would work for tornodes, it might also work for bitcoin nodes?
13:07 < jgarzik> nanotube, the no-wallet mode should help
13:10 < nanotube> personally i'm not hurting for ram on this vps, but yea the less ram it uses, the lower the barrier to running a node.
17:57 < gmaxwell> 09:01 < jgarzik> Satoshi predicted bitcoin would eventually devolve into miners running the only full nodes that would be disappointing
17:58 < gmaxwell> especially since there are only like 5 miners. :(
18:00 < gmaxwell> nanotube: I've had some ideas about a lottery to pay people that runs nodes... but I'm somewhat concerned that once you've gone down that path it's not hard for someone to outbid you with "My lottery pays 10% more, but you have to run this special node software which is detectable as special only to me that does <???>" (e.g. sends logs of all transactions back to a mothership, imposes new network rules, etc)
18:00 < warren> fully verifying or archival with all blocks?
18:00 < warren> miners don't even need full blocks...
18:01 < gmaxwell> warren: that assumption wasn't that it would be out of necessity. Once you've got a business that has you supporting the bitcoin network, .. having a few hundred gigs of diskspace for it isn't that big a deal.
18:02 < gmaxwell> so at least as the network rules are now, I don't think access to the historic blocks is the greater problem.
18:03 < gmaxwell> (ha, well I say that, but currently none of my nodes could spare more than 100gb for bitcoin... my standalone nodes are on 120gb SSDs, and I only have 270 gb free on my laptop.)
18:06 < warren> I suppose it's more important to have more listening fully verifying nodes than to have archival nodes.
18:06 < sipa> archival nodes can just be gttp servers
18:06 < sipa> or dropbox
18:07 < sipa> *http
18:07 < sipa> there is nothing hard about them, except storage and bandwidth
18:07 < gmaxwell> I really really don't like this bimodal thinking that some people are developing wrt a bright line between full vs archival. I think it's a receipy for disaster, because it provides no way to contribute partially: just a binary "enormous amounts of bandwidth and storage" or "not enormous".
18:07 < warren> would the future client automatically enforce integrity of that bootstrap.dat by keeping the checkpoints?
18:07 < sipa> right
18:07 < maaku> gmaxwell: an altchain using your utxo-pow, plus cross-chain trade exchanging altcoins for bitcoins?
18:08 < gmaxwell> recipe*
18:08 < sipa> heh, i want to get rid of checkpoints altogether
18:08 < warren> I know
18:08 < warren> hence I asked if there's any safe way to automatically enforce bootstrap.dat integrity without it
18:09 < gmaxwell> yea, checkpoints need to go, they're a huge cognitive landmine. :(
18:09 < warren> how so?
18:09 < gmaxwell> warren: they enforce it by having verified the chain.
18:09 < warren> aside from an excuses from the broadcast checkpoint people
18:09 < sipa> why would bootstrap.dat need to be integral?
18:09 < warren> isn't that what you meant by http or dropbox?
18:10 < sipa> no, i meant that there is nothing hard about archival
18:10 < sipa> it doesn't need special software
18:10 < sipa> it doesn't need low latency
18:10 < sipa> it doesn't need trustable nodes
18:11 < warren> so it doesn't matter if it is corrupted or provided by a hostile entity, because it won't verify and come in sync
18:11 < sipa> yeah
18:11 < gmaxwell> warren: Because the notion of a decentralized consensus is really alien to people, and so they flail around looking for a traditional trust model inside bitcoin. Then they find checkpoints and they say "aaahhh.. Now I finally understand how bitcoin really works" but really they don't understand it at all. Bitcoin has failed if the production network's consensus is ever set by checkpoints.  The result is people constantly making lame ...
18:12 < gmaxwell> ... insecure proposals and then excusing them with "sprinkle more checkpoints on them!" which doesn't really solve anything because .. what? are we going to add another blockchain to choose these checkpoints-that-would-actually-matter? and what would secure that one?
18:12 < gmaxwell> warren: plus you can do a light validation of it that just checks its hashes... and then you compare the best block hash to your own chain on your own node, and then you are 100% sure that the bootstrap.dat is correct.
18:13 < sipa> people have somehow accepted that you don't need signatures before the checkpoints
18:13 < sipa> which is true, once you trust the checkpoints
18:14 < sipa> but it really is just a shortcut to avoid a trivial mislead-a-syncing-client attack, if we'd just disable sig checking for old blocks
18:14 < gmaxwell> And of course that stuff closes off thinking optimizations which are not so hostile to a trust free model: things like randomly verifying and alerting people on any violation.
18:14 < gmaxwell> s/thinking optimization/thinking about optimization/
18:15 < sipa> they're an evil necessity once you accept the compromise of not checking all sigs
18:16 < sipa> with headersfirst syncing, you can safely disable sigchecking without checkpoints
18:16 < sipa> well, safely... not less safe than what we have now
18:16 < sipa> it's still a compromise
18:17 < gmaxwell> and there are more degrees available.
18:17 < gmaxwell> e.g. checking 1:1000 signatures in the historic chain is virtually as fast as checking none at all. But with many nodes, you are virtually assured that someone will notice any cheating ... drastically reducing the incentive to create a long fork that would be needed to attempt it.
18:17 < warren> "someone will notice" assumes others are not asleep to hear the warning
18:18 < warren> we have thousands of clients still running old versions that have perma-alerts ... asleep
18:18 < gmaxwell> warren: keep in mind you're already talking about that being predicated on an attacker replacing months of the chain.
18:19 < warren> true
18:19 < warren> ok
18:20 < gmaxwell> warren: I don't think it's worth the risk/code complexity at least in the short term but the response there could be automated ultimately.
18:20 < warren> are you thinking to do random sig validation, and also PoW validation?
18:21 < sipa> PoW + utxo everywhere, sigchecks after last checkpoimt: that's what we have now
18:22 < gmaxwell> warren: e.g. each node checks all the sigs for the blocks within the last two months of POW at current difficulty. And before that they check only 1:1000. (and if you have automatic response) if they find an invalid signature they could announce it, and the network could relay that announcement, and blacklist the block in question. (this last bit I don't think is worth doing in the short term)
18:22 < gmaxwell> (but I think it would be worth doing someday after utxo in blocks, with SPV nodes doing some randomized validation of their own)
18:23 < sipa> we could have something like pow + utxo everywhere, between 1 year and 1 month of PoW worth of burying and increasing % of sigchexks, and in the last month worth of PoW check everything
18:23 < sipa> my phone typing skillz are weak
18:24 < gmaxwell> This could be made stronger if it didn't just check the signatures in the last N POW-months of blocks, but also always checked all of them after a reorg.
18:24 < sipa> hmm?
18:25 < gmaxwell> sipa: e.g. say you check the last month of blocks. Then someone does a 1.25 month deep reorg. You'd still check all of those. So then a reorg could never insert invalid signatures. You could only get invalid signatures on startup... so an attacker could only trick new nodes, and his trickery would end as soon as everyone else got ahead.
18:26 < gmaxwell> basically it reduces an attacker issuing invalid signatures to isolation attacks instead of actually getting the network to accept an invalid signature as valid.
18:30 < gmaxwell> making that gate stateful kinda sucks. It could be better stated.  "You will check all blocks higher than X, if you are aware of a header valid fork at X or prior which has at least Y work more than X", where Y could be something like a days worth.
18:31 < gmaxwell> so normally a new node would check only the last (say) POW-month's worth of signatures. BUT if that node is not isolated and sees a long fork at 1.25 months, it will check since 1.25 months ago.
18:32 < gmaxwell> I am very happy with this. I think the result is that it is only a bootstrapping time compromise. E.g. there could be a conspiracy of bitcoin users to have broken the rules in the past, but nothing worse than that. And that can be substantially closed with random checks before the cutoff. (the conspiracy would only work if it could be kept secret).
18:42 < jgarzik> http://www.wired.co.uk/news/archive/2013-10/12/us-internet-control
18:42 < jgarzik> sad side effect will be greater localization of data inside more repressive regimes
18:43 < sipa> perhaps more on-topic in dev?
18:43 < sipa> or rather, less offtopic
18:50 < nanotube> gmaxwell: as to your concern for "i pay you more to run my special node" <- how does that become /more/ of a concern than now? currently, someone can say "i'll pay you to run my special nodes" and users will be comparing "run bitcoin nodes for no compensation" to that.
18:50 < nanotube> i don't see how compensating our nodes could make that problem any /worse/
12:27 < TD> (figure 1 shows lots of bouncing arrows between verifier and prover)
12:29 < gmaxwell> yea, okay, I hadn't seen their paper, just the code. Without looking I'm going to guess that their "contribution" was some interactive thing, but their source code appears to include basically pinocchio with the missing parts restored. (the pinocchio source code is incomplete: they used some microsoft internal pairing crypto library which they didn't release)
12:30 < TD> ah yes
12:30 < amiller> pantry seems to be based on an earlier protocol they built zataar which is pinocchio from scratch
12:30 < amiller> i think they mostly only used the c-to-circuits compiler frontend from zataar
12:31 < gmaxwell> I spent 5 minutes looking at their code ... didn't get as far as trying it because of the insane dependencies.
12:52 < amiller> from the paper it looks like there's only one round of interaction because all the pcp queries are in a batch, but it is private coin so you wouldn't be able to trust someone else's transcript
12:52 < amiller> that's way lamer than pinocchio unfortunately
12:52 < amiller> so tinyram is better yeah
13:53 < realazthat> amiller: mmm interesting
13:53 < realazthat> I'll look at it
13:54 < realazthat> TD[away]: I am not sure if tinyram base code is ready yet
13:54 < realazthat> but it is supposed to be available
13:54 < realazthat> I am unsure on licencing
13:54 < realazthat> you can mail eli
15:22 < sipa> petertodd: maybe better here
15:23 < petertodd> sure
15:31 < petertodd> sipa: parasitic consensus systems are going to be interesting, it's so damn easy to make them SPV compatible.
15:33 < petertodd> w/ TXO commitments, it'd be worth it to make sure such systems have nice blockchain interaction libraries, that do some validation while they get their data, and can spit out appropriate fraud proofs.
20:23 < gmaxwell> Damn. I really wish all those OP codes weren't disabled.
20:24  * sipa enabled OP_TURINGMACHINE
20:25 < sipa> *enables
20:26 < gmaxwell> (per Murphant on the forum)  you could construct a transaction where alice pays to one of {alice in two weeks (nlock refund), alice + bob, bob but only if the signature provides a spv proof that a specific transaction was mined}
20:26 < gmaxwell> such a proof would be pretty easy to construct with the splice operators. and not terribly huge by any means.
20:27 < gmaxwell> The idea being that alice pays bob to make a publicly disconnected transaction paying mallory. And if bob does, alice+bob sign and there is no linkage.  If bob tries to cheat alice times it out and gets the refund. If alice tries to cheat bob blows her privacy by revealing he kept up his side of the deal.
20:30 < gmaxwell> It only needs script powerful enough to verify a SPV proof. e.g. provide txid X  such that H(X|| non-public nonce) = Value in script, then a SPV proof that X was mined.
20:31 < gmaxwell> (of course with an AST script you wouldn't even reveal that the untaken branch of the script had a reveal-verifier, so no one could even tell that there was an airgapped payment made.
20:31 < gmaxwell> )
20:59 < gmaxwell> I wonder how awful it would be if we added a hashtree opcode.
21:01 < gmaxwell> inputs: [hash] [tree size] [position of hash in tree] [bunch of branch hashes packed up] ... and it emits a root.
21:02 < gmaxwell> it could be used for spv-secure cross chain transactions. With an extra opcode to check a header against the chain, it could be used to do proof of another transaction to allow those airgapped transfers.
21:10 < amiller> script powerful enough to do spv-secure is the basic idea of P2PTradeX
21:13 < gmaxwell> I know. (if you noted in that thread I wasn't all that excited about that, over what you can do with a simple two-hashlock transaction)
21:14 < gmaxwell> I suppose there is a hashlock version of an airgap payment too.
21:29 < gmaxwell> amiller: whos ya daddy? https://bitcointalk.org/index.php?topic=318122.msg3431242#msg3431242
21:32 < amiller> whoa
21:32 < amiller> that's neatttttt
21:34 < gmaxwell> (I just made some tweaks to make it more readable)
21:47 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=318122.msg3431242#msg3431242  < can we try this protocol sometime? I believe I owe you some coin. :)
22:20 < amiller> i guess i don't see what the point of it is exactly, if you had an ordinary trusted mixer to use you could send the thing to own fake address and then to bob
22:21 < amiller> i guess it reduces the cost of using a mixer that way
22:21 < amiller> er reduces the time by one transaction
22:21 < gmaxwell> amiller: there is no linkage in the transaction graph between alice and bob at all. They can be forever completely disjoint.
22:21 < amiller> although there are still transactions just one is an escrow
22:21 < amiller> they both interact with carol
22:22 < amiller> carol can use different addresses but this is true of any mixing service
22:22 < gmaxwell> e.g. no amount of coin-flow analysis would show coins from alice end up at bob.  Sure. But carol doesn't need to be trusted, and presumably carol keeps her funds separated.
22:23 < gmaxwell> amiller: yea, compared to j-random-mixer the mixer cannot steal (which means that the mixer can be strongly anonymous, which makes it less vulnerable to coercion: log or we break your fingers)
22:23 < gmaxwell> compared to coinjoin the transaction flow can be completely disconnected.
22:23 < amiller> so i can use this to mix with myself
22:24 < gmaxwell> yea, you could be alice and bob.
22:24 < amiller> i have to trust the mixer for anonymity but yes it can't steal my funds
22:24 < gmaxwell> Downside compared to coinjoin is that you can't blind the mixer, it learns the linkage.
22:24 < gmaxwell> since the transaction pattern is identifiable your anonymity set can't be bigger than all the people using similar transactions, alas.
22:26 < gmaxwell> (CJ has the benefit that the transactions are not distinguishable, except to the extent that they have unusual values or numbers of inputs/outputs... disadvantage that it can't produce a truly disjoint graph ... though arguably this doesn't either unless widely used)
23:04 < warren> petertodd: jdillon wrote to me.  I'm still not convinced he's a real person.
23:06 < gmaxwell> I wondered for a bit if he might not be DPR until he seems to have showed back up.
23:07 < warren> huh.  He did indeed disappear for a while.
23:08 < Luke-Jr> is it PGP signed? :P
23:08 < warren> PGP signed and encrypted
23:10 < Luke-Jr> anyone can encrypt :p
23:10 < warren> yes, signed
23:10 < warren> perhaps someone else got his key with the $5 wrench attack
23:10 < warren> to ask me if petertodd and gavin are the same person
23:11 < warren> *Some parts of the above are a joke.
23:12 < gavinandresen> ok, ok, I'll fess up.  I am peter todd and jdillon and satoshi.
23:12 < gavinandresen> hired an actor to PRETEND to be peter at the bitcoin conference....
23:12 < Luke-Jr> :P
23:12 < gmaxwell> hm. Have I ever seen gavin and PT at the same time?!?
23:12 < warren> gavinandresen: must be very confusing to keep all the opposing positions straight.
23:12 < Luke-Jr> gavinandresen: it'd be more believable if the actor was playing Gavin <.<
23:13 < gavinandresen> warren: gets easier all the time, this project will make you crazy
23:13 < warren> gavinandresen: too late...
23:13 < gmaxwell> HAH
23:13 < gavinandresen> good point, you have to be crazy from the start to seriously consider getting involved
23:13 < warren> it turns out that gluing together coin control and watchonly isn't easy.
23:15  * warren quotes gavin on twitter.
23:15 < Luke-Jr> gavinandresen: wait, you're not warren too?
23:15 < gavinandresen> Luke-Jr: no.  But I am RealSolid.
23:15 < warren> wow, I knew it!
23:16 < gmaxwell> We knew that.
23:16 < Luke-Jr> gavinandresen: then you're slacking. I haven't heard from you as RealSolid in a few weeks.
23:16 < gavinandresen> lol
23:16 < gmaxwell> Next time get brad pitt to play you in the conference too.
23:17  * Luke-Jr wonders if RealSolid ever finished his rewrite of SolidCoin/MicroCash/whatever-it-is-now
23:17 < warren> Luke-Jr: his exchange is too profitable to waste time on yet another coin
23:17 < warren> I expect one day everyone's deposits will be stolen when he disappears.
23:18 < warren> Or is arrested for some unrelated reason.
23:18 < Luke-Jr> heh
23:19 < warren> Would Bitcoin people sue for copyright infringement if he's ever identified?
23:19 < gmaxwell> Maybe RS is a social experiment I'm conducting in how disreputable a counterparty can appear before people will stop giving him their money. Current (revised) hypothesis is that it's unbounded.
23:19 < Luke-Jr> warren: doubt it
23:20 < gmaxwell> warren: poor guy has enough of his own problems.
23:20 < warren> Luke-Jr: I mean ... why not?  You sue people with deep pockets.
23:20 < Luke-Jr> although that'd be entertaining to see
23:20 < Luke-Jr> warren: he has deep pockets? :p
23:20 < warren> Luke-Jr: have you seen his exchange recently?  omgwtfbbq.  very clever how he attracted a ton of deposits and grew to a massive size overnight.
23:21 < gmaxwell> well technically a pocket with a hole in it has no bottom.
23:21  * Luke-Jr wonders if any MIT licenses have been in court as a plaintiff
23:21 < gmaxwell> warren: what did he do?
23:21 < Luke-Jr> warren: I actually didn't know he *had* an exchange
23:21 < Luke-Jr> actually, I vaguely remember him asking me if I hacked it or something a few months ago
23:21 < Luke-Jr> but I never bothered to figure out what exchange he started
23:22 < gmaxwell> Luke-Jr: yea.. :( I was shocked to find this out about a month ago when he started posting around telling people to change their passwords, I ... thought he was trying to trick people into giving up their passwords or something.
23:22 < Luke-Jr> so what exchange is it? :o
23:22 < gavinandresen> RealSolid and Zhou Tong both have exchanges, supporting gmaxwell's hypothesis
23:23 < gmaxwell> Luke-Jr: mcxnow
12:23 < petertodd> adam3us: and I proposed just mixing in the previous block hash for the same reason
12:24 < petertodd> adam3us: no, I mean an address book on your offline wallet that you enter in manually by a manually verified process (letter in the mail) simple and easy
12:24 < petertodd> adam3us: people *do* do that
12:24 < adam3us> petertodd: yes so the problem is its one use, you have to enter a new one each time
12:24 < petertodd> adam3us: yes, and add some trivial bit of derivation and you're done.
12:25 < adam3us> petertodd: sounds like a sub-wallet and chain code
12:25 < petertodd> adam3us: my point is anything *beyond* that, say you want to verify a payment request, is better handled by a PGP extension tot he payment protocol
12:25 < petertodd> adam3us: exactly, as I say, it's not hard
12:29 < adam3us> petertodd: see in the mid-term, once the bad-actors jump up over the next speed bump of payment request + client side trezor/offline wallet, some exchange or bitcoin processor is going to go under or lose its entire hot wallet, or have attackers redirecting payments because they assume a web server is not remotely compromisable
12:29 < adam3us> petertodd: we know that's just-not-true, and as the biz level increases and the bitcoin price increases, people will happily burn a collection of 0-days to disabuse them of that notion
12:30 < adam3us> petertodd: then the answer 'oh well they should've secured their site better' is not a clever answer - it's a systemic risk from irrevocability and if we don't fix it the merchants will by adding revocability...
12:31 < petertodd> adam3us: so? put your payment protocol SSL key elsewhere - IIRC Gavin specifically made it use a subdomain for that reason
12:31 < petertodd> adam3us: the thing is we *can't* fix this for people in a sane way
12:33 < adam3us> petertodd: my argument is you can :) just assume (longer term) everyone is using some hardware wallet/token.  now what do you do to help people authenticate one-use addresses in a simple native way. to say oh just make an HD sub-wallet and chain-code per recipient isn't fantastic as I don't think you can introduce them
12:34 < adam3us> petertodd: like i cant refer that to you, because its a point to point shared secret
12:34 < petertodd> adam3us: so is a HD sub-wallet and chain code
12:34 < petertodd> adam3us: sorry misread that
12:35 < petertodd> adam3us: right, but anything you try to do to refer someone else to me has you as a MITM... and OpenPGP WoT already puts tonnes of effort into solving that
12:35 < adam3us> petertodd: so if we replace shared secrets with identities i can tell you offline, yes look this is the static payment identity for this vendor
12:36 < adam3us> petertodd: but sub-wallet and chain code doesnt even help us if we're sitting side by side (in the end 2 end payment security view)
12:36 < petertodd> adam3us: yes, and a OpenPGP key is a static payment identity... don't re-invent the wheel
12:37 < petertodd> adam3us: it's also *way* more useful, because the infrastructure already exists to use it for other stuff, like send a PGP-signed email to customers
12:37 < adam3us> petertodd: i dont think you want to import pgp or x509 into bitcoin
12:37 < adam3us> petertodd: your trezor doesnt understand pgp wot nor x509
12:37 < petertodd> adam3us: we're not importing anything "into bitcoin" - we're using stuff for its intended purpose
12:37 < petertodd> adam3us: why not? they're moderately high-end arm processors
12:38 < petertodd> adam3us: *not* supporting it just means that users are going to fuck up on the manual verification bit
12:38 < adam3us> petertodd: i am not even talking about wot even, just that there ought to be a published static address (payment identifier) and one-use payment addresses can then be signed by them
12:38 < petertodd> adam3us: published where? how?
12:39 < petertodd> adam3us: signed by what?
12:39 < adam3us> petertodd: but if you call that the recipient account number, its no more complex to understand than a credit card check digit
12:39 < adam3us> petertodd: the underlying one-use addresses no longer need to be displayed to the user
12:39 < petertodd> adam3us: add a new type of UID to OpenPGP called your bitcoin chain-thingy-whatever
12:40 < adam3us> petertodd: app-level signatures from the app context can sign their stuff, and leave the basic is this a valid one-use address (transaction number) from this merchant to en2en
12:41 < petertodd> adam3us: sign where? how?
12:41 < adam3us> petertodd: i think what you're saying is the architectural equivalent of having sendmail sign your key fingerprint
12:42 < petertodd> adam3us: somehow the verification has to happen *on the trezor* and you have to get a fingerprint of a key securely *to that trezor*. If you don't use CA's, people will validate fingerprints on their compromised box, if you don't use PGP, same deal.
12:42 < petertodd> adam3us: if you do use CA's or PGP, then you've made the whole ecosystem more useful for everyone, especially the PGP option
12:42 < petertodd> adam3us: signing stuff is easy, verifying keys is what's hard
12:43 < adam3us> petertodd: i claim it's a layering violation to think of the payment request msg as a proof that the address is owned by the merchant, so in the app context there is a payment request say, it signs a one-use address, and some information about what you're buying; but the underlying one-use address is signed by the merchant identity address (the base public key of the offline HD wallet)
12:44 < adam3us> petertodd: i am not saying dont use CAs i am just saying the architectural equivalent of dont use ssl transport on SMTP as an argument for not using PGP (end to end vs app level transport)
12:45 < adam3us> petertodd: the web app level and browser level is the payment request, x509 or other sig; the payment level uses differrent transport and has more secure key management
12:45 < petertodd> adam3us: and I'm saying the concept of a separate "merchant identity address" just introduces a whole new layer of exploits because users can't and won't have any way to verify that identity address other than CA's and PGP, so don't create separate systems.
12:45 < adam3us> petertodd: and no online app or client to attack
12:46 < petertodd> adam3us: yeah, and the payment protocol already supports separate keys by how it expects a cert for a subdomain
12:46 < adam3us> petertodd: the point is right now you have no way at the payment layer to validate the address is owned by the merchant.  the payment request doesn't prove it's owned by the merchant: it proves the merchant's web scripting language signed it, but maybe from time to time compromised.
12:46 < petertodd> adam3us: now if you want to strengthen that, maybe make a third subdomain to sign for a long-term root or something, but don't make it a separate "merchant identity address" that the user will ever see (except in paranoid situations where they enter fingerprints in manually)
12:47 < adam3us> petertodd: i don't think it's unreasonable to see an account number and check it's correct off your last paper bill or whatever
12:47 < petertodd> adam3us: you don't deal with users...
12:47 < adam3us> petertodd: pretty much all credit card bill payment, online banking etc works that way
12:48 < petertodd> adam3us: *could* work - no-one actually does that.
12:48 < adam3us> petertodd: the payment identifier is a simpler concept that more closely matches their banking understanding - it is the merchant's ACCOUNT NUMBER
12:48 < adam3us> petertodd: err when you set up a payment via online banking you probably either type or cross check the account number
12:49 < adam3us> petertodd: this just slightly tweaks the bitcoin concept to more closely match user expectation, and improve verifiability
12:49 < petertodd> adam3us: yeah, and it always gets back to how did you get that account number... which in turn goes back to *you need to make the trezor support CA's and/or OpenPGP anyway* so use that mechanism rather than writing yet more code
12:49 < adam3us> petertodd: i am not saying dont do those parts, but i am saying they are best effort app level/browser level things.
12:50 < adam3us> petertodd: to avoid paying the wrong person you need a stable account number analog and this is it
12:50 < petertodd> adam3us: no, for the average user they are absolutely critical to support directly in the trezor
12:50 < petertodd> adam3us: the majority if transactions aren't going to be done by checking account numbers
12:50 < petertodd> adam3us: you *must* do as good a job as possible on that common case in a way that users actually use
12:51 < petertodd> adam3us: since you must do that work, re-use the end result for the paranoid case...
12:52 < adam3us> petertodd: thing is if you look at eg armory or bitcoin-qt there is a list of one-use addresses, these are transaction numbers, but users confuse them for addresses, all i am saying, and i don't see why it's controversial, is the address should be signed by the hd wallet root that generated them
12:52 < adam3us> petertodd: then that thing - the hd wallet root address is the account number, and you can display in conventional accounting format: account number, transaction number, merchant description, product description, units, cost
12:53 < petertodd> adam3us: it's controversial because it's useless :)
12:53 < adam3us> petertodd: foo youre just not appreciating the difference between layering it seems to me:|
12:53 < petertodd> adam3us: ok, account number == pgp fingerprint
12:53 < petertodd> adam3us: now you've re-used useful code and have a chance of getting better overall integration
12:54 < petertodd> adam3us: rather than Yet Another Signing System
12:54 < adam3us> petertodd: yes but what use is a pgp fingerprint to a trezor or offline wallet, don't tell me you want to add that to the bitcoin source code
12:54 < petertodd> adam3us: damn right I do, because you have to for the common case
23:24 < warren> gmaxwell: the "mcxfee" are sort-of like preferred stock entitled to a proportion of fees paid by customers.  You can buy and sell mcxfee's as yet another BTC/something pair on his exchange.  A portion of the mcxfees were sold to finance interest payments on deposits in the exchange.  Interest coming from that pseudo-equity sales made people feel that it isn't a ponzi scheme.  So in came a ton of deposits and lots of crypto/crypto pair trading.
23:24 < gmaxwell> Luke-Jr: https://mcxnow.com/exchange/SC < how you can tell
23:25 < Luke-Jr> lol
23:25 < warren> The exchange is notorious for "excitement" of pump and dumps, and payban ... pay a fee to make someone unable to talk in the trollbox for a duration of time.
23:27 < warren> Hence, deep pockets.  It's a good time to identify and sue him for copyright infringement, as he has something to lose now.
23:27 < warren> and it would be very entertaining
23:27 < Luke-Jr> warren: afaik he ceased
23:27 < warren> Luke-Jr: how long did he infringe after notice?
23:28 < gmaxwell> https://coinjar.io/ < zhoutong,
23:29 < Luke-Jr> warren: no idea
23:31 < gavinandresen> I'm a happy coinjar.io customer, by the way-- cheapest / most convenient way to sell bitcoins here in Australia right now.
23:32 < Luke-Jr> >_<
23:39 < gmaxwell> Plus you get bonus chinese antiques absolutely free!
23:41 < Luke-Jr> this guy wants to do CPU mining on an average PC, using javascript throttled to not make the computer slow.
23:41 < Luke-Jr> am I being fair estimating longer than Earth's existence for $10 worth?
23:43 < warren> Luke-Jr: if enough people do it, Earth's habitable duration might shorten, complicating your calculation.
23:45 < Luke-Jr> I mean past existence.
--- Log closed Tue Oct 29 00:00:56 2013
--- Log opened Tue Oct 29 00:00:56 2013
00:18 < petertodd> warren, gavinandresen: whoever jdillon is there's a lot of publicly verifiable proof-of-work and proof-of-sacrifice that's been involved to establish that identity :P
00:18 < petertodd> gmaxwell: we can tell if it's DPR by watching to see if his ideas get more or less intelligent now that the FBI is the puppet master
00:19 < petertodd> gmaxwell: so what opcodes do we need enabled?
00:20 < petertodd> warren, gavinandresen: BTW if anyone wants to establish intelligent-sounding sock-puppets, I'm willing to sell original, unpublished, crypto-coin theory for 1BTC a page, 0.5BTC if half-baked...
00:21 < gmaxwell> petertodd: none, I came up with a formulation that should work on the existing network. See link.
00:24 < petertodd> huh, I think I get it...
00:24 < warren> There's apparently a new DPR now.
00:24 < warren> The old one should sue for trademark infringement.
00:24 < petertodd> warren: oh yeah? mind, that's the whole point of that name...
00:25 < petertodd> warren: I'm also not going to be as surprised as I should be if the government can't prove their case; digital evidence is deeply untrustworthy. :(
00:26 < petertodd> gmaxwell: can you add some actual scriptPubKeys to your description?
00:39 < gmaxwell> petertodd: sure, this sound sane to you?  This is the pubkey in the first transaction (ignoring the alice+carol branch)
00:39 < gmaxwell> scriptPubKey: [ OP_DUP OP_ROT OP_RIPEMD160 OP_EQUAL OP_VERIFY OP_ADD OP_RIPEMD160 PUSH_H(HX+Q) OP_EQUAL OP_VERIFY PUSH_CAROLPUBKEY OP_CHECKSIG ]
00:39 < gmaxwell> and this is what the scriptsig looks like:
00:39 < gmaxwell> [SIGNATURE PUSH_Q PUSH_X PUSH_HX]
00:43 < gmaxwell> and Carol's scriptPubKey towards bob is:  [OP_RIPEMD160 PUSH_HX OP_EQUAL OP_VERIFY PUSH_BOBPUBKEY OP_CHECKSIG ]  and the redeeming signature is [SIGNATURE PUSH_X]
00:43 < gmaxwell> (again ignoring the alternative carol+bob refund branch)
00:44 < petertodd> working on it...
00:45 < gmaxwell> so basically, to get paid bob must publish X for ripemd160(X) = HX.  Carol can either get paid by alice's consent, or carol can instead use the knowledge of X to redeem alice's payment, but that makes the alice/bob relationship public.
00:47 < gavinandresen> gmaxwell: That OP_ADD is adding HX and Q ?
00:48 < petertodd> I was just about to say...
00:48 < petertodd> ADD is numeric
00:48 < petertodd> I think you want CAT which is disabled
00:48 < gavinandresen> ADD (and all the rest of the arithmetic ops) are crippled to only work on 32-bit numbers right now, too.
00:49 < petertodd> yup
00:49 < gmaxwell> aw crap, I forgot about that. @#$@#$@#($8324
00:49 < gmaxwell> (for some reason I thought it did bignum adds on hash outputs.)
00:49 < petertodd> gavinandresen: we're going to curse you until the end of time for doing that. (or until script v2.0, which ever comes sooner)
00:50 < gmaxwell> gavinandresen: and yea, it just needs some way of modifying the value that gets hashed because you can't disclose HX directly in the scriptpubkey
00:50 < gmaxwell> (if you want to keep the transaction private)
00:50 < gmaxwell> e.g. add, xor, cat, any of that would do.
00:51 < gavinandresen> mmm.   Wish satoshi hadn't disabled the xor, that seems like it would be safe (never creates results bigger than inputs) and would be darn handy.
00:52 < petertodd> though OP_XOR was affected by the sign extension bug
01:01 < petertodd> gmaxwell: interesting how OP_EVAL could have worked here too, or OP_MAST_EVAL
01:14 < gmaxwell> petertodd: so I have a way of making it work I think but it's kinda awful.
01:14 < petertodd> gmaxwell: hang on, why not have Alice pay into 2 <ALICE> <CAROL> 2 OP_CHECKMULTISIG, and then require alice to sign a transaction spending that txout to RIPEMD160 H(X) EQUALVERIFY <carol> CHECKSIG prior to carol creating the txout for bob? it's almost as trust free
01:14 < petertodd> yeah?
01:15 < gmaxwell> because thats not private.
01:15 < gmaxwell> oh I see!
01:15 < petertodd> sure it is, carol only publishes the transaction if needed, the normal case is alice then signs her part of the checkmultisig with SIGHASH_NONE|ANYONECANPAY
01:15 < gmaxwell> Yea, you hide the alternative redemption by never announcing it instead of branching.
01:16 < petertodd> carol can spend at will
01:16 < petertodd> yup
01:16 < gmaxwell> Indeed. That works. Also makes the transaction look more indistinguishable! awesome.
01:16 < gmaxwell> So here is what I was going to point out.
01:16 < petertodd> ?
01:18 < gmaxwell> if you replaced the addition with Q with a cascade of RIPEMD160 or HASH160 with IFs.. e.g. 64 x {RIPEMD160 or HASH160} then 'q' becomes a sequence of 64 trues or falses you send in to pick which mixture of hashfunctions to apply.
01:18 < petertodd> ha, yeah, I thought of that, and thought it too awful to contemplate
01:18 < gmaxwell> E.g. R(H(H(H(R(R(H(R(H(R(H(R(R(H...(HX))))) = constant in the transaction.
01:19 < gmaxwell> petertodd: in any case you solved it, go post. :P
01:19 < petertodd> heh
01:19 < gmaxwell> Yours is an improvement anyways, makes the transaction smaller, makes it indistinguishable from other kinds of escrow transactions on alice's side.
01:20 < gmaxwell> (in the case where alice doesn't cheat, of course)
01:20 < petertodd> yeah, I should write an app for this...
01:20 < petertodd> surely that's deserving of a coinjoin bounty reward, even if it's not coinjoin!
01:21 < gmaxwell> Yea, it's sort of interesting to compare this with coinjoin, it has different properties. I think both are complementary.
01:21 < petertodd> yup
01:23 < gmaxwell> petertodd: in CJ we can arrange so that _no one_ learns the input/output matching, which we can't in this.  But in this we can make it so that the coins have fully disjoint history. .. of course, this isn't secure until malleability is fixed.
01:24 < gmaxwell> (since you could announce a mutant, break the precomputed refunds, and then perform a holdup attack)
01:24 < petertodd> yeah, but alice is trusting carol to pay bob anyway, so carol waiting until the first tx confirms isn't a problem
01:24 < gmaxwell> petertodd: alice isn't, in fact, if alice makes carol write a refund transaction before alice announces the escrow payment.
01:25 < petertodd> I mean, I guess you're right that carol could run with the money, but carol is the party that's easiest to fidelity bond here
01:25 < gmaxwell> no need to!
01:25 < gmaxwell> this is trust free if everyone has refund transactions.
01:25 < petertodd> yes, but since we can't have 100% secure refund, fidelity bond carol :)
01:25 < gmaxwell> oh because of malleability, yea but that'll get fixed.
01:26 < petertodd> maybe... I can write this app this weekend!
01:26 < gmaxwell> it has a lot of states.
01:26 < gmaxwell> alice writes the escrow payment demands an nlocked time refund before announcing it. Alice announces. Carol demands a bob-secret release transaction before paying bob.
01:26 < petertodd> sure, but something that can be run by hand shouldn't be too bad
01:27 < gmaxwell> Carol writes the bob paying transaction but demands a nlocktimed refund before paying him.
01:28 < gmaxwell> that in hand carol pays bob. Then it confirms asks alice to pay up. If alice is unresponsive carol uses the stashed bob-secret release. or if bob doesn't redeem, she just gets her money back.
01:28 < gmaxwell> petertodd: got a better name for this than "airgapped payment"?
01:34 < petertodd> ooh, actually I think you could do a system where in the general case Carol's payment to Bob is a normal looking transaction too...
01:35 < petertodd> hmm... teleported payment?
01:37 < gmaxwell> petertodd: how?
01:38 < gmaxwell> I was trying to figure out if there was some way to abuse ECDSA but haven't come up with one yet.
01:39 < petertodd> have carol create txout 2 <carol'> <bob> 2 CHECKMULTISIG, and then sign her part of the txout with a transaction paying to HASH160 <hx> EQUALVERIFY <bob> CHECKSIG, Carol gives that partially signed tx to Alice, who then knows Bob can redeem the output via that tx at worst, while normally Carol would, once her payment is confirmed, just sign her part of the txout with a SIGHASH_NONE|ANYONECANPAY
02:39 < gmaxwell> e.g. You want me to permute some ballots but don't want me to cheat and replace them.
02:39 < gmaxwell> I produce 200,000 permuted sets and commit to a hashtree of them.
02:40 < gmaxwell> The hash tells me which ballot is the one ballot we're going to use, and then I reveal the log2(n) secrets required to recover all 200,000-1 other ballot sets and check my root.
02:41 < gmaxwell> so now we can do a secure shuffle and only send 2*log2(security parameter)+few  hashes
02:50 < gmaxwell> it's an idea I'd like to publish but I just don't have the free cycles to actually determine if its been published before.
02:50 < gmaxwell> There are a bunch of little protocols you can get out of using tree-structured-secrets.
16:32 < midnightmagic> gmaxwell: I thought of a reason why proof-of-blockchain storage would still be useful. One could prevent access from all non-archival storage nodes who are connecting just to connect. You can be more sure they are at least helping store the blockchain, even if they may not necessarily do things like relay tx and just act as listening-post black holes.
16:33 < midnightmagic> plus ongoing validation could be if not guaranteed, at least tested for.
16:48 < Luke-Jr> sipa: cannot reproduce after make clean :<
16:52 < sipa> good!
16:54 < Luke-Jr> not really
16:54 < Luke-Jr> means there's some subtle bug in the build system *sigh*
16:54 < Luke-Jr> test_bitcoin seems to still be broken too :<
16:54 < Luke-Jr> (or again?)
16:59 < Luke-Jr> .. or am I running a stale bin :/
19:55 < HM2> I love this channel
19:55 < HM2> I never feel dumber just idling here and reading the scrollback like some of the others on freenode
--- Log closed Fri Oct 25 00:00:42 2013
--- Log opened Fri Oct 25 00:00:42 2013
00:29 < adam3us> musing (again) about whether there is an inherent need to order transactions via miner voting and longest chain algorithm
00:31 < adam3us> that is because the semantic is defined as first transaction is correct (and there is not really a first in a distributed system with unreliable network and untrusted nodes) so then voting and longest chain creates a proxy for first with a sequence of votes from block lottery winners
00:33 < adam3us> consider an alternate semantic: absence of a double spend implies validity, presence of double-spend implies invalidity, transaction aborted, and eg sender loses money sent (and fee)
00:34 < adam3us> in a network with that semantic, security relies on unjammability
00:34 < adam3us> but bitcoin already relies on that (otherwise hacked routers that can selectively delete packets in front of big pools can create problems)
00:34 < adam3us> no one awake huh?
00:38 < Luke-Jr> adam3us: and what of a double spend that occurs hours later?
00:38 < adam3us> yeah so i guess that would be defined as invalid
00:38 < Luke-Jr> retroactively invalidating the current transaction?
00:38 < adam3us> it doesnt give as much user choice of how many confirms to expect
00:38 < adam3us> no ignored as too late
00:38 < Luke-Jr> "too late" won't come to a consensus
00:39 < adam3us> well i was thinking if the spend is mined into a block as now, then you have a timestamp on the spend
00:39 < adam3us> then say both parties agree to 6 confirms
00:40 < adam3us> and so long as there are no double spends on the network in that time the transaction is deemed valid
00:41 < adam3us> so rather than different views of which transaction came first in a double spend triggering orphans (if the conflicting blocks happen close enough to at the same time)
00:41 < adam3us> they are valid, they just invalidate the conflicting transaction (if they happen within 6 blocks of the original transaction) say
00:43 < adam3us> the next block mined on top refers to both branch hashes, as they are no longer considered to conflict
13:10 < jgarzik> gmaxwell, amiller, anyone played around with CP-ABE + bitcoin, that we're aware of?
13:12 < sipa> cp-abe?
13:12 < petertodd> adam3us: re: double-spends, remember that the blockchain serves as proof-of-publication: by defining the blockchain as where transactions are stored, participants can use their knowledge of the blockchain to be sure they know of every valid transaction in existence, and thus they know about all double-spends.
13:13 < petertodd> adam3us: dealing with attacks via information hiding is something I've been thinking about a lot lately re: ideas to "shard" the blockchain data so you only have to keep up to date with part of it
13:17 < petertodd> adam3us: (by "they know about all double-spends", remember that you could make a bitcoin-like system where double-spends *are* allowed in blocks, but are invalid and are just useless data! it's only an *optimization* that the bitcoin protocol doesn't allow double-spends to be in the blockchain!)
13:17 < jgarzik> sipa, https://en.bitcoin.it/wiki/Distributed_markets#Pay_to_policy_outputs
13:19 < adam3us> petertodd: well maybe (about optimization), tho Luke-Jr said well what if the spend comes in later, when do you declare it too late to add a double-spend (invalidating a transaction)
13:20 < amiller> jgarzik, i don't know of anyone that's used it, no
13:20 < amiller> jgarzik, i think i understand it pretty well and it's not too complicated
13:20 < amiller> i mean i don't see any obstacle to using it except you'd have to support a diff signature type
13:21 < amiller> you'd have to have a trusted issuer anyway though
13:21 < petertodd> adam3us: oh, you're proposing something where both transactions are invalid?
13:21 < amiller> so i can't imagine the setup model is something anyone would buy
13:22 < adam3us> petertodd: well musing about the implications of that model yes, if there would be any advantage to be had by exploring it
13:22 < amiller> it's a lot of extra effort and complexity for having a trusted third party that could just be online and sign the transactions anyway
13:22 < adam3us> why is a block so big anyway that 1MB starts to be a problem? doesnt it refer to the txids rather than include the text of the tx?
13:22 < petertodd> adam3us: right, problem there is it lets you grief anyone getting paid by the transaction. I've proposed stuff kinda like that, but only in the context of fidelity bonds
13:22 < jgarzik> amiller, true
13:22 < jgarzik> amiller, I was thinking of it in context of oracles and agents
13:23 < adam3us> cant a block therefore refer to a huge number of txs relatively compactly in a merkle tree? w
13:23 < petertodd> adam3us: with a better scripting language you could have a system where proof-of-double-spend can be used to destroy the bond
13:23 < adam3us> yes thats true
13:23 < sipa> adam3us: a block's size refers to header + tx body
13:23 < sipa> adam3us: that doesn't mean it needs to be transferred that way
13:24 < sipa> but the rule for limiting block sizes uses that
13:24 < jgarzik> I want to play with sending block header + list of TXs via UDP
13:24 < jgarzik> er, header + coin base + list
13:24 < petertodd> adam3us: Yes, but miners still have to have the bandwidth to process every transaction; this leads to what I call the censorship problem: if mining can't be done in a low-bandwidth way, mining has to be done out in the open, hence it gets regulated. We can design Bitcoin so multiple low-bandwidth participants can collectively validate the blockchain, but unless they can collaborate to also mine blocks transactions can be censored.
13:24 < adam3us> petertodd: there are signatures that are one-show, show two signatures you reveal the private key, that might be some discouragement (though a one use private key is inherently fairly harmless once its spent)
13:26 < adam3us> sipa: so why the discussion of limiting block sizes to 1MB if its just a compact collection of references to already sent transactions?
13:26 < petertodd> adam3us: yeah, lots of possibilities. Note w/ fidelity bonds that they actually need a real-time proof-of-publication system - if you don't have that, you can't know if the total amount of transactions being done right now attempting to defraud people (guaranteed by the bond) greatly exceeds the value of the bond. :(
13:27 < sipa> adam3us: because the rule already exists, and changing it is a hard fork
13:27 < sipa> adam3us: btw, the current p2p mechanism does in fact send a block in full
13:27 < petertodd> adam3us: remember too that currently there's way to do partial validation of blocks, or to produce short proofs that a block is invalid/fraudulent. If the blocksize is much larger, it won't be possible to validate the blockchain at all without a low-bandwidth internet connection because you won't be able to keep up.
13:27 < adam3us> sipa: does that mean data gets sent over the wire twice?
13:27 < sipa> but it's not an actual requirement, and changing the protocol is easy
13:27 < sipa> adam3us: yes
13:28 < sipa> but even if the protocol is changes not to send duplicates (like bip37 does), the hard rule remains defined over the actual block size
13:28 < adam3us> sipa: doh :) but changing that would mean blocks can be as big as you want practically and so maybe reduce this need for mining fees, though other than block size, its also about throttling spam (low value tx)
13:28 < petertodd> adam3us: sending full blocks has some advantages though in that it removes incentives to play games with propagation to disadvantage smaller miners. makes the system more reliable too as the worst-case and average-case propagation times are closer
13:29 < sipa> i am very unconvinced that the p2p tx broadcast mechanism will remain the primary way of delivering transactions to miners
13:30 < petertodd> sipa: sadly you're probably right... out-of-band payments is really nasty this way, because it could be a strong incentive for pools to remain large :(
13:30 < sipa> yup
20:54 < jgarzik> sipa, thus the proposed "just email your draft to XXX, and the rest will happen"
20:54 < jgarzik> for the git-scared
20:54 < jgarzik> Linux kernel always had a process for people who did not want to touch git at all (sometimes it was necessary for legal reasons).  You can always just email a patch against a tarball.
20:56 < gmaxwell> I do think we should have clear separation from "crap random person produced" and something that has had some public support.
20:56 < jgarzik> commit access can be anybody trusted, even outside dev team.  mainly must fulfill rule "BIPS editor + backups in case he goes crazy or gets hit by a bus"
20:57 < gmaxwell> E.g. no BIP number for things that are just submitted.
20:57 < jgarzik> indeed
20:57 < gavinandresen> jgarzik gmaxwell sipa: I'm thinking of cleaning up pull requests by closing anything with a merge conflict more than X months old.  I'm wasting time constantly re-reading old requests....
20:57 < jgarzik> gavinandresen, my standard is "rebased has been requested, and not responded to after X months"
20:57 < jgarzik> *rebase
20:58 < jgarzik> gavinandresen, kinder gentler to request a rebase first
20:58 < gmaxwell> gavinandresen: fine with me. To avoid bruised feelings you can say that it can be reopened with a new patch if someone would like to continue it.
20:58 < gavinandresen> I'll definitely say "reopen after rebase"
20:59 < gmaxwell> gavinandresen: note that random people can't actually reopen themselves (IIRC only people with commit access can)
20:59  * gmaxwell hops onto an airplane
20:59 < gavinandresen> gmaxwell: ok, I'll definitely say "open a new request after rebase"
21:00 < gavinandresen> (they can link to discussion in old request, if it is relevant)
21:00 < gavinandresen> Wading through long discussions in old pull requests is a time-sink, too
21:00  * jgarzik wonders if github supports close-with-boilerplate
21:00 < gavinandresen> What do we like for X months?
21:00 < jgarzik> 2-3
21:01 < jgarzik> *poof* hops on the baby bedtime bus.
21:01 < gavinandresen> good deal, prepare for a flurry of closes....
21:02  * sipa prepares by closing his eyes
21:02 < sipa> zZzZ
21:04 < Luke-Jr> I seem to have a PR rebase/fix period of about 3 months with my current workload :<
21:04 < Luke-Jr> too bad github doesn't make it possible for the author to reopen things
21:25 < petertodd> sipa: if we ever made a standard transaction type with scriptSig's with single byte pushes, then yes, the current ref implementation would reject it
21:26 < petertodd> sipa: point is if you do scriptSig << single-byte in the C++ code, it gets added with a PUSHDATA always
21:28 < petertodd> sipa: "< sipa> i git-sign all github merges i do now :)" <- careful, I *will* call you out on that if you ever don't :P
--- Log closed Mon Oct 21 00:00:28 2013
--- Log opened Mon Oct 21 00:00:28 2013
00:52 < sipa> petertodd: i certainly sometimes won't; i don't always have access to my gpg key
00:53 < sipa> petertodd: right, i think i got that, but at some point lost that comment on github; is there any reason why we can't just fix that single byte push at the same time?
00:54 < sipa> petertodd: i understand that functionally, it is not required now, as any transaction to which it applies is already non-standard
00:55 < sipa> but i'd rather just have a single version, which can later be moved from IsStandard to a network rule
00:59  * Luke-Jr wonders if we should start deploying some form of gmaxwell's antispam addresses in 0.9 so there's some overlap time
01:02 < sipa> given that the majority of clients don't even support sending to P2SH, i really doubt any will be implementing a new and less convenient one, as long as there are no clear benefits
01:03 < Luke-Jr> sipa: there are clear benefits, becoming more necessary every day it seems
01:04 < sipa> for the network, obviously
01:04 < sipa> not for them
01:07 < sipa> you don't have to convince me of the benefits, i'm just very skeptical whether the community would adopt a new address scheme in the first place
01:08 < sipa> with something like the payment protocol, this would be significantly easier
01:08 < sipa> but even in a best-case scenario, far from every transaction will use that
01:15 < Luke-Jr> hm
01:15 < Luke-Jr> does the payment protocol support something like this already? :/
01:16 < sipa> no, it can't
01:16 < sipa> as it needs non-transparent client support
01:17 < sipa> but with a payment protocol, it's just client authors that need to adopt it
01:17 < sipa> rather than everyone
02:29 < petertodd> sipa: right, so go off and update your pull-req to make that change :P
02:30 < petertodd> Luke-Jr: I'm kinda skeptical of P2SH^2 right now, given that my TXO commitments makes the UTXO set size much less worrying, and embedding data in the chain via pubkeys is still possible there
03:32 < sipa> petertodd: but it's an order of magnitude more invasive
03:33 < sipa> do you really think bitcoin could be converted into someday
03:33 < sipa> ?
03:34 < sipa> i consider it an idea worth exploring in an altcoin, at least initially
04:04 < petertodd> sipa: invasive? I dunno, I think it's less invasive than UTXO commitments - the code is simpler for one.
04:04 < petertodd> sipa: Remember that TXO commitments with txin proofs scale in that you can always store some or all of the UTXO set to reduce bandwidth.
04:05 < petertodd> The main thing is to have a protocol where you can ask your peer for proofs of txins that you yourself don't know about, allowing you to drop UTXO's you don't think are going to be spent. (preferably even fully selectively)
05:05 < sipa> petertodd: i mean compared to transferring an address preimage along with transactions
05:06 < sipa> they're just so different degrees of 'different', that saying that one isn't necessary because the other fixes it in a better way isn't very relevant
05:06 < sipa> in a theoretical from the ground up cryptocurrency you are right of course
05:07 < sipa> but bitcoin has an actual economy and community around it, so every change can be hard
05:08 < petertodd> oh, right, yeah, I agree that's invasive
05:09 < sipa> put otherwise: i see address preimages as something that is still bitcoin and can be integrated
05:09 < petertodd> Still I think TXO commitments have so many long-term advantages for scalability that they're worth it on that alone.
05:09 < petertodd> And I disagree with the idea that they're "not bitcoin"
05:10 < sipa> what is bitcoin can change over time of course
05:10 < sipa> but change likely needs to be gradual
05:10 < petertodd> And actually... maybe you can make the argument that TXO commitments are less invasive than P2SH^2 - they're only a validating node change, not a client-side change.
05:10 < sipa> huh?
05:10 < sipa> maybe i misunderstood it then
05:11 < petertodd> Hmm... and actually, I'll argue the TXO commitments are more gradual too, given they're a mining soft-fork.
05:11 < petertodd> sipa: TXO commitments is just taking a hash of a merkle mountain range of the TXO set, spent and unspent.
05:11 < sipa> but the sender needs to construct that, no?
05:11 < petertodd> no!
05:12 < petertodd> anyone between the sender and the miner can make the proof; initially senders would likely not bother implementing it, and everyone would be forced to have near-complete UTXO sets
05:12 < petertodd> but that can change gradually
05:12 < sipa> right, ok
05:13 < sipa> but the idea was to move storage away from validation nodes?
05:13 < petertodd> basically an implementation strategy would be 1) implement hashing code, 2) do soft-fork, 3) start adding networking protocol rules to be able to use proofs, 4) start working on fraud proof stuff, 5) eventually start using them to store less data
05:14 < petertodd> changing clients only really has to happen at the very end
05:14 < petertodd> potentially never
05:14 < sipa> i still consider it a far more invasive change :)
05:14 < sipa> but maybe that's because i understand it less
05:14 < petertodd> there's a lot more client code out there; lots of stuff assumes addresses have specific forms
05:15 < petertodd> besides, we need TXO commitments for scalability and fraud proofing in the long run.
05:16 < sipa> i find that an odd statement
05:16 < petertodd> why?
05:16 < sipa> would you have said that before you knew about that possibility?
05:16 < sipa> of course anything that improves scalability is an improvement
05:17 < sipa> but needing makes it sound like it is the only possibility
05:17 < petertodd> yes, I got Gavin to agree months ago that fraud proofs w/ UTXO sets were a pre-condition to changing the blocksize for instance, and I still wanted them even if we didn't to make fidelity bonded banks more auditable
05:17 < petertodd> UTXO commitments are the other option, but they don't let you avoid storing the whole UTXO set
05:18 < petertodd> keep in mind that MMR TXO commitments are a form of UTXO commitment that just happens to also commit to all transactions ever made by accident :P
05:19 < sipa> i'm weighing the difficulty of change vs the scalability improvements over time
05:20 < petertodd> well Mike's view is that we'll magically apply enough social pressure that the UTXO set remains small so P2SH^2 isn't needed :P
05:20 < sipa> if you look at a longer time span, more scalability is likely worth it
05:21 < sipa> but that doesn't mean we don't have short term problems that need fixing first
05:21 < sipa> like having a client that doesn't corrupt its database all the time for some people
05:22 < petertodd> but, is some data in the UTXO set a big enough problem in the next few years that we have to go off and change every bit of bitcoin-related software that assumes addresses are of a certain form?
05:22 < sipa> it's more about setting the right economic incentives than an actual short term problem i guess
20:08 < gmaxwell> (coinswaps require there to be two parties, one that wants altBitcoin and has bitcoin, one that wants Bitcoin and has altBitcoin...  nice little trading business... but you need the bulk moves in order to not be constantly going broke on one side or the other)
20:09 < gmaxwell> and yea, in that case requiring 100 headers would be fine.. (but damn that would really be nicer with a snark than 8kb++ of header data in the txn)
20:19 < andytoshi> arguably, this is exactly the way to experiment with snarks
20:19 < adam3us> andytoshi: unless its your bitcoins in the alt :)
20:20 < andytoshi> :P that's right, i keep forgetting these things are so valuable
20:23 < gmaxwell> IMO SINs are the best snark experiment. :P
20:25 < gmaxwell> BlueMatt: some extra points you might have already realized: the altcoin itself can do the "coinjoin". You make a tx there with a special ToBitcoin Txout and it adds a scriptPubKey to a list maintained by miners, and every {interval} that list is published in the block in a location that makes the proof for it really compact (e.g. at the top of the hashtree) and it has all the values and scriptpubkeys that need to move over.
20:25 < BlueMatt> yep
20:26 < BlueMatt> wait...can you do rolling outputs to the alt?
20:26 < gmaxwell> The next is that point I made about the redeem transaction being temporarily locked and 'reversible' via a longer chain means you don't need to have a long proof.. just a couple headers to prevent a dos attack, if someone cheats someone will unsteal the coins with a longer proof.
20:26 < gmaxwell> thats rolling outputs from the alt to bitcoin.
20:27 < BlueMatt> ie the alt always has one and only one output to it (if its in the standard form, anyone can create the next txn) that keeps track of all the outputs to the alt, and then to spend, you have to provide spv proof from the previous roll to the current chain?
20:27 < gmaxwell> yea thats what I was imagining the whole time.
20:27 < BlueMatt> ahh, ok, yea
20:28 < BlueMatt> somehow I was only picturing individual outputs and arbitrary spv proofs back some fixed distance
20:28 < BlueMatt> gmaxwell: some of us are slow :p
20:28 < gmaxwell> nah, then you get into granularity problems. :P sorry.
20:28 < gmaxwell> darnit I had one more idea and now I'm forgetting it.
20:29 < BlueMatt> yea, it seemed to not scale...
20:29 < maaku> BlueMatt: give altcoins an annual demurrage rate of 50%
20:30 < gmaxwell> oh, how they pay their miners? I figured miners in the alts would be purely paid by transaction fees.. in bitcoins.
20:30 < BlueMatt> gmaxwell: yes, thats something I was largely ignoring for complexity reasons...needs thought
20:30 < BlueMatt> maaku: hmm?
20:30 < amiller> that's a neat question, BlueMatt.
20:31 < gmaxwell> BlueMatt: oh ohoho  the other point wrt security.... nothing stops bitcoin miners from also validating the altchains, they're just not required to. So if they do see a bogus proof they can just ignore it unless it gets into the chain.
20:31 < maaku> was reading the log; that's for experimentation in an altcoin without threatening bitcoin as a store-of-value
20:31 < BlueMatt> maaku: well, there are plenty of ways to accomplish it, I just wanted to do it while allowing good scaling/storing value in btc in altchains
20:32 < BlueMatt> gmaxwell: hmm, yes
20:32 < BlueMatt> fun
20:32 < gmaxwell> though I think since we're willing to tolerate long release times, the ability to unsteal with a longer header is pretty good.
20:33 < BlueMatt> yup
20:58 < valek1024> hello
20:59 < valek1024> can someone point me in the right direction for selling my 2011 first month of mint casascius bitcoin with the error in the hologram. the error is a misprint in the background of the hologram the casascius is missing the middle s
21:00 < BlueMatt> terribly, terribly wrong channel
21:01 < valek1024> ty bluematt i understand i am in the wrong place but as wizards should't you be able to help?
21:01 < maaku> ebay?
21:02 < BlueMatt> valek1024: no, we cant help, go elsewhere
21:02 < maaku> valek1024: we could design you a secure multi-party cryptographic auction protocol
21:03 < maaku> but finding buyers is your job ;)
21:03 < maaku> maybe #bitcoin
21:03 < valek1024> see that is helpfil
21:03 < valek1024> helpful
21:04 < midnightmagic> No. #bitcoin-otc for selling goods.
21:04 < valek1024> there is and was no reason to be rude sir, i was simply asking for help
21:04 < midnightmagic> #bitcoin will boot for that.
21:05 < BlueMatt> (we should too)
21:41 < adam3us> gmaxwell, BlueMatt: suggest to write this up and get further details and efficiency worked out.  i think its potentially very useful to combat the remaining rationale for the existence of alts (other than enriching their creators, preminers and early rented vsp early miners before their no real transaction bubble bursts)
22:34 < gmaxwell> adam3us: it also adds to the scalability dialog... but perhaps what we should do is just do a trial implementation.
22:35 < BlueMatt> gmaxwell: yes!
22:35 < BlueMatt> you should totally find time to do that
22:36 < adam3us> fantastic :) i can maybe help out in some way
22:37 < BlueMatt> keyword *you*
22:37 < gmaxwell> Tweedledee coin, and tweedledum coin.
22:40 < BlueMatt> heh, yup
22:41 < andytoshi> are the currently available snarks viable for a trial implementation?
22:41 < andytoshi> don't these proofs take days to generate?
22:47 < amiller> andytoshi, you can download pinocchio and use it now
22:48 < adam3us> andytoshi: if at all possible i would suggest to start with seeing how efficient it can be made without dependence on snark, bitcoin has simple & conservative crypto assumptions so far and that is a feature
22:48 < amiller> andytoshi, it unsurprisingly relies on a windows binary kernel to run the actual fast crypto, but most of their actual work is in python and they're almost done making it fully open
22:48 < amiller> andytoshi, it takes 15 seconds on a single core to prepare a proof about SHA1 on a small input
22:49 < amiller> andytoshi, you can also use pantry, it's fully open but has baffling dependencies and i haven't personally gotten past that
22:50 < andytoshi> awesome, i'll check them both out
22:50 < andytoshi> adam3us: i think you are missing the point :)
22:51 < adam3us> andytoshi: to not lose bitcoins and enable alts to respect the 21 mil digital scarcity?
22:51 < andytoshi> no, to be a wizard ;)
22:53 < adam3us> andytoshi: homomorphic encryption is cool too, but impractically inefficient. snark is cool and related and practically efficient, but has some newer crypto assumptions in my view. you dont want an alt to go up in smoke if someone finds a mathematical flaw in the deployed pairing params (eg)
23:01 < amiller> in my view, the effort of trying to optimize an implementation of traditional homomorphic encryption is almost certainly an overoptimization
23:02 < amiller> er premature optimization
23:03 < andytoshi> well, that'd be a research project in itself
23:09 < andytoshi> hey, pantry was developed partially here at UT austin
23:09 < andytoshi> i can track these people down and ask how to build it :P
23:11 < Luke-Jr> andytoshi: wait, you're in Austin? :o
23:12 < andytoshi> Luke-Jr: i started my ph.d. here this september
23:13 < andytoshi> i'm usually from vancouver
23:13 < Luke-Jr> andytoshi: doh, I was just there last week XD
23:13 < Luke-Jr> coulda met up
23:14 < andytoshi> oh! damn
23:15 < andytoshi> if we had a picture together, that'd show altoz that i'm not a sock puppet..
23:16 < Luke-Jr> altoz is silly, complaining that we're being rude( ) when his posts are the only ones that strike me as particularly rude O.o
23:16 < andytoshi> yeah, i read through yours just to be sure, and that's my interpretation too
23:16 < andytoshi> all i did was post a link and say "don't be rude" :P
23:17 < Luke-Jr> about the rudest thing I did IMO was decide I wasn't responding to some stupid comments of his <.<
23:18 < andytoshi> "
23:18 < andytoshi> I am using ECIES, I think. I would need a more experienced cryptographer to examine the code to make sure, but it's fairly straightforward."
23:18 < andytoshi> this is his latest response to "are you using ECIES?"
23:19 < andytoshi> imo you should've been much ruder :P
23:20 < Luke-Jr> lol
23:27 < gmaxwell> andytoshi: only the pinocchio (without the pairing crypto backend. :( ) and the pantry system are available
23:30 < andytoshi> you mean the zk-snark stuff is not public?
23:34 < amiller> pantry and pinocchio are both zk-snarks
23:34 < amiller> there are three zk-snark implementations, pantry, pinocchio, and tinyram, of these tinyram is not yet available
23:36 < andytoshi> oh, i see, thanks
23:37 < andytoshi> i have only read the first couple pages of this latest paper, i think it talks a lot about the background
23:37 < andytoshi> so i'll try to get straight what's been happening in this field
--- Log closed Wed Dec 18 00:00:05 2013
--- Log opened Wed Dec 18 00:00:05 2013
02:31 < gmaxwell> well pinocchio is only kinda public, the circuit generator is public, but without the underlying crypto libraries, it's not useful.
02:34 < gmaxwell> amiller: oh have they made the rest of pinocchio public now?
02:35 < gmaxwell> in any case, I think the obvious thing to do with pinocchio/friends is make a blind sin proof. Though I don't see how to do it without having an ecdsa verification under the proof... which is probably going to hurt a bit.
02:36 < gmaxwell> s/verification/signature/ in fact.
02:38 < gmaxwell> e.g. You make a proof of the statement X is the hash of a deterministic-signature of data Y, using a key, committed to by a SIN transaction paying >=Z in fees, spv connected to header Q.
02:39 < gmaxwell> Feed in the name of a site in Y "bitcoin talk" and X is an identity you use to log into the site that can be banned, and replacing it costs you Z bitcoin.
13:54 < gmaxwell> HOLY CRAP THAT TOOK TOO MUCH TIME
13:54 < gmaxwell> Here is the post I was looking for: https://bitcointalk.org/index.php?topic=20171.msg255631#msg255631
13:55 < gmaxwell> (I also, apparently, posted the same thing in response to claims that security could be paid by "assurance contracts": https://bitcointalk.org/index.php?topic=157141.msg1665607#msg1665607 )
13:56 < gmaxwell> amiller: in any case, we're very close to the coin burning race with this thinking.
13:57 < gmaxwell> amiller: the "if someone double spends you, you make a child transaction that sends all the coins to fees just to make sure the dude double spending you can't turn a profit"
13:57 < amiller> quick offtopic (on topic?) question
13:57 < amiller> does theymos maintain rigorous backups of the forum
13:57 < amiller> does anyone else help provide backups of it?
13:58 < gmaxwell> amiller: yes and yes.
13:58 < amiller> maybe bitcoin foundation would want to sponsor archival backups of resources like the wiki and the forums because there's tons of valuable data there
13:58 < amiller> ok
13:58 < gmaxwell> there are backups, encrypted to some set of keys. Some of the global mods have copies.
13:58 < gmaxwell> It would also be nice if the forum merkelized all the posts, and could publish roots that could be timestamped.
13:58 < gmaxwell> Some of the posts may be important in the future to thwarting patent attacks.
14:01 < petertodd> gmaxwell: would it be possible to make public post archives something that can be mirrored directly?
14:02 < petertodd> (in the clear)
14:02 < gmaxwell> You've got me.
14:02 < petertodd> I can certainly write the code to merklize/timestamp it all
14:02 < petertodd> ?
14:03 < midnightmagic> just love how merkle trees are going into everything these days
14:04 < gmaxwell> petertodd: it would probably be a relatively minor modification to the backup procedure to produce a hash root that could be spit out with the backup and timestamped to allow someone with the backup to do selective reveals.
14:04 < amiller> i bought merkletrees.org from namecheap (with bitcoins)
14:04 < midnightmagic> structured storage types would allow data mining if the data were public, too, based on timestamp and username.. forum-wide diffing would be cheap
14:05 < midnightmagic> amiller: glorious :)
14:05 < petertodd> gmaxwell: What form are posts stored in? I assume a mutable database right?
14:05 < gmaxwell> midnightmagic: I don't know that we (or at least theymos) necessarily wants to enable that.
14:05 < gmaxwell> petertodd: I assume. You know as much as I do.
14:06 < midnightmagic> merkle tree + timestamp, username, + link to forum individual message?
14:06 < gmaxwell> My only extra knowledge of the forum is that I'm a subforum mod in two sections, .. and that means I have access to the staff and donor areas and have talked to theymos a bit more than $random_person. But I don't actually know that much.
14:06 < gmaxwell> Warren probably knows more about how the forums work than I do now.
14:06 < midnightmagic> SMF puts it all into a backend database like mysql.
14:06 < grau> lets be consequent and commit the merkle root of bitcointalk.org to the blockchain :)
14:06 < petertodd> gmaxwell: The 312668.msg3357169 bit in the URL's implies we've got sequential numbers to use.
14:07 < midnightmagic> petertodd: they are sequential numbers.
14:07 < gmaxwell> petertodd: In any case, the backups would obviously serialize messages in some order, so that could get treed.
14:07 < gmaxwell> posts can be edited. so any timestamp really needs to be "as of some backup".
14:08 < midnightmagic> the main drawback of SMF is prior-edits are wiped unless theymos is running something special to version them
14:08 < midnightmagic> (or a logged database backend I suppose)
14:08 < gmaxwell> Can someone else confirm that the forum is hacked again?
14:08 < gmaxwell> Reload as a non admin on the main page or something.
14:08 < gmaxwell> (someone reporting this in #bitcoin)
14:09 < petertodd> gmaxwell: Yeah, well maybe the absolutely easiest would be to just use opentimestamps - I've got code that can do a merkle mountain range where you feed it arbitrary digests, and it gives you top-level-digests to timestamp.
14:09 < sipa> gmaxwell: haven't visited the forum in weeks
14:09 < petertodd> gmaxwell: I'm not seeing anything.
14:09 < sipa> gmaxwell: how do i recognize it being hacked?
14:09 < grau> normal
14:09 < gmaxwell> sipa: some kind of javascript animation? :P
14:09 < gmaxwell> okay, crazy user.
14:09 < gmaxwell> thanks. I wanted to get a confirmation before I called theymos. :)
14:09 < sipa> don't see anything
14:10 < petertodd> gmaxwell: Basically this would give you a database of digests where you can easily extract a timestamp proof for an arbitrary digest.
14:14 < amiller> forum seems fine to me?
14:14 < gmaxwell> amiller: thanks, seems like the user has some weird dns issue.
14:14 < midnightmagic> forum is fine here also
14:15 < gmaxwell> petertodd: wrt signed advertisements, I'd assume that you'd sign all of them, and have some priority flag for addresses you consider most credible.
14:16 < petertodd> gmaxwell: that works
14:18 < petertodd> gmaxwell: huh, seems that SMF stores every single post in the database, so it should be easy enough to write a script to dump the posts, hash them, and timestamp them that way
14:19 < gmaxwell> petertodd: sure, I expect it to do that. I was just suggesting that it would go along with the backup data (since you'll need the posts too)
14:20 < petertodd> gmaxwell: yup. Anyway, the only obstacle is getting a copy of the data to work on. I suspect this could be a weekend project otherwise.
14:33 < jgarzik> sipa, gmaxwell: speaking of resetting testnet...  new blocks are appearing every few seconds. some fool ASIC miner probably aimed his machine at it.
14:34  * midnightmagic suddenly wants to run on testnet.
14:56 < HM2> :}
18:21 < HM2> Hmm, I don't think anyone is going to write a JSON Spirit replacement in Spirit X3 yet
18:21 < HM2> it's riddled with odd behaviour and possible bugs
18:47 < warren> wait huh
18:47 < warren> forum hacked?
18:48 < sipa> not again
19:09 < Luke-Jr> which forum?
19:10 < pigeons> bitcointroll.org is up
19:17 < Luke-Jr> abitcoin.org is too
19:18 < sipa> someone claimed bitcointalk was hacked again, but that seemed incorrect
19:19 < warren> btc-e's top news from today is "Urgent! bitcointalk.org was hacked! Change your password ASAP!"
19:20 < warren> yesterday btc-e was down for a few hours they claim due to a DDoS attack
20:03 < gmaxwell> petertodd: So the MMR UTXO-LOG stuff.
20:03 < gmaxwell> petertodd: ISTM that the transaction sizes would grow forever. Because the spendability proofs would be log2(utxos ever) since you cannot do a storageless rebalance of a MMR.
20:04 < warren> MMR?
20:05 < gmaxwell> merkelized mountain range it's a kind of authenticated binary tree that has ~O(1) append. Its a petertodd neologism.
20:06 < gmaxwell> https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
20:09 < gmaxwell> warren: petertodd figured out how to make a mostly storageless bitcoin. But there is a trade-off: wallets have to actively monitor the network to process updates to their own utxo proofs or they will lose the ability to spend their coins.
20:10 < warren> that's a bit of a tradeoff =)
20:10 < gmaxwell> But full nodes and miners need basically no storage. (just ~log() hashes with respect to the size of the transaction history, and maybe block headers)
20:11 < gmaxwell> Wallets need storage ~log(total history size) * number of utxos they own.
20:12 < gmaxwell> Transactions must carry utxo update proofs, which are ~log(total history size) * UTXO spent (maybe somewhat smaller if the utxo are near each other in history) in size.
20:13 < maaku> gmaxwell: is this the updatable proofs that we had discussed earlier, if we remove PATRICIA level-compression
20:13 < maaku> ?
20:13 < gmaxwell> maaku: this is a simpler idea that is more general.
20:14 < gmaxwell> warren: if you had a cold storage wallet, for example.. to spend the coins you'd need to get current proofs for it... if you were not tracking them yourself, perhaps you could go find a kind node who has tracked all of them (requiring storage similar to bitcoin full node)... perhaps they'd sell you this data if you show then that your spend would pay them a fee.
20:14 < gmaxwell> maaku: Here is how I'd express the idea.  Forget the UTXO tree stuff.
20:14 < warren> gmaxwell: we talked about this as a way to spend expired coins in the future after litecoin implements expiration
20:15 < maaku> hrm.. i'll study it. lack of a storageless rebalance seems like a big tradeoff :\
20:15 < gmaxwell> maaku: imagine we have just a regular blockchain, and we append new txouts to it as they are created.   We compute a binary tree over this whole thing... using a tree update scheme that has ~O(1) append. (thats the mountain range link above)
20:16 < gmaxwell> When someone wants to spend a coin, they give you a proof that shows you the coin is in the tree. Which is also the same data you need to replace that coin with a "deleted coin" entry and update the root.  (by the same reason we can compose non-compressed proofs)
20:17 < gmaxwell> so miners and full nodes just need to store the leading edge of this tree (log2(history)) hashes. and any transactions they receive will have enough data to let them mark the inputs elsewhere in the tree as spent.
20:18 < maaku> ok, so it's a perpetually growing tree, although you can safely prune branches that are fully spent
20:18 < maaku> what is the advantage over a proof-updatable index?
20:19 < gmaxwell> Right. and it grows with log() so.... that's not so bad.  Also, proofs for spending recent coins would be smaller. So the proofs for old coins grow.. but recent coins would stay small.
17:19 <@sipa> #bitcoin-wizards: smoking cryptographic hasj since 2013
17:19 <@amiller> you can smoke trees and you can smoke hash, but only the bitcoin-wizards smoke hash trees
17:20  * petertodd slow claps
17:20  * amiller passes out
17:20 <@sipa> oh, it's hashish in english; even better
17:20 < weex> oh it's THAT kind of party :)
17:20 <@sipa> amiller: haha
17:25 <@petertodd> Say, everyone heard of that paper due to be released in another month or something on implementing chaum tokens within Bitcoin?
17:25 <@petertodd> Anyone managed a sneak peek of it?
17:25 <@amiller> yeah
17:26 <@amiller> those students came and hung out with me for a while
17:26 <@petertodd> Nice? How does it work?
17:26 <@amiller> my current advisor/host pays their advisor
17:26 <@amiller> well it's got an impractical thing about it
17:26 <@petertodd> ?
17:26 <@amiller> first of all it's a global pool of tokens
17:26 <@amiller> one for the whole chain
17:26 <@amiller> second, in order to avoid double spends, they maintain an already-spent lit
17:26 <@amiller> lsit
17:26 <@amiller> list
17:27 <@amiller> which has to be checked in order to validate each spend.
17:27 <@amiller> that's worst-case O(N) which is horrible
17:27 <@amiller> it would only be O(log N) if they just maintained a balanced merkle tree but that still sucks
17:27 <@petertodd> Yeah, but doable
17:28 <@petertodd> So, there basically the already spend list becomes a consensus thing?
17:28 <@amiller> yes
17:28 <@petertodd> Do they just make the list so big you can pick a coin at random from it?
17:29 <@petertodd> (I mean, the set of !in the list)
17:29 <@amiller> no it's basically like
17:29 <@amiller> uh well basically you can't see the list of things included in the accumulator
17:30 <@amiller> i'm not sure how to answer your question
17:30 <@petertodd> Ok, so there is a global accumulator though, and each transaction increments or decrements it?
17:30 <@petertodd> (this sounds just like fidelity-bonded ledgers...)
17:31 <@amiller> so basically you deposit an ordinary coin into the accumulator
17:32 <@amiller> a blinded token gets added to the accumulator
17:32 <@petertodd> ok
17:32 <@amiller> now when you want to withdraw a coin, you provide an unblinded token and a proof that your unblinded token corresponds to _one of_ the blinded tokens stored in the accumulator
17:33 <@petertodd> Ah, and there is some crypto magic that lets you prove that?
17:33 <@amiller> yeah
17:33 <@petertodd> (wizardry beyond my beginner wizard level)
17:33 <@amiller> apparently they spent christmas break poring through the complete giant catalog of cryptographic accumulators looking for one
17:33 <@petertodd> I assume then that accumulator can grow to be quite large?
17:33 <@amiller> well the accumulator is just some wacky number field thing
17:34 <@amiller> so basically i don't think it grows at all
17:34 <@amiller> it's almost like folding hashes into hashes
17:34 <@petertodd> Hmm... weird, dunno how that would work.
17:34 <@petertodd> I mean, there is the clever trick of "what's the merkle hash of a 2^256 long string of zeros" but...
17:35 <@amiller> http://www.cs.jhu.edu/~goodrich/cgc/pubs/accum.pdf
17:35 <@amiller> this is one of the popular kinds of accumulators based on RSA numbers
17:41 <@petertodd> Hmm... I'm gonna have to read that very carefully...
17:41 <@BlueMatt> gmaxwell: ahh on the spv side, yes ok that is something Id like to do eventually
17:42 <@petertodd> Now, I assume if you have n items in this accumulator, the size of the underlying data must scale by n somehow right?
17:42 <@petertodd> Or do you accept some small possibility of collisions or something?
17:42 <@BlueMatt> gmaxwell: hmm...actually maybe Ill do that as my next project
17:42 <@petertodd> Oh wait, I found it, page 10: O(n) space
17:44 <@petertodd> Because basically, for fidelity-bonded banks/ledgers, I need to be able to have some audit log thing, and have a similar accumulator so any outsider can see that every token purchase and redemption was valid. Although ideally, proofs that they were invalid would be short too...
17:50 <@amiller> there's gotta be better accumulators than that
17:50 <@amiller> i don't see the point of an O(n) size one
17:51 <@petertodd> Well, presumably that can give you a 100% guarantee against collisions. IE there will never exist S1 and S2 such that A(S1) == A(S2)
17:51 <@amiller> something like that
17:52 <@gmaxwell> BlueMatt: there are two other kinds of proofs I forgot to mention (1) double spend alerts, which might fit into the same framework, and (2) proof that a block spends a txn which wasn't it the prior block's utxo set (which we can't do currently)
17:53 <@petertodd> Ok, lets see if I get the concept right: So one possible accumulator would be to construct a merkle tree of a bit field with one bit for every integer between 0 and 2^256. You can prove you added an integer to that set by showing the leaves for an operation updating the appropriate bit, and you can remove an integer with another set of leaves. (equally any deterministic binary tree works)
17:54 <@petertodd> You can't however take two such accumulators, and merge them in this example, without knowing all the bits involved.
17:54 <@petertodd> (well, without knowing S1 and S2)
17:55 <@petertodd> Equally, assign prime numbers in order, and just multiply your primes together, and then the resulting number is an accumulator.
17:55 <@petertodd> That one you can get the union of S1 and S2 easily, but large n's are a problem.
17:58 < HM> the computation under "a simple scheme" sounds expensive
17:58 <@petertodd> HM: I'm sure people have done better than that :P
17:58 < HM> for the dictionary
17:59 < HM> updates and deletions sound cheap
18:00  * HM continues reading
18:02 <@gmaxwell> BlueMatt: by 'doublespend alerts' I mean the mempool kind. ... in thinking about it it was a little annoying to me that they'd ultimately enable miners to mine the more profitable of the two. but I guess attackers could give them directly to miners anyways.
18:10 < HM> I'm guessing the interval trick really doesn't work for transactions
18:10 < HM> to find out if Tx is in S
18:11 <@BlueMatt> gmaxwell: yes, essentially it would be nice to provide alerts which can prove a block is invalid in any of the possible ways a block can be invalid that spv nodes cant identify, though many of those arent possible
18:11 <@BlueMatt> re: doublespend alerts...meh Im still not a big fan of putting those in the standard p2p protocol
18:15 <@gmaxwell> BlueMatt: fine with me. I thought you liked them for some reason. I was only really noting that perhaps they'd fit into the same kind of framework, but perhaps not they have different DOS exposure since the rest are tied to blocks.
18:16 <@BlueMatt> gmaxwell: no, Ive always been against them (since like...years ago)
19:08 <@petertodd> Alright, I read over the accumulators stuff, and it seems to me that it isn't magic and doesn't help fidelity-bonded foo's.
19:10 <@petertodd> Basically, the key thing is you can use them to add a blinded token to an accumulator, and later prove that the token was in there, but only if every step gets witnessed.
19:10 <@amiller> there's lattice-based accumulators that are even fancier
19:10 <@amiller> i really don't understand this stuff very well either
19:10 <@petertodd> Oh yeah? Hmm... maybe more reading...
19:11 <@petertodd> I didn't see anything about an "authenticated add", but maybe I'm missing something.
19:11 <@petertodd> (specifically, a *signed* blinded token)
19:12 <@petertodd> Ultimately the problem to solve is how to stop the ledger from faking withdrawals.
19:13 <@amiller> i mean you're right that everything has to be witnessed
19:14 <@amiller> like only a valid transaction can update the accumulator
19:14 <@petertodd> Yeah, and you want token-to-token transactions.
19:14 <@petertodd> Although I kinda punt there and assume Tor is available and logs will be made public and randomly audited...
19:15 <@amiller> yeah no token to token transactions... well i mean i guess that wouldn't hurt anything
19:15 <@petertodd> Well, it kills my dream of off-chain tx's. :P But it'd make for a great coin mixer.
19:24 <@gmaxwell> petertodd: whats the problem for you right now? you make a public log available ... the bank can't inflate without it showing up in the log.
19:26 <@petertodd> gmaxwell: Well, the log will have a sum of all chaum deposits made right? Each token redemption will decrement that counter, but there is nothing stopping the bank from creating tokens that didn't correspond with withdrawals, however their fraud is limited to the amount deposited because of the running sum.
19:27 <@gmaxwell> ah, because the bank can sign in hiding and people can't tell if a newly presented unblinded signature was a previously existing blinded one or just something the bank pulled out of its rear end.
19:27 <@petertodd> ...and actually, I skipped a step, because really any blinded token whose inner part isn't made public, can be fraudulently counterfeited, so clients should unblind their tokens and "register" them.
19:28 <@petertodd> If no clients do that, the bank can create an unlimited number, on the other hand doing so does create information leak possibilities.
19:28 <@petertodd> Exactly
19:29 <@petertodd> Now with an accumulator, I guess you could prove that the token was part of the accumulated value, and thus prove it really dis correspond to a deposit, or even token-to-token exchange.
19:30 <@petertodd> *did
19:30 <@gmaxwell> well, you could at the cost of some privacy, roll the keys, so that you'd know that the outstanding balance had to all be expressed in some window.
19:31 <@petertodd> Yeah, if not for the chaum part it'd be simple.
19:31 <@petertodd> You can have clients come back and do a unblinded register step for sure.
19:31 <@petertodd> Just hard to get good parameters to maintain privacy.
15:44 < adam3us> petertodd: its a cogeneration system: bitcoins & heat
15:44 < petertodd> yup!
15:47 < adam3us> luke-jr: "difficulty adjusted between the different POW algos by trying to make them equally rare" i was thinking you could have competing mining algos with independent dynamic difficulty targetting a chosen proportion of reward
15:47 < jgarzik> bitcoin water heaters.  the next million dollar idea.
15:50 < adam3us> luke-jr: eg allow scrypt(iter=1) or sha256^2 to coexist on bitcoin
15:50 < adam3us> start with say 5% scrypt, 95% sha256
15:50 < adam3us> have independent difficulty that adjusts to keep the ratio
15:50 < adam3us> in that way runaway asic easiness is automatically adjusted for
15:52 < adam3us> luke-jr: eg if one day someone succeeds in making an scrypt ASIC that is 1000 easier, the difficulty of scrypt would be increased to keep at the target % of reward for that mining function
15:53 < adam3us> luke-jr: so i think you could repeat that eg have 10 mining functions, with 10% each reward, all dynamically adjusted, then the ASIC people will not have as much fun because they will be competing more against themselves
16:06 < gmaxwell> adam3us: the scrypt pow stuff is a pretty poor idea. E.g. it's a performance problem with ltc chain sync
16:10 < gmaxwell> oh lots of backscroll to read.
16:22 < adam3us> gmaxwell: i agree scrypt verification cost sucks by orders of magnitude vs hashcash
16:23 < gmaxwell> 10:46 < amiller> btw there's a fully open source alternative to pinocchio/tinyram out https://github.com/srinathtv/pantry/
16:24 < gmaxwell> amiller: have you tried it?
16:24 < gmaxwell> wtf is with the dependencies?! KyotoCabinet, leveldb, fcgi?
16:24 < gmaxwell> also why PBC if they're using the separate BN ate-pairing library?
16:25 < sipa> PBC?
16:25 < sipa> ah
16:25 < sipa> pairing based crypto
16:27 < adam3us> gmaxwell: you might be able to design a better mem hard hash than scrypt  they didn't care much about verif speed, and its memory cpu tradeable as that was a non-requirement - eg using something like the "An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol based on Merkle Trees" http://hashcash.org/papers/merkle-proof.pdf by fabien coelho to verify in c*log2(n) instead of n for small c where n is the memory param
16:27 < gmaxwell> sipa: yea, there are basically two families of ways people are doing the backends for the general ZKP stuff. One is based on a pairing crypto knowledge of exponent assumption and results in very small proofs (like .. 4 field elements which for the BN256 stuff are like 256 bits each), the other is a construction using fiat-shamir (hashtree based proof)
16:34 < odotan> hi
16:34 < gmaxwell> odotan: Hi.
16:37 < adam3us> gmaxwell: odotan and i were discussing timestamping, namespaces and relation to mining with the objective of reducing mining centralization or removing fees somehow (brainstorming) i suggested we move it here as there was some discussion above... one sec pasting history for odotan
16:39 < warren> perhaps I shouldn't be amazed by the nut cases on the forum...
16:40 < gmaxwell> warren: hm?
17:03 < midnightmagic> oo I like reading stuff from nutcases. link?
17:03 < sipa> midnightmagic: bitcointalk.org :p
17:05 < midnightmagic> lol
17:07 < warren> midnightmagic: also http://www.theblaze.com/
17:36 < Luke-Jr> [21:03:24] <midnightmagic> oo I like reading stuff from nutcases. link? <-- PM "one" <.<
17:44 < midnightmagic> ah HAH. It was Bertrand Russell! I found him. http://www.youtube.com/watch?v=Il7Kxw9TDBc  what an amazing accent.
17:47 < midnightmagic> er.. woops, wrong channel. :( sorry about that
19:38 < amiller> midnightmagic, i remember when you were asking about that from a week ago!
19:46 < midnightmagic> amiller: :)
19:49 < midnightmagic> amiller: I've been looking for it for perhaps 6 months or so. I.. uh..  have trouble letting these sorts of things go.
--- Log closed Sat Oct 26 00:00:45 2013
--- Log opened Sat Oct 26 00:00:45 2013
03:40 < warren> gmaxwell: I'm writing specifications for a next generation forum for theymos.  I figure it would need some kind of cryptographic timestamp with versioning of posts to serve as prior art in defeating patents?
03:40 < warren> think of crazy ideas you think forum TNG should have
03:41 < gmaxwell> warren: talk to nanotube and midnightmagic, they're likely to have more thoughts than I do.
03:41 < warren> nanotube: midnightmagic ^
03:41 < gmaxwell> I do think whatever it does it should enable cryptographic timestamping of posts, with some kind of efficient extraction so you can pull out a single timestamped post and have people verify it.
03:41 < gmaxwell> but thats not all that hard.
03:42 < warren> do you want the ability to permanently delete previous versions of posts?
03:42 < warren> that's a hard part
03:42 < warren> gmaxwell: that might be a good use to bring chronobit into the mainstream
03:46 < gmaxwell> Its fine if the server deletes them .. you should just be able to click a button on a post and get a timestamped and forum signed copy of your post (once one is available for it) which can always be verified, even if the post is deleted.
03:46 < gmaxwell> also means that if someone else saves your post before you delete it, they can prove to other people that it was previously there.
03:46 < gmaxwell> which I think is desirable.
03:46 < warren> yeah
03:46 < warren> very
03:47 < warren> accountability
03:48 < gmaxwell> well, I think allowing editing and stuff is fine, and I'm okay with old versions being thoroughly deleted... if you manage an edit before no one else sees it.. no harm no foul.
03:49 < warren> for most things yes
03:50 < warren> but if you're talking about priority dates
03:50 < gmaxwell> I think it might be interesting if the non-public forums were encrypted, with the keys stored encrypted with the accounts that have access to them, likewise for PMs.  Basically the goal there would be to reduce the incentive to compromise the server in order to obtain the little non-public data it has.
03:50 < warren> if someone edited a post to add a tiny correction, they lost proof of the earlier date
03:50 < gmaxwell> warren: nah, they just save the earlier proof.
03:50 < warren> gmaxwell: not everyone anticipates that their earlier proof will be important years laer
03:50 < warren> later
03:51 < gmaxwell> could be optional to delete old versions of messages. Dunno. Or maybe make them only accessible to the user who used them.
03:51 < warren> gmaxwell: interesting, client-side encryption of PM's?  You backup your own key.  if you lose it, you lost only your PM's.
03:51 < gmaxwell> Access to old versions of messages could make some moderation problems worse.
03:52 < gmaxwell> warren: you make your PM key encrypted with your login password, so it gets backed up on the site... but a hacker who compromises your site now has to bruteforce your login password to get your PMs.
03:52 < warren> could that increase the legal hazard to the forum?   forum has no ability to police using it as a medium for illicit activity
03:53 < gmaxwell> It has no legal responsibility to in the US, see S230. (in fact, forum spying on PMs is probably unlawful in the US) Besides, it could if it's made aware of it.
03:53 < gmaxwell> Though on that subject, retaining old versions accessible to all users has a moderation problem.
03:53 < gmaxwell> E.g. I fill a post with childporn links, then edit them out and replace it with puppy pictures.
03:54 < gmaxwell> Then I quietly tell all the other childporny people where to go find the hidden posts.
03:54 < gmaxwell> so if you do provide access to old versions it should probably be exclusively to the user or user + global admins.
03:55 < Luke-Jr> gmaxwell: meh, no different than a wiki
03:55 < gmaxwell> Luke-Jr: wiki provides good interfaces to view changes and find things in old versions.
03:55 < gmaxwell> (I describe that behavior because people were doing stuff like that in enwp at one point)
03:56 < gmaxwell> In any case, encrypted PMs wouldn't be there to have military grade security or anything, it's just a casual thing that reduces brittleness to hacking. I'd suggest that the forum not even tell users that their PMs are encrypted. If users want good security they should be doing GPG inside their PMs.
03:57 < gmaxwell> Another thing that should be supported: two-factor login via bitcoin signmessage. Hopefully devices like trezor will support that in a later firmware. So then you could use your hardware wallet to auth you to the forum.. no more account hacks ever.
03:57 < warren> huh
03:58 < warren> sign message?
03:58 < Luke-Jr> gmaxwell: unless you sign every action, you can still get account hacks
03:58 < Luke-Jr> warren:
03:58 < gmaxwell> Luke-Jr: hm? site is SSL.
03:58 < Luke-Jr> you maintain an altcoin and you don't know signmessage?
03:58 < Luke-Jr> gmaxwell: if the server is itself compromised..
03:58 < warren> Luke-Jr: oh, I missed that he said signmessage
03:59 < warren> Luke-Jr: that's impossible! =)
03:59 < gmaxwell> Luke-Jr: yea, sorry. I wasn't meaning also no server hacks I just meant not from user password stupidity.
04:00 < warren> the way I have his server setup right now it would be difficult for even remote php eval() to write anything to disk
04:00 < warren> forum TNG I'm going to suggest get rid of php entirely, either rails or node
04:00 < Luke-Jr> ew
04:00 < Luke-Jr> I'd do php before rails at least
04:00 < warren> ewwww, php
04:00 < gmaxwell> warren: a kind of dumb but easy feature: support some message parsing so that if you post a gpg signed message, the server will verify the signature, and if it can it strips out the gpg noise and puts in a Signed message icon. clicking it gets you the plaintext of the message so you can verify it yourself it you want.
04:00 < warren> php needs to die
04:01 < warren> gmaxwell: ooh, that sounds great.
23:23 < petertodd> maaku: you have full validation if there is 100% coverage of the data by validators; you don't need every individual validator to validate the whole data set fully
23:23 < petertodd> maaku: but you do need to make it possible for any one of those partial validators to prove the fraud they found cheaply
23:23 < amiller> it's not necessary for every full validator to be capable of validating anyone's transaction without their help
23:23 < amiller> full validators don't need to store backup copies of your private key for you, nor do they need to remember all the bits needed to prove your transaction is valid
23:24 < amiller> 10 different people can each submit their individual transaction validity proofs and anyone can validate the block consisting of those
23:24 < petertodd> amiller: thing is there's no such thing as a proof that something is valid, only a proof that something is invalid (modulo SCIP)
23:24 < petertodd> *compact proof
23:28 < amiller> what you should have to do is bribe miners not to burn work
23:28 < petertodd> amiller: huh?
23:28 < amiller> it hurts everyone, in a sense, when miners burn
23:28 < amiller> you have a weak/social/long term incentive to pay them *not* to mine
23:28 < petertodd> You can't bribe someone whose goal is to destroy the currency for whatever reason
23:29 < petertodd> Why is there an incentive for them not to mine?
23:29 < amiller> there *is* an incentive for them to mine, but if you have coins, and you have stake, then you can pay them not to
23:29 < petertodd> How can I do that?
23:30 < amiller> by paying them to fight amongst themselves perhaps
23:30 < amiller> paying for forks
23:31 < amiller> 'defunding' the miners
23:32 < amiller> paying miners not to mine is the pure public good
23:32 < petertodd> how can you pay them to fight? at any given time modulo network latencies the miners can always mine on the best chain, and best has a clear consensus meaning
23:32 < amiller> because it didn't affect them, they get the monetary reward they would have had
23:33 < petertodd> remember when you burn coins in lieu of work, *you're* a 51% attacker on the chain you are re-orging
23:33 < petertodd> there's no privileged position here
23:34 < amiller> it won't happen for very long anyway, the point is *you* lose the money you burned, less mining occurred, but the miners got the same income they would have anyway
23:34 < petertodd> and it's all irrelevant, because as always part of being a profitable miner is mining on the chain that you think has the most support, and that means the next block that will be mined
23:35 < amiller> that may not be the only way to pay miners
23:36 < amiller> er, to pay miners not to mine
23:36 < amiller> the point is, there's your cheap proof of stake, i'm making an observation about what it can mean to burn a coin
23:37 < amiller> just sending it out isn't necessarily burning it because if it's useful to do so, everyone else might do it too, and then it had no effect anyway
23:39 < petertodd> burning coins in lieu of work, as I'm advocating above, isn't proof-of-stake, it's transferrable-proof-of-work
23:41 < amiller> maybe there should be like a difficulty measure
23:41 < amiller> in terms of burned coins and work
23:41 < amiller> such that you can arbitrage
23:41 < amiller> if the cost per burned coin in proof of stake is different than what you could pay for mining power on the spot
23:41 < petertodd> I'm really not seeing why this should be any more complex than "If this chain wins, I'm happy to have x less BTC"
23:43 < amiller> look at it this way, if that's true, what's the most effective way to spend x btc to get that chain won?
23:43 < amiller> if you can do it by renting mining power then you can spend it on mining power
23:43 < amiller> if you can do it by paying a particular person somehow then you could do that
23:43 < amiller> if you can accomplish it the best by deleting it
23:43 < amiller> then you could do that, but it seems less plausible that you can't use it to your influence in some better way
23:44 < petertodd> sigh... the issue is we have effective long term ways - buy hashing power - but we don't have effective short-term ways
23:44 < gmaxwell> sweet. I just out cryptoed DJB.
23:45 < petertodd> the challenge is to come up with a way that's effective in the short-term, yet also works in the context of limited bandwidth jam-free networks
23:45 < petertodd> gmaxwell: ?
23:45 < gmaxwell> (well I suppose I should save the bragging for when he responds conceding defeat)
23:45 < amiller> petertodd, how is paying for rented hash power not an effective way
23:46 < petertodd> amiller: because it's impossible to increase the supply without waiting!
23:46 < amiller> you can just take it from someone else
23:46 < amiller> you're assuming the attacker eclipses the world economy i think
23:46 < petertodd> amiller: no you can't! there is a limited amount in this world
23:46 < amiller> so you're talking about an attacker that has moved markets
23:47 < petertodd> amiller: markets aren't efficient enough to say "hey, I want a few petahash in an hour"
23:47 < petertodd> reality just doesn't work that way
23:47 < petertodd> the whole point of this is to paper over the fact that the real world is ugly and slow
23:48 < gmaxwell> petertodd: DJB created http://safecurves.cr.yp.to/  see the rigidity page. I'm trying to convince him that the choice of generator must be documented too.
23:48 < petertodd> gmaxwell: ha, good job
23:48 < amiller> petertodd, then smash pots or something
23:49 < gmaxwell> he was trying to insist that there is nothing interesting that you can do with generator control in any cryptographic protocol. :P
23:49 < amiller> the point is if you just burn your money without burning something objective it doesn't have the same effect
23:49 < amiller> i'm trying to figure out how to articulate why that matters because what i think you're doing is ignoring the distinction or have already decided it doesn't matter
23:50 < gmaxwell> petertodd: so I sent him http://0bin.net/paste/Aqayl-V7cyFWqv5E#ju+Q69udt8UIOVxaMYV9AFSJLkr/V2FhT2Lke1S0wQU=
23:51 < amiller> tjat
23:51 < amiller> that's so cool gmaxwell
23:52 < petertodd> amiller: start from the end-goal: we want to come to a consensus that reflects the desires of the economic majority, and work backwards
23:52 < amiller> i don't think that makes any sense
23:52 < gmaxwell> amiller: yea, well I don't think it's so cool. It means that the curve in bitcoin could be somewhat backdoored, because we can't explain G.
23:53 < petertodd> gmaxwell: good job
23:53 < gmaxwell> We can explain all other parameters, but not G.  I'm trying to save DJB's future curves from the same weakness.
23:54 < petertodd> amiller: again: so someone launches a 51% attack, stopping all transactions and/or rewriting some part of the blockchain, how do we devise a system where the response can be made fast enough that people don't just give up on the system before actual hashing power can be obtained?
23:54 < petertodd> amiller: hardware has leadtimes of months - there is *nothing* we can do about that, especially since we're using proof-of-work systems that are ASIC friendly
23:55 < petertodd> amiller: even if the proof-of-work system was 100% best mined by fully commodity hardware, it'd still take days to weeks to obtain it in a mad rush - there just isn't all that much computing power available for rent in a decentralized way
23:55 < petertodd> (the attacker might have already rented it all!)
23:55 < amiller> then outbid the attacker
23:55 < amiller> the attacker has limited funds
23:56 < amiller> or else the attacker has already one
23:56 < amiller> won*
23:56 < petertodd> amiller: "outbid" how? the real world doesn't always let you outbid
23:56 < petertodd> amiller: No amount of money is going to get Amazon EC2 to kick off their existing customers you know.
23:57 < amiller> i don't see why you are assuming it's sufficient to choose the chain based on something that shares some-but-not-all of the properties of proof of work
23:57 < amiller> how about in a pinch you just have gavin sign the blocks?
23:57 < petertodd> amiller: And I mean that: if you had sufficient money to make it worth their while, it'd take too long for them to verify that you were for real.
23:57 < amiller> i'm saying that burning coins doesn't have the same effect as burning power
23:57 < petertodd> amiller: heck, agreeing to just have gavin sign the blocks would probably take long enough that you'd be better off buying hashing power...
23:58 < amiller> agree in advance?
23:58 < amiller> and override it if he fires without cause
23:58 < petertodd> amiller: Then you have a system that's vulnerable to gavin...
23:58 < amiller> so what is the system vulnerable to
23:58 < amiller> that burns coins
23:58 < amiller> instead of work?
23:58 < amiller> you are implicitly assuming that there's no difference or that the difference isn't important
23:58 < amiller> i'm trying to understand what that difference is
23:58 < petertodd> amiller: Even worse, Gavin is vulnerable to the system - legally he'll be gone after for having the ability to control the system.
23:59 < amiller> i agree with both your explanation of the problem to be solved, and your reason why the gavin approach is vulnerable to something undesirable, so now lets try to get to the bottom of what vulnerability the burning coins might have over proof of work
--- Log closed Fri Oct 18 00:00:04 2013
--- Log opened Fri Oct 18 00:00:04 2013
--- Day changed Fri Oct 18 2013
00:00 < petertodd> See, the more interesting thing, is if you have a system where you can burn coins, how does that affect things? For one it'll make more clear that confirmations matter.
00:00 < amiller> because maybe you can make an actual destroying-value thing that's more responsive
00:00 < amiller> the larger you are the less impact burning coins has on you
07:33 < gmaxwell> right, now if each samples the same half, that's not so useful.
07:33 < HM2> 2^10 = 1024
07:33 < HM2> so you divide the wine into 1024 samples?
07:33 < HM2> :\
07:34 < HM2> hmm
07:35 < HM2> so you give each prisoner a distinct 5-mixture from 100 bottle sets
07:35 < HM2> so they sample 500 bottles total
07:36 < HM2> that gives them a 50% chance of dying
07:36 < HM2> nope, that doesn't work
07:37 < HM2> how does a probabilistic solution help anyway?
07:37 < HM2> "My lord! there is only a 0.1% chance you will die if you drink this lovely 1758. It was a good year!"
07:38 < gmaxwell> ah, I wasn't suggesting that it was a probabilistic solution, only that a maximum information one would give the prisoners 50% odds of dying (a priori)
07:38 < gmaxwell> because anything other than 50% wouldn't make good use of them.
07:38 < sipa> each prisoner is essentially one bit of information
07:38 < sipa> you want to maximize the entropy in each
07:43 < HM2> you only need to determine which of 1000 bottles is poisoned. so that's < 10 bits
07:43 < HM2> so i agree it should be feasible, but i've clouded my thinking now with mixing overlapping sets of wine
07:45 < HM2> you can easily divide the wine into 10 x 100 bottle sets and mix 5 different sets together for each prisoner
07:46 < HM2> 5 will still be dead after 30 days, as in my solution, but i don't think you will be 100% certain of the result?
07:48 < HM2> but i totally give up for now
07:49 < gmaxwell> HM2: yea, if it doesn't just come to you later we'll tell you. :) (you've put so much time into it, it would be a let down to not let you solve it though)
07:49 < gmaxwell> you've probably worked yourself into a rut, it'll probably be obvious as soon as you stop thinking about it.
07:49 < HM2> i maintain i solved it and poison works like countdown ;P
07:51 < HM2> wait a minute
07:52 < HM2> isn't this just a parity problem
07:53 < HM2> hmm
07:54 < HM2> 0 to 1024 in binary
07:54 < HM2> 10 prisoners
07:54 < HM2> each get a coefficient of the radix
07:54 < HM2> so 1 prisoner drinks all the odd bottles
07:55 < HM2> another 1 in 4
07:55 < HM2> another 1 in 8
07:55 < HM2> etc
07:55 < HM2> if they die then you know a bit of the poison bottle number
07:57 < HM2> sipa, and it's less than 5 on average :P
07:57 < HM2> because there are less than 1024 bottles
08:05 < gmaxwell> HM2: tada.
08:09  * HM2 grumbles
08:20 < HM2> what sucks about that is my solution isn't even better for < 10 prisoners
08:34 < HM2> the monk riddle was harder
08:45 < gmaxwell> yea, well I mostly mentioned the evil king's riddle in order to present the version of it where exactly two bottles are poisoned.
08:45 < gmaxwell> which is harder than the monks riddle.
09:43 < HM2> gmaxwell, interesting
17:04 < Luke-Jr> gmaxwell: that guy is obviously trolling, but I don't think he's completely wrong about pull request purgatory. I've seen useless/silly things get merged while truly useful pulls sit ignored.
17:05 < gmaxwell> well I don't think he's intentionally trolling. if he got confused about how things work, that's a problem in and of itself.
17:06 < gmaxwell> Considering that he claimed bitcoin was written in typescript, I suspect he's not trying very hard... nonetheless, unfortunate that he didn't feel welcome. (and weird that he thought a ~dead project welcomed him...)
17:06 < Luke-Jr> gmaxwell: comparing it with namecoin? I don't see any "defecting from bitcoin" in #namecoin
17:06 < gmaxwell> and yea, the pull process is bumpy. useless things are easier to merge: they're usually more obviously harmless. :)
18:51 < midnightmagic> petertodd: thanks for dust-b-gone btw
18:51 < midnightmagic> very much more convenient than waiting until my miners mine a block..
18:57 < petertodd> midnightmagic: cool!
18:57 < petertodd> Luke-Jr: I was having some trouble getting coin-join txs mined on eligius - what are the current rules for a tx that has a single OP_RETURN, 0-value, output?
18:59 < petertodd> Luke-Jr: s/coin-join/dust-be-gone/
19:02 < Luke-Jr> petertodd: data carriers are currently blocked entirely by Eligius, IIRC
19:03 < petertodd> Luke-Jr: right, but this scriptPubKey is just OP_RETURN, with no data
19:03 < Luke-Jr> hmm
19:03  * Luke-Jr pulls out the code
19:04 < petertodd> Luke-Jr: I picked that because I wanted the dust-b-gone utility to be absolutely clear that no-one other than miners could get any financial benefit from the coins destroyed
19:06 < Luke-Jr> http://codepad.org/L2J8i1HV
19:06 < Luke-Jr> I don't actually see anything that should change behaviour from mainline that would affect this
19:08 < petertodd> does the push-tx thing on eligius.st submit directly to the node that would be mining the transactions?
19:08 < Luke-Jr> yes
19:09 < petertodd> huh, weird
19:09 < petertodd> give me a sec; I'll make up a tx right now
19:13 < Luke-Jr> give me advance notice of the push; someones are IBDing from Eligius atm
19:14 < petertodd> 'k
19:16 < petertodd> well, it's getting rejected right now, so maybe a previous attempt is still in your mempool, but anyway here is what I tried to pushtx: http://0bin.net/paste/yuxubWzRRKtvj1QX#BFoxJ/sAq5pdwrkufd9BBSRmkYC+BPGKVWbDRHZlafY=
19:17 < petertodd> see how much easier replace-by-fee would make this? :P
19:19 < petertodd> oh, BTW, any objection to me making the TXO discussion we had the other day public? I mean, -wizards is semi-private simply by how it's a bit obscure, and there aren't public logs anywhere (AFAIK)
19:19 < Luke-Jr> which discussion was this?
19:20 < petertodd> two days ago, oct 17th
19:20 < Luke-Jr> I don't see any I participated in
19:21 < petertodd> yeah, I don't think you did
19:21 < Luke-Jr> well, then you don't need *my* permission :P
19:21 < Luke-Jr> just permission from those who spoke in it
19:22 < petertodd> heh, I wasn't asking you, although that you assumed that says something about the relative privacy of -wizards :P
19:23 < Luke-Jr> well, freenode policy makes that matter clear anyway
19:23 < petertodd> oh yeah?
19:23 < Luke-Jr> public channels need to have the log in the topic or onjoin
19:23 < petertodd> ah
19:24 < petertodd> specifically I'm asking because of this guy: https://bitcointalk.org/index.php?topic=314467.0
19:24 < Luke-Jr> gmaxwell: maaku: I think you guys were in the convo?
19:26 < petertodd> amiller: you too
19:27 < amiller> wat
19:27 < amiller> oh, yeah this should be public
19:27 < petertodd> amiller: mind if I make our conversation from two days ago re: TXO commitments public
19:28 < petertodd> amiller: thanks
19:28 < amiller> my understanding is this channel isn't even meant to be obscure, it's just that we discuss stuff that's too weird/frightening for someone trying to build bitcoind
19:28 < petertodd> same
19:29 < petertodd> I think setting up a public archive for this channel would be a good thing re: patents for instance
19:30 < gmaxwell> it's not meant to be obscure, though I have kinda avoided inviting people with ideas which I think are weird because the author is an idiot.
19:30 < petertodd> yeah, that's an issue too
19:31 < gmaxwell> e.g. if your idea is far out because you're dumb I tell you to go away, if it's far out because it's advanced or really speculative but still sane, I say join #bitcoin-wizards.
19:31 < gmaxwell> it's something of a personal failing that I don't respond really well to people who are aggressively promoting gibberish. I'm working on doing better. :)
19:32 < gmaxwell> (if nothing else it's at least a failing because my gibberish filter sometimes has false positives)
19:33 < petertodd> https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log <- this is it to be specific
19:33 < gmaxwell> (I'm happy that things here go however everyone else wants them to, but if we get too many people with batshit technobabble I'll probably stop participating myself)
19:34 < petertodd> god help us if we need to make #bitcoin-sane-wizards
19:46 < petertodd> alright, replied: https://bitcointalk.org/index.php?topic=314467.msg3371043#msg3371043
19:46 < petertodd> bbl
19:47 < gmaxwell> petertodd: you also posted about the idea in the forum in the bitspam (or whatever it's called) thread.
19:51 < sipa> gmaxwell: i think you answered very politely to the open-source criticism person :)
20:16 < gmaxwell> sipa: thanks.
20:16 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=314467.new#new
20:17 < nanotube> hehe loved the riddles.
20:19 < gmaxwell> sipa: I came up with a slight enhancement to PT's MMR-tree idea, just the simple observation that if all nodes are required to store the N topmost levels of the tree (by virtue of never including them in proofs), that wallets only need to monitor the fragments of blocks which are making updates to parts of the tree where they have UTXOs.
20:20 < gmaxwell> sipa: e.g. you could have wallets 'bloom filter' blocks still in this model.
20:21 < nanotube> sad to say that while i was reading the blue/red hats one for clarifications, hm2's solution snuck up on me. >_< the monk one took a few hints from sipa before i grokked. poisoned wine was easy. and thanks for that riddles link, gmax. :)
20:21 < gmaxwell> (e.g. in addition to normal bloom filtering, they'd receive the parts of blocks that modify any parts of the history where they have coins)
20:21 < sipa> gmaxwell: i really need to think hard about those MMRs
20:25 < gmaxwell> Crap crap. I solved some wizards relevant problem recently.. and I've forgotten to tell you all. I remembered it while writing that MMR post but then forgot it again by the end.
20:26 < gmaxwell> sipa: at the moment, the worst I can say about MMR is that enjoying its full potential requires more compromises than perhaps we can accept in bitcoin.
20:27 < gmaxwell> E.g. if you go 100% of the way to no one has the full history, then a bootstrapping node must only have SPV security.
20:27 < gmaxwell> OHHHHHH
21:27 < amiller> petertodd, is this deterministic structure
21:27 < amiller> it's not randomized?
21:27 < petertodd> amiller: Yes actually, 100% deterministic consensus.
21:28 < amiller> the structure depends only on the number of elements and nothing about the contents of the elements i mean
21:28 < maaku> amiller: yes, as far as i can tell
21:28 < petertodd> maaku: Well, it's worth measuring, but keep in mind that there's lots of useful things you can do with UTXO abuse, and I'd rather we get out of the game of lecturing everyone about it.
21:28 < petertodd> amiller: Yup.
21:29 < amiller> i still don't see it
21:29 < amiller> do you have any more illustrations
21:29 < amiller> of like insertions 1 through 10
21:29 < petertodd> amiller: did you see gmaxwell's link on my paper about MMR's?
21:29 < amiller> or pseudo code for insertion
21:29 < amiller> i don't care about the hashes just the tree is fine
21:29 < petertodd> //github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
21:29 < amiller> yes i have been reading that
21:29 < amiller> yeah i got that
21:29 < amiller> i can't understand it
21:30 < amiller> pseudo code for append plz
21:30 < petertodd> OK, so get out a piece of paper, and put a bunch of dots along the horizontal axis. Now from left to right, pair a few dots, then pair those pairs etc.
21:30 < maaku> amiller: just imagine a standard Merkle list
21:30 < maaku> but without satoshi's weird handling of the last element, so it's O(1) updatable
21:30 < maaku> on an append at least
21:31 < petertodd> hell, here's python code that actually implements it: https://github.com/opentimestamps/opentimestamps-server/blob/master/otsserver/dag.py#L203
21:31 < petertodd> maaku: yeah, what's interesting is the naive way of building a merkle tree, going left to right and just promoting the left most odd element, naturally gives you a MMR
21:32 < petertodd> maaku: All I've done is observed that you can cheaply build it incrementally and deterministically, as well as update it cheaply and deterministically.
21:32 < petertodd> *right most odd element
21:32 < amiller> https://github.com/opentimestamps/opentimestamps-server/blob/master/otsserver/dag.py#L396 i can't understand how this is O(1)
21:33 < petertodd> amiller: The append? technically it's O(log2(log2(n))) for n elements
21:33 < maaku> petertodd: yeah the way bitcoin actually does Merkle trees only makes sense because of the weirdness of how it's done using C++'s vector<> type
21:33 < amiller> oh
21:33 < petertodd> amiller: O(1) for short :P I mean, seriously, log2^2(n) does *not* grow very fast...
21:33 < maaku> i spent a long time trying to make sense of that when i first encountered it
21:35 < petertodd> maaku: Now what I don't get, is how can I update a UTXO radix tree without storing nearly all of it? Like suppose I have an ancient tx0, and I add tx1 where numerically tx0 and tx1 are very close to each other - how do I update the tree without having H(tx0)?
21:35 < amiller> still don't see why it's not log n
21:36 < petertodd> amiller: Not log n for append?
21:36 < amiller> right
21:37 < petertodd> amiller: Appending needs to touch only the "mountain tips", that is the perfect merkle trees already stored, and for n items stored you'll have log2(n) trees. (roughly)
21:37 < petertodd> amiller: I mean, it's actually whatever is the expression that gives you the number of perfect trees on average in n, but log2(n) is pretty close to that.
21:38 < amiller> then how do you get loglog n instead of log n
21:39 < maaku> petertodd: i'm not sure i understand the question. what you do to update proofs is walk the pruned proof-tree updating the pruned branches, as necessary
21:39 < petertodd> amiller: oh, sorry, I misspoke, so if you have n items, because the first perfect tree has log2(m) items, where m is whatever is the largest perfect tree, then the next largest, and so on, in total the number of perfect trees is about log2(log2(n))
21:40 < petertodd> maaku: But that's it: I want a system where to be a full validating node you don't need to store the whole UTXO set.
21:40 < petertodd> maaku: Er, I mean, a mining node.
21:40 < petertodd> maaku: With UTXO radix trees you can validate, but you can't update the UTXO set.
21:40 < maaku> petertodd: where did I say you need the full set? you don't
21:41 < maaku> require incoming transactions to have their own proofs
21:41 < maaku> mempool proofs can be updated using the delta-proof of the blocks, as they come in
21:41 < petertodd> maaku: That covers spending a transaction, but it doesn't cover making a new transaction output.
21:41 < petertodd> maaku: I can delete items from the UTXO set but I can't add new ones basically.
21:42 < maaku> petertodd: ? work it out, it does work
21:42 < amiller> if i have 2^5-1 elements, i have a perfect tree of size 2^4, a perfect tree of size 2^3, etc.
21:42 < amiller> that's log, rather than a log log, number of trees?
21:42 < petertodd> maaku: I have tried to work it out, and I just don't see how it's possible. I mean, look at it this way, if you have *none* of the UTXO set data other than the last top level commitment, can you add a new txout to it?
21:43 < amiller> maaku, with utxo commitments of any kind, you never need to store the whole utxo set to validate a tx that comes with a proof
21:43 < amiller> a validating node doesn't just get given raw transactions and told to look it up
21:43 < maaku> petertodd: yes, because the update proof would consist of the path through the *last* index to where the output is to be placed, and then the data to put there
21:44 < amiller> it's given transactions and proof
21:44 < amiller> maaku, now the question is what's required to take a raw transaction and build a proof
21:44 < petertodd> maaku: There is no update proof! It's a brand new txout.
21:44 < amiller> maybe you don't want an spv node to have to do it themself
21:44 < amiller> maaku, but suppose you are a storing node that has clients
21:44 < amiller> customers i mean
21:44 < amiller> for each address you care about, you may have to store up to 256 digests to support creating a proof for any transaction they have
21:44 < maaku> amiller: yes, someone somewhere needs to store the relevant paths to access coins in the utxo structure
21:44 < amiller> per coin they have
21:44 < amiller> maaku, yes but no one has to store *all* of them
21:45 < maaku> amiller: agreed
21:45 < amiller> each person interested in a utxo may have to store (and update) the proofs relative to those
21:45 < amiller> but they're not too many
21:45 < maaku> amiller: yes
21:45 < petertodd> amiller: Meh, call it appends are log2(n) if you want. :) I'd have to think through that one carefully, but anyway in any real situation there will never be more than, IIRC, 16 mountains or something like that so it's always pretty cheap.
21:45 < maaku> amiller: what are you arguing against?
21:45 < amiller> petertodd, well, it depends on whether they're growing unboundedly?
21:45 < amiller> i guess still there'll never be too many
21:45 < amiller> but yes i'll call it log n until i'm convinced otherwise :3
21:46 < petertodd> amiller: Yeah, you can see how it's certainly less than the log2(n) height of a tree.
21:46 < maaku> amiller: it wouldn't be 256 digests - the proofs are stored level-compressed, so it's log2(unspent outputs)
21:46 < amiller> that assumes they're random
21:46 < amiller> which is maybe
21:46 < amiller> but sure
21:47 < amiller> also if you do it level compressed you can do the concurrent proofs but w/e
21:47 < petertodd> maaku: Basically you're describing a system where someone has to have every single historic UTXO ever created just in case someone happens to need to create a new UTXO that happens to be adjacent to it in the radix tree, and that's not good.
21:47 < maaku> amiller: *stored* level-compressed, but expanded when used
21:47 < amiller> ok
21:48 < maaku> petertodd: no, i'm not. maybe you'll just have to wait for the bip to see
21:48 < petertodd> maaku: Whereas MMR TXO commitments are a system where you can throw out every bit of blockchain history, and still add new blocks.
21:48 < amiller> petertodd, oh, i see, you're right
21:48 < amiller> that's a good point
21:48 < amiller> you don't know what to hold on to
21:48 < amiller> in order to create a new address
21:48 < amiller> when you create a new address it's random bits
21:48 < maaku> to create a transaction you need *just* the path through the utxo set to your outputs
21:48 < petertodd> amiller: Yeah, you absolutely need the adjacent UTXOs to create the proof of modification.
21:48 < amiller> you'd have to go find people to query for each branch
21:48 < amiller> it's possible that the only people who had a relevant branch have gone and died
21:48 < petertodd> maaku: Yes, and that path needs at least one adjacent UTXO, which can be of any age.
21:48 < amiller> no one cares about them and they don't care about their coins
21:49 < amiller> but now it's a hazard for anyone creating a new address
21:49 < amiller> merkle mountain range fixes that just fine
21:49 < amiller> mmmm +1 insertion order sorted tree
21:49 < petertodd> amiller: Lol, I like the way you're describing it as a sorted tree. :P
21:50 < petertodd> amiller: Fortunately for the purposes of expiration it's sorted in the right order!
21:50 < amiller> every tree has a sort order, just sometimes it's a random permutation :o
21:50 < petertodd> amiller: Or I should say, pseudo-expiration.
21:50 < amiller> you can immediately forget it all
21:50 < amiller> it's great
21:51 < petertodd> amiller: Ha, yeah, it's one of those crazy systems that's almost too good: if everyone can forget it immediately, we damn well better hope someone doesn't.
21:51 < amiller> nah
21:51 < amiller> you remember if you care
21:51 < amiller> if you don't care then you forgot your private key anyway
21:51 < amiller> now here's the trouble is
01:40 < petertodd> now both input and output transactions are, in the general case, totally standard. (modulo the SIGHASH_NONE business... bit annoying that)
01:40 < gmaxwell> oh interesting, you applied the same transformation on both sides. now if everyone is honest its just a pair of 2 of 2 escrows.
01:40 < petertodd> yup
01:40 < gmaxwell> But if anyone is dishonest it becomes a set of interlinked hashlocked transactions.
01:41  * gmaxwell thinks for a minute
01:41 < petertodd> and if anyone is a shitty programmer we're in for a world of hurt :P
01:41 < gmaxwell> it'll be like namecoin
01:41 < gmaxwell> :(
01:41 < petertodd> how so?
01:41 < gmaxwell> get used for years by thousands of people and it won't matter if the transactions are really anyonecanspend.
01:42 < petertodd> until it breaks and we realize it doesn't actually work? yeah...
01:42 < gmaxwell> I note that the ABS() challenge transaction has free dinner sitting waiting for someone to take it. :P
01:42 < petertodd> needing eligius's help has problems here
01:42 < petertodd> ha, I know
01:42 < petertodd> shhh
01:43 < gmaxwell> petertodd: hm. I'm not actually sure your thing works. I don't see how you release the escrows.
01:43 < petertodd> what do you mean?
01:45 < gmaxwell> okay, nevermind I see it.
01:45 < gmaxwell> there are three layers of transactions going on here.
01:45 < gmaxwell> The default path, the refunds, and the anti-cheating.
01:46 < gmaxwell> transaction teleportation indeed.
01:46 < petertodd> yeah... I'll have to actually implement it to be sure I understand it myself :/
01:46 < gmaxwell> Someone a while back was trying to propose a teleportation protocol like this using 2of2 escrows, but he had nothing to prevent people from playing chicken (no hashlock idea)
01:47 < petertodd> figures, it's a nice idea, just tricky to come up with all three layers
01:47 < petertodd> like you need to be a wizard or something
01:48 < gmaxwell> heh. Yea, it needs all three layers to gain all its magical properties.
01:48 < gmaxwell> its great that it looks like a pair of unrelated 2 of 2 escrows.
01:48 < petertodd> yup
01:48 < petertodd> also, note that Alice and Bob can be the same person :)
01:48 < gmaxwell> that'll give it a pretty good anonymity set.
01:49 < gmaxwell> yea, amiller pointed that out right away.
01:49 < petertodd> heh, it's not totally obvious... and it's probably best if it's possible that they aren't!
01:50 < gmaxwell> I think it's actually more useful as something where they aren't.  Bitcoin is already private when you get paid. This makes you private when you pay (well, except towards carol)
01:50 < petertodd> yeah, and Alice can handle Bob's side of the transaction on Bob's behalf
01:51 < petertodd> turning this into a secure version of blockchain.info's send-shared
01:51 < petertodd> s/secure/trust-free/
01:52 < gmaxwell> Yep.
01:52 < petertodd> I think the main thing that sucks about it, is that it can't be arranged to all happen in one step - the rounds-trips are a nuisance.
01:52 < petertodd> Also, waiting for confirms sucks.
01:53 < gmaxwell> yea well that's a reason to note that alice can logically run it for bob. running it alice/alice allows alice to unlink funds before selecting bob.
01:54 < gmaxwell> the next obvious thing to do is to partner with a mining pool, so that carol is issuing freshly mined coins.
01:54 < petertodd> ah, yeah that's good
01:54 < petertodd> right, so essentially make a wallet where you setup txouts in advance using this method
01:54 < gmaxwell> Otherwise you always have to worry about crappy carols going and mixing up the funds in the future.
01:55 < petertodd> could be interesting to do this with a pool that had a bit of hashing power, and just wait until they make a block with the desired output right in the coinbase!
01:55 < petertodd> not practically more useful, but nice PR
01:56 < petertodd> heh, and then shuffle the incoming coins through the coinbase via fees...
01:56 < gmaxwell> meh, sullies the airgap.
01:56 < petertodd> not if more than one pool is doing this and they're mining anonymously
01:57 < petertodd> but yeah, better to pay out to miners with the coins coming in instead
01:57 < petertodd> s/miners/hashers/
01:59 < petertodd> anyway, at bare minimum the temporal ordering of the money going in and the money going out is disturbed, which is something coinjoin can't do
02:01 < petertodd> it'd be good to think if the efficiency can be improved - for instance can we construct the coins coming in such that they are actually being paid to someone who is getting coins out from a teleported payment happening simultaneously?
02:02 < gmaxwell> well, that hardly matters much if the transactions are conspicuous unless it is very widely used. With them less conspicuous it's more interesting.
02:02 < petertodd> yeah, we need more multisig-using wallets to have any hope of this not looking interesting
02:03 < gmaxwell> petertodd: I think its hard to do that, because while the alice->carol payment could really go to sue, the cheating escapes are specific to alice->bob.
02:03 < petertodd> might be good to use new pubkeys for all this stuff, so that bob can get the privkeys so he doesn't need NONE|ANYONECANPAY
02:03 < gmaxwell> oh that always has to be a requirement for any protocol where you sign stuff you can't see.
02:04 < gmaxwell> otherwise you risk getting tricked into signing a transaction you didn't intend to sign.
02:04 < petertodd> oh, but see, here I'm not sure you are actually signing stuff you haven't seen
02:04 < gmaxwell> you are for refunds.
02:04 < petertodd> true
02:05 < petertodd> w/ your p2sh anti-mutability trick
02:05 < gmaxwell> In general I think this kind of thing can go forward assuming mutability is just fixed. We're on our way to fixing it, and having applications it breaks is the motivation to finish the job.
02:06 < petertodd> yeah
02:06 < gmaxwell> today people use totally insecure trusted protocols... so something like this where refunds are fragile is probably fine in the short term.
02:06 < petertodd> yup
02:07 < petertodd> of course, this is an example where an alternative implementation is fidelity bonding it all, and it'd be a good deal more efficient given that alice pays a simultaneous bob
02:07 < gmaxwell> sort of a bummer that there is no great way to coinjoin into and out of the thing.
02:07 < gmaxwell> Because the fact that carol learns the matching is lame.
02:08 < gmaxwell> you could sandwich the thing inside coinjoins with extra transactions though.
02:08 < petertodd> yup
02:08 < gmaxwell> well I don't like anything that creates carol-inertia too much.
02:09 < petertodd> otoh, in a scheme where carol does learn, carol can always be paid off to get the logs
02:09 < gmaxwell> Because carol is a privacy point of failure and an attractive target. It's good that bonding carol doesn't make carol non-anonymous, but better if we can have lots of carols so that there is no obvious target to compromise... and all the really interesting traffic can traverse multiple carols.
02:10 < petertodd> so, here's the neat thing: there's an incentive to be carol too! you get new coins just as much as bob does
02:10 < gmaxwell> right that's why carol learning sucks, and it's one way CJ is strictly superior, in that it's not hard to totally blind CJ.
02:10 < gmaxwell> But I think in a world with both CJ and teleportation and lots of carols, logs are not so useful.. you get carols logs and the interesting traffic came in/out via another carol or via CJ.
02:11 < petertodd> sure, my point being though if you put this in a protocol, do it on a p2p layer and make the application play the role of both alice and carol when you want to get coins to pay bob
02:11 < gmaxwell> and while you could try to pay all carols chaum blinded CJ can't be bought, only flooded.
02:11 < gmaxwell> oh interesting. you make bob receive your carol role coins perhaps.
02:12 < petertodd> It should all be wrapped up in a "Pay bob!" and depending on who wants to do what, you'd either pay Bob by being Alice, or pay Bob by being Carol and using Alice2's funds to pay Bob
02:12 < gmaxwell> so you could be alice or carol, whichever is in more demand, and bob either gets bob coins or carol coins.
02:12 < petertodd> yup
02:12 < petertodd> Or even, depending on amounts available you'll wind up using both types to pay Bob
02:13 < gmaxwell> Every time I see you falling
02:13 < gmaxwell> I get down on my knees and pray
02:13 < gmaxwell> I'm waiting for that final moment
02:13 < gmaxwell> You say the words that I can't say
02:13 < petertodd> lol
02:15 < petertodd> though, with non-trivial tx fee costs the pure fidelity bonded version will probably be popular too...
02:15 < warren> I made a Bitcoin 0.8.5 branch with all backports that we have in Litecoin plus a few features that aren't committed to 0.9 yet.
02:15 < petertodd> it's interesting though, because there will always be a lot of transactions whose value is such that fees don't matter much
02:15 < warren> I found a bug in watchonly in the process.
02:16 < petertodd> oh good
02:16 < gmaxwell> warren: \0/
02:16 < warren> waiting for sipa to wake up
02:16 < warren> what should I call this branch ...
02:16 < warren> "plus"
02:16 < warren> "omg"
02:17 < warren> oh heck, I'm including NODE_BLOOM
02:18 < petertodd> heh
02:19 < petertodd> include Discourage fee sniping with nLockTime and you can really be living dangerously :/
02:19 < petertodd> (and determine if anyone uses it...)
02:19 < warren> petertodd: how dangerous is that?
02:19 < warren> petertodd: I'd like people to actually use this branch
02:20 < petertodd> warren: lol, Luke's been testing it for ages actually with no problems, but some badly written wallet software still handles final nLockTime wrong :(
02:20 < warren> I'd like to include https://github.com/bitcoin/bitcoin/pull/2839 but testing in Litecoin OMG2 suggests it doesn't work.
19:28 < gmaxwell> the proof can start at the point the txn of interest was mined.
19:28 < BlueMatt> that gets pretty expensive?
19:28 < gmaxwell> I mean, it's 80 bytes per header. so not really.
19:29 < BlueMatt> very expensive if you hold the alt for an extended period...
19:29 < BlueMatt> well, no miner is gonna mine a tx that is 80 bytes*N where N is a few weeks/months of headers
19:29 < gmaxwell> BlueMatt: oh no, you don't do it over the life of the alt.
19:29 < gmaxwell> crazy no no thats not how it works.
19:30 < gmaxwell> you take some coin and assign it to a scriptPubKey that can be redeemed by anyone who provides a SPV fragment from the altcoin showing any of those coins being reassigned back to bitcoin, with a sum difficulty of at least X.
19:30 < adam3us> gmaxwell, BlueMatt: a 1:1 peg - doesn't that import security risk from the alt into bitcoin? (i suggested a 1 way peg "bitcoin staging" only so bitcoin is security firewalled) are we talking about the same area of feature
19:31 < gmaxwell> adam3us: only to the limit of the alt. say the alt was somehow totally insecure... you could then steal all the bitcoins that had been assigned to the altcoin.
19:31 < gmaxwell> but no more.
19:32 < adam3us> gmaxwell: hmm that might be ok
19:32 < BlueMatt> adam3us: what gmaxwell said (if you decide to put your btc in the alt, sucks for you)
19:32 < gmaxwell> BlueMatt: one problem there is that isn't really spv security, it's "spv transcript" security, in that the bitcoin network isn't going to go out and find a longer chain.
19:32 < adam3us> BlueMatt: yes that is an acceptable trade off and already at risk with a 1-way peg
19:33 < gmaxwell> BlueMatt: But I did come up with a way to boost that to more like real SPV security with a bit more script power.
19:33 < BlueMatt> gmaxwell: well, ok, sum difficulty is one way...but very non-ideal
19:34 < gmaxwell> (you make the release of coins back into bitcoin two phase. The first phase you do a header proof for the release.. and that gets mined.. but it can only output to a special holding script with the following rules:
19:35 < gmaxwell> after N blocks the releasing party can grab the coins. OR at any point, any party can show a longer chain to prove the release was bogus. and then they can only be redeemed with a new release on a chain longer than that one.
19:35 < gmaxwell> In any case I think most of the stuff that's been said of any technical substance on this is in the coinwitness thread (where I suggest using SNARKs for C to compact the proofs, though its not essential): https://bitcointalk.org/index.php?topic=277389.0
19:36 < gmaxwell> obviously if you compact the proofs things start sounding more interesting from a scaling perspective.
19:37 < gmaxwell> also if the headers of the altcoin form a MMR (insertion ordered binary tree) it may be cheaper to prove long spans of difficulty.
19:37 < BlueMatt> yea, though depending on cutting-edge crypto is ugly...
19:38 < gmaxwell> BlueMatt: well there are less ambitious (efficiency wise) ways to construct these proofs, but they're larger... though I'm not sure if we could get the direct proofs down with special support. Maybe.
19:38 < gmaxwell> SPV fragments can be pretty small.
19:39 < BlueMatt> yea, its all a bit expensive, really
19:39 < BlueMatt> it would be fun to be able to peg arbitrary altcoins to bitcoin as it really addresses the issues altcoins cause
19:40 < BlueMatt> allows them to innovate (ie risk people's money) while not costing bitcoin's digital scarcity/competing on store-of-value
19:40 < gmaxwell> BlueMatt: one way is easy, just have them validate bitcoin too.
19:40 < adam3us> BlueMatt: agreed
19:41 < gmaxwell> BlueMatt: one point is that you could coinjoin your cross chain merges perhaps, to make them smaller. e.g. one proof and then a dozen transactions hop the gap.
19:44 < BlueMatt> gmaxwell: sure, but if you only peg one-way its really not particularly useful
19:44 < BlueMatt> well, it is, but not as useful
19:44 < BlueMatt> gmaxwell: sure, you could limit to like 1 coinjoin'd alt->btc tx per day
19:45 < BlueMatt> but even that could be expensive
19:45 < gmaxwell> I dunno, I mean, it's a serialized transaction and spv proof, plus some additional headers.
19:45 < BlueMatt> well, if you have 100 alts all doing that, it does
19:46 < adam3us> BlueMatt: I like 1:1 peg idea, I only suggested 1-way peg to insulate security, if you can insulate security to the coins in the alt, thats even better
19:47 < BlueMatt> as long as you limit it to the people who transferred their coins...
19:47 < BlueMatt> gmaxwell: hmm...
19:47 < gmaxwell> lets say there are 2^12 txn per altcoin block, ... lets imagine you make the altcoin txn themselves hashtree so you can get to only their outputs.. so say maybe 64 bytes for the altcoin output, 384 bytes for the spv tree. 4 bytes for a spv index, and 12 80 byte headers = 1.4k.
19:48 < gmaxwell> it's bigger than a typical ecdsa signature, but not murderous.
19:48 < gmaxwell> and if they coinjoin the biggest parts (960 bytes of headers, 384 bytes of hashes) can be shared.
19:49 < gmaxwell> adam3us: yea,  I don't think there is a security need to make it one way. If you can never "pull back" more from an altcoin than was sent to it, then only the holders of the altcoin are at risk.
19:50 < adam3us> gmaxwell: seems plausible indeed, i just didn't think of it in those terms at the time.  good
19:51 < gmaxwell> the altcoin is also a bitcoin node, and monitors bitcoin for coins assigned to the altcoin, and then permits someone on the altcoin to emerge those coins from thin air.. and then when you want to send them back you make a special transaction in the altchain and prove you did it to bitcoin.
19:51 < adam3us> gmaxwell: i suppose the other thing is it itself requires bitcoin changes, perhaps non-trivial ones, and that is part of the reason for the exercise.
19:51 < gmaxwell> yea, unfortunately it requires changes to bitcoin.
19:52 < gmaxwell> we could _almost_ do it in script without the disabled opcodes, but there are enough little corners that I suspect we can't.
19:52 < adam3us> gmaxwell: but an interesting enough change perhaps for motivation to be there as it creates an avenue for value preserving experimentation
19:52 < BlueMatt> 12 blocks seems shallow to me given most altcoins have no miners...
19:53  * BlueMatt thinks this solves the "alt problem"
19:53 < adam3us> BlueMatt: probably have to overcome the merge mining / side chain incentive problems somehow
19:53 < adam3us> BlueMatt: yes i like it a lot :)
19:53 < adam3us> ***adam3us wants to destroy all new digital scarcity race alts
19:53 < gmaxwell> BlueMatt: namecoin's difficulty is 81% of bitcoin's.
19:53 < BlueMatt> gmaxwell: really? wow
19:54 < adam3us> gmaxwell: that's because of heavy merge-mining tho because its been around for a long time
19:54 < gmaxwell> I seem to recall telling you this at the meetup here too. :P
19:54 < gmaxwell> adam3us: sure, but this would be merged mined too.
19:54 < gmaxwell> Now, one annoying issue is that MM makes the @#$#@$@# SPV proofs much bigger. :(
19:56 < BlueMatt> gmaxwell: though it does mean bitcoin miners with bitcoin blocks can do more verification :)
19:56 < gmaxwell> basically doubles the hashtree size plus the size of a bitcoin coinbase.
19:56 < BlueMatt> (though not with existing disabled script opcodes)
19:56 < gmaxwell> in any case, its doable and not unrealistic.
19:57 < BlueMatt> personally, if there's one feature we should enable in bitcoin (testnet) its this
19:57 < gmaxwell> it's not even a hardforking change in bitcoin.
19:57 < BlueMatt> but, we need f**$@#%@ reviewers
19:58 < gmaxwell> it can be deployed like p2sh.
19:58 < BlueMatt> well, to re-enable the script opcodes...
19:58 < gmaxwell> well this needs a bit more than script opcodes, and really, to make it efficient it would probably best be implemented directly.
19:59 < BlueMatt> yes
20:00 < gmaxwell> one optimization would be to have only SPV security inside bitcoin for those proofs too.
20:01 < gmaxwell> E.g. the txn that releases coins in bitcoin has just a hash of the proof in its scriptsig.  the actual proof must be provided along with blocks but only until they're sufficiently buried in bitcoin.
20:01 < gmaxwell> (after all, if the emergence in the other chain has only SPV security, no reason to have better security in bitcoin)
20:01 < adam3us> gmaxwell: i was going to ask how does bitcoin know the transaction is non orphan on the alt?
20:02 < gmaxwell> adam3us: thats what the 12 or whatever headers are for from the alt.
20:02 < adam3us> gmaxwell: i might make it 100 like mining confirmations
20:03 < BlueMatt> 100 was fairly arbitrary
20:03 < BlueMatt> though I dont like 12...
20:03 < gmaxwell> whatever, the altcoin could actually signal it with something in its headers.
20:04 < BlueMatt> yea
20:04 < gmaxwell> the big problem with making it big is that it creates a release delay in moving the coins back.
20:04 < BlueMatt> meh, who cares
20:04 < BlueMatt> even if the release delay is a day...
20:05 < gmaxwell> there are altcoins with 30 second blocks that advertise confirmed = 3 blocks
20:05 < BlueMatt> meh, I dont care about altcoins that are working at dumb knob-tweaking, I'm talking about altcoins that do actually useful research
20:06 < gmaxwell> well, its a fungibility thing. It's not really a bitcoin if it has a 24 hour ramp to move across. But one interesting thing is this:  You could do CoinSwaps nearly instantly with reasonable security.  So the real migration doesn't need to be fast because it's only needed to correct long term imbalances.
20:07 < BlueMatt> yep, thats what I was thinking
20:07 < BlueMatt> its really only to peg the value, not to act as something that need be traded regularly
20:07 < adam3us> gmaxwell, BlueMatt: yes agreed; cross chain atomic swa
20:08 < adam3us> gmaxwell: even with 1-way peg i was thinking it should have mostly balanced
04:36 < petertodd> jgarzik: also s/distributed consensus/decentralized consensus/ IMO
04:37 < petertodd> if we were merely distributed at least fixing a bug would be easy...
05:12 < gmaxwell> This sounds like the title of a paper which would be very useful when reading bitcointalk: "Optimal Error Correction Against Computationally Bounded Noise"
09:05 < jgarzik> petertodd, that's a good response
09:23 < jgarzik> petertodd, RE SIN private email (though my answer is of relevance here, perhaps):   general advice from you and gmaxwell on SIN is to not reinvent OpenPGP with its key expiration/revocation/other features.
09:24 < jgarzik> That advice seems wise.  However, it also seems like something a user would want (to revoke a SIN, handle the compromise case, etc.)
09:24 < jgarzik> Does OpenPGP permit integration of ECDSA as we use it -- just verify/sign messages, no crypto?
09:59 < petertodd> jgarzik: Yes. OpenPGP can have packets that only sign of course, and you can use one of the private signature algorithm numbers to implement secp256k1 directly.
10:00 < petertodd> jgarzik: The main disadvantage of OpenPGP is that libraries to work with OpenPGP directly kinda suck for now.
10:13 < jgarzik> petertodd, more than kinda
10:14 < jgarzik> petertodd, it is functionally the Tor situation: everybody tells you "Run This Binary, From This Anointed Codebase"
10:14 < petertodd> jgarzik: heh, well a direct OpenPGP library that's up-to-date doesn't exist except on Java...
10:14 < petertodd> jgarzik: there's a python library, but it's a few years out of date
10:15 < petertodd> OTOH you certainly could write enough to follow whatever you want for your SIN standard, and complete the library later
10:15 < jgarzik> true
10:16 < petertodd> I could use some OpenPGP library goodness myself for timestamping - I want to implement timestamping as a new signature algorithm. Something that you can't benefit from if you create yet another from-scratch standard.
10:17 < petertodd> You probably can also design SINs such that existing keyserver/wot infrastructure will be useful.
10:17 < jgarzik> petertodd, I think the existing keyserver/wot infrastructure is crappy and silly
10:17 < jgarzik> ;p
10:18 < jgarzik> way behind bitcoin community standards
10:18 < petertodd> I think you're very wrong on that actually; WoT is high-maintenance, but used correctly is very high security.
10:18 < jgarzik> petertodd, You've just described why it is crappy and silly :)
10:18 < petertodd> Even not used correctly it's a gigantic pain in the butt to compromise.
10:18 < jgarzik> petertodd, Most won't make the effort
10:19 < petertodd> jgarzik: So? Most don't make the effort, but equally many communities do and get to benefit from it. What'd be good is to have some centralized infrastructure using the same underlying mechanisms, so you can get the best of both worlds where appropriate.
10:20 < jgarzik> I try to target "most" not just high security types
10:20 < jgarzik> SIN/identity is for everyone, necessarily
10:21 < petertodd> Yes, but don't design systems that are gratuitously incompatible; after all, like it or not, SIN/identity is equivalent to WoT, just with odd trust-graphs.
10:23 < petertodd> Not unlike how there exists the PGP Global Directory Verification Key and CA Cert Signing Authority (Root CA)
10:23 < jgarzik> Average people will never have keysigning parties
10:23 < petertodd> Who cares?
10:24 < jgarzik> I do. Most contact will be digital attestations from
10:24 < jgarzik> governments, corporations, etc.
10:24 < jgarzik> Or private party-party transactions
10:24 < petertodd> Whether or not people have keysigning parties has absolutely nothing to do with whether or not you make a system that is WoT-compatible, rather than gratuitously incompatible.
10:26 < jgarzik> If SIN's ECDSA can be packetized within OpenPGP, it need not be gratuitously incompatible.  Compatibility with existing WoT is not a high priority, however.
10:27 < petertodd> Big question: what type of ECDSA do you want? OpenPGP has support for ECC already, although with snowden there's a chance they'll use different curves.
10:28 < petertodd> Get a copy of GnuPG >= 2.1 and you can try it out.
10:28 < jgarzik> bitcoin's curve and hash-fingerprint method, as specified in https://en.bitcoin.it/wiki/Identity_protocol_v1
10:29 < petertodd> Yeah, you can packetize all that stuff, initially by using the private signature algorithm numbers, and maybe later get an RFC assigned. I've looked into this stuff for OpenTimestamps. There's also per-signature annotation data possible, which is very extendable and would probably cover a lot of things.
10:30 < petertodd> You might also ask why are you so wedded to Bitcoin ECDSA anyway? Using standard RSA lets users make use of pre-existing hardware security stuff to keep their keys secure - a big win.
10:30 < petertodd> IE a bitcoin sacrifice can easily be a signature annotation.
10:32 < jgarzik> And there's no question the software landscape sucks.  Everybody forks the same 1990s era codebase (patched up to modern crypto but not necessarily modern engineering standards).  Ditto Tor.  The packetization is baroque.  But it's widely used, so rather stuck with the last.
10:33 < petertodd> Indeed it is. But baroque packetization and what not are going to be the easiest parts of the problem.
10:37 < petertodd> Keep in mind too how useful SINs added to OpenPGP would be: I'd love it if there was the infrastructure for my local government to attest that my PGP key was correct, and I'd love it if there was a nice way to sacrifice some Bitcoins in support of it.
10:38 < petertodd> There's no good reason to have a bright line separating the two - fundamentally it's all web-of-trust anyway.
10:40 < petertodd> Incidentally, OpenPGP should have the notion of negative signatures: I'm signing to say I'm pretty sure this signature is wrong, or this person is untrustworthy.
11:00 < jgarzik> agreed there is no /need/ for a line of separation
11:01 < petertodd> yes, and the line of separation is actually harmful in that it makes useful things, like the government of ontario signing my PGP key, not possible
11:09 < jgarzik> OK back from meeting.  Like I said, don't mind looking into wedding the two.  Codebase is an obstacle; packetization is just annoying thing to complain about, but not change :)
11:10 < jgarzik> so a just-the-bits-I-need codebase library compatible with OpenPGP is option, like you mention
11:13 < petertodd> jgarzik: yeah, well as I said, I need one too because I want to do timestamping of PGP signatures
11:15 < petertodd> oh, and amir said he's got plans to improve the web-of-trust, and he likes python...
16:14 < phantomcircuit> sipa, ps that wasn't a joke
16:15 < sipa> don't worry, i wasn't planning on answering
16:16 < phantomcircuit> i didn't think you were :)
16:27 < skinnkavaj> Has anyone reviewed this yet? https://bitcointalk.org/index.php?topic=308972.0
17:53 < Luke-Jr> skinnkavaj: sounds like a contradiction. 90-bit isn't strong.
--- Log closed Sat Oct 19 00:00:22 2013
--- Log opened Sat Oct 19 00:00:22 2013
00:11 < petertodd> jgarzik: http://www.rubygems-openpgp-ca.org/ <- interesting signing authority for ruby gems, the model could have some relevance when thinking about SINs
00:32 < gmaxwell> those people who's pow I was tearing apart a awhile back? they've posted a new one now offering a bounty to "convince [them] it's not better than scrypt"
00:32 < gmaxwell> I quote a line from their implementation:
00:32 < gmaxwell>			      fc::usleep( fc::microseconds(1000*1000*(1-_effort)) );
01:02 < phantomcircuit> gmaxwell, lolololol
01:02 < phantomcircuit> gmaxwell, what's the bounty?
01:02 < gmaxwell> 30 BTC. Have at it.
01:03 < phantomcircuit> gmaxwell, goat them into making it more
01:03 < phantomcircuit> then claim it
01:03 < gmaxwell> Well, I know from my past experience with them that they'll claim any flaw is a placeholder, so collecting will likely be hard unless you really smoke them bad.
01:03 < phantomcircuit> gmaxwell, it's the mastercoin people right?
01:03 < gmaxwell> (and indeed, I'm sure the sleep for low difficulty really is just a placeholder honestly.. still crazy to see it there)
01:06 < gmaxwell> phantomcircuit: these people: https://bitcointalk.org/index.php?topic=313479.0
01:14 < phantomcircuit> oh
01:14 < phantomcircuit> shrug
04:43 < petertodd> gmaxwell: oh, that was fun to tear apart - I nearly wound up replying with a bunch of VHDL code
04:44 < gmaxwell> petertodd: hahah
04:44 < gmaxwell> I had fun de-memoryhardening their last one.
04:44 < gmaxwell> but it was even more of a toy.
04:45 < petertodd> gmaxwell: I actually sketched out a VHDL implementation of an ASIC, although I held off posting because I was sure there was enough detail there to make a fool of myself :P
04:45 < petertodd> what was their last one?
04:46 < warren> will they actually pay?
04:47 < gmaxwell> https://bitcointalk.org/index.php?topic=279771.msg2996823#msg2996823
04:49 < petertodd> sheesh
04:49 < gmaxwell> they they responded with a bunch of "oh it's not really done" and then rapidly put up a new one.
04:49 < gmaxwell> and apparently they have a new one still. :P
04:49 < petertodd> Though this is an interesting question: maybe it's not possible to make a proof-of-work algorithm where verification is symmetric, and yet doing the work must be sequential - there's a similar result from timelock puzzles IIRC.
04:51 < gmaxwell> verification is symmetric?
04:51 < petertodd> er, asymmetric
04:53 < gmaxwell> well does fiat-shamirizing my idiot solution to proof of storage yield what you want?   POS the data you are working on, sort the leafs, build a new hashtree and construct a verification proof that convinces someone that it queries a sorted version of the list.
04:53 < gmaxwell> The proof would be somewhat big, alas.
04:54 < sipa> wait, a PoW function that sleeps...?
14:40 < adam3us> amiller: i think you can almost do it (ZKP) - the thing that is eluding me is a blind proof of work where the work survives the unblinding operation and is encoded in representation problem format (like pederson commitment or brands credentials)
14:40 < adam3us> amiller: if you had that you could prove the number of confirmations on a coin > 6 without revealing the block
14:41 < adam3us> amiller: and with homomorphic values you could prove everything adds up before mining
14:44 < adam3us> amiller: there are a number of failed partially useful prototype blind proofs of works on this thread https://bitcointalk.org/index.php?topic=308009.msg3302321#msg3302321
14:46 < adam3us> amiller: and some related ones on this thread for secure offloadable KDF to harden brain wallets or encrypted wallets (that your attacker has the encrypted wallet file) https://bitcointalk.org/index.php?topic=311000.msg3341985#msg3341985
14:48 < adam3us> as close as I got was a "partial discrete log", however its really hard to get the work to survive unblinding like a close schnorr signature forgery (not an actual forgery but a number somehow close to a real one with an arbitrarily closeness metric)
14:51 < adam3us> amiller: "amiller: well committed transaction doesn't mean the transaction is valid ... adam3us: it does mean its not double spent however" i think you might be able to build on that because committed tx prevents many miner abuses
14:55 < amiller> adam3us, how would you get fees for the committed tx
14:56 < amiller> because the committed tx still takes up utxo space it should have to be paid for
15:05 < adam3us> amiller: yes the committed tx has to include a clear text fee outside, which has to be sent from a clean/taint free address
15:06 < adam3us> in this way you can make tainted tx, fixing the taint problem (at least as far as miner influence)
15:06 < adam3us> curiously even if 99.9% of mining power dislikes and would like to block your tx based on who you are, how much you're paying or who you're paying it to
15:07 < adam3us> they are essentially powerless to do it, because you are using their power against themselves
18:56 < Luke-Jr> https://en.bitcoin.it/wiki/Myths#Bitcoin_makes_self-sufficient_artificial_intelligence_possible.2C_which_will_in_turn_become_self-aware_and_decide_to_exterminate_humanity
18:56 < Luke-Jr> ^ elaboration would be good
18:56 < Luke-Jr> and/or better arguments against it
19:24 < gmaxwell> heh. We should ask MIRI to write the response to that one.
19:24 < Luke-Jr> MIRI?
19:25 < petertodd> Luke-Jr: lol!
19:25 < gmaxwell> Luke-Jr: http://intelligence.org/research/
19:25 < Luke-Jr> interesting, didn't know that existed
19:26 < petertodd> Luke-Jr: I am a bit worried though, because just the other day an industrial robots safety controls malfunctioned and I got a damn hard kick to the groin... not quite sure what that means
19:28 < Luke-Jr> hmm
19:29 < petertodd> Maybe it's actually Litecoin that becomes self-aware? Or PPCoin?
19:29 < Luke-Jr> then I'd be dead
19:29 < gmaxwell> https://en.bitcoin.it/wiki/Myths#Bitcoin_makes_self-sufficient_artificial_intelligence_possible.2C_which_will_in_turn_become_self-aware_and_decide_to_exterminate_humanity  revised answer.
19:29 < gmaxwell> maybe litecoin is self-aware but suicidal?
19:29 < petertodd> gmaxwell: ooh, maybe?
19:29 < Luke-Jr> lol
19:30 < Luke-Jr> gmaxwell: doh! Satoshi is AI!
19:30 < gmaxwell> (I was going for "Oh. Okay. ... hey, wait a minute! oh shit!" as the response to that response)
19:30 < petertodd> though if I were a self-aware AI, I'd want a PoW algorithm that was more general purpose
19:31  * petertodd is suspicious of NeuroCoin, the one with the neural-net based PoW algorithm
19:31 < Luke-Jr> I must have missed that one :o
19:31 < petertodd> lol, I'm sure if someone makes it it'll get adherents
19:31 < gmaxwell> petertodd: heheh. I'm imagining now an aprilfirst coin whose PoW is translating arabic phrases. :P
19:34 < petertodd> oh that's good...
19:34 < petertodd> or make one whose PoW happens to be running nuclear weapon simulations
19:35 < BlueMatt> brute forces encrypted information downloaded from *.nato.gov...
19:36 < petertodd> or maybe the wikileaks dump?
19:36 < BlueMatt> heh
19:36 < petertodd> prove you're trying to crack the key?
19:36  * petertodd wonders if there's a known header that could be used to verify if a crack worked
19:39 < warren> As if this chat room wasn't already on the NSA watch list.
19:39 < petertodd> actually, that'd be interesting: the pow would have to be for you to prove you tried to crack it, using AES similar to how SHA256 works. Except actually cracking the key isn't something you make progress too, so you'd have to add a separate rule that an actual crack is worth a reward.
19:40 < petertodd> So force guesses to be done with a PRNG, and you need to show that your guess was generated by H(pubkey + nonce)
19:40 < petertodd> er, really H(merkle-root + nonce)
19:40 < sipa> warren: watch list?
19:40 < sipa> warren: i expect most of you to be nsa agents
19:41 < BlueMatt> petertodd: find decrypted data that is either the correct value or < target and use that as pow
19:41 < BlueMatt> sipa: you arent? you may be the only one
19:42 < BlueMatt> petertodd: or, better yet, decrypted data whose hamming distance is < target from the real header
19:42 < sipa> BlueMatt: i didn't expect you guys to be so honest about that
19:43 < petertodd> BlueMatt: doh, yeah, that's perfect
19:43 < warren> BlueMatt: compartmentalization
19:43  * BlueMatt goes to code that up for next april
19:43 < warren> who watches the watchers?
19:44 < maaku> warren: i do
19:44 < petertodd> sipa: ha, just the other day I had a TLA agent ask me if I wanted him to set up an interview with another TLA agent he knew. (serious)
19:44 < petertodd> sipa: said TLA agent said "I can't blame you" when I declined, pointing out my answer would have been different six months ago...
19:45 < sipa> wth?
19:46 < BlueMatt> what was the presentation at one of the blackhat-cons like a year ago that went into detail on all the info they were able to get on classified projects from linkedin?
19:46 < BlueMatt> it was really quite comical
19:46 < petertodd> sipa: snowden; it's caused a huge crisis of confidence within all these agencies, they've got a lot of people internally who are reconsidering why they work for the people they do
19:47 < petertodd> sipa: remember that things are sufficiently compartmentalized that it's not "in your face" that the stuff snowden leaked was actually happening, and they're good at putting people with politics more like mine in departments that don't have to know
19:49 < petertodd> sipa: nevermind the outright embarrassment... a lot of what's been leaked shows these agencies *aren't* all knowing and all powerful - a big part of the draw at working in places like that is you're working with the best and brightest, but, snowden shows pretty clearly that you aren't
19:50 < sipa> k
19:50 < jrmithdobbs> petertodd: this is not particularly surprising
19:50 < sipa> i can't say i've sufficiently followed it all
19:52 < petertodd> jrmithdobbs: yup, money can only do so much. Something I think is especially striking is how it's been revealed that the NSA relies really heavily on highly scripted checklists so that very average techs can execute attacks without getting into trouble.
19:53 < petertodd> jrmithdobbs: or how the crypto-attacks they do have all involve what people have been suspecting all along, and don't involve math all that beyond what is known publicly
19:53 < jrmithdobbs> petertodd: you're assuming they're paying that well, and they're not
19:53 < jrmithdobbs> petertodd: even for the people creating said attacks
19:54 < maaku> hah they definitely do not pay well
19:54 < petertodd> maaku: ha, personal experience?
19:55 < maaku> worked for the government / contracting, yes, spy agency no
19:55 < jrmithdobbs> petertodd: eg, the fake "outrage" over snowden's salary is hilarious to me, he was making a little above average for his experience on the west coast, not even that much above really
19:55 < petertodd> What I was told, is that the pay isn't much beyond private sector, but the benefits are very good, esp retirement benefits that really induce people to stay for their whole careers and stay loyal.
19:55 < maaku> if you're a civil servant yes
19:56 < jrmithdobbs> petertodd: those are just rationalizations people make, the benefits aren't that great and haven't been anywhere in the fed gov since reagan
19:56 < sipa> jrmithdobbs: what was his pay?
19:56 < maaku> after 25yrs you get full pension (low six figures), and then you usually 'retire' to a higher paying private job
19:56 < jrmithdobbs> sipa: like 125ish iirc
19:56 < sipa> 125k USD/year?
19:56 < jrmithdobbs> ya
19:56 < sipa> that's all?
19:56 < maaku> yeah you could snag that out of college in silicon valley, in the right industry
19:56 < jrmithdobbs> ya
19:57  * sipa hides
19:57 < jrmithdobbs> exactly
19:57 < petertodd> maaku: sounds like what I was told. Of course, you want to be careful with pay: you don't always want people who are pay oriented, especially in the short term.
19:57 < sipa> jrmithdobbs: wikipedia says 200k
19:58 < petertodd> Note how reports are snowden was paid a heck of a lot fairly early in his career.
19:58 < jrmithdobbs> sipa: meh, so he got the equiv of stock grants
19:58 < jrmithdobbs> good for him
19:58 < maaku> sipa: IIRC he filed an income tax for one year that was closer to 200k, but that was with additional income and was a one-time thing
19:59 < maaku> but nevertheless that's of course what the media quotes
19:59 < jrmithdobbs> maaku: ah
20:01 < maaku> the thing is these jobs are *very* stable. so they usually hire people below market rates, and they stay for the stability
20:02 < jrmithdobbs> ya so long as you can cope with the bs
05:24 < petertodd> well, without UTXO commitments and SPV nodes being able to ask peers for UTXO's I'm not sure that there's actually much difference between P2SH^2 and not - dust rules make UTXO bloat expensive anyway, so data-using apps naturally will spend their UTXO's just to keep things cheap
05:24 < petertodd> point is, right now you *can't* query the UTXO set, so there's no difference to storing data in it, vs. storing data in the blockchain in general
05:25 < sipa> but P2SH^2 dosn't let you query it either
05:26 < sipa> gtg
05:27 < petertodd> no, but if you can't query, simple things like dust-rules are fine because there's no *advantage* to storing your data in the UTXO set
05:28 < petertodd> It's something I like about MMR TXO commitments: they *don't* make it easy to prove the existence of a *class* of TXOs
05:31 < sipa> right, but p2sh^2 makes storing any data at all hard
05:31 < petertodd> no, it's still perfectly possible with P2SH multisig
05:32 < petertodd> not much more expensive than a bare CHECKMULTISIG that you spend
05:32 < sipa> true
10:41 < jgarzik> gmaxwell, JFYI check out @jgarzik or @matthew_d_green on twitter, there have been some good conversations reviewing ECDSA + bitcoin
10:41 < jgarzik> (twitter is fscking awful for referencing threads like this...)
10:42 < jgarzik> sipa, ^
10:42 < jgarzik> https://twitter.com/pbarreto/status/392279389716504576  scroll up and down
10:47 < gmaxwell> what gibberish are these people spewing
10:47 < gmaxwell> of course it checks if the point is on the curve or the twist.
10:48 < gmaxwell> and our implementation checks signatures after creating them.
10:51 < gmaxwell> man, twitter sucks.
10:53 < gmaxwell> in addition to the email I sent you,  I also posted this: https://bitcointalk.org/index.php?topic=285142.msg3118788#msg3118788
10:54 < gmaxwell> hm. but I don't seem to point out that bitcoin-qt validates after signing, (and I consider this a best practice)
10:54 < gmaxwell> I guess that should get put in neon lights someplace.
10:56  * jgarzik noticed that when adding signing to node-libcoin
10:56 < jgarzik> Just figured it was sane, good practice
10:57 < jgarzik> Didn't know that validate-after-signing was more important than that
11:02 < petertodd> jgarzik: I'll do my NODE_BLOOM bip as the first pull-req
11:02 < gmaxwell> yea, for our curve (which, like most, is not twist secure) bitflips during multiplies can result in you effectively using an alternative not-secure curve. The result won't validate... but it may be possible to recover private keys as a result.
11:04 < gmaxwell> though really, a better curve can only partially fix that:  a bitflip in a pointer can just have the signature splat out your private key directly, if not validated. :P
11:07 < amiller> can anyone here tell me about DIANNA
11:07 < amiller> as far as i can tell it's the only elaborated idea that is susceptible to a kind of merge mining attack where you withhold some data, and then later release it
11:07 < amiller> and someone who later sees it will choose the wrong chain because of timestamp order
12:21 < Muis> I thought of an alternative to proof-of-work, but I need some critique of it by someone with a sound knowledge of the bitcoin protocol
12:22 < Muis> so if anyone has the time/skills to review my idea, let me know!
12:57 < Luke-Jr> did gmaxwell resign as BIP editor?
13:09 < jgarzik> Luke-Jr, gmaxwell is fine too
13:10 < jgarzik> wiki-as-primary is not the best path forward, IMO
13:10 < Luke-Jr> sure, but I don't see why that means we should change BIP editor. gmaxwell has been doing a good job IMO :P
13:11 < jgarzik> TBH I simply was not aware of gmaxwell as BIP editor
13:11 < jgarzik> it seemed quite chaotic and unedited
13:13 < sipa> the 'editing' was just that he was the person to assign BIP numbers
13:28 < maaku> amiller: what's unique about the DIANNA merge-mine attack?
13:40 < maaku> you mean that you can simultaneously mine two or more forks, double-counting the PoW?
13:43 < gmaxwell> Yea, the only task I had was assigning the numbers when it looked like there was some agreement that there should be one. (No lack of desire to do more or less on my part, I'll do whatever people want)
18:51 < sipa> petertodd: care to explain MMR's in some more detail?
18:51 < petertodd> sure
18:51 < sipa> i can come up with a few datastructures that seem to match the general direction you're going in
18:51 < sipa> but i'd like to know exactly what you're thinking about
18:51 < petertodd> you read my thing on MMR's?
18:52 < sipa> no, where?
18:52 < petertodd> https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
18:52 < petertodd> doesn't mention that they are cheaply updatable, but otherwise it's complete
18:59 < sipa> ok, so you have an O(1) append, O(log(n)) updatable merkleized datastructure
18:59 < sipa> what do you store in it?
18:59 < sipa> transaction outputs, including their spentness bit, i suppose
19:00 < petertodd> yup, same as the UTXO set
19:00 < petertodd> though I was thinking that H(scriptPubKey) wouldn't be a bad idea - kinda the same effect as P2SH^2
19:00 < warren> Regarding https://github.com/bitcoin/bitcoin/pull/2900 I'm guessing that the people with working exploits really don't want to discuss it in public.
19:00 < sipa> so they are not indexed in any way - you have to know where a particular element resides
19:00 < warren> The discussion has been dysfunctional from people being unwilling to discuss it openly.
19:01 < petertodd> sipa: yup, which is good, because that's what lets you append without having any of the data
19:02 < petertodd> warren: yeah, it's a complex issue... frankly, meh :)
19:02 < petertodd> warren: mike, gavin and I disagree on philosophical, not technical grounds
19:03 < petertodd> sipa: vs. UTXO sets where any given append might need a UTXO from any point in history
19:05 < sipa> so, how much does a client need to know to update his wallet's txo set?
19:05 < sipa> later blocks will only build new nodes next to, or on top of his nodes
19:06 < petertodd> sipa: well, basically you want a complete path to the most recent commitment. Now every new block will tend to invalidate the latter part of that path, but the beginning is only invalidated when adjacent transactions are spent.
19:07 < sipa> petertodd: so, i wonder, what if instead of a single mountain range, you just have a single tree per block
19:07 < sipa> with its transaction outputs, ordered
19:07 < petertodd> sipa: right! and I think that's a good idea actually, although you still need the MMR to commit the state of all blocks
19:07 < petertodd> ordering transaction outputs is nice of course for proof reasons
19:07 < sipa> that means that once a tx is in a mined block, a wallet doesn't need to know anything anymore
19:08 < sipa> you might even optimize a bit, by scrapping outputs spent within the block itself already
19:09 < petertodd> yeah, see, I'm a bit divided on that actually: I'm not sure that outputs being spent within a block is conducive to compact fraud proofs
19:09 < sipa> i'm unfamiliar with the word 'conducive'
19:10 < petertodd> I was thinking that given that wallets basically never have a good reason to spend unconfirmed coins that someone just gave them, it's not unreasonable to say txs in a block may only spend txs prior to that block, provided that tx replacement is available to rewrite txs to add new outputs when you make a few txs in a row
19:10 < petertodd> "making a certain situation or outcome likely or possible."
19:10 < sipa> i don't see why they'd never have reason for that?
19:11 < petertodd> basically just that it's dangerous re: double-spends generally, not to say it's absolutely never useful
19:11 < petertodd> anyway, I gotta think about that more
19:11 < sipa> well in many cases you do trust the sender
19:11 < sipa> in particular when it's yourself
19:12 < petertodd> yes, although if it is yourself, you could just as easily replace the transaction with one with more outputs
19:12 < petertodd> (usually)
19:13 < sipa> i guess you can build an MMR on top of the block's root state hashes
19:14 < petertodd> yeah, which is ugly... I dunno, I'm just inclined to leave it out if it looks at all complex frankly. We really want fraud proofs to have as few code-paths as possible.
19:14 < sipa> but the benefit is relatively small - you just need to maintain each block's top
19:14 < petertodd> They terrify me enough already.
19:14 < sipa> which grows linearly
19:14 < petertodd> ?
19:14 < sipa> the number of blocks grows linearly in time
19:15 < petertodd> oh, no, building an MMR on top of that is absolutely mandatory to be able to generate fraud proofs
19:15 < sipa> hmm?
19:16 < petertodd> basically the issue is that while the size of the block root hashes is small, the TXO commitments of them change constantly as transactions are spent, so it's unrealistic to expect a low-bandwidth client to have an up-to-date version of that, yet they still will want to be able to reject a block
19:17 < maaku> it might be true though that it is simpler for a light(er) client to work with an MMR of block root hashes
19:17 < petertodd> for instance, imagine if every txout spent in a block was from a different block - that could be a few thousand roots changed at once even with 1MB blocks
19:18 < petertodd> maaku: yeah, and MMR's of block roots help out for other reasons too
19:18 < maaku> i mean, opposed with a straight MMR over a linear sequence of txouts
19:19 < petertodd> maaku: yeah, I was thinking that doing the MMR over just the block roots was the way to go - one good reason is it makes it conceivable that multiple nodes could co-operate to create a block in a low-bandwidth per node way
19:20 < petertodd> also keeps txin proofs reasonably small, especially if it were done with 20-byte hashes
19:23 < sipa> so, each txin must give the merkle path from the prevout point to a known root
19:23 < sipa> which can be used both to verify that it actually existed, and to compute the new root
19:24 < petertodd> exactly
19:24 < petertodd> and what's also nice is those proofs can be easily composed, as well as updated. (similar to maaku's points re: composing radix trees)
--- Log closed Tue Oct 22 00:00:31 2013
--- Log opened Tue Oct 22 00:00:31 2013
15:14 < gmaxwell> petertodd: RE: pay to contract... here is a snazzy #-wizards idea.
15:15 < gmaxwell> petertodd: merchant gives the proposed contract to the user along with a bitcoin pubkey and a pairing pubkey.
15:15 < gmaxwell> User picks a pairing pubkey and a bitcoin pubkey.
15:20 < gmaxwell> User sums the two pairing pubkeys to get a third, shared, pairing pubkey.
15:20 < gmaxwell> (darnit, lost power)
15:22 < gmaxwell> User uses the pairing pubkey and forms a chameleon hash on the contract. He then uses the pairing pubkey + contract hash as the contract with the merchants pubkey in a 1 of 2 pay to contract, with his other bitcoin pubkey in the other side.
15:23 < gmaxwell> The merchant accepts by redeeming the transaction.
15:23 < gmaxwell> The addition of the chameleon hash permits the merchant and the customer to cooperate to create alternative contracts.
15:23 < gmaxwell> So the blockchain is not evidence of the substance of their contracts if they don't choose it to be.
15:26 < gmaxwell> (One of the problems with pay to contract is that they make the existence of a contract public, so perhaps you could be coerced to providing the contract for a particular transaction)
16:47 < amiller> gmaxwell, petertodd one of you mentioned a python library for spamming the network with txs
16:47 < amiller> do you remember that
16:47 < amiller> i think it might have just been pyspend
16:47 < petertodd> ?
16:47 < amiller> not spamming the network but just taking a file and stuffing it in transactions
16:47 < petertodd> oh, the data upload script
16:48 < amiller> yeah that
16:48 < petertodd> that was inserted into the blockchain in marchish
16:48 < petertodd> I'm sure there's a pastebin of it somewhere
17:29 < gmaxwell> I almost forgot to do the obligatory internet sightseeing while in the UK.
17:29 < gmaxwell> Ah. There we go: "Sorry, the web page you have requested is not available through Virgin Media."
18:12 < midnightmagic> gmaxwell: what the hell?
18:14 < gmaxwell> censored internet. :)
18:15 < midnightmagic> gmaxwell: s/what the hell?/which website was it?/
18:15 < midnightmagic> such crap. all they're doing is providing strong pressure to make an uncensorable internet.
18:26 < maaku> is that the porn legislation, or are they blocking other stuff too?
18:27 < warren> does the law actually require that?
18:30 < pigeons> they caught him for attempted circumvention of the queen's filter
18:33 < petertodd> gmaxwell: what do you mean by "pairing pubkey" ?
18:34 < petertodd> gmaxwell: and what's a good and practical chameleon hash?
19:10 < maaku> warren: my understanding was that the PM tried to push legislation, then backed off when there was outcry and some ISPs agreed to preemptively filter
19:11 < maaku> but i'm not in the UK and haven't been paying attention recently
--- Log closed Wed Oct 23 00:00:35 2013
--- Log opened Wed Oct 23 00:00:35 2013
22:44 < gmaxwell> petertodd: any luck getting that coinjoin transaction mined yet?
--- Log closed Thu Oct 24 00:00:38 2013
--- Log opened Thu Oct 24 00:00:38 2013
00:09 < amiller> petertodd, so about DIANNA
00:10 < amiller> it claims that by requiring that it contain a hash to a parent block in the Bitcoin chain that it's invulnerable to a 51% attack on DIANNA miners, as long as there's no 51% attack on Bitcoin proper
00:11 < amiller> and that just absolutely doesn't work
00:12 < gmaxwell> I tried to tell people about that on some other recent MM thread, but my patience in arguing with people is, in fact, not boundless. (shocking, I know)
00:12 < petertodd> I think we found a bug in gmaxwell
00:13 < gmaxwell> Unfortunately I wasn't able to come up with a crisp statement about the security model, at least in the general case absent a lot of implementation details.
00:13 < petertodd> I haven't gotten around to reading it, but it's probably vulnerable to data hiding attacks where you timestamp your chain and release it later
00:14 < gmaxwell> petertodd: if bitcoin miners aren't also XXX miners then a tiny minority of bitcoin hashpower can insert $bad or whatever commitments for the other thing. What happens then depends on the details of how the other thing works.
00:14 < petertodd> I wouldn't assume it's worthless though; it looks like in specific conditions timestamping instead of proof-of-work can work, for consensus although the incentives get weird and you become subject to attack by bitcoin miners
00:15 < amiller> oh i think i get it
00:15 < amiller> okay it is how i thought it was before
00:15 < amiller> so it does have to be a valid bitcoin block
00:15 < gmaxwell> petertodd: perhaps not worthless, but strong statements like "as strong as bitcoin" can't be true.
00:16 < petertodd> amiller: yeah, that's the only sane way to do it
00:16 < amiller> ugh i can't tell whether "the longest dianna chain" is chosen just by chronological order in bitcoin or whether it adds up the difficulty
00:16 < amiller> i think there isn't even any code for this for me to dredge through
00:16 < petertodd> gmaxwell: nope, OTOH statements like "way stronger than your shitty MM chain" can be
00:16 < gmaxwell> amiller: haha this totally sounds like this discussion: https://bitcointalk.org/index.php?topic=313347.0
00:16 < amiller> anyway in either case it offers no security beyond being an otherwise merge mined chain so they're flat wrong
00:16 < petertodd> if there's no code I wouldn't put too much effort into it
00:18 < amiller> ok, deleted
00:19 < amiller> btw i'm working on a paper to submit to IEEE Security and Privacy, in 3 weeks, the academic security conference for bigshots
00:19 < amiller> it's a "systemization of knowledge", so kind of a survey, but this one is about protocols using bitcoin as a platform, and all the proposed ideas for modifying bitcoin and altcoins, etc
00:20 < amiller> i'd paste a link but it's in too poor shape atm :/
00:20 < petertodd> oh yeah? I'm working on something about colored coins, which has kinda extended a bit into consensus systems in general
00:21 < petertodd> I'll post a link because I have no shame: https://github.com/petertodd/decentralized-consensus-systems
00:24 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=317028.0 < perhaps they need some contract work done to produce nice proofs of ownership investors can check.
00:24 < petertodd> gmaxwell: good idea.
00:24 < petertodd> there was another group at the conf with a similar problem
00:25 < gmaxwell> if we're to have a future which isn't stuffed full of fractional reserve the tools need to exist soon so the community can force them onto people.
00:25 < gmaxwell> but it would be nice if someone who wanted them as a competative advantage would pay to get them built.
00:26 < amiller> what is the challenge with making a merkle tree storage-hard pow
00:27 < gmaxwell> no one who cares a lot about alternative pows has enough braincells to understand why such a thing would be desirable?
00:27 < amiller> i thought the scheme i described a long time ago that's based directly on dwork&naor memory-bound moderately hard puzzles works fine and is "asymmetric" in the sense that it's cheap to check regardless of how much work it takes
00:27 < gmaxwell> oh you mean for the proof of storage once.
00:27 < amiller> yes
00:28 < amiller> petertodd just reminded me about it
00:28 < gmaxwell> amiller: your stuff is more like "Proof of storage throughput over some data"
00:28 < amiller> right it involves reading instead of writing and reading
00:28 < gmaxwell> amiller: the storage-hard stuff we're talking about is  proof of using up space.
00:29 < gmaxwell> (no real throughput component at all)
00:29 < amiller> and a merkle tree over it is too hard?
00:29 < amiller> oh
00:29 < amiller> but the space can be arbitrarily large
00:29 < amiller> as a parameter
00:30 < gmaxwell> amiller: yea. The idea is that you can use temporarily chewing up disk space as a gatekeeper to opening a peering connection, so that a diskspace bounded attacker can't use up all the connection capacity on the network.
00:31 < amiller> okay i think i see
00:31 < gmaxwell> (also has the benefit of basically zero hardware specialization gain, even stronger than any memory hard throughput function has)
00:32 < amiller> well i dont see about that
00:32 < amiller> you can make the memory hard throughput puzzle (or if you don't need it to be a scratchoff puzzle you can just do a single proof of retrievability which is like one round of that) use arbitrarily as much space
00:33 < petertodd> gmaxwell: and no, no luck in getting them mined
00:33 < gmaxwell> sure, but throughput puzzles at least have gains from making faster space. Bulk storage is one less thing to optimize for. And it can avoid an ongoing cost.
00:34 < amiller> well forget throughput, this isn't for mining
00:34 < amiller> it can be interactive challenge/response
00:34 < amiller> you can make them commit to an arbitrary merkle tree of power-of-two number of leaves n
00:35 < amiller> each leaf i consists of   H(challenge || i)
00:35 < gmaxwell> amiller: for the goal I stated you need different state per every "server" or a client could have one copy of the data and connect to 100k servers.
00:35  * gmaxwell lets you talk
00:36 < amiller> okay so to make it a little easier do H(verifierID || i) for each leaf i
00:36 < amiller> (so they don't have to interact with you before preparing their disk)
00:36 < amiller> then verifier sends a challenge
00:36 < gmaxwell> and the challenge is?
00:36 < amiller> random string to use for this session or the next five minutes or whatever
18:50 < gmaxwell> nanotube: because presumably we don't have 99% of nodes being run by people who are out to make a profit doing it.  Offering some money to run spy nodes (or whatever) would only switch a small percentage of the total nodes.
18:51 < gmaxwell> nanotube: vs if running a node were widely seen as a money making endeavor, perhaps it would switch most of them.
18:51 < gmaxwell> It's a concern, I'm not sure its a good one.
18:52 < gmaxwell> but I've seen with mining that introducing money into things creates a lot of weird effects. Pirate's hashrate buying service got a LOT of hashrate...
18:52 < nanotube> well, i see what you are saying. but i'm not sure if we model it with real variables, it's actually a concern. let's say currently we have N people running nodes for no compensation.
18:52 < nanotube> if we introduce compensation, we'll have those N people, plus P other people who would only run because of compensation
18:53 < gmaxwell> but will the N continue if there are M people running for pay where M >> N?  Certainly my motivation to run nodes would be reduced if there were already plenty of them.
18:53 < gmaxwell> (My M is your P)
18:54 < gmaxwell> and in terms of network risks,  the ratio of good to bad nodes can matter more than the absolute number of good nodes. E.g. if 99% of nodes are bad it doesn't matter if there are a million good nodes you'll only infrequently connect to one.
18:54 < nanotube> ok, let's introduce that factor also. :)
18:54 < nanotube> irc sucks for this, i'm going to write some text.
18:55 < gmaxwell> Sweet our model now needs an ordinary differential equation. :P
18:56 < nanotube> heh
18:57 < gmaxwell> I haven't tried to model it in detail because I expect that I can pick parameters that go either way and won't be able to decide between them. :(
19:10 < nanotube> http://pastebin.com/CfNMB85D <- really naive model... basically since marginal benefit to running a 'good node' is larger if we offer compensation, it seems we'd be no worse off.
19:10 < nanotube> the only catch is, if our offering compensation increases probability that evil will use that technique to do evil.
19:16 < gmaxwell> yea, that's something that I specifically argued when I talked to the tor folks about doing this in tor... that there may be a kind of initial hump in getting people to think of running nodes as a viable enterprise that currently keeps an attacker from doing it.
19:16 < gmaxwell> I'm not sure.
19:23 < nanotube> in addition to the hump, the big hurdle of developing the technology would be taken care of.
19:23 < nanotube> cf, how easy it is to create $fakecoin now that bitcoin is out there.
19:25 < nanotube> but for tor it's somewhat different, because it doesn't get /more/ expensive to run a node over time. for bitcoin it does, so the end game is dramatic shrinkage in node count.
19:26 < nanotube> that said, dunno if you're aware, tor has started some compensation scheme, where some nonprofit in the netherlands is going to pay 3500/month (total) to however many nodes register with the program, or some such.
19:26 < nanotube> so we get to learn from their experience on that front, a little bit.
19:28 < gmaxwell> I know, I'd passed on these concerns to them. (particularly pointing out that if they built the infrastructure so that any anonymous party could pay any tor node, that it might create some weird outcomes like pay-to-spy)
19:28 < gmaxwell> seems like they avoided setting things up like that, at least for now.
19:29 < nanotube> heh well, the government TLAs don't need to pay any third parties to spy. if nsa really wanted to take over tor, it'd only take them a trivial fraction of their budget to spin up like 10k tornodes, and make up significantly more than half of the tornet.
19:30 < nanotube> in fact... maybe 2k out of the 4k-some tor nodes already are government. ...
19:38 < gmaxwell> nanotube: perhaps, but paying third parties might be a more cost effective way to do it. ... and if you're some cybercrime group it might be an interesting thing to play with.
19:39 < nanotube> mm maybe...
19:40 < nanotube> i'm surprised the tor router project doesn't seem to have taken off. beyond a wiki page on setting it up https://trac.torproject.org/projects/tor/wiki/doc/OpenWRT
19:40 < nanotube> they could be selling pre-torified buffalos
20:05 < warren> someone we know here expert in embedded systems is thinking about selling bitcoind low power appliances
20:10 < nanotube> aka, netbook with bitcoind on it? :P
20:13 < warren> headless
20:14 < warren> probably ARM with 2GB RAM
20:17 < nanotube> mm
20:18 < warren> businesses often don't use their bandwidth at night when the office is empty, so if it costs them very little in power, they could run high capacity listening nodes at least all night and throttle back or stop listening during the day.
20:27 < gmaxwell> nanotube: one interesting point is that evil vs good pay is probably not mutually exclusive.
20:28 < gmaxwell> nanotube: e.g. you get paid X to run a good node, and if it also spies on users, you get Y too.
20:29 < warren> hmm, headless bitcoind appliances would need some kind of autoupdate mechanism ...
20:29 < warren> the maker could sell subscriptions to good/evil parties
20:30 < warren> It's amoral, it's just business!
20:36 < nanotube> warren: and while you are at it, put a tor node on the appliance also. that way bitcoin network will become less blockable, and if you turn on relaying by default (with some small transfer cap) you benefit the tor net also.
20:37 < nanotube> gmaxwell: hmm good point.
20:37 < warren> they probably won't like exit node by default
20:37 < nanotube> warren: sure not exit, just relay
20:37 < warren> nanotube: I'm not the one designing this thing
20:37 < warren> he just mentioned he might do it
20:37 < nanotube> warren: well, yea, i mean, pass it along :)
20:38 < nanotube> gmaxwell: but that just means it's cheaper to be evil. :)
20:39 < gmaxwell> nanotube: well it means that if someone else is paying the activation cost to make a pure profit motivated person run a node, an evil party can redirect most of that effort at far lower cost.
20:40 < nanotube> yes. so s/cheaper/much cheaper/ :P
20:40 < gmaxwell> evil only has to pay enough to move people from good to evil, not to run a node.
20:40 < gmaxwell> yea.
20:41 < nanotube> but many forms of evil can be tested for and not paid. e.g., transaction validation and relay variances, etc.
20:41 < nanotube> spying, not really. but... everything that goes through through the bitcoin network is public anyway. so i'm not sure how much use there is in evil-spying for pay.
20:42 < gmaxwell> yea, spying can't be tested except by the evil master, and rule changes that trigger in the future can't be tested for. (well evil master could kinda test for them, but not anyone else)
20:42 < gmaxwell> nanotube: ::shrugs:: bc.i has monetized their own spying pretty well: they post people's IPs and then charge people to use their mixer service. I believe it's their only revenue source now.
20:43 < warren> s/mixer/shared send/
20:44 < nanotube> do you think they'd make less money on the mixer if they didn't post people's ip addresses? :P
20:48 < gmaxwell> I do. Though I only have the informal evidence of people showing up in IRC angry that the bitcoin blockchain recorded their IP addresses, from time to time. (::facepalm::)
20:49 < gmaxwell> (and then seeing people direct them to the mixer thing)
20:49 < warren> perhaps delisting for a fee could be another revenue source =P
20:50 < gmaxwell> cheaper to just block them.
20:56 < jgarzik> gmaxwell, definitely not their own revenue source
20:56 < jgarzik> gmaxwell, hint: advertisements on the front page float by unpredictably
20:57 < gmaxwell> oh hey, I just came up with an almost secure way to selectively hang up on nodes which connect to lots of other nodes.
20:57 < warren> oh?
20:59 < gmaxwell> using cryptographically private bloom filters: http://www.reddit.com/r/programming/comments/1ixoov/cryptographically_private_bloom_filters/cb91uj9
21:00 < gmaxwell> the idea is that your peers give you an encrypted list of their peers. You can then encrypt your list of peers, send them to the peer and have the peer reencrypt them, and then you can decrypt the result and tell what peers you have in common.
21:01 < gmaxwell> I say almost secure because if some node was hated by lots and lots of nodes, those nodes could lie and say he was connected to them, in order to encourage other people to drop connections to that node.
21:01 < gmaxwell> but ignoring that attack, this would let you be able to do something like hang up on peers that are already connected to half your other peers.
21:01 < gmaxwell> without disclosing who is connected to who.
21:02 < gmaxwell> (your peers would limit the number of queries you could perform, so you couldn't just test all nodes against their lists)
21:03 < warren> "you" being a connection or an IP?
21:03 < warren> and does that fail if you change your IPv4, or ipv6?
21:04 < gmaxwell> nah, I don't think so, since they could just limit the queries globally. E.g. I won't answer more than X queries per day or whatever.
21:05 < warren> so you can make the entire system just stop working
21:06 < warren> gmaxwell: this could be defeated by simply randomizing the from addresses, combining all the data into a surveillance net
21:07 < gmaxwell> I'm not talking as much about surveillance as I am about connection saturation.
21:08 < gmaxwell> Today you can fill up all connection slots on the bitcoin network with 1 IP. With some easy fixes we could increase that you needed 124 IPs.
21:08 < gmaxwell> But making it take more than 124 IPs seemed mostly unsolvable to me, perhaps its not.
21:09 < gmaxwell> making surveillance a little harder would be a nice side effect.
21:09 < warren> ooh
21:09 < warren> there's more low hanging fruit to raise the cost of filling all listening slots
01:31 < phantomcircuit> jgarzik, with ssds it's the firmware
01:31 < jgarzik> phantomcircuit, the latter comment, when investigated at Red Hat, turned up stupid app behavior 90% of the time
01:31 < phantomcircuit> it's not uncommon at all for an ssd to completely fuck up where things are written
01:32 < jgarzik> I was L3 on that for years
01:32 < phantomcircuit> yeah that's not surprising
01:32 < petertodd> The great thing about embedded systems development is "know your hardware" can mean reading the datasheet for your 8-bit uC's and getting a timing diagram showing under exactly what conditions EEPROM cells get corrupted. :P
01:33 < petertodd> Heck, on the wall by my desk I have one of my artworks that does exactly that with a carefully calculated set of VCC hold-up caps.
01:50 < jgarzik> petertodd, "the pool uses compressed keys, while the blockchain.info client only uses compressed keys"
01:50 < jgarzik> petertodd, should one of those be "uncompressed"?  or am I just confused?
01:50 < petertodd> doh!
01:50 < gmaxwell> the latter is uncompressed
01:50 < petertodd> yeah, client is uncompressed
01:51 < phantomcircuit> jgarzik, i get a good laugh out of bc.i
01:51 < phantomcircuit> they operate a service which allows you to purchase bitcoins and then obscure their origin
01:51 < phantomcircuit> quite literally money laundering
01:51 < phantomcircuit> herp derp
01:52 < petertodd> money laundering isn't what you think it is...
01:52 < gmaxwell> jgarzik: so the difficulty in getting people to use petertodd's dust-b-gone is starting to make me doubt my prior thought that "wallet applets" could be a viable way to introduce new wallet features.
01:52 < petertodd> the purpose of money laundering is to make money have a *legit* origin, bc.i is just making it have no origin at all
01:52 < phantomcircuit> petertodd, useful money laundering is the first
01:52 < phantomcircuit> legal money laundering is either
01:52 < gmaxwell> petertodd++  but that doesn't mean bc.i might not get into a regulatory mess.
01:53 < phantomcircuit> you'd be an idiot to launder money through bitcoin anything
01:53 < phantomcircuit> but that doesn't mean doing so isn't illegal
01:53 < petertodd> well if we keep repeating my point over and over we might change the discussion... :)
01:53 < gmaxwell> in any case, they've been warned! (and at least renamed their "mixer")
01:54 < phantomcircuit> they've had legal counsel refuse to represent them because their business is obviously in violation of uk law
01:54 < gmaxwell> we need someone to make a catchy music video like https://www.youtube.com/watch?v=7E0ot9iJm_k (terrible secret of space)  which just repeats over and over again "the purpose of money laundering is to make money have a *legit* origin"
01:54 < Luke-Jr> is that the legal definition?
01:55 < phantomcircuit> Luke-Jr, the legal definition is to obscure the origin
01:55 < jgarzik> gmaxwell, not sure I was party to a "wallet applet" discussion.   I did notice that some wallets like Hive are direct-integrating with gambling and exchange sites via plugins.
01:55 < phantomcircuit> however that's not very useful for actual criminals
01:55 < gmaxwell> in the US there isn't just one legal definition there are dozens (hundreds? easily if you count state laws) of laws that possibly interact with money laundering.
01:55 < phantomcircuit> none the less the definition is what it is
01:55 < jgarzik> gmaxwell, RE dust, I just think there should be background defragmentation
01:55 < phantomcircuit> gmaxwell, bc.i is a uk company
01:55 < jgarzik> gmaxwell, perhaps via coinjoin.  mix + dedust
01:56 < petertodd> gmaxwell: yeah, that's the real issue - better for something like bc.i to not be operating at all if they want to be safe, chances are even operating a wallet is legally risky
01:56 < gmaxwell> jgarzik: ah, I'd thought you'd, at least in the past, bought into an idea that things like background defragmentation and such could potentially be introduced with contrib/ grade side-car applications.  As a way of reducing the time to getting features in the core codebase.
01:56 < gmaxwell> jgarzik: yea, petertodd's dust-b-gone is a coinjoin dust discarder.
01:57 < gmaxwell> Luke-Jr: I'd guess that if you are pedantic about the law that in some states it's probably unlawful to accept money.. ever. just due to poorly constructed laws that interact in unexpected ways.
01:57 < phantomcircuit> petertodd, its better that they do one thing at a time
01:58 < jgarzik> gmaxwell, some pedantic interpretations of US law imply you should file forms for every cash transaction, anywhere, regardless of whether you are consumer or merchant or peer
01:58 < jgarzik> especially if you cross state or international borders
01:58 < Luke-Jr> gmaxwell: IMO trying to change the definition to workaround laws isn't a viable option
01:58 < jgarzik> nutters
01:59 < gmaxwell> Luke-Jr: I'm not suggesting it to workaround the law.
01:59 < Luke-Jr> the elegance of CoinJoin is that it isn't concealing anything; it's just discarding unnecessary information
01:59 < petertodd> jgarzik: which reminds me of how idiotic people are for continually pointing out cash as why bitcoin won't be banned; lots of jurisdictions are doing everything they can to ban cash
01:59 < gmaxwell> Luke-Jr: the reason I suggest making the definition more clear is just because the broken one used in bitcoin land (mostly inspired by half understanding tv crime drama) just doesn't make sense.
01:59 < Luke-Jr> gmaxwell: a music video to promote a definition that differs from the legal definition, would be just that IMO
01:59 < jgarzik> My on-going prediction, since 2010, has been that bitcoin will be regulated as cash is currently regulated.
01:59 < jgarzik> in US and elsewhere
02:00 < jgarzik> with all that implies
02:00 < gmaxwell> Luke-Jr: I don't think that what I'm saying is distinct from the legal definition. (I also didn't mean it seriously)
02:00 < petertodd> jgarzik: right, so it'll be illegal to have bitcoin wallets with large amounts of bitcoins in them, and gradually those amounts will decrease to the point where bitcoin is effectively banned
02:00 < Luke-Jr> petertodd: huh?
02:01 < Luke-Jr> is there some law saying I can't bury large amounts of cash in my backyard? :/
02:01 < jgarzik> petertodd, I'm waiting for the first attempted prosecution when someone flies across a US/international border without declaring the > $10,000 in bitcoins they were carrying.
02:01 < petertodd> jgarzik: meanwhile bitcoins, when discovered, will be seized routinely the same way large amounts of cash are under civil forfeiture laws
02:01 < gmaxwell> Luke-Jr: the legal definition is very complicated. the idea that anything that conceals the origin is money laundering is a toy version of the law. The idea that money laundering == giving an apparent legitimate origin to money is another toy statement of the law. The latter has the benefit of actually explaining _why_ people launder money at least...
02:01 < petertodd> Luke-Jr: in some european countries yes
02:01 < gmaxwell> Because just doing the first, in the US at least, actually does you very little good.
02:01 < petertodd> Luke-Jr: for instance IIRC italy has banned all cash transactions for any reason over 1000 euros
02:01 < phantomcircuit> gmaxwell, the problem is that the definition you use is based largely on how strict law enforcement wants to be
02:01 < petertodd> jgarzik: bingo
02:02 < gmaxwell> jgarzik: so I might attempt a declaration of bitcoins when returning from Vancouver at the beginning of November. I don't have anything scheduled for the week after that... it would be interesting to see what happens.
02:03 < Luke-Jr> petertodd: that's a cash *transaction*
02:03 < jgarzik> in terms of US "climate", it is noteworthy that government types are also concerned about consumer privacy.
02:03 < jgarzik> A handful of Large Businesses (Fortune 1000) have also expressed concern about business transaction privacy.
02:03 < petertodd> gmaxwell: lol, I like how you're giving a week for that...
02:03 < jgarzik> it is easy to look over a shoulder at starbucks, if you can spot a payment address, and chain-stalk that person
02:03 < petertodd> Luke-Jr: yes, and meanwhile large amounts of cash get routinely seized in the US on suspicion of being involved with drugs, and it's damn near impossible to get it back.
02:03 < gmaxwell> in particular I could arrange it so that bitcoins I have with me are likely to increase in value while I'm at IETF and cross the threshold.
02:04 < petertodd> Luke-Jr: other countries have direct capital controls on cash
02:04 < gmaxwell> jgarzik: or the minimum wage drone at starbucks hired a week ago is doing the chainstalking.
02:04 < Luke-Jr> gmaxwell: how are the bitcoins "with you"? :p
02:04 < petertodd> jgarzik: one of the ironies is that Bitcoin could be simultaneously considered as being too private, and prone to "money laundering", and too public, and thus banned for privacy reasons
02:04 < gmaxwell> Luke-Jr: that would be part of what the exercise is for exploring. What does customs think that definition is?
02:05 < jgarzik> One argument I do think could be made: the coins are "in the cloud". Control of the coins (keys) is what the owner holds. Not sure if that could be legally useful, but it seems like it might be.
02:05 < jgarzik> petertodd, indeed
02:06 < phantomcircuit> <gmaxwell> in particular I could arrange it so that bitcoins  I have with me are likely to increase in value while I'm at IETF and cross the threshold.
02:06 < jgarzik> petertodd, depends on which prosecutor is writing their next Shakespearean piece
02:06 < phantomcircuit> gmaxwell, the us border patrol will arrest you if you fail to declare the changed amount
21:51 < petertodd> amiller: Fortunately I think you can securely do a "pay to help me get this ancient txout mined" service with a joint transaction.
21:51 < amiller> you can have updates
21:51 < amiller> and if you aren't relatively alive to hear the updates
21:51 < amiller> and everyone forgets intermediate state before you get yours
21:51 < amiller> then you might not be able to find it from anyone
21:52 < amiller> say you send a new coin to yourself, then you go into a coma for 50 years, then come back
21:52 < amiller> can you spend your coin
21:52 < amiller> all the tips have changed
21:53 < petertodd> amiller: Yeah, it absolutely could happen, although it's likely there will always be at least one person with a copy out there somewhere.
21:53 < amiller> kinda?
21:54 < petertodd> The other thing is that keeping your wallet updated is actually decently cheap because you only need to watch for transactions that modify your proof. In addition if you update your proof once, the chain data you need to update it again is much lessened - just the transactions that changed the lower part of your proof as the upper part is more recent.
21:54 < amiller> maybe you still want to do proof of storage over the whole tree to be sure
21:55 < petertodd> amiller: Yeah, it's hard to say... I suspect that given that everything is easily fraud proofed, we can skip proof of storage so long as finding fraud is rewarded somehow.
21:55 < amiller> no i mean
21:55 < amiller> you want to encourage people to store the data
21:55 < amiller> if it's plausible that someone who should be enabled to spend it might not have that data
21:55 < petertodd> amiller: Right, but the "pay to spend" system works fine for that.
21:55 < maaku> ok i see what you're saying now, but i hadn't thought it was a concern since the signer has control over the transaction id... they can always pick a new one that they can find a path for
21:55 < amiller> no it doesn't
21:55 < amiller> you can pay to spend if someone has the data
21:56 < petertodd> What we need is to encourage people to *validate* the data, which != storing it.
21:56 < maaku> assuming they don't pay an archive node to find a path for them
21:56 < amiller> but you can't pay them ahead of time to store it and update it forever
21:56 < amiller> okay here's the thing
21:56 < petertodd> maaku: Yeah, but that basically means those archival nodes need to be found every !@#$ time you create a transaction, or even for that matter just to add coinbase outputs to the set.
21:56 < amiller> maybe if i know i'm about to go into a coma or am afraid of it
21:56 < amiller> and want to purchase "go into a coma for 50 years" insurance
21:56 < petertodd> amiller: No, but they can make a business decision that there's enough demand. And anyway, as I said, updating your proofs is incremental.
21:57 < amiller> i can sponsor a bounty that rewards people over time for doing proofs of storage of whatever is the most valid node
21:57 < amiller> it doesn't matter if it's incremental if the point is that i go away for a long time then come back
21:57 < amiller> i'm not interactive and receiving updates during that time
21:57 < petertodd> amiller: Well, you know how you do that? You create nLockTime'd transactions! To spend the txs way in the future they have to prove them!
21:58 < petertodd> When they brodcast the proofs, you can reuse that data to prove your own transactions!
21:58 < petertodd> *broadcast
21:58 < amiller> that's not a great solution for minor economic reasons and periodic proofofstorage is better somewhat
21:58 < amiller> if it seems like you have a poor chance of being the winner then there's no reason to do it
21:59 < petertodd> But this is the thing, we *want* people to be able to expire ancient data! Think 300 years in the future when transactions in the first 10 years of blocks just don't ever happen.
21:59 < petertodd> This is the only thing that can keep the blockchain data required to mine from growing without bound.
21:59 < amiller> i agree that this should be set by market forces of people who want it or are willing to insure themselves
21:59 < amiller> if i go into a coma and haven't paid for lifesupport then it's my problem
21:59 < amiller> if i or someone gracious wants to pay somehow to keep my data validated then ok
21:59 < petertodd> Yeah, and market forces are enough, we do *not* need to add proof-of-storage to the consensus protocol.
22:00 < petertodd> Where as with UTXO commitments, you absolutely do need proof-of-storage.
22:00 < amiller> i'll let that slide for now
22:00 < amiller> petertodd, yes, agreed, because with the utxo trie you never know *which* bits you'll need for appending new data
22:00 < amiller> which is an outstanding revelation
22:01 < gmaxwell> 18:04 < maaku> gmaxwell: my point is why pay an external proof-generating service *in addition to* the miners transaction fees?
22:01 < gmaxwell> Right now, ~no one is paid for it. And miners (if you mean the guys who own asics)
22:01 < gmaxwell> don't do it at all... you could argue that the pool op is paid for that
22:01 < gmaxwell> service but it's only as an accidental side effect, and it highly incentivizes
22:01 < gmaxwell> centralizing that ability. vs letting each user keep their own or pay for
22:01 < gmaxwell> their own retrieval very naturally scales and doesn't create a
22:01 < gmaxwell> centralization incentive, I think.
22:02 < petertodd> amiller: Yeah, MMR TXO also naturally has good access requirements, which means that archiving data to tape and so on is very practical.
22:02 < petertodd> amiller: (even when you want to be the "help me mine my txout" service)
22:03 < petertodd> gmaxwell: Did you see how paying to help get a txout mined can be done in a trust free manner too? Just create a transaction spending the txout that gives some BTC to the service - if they can't get it mined they don't get paid.
22:03 < amiller> that's a crap solution
22:03 < petertodd> amiller: ?
22:04 < amiller> it's not good for replication
22:04 < petertodd> amiller: Why do you need to replicate?
22:04 < amiller> like, you'd prefer to have the reward for that paid in some way that encourages several people to have it
22:04 < amiller> because that service doesn't have terribly much incentive to store it redundantly
22:04 < amiller> they'd miss out on the future rewards i suppose
22:04 < petertodd> amiller: Well sure, but frankly that's impossible with math.
22:05 < amiller> no it isn't
22:05 < amiller> that's what pow does
22:05 < gmaxwell> petertodd: well almost. Say you make two versions, one paying a and one paying b. A fails to do the lookup. B does it. When A hears the transaction from B he can attach B's proof. ... fine for the user, bad for the service.
22:05 < amiller> that's the whole point of this massively replicated apparatus we have
22:05 < petertodd> amiller: No, proof-of-work simply proves a bunch of work was done, it doesn't prove that the work was done in a geographically separated set of disaster resistant datacenters.
22:05 < amiller> it doesn't *prove* that, but it *causes* that
22:05 < amiller> that's exactly what it causes
22:06 < amiller> incentivizes, rather
22:06 < gmaxwell> amiller: that's the user's own darn problem, if he wants great storage he can pay for it. Importantly, it doesn't have the commons resource problem of making everyone pay for something that only benefits one user.
22:06 < petertodd> gmaxwell: Yeah, those services are going to want to either mine the txs themselves, or have meatspace contracts.
22:06 < amiller> agreed with both of those
22:06 < petertodd> gmaxwell: Well, actually you can fidelity bond those contracts...
22:07 < petertodd> amiller: I dunno about causes that... just look at pools...
22:07 < gmaxwell> yea, and it's super cheap to maintain your own if you're already running a FVN
22:07 < amiller> petertodd, pools are geoseparated disaster resistant data centers, it's hosted mining that's the problem
22:07 < gmaxwell> and to have tit for tat mutual watching agreements in communities of interest.
22:08 < petertodd> amiller: Pff, we're talking like a dozen pools at most - that's not very convincing disaster resistance compared to the thousands (probably) of full nodes.
22:08 < amiller> petertodd, no i mean the pool operators don't matter, the fact is pool participants all have gpus at their homes
22:08 < petertodd> amiller: Anyway, as gmaxwell said "It's your own fucking fault if your wallet becomes unspendable!"
22:08 < amiller> if you make a storage hard pow then it's the mining devices that are the replicated storage
22:08 < petertodd> amiller: GPUs != blockchain data
22:09 < petertodd> amiller: ok, true, but we're not changing the proof-of-work algorithm
22:09 < petertodd> amiller: maybe in some alt-coin
22:09 < amiller> yes you are, when it becomes obvious you have to
22:09 < petertodd> gmaxwell: sorry if I slightly misquoted you there :P
22:09 < amiller> what i'm *not* saying is that you'd have to make it mandatory that the consensus puzzle is over the whole merkle thing
22:09 < amiller> one option is to make it so you can pay to have it included
22:09 < gmaxwell> realistically the required redundancy for txout data is only three or four copies, let's say. But for decentralization we need tens or hundreds of thousands of full nodes. And the risk of not having enough copies should be borne by the owners of the data which was inadequately replicated but bitcoin makes it a risk for the whole network.
22:09 < petertodd> amiller: people in comas for 50 years waking up to not being able to spend their wallets isn't a good reason :P
22:10 < amiller> so you can pay to have whatever replication factor you want
22:10 < amiller> i'm not arguing any particular solution here because it's not settled
11:21  * BlueMatt isn't sure exactly which "payment channels" is being discussed, but if it's done right, it can be all two-party (no blockchain) until the end and then only a few txn can be put in the chain to complete it
11:22 < BlueMatt> (without any trust)
11:22 < petertodd> BlueMatt: Ah, yeah, that's jspilman's version. Nice to see the wiki got updated with it.
11:23 < BlueMatt> anyway, I know mike is actually implementing it, so ping him
11:28 < petertodd> BlueMatt: cool
11:29 < BlueMatt> afaik it's pretty far along too
11:31 < petertodd> any client code yet?
11:31 < BlueMatt> hmm?
11:32 < petertodd> I mean, like a demo for an application?
11:32 < petertodd> that'll be the hardest part I think
11:32 < BlueMatt> no idea
11:34 < petertodd> ok, just thinking, lots of subtle issues re: backups and other stuff with protocols like these
11:34 < BlueMatt> entirely depends on how long your channel is
11:34 < BlueMatt> if the channel lasts a few hours...meh
11:34 < petertodd> same problem with chaum tokens: you need to have a reliable way of storing multiple copies immediately of the token, or in this case, the refund tx
11:35 < BlueMatt> sure, if it lasts a month you want to store the state of the channel in the wallet
11:35 < petertodd> it can be skipped initially, but for production...
11:35 < petertodd> well it's a matter of how many coins you are putting in limbo, 0.01BTC, no worries, 1BTC, that's another matter
11:48 < jgarzik> heh, yeah.  I was thinking a payment channel that lasts ~24 hours.  Definitely some wallet state storage, to think about.
11:48 < jgarzik> but really, I'm off-chain agnostic.  The more off-chain systems out there, the better.
11:49 < jgarzik> Would be interesting to see an open source package out there replicating The Big Tor User out there.
11:50 < petertodd> well, one guy contacted me saying he's working on one in his spare time, and I'm meeting with what sounds to be a much more professional effort next week that will include some trusted hardware
11:51 < petertodd> actually, I think just implementing a merkle-sum tree package is worth it - a few companies at the conf said they were interested in that kind of transparency
11:51 < petertodd> like the bitcoin fund guys
11:53 < BlueMatt> bitcoin fund: we fund useless crap
11:53 < BlueMatt> or at least not stuff that is reasonably high priority
11:54 < petertodd> BlueMatt: which fund do you mean?
11:54 < BlueMatt> you mean the guys who offered how many thousands to split wallet and core?
11:54 < petertodd> no, I mean bitcoinfund.eu, the guys offering bitcoins as a professional investment fund
11:55 < petertodd> those guys are crazy, and I wonder if they are really legit
11:56 < BlueMatt> they do have /some/ money...no idea how much it really is, but they kinda picked a random thing and put a big bounty on it
11:56 < petertodd> heh, emphasis on some
11:56 < petertodd> might just be enough to have a nice website...
11:56 < BlueMatt> by off-chain, you do mean off-chain for a while, then sync up the difference in one txn?
11:57 < BlueMatt> oh, no I meant the crazy guys who offered money for split
11:57 < BlueMatt> A few devs have gotten donations from them
11:57 < BlueMatt> relatively sizeable ones
11:57 < petertodd> ah, ok, so they've shown they're for real
11:57 < petertodd> to some extent
11:57 < BlueMatt> if only they'd put up a big bounty on adding more test-cases
11:58 < petertodd> BlueMatt: not sure exactly what the off-chain guys who have contacted me lately really mean, I'll find out more later
11:59 < petertodd> Indeed. You've done a lot of hard work, but there is so much more to do.
11:59 < BlueMatt> what I've done hasn't even scratched the surface of the edge cases that exist, tbh
11:59 < BlueMatt> if you fail the tests-cases there, you really were oblivious when implementing
11:59 < BlueMatt> at least, fail more than a few-line fix
12:04 < petertodd> Absolutely. I found lots of stuff re: nLockTime that's not tested, just to name one example.
12:04 < BlueMatt> even coverage reports of the tests show suckage...
12:05 < petertodd> Well, foundation says they're going to hire two more tech staff.
12:06 < BlueMatt> good to hear, can we make one of them full-time test engineer?
12:06 < BlueMatt> s/one/two/
12:06 < sipa> peter vessenes asked me if i wanted to work on bitcoin full-time
12:06 < sipa> but i prefer not giving up my job now
12:06 < BlueMatt> if sipa wanted to work on bitcoin full-time there are around 10 companies that would make it happen...
12:07 < sipa> he was certainly not the first to ask :)
12:09 < midnightmagic> sigh. I have an account with exchangezone too.
12:09  * midnightmagic doesn't like being on lists.
12:09 < BlueMatt> midnightmagic: known terrorist
12:11 < petertodd> sipa: heh, I know the feeling, I even had my old boss from when I was 16 at a software summer job call me up asking if I wanted to start something bitcoin related
12:11 < sipa> heh
12:11 < sipa> now, if i could work more on bitcoin without giving up my job... that'd be nice :)
12:12 < BlueMatt> sipa: spend 10 years, invent a time machine and poof
12:12 < petertodd> sipa: make it your 20% project to do off-chain tx's, and confuse all of Mike's critics...
12:12 < sipa> abstruse goose 249?
12:13 < BlueMatt> sipa: yes
12:13 < BlueMatt> petertodd: doesn't mike already do bitcoinj as 20% time?
12:13 < petertodd> BlueMatt: what I would give to tell my 18 year old self... I was so excited when I found out about hashcash
12:13 < sipa> petertodd: i'm going to try to make getting aecp256k1 optimized in openssl my 20% project
12:13 < sipa> secp256k1
12:14 < BlueMatt> you want to merge something in openssl?
12:14 < petertodd> BlueMatt: exactly, so if sipa does something geared towards decentralization said critics will be rather confused about Google's intentions
12:14 < BlueMatt> heh, good luck
12:14 < petertodd> sipa: seems reasonable to me
12:14 < BlueMatt> petertodd: I'm not sure anyone reads bitcoinj development as google's intentions.....
12:15 < petertodd> BlueMatt: http://www.reddit.com/r/Bitcoin/comments/1e680k/maybe_this_is_why_google_pays_coredev_mike_hearn/
12:15 < petertodd> jdillon is a pseudo-troll of course
12:16 < BlueMatt> hah
12:16 < BlueMatt> well, people are stupid...
12:17 < petertodd> indeed, but equally I get attacked for my supposed motives too
12:18 < BlueMatt> well, ok, I stand corrected
12:18 < BlueMatt> s/anyone/anyone reasonable/
12:19 < petertodd> well, Mike and Gavin are included in those attacking me for my motives
12:19 < BlueMatt> I meant for reading google motives into mike's work
12:19 < BlueMatt> your motives aren't clear anyway...
12:20 < BlueMatt> I'll attack you for your results though
12:20 < petertodd> Indeed, they aren't clear, but by that standard neither are Mike and Gavin's, or Jeff's, or a zillion other people's. Attack results and ideas, it's just nicer that way.
12:21 < petertodd> After getting $6k worth of mostly anonymous donations, I know full well that I'll probably never know the motivations of people making stuff happen. So talk about what they make happen.
12:21 < petertodd> Actually, $7.5k including pre-video donations.
12:22 < BlueMatt> hint: no one cares about your donations
12:22 < petertodd> Good, they shouldn't.
12:22 < petertodd> But it's a great example of how knowing about the motivations behind something is often an exercise in futility.
12:23 < petertodd> *trying to know
12:23 < BlueMatt> it's not always that hard...
12:24 < petertodd> Well, if you want to play that game, then guys like jdillon can have fun attacking Mike. It's just a matter of perspective.
12:25 < BlueMatt> either I'm being clear as mud or you're ignoring what I'm saying (most likely the first, I'm distracted) but I need to get back to being distracted (read: work)
12:25 < petertodd> heh, have fun
12:25 < BlueMatt> :)
12:26 < midnightmagic> I don't understand why people engage the trolls so much. Ignoring them doesn't make them stronger.
12:29 < midnightmagic> And I don't really mean the people who come in to -dev with a chip on their shoulder about something. Half the time they just think they can do something better. I mean the real destructive elements like the press page guys, or MP.
12:35 < jgarzik> It's a tough call
12:35 < jgarzik> Trolls rope innocent people into buying their line of B.S.
12:36 < jgarzik> When I respond, it's mainly to provide an alternative viewpoint, not directly respond to the troll.  But that gives the trolls gas for further trolling, so it's not a great solution.
12:40 < petertodd> Standard social theory would say that acknowledging trolls at all just gives them social status, which you really don't want to do, on the other hand people not familiar with the scene don't have any idea what the social status of anyone is, and they will read and misunderstand bad arguments.
12:40 < petertodd> So have someone else argue on your behalf.
12:42 < jgarzik> ;p
12:43 < petertodd> Similarly, why write software, when you can convince other people that the software should be written?
12:43 < BlueMatt> shell accounts?
12:43 < jgarzik> petertodd, That's what I do already :)
12:44 < petertodd> BlueMatt: Nah, that'd take up a pile of time. Better to convince a small group of your ideas and let it spread.
12:44 < jgarzik> petertodd, (1) write troll patch, (2) watch someone else come along and do it better, more completely
12:44 < jgarzik> c.f. wallet encryption
12:44 < jgarzik> the friendly term is being a catalyst
12:44 < petertodd> Lol, good job.
12:44 < BlueMatt> problem is, your troll patch had bugs that still appear in bitcoin today
12:45 < jgarzik> I declare myself blame-free :)
12:45  * BlueMatt can always fall back on the "I didn't merge it"
12:45 < petertodd> I managed to pull that off kinda with replace-by-fee, but the more complete version had O(n^2) scaling...
08:39 < sipa> and it is limiting in the sense that it requires encoding some basic form of betacoin's transfer rules in bitcoin
08:39 < gmaxwell> no no,
08:40 < adam3us> for my part i think 1-way (and more practically 2-way) pegged side-chain is the best new bitcoin idea of 2013. i hope it's possible.
08:41 < gmaxwell> sipa: the script is a proof "Betacoin say 2 btc can come back to bitcoin to scriptpubkey 1234 + a bunch of betacoin headers". I'd also come up with an idea that required the txout scriptpubkey in such a transaction could be such that it had a minimum time it could be spent from, and before that the transfer canceled with a longer chain of headers.
08:42 < gmaxwell> so then bitcoin is totally blind to betacoin's rules, except for how betacoin headers work, and how betacoin communicates moves back to bitcoin.
08:42 < gmaxwell> from the betacoin side the transfer from bitcoin could be similar or betacoin could watch the bitcoin chain, the latter is probably better.
08:43 < gmaxwell> if the whole transfer is slow and cumbersome and requires an 8 kbyte transaction it doesn't really matter, since if you have two parties you can just do an atomic coin swap.
08:44 < gmaxwell> the cross chain teleports are only needed to balance liquidity.
08:44 < gmaxwell> (so if there are more coins wanted on the betacoin chain than exist there there is a way to satisfy the demand)
08:45 < gmaxwell> also means that if you can fake out the teleport method e.g. with a huge betacoin reorg, you can make betacoin fractional reserve, but you never inflate bitcoin.
08:47 < gmaxwell> presumably this could be stronger in practice than in theory because if bitcoin miners were all betacoin miners they could generally refuse to mine suspect betacoin proofs, or themselves be prompt about providing contradiction-proofs that aborted the transfer in a soft-security fashion.
08:48 < gmaxwell> "no no, there is a competing betacoin fork as good/better than this one, abort this transfer until someone can show an even better betacoin proof"
08:49 < adam3us> sipa: the 1-way peg also could consider a longer term version of the market providing liquidity based on later settlement, eg if the network bootstraps to become credible, or if multiple sensible people and orgs make an approximate indication that they plan to switch over within 18 mo - 2 yrs to a hypothetical sipa-led rewrite
08:50 < adam3us> sipa: as after the switch over the rest of the bitcoins are moved over to the new network and the liquidity providers can earn the arbitrage profit they were aiming for
08:50 < adam3us> sipa: (wrote about somewhere on the tldr 1-way peg thread)
08:51 < adam3us> (what a choice: pay gbp 5 to extend free airport wifi or type a password into a *windows* machine. yup i paid)
08:51 < gmaxwell> plus imagine all the great drama we'll get in two way pegs. people creating altcoins that can two-way-peg with bitcoin (because why not make the facility completely generic so anyone can hook up a new chain to it?) just with the intention of leaving it insecure so they can steal all the coins that move over.
08:52 < gmaxwell> LHR 45 minute wifi is robbery.
08:52 < brisque> adam3us: just spoof your MAC.
08:52 < adam3us> gmaxwell: i could tumble the mac i guess, but too late
08:53 < adam3us> gmaxwell: i was thinking really should put a script to tumble the mac on network connect anyway - privacy principle. probably nsa is tracking macs somewhere in utah
08:54 < brisque> adam3us: changing your MAC doesn't stop that, you can just look for wifi cards announcing what networks they're looking for and then compare that to the google skyhook database to find their home address.
08:54 < adam3us> gmaxwell: also it's a rather nice argument against scamcoins (still need a better word to describe param-tweak/get-rich-quick from genuine innovation) and why did you start a new digital scarcity race? we were discussing that above in relation to coingen.
08:55 < adam3us> gmaxwell: and it seems likely the min-bar will just go up slightly to things like primecoin, or other artificial uninteresting or stupid changes that are just above the param-tweak and come with a semi-plausible to novice argument and white paper.  (Like NXT
08:55 < brisque> adam3us: out of my own curiosity I set up a wifi dongle looking out onto the street that did something like that. incredibly effective when people walk around with phones in their pockets.
08:56 < adam3us> brisque: i think bitcoin has a problem. once a competent grey-hat gets too tempted the base band phone p0wning will harvest $ms of coins in automated attacks. we need hardware fast.
08:57 < adam3us> someone who shall remain nameless to protect their own stupidity showed me a phone with 500btc on it ('doh!)
08:57 < adam3us> (an otherwise i guess reasonably competent CS degree programmer type of person)
08:58 < brisque> adam3us: I was more talking about privacy violations by phones announcing people's home addresses every few seconds. I'd really like to see sensible hardware too though, the Trezor looks quite nice.
08:59 < brisque> adam3us: I personally predict a piece of commodity hardware will be hacked to create a secure but cheap USB based wallet. there's quite a number of children's toys that have been turned into RF analysers and other tools.
08:59 < adam3us> brisque: not sure if 2014 will be the year, but a year RSN we will surely see baseband and targeted DSL IP# hacks from bitcoin big change identified IP# from bitcoin users who don't use tor to spend from large coins; the only hope is air-gaps IMO, or TPM (arm trustzone, intel TPM etc)
09:00 < gmaxwell> adam3us: someone with a typo squat on a popular bitcoin service domain and a java exploit for IE that I was seeing get investigated recently had stolen several hundred btcs in a few days time.
09:00 < gmaxwell> so the bar is still pretty low
09:01 < brisque> adam3us: doesn't really have to be a specifically designed hardware. anything would do. I saw photos of a children's toy that would make an excellent Trezor type device with a lot more features (full keyboard) than the real thing.
09:01 < adam3us> gmaxwell: the stupidity factor never ceases to amaze. it's scary that people are not being hacked way more.
09:01 < brisque> adam3us: there's some constraints, but the hardware doesn't have to be complex. you don't even need to have a hardware RNG on board.
09:02 < adam3us> brisque: you said about wifi network advertising networks it wants.  it works that way?  no waiting for announce, requesting ssid ? the client broadcasts all the wifi ssid it knows??
09:03 < brisque> adam3us: a wifi client announces sequentially every wifi network it knows, every 10 seconds it ruins "hidden" SSID by sending out the name and MAC of the routers it knows.
09:03 < adam3us> sipa: so are you getting the 2-way peg bug yet? ;)
09:03 < sipa> adam3us: let's call them "silly alts", "delusional alts" and "flawed alts" :)
09:03 < brisque> adam3us: this is the children's toy I was talking about. you could certainly port a hardware wallet to this. http://d4c027c89b30561298bd-484902fe60e1615dc83faa972a248000.r12.cf3.rackcdn.com/imagepicker/4494/thumbs/IM.jpg
09:04 < adam3us> brisque: oh noes! i guess the mac-tumbler script i need to write needs to flush the ssid cache also
09:05 < adam3us> brisque: i like the QR code as optical isolation connection that "visual btc" setup
09:05 < adam3us> brisque: of course it helps if the value could be signed so the input tx history doesn't need to be sent to work around that bug
09:06 < brisque> the IM-me is missing a camera so a QR code is out of the question. the sticking point is that you can't use sound because of the must-see-every-input issue of transactions.
09:06 < brisque> a device like this with more IO (a camera mainly) would be able to replace trezor with cheap commodity hardware.
09:07 < brisque> if the must-see-every-input bug was fixed in 0.9, you could almost push a TX via sound, it's just too heavy as it stands.
09:07 < adam3us> sipa: i guess someone could do a zoo-ology catalog of them. the variety of stupidity and greed involved is hilarious. some of them even bootstrapped to semi-respectability by first-mover advantage. i think one test may be zero real-transactions (non speculator), lack of clients, lack of any development, lack of any plan to obtain real-tx
09:09 < gmaxwell> people would never believe the zoology wasn't all made up
09:09 < adam3us> brisque: as i recall gmaxwell guesstimated 2 years to fix the sig malleability bug; not sure what the guesstimate would be on the no signed values bug. depressing. hence enthusiasm for 2-way peg. in the old thread on 2-way peg gmaxwell said (in relation to my question if this itself could get implemented given the other bugs) was that yes but this (2-way peg) is the one change to rule them all
09:10 < adam3us> gmaxwell: crypto-zoology :)
09:10 < gmaxwell> adam3us: also
 why bother with baseband hacks and zero days, when you can just ask people to give you their money: https://bitcointalk.org/index.php?topic=393593.msg4274997#msg4274997
09:11 < gmaxwell> adam3us: yea, a two way pegging facility is fully general. I mean it's a way you could completely replace the protocol in a totally consensual way, start up a mergemined two-way-peg and move all the funds to the new chain over time.
09:11 < brisque> adam3us: if dogecoin can do a hard fork in 10 days, I'm sure gmaxwell can come up with some crypto-magic to get bitcoin's done in 20.
09:12 < gmaxwell> having a hard fork is not a problem, avoiding one is.
09:12 < gmaxwell> suggested two way peg stuff doesn't actually need a hardfork, might not even be any easier with one.. it's just new scriptpubkey features, at least if it stays at the quasi spv security level.
23:00 < amiller> it costs $100 to defend against a $100 attacker
23:00 < amiller> okay but how about we just spend $10 but then if a $100 attacker attacks, we'll just be safe anyway
23:01 < petertodd> gmaxwell: yeah, which is interesting, because if the community knows there are defenses, that itself helps keep the faith in the system high
23:01 < petertodd> amiller: No, the defense doesn't have to be cheap, it has to have a short leadtime.
23:01 < petertodd> amiller: If it was $100 for every $10 the attacker spent, it'd probably be ok too, but it has to be possible to respond quickly.
23:01 < amiller> i don't think it counts if you do it retroactively
23:01 < amiller> but hm.
23:02 < amiller> so you build a huge force field but you leave it unpowered
23:02 < amiller> if you detect a missile you raise the shields
23:02 < gmaxwell> amiller: petertodd is arguing that if you can defend instantly, you could put up to 100% of the money the attack would cost you into the defense.
23:02 < petertodd> amiller: Ha, yes kinda! The huge force-field is the huge number of coins sitting around in people's wallets basically.
23:02 < gmaxwell> amiller: and if everyone does that the attacker can basically never win if their winning is defined as a gain within the system.
23:02 < amiller> the coins aren't real value though
23:02 < amiller> if everyone spends them all then you still have the same value
23:02 < amiller> nothing was spent
23:02 < gmaxwell> amiller: not everyone, the people getting ripped off.
23:02 < amiller> the suckers who decided to defend?
23:03 < petertodd> gmaxwell: yeah, part of my argument is also that you need the attackers to know this, and not really want to try
23:03 < petertodd> amiller: They're not suckers; they're people with transactions that would otherwise be reversed.
23:03 < gmaxwell> amiller: you pay me 5 btc. then reorg that transaction out. I say fuck you and convert that 5 BTC into POW on the old chain.
23:03 < amiller> that's a weird argument though
23:03 < amiller> you can't burn money you can't only give it to everyone else
23:03 < amiller> you can only*
23:04 < petertodd> amiller: Right, but by burning it, you're giving it to the people you actually want to: the other pre-existing participants in the system.
23:04 < gmaxwell> if miners were not hardware, what peter todd suggests could just work via fees.
23:04 < gmaxwell> pre-existing participants in the chain you want to survive.
23:04 < petertodd> gmaxwell: Yes, if we had replicators we'd implement my scheme in hardware. :)
23:05 < gmaxwell> yea, if the miners were free but only took power when used, then it would work.  You'd just have huge latent hashpower that turns on when there is an attack.
23:06 < amiller> that sounds good
23:06 < petertodd> Exactly! And we can even learn how the dynamics of this stuff work with proof-of-sacrifice blockchains, like the zookeyv system I proposed a few months ago.
23:06 < gmaxwell> petertodd: here is your POS: nodes pick the most profitable to mine chain.
23:06 < petertodd> gmaxwell: my POS?
23:06 < gmaxwell> you can convert coins to proof by just making the chain you like more profitable.
23:07 < amiller> so pos is exactly bribing the miners anyway :o
23:07 < gmaxwell> amiller: there is a subtle difference!!!
23:07 < petertodd> amiller: which would work, expect that miners have fixed capacity
23:07 < petertodd> amiller: *except
23:07 < gmaxwell> amiller: say 60% hashpower is evil and stays on the less profitable chain. The network still ignores them.
23:07 < gmaxwell> Because "fuck you, our consensus is the most profitable chain"
23:08 < petertodd> gmaxwell: well remember that "profitable" can also mean "my business is profitable because my transaction went through and I got paid"
23:08 < amiller> so no one picks the longest proof of work they only pick the most profitable chain?
23:08 < gmaxwell> petertodd: and you can conver one to the other by spending to fees.
23:08 < petertodd> gmaxwell: we can have this entire discussion if there is no block subsidy
23:08 < petertodd> gmaxwell: yup
23:08 < gmaxwell> amiller: longest POW would, I guess, be the tiebreaker for differences in short term profitability?  I haven't fully thought this out.
23:09 < petertodd> and in the zookeyv system, the consensus key-value thing, profitable is soley "my DNS records are what I want them to be"
23:09 < amiller> maybe longest pow is nothing but an expensive focal point?
23:09 < petertodd> *solely
23:09 < gmaxwell> amiller: "profitable" includes the notion that it's likely to be the winner. So you can use other symmetry breakers like most pow work as part of your profitable figure.
23:10 < gmaxwell> The devil is how they balance.
23:10 < amiller> symmetry breakers are silly to make expensive though
23:10 < amiller> if that's the only explanation for the role of pow then that's not compelling
23:10 < warren> <petertodd> [15:08:17] maaku: With MMR TXO commitments we can stop hassling every idiot who bloats the UTXO set, and for that matter, they aren't idiots anymore...
23:10 < warren> petertodd: so does this mean you give up on keepbitcoinfree?
23:10 < petertodd> gmaxwell: yeah, in zookeyv if it's implemented as a strict DAG there can be the problem that there's no incentive to build on anything but your own records
23:11 < petertodd> warren: keepbitcoinfree isn't just about UTXO's
23:11 < gmaxwell> none of the MMR stuff solves bandwidth.
23:11 < petertodd> warren: Though in general I suspect you *can* create consensus systems that allow for arbitrary numbers of transactions, but they look radically different than bitcoin.
23:11 < amiller> bandwidth is payers problem though
23:12 < amiller> spend your utxo sooner so it costs less
23:12 < petertodd> amiller: bandwidth can prevent you from detecting fraud...
23:12 < amiller> oh you're assuming probabilistic validation or something?
23:12 < petertodd> amiller: yes, there's just no other way than sharding, and that's got ugly issues - I'm sure I can come up with a proof that any such system always suffers from the risk of data deletion
23:13 < petertodd> amiller: and the only way to prevent that is force mining - whatever form it takes - to require some kind of proof-of-stake-ish consensus to make sure that if the txout owners chose to they would be able to keep up with updates to their little shard of the txout set
23:14 < petertodd> s/force/for/
23:15 < maaku> ?
23:15 < maaku> are you assuming scaling beyond the limit of a single pipe being able to carry block updates?
23:15 < petertodd> maaku: yes
23:15 < petertodd> maaku: beyond any individual internet connection in the world in fact
23:16 < amiller> grubmel, i can't figure out what it is you can achieve by actually *burning* value *for everyone* instead of just disbursing it at random to everyone else in the system
23:16 < petertodd> amiller: destroying a coin == disbursing it to everyone else
23:16 < petertodd> amiller: so why not make things simple?
23:16 < maaku> is that even worth considering?
23:16 < amiller> yes and pow = burning it for everyone
23:17 < amiller> they're different and the difference may be important
23:17 < petertodd> amiller: point is we need an artificial form of proof-of-work, and that's the best we can get that operates in limited-bandwidth jam-free networks
23:17 < amiller> no it's not artificial
23:17 < amiller> it's fake
23:17 < amiller> disbursing to everyone != actually destroying something
23:17 < maaku> 1Gbps is what, 600k tps?
23:18 < petertodd> amiller: who cares what exactly it is? what's important is that it gives us a way of coming to consensus about what is the best chain
23:18 < amiller> that's not it
23:18 < amiller> they both give you a way of coming to consensus if everyone or enough people follow the protocol exactly
23:18 < amiller> what it doesn't explain is how the difference affects the incentives to come to consensus rather than doing something else
23:19 < amiller> you can forgive a proof of stake
23:19 < petertodd> maaku: an ideal system should be able to operate with individual nodes having nothing more than a tin can and string, so let's see how close we can get to that
23:19 < amiller> if everyone decides to you could just distribute the money right back to the person who staked it in there
23:19 < amiller> and there would be no system loss, no friction
23:19 < amiller> you can't forgive the burning of energy
23:20 < maaku> i'm as wary as the next guy to saying '640k is enough for anybody', but really i don't know a single application that would require *public* consensus over that many transactions
23:20 < petertodd> amiller: look, it's really simple: I want a way of saying "this chain is the best chain" without having access to mining power
23:20 < petertodd> amiller: That's it!
23:20 < amiller> but you want it in a rational system with anonymous players!
23:20 < amiller> or else i suggest just having one guy with a private key that signs it
23:21 < maaku> ok, maybe i'm missing something again, but how do you have full validation (which miners have to do), without access to the blocks?
23:21 < petertodd> amiller: yes, which makes it hard, and the best I can think of is being able to create a little bit of data that says "if this chain is the best chain, I'm happy to give up 1 million FOO TOKENS from the foo-system ledger"
23:21 < amiller> petertodd, if you're a dictator you can just raise everyone's taxes by 1 foo each
23:21 < amiller> and recoup your costs
23:21 < amiller> and actually no one hurt
23:22 < amiller> you can convince them all it was good for them to give you that power
23:22 < petertodd> amiller: Now you add up all the other little bits of data saying similar things, and you say "well, block 12345 has a lot of people willing to give up foo tokens if it's the best, so it's the best!"
23:22 < petertodd> amiller: huh?
02:39 < gmaxwell> But the site learns nothing about which bitcoin were yours...  or nothing about identities you use on other sites
02:40 < gmaxwell> and if the proof takes a cpu hour to compute, well that actually doesn't reduce the usefulness all that much.
03:01 < BlueMatt> can I ask a dumb question?...whats a sin in this context?
03:02 < maaku> google identity protocol
03:02 < maaku> oh gribble's not here
03:03 < BlueMatt> ahh, ok
03:03 < BlueMatt> my google-fu was looking in the wrong places
03:03 < maaku> https://en.bitcoin.it/wiki/Identity_protocol_v1
03:03 < maaku> yeah
03:04  * maaku is still waiting for someone to come up with a v2 protocol so we can have a lively debate about the merits of original SIN
03:06 < BlueMatt> has anyone even started implementing identity protocol?
03:09 < BlueMatt> ahh, yes, there is
03:11 < BlueMatt> heh, ofc jgarzik wrote it in node.js...
03:33  * gmaxwell groans at maaku's pun
03:38 < BlueMatt> hey, its better than HD wallets
03:39 < gmaxwell> I continue to think HD wallets is a perfectly good name.
03:39 < BlueMatt> I continue to disagree (though considering how often I'm mia, that's rarely useful)
03:40 < gmaxwell> ;;ticker
03:40 < gribble> MtGox BTCUSD ticker | Best bid: 500.5, Best ask: 500.97, Bid-ask spread: 0.47000, Last trade: 500.97, 24 hour volume: 48505.69491744, 24 hour low: 500.5, 24 hour high: 774.9899, 24 hour vwap: 628.33712
03:40 < gmaxwell> oops wrong window. :P
03:40 < BlueMatt> well, thanks for reminding me to buy cheap coins :)
09:21 < jgarzik> maaku, gmaxwell: pun already made: http://garzikrants.blogspot.com/2013/08/original-sin.html
10:56  * Luke-Jr ponders how to respond to altoz this time.
11:12 < andytoshi> i think he's just going to keep claiming not to be able to read what you're saying
11:13 < andytoshi> if you PM him, idk if he'll receive the message if you're on his blacklist
11:34 < gmaxwell> Luke-Jr: I advise just dropping it.
12:12 < gmaxwell> Luke-Jr: I cracked his cryptosystem
12:12 < Luke-Jr> lol
12:12 < andytoshi> wow, nice
12:22 < gmaxwell> This is what I sent him:
12:23 < gmaxwell> Incidentally, I can compromise your cryptosystem for a single message with 2^64 known-ciphertext queries to a decryption oracle.  E.g. you run a server that decrypts messages and returns the results and I obtain the ciphertext of a message someone else created (which the oracle refuses to decrypt for me, otherwise this would be trivial), and after making ~2^64 queries to your decryption oracle I can decrypt the unknown message.
12:23 < gmaxwell> This isn't the most grievous of weaknesses, but it's somewhat surprising, and I could imagine someone using this in a way which made it actually exploitable for something.
12:23 < gmaxwell> I'm being a bit oracular because I thought you might enjoy figuring out what I'm thinking.
12:24 < gmaxwell> (I was hoping it would be 2^32 queries, then it would be reasonable to put up demonstration code)
12:24 < gmaxwell> (alas)
12:25 < andytoshi> brute-forcing the keyspace would be 2^256?
12:27 < andytoshi> ah, no, he is using aes-128
12:28  * gmaxwell refrains from giving hints.
12:29 < Emcy> im just wondering what oracular means
12:29 < Emcy> guess synonym verbose
12:29 < andytoshi> Emcy: i think, you have to submit questions to gmaxwell, and he will decide whether to answer them
12:31 < andytoshi> or rather, altoz does
12:31 < gmaxwell> Emcy: Where I say that I'm being oracular, I'm referring to the point that oracles, of the classic sort, answer questions in riddles.
12:32 < Emcy> "In Classical Antiquity, an oracle was a person or agency considered to interface wise counsel or prophetic predictions or precognition of the future, inspired by the gods."
12:32 < Emcy> hmm thats my werd lernin for today
12:33 < Emcy> how did you get to know so much about crypto? Do you have any formal math background?
12:33 < gmaxwell> In my attack description I'm using the word oracle in the sense used in cryptographic lit. ... an oracle is some black box that performs some function. E.g. a remote server that signs messages for you or decrypts things for you would be an example of an oracle.
12:35 < gmaxwell> well I majored in math before I dropped out of college... but no, I was just one of those annoying kids who read most of the books in the library and remembered a few of them.
12:36 < Emcy> hmm ok pretty cool
12:36 < Emcy> it's one thing to learn the maths, it's another to break someone else's maths
12:37 < Emcy> i had a tutor once who impressed upon me the difference between learning by rote and the power of original thought
12:37 < Emcy> he said the former end up tutoring in college and the latter end up tenured in university
12:37 < gmaxwell> I think a lot of people are short changed by education which focuses on learning by rote.
12:38 < gmaxwell> haha
12:39 < gmaxwell> The annoying thing about breaking cryptosystems is that even when you find a neat flat it usually only gets you 99% of the way there, but you can't expand it to a full compromise because of some accidental detail which isn't _just right_ for the attack to work. In this case I think it would actually work (I guess I could go weaken it further to be completely sure).
12:40 < gmaxwell> s/flat/flaw/
12:40 < Emcy> is 2^64 queries to some server actually viable though
12:41 < gmaxwell> Yes it is, though not enough to demonstrate easily.
12:41 < gmaxwell> Or at least close enough to viable that its a surprising weakness.
12:41 < gmaxwell> Emcy: e.g. what if the "server" is a bitcoin trezor like device in your possession?
12:42 < Emcy> cry
12:42 < gmaxwell> But I mean that often weaknesses are such that even allowing for "unreasonable" freedoms like 2^64 queries to a blackbox decryptor you still can't break it.
12:42 < Emcy> at least 2^64 packets over the actual internet though. Seems like a faff. Suppose you could be in no rush though
12:43 < gmaxwell> (It's hard to say if that's unreasonable or not, depends on the applications. That's the bummer about generic constructs)
12:44 < gmaxwell> Emcy: yea, before I looked at the code again I thought it would be 2^32, in which case it would have been trivial even over the internet.
12:44 < Emcy> still i think 2^64 or 64 bits or whatever is not something you want to see in any cryptosystem any more afaik
12:44 < gmaxwell> right.
12:45 < Emcy> 2^32 is only like 4 billion right
12:45 < gmaxwell> Right.
12:46 < gmaxwell> If there is also a simple software bug I can reduce it to one query.
12:46 < andytoshi> Emcy: things like decryption-oracle attacks are fairly standard in cryptography and there is a lot written about them
12:46 < andytoshi> like "Random Oracles are Practical" by Bellare and Rogaway is a paper the wizards pointed me to
12:46 < Emcy> would that be how the wifi hacks work
12:46 < gmaxwell> But I suppose that for some definition of "bug" thats always the case, e.g. bug: gives up the private key.
12:47 < andytoshi> wifi attacks i think showed up on matthew green's blog..
12:47 < Emcy> you packet inject until you get enough back to recover the key
12:47 < Emcy> the router is the oracle?
12:48 < andytoshi> ah, yes
12:48 < andytoshi> http://blog.cryptographyengineering.com/2011/09/when-things-fall-apart-part-1.html
12:48 < gmaxwell> Emcy: yea, well, the wifi attacks are very specialized... WEP uses RC4 which is a stream cipher, you put in a key, it puts out an infinite stream of 'random' bits.  These bits get xored with the packets.
12:49 < gmaxwell> If RC4 were perfect, you wouldn't be able to learn anything useful about the key just by knowing some of those random bits.
12:49 < gmaxwell> RC4 is far, far from perfect.
12:50 < gmaxwell> If you know some data in a packet, you can take an encrypted packet, xor it with the data you know, and you'll learn the output of RC4 in those known positions.
12:50 < gmaxwell> So the WEP attacks usually work by replaying an encrypted arp request (which you recognize by the size). The router acts as an oracle producing a stream of ARP replies which are encrypted.
12:51 < gmaxwell> But you know some bits of the arp replies because they're fixed in the packet syntax.
12:51 < Emcy> ha i was right
12:51 < gmaxwell> and some because they copy data from the arp request.
12:52 < gmaxwell> So you gather a bunch of rc4 output with different initialization vectors (incremented in every packet), and you can set up a system of equations that derives the key.
12:53 < gmaxwell> Nothing _quite_ so fancy is needed for this encrypted message thing.
12:54 < Emcy> what you described doesnt seem so fancy to me
12:54 < Emcy> just seems like pattern matching
12:55 < Emcy> you just need enough pattern
12:55 < gmaxwell> sure, the gist of it is simple, the math somewhat less so.
12:55 < Emcy> sure
12:56 < gmaxwell> I find that nothing accomplished by men is actually all that complicated once put into the right terms. Otherwise we couldn't accomplish it.
12:56 < Emcy> do we have any systems that are too complex for a single mind to grasp alone?
12:56 < Emcy> layout of a modern CPU perhaps
12:58 < gmaxwell> sure, but you break them down.
12:58 < gmaxwell> And all the parts are sensible in isolation, and the overall design, ignoring the details
12:58 < gmaxwell> It's actually quite reasonable to build software systems which are vastly beyond the ability of one person to comprehend at least all at once.
12:59 < Emcy> yes, but things get interesting when something goes wrong due to an emergent property of how the parts interact. And no one can figure it out because no human has the cubic centimetres of brain required......
13:00 < Emcy> i wonder if humans have a system like that anywhere
13:00 < Emcy> the OPERA neutrino thing maybe? that stumped em
18:54 < amiller> np
--- Log closed Sun Sep 22 00:00:05 2013
--- Log opened Sun Sep 22 00:00:05 2013
00:08 < warren> darn, wouldn't have the gitian linux -> mac cross compile goal have been a worthy grant proposal?
00:09 < warren> too late now
01:47 < amiller> i'm going to call my new abstraction of the hashcash puzzle, "Scratch-Off Puzzles"
01:47 < amiller> since proof-of-work isn't quite the right definition after all
01:48 < amiller> also i'm going to write a series of papers called "Money from Scratch," "Decentralized Storage from Scratch," etc.
01:49 < gmaxwell> I might have complained about "Scratch-Off Puzzles", but those justify it
01:49 < amiller> it's a solid three-way pun
01:49 < gmaxwell> "Scratch-Off Puzzles" sort of suggests that there is a dealer.
01:49 < amiller> especially the bootstrapping problem implied by "Money from Scratch" is the best
01:49 < amiller> yeah.
01:49 < gmaxwell> (I suppose the network actually is a dealer, but it has no secret)
01:49 < amiller> is it the "puzzle" that suggests that?
01:50 < amiller> scratch-off challenge is almost better
01:50 < gmaxwell> The finiteness of the scratch-off contributes too, but it's actually correct... it's actually finite due to the network acting as a dealer.
01:51 < amiller> it might not be a "puzzle" if it's not guaranteed to have a solution
01:52 < amiller> riddle, etc., has the same connotation
01:53 < gmaxwell> it's not hard to describe a construction where a solution is guaranteed, I think. e.g. a keyed permutation, network state is one input, you search for a key. Pigeonhole principle says there is always a solution.
01:55 < amiller> it doesn't seem like that's important in any case, i mean it's low enough probability it would happen with sha2 right
01:56 < gmaxwell> right. (in fact, because of how we're set up where we have >256 bits of input I wouldn't be surprised if it were actually impossible to have no solution, though we can't prove that)
01:57 < amiller> even if it's a random oracle it's possible to have no solution
01:57 < gmaxwell> just pointing out, you can actually create a suitable structure where you _can_ prove that... if you care.
01:57 < amiller> because bitcoin doesn't use the full infinite domain of the hash function, it has a bounded size header
01:59 < gmaxwell> It could turn out that sha256^2 has no output with >74 leading zero bits, even with infinite length inputs.
02:00 < amiller> yes but if it were a random oracle, that would happen with probability zero
02:01 < amiller> it could happen with nonzero probability to "sponges", since those have bounded internal state
02:01 < amiller> i think sha2 is closer to a sponge
02:03 < gmaxwell> (dunno if you noticed, but we now have a hash with 73 leading zeros)
02:08 < gmaxwell> I'm wondering if it would trick anyone if I wrote an obfuscated paper describing some fictitious attack on SHA256 that produced some of bitcoin's very low value outputs. esp since the input will look random.
02:09 < gmaxwell> I wonder if you could use bitcoin's biproduct to break some protocols which are secure under random oracle.
02:09 < gmaxwell> er byproduct.
02:09 < amiller> that's a cool observation.
02:09 < amiller> no one cares about the zeros
02:10 < amiller> but it's definitely non-random, it's a pickable (not just recognizable) pattern, like 123456789
02:11 < gmaxwell> well, it just means you can get lots of sha256 inputs that give you a common prefix. E.g. a DHT that stored things by content hash uniformly distributed to nodes with <2^32 nodes would be totally devastated by a feed of bitcoin shares.
02:11 < amiller> yeah, perfect
02:12 < gmaxwell> amiller: because bitcoin is sha256^2 the inputs to sha256 that produce the low values are quite non-obvious.
02:13 < gmaxwell> (I previously verified that our shares wouldn't break freenet, they add extra data to the hash)
02:13 < gmaxwell> Otherwise we would, and a trivially modified bitcoin fpga farm could break freenet pretty good. :(
02:14 < amiller> did you write anything about that
02:14 < amiller> er, mention it anywhere
02:15 < gmaxwell> (nodes will move their locations to split up the hash space better, but it's insanely unlikely that two locations will ever become close enough to split hashes sharing a 32 bit common prefix)
02:15 < gmaxwell> I went and asked the freenet developers what was in their hash, but thats it.
02:16 < gmaxwell> (freenet locations are randomly generated, and then the network swaps them to optimize, so if the keys are non-uniform
02:16 < gmaxwell> I expect lots of DHTs are vulnerable to something like this, but since they're generally made of fail I don't know that it matters.
02:17 < gmaxwell> I'm sure the serious cryptographers would go "see, random oracle assumptions suck"; But this attack works with a real random oracle too.
02:18 < amiller> it's really fun trying to define the reward-claiming part of the puzzle
02:18 < amiller> because the proof-of-work puzzles and client-puzzles don't
02:18 < amiller> the fun part is that since i want to include the stealable puzzle stuff, i'm being careful not to say you have to choose the message before starting
02:18 < amiller> so it's something like non-malleability
02:19 < amiller> given just the scratch-off-proofs generated by arbitrarily many other parties, who dedicate it to messages m1, m2, m3, .... , however many, that doesn't give you any help in producing a scratch-off-proof dedicated to some other message m
05:36 < warren> jgarzik: https://github.com/bitcoin/bitcoin/issues/2770#issuecomment-24756647
05:37 < warren> jgarzik: you said you had people that could reproduce the macos corruption?  severely delayed but here's a build to test.  GPG signed.
05:38 < warren> jgarzik: we have a dedicated machine for doing our builds, set up we *think* in exactly the same way gavinandresen does it, we aren't certain.
16:14 < warren> jgarzik: saw the above?
16:15 < jgarzik> warren, da
--- Log closed Sun Sep 22 22:19:31 2013
--- Log opened Mon Sep 23 01:10:29 2013
--- Log closed Tue Sep 24 00:00:09 2013
--- Log opened Tue Sep 24 00:00:09 2013
07:29 < warren> I'm not sure how to respond to https://github.com/bitcoin/bitcoin/pull/3008
07:32 < warren> truthful response? "I think you're backwards in reasoning on every part of your explanation. Your existing spam solution is terrible and entirely insufficient, and dropping the 0.01 size limit will make spam worse. And the part about a zero fee 26KB tx... is impossible."
07:34 < warren> also "This 10KB -> 1KB change will mean how many extra wasted bytes in the permanent blockchain for dust combiners?  Previously they could combine 67 inputs in one output.   This kind of user DOES care about fees and is willing to wait many blocks for their 10KB tx to sneak in."
10:27 < petertodd> warren: the 0.01 thing makes it not much more expensive to put data in the UTXO set, think about it
10:27 < petertodd> warren: also, do the math for how many extra wasted bytes that actually is, it's not much...
10:53 < gmaxwell> warren: I don't think the 0.01 thing matters pretty much at all, after looking at the txn.
10:54 < gmaxwell> people will pay their 0.0001 BTC fee, and then make a minimum size output. No one is going to make a 0.01 output to avoid the fee and then use it on an unspendable output, as that would cost more.
10:55 < gmaxwell> 0.01 = >$1 now, ... the new anti-dust rules are more comparable to the original 0.01 intent.
11:53 < adam3us> is there a proposed method to work around mutability of ECDSA signatures for the purposes of making dependent transactions (that depend on one or more of the outputs of a previous transaction)?
11:54 < adam3us> eg broadcast the dependent transaction twice once with each mutation txid=H(msg,r,s) and txid'=H(msg,r,-s)?
11:55 < adam3us> and can you on an output with zero value?
11:57 < gmaxwell> adam3us: There are more mutabilities than that one sadly.
11:58 < gmaxwell> We're slowly fixing them. E.g. bitcoin(d/-qt) git will now only produce the smaller possible S value. We'll also no longer relay various forms of garbage DER encoding that openssl still accepted.
12:42 < adam3us> that may be a slightly fragile approach - if they're notionally all fixed, and people start relying on that for big transactions/high value contracts, and just one more DER openssl bug is found, boom
12:43 < adam3us> what about as a one fix instead saying validation must be done (any sigs valid etc) but the txid = H( msg, pub-key ) instead of H( msg, sig )
12:43 < gmaxwell> adam3us: our proposal to fix it is to parse rigidly so openssl is irrelevant.
12:43 < adam3us> as msg includes locktime, sequence, and inputs
12:44 < adam3us> ok
12:44 < gmaxwell> adam3us: getting the sig out of the txid could help but that would be a very deep hardforking change, .. and it's actually tricky to make secure. E.g. what happens when you first get one with a bad signature?
12:44 < adam3us> reducing use of openssl to bare crypto is probably for the best, its defect rate is not fantastic
12:46 < adam3us> i guess my robustness comment is you then have a new security assumption - that there is no signature or encoding mutability remaining
12:46 < adam3us> (well that assumption is already there except the mutability bugs are deterring reliance on such scripts for now)
12:46 < gmaxwell> adam3us: right, we're still a long way from that in any case.. right now we're just slowly moving towards it.
12:47 < gmaxwell> but I agree that before you can take it for granted you really need to do a lot of final review.
12:48 < midnightmagic> jgarzik: Can you tell your employer that it would be really helpful if a user could request more than one payment address for a single transaction? :-)
12:49 < midnightmagic> :-(
16:22 < petertodd> gmaxwell: nope, well, not yet anyway :) figuring out how to do that is my next goal... but I suspect that always runs into issues of censorship, where someone manages to get the only copies of some part of the txo set and prevents people from spending their coins
16:22 < gmaxwell> petertodd: well the whole problem with this set of issues is that you can't have an "autonomous cold wallet"
16:22 < petertodd> gmaxwell: I think you need a proof-of-stake scheme for that; force miners to prove they have the consent of some majority (floating) of the people holding txouts
16:23 < gmaxwell> keeping your own data sounds great, except you require the person keeping it to be eternally vigilant.
16:23 < petertodd> gmaxwell: yup, I think that's unsolvable unfortunately
16:23 < gmaxwell> well, it's not, but I don't like the solutions.
16:24 < petertodd> what do you think solutions to that might be?
16:24 < gmaxwell> You need a one way accumulator that doesn't grow, so you can tick off spent coins.
16:25 < petertodd> Point is accumulators always either grow, or the proofs that your coin is in the accumulators require updating.
16:26 < gmaxwell> petertodd: sure, but what if the accumulator only tracks spent coins?  Of course something that doesn't grow at all can't be collision free...
16:27 < gmaxwell> e.g. MMR to prove your coin existed, and then some kind of cryptographic accumulator to check that it hasn't been spent.
16:27 < petertodd> gmaxwell: Right, now you can get down to 1 bit per txout for a spent coin accumulator, but you're not going to get lower than that... and if you do the numbers on an accumulator with acceptably low risk of collision it needs to be huge.
16:29 < petertodd> *probabilistic accumulator
16:30 < gmaxwell> so an interesting thing is that the bitstring can never have a weight greater than 21e14. I wonder if that helps.
16:30 < petertodd> ?
16:31 < gmaxwell> you can never have more than 21e14 unspent coins.
16:31 < petertodd> what do you mean by "the bitstring" though?
16:32 < gmaxwell> the spentness data.
16:33 < gmaxwell> I guess it doesn't really help, even though the number of 1s is limited the potential storage is still infinite.
16:33 < petertodd> oh, you mean by how many satoshis can be in circulation?
16:33 < gmaxwell> right.
16:33 < petertodd> yeah, those satoshis can be respent over and over again
16:33 < gmaxwell> sure but if they are they take away a 1 and move it elsewhere.
16:34 < gmaxwell> I was thinking about how an efficient representation of the bit array is minimum size for all spent and for none spent, and largest when p=.5
16:34 < K1773R> petertodd: hehe, i tested that script (download not uploading to chain) and it worked slowly
16:35 < petertodd> gmaxwell: Ah right.
16:36 < petertodd> K1773R: which script?
16:38 < petertodd> gmaxwell: It's interesting how you could think in terms of capping the whole UTXO set such that every human being could hold some bitcoins - a gigabyte of bits if represented properly
16:39 < petertodd> Represent it such that the actual UTXO scriptPubKey has to be provided along with an appropriate proof.
16:39 < sipa> you probably want some per-human granularity above "something/nothing"
16:40 < petertodd> sipa: The value of the UTXO would be part of the proof you are asked to provide to spend it.
16:41 < sipa> ah
16:44 < petertodd> sipa: anyway, the other part of that observation, is how the UTXO set could also be nothing more than H(outpoint) truncated to, say, 160bits, giving you 160 giga bytes - also reasonable.
16:44 < petertodd> Again, make transactions provide the outpoints they're spending.
16:47 < petertodd> (note how close this proposal is to P2SH)
17:08 < K1773R> petertodd: https://github.com/runn1ng/namecoin-files
17:19 < HM2> lol
18:00 < amiller> i have been thinking about a weird idea
18:00 < amiller> i am not sure whether it's possible to even state this clearly
18:00 < amiller> one of the main points of this one bitcoin economics paper is that following the stated rules is only a "focal point"
18:01 < amiller> http://www.weis2013.econinfosec.org/papers/KrollDaveyFeltenWEIS2013.pdf
18:01 < amiller> it would conceptually be easy to perturb various rules and if everyone switches all at once, then there's no obstacle to doing so
18:01 < amiller> like a hardfork change requires nothing more than a hardfork
18:01 < amiller> could there be a way to bake in the rules so that it would be hard to perturb them without breaking the whole thing?
18:02 < amiller> there's something like a lower bound, which is that everyone could just stop working on bitcoin and switch to some other protocol all at once
18:02 < amiller> but then the transaction history would all be different and such
18:02 < amiller> there's no way to prevent everyone leaving bitcoin and participating in some other protocol instead
18:02 < amiller> but a hardfork change is different because it builds on the previous history
18:02 < gmaxwell> arguably thats the most ethical way to change the rules, but evaporation is a risk.
18:03 < amiller> so something like error correcting code
18:03 < amiller> where the validation code is built into the history somehow
18:03 < amiller> i mean you could embed the source code to the validation rules in the history
18:03 < amiller> like a commitment to it
18:03 < gmaxwell> E.g. people would be forced to change only by economic realities and network effect, but not by the software.
18:03 < amiller> but it's not binding
18:03 < amiller> maybe there's a way to build the validation code commitments
18:03 < gmaxwell> amiller: well you could make it binding. and use a majority vote. But voting for rules is not actually just.
18:04 < amiller> into everyone's public keys
18:04 < gmaxwell> Democracy isn't a virtue, it's a compromise.
18:04 < amiller> so that if you perturbed the validation rules at all
18:04 < amiller> you would get no security whatsoever
18:04 < amiller> so it's like every slightly changed ruleset using the same transaction history would be trivial/broken
18:04 < amiller> then the only way to proceed would be to commit transactions satisfying the correct rules
19:42 < gmaxwell> petertodd: you going to try to do a windows binary for dust-b-gone or should I try to nag someone else to do it?
19:42 < petertodd> gmaxwell: nag someone else - I don't have a copy of windows to do it on
19:45 < gmaxwell> petertodd: nor do I. :) OK.
19:47 < petertodd> gmaxwell: fwiw there hasn't exactly been many people using it...
19:48 < gmaxwell> petertodd: yea, I know, but no drool and clickly way to run it is one barrier.
19:49 < gmaxwell> I saw someone trying who was hung up on some python dependencies.. I think the windows exe magic stuff fixes that too.
19:49 < petertodd> gmaxwell: yeah, I think I helped that guy
--- Log closed Wed Oct 16 00:00:13 2013
--- Log opened Wed Oct 16 00:00:13 2013
04:42 < warren> http://mastercoin-explorer.com/  <--- Mastercoin actually exists?
04:42  * warren hasn't been paying attention
04:44 < warren> huh.  this thing is just another litecoin-0.6.3 clone
04:48 < warren> oh wait, there's actually two coins called mastercoin
04:51 < gmaxwell> lol
04:59 < sipa> are there any english dictionary words $W for which {$W}coin doesn't exist?
05:33 < wumpus> lol
05:33 < wumpus> starting to doubt it
05:33 < wumpus> almost looks like someone implemented my random altcoin generator idea
05:34 < warren> Does it get listing on an exchange on the first day, upload to github, post to bitcointalk, etc?
05:34 < warren> =)
05:36 < wumpus> it doesn't get listing on an exchange (that'd need help from one of the exchanges), but generating a name, generating a ruleset, uploading to github, posting to bitcointalk, sure :-)
05:36 < warren> steal a random picture from google images for the logo
05:37 < warren> automate more steps and more people will do it!
05:37 < wumpus> yeah or just generate a random color for the bitcoin logo and put a different letter in it
05:37 < warren> hah
05:41 < sipa> you should make it a game
05:41 < sipa> you can tweak only N parameters
05:41 < sipa> but if your altcoin takes off, you level up
05:41 < sipa> and you get to change more things in your next coin
05:42 < warren> sipa: game administrator might have to be centralized ...
05:42 < sipa> is that a problem?
05:42 < sipa> checkpoint broadcasts are ok as well, no?
05:43 < warren> seems anything is OK there.
05:51 < wumpus> good idea, 'coin tycoon'
05:52 < sipa> tycoin!
05:52 < wumpus> :D
05:52 < gmaxwell> thaicoin?
05:53 < gmaxwell> what currency symbol could it use?
05:53 < gmaxwell> I know, the Thai baht symbol!
05:53 < gmaxwell> (if its not already taken)
06:08 < gmaxwell> sipa:  http://bitcoin.sipa.be/speed-lin-2k.png you're off the scale again
06:08 < warren> Bitcoin is THAT awesome.  Off the scale.
06:14 < gmaxwell> warren: you ever offload that bfl you bought onto someone else? :P
06:14 < sipa> gmaxwell: my bitcoind is down it seems :(
06:14 < warren> gmaxwell: yeah, and I feel guilty about it now.
06:15 < warren> gmaxwell: I'm considering just giving his money back and eating the loss even though contractually I don't need to.
06:17 < warren> gmaxwell: I
06:17 < warren> I'm hearing nothing about deliveries now, and people who ordered months before me are reporting no deliveries, so the guy who bought mine is screwed.
06:17 < gmaxwell> hm. Did they suddenly go quiet?
06:18 < gmaxwell> I know people who had SC order recently (couple weeks ago) got their piles of singles alternative.
06:18 < warren> recently?!
06:18 < warren> huh
06:18 < warren> gmaxwell: my April 2013 order didn't ship yet
06:19 < gmaxwell> no no I mean they recently received stuff, not recently ordered.
06:19 < gmaxwell> Ordering back in 2012.
15:04 < gmaxwell> phantomcircuit: e.g. it can just ban their input for N hours, if you want, you're free to choose the parameters to make it reasonable.
15:04 < petertodd> gmaxwell: done
15:05 < petertodd> andytoshi: sorry, just sent it already
15:05 < gmaxwell> andytoshi: what part of the world are you located in?
15:05 < andytoshi> no worries :)
15:05 < andytoshi> gmaxwell: austin
15:05 < andytoshi> it's a $300 flight
15:05 < petertodd> andytoshi: ah, if you were local I'd say just sneak in :)
15:05 < andytoshi> :P
15:05 < petertodd> andytoshi: $100 flight for me
15:06 < andytoshi> hopefully in a year or two i'll have the connections here for the university to fund me..
15:07 < phantomcircuit> gmaxwell, so interesting thought (which im sure someone else has had) coinjoin combined with outputs broken up into standard sized pieces would make it effectively impossible to run conventional money tracing algorithms
15:07 < andytoshi> maaku, gmaxwell: i understand your blinding protocol now, thanks
15:07 < phantomcircuit> as it stands with coinjoin you wouldn't be very protected if you were merging with significantly different amounts from everybody else
15:07 < gmaxwell> phantomcircuit:
15:07 < andytoshi> i'd still like to have multi-day joins, and it's too inconvenient if there's a possibility of invalidation
15:07 < petertodd> phantomcircuit: yeah, my post-dark-wallet write-up was going to suggest that merge-avoidance + coinjoin is a powerful tool
15:07 < phantomcircuit> but if all the outputs were powers of 2
15:08 < phantomcircuit> well now
15:08 < phantomcircuit> good luck with that
15:08 < phantomcircuit> petertodd, i actually already do something sort of like this with the intersango cold storage
15:08 < petertodd> phantomcircuit: should do it as a slider basically saying "I'm willing to pay up to x% more fees for better privacy"
15:08 < petertodd> phantomcircuit: oh cool
15:08 < phantomcircuit> i exploded it into lots of standard sized outputs ages ago
15:08 < phantomcircuit> and every so often do it again
15:08 < phantomcircuit> im sure it's not actually safe
15:09 < phantomcircuit> but it means that finding it is at least non trivial
15:09 < gmaxwell> phantomcircuit: yes, if all the outputs are equal sized you have perfect information theoretic anonymity among all the players.  (or if they nicely factor then you have privacy proportional)
15:09 < gmaxwell> phantomcircuit: thats also why andytoshi's tool tells you which output values are most popular... so you can match them up.
15:10 < phantomcircuit> ah
15:10 < phantomcircuit> gmaxwell, yeah i was just thinking like
15:10 < gmaxwell> if the outputs aren't matched up (or at least factor nicely) then CJ just has the benefit of breaking 'taint' analysis assumptions about common key ownership.
15:10 < gmaxwell> Which is good to do, but not very private.
15:10 < phantomcircuit> 1/0.5/0.25/0.125 etc etc down to the point at which it would be dust
15:10 < phantomcircuit> and then whatever dust there is would pay to the meeting point as a small fee
15:11 < gmaxwell> oh interesting, a fixed cascade.
15:11 < phantomcircuit> or even as a transaction fee
15:11 < phantomcircuit> gmaxwell, yeah then you REALLY couldn't follow anything
15:11 < phantomcircuit> (also it protects against someone intentionally making a weird output size very popular to trick you)
15:12 < andytoshi> hmm, i like this idea
15:12 < gmaxwell> if you're putting in 10 btc though, you really probably don't want to receive it back as a zillion 0.125 btc outputs.
15:12 < petertodd> phantomcircuit: kinda reminds me: I was thinking coinjoin w/ ANYONE_CAN_PAY is useful because it lets you easily up tx fees by adding dust txin's as needed
15:12 < phantomcircuit> gmaxwell, with HD wallets and public derivation you could even pay everybody like that
15:12 < gmaxwell> petertodd: yea but right now doing anyone can pay makes the CJ transactions very distinguishable.
15:13 < petertodd> phantomcircuit: yeah, we need a way in the payment protocol for receivers to state how many extra addresses they're willing to have payments spread over
15:13 < phantomcircuit> gmaxwell, 10 btc would come back to you as 8/2
15:13 < petertodd> gmaxwell: yup, works best if everyone uses cj...
15:13 < phantomcircuit> gmaxwell, you would still need to be merging approximately the same amounts
15:13 < andytoshi> gmaxwell: if you had, say, fixed output sizes of 10, 5, 1, 0.5, 0.1, that should suffice
15:13 < andytoshi> restricted output sizes*
15:13 < phantomcircuit> but even if you weren't at the very least the smaller amounts would be perfectly anonymous
15:13 < gmaxwell> andytoshi: really? someone puts in 1, someone else puts in 10. .. now they get no privacy under that scheme.
15:14 < phantomcircuit> gmaxwell, i forget what's the default dust limit for an output?
15:14 < andytoshi> well, you'd combine it with the 'most popular output' scheme
15:14 < gmaxwell> phantomcircuit: e.g. if you get an output of X no one who put in <X would be in the same anonymity set as you.
15:14 < petertodd> Anyway, fixed output sizes are all well and good, but in addition to that you can do value matching: party #1+n to the CJ intentionally picks the same output value for some or all of their txouts as a previous party.
15:14 < phantomcircuit> is it 0.0005 ?
15:14 < andytoshi> but yes, that could be the case
15:14 < helo> 0.00005something
15:14 < phantomcircuit> gmaxwell, right
15:15 < petertodd> Or, even more sophisticated, some output value that is the sum of their txin's and your txins, or some similar strategy.
15:15 < gmaxwell> andytoshi: in any case you can do something like where the biggest output is <= the smallest input, and then you have octaves and you randomly assign people's coins to outputs.
15:16 < maaku> phantomcircuit: coin size doesn't actually matter ... you're only mixing with the people participating in the transaction
15:16 < maaku> and from transaction to transaction you can vary the output sizes
15:16 < petertodd> *sum of a subset of their txins and your txins
15:16 < andytoshi> i'd like that, but there's still edge cases (that aren't too extreme) where i'm asking people for 20 addresses
15:17 < gmaxwell> andytoshi: and paying their 10 BTC input as a zillion .125 outputs. :P
15:17 < phantomcircuit> maaku, right but lets say you have 1 input for 200 btc and we explode that into outputs for 128/64/8
15:17 < phantomcircuit> maaku, and there is 1 other input for 10 btc
15:17 < phantomcircuit> only the 8 btc output is anonymous
15:17 < phantomcircuit> the 128 and 64 are both clearly linked to the 200 btc input
15:18 < phantomcircuit> ahah wait
15:18 < gmaxwell> phantomcircuit: ENOTENOUGHDATA
15:18 < phantomcircuit> that's wrong
15:18 < gmaxwell> phantomcircuit: if there are two people with 200 BTC inputs, you're great.
15:18 < phantomcircuit> you can have multiple inputs yourself
15:18 < phantomcircuit> so 10 inputs for 10 BTC and 2 outputs for 50 BTC tells you nothing about who is who
15:18 < gmaxwell> sure sure, I'm trying not to assume that the inputs themselves are already somewhat anonymous.
15:19 < gmaxwell> The hard case is where all the data going in is know, if you're secure in that case you're secure in the easier versions.
15:19 < phantomcircuit> gmaxwell, right neither am i
15:19 < phantomcircuit> gmaxwell, if you have exactly 2 inputs both of which are not anonymous and outputs which are larger than one of the inputs
15:19 < phantomcircuit> then those outputs are clearly linked to the larger input
15:20 < maaku> phantomcircuit: if you perform three 2 party mixes, then you've reduced taint of your original input down to 1:8 ... even if there are a thousand other participants with that output size
15:20 < maaku> your output is still only one of those eight, and definitely not one of the other 992 outputs
15:20 < phantomcircuit> maaku, taint is such a terrible measure :/
15:21 < maaku> well im speaking loosely, not giving taint any specific meaning
15:21 < phantomcircuit> maaku, if you take the larger outputs and merge them receiving ever smaller outputs (ie exploding them into a standard size) then you eventually end up with tons of tiny outputs that are super annoying
15:21 < gmaxwell> The word you want to use is "anonymity set".
15:21 < maaku> in coinswap you do benefit from the size of the crowd, but not coinjoin
15:21 < maaku> phantomcircuit: you don't have to explode your outputs, that's what I'm saying
15:21 < gmaxwell> well coinswap crowd benefits would currently be ~0 due to the fact that escrow transactions are basically non-existing, though that'll change.
15:22 < phantomcircuit> ideally you could get a distribution of who controls the inputs
15:22 < phantomcircuit> maaku, if you dont control your outputs to be standard sizes you'll run into fuzzy statistical matching that is actually very very sophisticated
15:23 < phantomcircuit> maaku, in general "dirty" money flowing around the banking system isn't traced by following each hop but rather is traced using fairly broad statistics
15:23 < gmaxwell> phantomcircuit: sure and you can reduce the distribution to a single number, the entropy of the distribution.
15:23 < andytoshi> i think having a 'most popular output', and a small set of standard sizes, would suffice
15:23 < andytoshi> then i'd spin up multiple joiners with different standardsizes
15:23 < phantomcircuit> gmaxwell, hmm
15:24 < maaku> "you'll run into fuzzy statistical matching that is actually very very sophisticated" I don't think this is correct
15:24 < phantomcircuit> maaku, the attempts at tracing bitcoins on the network to date have been ... how do i put this nicely? ... not sophisticated
23:25 < phantomcircuit> gmaxwell, in general i suspect the best he could hope for is to recover 20 BTC at the time tradehill (version one) was liquidated
23:25 < phantomcircuit> iirc it was actually formally and legally liquidated in chile
23:26 < phantomcircuit> there might be a transfer agreement specifying liabilities... but i doubt it
23:26 < phantomcircuit> it's like there's a guy who owes intersango 511 BTC
23:26 < gmaxwell> phantomcircuit: right, so there you go, time to shut down intersango.
23:26 < phantomcircuit> but it was from when that was worth 4k USD
23:27 < phantomcircuit> there is no way we could get a court to find that he owes us 408k USD instead
23:27 < phantomcircuit> gmaxwell, im going to try changing the business model relatively soon hopefully that will align the costs with the fees
23:27 < phantomcircuit> and people will stop thinking their 10 EUR transfer will be executed immediately
23:36 < pigeons> i met jared and the tradehill folks at the money202 conference in vegas a few months ago and was kind of surprised they show their faces
23:36 < pigeons> the whole san francisco crows with him, jesse powell, jonathan ryan owens, jared kenna etc
23:36 < pigeons> *crowd
23:36 < pigeons> *money2020
23:53 < phantomcircuit> pigeons, afaict jered himself doesn't intentionally screw people over
23:53 < phantomcircuit> it just kind of happens
23:53 < phantomcircuit> the others though? well that's a different story
23:53 < pigeons> ok, well makes me wary
23:54 < phantomcircuit> total 90degree shift here
23:54 < phantomcircuit> one server with vmware or multiple servers
23:56 < pigeons> probably whatever your admin prefers
23:57 < pigeons> i prefer multiple servers on my own projects, but i for some reason like it all on vmware when its someone else's project, easier for me to keep straight for some reason
23:58 < phantomcircuit> pigeons, im the admin
23:58 < phantomcircuit> yeah i guess individual servers
23:58 < pigeons> of course if you're paranoid there are always break out of the guest and compromise the host bugs that take years to even get leaked
23:58 < phantomcircuit> bleh have to buy switches and shit then
23:59 < pigeons> probably more and more such bugs the way they don't really virtualize the video cards
--- Log closed Tue Nov 26 00:00:08 2013
--- Log opened Tue Nov 26 00:00:08 2013
00:00 < phantomcircuit> hmm
00:00 < phantomcircuit> true
01:48 < Ryan52> cfields: Oh, okay. Sorry about that, I should have provided a status update, I totally fell asleep last night trying to rest my eyes before doing so... I'm on my way out to play cards now, but I'll comment on your commit (or alternate preferred means of providing those details?) tonight.
01:49 < Ryan52> cfields: And no problem regarding missing my pong, please let me know if the results are urgent, and I can try to put a rush on it.
02:28 < cfields> Ryan52: nah, nothing urgent. I just don't want it to go stale
02:29 < warren> cfields: has anyone tested your new gitian targets?  sorry I'm too swamped personally now.
02:30 < cfields> warren: not yet. I'm trying to sucker Ryan52 into it :)
02:30 < warren> We'll toss some coins to Ryan52 for doing it and improving it if necessary.
02:31 < cfields> great
02:32 < cfields> Ryan52: i suppose you're not able to trigger the osx db corruption?
02:32 < warren> cfields: I'm pushing builds to all the people who complained to ask for testing of your patch
02:33 < cfields> ok
02:33 < warren> litecoin too
02:33 < cfields> warren: it's a stab in the dark, but there's some logic to it
02:56 < Ryan52> cfields: yeah, understandable, I'll give it a try once I figure out gitian. WRT mac osx, I wish, but my client has been happily downloading blocks for days (perhaps starting with a bootstrap would have somehow been more effective for testing?).
02:56 < Ryan52> s/mac osx/mac osx corruption/
02:56 < warren> Ryan52: bootstrap.dat will be no different in testing as corruption people experience seems to be mostly after full sync
02:57 < Ryan52> warren: yeah, that was my assumption, I wasn't sure if it was valid. thanks for confirmation.
02:58 < Ryan52> I thought maybe throwing stuff at it while it is busy downloading/validating/etc might make reproducing faster, but it was a long shot.
02:59 < warren> nah, reproducers have been as simple as "clean shutdown" and start it again
03:13 < warren> cfields: so folks want qt5 with autotools, but there's no qt5 in macports yet?
03:14 < Emcy> anyone think its worth getting a topic for bitcoin put on usenet
03:15 < warren> no
03:15 < Emcy> :(
03:15 < wumpus> warren: demand for qt5 doesn't come only from mac
03:17 < warren> wumpus: I know
03:17 < wumpus> the newer ubuntus also come with qt5 by default
03:17 < warren> and lack db48?
03:18 < wumpus> yes
03:18 < warren> is anyone going to get rid of bdb?
03:18 < wumpus> as it is now, it looks like we're getting rid of the wallet before getting rid of bdb
03:19 < Emcy> only the wallet uses bdb
03:19 < wumpus> (well, at least to make wallet optional, and use nowalletmode by default)
03:19 < wumpus> yes Emcy
03:19 < Emcy> its simple, we kill the wallet and we kill the bdb lol
03:21 < wumpus> it wouldn't solve the problem, of course, as people that want to use the wallet are still stuck with bdb, but the wallet component will always need it for backwards compatibility anyhow :/
03:22 < wumpus> we can't just say 'hey, you can't use your old wallet.dat's anymore!'
03:23 < warren> cfields: do still plan on redoing the win32 gitian deps?
03:23 < warren> cfields: tarball instead of zip, version upgrades, etc.
03:24 < Emcy> look sipa will get around to it one day
03:24 < Emcy> there's only one of him
03:24 < wumpus> I'm not sure Emcy, I think he lost interest in the wallet part as well, he's focused on improving the block handling now
03:25 < Emcy> rightly so
03:25 < wumpus> which is also a much higher priority
03:25 < wumpus> there are many wallets, but there is only one full node
03:25 < Emcy> i wouldnt like to see the wallet part fall into such disrepair that someone just says fuck it and comments it all out one day
03:26 < Emcy> i suppose thats a danger if no one works on it for years
03:26 < wumpus> the nice way would be to separate it out into a different part
03:26 < Emcy> i was surprised to see gavins old headers first branch on the github the other day too like 2 years old, so it could happen
03:27 < wumpus> we just don't have enough interested developers
03:27 < Emcy> wumpus i wouldnt like to see a functioning reference client be fractured into parts
03:28 < Emcy> im sure it makes sense to nerds but thats how you turn the project into a plaything for just the tech elite
03:28 < wumpus> *everyone* with C++ skills could say any day "hey, let's improve the wallet" and improve the code and submit a pull
03:28 < Emcy> well there are like 150 people with commits on the github but most of those are one or 2
03:29 < gmaxwell> seems to be a lot more interest in reimplementing the basic underlying stuff.
03:29 < wumpus> but as it looks now, on the long term we need to focus the bitcoin projects on its core responsibilities
03:29 < wumpus> which is the P2P and block chain handling
03:29 < Emcy> but yes im surprised there hasnt been more interest from all the rest of the talented people out there
03:29 < wumpus> gmaxwell: yes, many people get stuck in the 'let's reimplement this to learn' part
03:30 < Emcy> with bitcoin being like a new frontier of computer science or whatever......thought that would attract the brainboxes. Perhaps even academia for more than shitty papers here and there
03:31 < midnightmagic> Emcy: Nobody wants to be the one that broke bitcoin.
03:31 < wumpus> Emcy: and splitting up the project doesn't have to mean anything changes for end users, we could still package a full node with wallet if there is demand for that, it will just consist of multiple parts internally
03:34 < wumpus> Emcy: well there is lots of focus on bitcoin as a currency or speculation vehicle, but almost none on the open source project
03:34 < Emcy> right
03:35 < Emcy> goes along with my suspicions that all the price wanking is hurting bitcoin the project in subtle ways
03:35 < wumpus> we're extremely good at attracting traders and gamblers though, but expecting them to learn to code between their adrenaline binges would be expecting too much :-)
03:35 < midnightmagic> :)
03:36 < Emcy> but there are many parts of the system that can only be engineered on in situ
03:36 < Emcy> because no one knows how the fuck it will behave otherwise
03:38 < Emcy> i wonder if some team could get an EU grant to do bitcoin stuff
03:38 < Emcy> theres a team that gets EU money to code a functioning 100% decentralised torrent client i think
03:39 < Emcy> tribler? I think their solution was MOAR DHT though
03:39 < gmaxwell> maybe there should be a gambling interface that shims into GCC.  "Will this line of code compile? Bet now!"
03:40 < wumpus> hehe, and a code editor that combines statements using a slot machine
03:41 < gmaxwell> splitting out the wallet is important for a lot of reasons. It is somewhat crazy that our private key handling wallet process is exposed to the internet. With the wallet separated we could do a lot better sandboxing of all the processes.
03:41 < warren> gmaxwell: that might be the cause of the macos x corruption
03:41 < Emcy> and threading of things that should be threaded
03:41 < gmaxwell> oh some sandboxing thing?
03:42 < warren> gmaxwell: no, "Will this line of code compile? Bet now!"
03:42 < wumpus> or with speculation 'this line of code is now worth 3 mBTC, invest in it to make it worth more!'
03:42 < gmaxwell> ah!
03:42 < gmaxwell> lol
03:42 < Emcy> as long as you can still compile a binary with all the parts forming a functioning client, it would be ok
03:42 < Emcy> as long as it doesnt end up like PGP
10:09 < HM>     if (!BN_mul_word(x, i)) { ret=-1; goto err; }
10:09 < HM>     if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }
10:10 < HM> very simple
10:10 <@sipa> indeed
10:11 < HM> is it just 2 possible values?
10:11 < HM> p/n is the cofactor isn't it?
10:11 < HM> which is 1
10:11 <@sipa> yes, n is 2^256 - 2^128 approximately
10:12 <@sipa> so the chance of it being >n is even exceedingly small
10:14 < HM> very cool
10:14 < TD> HM: the same code exists in bitcoinj in a more readable form
10:14  * HM covers sipas ears
10:14 < HM> more readable than sipa's code you say? :P
10:14 <@sipa> HM: i make no claim my implementation of key recovery is good
10:15 <@sipa> it's a straightforward implementation of the algorithm in SEC1, but it could be much more readable
10:15 < TD> well, you can't really make openssl based code readable
10:15 < TD> https://code.google.com/p/bitcoinj/source/browse/core/src/main/java/com/google/bitcoin/core/ECKey.java#464
10:16 <@sipa> some parts can be abstracted into functions, variables can be more readable, ...
10:16 <@sipa> also, i'm not actually convinced i use the BN_CTX api correctly - it may leak
10:17 <@sipa> (something i learnt when reimplementing Hal's optimization)
10:18 < HM> TD: i prefer the C++ :P
10:18 <@sipa> HM: feel free to compare with the OpenSSL-using code in https://github.com/bitcoin/bitcoin/pull/2061/files
10:18 < TD> each to their own :)
10:20 < HM> yeah that code is nice
10:21 < HM> I think that FLV optimisation, or whatever it is called, is well outside my grasp atm though
10:21 <@sipa> the reason why it works, i don't understand either
10:22 <@sipa> but given the mathematical property, i understand why this is correct and gives a speedup
10:23 <@sipa> HM: also, originally it was this code by Hal: https://bitcointalk.org/index.php?topic=3238.msg45795#msg45795
10:26 < HM> hmm
10:27 < HM> is it going to merge sipa?
10:27 < HM> or are you waiting for a cryptoangel to come down and bless it?
10:32 < HM> i think the bad bit is you're duplicating code from OpenSSL
10:36 < HM> offtopic but hilarious:
10:36 < HM> http://blog.evernote.com/tech/2011/05/17/architectural-digest/#comment-455
10:36 < HM> "Before Evernote, I spent five years building high-end cryptographic systems for government customers"
11:23 <@sipa> HM: i'd hope to get that into 0.8.1, but i doubt gavin likes to merge it without some big-ass crypto guy signing off on it
11:23 <@sipa> maybe rightfully so
11:25 < gavinandresen> I'd be ok merging it as an off-by-default "if sipa-turbo-transaction" option that people who are CPU limited wanted to use, could use....
11:26 < HM> lol "sue sipa mode"
11:26 <@sipa> hmm
11:27 <@sipa> i'm currently actually trying to write an ECDSA implementation from scratch, with all operations specialized for secp256k1
11:27 <@sipa> trying to see if i can beat OpenSSL :p
11:29 < HM> including your own bignum ops? :p
11:31 <@sipa> yes, i already have a specialized implementation for arithmetic modulo the secp256k1 field size
11:31 <@sipa> which has a function that does an integrated multiply-and-modulo or square-and-modulo
11:32 <@sipa> i haven't compared it with OpenSSL's montgomery multiplication (which is in assembly!) but it beats (naive) GMP by a factor of >4
11:32 < HM> nice
11:33 < HM> Bernstein's implementation of curve25519 was written in his own assembly language and translated to x86 using his own translator :|
11:33 < HM> I'm not sure if he wrote his reference of Ed in the same language
11:33 < HM> haven't looked at it
11:34 <@sipa> well i use a trick i read in the ed25519 paper, namely using 5 uint64_t's (with 52 bits in each) instead of 4
11:34 <@sipa> so you need somewhat more multiplications, but you can add several together before doing a carry
11:35 <@sipa> it needs 47ns for a field multiplication on my 3.1GHz i7
11:35 <@sipa> and doesn't have any assembly code
11:35 < HM> 52 x 5 is 260
11:36 <@sipa> the last one only has 48 bits :)
11:36 < HM> so the top 4 are 0
11:36 < HM> keeps code simple i guess
11:36 < HM> that doesn't sound particularly tricky
11:37 <@sipa> well the trick is verifying that for any allowed input you never overflow any internal variable
11:37 < HM> why is avoiding the carry ideal?
11:37 <@sipa> because 64-bit addition with carry is slow
11:37 <@sipa> (and hard to do in C...)
11:38 < HM> i guess
11:38 < HM> i wrote a divideby58 function that uses 24 bits in uint32_t words
11:38 < HM> the top byte just becomes the carry
11:38 <@sipa> and it allows you to do field additions, subtractions and multiplications with small constants without any carry
11:38 < HM> since 58 takes 6 bits
11:39 < HM> but i was just bored
11:39 <@sipa> just add/sub/mult the respective uint64_t's together
11:39 <@sipa> if you can prove they won't overflow
11:39 < HM> yeah
11:40 < HM> http://pastebin.com/rRcrYUm8
11:41 <@sipa> anyway, the result is a field doubling in 361ns
11:41 <@sipa> eh point doubling
11:41 <@sipa> i haven't implemented addition yet, or compared with openssl
11:41 < HM> sounds fast
11:42 <@sipa> i suspect it's at most a factor 2-3 faster than openssl, but may be a lot less
11:45 < HM> you should look at compiler intrinsics for 128bit operations if you want to push it further
11:45 <@sipa> i use those
11:45 <@sipa> you can't do 64*64 multiplication otherwise
11:47 < HM> sure you can
11:47 < HM> won't be fast though
11:48 <@sipa> well there is no way to do a native 64*64 multiplication in one instruction that keeps the upper 64 bits of the output otherwise
11:48 <@sipa> better?
11:49 < HM> I am satisfied :)
12:57 <@sipa> gavinandresen: -turbo added :)
13:05 < gavinandresen> cool, I look forward to the TurboUltraPlus version
18:04 <@sipa> \o/ 725ns for a point addition
18:42 < HM> that seems pretty slow
18:42 < HM> you can do better
18:43 < HM> sipa: you should really normalise that in cycles.
18:44 < HM> or cycles per byte
18:44 < HM> hmm
18:49 <@sipa> well, to give any meaningful number: a rough guess is 3x faster than OpenSSL
18:50 < HM> good work
18:51 < HM> I would find the code interesting as well
18:51 <@sipa> though i'm pretty far from a full implementation, it's just the field & group operations for now
18:52  * HM nods
19:08 < ielo> hi
19:19 < HM> hi ielo
19:19 < HM> the address format is really weird in bitcoin
19:20 < ielo> why
19:20 < HM> well the hash is converted in to base58 in big endian
19:20 < HM> so the first byte is the most significant
19:20 < HM> then it's reversed
19:20 < HM> so it's now little endian
19:20 < HM> then the front is padded, if applicable, with 1's
19:21 < HM> which means you're semantically adding 0's to the least significant end
19:21 < HM> makes no sense
19:22 < ielo> but all of those parts are useful like the key hash and checksum no?
19:23 < HM> right, it's a composite structure, so it really has no endianness
19:25 < HM> https://github.com/bitcoin/bitcoin/blob/master/src/test/data/base58_encode_decode.json
19:26 < HM> a naive conversion of say 00eb... will treat it as a big endian bigint and output L9ED...
19:27 < ielo> but in what situation would that happen
19:28 < HM> the mainline client does it
19:29 < HM> https://github.com/bitcoin/bitcoin/blob/master/src/base58.h#L64
19:31 < HM> e.g. if you had "10000" and divided it by "10" the BN_div and append op actually produces "1000"
19:31 < ielo> /
19:31 < ielo> / Why base-58 instead of standard base-64 encoding?
19:31 < ielo> / - Don't want 0OIl characters that look the same in some fonts and
19:31 < ielo> /      could be used to create visually identical looking account numbers.
19:31 < ielo> haha
19:31 < ielo> thats curious
19:32 <@sipa> HM: https://github.com/sipa/secp256k1/blob/master/secp256k1.cpp
19:33 < HM> hmm
19:33 < HM> there are some microops you can still do there i think
19:34 < HM> micro optimisations
19:34 <@sipa> i have no doubt about that
19:34 <@sipa> but much is compiler-dependent at that point
19:34 <@gmaxwell> next that gets converted into ASM. :P
19:35 <@sipa> well, that's what i mean: if you want to optimize further, you're probably better off generating the assembly, and tweaking that
19:35 < HM> i doubt it
19:36 <@sipa> for example i do keep a 128-bit accumulator throughout the first multiplication stage in SetMult
19:36 < HM> you should benchmark it in more than 1 compiler though
19:36 < HM> perhaps intels
19:36 <@sipa> in an earlier version, i took the resulting shifted output into a uint64_t, and added to that to obtain the next __int128
19:37 <@sipa> in theory, that is faster, as i know the top 64 bits are zero
19:37 <@sipa> however the generated code was slower
19:37 <@sipa> so there is certainly room for improvement at the assembly stage
19:38 < HM> 100 million
19:38 < HM> how long does it take roughly
19:38 <@gmaxwell> well, not like the compiler is going to output PCLMULQDQ on its own.
19:39 <@sipa> HM: 2.5 minutes here
19:39 <@sipa> it's actually 200 million additions
19:39 <@sipa> but i wanted to avoid always adding the same number
19:39 < HM> I'm going to try something
19:40 <@sipa> feel free :D
19:41 < HM> i only have an i5 480M in this laptop so might take a while
19:41 <@sipa> gmaxwell: it does output mul and adc instructions, which is what i need
19:42 <@sipa> (64-bit multiply with 128 output, and addition with carry of two 64 bit values)
19:42 <@sipa> i think it however generates a few add instructions too many
19:42 < HM> i wonder how much overhead is due to the lack of inlining in the openssl version
19:43 < HM> plus those CTX structs
19:45 <@sipa> those CTX's are actually very efficient
19:46 <@sipa> they cause the algorithm to reuse the same variables throughout many iterations
19:46 <@gmaxwell> that's the sort of thing that the cpu will handle well too usually.
19:47 <@sipa> gmaxwell: well you don't want malloc()/free() inside your tight crypto loops
19:56 < HM> hmm
19:56 < HM> well
19:58 < HM> takes over a microsecond here
19:58 < HM> 3m30
19:59 < HM> 2.2 Ghz core
19:59 < HM> 2.67 actually :|
00:00 < petertodd> But what's nice about that, is by making burning coins possible, you can give nice lower-bounds on how much it'd cost an attacker to attempt to re-org the chain!
00:00 < petertodd> That's actually a good thing!
00:00 < amiller> i don't think so?
00:01 < amiller> burning coins is already possible, just make it a softfork thing
00:01 < amiller> i guess you're just arguing that people should take advantage of that and start doing it
00:01 < petertodd> Why not? In reality they could rent the hashing power, maybe, and you have no strong idea if it's possible.
00:01 < petertodd> Huh? What does a soft-fork have to do with anything?
00:02 < amiller> it's only a soft fork change to have consensus-by-burn isn't it?
00:02 < petertodd> No, it's very much a hard-fork change.
00:02 < amiller> why
00:03 < petertodd> Because it means sometimes a block with less real work is the winner.
00:03 < amiller> just make a transaction that burns the coin and has an encoded message containing the block you like
00:03 < amiller> only for a short time though
00:03 < petertodd> Doesn't matter, that's a hard-fork change.
00:04 < petertodd> Heck, what's ugly is how hard it is to implement this in a low-bandwidth SPV compatible way - you'd need some fancy NI proof thing, and they're all bulky.
00:05 < gmaxwell> forget bulky
 one of the deep advantages of bitcoin is that assuming a very small amount of blackboxing (hash functions and ecdsa) joe-coder can basically understand the whole thing, or really believe he can understand it.
00:05 < amiller> i don't see how it couldn't be a soft fork
00:05 <@gmaxwell> add too much wizardry and it becomes incomprehensible.  Considering the insecurity of namecoin that's a serious liability.
00:05 < amiller> it falls under a particular kind of bribe-the-miners approach
00:05 < amiller> it's just instead of appealing to their own bonus, you're just saying that it's a good altruistic thing to have this property built in
00:06 < petertodd> gmaxwell: Yeah, though I will point out that if I understand this we probably have a hope of making a description that's joe-coder understandable. :P
00:06 < petertodd> gmaxwell: NI proofs are possible to explain without that much math
00:07 < gmaxwell> some of them are.
00:07 < petertodd> amiller: you could have a situation where a block has no work done at all to mine it, and it's valid only because of the burns
00:07 < amiller> uh, hm, i see
00:07 < petertodd> gmaxwell: yes, and all the ones I'm envisioning for this stuff are in that class, because I failed calculus
00:08 < petertodd> amiller: or in a different system, it is valid, but is on a chain that's way shorter than the attackers chain
00:08 < petertodd> amiller: yet the attacker's chain is still defined as not the winner
00:08 < amiller> okay i agree with the first part
00:08 <@gmaxwell> I have been explaining everything I learn in this space to my girlfriend, so I have a pretty good idea of the effort to explain things.  I can explain it but the explanations take hours before they cross the point of being useful.  So ability to explain isn't enough, the explanation has to be shorter than their attention span.
00:09 < amiller> i wonder if you shouldn't consider a new rule like "choose the block that has desirable transactions in it" rather than "choose the longest block" a soft fork change
00:09 < amiller> you'd have to convince everyone to go on it or you'd have a split among people who did and people who didnt
00:09 < petertodd> gmaxwell: yeah, don't get me wrong: all these advanced distributed consensus ideas are less joe-coder friendly than Bitcoin v1.0, but we're pretty far from the point where it's impossible to explain
00:09 < amiller> i guess that's the main quality you want to express by hard fork
00:10 < gmaxwell> splits are pessimal though.. and you could be malicious easily e.g. make two forks one randomly pays 1e-8 btc to half the users, one randomly pays 1e-8 to the other half.
00:10 < petertodd> amiller: basically remember that anything in the block headers is guaranteed to be changeable only by a hard fork - we're changing the very core of the consensus algorithm here
00:11 < amiller> suppose you made it so that a block was technically valid even if it had self-decided difficulty
00:11 < amiller> that's a DoS problem primarily
00:11 < petertodd> gmaxwell: for sure - tie-breaking in many cases is pretty damn ugly
00:11 < amiller> but you could make that hard fork change, and by soft-fork rules still maintain everything as normal
00:12 < amiller> in other words you would use softfork policy to enforce the same difficulty policy we have now, so no tiny valueless bloat blocks
00:12 < petertodd> gmaxwell: mainly I'm proposing this stuff because it gives a democratic-ish and automatic way for the community to directly fight an attacker; the fact it works well in more specific scenarios is just luck
00:12 < amiller> once you applied that hard fork change, then it would only be a soft-ish fork to change it to preferring proof-of-burn rather than proof-of-work at some exchange rate
00:12 < petertodd> amiller: no, that'd be a hard-fork too
00:13 < amiller> it's neither a soft fork nor a hard fork
00:14 < petertodd> amiller: if you have a situation where an older client can't come to consensus with the majority of hashing power, it's a hard-fork
00:14 < amiller> but you're changing the definition of hash power
00:14 < amiller> technically the older client will continue to come to consensus with the majority of hash power
00:14 < petertodd> amiller: yes, hence we've got a hard fork!
00:15 < petertodd> amiller: I mean, I'd call changing the pow algorithm from SHA256^2 to scrypt to be a hard-fork
00:15 < amiller> what about adding a bit to the difficulty expression
00:15 < amiller> so that the work is twice as hard at the same difficulty level
00:15 < amiller> normal miners would get it right half the time
00:15 < petertodd> amiller: again, hard fork
00:15 < amiller> eventually the hash power would take over though
00:15 < amiller> not a hard fork
00:16 < amiller> that's unambiguously a soft fork
00:16 < petertodd> amiller: yes, but now a less than majority of hashing power can lead the older clients astray
00:16 < amiller> no it can't
00:16 < petertodd> amiller: yes it can, specifically a 25% attacker
00:17 < amiller> i think you've just misunderstood my example or i made some error in describing it
00:17 < petertodd> you made it twice as hard, therefore someone with half as much strength can create what looks like a valid chain, hence a 25% attacker
00:17 < amiller> no i self impose a rule that's twice as hard
00:18 < petertodd> yes, which means the majority of hashing power is now doing twice as much work, but the older clients don't know that, and they then think a 25% majority is a 50% majority
00:18 < amiller> oh
00:19 < amiller> uh... yeah, sorry
00:19 < petertodd> hehe, that'll make for a good problem in my upcoming textbook on decentralized consensus systems :P
00:20 < amiller> that's somewhere in between a hard fork and a soft fork then lol
00:20 < amiller> because it gives a slight advantage but not a complete one to the smaller attacker :o
00:21 < amiller> you still want everyone to change their client but they might not
00:21 < petertodd> yes! you can have changes that are hard-forks to fully validating nodes, and soft-forks for SPV nodes
00:21 < petertodd> in my textbook I'll have to define a hard-fork very clearly!
00:21 < amiller> are you really writing a textbook
00:22 < petertodd> lol, but I'm starting to seriously think about it...
00:25 < amiller> ok so having coin burning as an option would be a hard fork, (even if it were syntactically already permitted somehow) because it would require changing the consensus definition of clients
00:25 < petertodd> yup
00:26 < amiller> so back to the difference between burned-work and burned-coins
00:29 < amiller> profitdriven miners pick the chains to work on that give them the most profit
00:29 < amiller> clients pick chains according to their code?
00:29 < amiller> is there any notion where a client picks the chain based on some incentive?
00:29 < amiller> i suppose the client picks the chain that's most likely to be sustained by other miners
00:30 < amiller> but it has to choose which miners it cares about!
00:30 < gmaxwell> amiller: the most important thing in a consensus system is to come to a consensus... :)  of secondary importance is to come to a consensus which doesn't screw you over.
00:30 < amiller> the client probably picks the chain that's most likely to be sustained by the miners that make the kind of blocks other clients you interact with choose
00:30 < amiller> yeesh it's still circular
02:45 < jgarzik> I hope I'm not being overbearing: https://bugzilla.redhat.com/show_bug.cgi?id=1020292
02:46  * jgarzik generally feels that most people, including smart hackers, Just Don't Get It when it comes to distributed consensus, forks, and bitcoin security.
02:46  * jgarzik should have written that blog post, when the Debian thing surfaced
03:01 < warren> jgarzik: sigh, I was hoping they would understand
03:02 < warren> jgarzik: perhaps it's time to discuss the underlying policy purpose of the no library duplication rule
03:15 < warren> jgarzik: hmm, I like the way you described it.  I think Peter Lemenkov is not among the more experienced people there.  let's see how spot responds...
04:33 < petertodd> jgarzik: "This sounds very strange to me. If it's true, and Bitcoin is so fragile due to changes in underlying libraries, then it looks like a potential attack vector." <- might be worth it to go ahead and say that yes this is a problem, but right now the state-of-the-art does not know how to remove this risk
04:34 < petertodd> jgarzik: helps give the guy the impression that you're listening to him, while making it clear why his first impression is an incomplete understanding
14:06 < HM> the EC stuff sounds like it'll dominate
15:56 <@sipa> swap OpenSSL for GMP: down to 136us
15:56 <@sipa> (though haven't validated whether the results are correct)
16:36 < HM> nice
16:39 < HM> sipa: did you optimise exponentiation yet?
16:40 <@sipa> sure
16:43 <@sipa> there are not many optimizations left that i know about
16:48 < HM> Still, a four fold performance increase over current bitcoind?
16:49 <@sipa> something like that
16:49 < HM> that's sweet
16:59 <@sipa> the worst part: creating bug-for-bug identical signature decoder
17:06 < HM> well you can be lazy and leave out the bugs
17:06 < HM> I'll forgive you
17:07 <@gmaxwell> No, we won't. Not matching the bugs would be a bug.
17:07 <@sipa> not matching the bugs means a potentially forking client
17:08 <@sipa> though i'm well aware of which violations of DER-encoding for signatures appear on the network, and matching those isn't hard, i can't know what else OpenSSL might accept
17:08 <@sipa> trivial solution: use OpenSSL to do the signature decoding :)
17:27 < nanotube> what if openssl decides to fix the bugs at some point?
17:27 <@gmaxwell> nanotube: bitcoin is over.
17:27 <@gmaxwell> :P
17:28 < nanotube> heh
17:28 <@gmaxwell> this is one of the reason that having external libraries define our normative blockchain behavior is surprisingly risky. Most other software doesn't have the suicide pact for bug preservation we do. :P
17:29 < nanotube> indeed
17:29 <@gmaxwell> In my eyes the whole of the blockchain code would be some hermetically sealed single set of C files which don't even call any libc functions, beyond those needed to allocate memory and use the disk. :P
17:30 <@sipa> nanotube: it's not bugs as such: they accept ill-formatted signatures; in many settings, that is wanted behaviour
17:30 <@sipa> the problem is that it implicitly defines a hard network rule for us
17:30 < HM> gmaxwell: *C++ files :P
17:30 <@gmaxwell> The old and now increasingly deprecated internet "be forgiving in what you accept"
17:31 <@gmaxwell> HM: If C++, it would really properly be a subset. it shouldn't use STL containers. Their _exact_ visible behavior is not defined.
17:31 <@gmaxwell> (or at least it would have to be very careful in how they were used)
17:32 <@gmaxwell> Basically it can't use implementation defined behavior. In C I know how to do this, I'm sure it's possible in C++ but I don't personally know how.
17:32 < HM> the STL containers let you use custom allocators
17:33 < HM> i'm not sure what in particular you're worried about
17:34 <@sipa> gmaxwell: you could copy the STL headers into the project if you're really worried :)
17:34 <@sipa> they're not system dependent
17:34 <@gmaxwell> sipa: good luck getting them to compile with any random compiler! :P
17:35 <@sipa> gmaxwell: obviously you copy g++'s source code into the project as well :p
17:35 <@sipa> and the linux source code
17:35 <@sipa> and the design docs of your CPU.... oh wait
17:35 < HM> SeaBIOS for open bios
17:35 < HM> then run the whole thing in a virtual machine
17:35 <@gmaxwell> But yea, there you go
 limitations on my C++ clue. I'm sure there are ways to avoid implementation defined behavior (avoiding implementation bugs perhaps trickier
 in C the compilers are now tested against random ASTs for agreement among implementations, including implementations like CompCert)
17:36 <@gmaxwell> sipa: if the compiler isn't buggy then your exposure is just malloc and disk io not working.
17:36 < HM> malloc isn't reliable
17:36 <@gmaxwell> But there is a _big_ difference between bug and implementation defined behavior.
17:36 < HM> Linux will happily allocate more memory than you have
17:36 <@gmaxwell> HM: sure it is. It is always successful. And if it fails you reboot. :P Have you not done embedded system design?
17:37 < HM> oh right, that's how it's done
17:39 < HM> this is boned
17:39 < HM> i'm running 50 copies of a client binary to test a server's fairness
17:39 <@sipa> hmm, how hard would it be to make bitcoin depend on GMP?
17:39 < HM> the clients are quitting after 1 minute
17:39 <@sipa> it's LGPL
17:41 < HM> LGPL is fine?
17:41 <@sipa> first check why they get such good performance, maybe a similar algorithm can be implemented directly
17:41 < HM> one instance takes 7 seconds, 100,000 iterations
17:41 <@sipa> but 160us -> 130us is pretty significant...
17:41 < HM> 50 instances seem to finish in 1 minute...
17:42 < nanotube> <gmaxwell> The old and now increasingly deprecated internet "be forgiving in what you accept" <- yea, that always struck me as introducing some perverse incentives. :)
18:05 <@gmaxwell> nanotube: it's widely considered to be a bad idea now in many circles, esp anywhere in remote proximity to HTML.
18:06 <@gmaxwell> in IETF meetings people will say something like that and then get called out "no, we used to think that. And now we know we were stupid."
18:06 <@gmaxwell> inexactness means you need a faithful emulation of every set of possible bug permutations, rather than just exact emulation of the bugs in the standard. :P
18:09 <@gmaxwell> 14:32 < HM> the STL containers let you use custom allocators
18:10 <@gmaxwell> Because they have exposed non-normative (implementation defined) behavior.
18:11 <@gmaxwell> conformant software could be written which can detect which STL implementation it uses. Which means if they are used care must be taken to make sure none of that behavior leaks into the externally visible behavior of the system.
18:21 < HM> why is this a problem for a blockchain server
18:21 < HM> i'd rather have a system faulty and fault tolerant than something coded for the space shuttle but written like it's the 70s
18:26 < HM> i agree generally on external libraries though
18:33 < midnightmagic> be forgiving in what you accept implies that imperfectly-specified standards (even SUSv3 has endless argument around it requiring clarification notes from Austin group) don't force everyone else to conform to your interpretations.
18:34 < midnightmagic> it's not particularly evil to allow something outside your state machine to come in, and discard it, it promotes interoperability.
18:34 < midnightmagic> HTML is something else.
18:35 < nanotube> <b>what you <i>say</b> about html?</i> :)
18:41  * nanotube suspects that the badly formed html just killed everybody's clients. or brains. >_>
18:44  * sipa reboots
18:45 < HM> be forgiving in what you accept
18:46 < HM> or whatever the correct quote is, merely means accepting the reality of imperfect implementations
18:47 < HM> imagine if a bitcoin implementation had a bug in it that was subtle and hard to discover
18:47 < HM> and 50% of the network began using that implementation
18:47 < HM> if you're overly strict and just exit when that bug is detected half your network vanishes
18:47 < HM> sometimes limping on, when it doesn't damage integrity, is just better
18:49 < nanotube> HM: missing a step there. before it gets to 50%, the first guy who uses it and realizes nobody is seeing his transactions, will report the bug if everyone is strict.
18:49 < nanotube> it'll only get to 50% if everyone is not strict
18:50 < nanotube> but i guess if bug only happens very rarely... it's possible.
18:51 < HM> *exit or disconnect
18:51 < nanotube> but then i don't know if it's actually better to accept some invalid transactions just because 50% of the network is using a buggy implementation that thinks it's valid.
18:53 < nanotube> probably best to respond with some error msg, rather than quietly disconnecting
18:55 < HM> it depends on the bug
18:55 < HM> i mean with bitcoin you could be talking about crippling an economy
18:55 < HM> bad software gets widely used, this is an unavoidable fact
18:56 < HM> users are slow to patch and upgrade
18:56 < HM> being liberal in what you accept just makes life easier
18:57 < HM> i don't know who came up with the original phrase, or what they were referring to, but i always take it to mean tests should focus on output as well as input
18:57 <@sipa> HM: that problem is one we'd have today if one implementation uses openssl and another uses something else
18:57 <@sipa> and they are compatible for every use that exists in the chain
18:57 <@sipa> but there is one weird corner case, that nobody knows about, which openssl accepts and another implementation doesn't
18:59 < HM> what is that?
21:11  * sipa just corrected a bug in an algorithm on wikipedia!
21:22 < HM> lol which one?
21:22 < HM> the sad thing is i probably learned it from it
21:23 <@sipa> http://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#wNAF_method
21:30 < HM> no Monty Ladder?
21:32 <@sipa> no need for a constant-time algorithm when verifying
21:33 < HM> true
22:10 <@sipa> 126us \o/
--- Log closed Mon Mar 11 00:00:49 2013
--- Log opened Mon Mar 11 00:00:49 2013
18:31  * sipa validates the main chain using his own ECDSA implementation
18:33 < HM> >)
18:33 < HM> are you profiling ?
18:34 < sipa> i'm using -benchmark to measure validation speed
18:35 < sipa> seems my CPU can do some 20k validations per second
18:35 < sipa> but it's only the beginning of the chain, so not too much parallelism possible yet
18:35 < sipa> oh, validation failed
18:37 < sipa> ok, just a failed signature parsing
18:37 < HM> :}
18:37 < sipa> see, i warned you about bug-for-bug conformance!
18:39 < HM> i haven't even got around to bootstrapping Bitcoin Wallet on my phone yet
18:55 < sipa> anyway, apparently one more usage of non-canonical sigs that even exists in the chain, that i wasn't aware was allowed
18:57 < HM> how different can they be?
18:58 < sipa> the 'errors' i knew about: negative R or S values (they're just interpreted as unsigned), values with excessive 0 padding in front
18:59 < sipa> the one in block 135105 that i didn't know: an extra 0 byte at the end, without increasing the length descriptors
18:59 < sipa> so just a valid sig, with a 0 byte appended to it
18:59 < HM> right, well ignoring length is definitely a bug
23:40 < gmaxwell> (the coinswap is simpler from a protocol perspective because you just prove this relation externally to me, then we can just make parallel hashlocked payments knowing that one will reveal the other without a public linkage.
--- Log closed Sat Jan 11 00:00:25 2014
--- Log opened Sat Jan 11 00:00:25 2014
01:00 < shesek> gmaxwell, oh, that's very interesting! hashlocked transactions always seemed like a great solution if we could get rid of the link it creates on the blockchain
01:01 < shesek> 40mb isn't ideal, but isn't too awful either given that it's exchanged privately between two users and shouldn't be done too often
01:17 < shesek> the transactions would look somewhat unique if it's used as the primary transaction method and not just as a fallback in case of cheating, though I don't know how much of a problem that is if it's commonly used
01:56 < Guest85612> ethereum discussion on the front page of HN : https://news.ycombinator.com/item?id=7041628
02:06 < justanotheruser> maaku: do they have some prevention from people making infinite loops?
02:06 < justanotheruser> If I wanted to attack the currency I would just mine an infinite loop into the blockchain
02:13 < gmaxwell> shesek: oh well there is another way to eliminate the link, but the protocol has a number of steps, which in practice results in a lot of engineering trouble.
02:13 < gmaxwell> shesek: https://bitcointalk.org/index.php?topic=321228.0
02:14 < shesek> with coinswap and 4 transactions?
02:14 < gmaxwell> okay so you'd seen it then, yea. It would work but the state machine required to actually do it
 while easy to chart is a real pita.
02:14 < shesek> yeah, I know, but this is a much more elegant solution
02:15 < shesek> though, as I mentioned above, being somewhat identifiable as transactions meant for that purpose is somewhat problematic until this is commonly used
02:16 < shesek> if there are only two transactions in a whole day that use hashlocked transactions it's quite easy to link them together
02:17 < shesek> maaku, too bad it's down though
02:18 < shesek> someone from HN posted it to pastebin: http://pastebin.com/NCGRv74u
02:21 < shesek> oh, seems like it was published for some time now... I didn't hear of it until now
02:25 < gmaxwell> shesek: you need to review the coinswap page.
02:25 < gmaxwell> shesek: the innovation there is that if the transaction goes through successfully the public never sees the hashlock (!), it looks like a set of multisignature transactions.
02:26 < shesek> are you talking about coinswap or the new idea you had?
02:26 < gmaxwell> (2 of 2 at a minimum, but no reason that you couldn't throw in a garbage pubkey and make them 2 of 3s to be less irregular)
02:26 < gmaxwell> shesek: coinswap.
02:26 < gmaxwell> but that cost is that the protocol has a bunch of stages.
02:26 < shesek> that "they look unique which can link them" was referring to your idea posted here, not to coinswap
02:26 < gmaxwell> oh! okay yea.
02:27 < gmaxwell> Well you could perform the same transform to this, but then you lose the fact that its simpler. :P
02:27 < gmaxwell> in any case, lots of uses for hashlocked transactions. so perhaps they'll be common at some point.
02:30 < shesek> yeah, lots of interesting uses for them. I even have something for atomic exchange between altcoins (I think that was your idea originally?) lying around somewhere on my harddrive, though in a very very early stage
02:31 < shesek> it's possible to spread out the transactions over a random period of a few days to weeks, which should help until they're more commonplace
02:31 < gmaxwell> yea, I'd proposed the non-private version of that pattern for exactly that purpose.
02:32 < shesek> (^ is regarding the transactions being unique)
02:34 < justanotheruser> gmaxwell: regarding our proof of stake discussion yesterday, how do I prevent a miner from paying tx fees to themself and using the new UTXO as their proof? Should I require them to use a time lock on their bitcoin payment with a tx fee?
02:51 < shesek> gmaxwell, btw, I'm not really familiar with the current solutions for keeping other participants from linking your input/output in coinjoin, but I was thinking about a tor-like onion encryption to pass messages around, where you would onion-encrypt it with N participants, exposing the input and output at different "peel levels"
02:51 < shesek> does something like that make sense?
02:52 < shesek> I assume it was probably already solved in some more elegant way, I should probably read some more about how coinjoin should work
13:50 < gmaxwell> andytoshi: mostly I think a reduction in failed signings is worth it, and if the tool itself were misbehaving you're likely screwed.
13:52 < andytoshi> gmaxwell: agreed
13:52 < andytoshi> i wish i didn't need to demand a wallet passphrase in a program that is openly communicating with my server
13:52 < andytoshi> the optics are terrible
14:22 < jgarzik> Bitcoin blockchain torrent updated, 70% of previous bootstrap.dat is re-used.  https://bitcointalk.org/index.php?topic=145386.0
14:46 < _ingsoc> Does anyone know if Vitalik Buterin hangs out on Freenode?
15:37 < wyager> So who's read the ethereum whitepaper?
15:38 < wyager> It's very interesting, but I think it might prove very difficult to manage
15:57 < maaku> wyager: incentives for computation is wrong
15:57 < wyager> How so? I'm not particularly enamored with the incentive model, but I thought it seemed OK
15:57 < maaku> there's no point in paying miners fees for computation, when the miners are not doing the computation
15:58 < wyager> Aren't they?
15:58 < maaku> no
15:58 < maaku> validating nodes are
15:58 < maaku> most miners are not validating nodes
15:58 < justanotheruser1> everyone's doing the computation, only the miners are getting paid right
15:58 < maaku> and worse, they are getting paid proportional to hash power
15:58 < maaku> which has nothing to do with the computation
15:58 < wyager> So when a program broadcasts a transaction, every single validating node broadcasts the transaction?
15:59 < justanotheruser1> maaku: why wouldn't the miners be validating nodes? If they had something invalid in their block it would get rejected right?
15:59 < maaku> *every single validating node computes the transaction
15:59 < maaku> justanotheruser: no, nearly all miners use pools
15:59 < wyager> What about when, during the course of a contract/program executing, it sends a transaction? Does that happen like a real person/bot sending a transaction?
15:59 < maaku> and a pool only needs to run a single validating node
16:00 < justanotheruser> maaku: oh, I see what you're saying
16:00 < maaku> e.g. GHash.io and BTC Guild each only need to run one validating node
16:00 < maaku> and yet they together get more than 50% of the reward
16:01 < maaku> and the thousands of people running validating nodes for non-mining purposes get nothing
16:01 < maaku> (but still have to run the computation)
16:01 < wyager> OK, but I guess that still makes some sense if the point is simply to prevent logic bombs rather than to compensate the people running the contracts
16:02 < justanotheruser> I wish there was a way to reward validating nodes. But I don't think there is without risky sybil
16:03 < maaku> the best approach is to make it truly cheap to run validating nodes
16:03 < maaku> and/or make it so they are not required
16:03 < justanotheruser> maaku: what do you mean "make it so they are not required"? Wouldn't them not validating make them not validating nodes?
16:05 < maaku> make it so that whatever application you needed a validating node for, you don't anymore
16:05 < maaku> e.g. because you have a succinct proof of validation (so you don't need to validate it yourself)
16:07 < justanotheruser> ok
17:15 < gmaxwell> so, actually implemented my ZKP,  a proof of sha256 is 47mbytes.
17:16 < gmaxwell> (for ~123 bit security)
17:18 < gmaxwell> and validation requires about 1 million EC multiplies with the generator and about 4 million hash operations.
17:20 < sipa> that's a proof for "i have some input you don't know, which hashes to X" ?
17:24 < gmaxwell> Yes
17:24 < gmaxwell> basically it's just the cost of running SHA256 under my NIZK proof system.  So not just "I have" but any trivial operation along with it. Like "X is the hash of something that begins with 'sipa'" would have the same cost.
17:24 < gmaxwell> or for 2x that cost I can do my "Z is the xor of the preimage for hashes X and Y"
17:25 < gmaxwell> now I should go see if ripemd160 can be done with fewer gates.
17:33 < andytoshi> this is really exciting, thanks for doing this work gmaxwell
17:35 < petertodd> gmaxwell: +1
17:36 < sipa> indeed, very nice to see some things actually being done
17:36 < sipa> instead of the mostly talk here :p
17:40 < justanotheruser> gmaxwell: Is this related to SNARK?
17:44 < andytoshi> more of a NARK :P
--- Log closed Sun Jan 12 00:00:35 2014
--- Log opened Sun Jan 12 00:00:35 2014
14:48 < michagogo|cloud> Hmm, remember how I replayed the Bitcoin blockchain onto an altcoin from coingen that used Bitcoin's genesis block and parameters?
14:49 < michagogo|cloud> Looking at the log, I don't think the blocks made it to the other peers...
14:49 < sipa> yes
14:49 < sipa> oh?
14:49 < shesek> michagogo|cloud, how come?
14:49 < michagogo|cloud> I don't know
14:50 < shesek> perhaps there weren't any other peers? :P
14:50 < michagogo|cloud> But the version messages carry the normal block height
14:50 < shesek> were you connected to nodes?
14:50 < sipa> maybe you just OOM'ed the node you sent it to, when it tried to reorg?
14:50 < michagogo|cloud> Idk
14:50 < michagogo|cloud> Looking at the logs, I don't see a couple hundred thousand getdatas...
14:55 < michagogo|cloud> There are all the 2014-01-09 06:21:10 ThreadRPCServer method=submitblock
14:55 < michagogo|cloud> 2014-01-09 06:21:10 SetBestChain:
14:55 < michagogo|cloud> 2014-01-09 06:21:10 ProcessBlock: ACCEPTED
00:09 < petertodd> no, that can't be it: "0", "IF 0xba ELSE 1 ENDIF", "opcodes above NOP10 invalid if executed"
00:09 < petertodd> er, I mean: ["0", "IF 0xba ELSE 1 ENDIF", "opcodes above NOP10 invalid if executed"],
00:10 < gmaxwell> if your ass is handed to you, don't just fix one thing at a time, go back and carefully check whole areas.
00:10 < petertodd> I added tests for every single invalid opcode months ago back when I got provably unspendable standardized
00:10 < petertodd> yeah, good way to do it
00:10 < petertodd> but not what businesses want to hear...
00:10 < gmaxwell> petertodd: seems they didn't open an issue. maybe they went and found out that they'd since been added.
00:11 < gmaxwell> well, I'm unsure of what their business is.
00:11 < gmaxwell> My best guess is that they're being paid by some wealthy bitcoin entity as a hedge against ecosystem monoculture.
00:11 < gmaxwell> (but that's 90% speculation and 10% a result of discussion with them)
00:11 < maaku> gmaxwell: i talked to them for 45min over lunch at the conference, and walked away still not knowing what their business is
00:12 < petertodd> hmm... last change to the script unittests was when I documented some OP_RESERVED weirdness, aug 25th
00:12 < gmaxwell> maaku: okay you had a similar experience to me then, I basically got the impression that I was being lied to because they didn't want to disclose it.
00:12 < maaku> but that's a better theory than anything i came up with
00:12 < gmaxwell> and from that I was speculating beyond there.
00:12 < petertodd> gmaxwell: ha, a hedge against monoculture by making something vulnerable, lovely
00:12 < phantomcircuit> gmaxwell, my guess is they're being paid by a wealthy bitcoin person who is a fool
00:12 < petertodd> gmaxwell: sounds like they're as misguided as amir is
00:13 < petertodd> gmaxwell: and gavin last I heard from him
00:13 < gmaxwell> petertodd: well, as I said, I think they're doing more effort to be compatible than most alt implementations.
00:13 < gmaxwell> not enough,  obviously. And they've replaced real compatibility with slavish duplication of bitcoind. (well, could be worse)
00:14 < petertodd> this type of stuff is why fraud proofs are going to be great fun :(
00:14 < gmaxwell> but I'm not quite able to tell how much they understand, they're too quick to agree with me.
00:15 < petertodd> tell them some pure BS and see if they challenge you on it :P
00:15 < Luke-Jr> who is "they"? O.o
00:15 < gmaxwell> well, I don't really gain anything from knowing that they're dangerous. Since they're dangerous anyways just because all alt implementations have some danger.
00:15 < gmaxwell> Luke-Jr: conformal
00:16 < gmaxwell> latest fun with them is that their pure go crypto is excruciatingly slow, even compared to openssl.  "Don't worry, checkpoints!"
00:16 < petertodd> we need a market so we can short alt-implementations, maybe do a prediction market on it
00:16 < petertodd> god help us...
00:16 < gmaxwell> they're also doing some really insane stuff to work around their decision to use sqlite.
00:16 < petertodd> ha
00:17 < gmaxwell> E.g. they constantly rewrite indexes because inserts with the index are too slow.
00:17 < petertodd> sheesh
00:17 < gmaxwell> So they batch up a bunch of changes then drop the index and add them then recreate the index.
00:18 < Luke-Jr> lol
00:18 < petertodd> if the large-block crowd get their way it'll be fun watching implementations explode due to performance fuckups
00:18 < gmaxwell> I wouldn't be surprised if this implementation couldn't keep up with 1mb blocksize, in fact.
00:18 < phantomcircuit> gmaxwell, that's actually a very common thing to do with sqlite
00:18 < gmaxwell> It's slow enough that this is a concern.
00:18 < gmaxwell> phantomcircuit: I know but that doesn't make it a good idea!
00:19 < gmaxwell> right now it works because the utxo set only has a few million entries.
00:19 < phantomcircuit> sqlite indexes don't include the WAL portion until it's flushed
00:19 < maaku> sqlite? seriously? *shudder*
00:19 < phantomcircuit> yeah sqlite is not designed to be fast
00:19 < phantomcircuit> their stated goal is to replace flat files
00:19 < gmaxwell> one of their blog posts goes on extolling its virtues.
00:19 < phantomcircuit> for like config files
00:20 < Luke-Jr> ew
00:20 < Luke-Jr> who'd want a binary format for configs?
00:20 < Luke-Jr> even XML is better
00:20 < maaku> ugh
00:20 < phantomcircuit> Luke-Jr, well compared to the binary files that lots of stuff uses it's an upgrade
00:20 < gmaxwell> in any case, we need to get off our asses and fix a lot of stupid sharp corners with the reference software if we don't want things like this to be a problem for the ecosystem. ("oh no, you can't implement new feature X because implementation Y is slow as shit!")
00:20 < phantomcircuit> like firefox used to use a custom binary format for everything
00:20 < gmaxwell> (or worse, "because we depend on implementation Y and no one is maintaining it now.")
00:20 < phantomcircuit> which they replaced with sqlite3 files
00:21 < petertodd> gmaxwell: well IMO the right thing to do is just run your services behind trusted ref implementation nodes
00:21 < petertodd> gmaxwell: trust the ref implementation and do no verification at all
00:21 < phantomcircuit> gmaxwell, it would be very helpful for alt implementations if the rules were split up into network/soft/antiddos
00:22 < gmaxwell> so crap like bitcoind + wallet separation, spv bootstrap, initial sync time, watching wallets, coin control, etc. all need to get fixed, because they're all really easy to fix in a crappy greenfield implementation.
00:22 < gmaxwell> we're fortunate that btcd copied as many of bitcoind's design flaws as it did. :P
00:23 < gmaxwell> (I mean, lucky in that if they'd made it moderately better in user facing ways but did so without commitment to network consistency, or performance, it might be bad for the network)
00:23 < maaku> sqlite actually would be better than bdb for the wallet...
00:23 < petertodd> gmaxwell: ok, so add SPV and partial UTXO modes to bitcoind, and leave it at that
00:23 < gmaxwell> maaku: yea, probably. BDB, for all its warts, actually got a lot of things right though.
00:23 < jgarzik> maaku, I'm suspicious of that claim
00:23 < petertodd> gmaxwell: make sure it continues to be useful for miners
00:23 < jgarzik> maaku, sqlite is SQL on top of a lower level BDB-like system
00:24 < jgarzik> what do you think sqlite indexes are?
00:24 < maaku> jgarzik: i mean better than locking wallets to a specific (outdated and large) bdb version
00:24 < jgarzik> Using SQL would move some intelligence out of the client and into the database layer
00:24 < maaku> and better debugging support
00:25 < phantomcircuit> sqlite3 isn't safe really
00:25 < maaku> (sqlite executable would replace pywallet)
00:25 < jgarzik> maaku, by locking to sqlite3 instead?
00:25 < jgarzik> six of one, half-dozen of the other
00:25 < phantomcircuit> maaku, i've had sqlite corrupt databases entirely on more than one occasion without any obvious reason
00:27 < petertodd> IMO the wallet should be designed such that the core of it can be a strictly append-only file
00:27 < jgarzik> petertodd, yes, that has been said many times on #bitcoin-dev
00:28 < petertodd> sure, have indexes for speed, but there should be some part of it that can literally be set to append-only in the filesystem flags
00:28 < jgarzik> petertodd, even a rough sketch of append-only by sipa and myself was discussed
00:28 < petertodd> jgarzik: I know, that's why I'm bringing it up :P
00:29 < jgarzik> one problem is appending in block-aligned sizes
00:29 < petertodd> jgarzik: you mean re: partial writes at the device level?
00:30 < maaku> jgarzik: why does that matter, assuming you are checksumming appends?
00:34 < gmaxwell> because losing the last N appends kinda stinks. .. though with misdirected writes and eraseblock relocation screwups becoming common now with ssds... I dunno how important HDD durability models matter anymore.
00:35  * maaku smells a grad student project for someone with academic connections
00:35 < petertodd> maaku: you mean someone with industry connections to figure out what the !@#$ hardware is doing? :P
00:37 < maaku> heh
00:37 < maaku> i'm not sure industry would really know better
00:37 < maaku> not institutionally at least
00:37 < gmaxwell> my thought was if we're going to a deterministic wallet thing, we should just splat out 64 bits of the master public key with every @#$@# write to the file... so recovering any few kilobytes of it is enough to at least recover your @#$#@$ private keys.
00:38 < maaku> you'd have to find the engineer that actually debugs these bizarre failure modes
00:38 < gmaxwell> er s/master public/master private/
00:38 < gmaxwell> you assume they debug them. I assume they just replace the product. Time to market!
00:38 < maaku> gmaxwell: some customers get the special treatment
00:39 < petertodd> maaku: the nice thing is there are very few suppliers out there who actually do this stuff, so you'd only need a dozen contacts to cover it all
00:39 < maaku> i know someone who does basically the same thing for HP, debugging weird NonStop errors for clients like air traffic control and NASDAQ
00:40 < petertodd> maaku: half a dozen is probably good enough for 90% of the storage devices out there
00:40 < maaku> but most of the problems he solves are introduced by HP because HP engineers have no idea how the hardware failure modes really work...
00:40 < jgarzik> gmaxwell, maaku: it matters for both hardware and kernel reasons.  Kernel really really likes page-based I/O, and you wind up with atomicity of pages at multiple levels.  Applications crossing page boundaries or updating a single page multiple times can cause corruption.  Also, for hardware, you want sector-aligned -- usually page-aligned gets you that for free.  As gmaxwell points out, this matters less on SSD, but in some ways it is stil
04:22 < gmaxwell> there is no good infrastructure for delayed non-selective disclosure.
04:22 < gmaxwell> which is actually what you'd want there.
08:46 < HM3> lol at least the forum hack had a sense of grandeur
10:13 < jgarzik> http://thegenesisblock.com/analysis-silk-roads-historical-impact-bitcoin/
10:13 < jgarzik> Correlates various SR events with bitcoin price charts
13:40 < midnightmagic> jgarzik: Hah! I've been right all along!
13:41 < midnightmagic> <-- is getting major ego boosts from confirmation of years-long assertions.
--- Log closed Fri Oct 04 00:00:40 2013
--- Log opened Fri Oct 04 00:00:40 2013
--- Log closed Sat Oct 05 00:00:42 2013
--- Log opened Sat Oct 05 00:00:42 2013
17:13 < HM3> wow a bitcoin full-node daemon written in Go
19:07 < warren> anyone familiar with entropy sources available to the linux kernel?  I'm configuring the new bitcointalk.org server and need to feed more entropy into the VM...
19:07 < K1773R> warren: HD IO increases it, otherwise you have to use a TRNG as seed
19:07 < jgarzik> warren, you're running rngd?
19:08 < warren> jgarzik: 16 core xeon server seems to lack intel hardware rng ...
19:08 < warren> not sure what kind of hardware this is
19:08 < warren> Starting rngd: can't open entropy source(tpm or intel/amd rng)
19:08 < warren> Maybe RNG device modules are not loaded
19:08 < warren>								   [FAILED]
19:08 < jgarzik> warren, TPM RNG works too
19:08 < jgarzik> warren, also, check for unused video or audio hardware (audio-entropyd, ...)
19:08 < jgarzik> bbiab
19:09 < warren> hm
19:09 < warren> jgarzik: virtio-rng.ko is only for inside guests right?
19:17 < warren> no TPM, no hw rng, no audio or video input available
19:17 < jgarzik> warren, correct, virtio-rng only for guests
19:17 < jgarzik> warren, can you PM (or just show) a pastebin of lspci?
19:18 < warren> http://pastebin.com/5XQhL36B
19:20 < K1773R> warren: http://www.vanheusden.com/te/
19:20 < jgarzik> warren, is video connected to anything, like a KVM?
19:21 < K1773R> warren: ^ always works
19:21 < warren> jgarzik: right now yes, but it will be removed I think
19:23 < warren> jgarzik: is the video usable as rng with or without something plugged in?
19:24 < jgarzik> warren, probably
19:24 < warren> jgarzik: it has KVM and it will remain forever
19:25 < jgarzik> warren, might have a second port unused, etc.
19:26 < gmaxwell> warren: http://www.issihosts.com/haveged/
19:26  * jgarzik reconsiders
19:26 < jgarzik> all this is pointless.  Spend BTC on bitcoinstore.com and buy an entropy device ;p
19:27 < jgarzik> tell people to plug it in
19:27 < gmaxwell> the entropy keys are not available anymore.
19:27 < gmaxwell> :(
19:27 < gmaxwell> (they'll take your order but have no idea when they'll ship them)
19:28 < warren> http://www.vanheusden.com/ved/ hmm?
19:31 < warren> oh, video4linux =(
19:31  * warren tries haveged and te
19:31 < gmaxwell> haveged works very well, and the high and low watermark keep it doing the right thing... of course perhaps its randomness is garbage.
19:32 < warren> it works well, just it might not be good? =)
19:32 < gmaxwell> The software behaves well: runs as much as it needs to, keeps the kernel filled to at least the low watermark, etc.
19:32 < gmaxwell> but I provide no certification on the quality of its randomness. :P
19:36 < K1773R> warren: did you check http://www.vanheusden.com/te/ ?
19:36 < K1773R> gmaxwell: are we talking about simtec's product?
19:38 < warren> K1773R: I did, but haveged was available as a package and it got gmaxwell's non-endorsement, so ... easy
19:39 < gmaxwell> K1773R: http://www.vanheusden.com/te/ is yuck compared to haveged just due to entropy pool management.
19:39 < K1773R> gmaxwell: ACK
19:39 < K1773R> didn't know about haveged
19:39  * warren trying to figure out virtio-rng ...
19:40 < gmaxwell> haveged addresses the fact that the kernel's pool is too darn small... it pregenerates like 1mbyte of randomness, and then will track how full the pool is and feed in at a measured pace.
19:41 < gmaxwell> Everything else just dumps a bunch on the pool at once and thus doesn't get credited... which matters if you care about keeping /dev/random from blocking.
19:42 < K1773R> wow haveged is awesome :)
19:42 < warren> aside from not "perhaps its randomness is garbage" part
19:42 < gmaxwell> yea, just don't read the code. (I contemplated integrating it into bitcoind and managed to not choke on the resulting vomit)
19:45 < gmaxwell> warren: well, it passes tests at least...
19:46 < K1773R> i ordered some of these http://www.entropykey.co.uk/ almost a year ago, didn't get mine yet :(
19:46 < gmaxwell> K1773R: yea. :(
19:47 < warren> heh, bitcoin uses a screenshot?  amusing.
19:50 < gmaxwell> yea, in windows.
19:53 < K1773R> gmaxwell: can you recommend http://www.vanheusden.com/ved/ ?
19:55 < warren> K1773R: I'm amused that the thing he recommended had praise of "managed to not choke on the resulting vomit".
19:56 < gmaxwell> K1773R: I looked at it before and concluded its entropy estimation was bunk. Running it couldn't be harmful however. (likewise with their audio one)
19:56 < gmaxwell> warren: there are lots of ways software can be good/bad.
19:56 < gmaxwell> Go look at the haveged source code, it's an engineering disaster of crazy C macro abuse.  But its handling of the kernel is excellent.
19:57 < gmaxwell> But I wouldn't recommend it as the only entropy source for a high security application because I'm unconvinced that their cache timing stuff is actually all that random... and not just deterministic based on some really complicated cpu-internal state.
19:58 < gmaxwell> but I use it on my hosts that have randomness supply issues.
19:58 < gmaxwell> it's good just for its management of the too small kernel pool.
19:58 < gmaxwell> (changing the kernel pool size requires patching and recompiling, ... kinda cruddy if you want to stay with a distro kernel)
19:59 < K1773R> yea, should be a kernel option...
19:59 < warren> wget http://reddit.com/r/somewhere and pipe to rngd.  Random garbage source.
19:59 < gmaxwell> it was a proc settable thing until there was some bug related to it
20:00 < K1773R> warren: lol
20:00 < gmaxwell> warren: yea, totally secure against someone with no access to reddit. :P
20:00 < gmaxwell> might as well "echo "my scheme is to run a cron that curl http://reddit.com/r/somewhere into /dev/random" > /dev/random"  :P
20:13 < warren> jgarzik: https://fedoraproject.org/wiki/Features/Virtio_RNG
20:14 < warren> jgarzik: dang, sounds like RHEL6's libvirt doesn't actually know how to launch qemu with the virtio-rng-pci thing
20:25 < midnightmagic> so awesome: https://www.usenix.org/conference/woot13/page-fault-weird-machine-lessons-instruction-less-computation
20:32 < warren> jgarzik: my mistake, I see RHEL6 updated its libvirt!
23:38 < sipa> haveged ftw
--- Log closed Sun Oct 06 00:00:44 2013
--- Log opened Sun Oct 06 00:00:44 2013
--- Log closed Mon Oct 07 00:00:47 2013
--- Log opened Mon Oct 07 00:00:47 2013
17:32 < maaku> so, wizards: how worth it would it be to have a validation index structure that supports transitive/commutative updates?
17:32 < maaku> (U -> A) & (U -> B) -> (U -> AB)
17:35 < gmaxwell> it's certainly worth it if it has ~no cost. I think our conclusion before is that it prevents you from doing level compression, which for index on txid's is fine, because level compression buys you very little there.
17:37 < maaku> It doesn't affect level compression on disk, just the number of hash operations.
17:39 < maaku> A proof right now would be about ~40 SHA-256 blocks; removing level compression of hashes would bump that up to about 290 SHA-256 blocks - so *a lot* more CPU time
17:40 < maaku> but my suspicion is that even without sha256 cpu instructions the database is still going to be the bottleneck...
17:41 < maaku> of course those hashes would be eating away at cpu/gpu resources used for ecdsa validation
17:55 < maaku> i guess benchmarking is the only real answer here
18:02 < gmaxwell> sha256 is stupidly fast even without cpu help.
18:02 < gmaxwell> 1us per operation or whatever.
--- Log closed Tue Oct 08 00:00:50 2013
--- Log opened Tue Oct 08 00:00:50 2013
--- Log closed Wed Oct 09 00:00:53 2013
--- Log opened Wed Oct 09 00:00:53 2013
--- Log closed Thu Oct 10 00:00:57 2013
--- Log opened Thu Oct 10 00:00:57 2013
02:35 < Luke-Jr> ok, so the BitShares guys said this isn't a secret..:
02:35 < Luke-Jr> memory-hard PoW using the birthday problem
02:36 < Luke-Jr> finding a solution can use GBs of RAM, yet verification is cheap
02:36 < Luke-Jr> thoughts? :p
02:38 < warren> Luke-Jr: time to start your own scam coin!
02:39 < gmaxwell> Luke-Jr: Not a new idea, I think (pollard-rho POW on my alt ideas has that property), I think.  But it has a time memory tradeoff so you don't have to be any particular amount of memory hard
02:39 < gmaxwell> e.g. you can halve your memory and just search 2x more points.
02:40 < gmaxwell> e.g. say you're trying to find two values with the same initial 32 bits.  You decide in advance that you're only going to consider solutions that begin with a 0 bit.
02:41 < gmaxwell> Now you will have to check 2x more values, but you only need half the memory.
02:42 < warren> at some level of TMTO it becomes faster due to memory bandwidth?
02:43 < Luke-Jr> gmaxwell: isn't it exponentially faster the more memory you commit to it?
02:48 < gmaxwell> Luke-Jr: no, alas. Man wikipedia sucks.
02:48 < gmaxwell> lemme find you an actually informative citation
02:49 < gmaxwell> Here: http://eprint.iacr.org/2012/731.pdf
02:49 < Luke-Jr> XD
02:50 < gmaxwell> (for some reason WP doesn't describe pollard rho as applied to general memoryless collision search)
02:51 < Luke-Jr> hmm
02:51 < sipa> perhaps improve it then? :p
02:51 < Luke-Jr> Wikipedia is improvement-resistant. :p (but doesn't hurt to try I guess)
02:51 < Luke-Jr> gmaxwell: I wonder whether memoryless ASIC would be much faster than memory-as-ASIC in this case
14:18 < gmaxwell> MoALTz: refunding doesn't work because it may not be the in-kind miners block who ultimately has the transaction
14:18 < gmaxwell> (consider reorgs)
14:48 < adam3us> gmaxwell: "well I don't mind create two different signatures the signers could always create infinite more." well it's a little different - if the user's client created two signatures, maybe he has it in his state, but if a third party can then create a third signature algebraically from the two signatures that would be yet one more thing to watch out for, eg what if your computer crashes part way, and the signature is recalculated but the message
14:49 < adam3us> not that i so far see a way to do even that somewhat contrived mutability
14:52 < gmaxwell> adam3us: It's true, but that's just yet another argument to use derandomized DSA.
14:52 < adam3us> absolutely :)
15:01 < gmaxwell> (2r,2^-1s) doesn't appear to work.
15:03 < gmaxwell> (obviously that doesn't mean that no such issue exists, but at least the simplest possible attempt didn't work)
15:05 < gmaxwell> e.g. in sage, http://0bin.net/paste/tGoT890fHgUhmhxT#YvA84LJPZQBrCNSP3msD0NM1m2lK2iFE5PyzDWMyzv0=
15:06 < adam3us> no that was broken there is an r in the s calculation s=k^-1(H(m)+rd)
15:06 < adam3us> so can correct k, but not r so far
15:08 < amiller> apparently there will be a dedicated Bitcoin workshop at the Financial Cryptography conference next year
15:08 < amiller> they'll accept papers by november 24
15:09 < amiller> nicolas cristin is the leader of it
15:09 < amiller> that's pretty cool, it's about time, and also that's a good venue
16:37 < adam3us> re manipulation of r,s other than r,-s this way of expressing the sig verification process looks more plausibly malleable than the s definition (r,s)r=([kG]x, k^-1(H(m)+rd) might suggest
16:38 < adam3us> k=s^-1*r*Q - s^-1*H(m)*G
16:39 < adam3us> sorry kG = s^-1*r*Q - s^-1*H(m)*G
16:40 < adam3us> or r = s^-1(r*Q - h(m)*G)
16:40 < sipa> .x
16:41 < adam3us> r.x yes
16:41 < sipa> well, no, but i see what you mean :)
16:41 < sipa> r = ... .x
16:41 < adam3us> ok;)
16:45 < adam3us> which can also be written rs = rQ-H(m)G
17:13 < gmaxwell> r = s^-1(r*Q - h(m)*G) < with r on both sides of the equation this makes it sort of hard to changes S to solve for r
17:20 < sipa> r = (r/s*Q - h*G).x
17:21 < sipa> R = R.x/s*Q - h*G
17:22 < sipa> oh
17:22 < sipa> R = (R.x*Q - h*G)/s
17:41 < gmaxwell> (you lost me on the Q, unless its the order, but I don't follow that)
17:47 < sipa> Q is the public key
17:48 < sipa> the tricky thing is that R is both used as an EC point, and its x coordinate as a scalar
17:52 < adam3us> i think it's easier to work with (non EC) DSA notation but alternatively one can work with the point
17:52 < adam3us> eg i am thinking about hostile R values such that [R]x = H(m)
17:54 < adam3us> you don't need to know k' such that k'G = R with that property, just choose R = (H(m),f(H(m))) for example
17:55 < adam3us> then the hard part try to solve for s
--- Log closed Tue Sep 24 19:47:20 2013
--- Log opened Tue Sep 24 19:47:38 2013
23:17 < petertodd> warren: same, although child-pays-for-parent would be good to implement first, that is implement the relaying changes so that groups of transactions are relayed at once
23:18 < warren> petertodd: that sounds helpful
23:18 < warren> petertodd: would there be any arbitrary limit of how deep the unconfirmed chain can be?
23:19 < petertodd> gmaxwell: *effectively* getting the sig out of the txid is a very easy change: just make signatures be on the scriptPubKey's or even scriptPubKey:value's your spending rather than txid:n
23:21 < petertodd> warren: doesn't have to be beyond the limit of "how much data I'm willing to accept from a peer in one go"
23:21 < petertodd> warren: 32MiB is that limit in some places
23:26 < gmaxwell> petertodd: no, that leaves you with all the really @#$#@ non-uniqueness problems.
23:26 < gmaxwell> "Am I spending this output or that?"
23:27 < petertodd> gmaxwell: if you don't re-use addresses there's no issue... and if you do, that's your own fault (and including value mitigates that somewhat)
23:28 < petertodd> gmaxwell: soft-forking change too, because it can be done as a new signature type
23:28 < petertodd> gmaxwell: you'd still want to keep txid's, but they're only a hint really (and for backwards compatibility)
23:39 < petertodd> gmaxwell: oh, brainfart, scriptPubKey:value is the only way to do it because of fees, so yeah, do that and you're set. from the transaction's point of view, who cares what exact txid was used to satisfy the input?
23:40 < gmaxwell> petertodd: ...
23:40 < petertodd> gmaxwell: obviously creating two scriptPubKey:value's is unwise in this scheme, but don't do that...
23:40 < gmaxwell> You don't control that.
23:40 < petertodd> gmaxwell: don't control what?
23:40 < gmaxwell> Other people paying you.
23:40 < gmaxwell> This basically reintroduces the duplicate txid problem.
23:41 < petertodd> gmaxwell: sure you do: new system is that when you give someone an address, you actually give them a way to generate scriptPubKey's on your behalf, be it ECC or something as dumb as a nonce
23:42 < gmaxwell> petertodd: but then they pay you twice from non-strongly serialized systems.
23:42 < petertodd> gmaxwell: heck, failing that, do scriptPubKey:value:block:tx#...
23:42 < gmaxwell> can't spend unconfirmed outputs, which then defeats the whole issue with worrying about the malleability, nothing is malleable once confirmed.
23:43 < petertodd> gmaxwell: fair enough
23:44 < petertodd> gmaxwell: then just make it possible to leave out the txid in the signature hash calculation, usually it'll be there, but for special applications hash something else to be sure malleability doesn't bite you
--- Log closed Wed Sep 25 00:00:12 2013
--- Log opened Wed Sep 25 00:00:12 2013
01:53 < phantomcircuit> warren, :)
17:41 < warren> perhaps mastercoin should be encouraged to bloat testnet
17:41 < warren> then it gets dumped with testnet4
17:42 < sipa> ha
17:54 < gmaxwell> I think their marketing precludes them from using testnet.
17:54 < gmaxwell> would be nice if someone could convince them!
18:05 < warren> "testnet has no IsStandard() enforcement so you can do any transaction you want!"
18:05 < warren> "the fees per KB will be lower, making mastercoin cheaper to operate!"
18:06 < sipa> and it's technically just as useful for them
--- Log closed Thu Sep 26 00:00:16 2013
--- Log opened Thu Sep 26 00:00:16 2013
--- Log closed Fri Sep 27 00:00:19 2013
--- Log opened Fri Sep 27 00:00:19 2013
18:12 < gmaxwell> so, I've come up with a way of exploiting ECDSA on the basis of controlling the generator.
18:13 < gmaxwell> basically, if you select G to be some multiple of someone's public key, then you can forge signatures as being from that public key, without ever knowing the private key.
18:14 < gmaxwell> I don't think this is a problem for us, since of course all our pubkeys would be generated after the generator was fixed. :)
18:14 < gmaxwell> But there you go.
18:17 < sipa> so, say there is a secret private key x
18:17 < sipa> then you choose G to be n times ... what?
18:18 < sipa> G = n * (x * G) ...
18:18 < sipa> ok, so n has to be 1/x
18:19 < sipa> how can you do that without knowing x?
18:20 < gmaxwell> sipa: no no, say there is an existing public key P.  (forget how it was generated). I can pick the generator as P*X  for some X and then sign messages as P even though I do not know P's discrete log.
18:21 < gmaxwell> (perhaps P is some nothing up my sleeve number)
18:23 < sipa> but P = G * p
18:24 < sipa> (whether you know p or not)
18:24 < sipa> i'm just saying that the notion of a public key sounds meaningless without having the generator
18:25 < gmaxwell> Right it's not really a 'public key' anymore. It's just an "apparent public key"
18:26 < gmaxwell> for example. Say bitcoin was stupid and sent "expired coins" to a pubkey of SHA256("expired").  I could pick G so that I could spend those coins.
18:27 < sipa> ok, say you have P
18:28 < sipa> a valid point on the curve
18:28 < sipa> now you choose G to be n*P
18:28 < sipa> then by definition, P's corresponding private key becomes 1/n
18:29 < sipa> or in other words, by choosing G, you're choosing P's private key
18:29 < sipa> ... of course you're able to spends coins using it, then
18:30 < gmaxwell> Yea, did we really know this before? At least before figuring this out, I thought the only thing you could do by controlling G is forge the signature of a single message.
18:31 < sipa> right
18:31 < sipa> no, i actually never realized that
18:32 < sipa> the realization is that if you're choosing G in terms of an existing public key (however generated), that public key's private key becomes apparent
18:33 < sipa> so, we should actually demand that the generator point has some property that makes it unlikely to be the multiple of something known
18:33 < sipa> why isn't G something like (0x333333333333...33333, <whatever needer>)
18:35 < gmaxwell> or just (1,whatever) + (whatever,1) ?
18:35 < sipa> right
18:35 < sipa> SO
18:35 < gmaxwell> yea, I have no idea. Its irritating. I won't disclose how much time I've spent thinking about this purely because I can't see why the generator isn't some obvious value or at least chosen for performance.
18:35 < sipa> satoshi works for certicom
18:37 < gmaxwell> yea, I can't figure out any attack for this which is at all interesting. We have no nothing up my sleeve pubkeys in bitcoin. We never use pubkeys from other systems as our pubkeys, etc.
18:38 < sipa> right
18:39 < sipa> all it can do is make an apparent nothing-up-my-sleeve number in fact not be a black hole
18:39 < sipa> but that's all it could be in bitcoin: a proven black hole
18:39 < gmaxwell> if 1bitcoineaterdontspend were really a pubkey (if we even had addresses for pubkeys) then I could have made it so those coins were spendable.
18:40 < sipa> yup
18:40 < sipa> for one single address
--- Log closed Thu Jan 02 00:00:47 2014
--- Log opened Thu Jan 02 00:00:47 2014
01:30 < michagogo|cloud> But why force someone who wants to mine namecoin to set up a bitcoind?
01:30 < michagogo|cloud> :-P
01:32 < justanotheruser> michagogo|cloud: Are you saying they shouldn't mine bitcoin, only namecoin?
01:38 < gmaxwell> michagogo|cloud: you don't have to setup a bitcoind.
01:38 < gmaxwell> michagogo|cloud: just produce namecoin blocks with dummy (invalid) bitcoin parents.
01:39 < brisque> nothing really stopping there being namecoin only pools is there? just nobody would want to lose out on the BTC profit.
01:43 < Luke-Jr> gmaxwell: don't even need parents..
01:44 < Luke-Jr> oh
01:44 < Luke-Jr> I see
01:46 < Luke-Jr> yes, I think namecoin is vulnerable here
01:46 < Luke-Jr> I think a better solution would be to use the POW hash as the prevblock header ;)
01:47 < brisque> Luke-Jr: I've done almost no research into namecoin, does it allow for SPV clients?
01:50 < brisque> actually I can answer that one. it's a 0.7 fork so it doesn't support bloom filters, but you can still do some lite verification with the block header and merkle tree.
01:54 < michagogo|cloud> justanotheruser: I was jokingly saying, what if someone wanted to do that?
01:59 < gmaxwell> brisque: you can't really do spv name resolution with it, however.
02:00 < Luke-Jr> brisque: not even that
02:00 < Luke-Jr> what gmaxwell said
02:00 < Luke-Jr> to actually use it, you need a full client
02:00 < brisque> if there was a DNS-namecoin proxy it could prove using the merkle tree and header that the data is valid and in a block though, right?
02:01 < Luke-Jr> brisque: it can't prove the data isn't replaced/stale
02:01 < brisque> sounds like I need to read up on its design. that makes sense though.
02:02 < brisque> I was forgetting name resolution isn't static like a transaction is.
02:05  * andytoshi-logbot is logging
02:10 < gmaxwell> brisque: it could be made possible with some modest design changes.
02:11 < gmaxwell> https://bitcointalk.org/index.php?topic=21995.0
02:16 < brisque> gmaxwell: that's interesting. for old blocks that would presumably get resource intensive though.
02:17 < gmaxwell> hm?
02:17 < gmaxwell> brisque: I would only expect nodes to retain the data structure as of the tip.
02:18 < gmaxwell> (to reorg they would keep undo data, like we do for blocks)
02:20 < brisque> yep, I follow.
02:20 < brisque> at this point I'm convinced that you've written a post on the forum about every topic conceivable, it's just buried in bitcointalk nonsense.
02:28 < CodeShark> yeah, agreed, brisque - it would be nice to organize all of gmaxwell's forum posts into a coherent reference :)
02:29 < CodeShark> I just don't have time nor focus to sift through all the forum crap
02:30 < brisque> CodeShark: I'd read that, maybe a coffee table book of failed altcoins too
02:33 < gmaxwell> I've actually considered hiring someone to do that.
02:34 < gmaxwell> (to go index everything I've written and make summaries)
02:35 < brisque> damn, I was getting excited for the coffee table book.
02:37 < brisque> gmaxwell: provided all of your 3000 posts aren't almost BIPs in length, I'd be happy to do that though if you wanted. they're usually quite interesting reads unto themselves.
02:39 < brisque> gmaxwell: I particularly enjoy that you used interrobangs in 2011.
02:51  * andytoshi-logbot is logging
02:52  * andytoshi will manually paste everything the logbot missed over the last hour into the logs -- this outage was (semi)planned as the logbot was getting a virtual sound card installed
02:54 < brisque> andytoshi: nothing important was said anyway, just me being impressed by gmax'wells crazy punctuation.
03:01 < BlueMatt> early beta preview: http://coingen.bluematt.me/ =D
03:01 < CodeShark> haha!
03:01 < CodeShark> nice
03:01 < brisque> BlueMatt: that's absolutely brilliant
03:02 < andytoshi> ha ha!
03:02 < brisque> BlueMatt: might want to drop the pricing if you really want to flood the market though.
03:02 < andytoshi> i love the prefilled "MagicCoin"
03:03 < BlueMatt> brisque: yea, havent fixed that up yet
03:03 < CodeShark> BlueMatt: wasn't it you just a few days ago after we talked about this who was so adamantly opposed to making it easier for people to make alt coins? :)
03:03 < CodeShark> or was that someone else?
03:04 < BlueMatt> no
03:04 < BlueMatt> I absolutely hate altcoins
03:04 < BlueMatt> hence why I built this
03:04 < brisque> BlueMatt: making it free for the no-source version and paid to remove the branding would probably be best for maximum impact, then you end up with a situation where you have people too cheap to pay for the removal of the branding being shown as such.
03:04 < BlueMatt> brisque: not sure yet...the server isnt free...
03:05 < BlueMatt> really havent decided yet
03:05 < CodeShark> you stole my idea :p
03:05 < CodeShark> j/k
03:06 < CodeShark> it was only a matter of time before it got built
03:06 < BlueMatt> plenty of people have been discussing it for a long time :P
03:06 < brisque> BlueMatt: completely up to you naturally, it would have maximum impact if you could undercut people offering this as a manual service though.
03:06 < BlueMatt> yep
03:06 < BlueMatt> yea
03:06 < andytoshi> oh god, we're gonna have people on #bitcoin asking which alt generator is the cheapest
03:06 < andytoshi> ...and people answering them
03:06 < CodeShark> yes, brace yourself
03:07 < brisque> BlueMatt: do you have an address I can throw a tip to? I'll throw you some for the effort when I'm near my cold wallet next.
03:07 < warren> brisque: there should be an option with a 100 BTC minimum to set the exchange bribe amount.
03:08 < brisque> warren: I like that too
03:10 < brisque> BlueMatt: probably needs a couple more variables now that I'm looking at the altcoin forum. starting difficulty, target time, that sort of thing.
03:11 < BlueMatt> brisque: put up a donation address
03:11 < BlueMatt> brisque: yep, its still fairly early
03:11 < CodeShark> starting difficulty should be minimum difficulty - the other parameters are starting time, block reward rule, retargeting rule, and magic bytes (which might be best to just choose randomly)
03:11 < BlueMatt> the scrypt option doesnt even work yet
03:11 < CodeShark> and while you're at it, allow dynamic linking to a block header hash function
03:12 < BlueMatt> also need to put up something like pre-mine a single block and put up a "accept anything" peer that bootstraps the initial network
03:12 < CodeShark> and make sure not to make the same mistake as litecoin and use two separate block hash functions
03:12 < CodeShark> the PoW hash function for blocks should also be used for block identifiers in the protocol
03:12 < kyrio> magic bytes need to be random
03:12 < BlueMatt> magic bytes are random
03:12 < kyrio> oh
03:12 < brisque> BlueMatt: made a tip transaction, I'll go sign it and broadcast it later.
03:12 < BlueMatt> brisque: thanks
03:12 < kyrio> >p2pool networks.py config included
03:13 < CodeShark> and just for kicks, allow them to enter arbitrary data into the genesis block coinbase transaction :)
03:13 < warren> Dual_EC_DRBG random?
03:13 < kyrio> >.1 btc
03:13 < kyrio> or maybe .25
03:13 < andytoshi> warren: yes :D
03:13 < BlueMatt> yea, mining support would be awesome
03:13 < brisque> BlueMatt: oh, sweet idea. default the POW to MD4 unless they pay
03:13 < warren> hahaha
03:13 < CodeShark> lol
03:13 < BlueMatt> heh
03:13 < brisque> maybe that's too mean.
03:14  * BlueMatt has had waay more mean thoughts while building this
03:14 < BlueMatt> just didnt do any (yet)
03:14 < brisque> for maximum impact (not necessarily profit) you'd want to make it low enough cost for people to do it on a whim.
03:14 < kyrio> yes
03:15 < kyrio> but things that will make the creator profit (like putting up the first pool) should cost him first
03:15 < brisque> for maximum profit you'd want it set up with freemium options like it is now. free unless you want a better algorithm, or the source, or the branding removed.
03:15 < kyrio> so he loses money
03:15 < petertodd> BlueMatt: I implemented CRC32 in opentimestamps fwiw...
03:15 < petertodd> BlueMatt: maybe do CRC64 as a compromise
03:15 < gmaxwell> BlueMatt: oh wow!
03:16 < gmaxwell> you've been so much more productive than I've been lately.
03:16 < brisque> petertodd: luhn check POW?
03:16 < gmaxwell> You need some kind of graphic involving a fountain of money.
03:16 < andytoshi> i wonder if there's actually a way to involve captchas in the PoW..
03:16 < petertodd> It'd be the master of all coins.
03:16 < BlueMatt> gmaxwell: submissions gladly accepted
03:16 < gmaxwell> BlueMatt: I might take you up on that.
03:16 < brisque> andytoshi: nope. who would make the captcha? the point of POW is that the work is generated without a second party.
03:17 < gmaxwell> brisque: where did he suggest that it would be secure?
03:17 < BlueMatt> anyway, still needs lots of work but for now it does work for making a bitcoin-clone that has custom branding automagically
03:17 < brisque> gmaxwell: right. I'd forgotten I just suggested a check digit as a POW.
03:18 < andytoshi> :P
03:18 < BlueMatt> probably plenty of sed issues, but oh well
03:19 < brisque> for the greater good.
03:19 < gmaxwell> There should be an option to use this in the scripting language: https://en.wikipedia.org/wiki/LOLCODE
03:20 < BlueMatt> OP_X86 :)
03:20 < andytoshi> brisque: suppose you have to find a hash, and an 2-color image of the hash's hex code which starts with the same bytes when read as a bitmap
03:20 < andytoshi> and the users have to solve the captcha for their node to accept the blocks
03:21 < brisque> BlueMatt: you should probably avoid being malicious. the simple existence of such a tool is enough to make the point.
03:21 < gmaxwell> brisque: thats not malicious, it's just ill advised.
03:21 < petertodd> BlueMatt: OP_PYTHON
20:00 < HM> sipa: do you have the equivalent OpenSSL benchmark?
20:00 <@sipa> no
20:01 <@sipa> feel free to write one
20:01 <@sipa> but there are optimizations possible "higher up" that openssl doesn't do, too
20:09 <@sipa> so i'd rather continue, and make a full verifier on top of this, and then compare to OpenSSL
21:10 < HM> incidentally
21:11 < HM> i'm in need of an algorithm where a trusted third party can use to establish a shared secret between 2 parties using only their public keys and participation from *one*
21:12 < HM> e.g. Alice <-- Ted ---> Bob
21:13 < HM> Ted wants to establish a shared secret between Bob and Alice with Bobs help
21:13 < HM> but he needs to ensure Alice will be able to get it
21:13 < HM> without holding private keys for either
21:14 < HM> Ted also doesn't fully trust Bob :)
21:15 < HM> So far the best i've come up with is blinding a dozen tokens, getting Bob to compute a multiplication for each of them
21:15 <@gmaxwell> HM: what purpose does Ted serve at all?
21:15 < HM> then unblinding 11 of them and verifying them
21:15 < HM> that way there's only a 1/12 chance Bob has been dishonest and he will be caught in all likelihood
21:15 <@gmaxwell> if everyone has everyone's public keys. Bob and alice can combine them to get a shared secret... (e.g. ECDH) and no need for Ted to do anything.
21:16 < HM> yep
21:16 < HM> but Bob and Alice cannot communicate in realtime
21:16 <@gmaxwell> so? they have public keys they have a shared secret with no more communication.
21:16 <@gmaxwell> ECDH doesn't require interaction beyond exchanging the public keys, if you don't care for the key to be ephemeral.
21:17 < HM> not really
21:17 < HM> look at it this way
21:17 < HM> Bob knows Alices public key
21:17 < HM> but he doesn't have to use it
21:17 < HM> if a package is encrypted and stored for later with some shared secret, there's no way for Alice to know until later whether he can access it
21:18 <@gmaxwell> Great, then bob knows the AliceBob shared secret.  And if Alice knows Bob's public key, then alice also knows the AliceBob shared secret.
21:19 < HM> Alice can't establish the shared secret in realtime, and decrypt the package and say "yup, that's cool"
21:19 < HM> she has to rely on Ted to make sure Bob is playing ball
21:20 <@gmaxwell> Please step back and describe what you're trying to do. What do people have, what do they know, what state are they trying to get in?
21:21 <@gmaxwell> It sounds to me like you are saying everyone knows everyone's public keys. Alice wants to send an encrypted file to bob. Bob is offline.  Later alice will be offline and bob will be online.
21:21 < HM> basically Ted is locking something up, that is withheld from both Alice and Bob, until sometime in the future.
21:23 < HM> it's encrypted and you need 2 keys to access it
21:23 < HM> either (Alices or Bobs) AND another key
21:25 < HM> the other key is made public in future if Bob needs access, but it's used with other pairings.
21:25 < HM> e.g. (Alice or Sarah) and the other key
21:26 < HM> Ted has to set this up without having Alices private key
21:26 < HM> or Sarahs and Bobs
21:26 < HM> or the private key for the other key
21:27 < HM> so far the best i have will only protect Alices access for some probability
21:27 < HM> i'm not sure it's possible
21:27 < HM> without Ted establishing an ephemeral key
21:28 < HM> I guess an easier way of thinking about it
21:29 < HM> Sarah and Bob are part of a group that need access to Teds documents if provided with a group key
21:29 < HM> Alice has access any time
21:30 < HM> it's not just a group key though because the documents are individual, but they do need the group key
21:30 <@gmaxwell> You're overcomplicating it. Ted can just encrypt the document and then encrypt the document key for any party or group that he wants to have access. Done.
21:31 < HM> yep
21:31 < HM> but then the encrypted document key needs to be shared
21:32 < HM> the objective is to accomplish this without Sarah and Bob having to remember any additional data
21:32 < HM> or having that kept with Ted
21:33 <@gmaxwell> HM: it would be included with the document, of course.
21:34 < HM> what i envisioned was this
21:35 < HM> what syntax do you use for public EC keys?
21:35 < HM> G^x good for you?
21:37 < HM> i'll use *G
21:37 < HM> (g   +  H(b*a*G))*G =  g*G + H(b*a*G)*G
21:38 < HM> g = group key, a = alice, b = bob
21:38 < HM> H = some hash function
21:38 < HM> given a*G (Alice's public key), bob can calculate H(b*a*G), as can Alice
21:39 < HM> because that's basically D-H
21:39 < HM> if 'g' is later made public then Bob can also then get the final private key: g + H(b*a*G)
21:40 < HM> Ted can construct this whole thing because he only needs a*G and b*a*G from Bob and Bob trusts him
21:40 < HM> that is, Ted can calculate the right hand side
21:40 < HM> the problem is Ted can't just expect Bob to calculate b*a*G
21:40 < HM> 'b' is unknown so he could just as easily reply with anything
21:40 < HM> and screw Alice
21:44 < HM> My best idea atm is to have Ted blind a*G and actually keep that secret. send Bob a dozen blinded x[]*Gs and have him compute b*x[0..i]Gs
21:44 < HM> Ted can then verify that Bob has calculated at least a dozen correctly because he already has b*G which is used earlier for authentication
21:45 < HM> so Ted can be pretty sure that the b*a*G he has is really a multiple of a*G
21:47 < HM> a*G doesn't actually have to be secret, that was poor phrasing
21:47 < HM> i meant the location amongst the blinded points
21:48 <@gmaxwell> this just seems stupid to me, sorry. I can't fathom why you want this. Fragile, complicated, computationally expensive... and I'm trying to speculate _something_ this gets you over doing the obvious, simple, and secure thing and I'm coming up empty.
21:49 < HM> Bob only has to know his own key, and alices public key, aG doesn't change
21:49 < HM> the group key changes all the time as Bob participates in many groups
21:49 < HM> this way Bob doesn't need his own key within each group
21:51 < HM> consider 1000 Bobs, each participating in 100 groups. your total keys if you use encryption is 100,000. which Ted has to keep safe until both Bob and Alice have at least received a copy
21:51 < HM> with this scheme you only need 1000 keys held by 1000 bobs (no work for Ted, already required) and 100 group keys
21:52 < HM> and Ted doesn't really have to keep much safe. he can make the right hand side completely public
21:53 < HM> damn, i've lost my nick list
21:53 < HM> hopefully that makes sense
21:54 <@gmaxwell> HM: I now send you off reading: http://en.wikipedia.org/wiki/Broadcast_encryption
21:56 < HM> hmm stateless users, sounds promising
21:58 < HM> i think the idea of traitor tracing is what i was getting at with blinding
21:58 < HM> since if Bob decides to do anything other than a multiply with their key they risk detection by Ted who will ban their ass
21:59 < HM> the broadcast analogy seems spot on though thanks
22:01 <@gmaxwell> You should read the cited papers, there has been a moderate amount published on this (a bunch by IBM people, oddly)
22:02 < HM> i think where it varies is Bob actually has 2 way comms with Ted
22:04 < HM> see the appeal is Alice can just talk to Ted any time and use her 2 keys ('g' and 'a') to produce the private key from bG
22:04 < HM> and later public 'g' but never 'a'
22:04 < HM> Ted never has to provide anything he hasn't had for a long time, just knowledge that the whole thing happened
22:05 < HM> hell Alice may even sync regularly and download Teds logs
22:05 < HM> Ted is just an extension of Alice
22:05 < HM> who doesn't have her private key
22:07 < HM> *later publish 'g'
22:07 < HM> I'll scour the web for papers later, it's 3am. Night
--- Log closed Tue Mar 05 00:00:41 2013
--- Log opened Tue Mar 05 00:00:41 2013
00:04 < amiller> mmm scouring the web for papers
00:04 < amiller> i like this channel
08:02 < HM> I've thought up a better analogy to my problem
08:03 < HM> I'm going to write it up properly
16:39  * HM wonders how sipa is getting on with his speedy secp256k1 implementation
17:11 <@sipa> HM: patience, i don't have that much time to work on it
17:12 < HM> well at least you use the time you do have productively
17:12 <@sipa> haha
17:14 < HM> :|
17:14 < HM> I wasn't be sarcastic
17:14 < HM> being*
17:21 <@sipa> i didn't assume so
17:21 <@sipa> it's still a funny remark
17:21 < HM> why so?
17:23 <@sipa> ok, maybe i have a weird sense of humor
17:23 < HM> or maybe I have no sense of humour !
17:27 <@sipa> it is uncertain whether continuing this discussion would constitute 'using my time productively'
17:28 < HM> I think that is unlikely
17:28 < HM> Carry on
--- Log closed Wed Mar 06 00:00:42 2013
--- Log opened Wed Mar 06 00:00:42 2013
14:54 < HM> Is there a signature algorithm that maintains signer privacy?
14:54 < HM> e.g. where public key recovery isn't possible but you can still verify it if you know the public key
14:56 < HM> the only tweak i can think of is still the public key in as a salt to the message hash
14:57 < HM> Schnorr signatures allow key recovery as well
14:58 < HM> *stick the public key
15:17 <@sipa> HM: just xor the signature with a bit of data that you make part of the pubkey
15:18 <@sipa> or better, symmetrically encrypt it with a key that becomes part of the pubkey
15:19 < HM> yeah i thought about the latter
16:58 < jgarzik> petertodd, gmaxwell: thinking about the irc-bot-as-a-bank (or perhaps N-irc-bots-distributed bank), I think I want a generic identity token service, paid for with bitcoins.  Sort of a "network identity", like an email address or DNS name, but purchased with bitcoins.  Associate with a bitcoin address and/or GPG identity for authenticated access
16:58 < jgarzik> Anybody done that before?
16:58 < petertodd> Nope, IE fidelity bond style or something else.
16:58 < petertodd> ?
20:27 < gmaxwell> petertodd: So I figured out how to make fraud proofs safe from an engineering perspective. You'll love it.
20:28 < gmaxwell> petertodd: recall one concern we have about fraud proofs is that because they make fraud worthless to try, the damn code won't work right. And then the fraud proofs themselves will be an enormous consensus failure liability... because eventually someone will create fraud and the proof itself will only partially work. Or they'll make a false fraud proof and kill non-fraudulent blocks.
20:29 < gmaxwell> petertodd: The solution: All blocks are required to commit to two versions of the block. One is the real block, the other is required to be fraudulent.
20:29 < gmaxwell> petertodd: and a fraud proof is used to kill the fraudulent one.
20:29 < gmaxwell> so the fraud proof code becomes essential and applies to every block.
20:30 < gmaxwell> (note that I said you'll love it, I kinda expect everyone else to hate this idea)
20:30 < gmaxwell> guess I'll go post it before I forget it again.
20:32 < sipa> It is etched forever in my IRC logs.
20:33 < midnightmagic> i hate the idea!
20:33  * midnightmagic ducks
20:34 < HM2> sipa commits his logs into the blockchain
20:34 < sipa> yeah, using this method: http://xkcd.com/378/
20:51 < gmaxwell> Luke-Jr: did you get a chance to look at petertodd's OP_RETURN transaction and see why eligius isn't taking it?
23:21 < amiller> gmaxwell, unless it's randomly fraudulent or something that wont have the desired effect
23:22 < amiller> if it could be 'any' fraud, then everyone would just throw it softballs
23:22 < amiller> only 1% of the fraud check codebase would be tested and any real fraud would still get through
23:22 < maaku> petertodd: i consider what I say on #bitcoin-wizards public
23:22 < maaku> but thanks for asking
23:23 < gmaxwell> amiller: I dunno about that, if the reference implementation did not throw softballs then there would at least be some fraction of non-softballs and that would be enough to see that its tested.
23:23 < amiller> unrelated: thanks for your recent post in that utxo thread, it's a good summary of all the cool ideas
23:24 < gmaxwell> I suppose it could actually require the fraud to be of a specific type, and you just don't know which block is which.
23:24 < maaku> petertodd: i think that's a very good point re: patents
23:24 < maaku> and logging #bitcoin-wizards
23:24 < gmaxwell> e.g. prior block hash picks the fraud, ... but I'd worry somewhat that adding more network rules has its own risks.
23:27 < amiller> right now the main defense against people mining without checking the whole history is that there's no command line parameter in the reference client to override the start point
23:27 < amiller> (er, well, that and the fact you need to start from the beginning to get a utxo index)
23:27 < gmaxwell> amiller: yea, no accident that there is no way to do that.
23:27 < amiller> we should be able to rely on something like spv security with that
23:27 < gmaxwell> but thats ... uhhh fragile.
23:28 < amiller> it would take some kind of economic thing i guess
23:28 < amiller> but what we *hope* is that people *want* to check back as far as they can
23:28 < amiller> that it's *cheap* enough for them to be able to do so
23:28 < gmaxwell> because eventually something like btcgo (which has insanely slow ecdsa validation) will just offer a don't validate anything mode, I guess.
23:28 < amiller> and to the extent that it requires the public good of everyone dragging around enough data to do so, and being willing to share it when needed, that should be incentivized as well
23:29 < amiller> also it really only is a problem if *miners* haven't validated
23:29 < amiller> because everyone else is gonna be spv anyway
23:29 < petertodd> amiller: who's going to run the full nodes for the spv nodes to connect to?
23:30 < amiller> so the cost to validate as a function of how far back you want to go is (part of) what determines how far back people will check
23:30 < petertodd> gmaxwell: I'm starting to think maybe the thing to do is 1) make fraud detection profitable, and 2) make creating fraudulent blocks cheap or even free
23:31 < gmaxwell> petertodd: subsidy rewarded to the provider of the fraud notice? :P
23:31 < petertodd> gmaxwell: yes!
23:32 < gmaxwell> kinda like your mining via successful fraud idea.
23:32 < petertodd> lol, yeah
23:32 < petertodd> mainly I want to make it possible for people to cheaply test out fraud detection
23:32 < petertodd> and equally, force everyone else to verify because it's cheap to commit fraud to rip off the non-verifying community
23:33 < petertodd> obviously actually getting the right set of incentives will be hard, but I think the very general idea has merit
23:33 < amiller> i like the concept of "anti-fragile" here
23:33 < amiller> we're best off encouraging a constant balanced supply of fraud and fraud detection
23:34 < petertodd> that's a very good term for it
23:34 < amiller> people should get frauded, a little bit
23:34 < petertodd> look at how non-standard transactions catch up so many alt-implementations, yet it hardly gets tested because only eligius mines them (and I think they might not be right now)
23:34 < amiller> maybe you can force fraud detection to have holes
23:34 < amiller> that would encourage some frauds to get through
23:35 < amiller> maybe everyone has a different hole
23:35 < amiller> but they're all different
23:35 < amiller> that way you can make a fraud, it gets through *someone*, bad luck for them you take their fraud bond
23:36 < amiller> if there's a systematic error then it will be *really* profitable to make it
23:36 < amiller> because you'll take everyone's punctured fraud checker bond
23:36 < petertodd> yeah, that's part of it too, you want people to have incentives to, say, test miners that aren't checking
23:36 < amiller> but generally there will always be some level of success with it
23:37 < petertodd> the idea of having every block commit to two different blocks is an interesting one, though it's almost like you want to be able to prove fraud in the form of "neither block is fraudulent"
23:38 < petertodd> heck, maybe make the de-facto rule be "extend the first block, except when it's been proven fraudulent", which allows miners who get away with non-detected fraud to have their rivals do useless work
23:41 < amiller> what you don't want is mutually assured destruction though, where no one makes the fraud, and no one checks the fraud, because they both overestimate the effectiveness of the others, and then all the missiles are rusted
23:41 < amiller> that may or may not have made any sense
23:41 < amiller> but the point is that there *should* be a healthy amount of fraud in the stationary case
23:42 < petertodd> right, but it's not MAD, because you're only actually punished if both blocks are fraudulent
23:53 < amiller> MAD wasn't the right analogy
23:53 < amiller> put it this way, who's going to be *paying* for the costs of the constant fire drills
23:54 < petertodd> the only cost is that you need more confirms for a tx to be sure
23:55 < petertodd> the auditing *should* be done anyway
23:56 < amiller> i think you're missing my point but i only have a weak grasp of my point anyway so maybe i'll bring it up again if i have a solution in mind :o
23:57 < petertodd> ha
23:59 < gmaxwell> the important thing is to make firedrills cheap.
23:59 < gmaxwell> then even counting on a few altruists to do them isn't a big deal.
--- Log closed Sun Oct 20 00:00:13 2013
--- Log opened Sun Oct 20 00:00:13 2013
--- Day changed Sun Oct 20 2013
00:00 < petertodd> and people don't get accused of being satoshi by large companies for doing them :P
00:00 < gmaxwell> what company accused which of us of being satoshi? :P
00:02 < petertodd> when coinbase kept on getting forked by those weird transactions a: they assumed I did it specifically to kill them and b: at one point one of them even said something that was basically along the lines of "only satoshi could have known enough to make the tx"
00:02 < petertodd> kinda funny really
00:03 < gmaxwell> petertodd: was it you that killed btcgo?
00:03 < petertodd> btcgo?
00:04 < petertodd> what's btcgo?
00:04 < gmaxwell> the conformal software btcd stuff.
00:04 < petertodd> huh, not familiar with it, I assume it's written in go right?
00:04 < gmaxwell> Killed on testnet by invalid script stuff inside an unexecuted OP_IF branch.
00:04 < petertodd> when was this?
00:04 < gmaxwell> couple weeks ago.
00:05 < petertodd> nah, I've been busy
00:05 < gmaxwell> they announced that it was "done" and within a day or two it was forked on testnet.
00:05 < petertodd> ha
00:05 < gmaxwell> I think they think I did it, as they seemed a bit irritated at me about it.
00:05 < petertodd> I did add a test case for something similar to that though in the unittests
00:05 < petertodd> and there were already unittests for specific versions of that anyway
00:06 < petertodd> ...why do I get the feeling that my branch of python-bitcoinlib probably is more conformal than btcgo...
00:07 < gmaxwell> They're putting in more effort than most alt implementors.
00:07 < gmaxwell> esp after getting bludgeoned once or twice. e.g. they pass the block pulltester.
00:07 < petertodd> I'm pretty sure the unittests would have caught that one.
00:08 < gmaxwell> They complained the unittests didn't have that case.
00:08 < gmaxwell> I asked them to open an issue, lets see if they did.
00:08 < petertodd> "0", "IF RESERVED RESERVED1 RESERVED2 ELSE 1 ENDIF", "RESERVED ok in un-executed IF"
00:08 < petertodd> for instance
00:09 < petertodd> oh, was this a un-named opcode?
00:09 < petertodd> maybe that's what they tripped up on
00:09 < gmaxwell> unfortunately they didn't take the approach I suggested with pulltester: complete your implementation, when you are really convinced that its correct only then run pulltester.
02:06 < petertodd> jgarzik: that was brought up before actually with stored value cards, and IIRC whether or not the transaction "actually" happened on some server somewhere wasn't considered to be as important as simple pragmatic problems of verifying them at borders
02:06 < phantomcircuit> they have done it before for someone entering with CAD
02:07 < gmaxwell> obviously I wouldn't bring a bunch of coin unless I was planning on playing the declaration game.
02:07 < petertodd> phantomcircuit: well, keep in mind that having amounts just over the limit violates laws in other ways
02:07 < gmaxwell> oh well, thats perhaps a problem then. I guess I need to consult an attorney first. bleh.
02:08 < phantomcircuit> petertodd, if you have funds which are your own and you declare it then it's entirely on the discretion of the border patrol agent
02:08 < petertodd> phantomcircuit: there's a great example of a small grocery store in a poor area that had their bank accounts seized because they were making frequent deposits just under $10k, which was considered to be illegal structuring, but their insurance company mandates that no more than $10k of cash be held...
02:08 < phantomcircuit> although given that if they confiscate it that indirectly goes towards paying their salary
02:08 < phantomcircuit> I'm not thinking you have good odds
02:09 < petertodd> phantomcircuit: yeah, proceeds from civil forfeiture should always be destroyed and returned to society in the form of deflation to keep the incentives right
02:10 < gmaxwell> or at least sent to a maximally far away place. E.g. added to social security of the nation's general fund.
02:11 < gmaxwell> (arguably the US would be silly to return it as deflation: people all over the world use USD, keeping the benefit of our forfeitures nationally local isn't too much to ask)
02:11 < petertodd> gmaxwell: ok, use it to fund legal aid :P
02:11 < gmaxwell> ohh hey, that's a neat idea.
02:11 < gmaxwell> give it to the public defenders.
02:12 < petertodd> yup
02:13 < petertodd> kinda the same thinking as to why I think if you're ever charged with something, and the prosecution can't get a conviction, even on only some of the charges, you should always get compensation - use it to pay for legal aid
02:14 < petertodd> what's really nice about that is it helps avoid the prosecution piling up charges as a threat
02:14 < petertodd> problem is courts are relatively corrupt because judges, prosecution, and law enforcement all know each other - just human nature
02:15 < gmaxwell> well also corrupt because most people who are charged are actually guilty... encourages a kind of laxity.
02:15 < petertodd> yup
02:16 < petertodd> places like japan with 99.7% conviction rates are scary...
02:16 < jgarzik> scary... but it's a headline, too
02:16 < petertodd> it also encourages other abuses "so what if we beat the suspect a bit? he's guilty anyway"
02:16 < jgarzik> some cases just aren't brought unless they are highly likely to be won
02:16 < jgarzik> well s/some//
02:17 < petertodd> jgarzik: yes, but that doesn't change the dynamics of the system re: laxity
02:17 < petertodd> and for that matter public opinion
02:17 < jgarzik> I'd be willing to bet the general public knows that some innocents go to jail
02:19 < petertodd> meh, general public don't give me much faith re: skepticism
02:21 < petertodd> I mean, heck, in high school one friend of mine accused the other of raping her... and reality is I'll never know what happened. But so many people who I say this to just don't understand how it's possible to not be sure. ("But you're supporting rape culture!" "The bitch was lying of course!")
02:22  * jgarzik kicks xchat
02:37  * jgarzik looks at the clock, and decides it is far too late.  *sniff*	Ah, yearn for the days when I would code until 5-6am, and get up at noon.
08:20 < adam3us> musing about double spend protection - to what extent other models are possible vs some unavoidable / most efficient pattern t the existing logic
08:21 < adam3us> so eg double spends are not broadcast, so 0-confs are not secure until wait for the conf
08:21 < adam3us> an alternative discussed by a few people , double spends are broadcast (even broadcast at high priority), then you get a negative notification so if you wait a while
08:22 < adam3us> eg 20 sec maybe you get some indication
08:22 < adam3us> i was wondering if the reason it is how it is is because it's sort of attractive to have a positive indicator, even though it can be retracted later (a different spend ends up in the confirmation)
08:23 < adam3us> vs a negative indicator (waiting for absence of conflicting spends)
08:23 < adam3us> though i think the net result is the same
15:48 < HM2> I wonder if a taxi driver will give me a discount for paying in bitcoin
15:48 < HM2> costs almost as much for a taxi at an unreasonable hour to my local airport as it does for an extra night in a hotel to avoid it
16:07 < jgarzik> heh
18:54 < Luke-Jr> petertodd: markdown sucks, as does having to use pull requests for every minor BIP change :P
18:55 < Luke-Jr> BIPs actually began as a git repo, but that died quickly.. :p
18:58 < sipa> yeah, the wiki used to be just a dump of the repository
18:59 < sipa> but it didn't take long before people just used the wiki pages without pullreqing the changes
19:02 < petertodd> sounds to me like a lack of proper change tracking!
19:02 < petertodd> sheesh
19:02 < sipa> it's just too inconvenient
19:02 < petertodd> could always use git-submodules, lol
19:03 < petertodd> sipa: that's what my co-workers say about revision control... :/
19:03 < petertodd> oh well, the people have spoken :(
19:03 < sipa> well the repository still exists
19:03 < petertodd> oh yeah?
19:03 < gmaxwell> It would probably be okay for 'finished' BIPs.
19:03 < sipa> we could bring it up to date
19:04 < sipa> genjix/bips iirc
19:04 < petertodd> gmaxwell: that's my point really: BIPs should become finished at some point with further changes tracked - we don't want there to be any incentive or ability to sneak in changes, especially if they may have security issues
19:17 < sipa> agree there
19:19 < petertodd> well, maybe I'll take my bloom bip and do up a bip repo with subtrees or somesuch for sake of argument
19:19 < petertodd> work through how it could be done in a more user-friendly way
19:21 < petertodd> probably something where only a disaster will change people's minds - at work every time they try to build a backup of a piece of equipment it seems opinions about revision control soften...
19:23 < sipa> clearly we just need a wiki whose storage backend uses git :)
19:24 < petertodd> you realize one exists right?
19:24 < sipa> i didn't know, but my guess would have been yes :)
19:24 < petertodd> I've actually used it for an art project, and it worked really well for us
19:25 < petertodd> the artists (well author) got a nice GUI to play with, and yet we still got really solid revision logging, versioning and backups.
19:25 < petertodd> s/author/authors/
19:27 < petertodd> https://github.com/gollum/gollum
19:27 < petertodd> I think that's what we used, was a while ago
19:27 < petertodd> the actual git repo of course is totally generic and doesn't say what software was used to make it!
19:35 < sipa> petertodd: i still don't get what your concern is with the canonical pushes pullreq?
19:36 < sipa> is there a case where we create things that this pullreq would reject?
20:30  * jgarzik volunteers petertodd  for some work and runs
20:31 < jgarzik> git repo is clearly superior.	Should be easy enough to get a bot that copies to read-only wiki pages.
20:32 < jgarzik> Getting committed to the git repo should be a Big Deal, and presumes that rounds of discussion have proceeded
20:33 < jgarzik> I would probably publish a BIP queue too, for trial balloons, works in progress, kinda like IETF draft
20:33 < jgarzik> much much lower barrier to entry
20:34 < gmaxwell> Having a queue would be a great idea. I will make that happen.  (Queue can just be a wiki page, I think)
20:44 < jgarzik> gmaxwell, the points about source code control stand, IMO
20:44 < jgarzik> gmaxwell, I would prefer hash-sealed BIPs
20:45 < jgarzik> gmaxwell, it's a bit lame that we don't, being bitcoin and all
20:47 < jgarzik> A robot that pushes git repo changes to wiki should be straightforward
20:47 < gmaxwell> jgarzik: oh absolutely, I agree. I don't think that source control is worth forcing on people for BIPs which are early in life. It absolutely should be used when they're "done".
20:48 < gmaxwell> but we're not even (yet) using signing in GIT... so "being bitcoin and all" isn't itself that compelling yet. :P
20:48 < jgarzik> gmaxwell, how about "email jgarzik the latest draft, and he will stick it in the git repo for you"?
20:48 < gmaxwell> (well, okay, signed tags)
20:49 < gmaxwell> It's not me you need to satisfy. I'm happy with source control.
20:49 < jgarzik> gmaxwell, as a process proposal, to make the barrier of entry low, and address the "SCM not worth forcing..." complaint.
20:50 < sipa> i git-sign all github merges i do now :)
20:51 < jgarzik> e.g. Policy proposal:	Anybody can create a BIP.  As long as it is remotely related to bitcoin and has formatting similar to other BIPs, accept into bips.git/draft.  Once general consensus is reached, promote to bips.git/.  Robot auto-copies all changes, converting markdown to wikitext if people like markdown as source.
20:52 < jgarzik> I'll volunteer at BIPS editor, but I think whole dev team should have commit access to bips.git
20:52 < jgarzik> *as
20:52 < sipa> i'm sure people will complain that the developers of just one client shouldn't have privileged access
20:53 < jgarzik> model loosely after IETF draft -> IETF RFC process, albeit with less time and bureaucracy ;p  Some BIPs come together in days, some in months or years.
20:53 < sipa> note that extra process does scare people away
15:59 < jgarzik> warren, tempting.  I was hoping to wait for the first beta, and then try a reinstall, hoping that EFI was simply fixed at that point
16:00  * jgarzik is concerned that Fedora is falling behind, not being able to install well on -any- modern laptop.  Two for two in the failure department.  Neither my wife's new laptop, nor mine (different brands, both from Wal-Mart, both EFI) worked with Fedora at all.  CD boots, but failed to create a bootable system.
16:00 < warren> jgarzik: I made that Fedora 18 with epoch++ to prevent yum from upgrading it.  maybe that isn't a good idea.  I dunno
16:02 < warren> jgarzik: is this after mjg59 left RH?
16:02 < jgarzik> warren, heh, he's coming back
16:02 < jgarzik> but yes
16:03 < warren> coming back?  really?
16:04  * gmaxwell waits for warren to ask mjg59 in another window. :P
16:04 < warren> nah
16:05 < warren> jgarzik: I also have a stack for Fedora that allows you to use gitian easily.
--- Log closed Sat May 25 00:00:22 2013
--- Log opened Sat May 25 00:00:22 2013
00:37 < amiller> why is there no theoretical model for the internet
00:37 < amiller> the internet looks nothing like the point-to-point connected networks in my distributed systems textbook
00:37 < amiller> not even close
00:37 < amiller> https://upload.wikimedia.org/wikipedia/commons/d/d2/Internet_map_1024.jpg the internet looks like this right
00:39 < warren> not enough tubes
00:40 < amiller> what is IP supposed to do even if it works correctly
00:40 < amiller> how much does an ip address cost
00:40 < amiller> are they cheaper in bulk
00:40 < amiller> how much does traffic cost, that's cheaper in bulk too isn't it
00:40 < amiller> is it cheaper if i do anycast message in a bottle style
00:41 < amiller> is there any communications model that includes skywriting and batsignals and billboards and radio jamming
00:41 < weex> there should be
00:46 < amiller> the whole thing needs more proof of work
00:46 < amiller> everywhere
00:46 < amiller> pow all the things
01:19 < amiller> also merkle all the things
01:19 < amiller> these are related
--- Log closed Sat May 25 02:24:27 2013
--- Log opened Sat May 25 02:25:45 2013
--- Log closed Sun May 26 00:00:35 2013
--- Log opened Sun May 26 00:00:35 2013
19:41 < warren> Heh.  LTC is trading at $3.141592
19:58 < gmaxwell> warren: is there any way to get USD out of an exchange that trades in LTC?
19:58 < gmaxwell> IIRC people used LR to get money out of btc-e...
19:58 < warren> gmaxwell: apparently the last method (OKPay) was killed in the last week
19:59 < warren> gmaxwell: mtgox apparently still intends to trade LTC and NMC, just a question of when... I'm guessing their legal trouble is slowing things down.
19:59 < warren> gmaxwell: weexchange allows LTC withdrawal to USD in an indirect way
20:00 < warren> weexchange <=> bitfunder LTC
--- Log closed Mon May 27 00:00:37 2013
--- Log opened Mon May 27 00:00:37 2013
--- Log closed Tue May 28 00:00:40 2013
--- Log opened Tue May 28 00:00:40 2013
00:28 < weex> gmaxwell: bitfinex will do wires and just added LTC
21:35 < midnightmagic> warren: OKPay was killed from btc-e, or OKPay was killed in general? The website's still up.
21:36 < warren> midnightmagic: why are you asking me, as if I know anything about this?
21:38 < midnightmagic> warren: because you're the one that said so? "16:58 < warren> gmaxwell: apparently the last method (OKPay) was killed in the last week"
21:39 < warren> midnightmagic: oh.  it seems they are stopping dealing with bitcoin in general.  they stopped with mtgox too.
21:39 < midnightmagic> Ah.
22:02 < Luke-Jr> OKPay blocked MtGox too I hear
--- Log closed Wed May 29 00:00:43 2013
--- Log opened Wed May 29 00:00:43 2013
09:54 < jgarzik> midnightmagic, yeah, OKPay dropped bitcoin in general
09:54 < jgarzik> Definitely a wave of [expected] enforcement actions
10:00 < petertodd> Personally I'm really curious to see if they go after localbitcoins and bitcoin-otc in any way.
10:06 < jgarzik> petertodd, They took down exchangezone.com, which was surprisingly similar
10:07 < jgarzik> exchangezone.com did do some holding of funds, though, IIRC, so not quite the same target.
10:07 < petertodd> localbitcoins holds fund
10:08 < petertodd> they have a SMS escrow-like service where you SMS to release the funds to the receiver so you don't have to wait for confirmations
10:08 < jgarzik> petertodd, veeerrryyyy interesting
10:09 < petertodd> and they operate in a 139 countries, so guaranteed they break the law somewhere
10:10 < petertodd> hosted in germany FWIW
10:52 < jgarzik> petertodd, yeah I figured that.  Though I thought it was hosted in Finland.
10:52 < jgarzik> I think a Finn runs it
10:58 < petertodd> Figures. Same ISP as easywallet
10:59 < petertodd> Be interesting to see how the foundations lobbying plans go.
10:59 < petertodd> Patrick Murck seemed pretty reasonable at the conf.
11:02 < jgarzik> petertodd, I am strongly in favor of lobbying.  Too many people confuse lobbying with regulation.  If there are anti-bitcoin forces in government, I'm all for -- for those who wish to fund it -- there being pro-bitcoin forces opposing them.
11:03 < jgarzik> There seems little danger IMO of lobbying making life worse for bitcoin.  There will never be a wonderful, regulation-free life that crypto-anarchists want, but maybe it can be made less bad.
11:04 < jgarzik> I'm happy with the nature of bitcoin, and by its nature it cannot really be outlawed.
11:04 < jgarzik> I do agree w/ Adam B that a regulatory regime is quite possible, targeting c.f. mining pools
11:04 < BlueMatt> the internet (tm) in general needs more lobbying
11:04 < petertodd> Agreed. As Patrick said, you almost certainly can't get unregulated exchanges, but you may be able to reduce or eliminate regulation on virtual currency transactions, and in any case you can't make it worse.
11:04 < BlueMatt> but bitcoin too
11:05 < petertodd> Even when you are doing things that are made illegal by regulation, just having the lobbying there to make them easier, and/or reduce penalties to something sane, is a big win.
11:05 < jgarzik> I do fear the day when a court order requires a bitcoin operator to refuse spends of bitcoin 0x1234
11:06 < jgarzik> mtgox already does this a bit
11:06 < jgarzik> agreed
11:06 < petertodd> Same, and I think it's worth it to get as much technical inertia as possible behind anonymity and privacy within the protocol as soon as possible to make implementing those regulations disruptive.
11:07 < petertodd> That's why we really, really don't want to be in a situation where the code is already there, AKA blacklists of any sort.
11:08 < petertodd> Too bad the math for an efficient zerocoin doesn't exist yet...
11:09 < jgarzik> Part of staving off regulators is inertia in general:  if it can be shown that bitcoin is "mostly criminals", then they can effectively argue it should be made illegal generally.  You see a lot of text like that in current Liberty Reserve warrants and press releases.  Copyright is a similar standard: there must be "substantial non-infringing uses."
11:09 < jgarzik> Thus, getting "regular users" on board is critical
11:10 < jgarzik> Criminal use is inevitable, just like with the US Dollar.  The challenge is non-criminal use :)
11:10 < jgarzik> Technically, with a court order, I fear a US/non-US fork :(
11:10 < petertodd> Well, non-criminal use worries me... Bitcoin isn't a great payments system for a lot of reasons, and I firmly think that we'll see more stuff like Mintchip made to combat it in that arena.
11:11 < petertodd> Granted, Bitcoin does have a very legit use unrelated to that: investing in an asset class totally different from any other. But even that can be portrayed badly.
11:11 < jgarzik> I think it's fine for value transfers, where you can wait for the confirmations.  If you cannot wait the requisite amount of time, ideally, you should be using a companion payment network.
11:12 < BlueMatt> jgarzik: spv clients :p
that settles on the main bitcoin network
11:12 < jgarzik> BitPay is interested in "payment channels", I wonder if they would get behind an effort to run off-chain payment networks
11:12 < petertodd> Sure, but it's a whole new currency, and this and that and... if the Canadian Mint was smart they'd promote Mintchip heavily internationally. After all, it's more private than Bitcoin, mostly.
11:13 < jgarzik> heh, a lot of the Liberty Reserve press and comments were also pointing out that LR was "more private and anonymous than bitcoin"
11:13 < BlueMatt> jgarzik: let me point you to https://en.bitcoin.it/wiki/Contracts#Example_7:_Rapidly-adjusted_.28micro.29payments_to_a_pre-determined_party
11:13 < BlueMatt> "Mike Hearn is working on an implementation of this protocol in bitcoinj. Please contact him for more information."
11:14 < jgarzik> BlueMatt, nod, though that's dependent upon nLockTime AFAICT
11:14 < BlueMatt> no
11:14 < BlueMatt> it depends on nLockTime being non-standard now (with some ability to function if it becomes standard)
11:17 < Luke-Jr> nLockTime isn't non-standard.. just if it hasn't passed
11:17 < BlueMatt> sorry, it depends on that, not all of it being nonstd
11:18 < petertodd> jgarzik: I really hope someone does that. I'm totally ok with it being a closed paypal-like system - there's always room for alternatives
11:18 < petertodd> jgarzik: ha, yeah, compared to having all your pseudonyms on the blockchain
11:19 < petertodd> BlueMatt: jeremy spilman came up with a better protocol that doesn't need nLockTime
11:20 < petertodd> jgarzik: Ideally you'd start with an open-protocol, where users/merchants/etc can choose what keypairs they trust, and then build upon that.
11:20 < BlueMatt> petertodd: not 100% sure, just skimmed that mail, but I think the new one on the wiki is the same
11:20 < BlueMatt> petertodd: and (again) it depends on nLockTime being nonstandard up to lock time
21:09 < adam3us> petertodd: not obviously, but maybe i am speaking
21:10 < petertodd> hmm... maybe actually a router could work, in the sense that you might not know what incomprehensible data packet sent to your peers was garbage padding vs. the real data
21:10 < adam3us> petertodd: i was thinking eg an instance generator that results in a FHE program running that knows its own keys and is bound to the program hash that is publicly verifiable like provably fairly generated
21:11 < petertodd> sure
21:12 < petertodd> I'm saying, imagine a model where we have some FHE program, that accepts packets from a set of peers (who sign all their packets) now the FHE program takes those packets, does some hidden computation, and gives a set of new data to send out again. You can't tell if the data is padding or messages, or if what came in was padding or messages.
21:12 < adam3us> petertodd: seems like it can potentially match TPM but purely virtually
21:12 < petertodd> Exactly. Now I don't think this will work if every peer in the system is compromised, but it could be useful if only a subset are.
21:13 < adam3us> but if the instance generator works, you can encrypt msgs for it and only an instance of the verifiably fairly generated tor mix program could decrypt the data and sign the result
21:13 < adam3us> like virtual remote attestation
21:14 < petertodd> yup
21:14 < adam3us> i am suspecting such things may be logically possible, but just to do anything basic is so ridiculously inefficient that people don't look at it much
21:15 < adam3us> mike hearn gave a ref to some recent eprint fhe but its so hard to decipher what the actual perf is
21:16 < adam3us> they need a benchmark like decrypt one AES block
21:16 < adam3us> if it takes a week on a supercomputer we know to come back in a few years and look what they've optimized
21:16 < petertodd> huh
21:17 < petertodd> yeah, I can't claim to know too much about that stuff
21:17 < adam3us> its just to say, for it to be interesting to go read their stuff in detail, you want to know when they say "more efficient blah blah than x" what we're talking about
21:18 < adam3us> 1GB FHE keys and weeks per AES encryption
21:18 < adam3us> it's all done at a public key operation per individual AND or OR gate
21:18 < adam3us> that you have to build a virtual cpu out of
21:18 < adam3us> so it's horrendous
21:18 < petertodd> yup
21:33 < adam3us> the other problem with FHE is because it's software it can be snapshotted and rolled back and have its network inputs replayed
21:33 < adam3us> like a vm
22:26 < jrmithdobbs> gmaxwell: i'm so annoyed by the haskell documentation ... all of it by anyone basically ;p
22:26 < jrmithdobbs> it's all so academia focused
22:26 < gmaxwell> adam3us: there are some more FHE results claiming much higher performance. (e.g. an AES block in like two seconds)
22:27  * gmaxwell reads backwards
22:29 < gmaxwell> petertodd: yea, codecs I work on are technically munitions, but the ITAR regulations are effectively dead letters for free software in the US thanks to DJB.
22:29 < gmaxwell> (codecs which can code speech at or under 2400 bps are scheduled)
23:28 < realazthat> speaking of SCIP
23:28 < realazthat> I'm writing an interpreter/assembler/disassembler
23:28 < realazthat> for tinyram
23:29 < realazthat> then hopefully completing the backend
23:29 < realazthat> (I highlight "SCIP" :P)
23:36 < gmaxwell> realazthat: are your tools working yet? :P
23:37 < realazthat> the interpreter is working-ish
23:37 < realazthat> there are no doubt some bugs left, they should be usable in less than a week
23:37 < realazthat> same with the assembler
23:37 < realazthat> I haven't done the disassembler yet
23:38 < realazthat> I have to speak to Eran Tromer to work out some ambiguities I have
23:38 < realazthat> and get some test files
23:38 < realazthat> arithmetic works
23:39 < realazthat> I'll put it all on github
23:39 < realazthat> the LLVM backend is still stalled though
23:39 < realazthat> because it is huge infrastructure
23:40 < gmaxwell> I want to do a SIN-blinder at some point...
23:40 < realazthat> what's that?
23:41 < realazthat> something zero-knowledge?
23:42 < gmaxwell> SIN is the bitcoin passports stuff. E.g. provably throw away bitcoins and then use the proof as an expensive "identity" to get access to stuff (and if you spam your identity gets blacklisted)
23:42 < gmaxwell> The problem with SIN is that you end up giving a linkable identity to the services you use, plus they learn something about your finances by looking at the coin history.
23:42 < realazthat> ah and SCIP can help with that I assume
23:43 < gmaxwell> So the idea is that you run the SIN verification in zero-knowledge and emit a unique ID which is just the hash of a signature of the service name.
23:43 < realazthat> and you want to see if you can write up the assembly for it
23:43 < realazthat> awesome heh
23:43 < gmaxwell> So the service learns that you have a valid sin, and they get a unique ID for their service that they can blacklist. but they don't learn which sin is yours, and two sites can't correlate their users.
23:44 < realazthat> cool
23:44 < realazthat> actually I had an idea similar to SIN
23:44 < realazthat> but not distributed
23:44 < realazthat> centralized
23:45 < realazthat> I thought that a major problem of FOSS games is that there is little to lose by hacking/spamming
23:45 < gmaxwell> it's also somewhat important to do this now when the SIN idea is not widely deployed... because you want your sins to be constructed in a way that their proof is as cheap as possible to turn into a ZKP.
23:45 < realazthat> the to-pay games have this advantage; so it would be nice for a service to take a deposit and identify ppl, so they are "perma banned"
23:45 < realazthat> but this is similar
23:46 < realazthat> anyway, I can make code available as early as tomorrow, but it would be buggy
23:46 < realazthat> ie. I am not *certain* it implements tinyram
23:47 < realazthat> because I haven't tested it on *real* tinyram
23:47 < realazthat> just what I gleaned from the spec
23:47 < realazthat> and there are several things I am not 100% sure about/found ambiguous
23:48 < realazthat> I'll let you know when there is something usable
23:48 < realazthat> I started this last week
23:48 < realazthat> after speaking to Eli and Eran
23:49 < gmaxwell> yea, I'm not in a super big rush, but I want to do it eventually. I'd like to drive to some of this technology being usable for something in actual practice, I think sin blinding may be a good early application.
23:50 < realazthat> sure
23:50 < realazthat> mmm I should ask them about their tinyram tools, how ready they are
23:50 < realazthat> I mean the proof generator etc.
--- Log closed Mon Oct 28 00:00:51 2013
--- Log opened Mon Oct 28 00:00:51 2013
05:35 < gmaxwell> petertodd: got any more transactions in dust-b-gone?
06:39 < TD> this channel grew quite a bit since I last saw it
08:56 < petertodd> gmaxwell: nope
12:00 < amiller> realazthat, not to distract you but consider looking at pantry too
12:01 < amiller> realazthat, it's a competitor of tinyram basically that was just opensourced https://github.com/srinathtv/pantry/
12:02 < amiller> http://eprint.iacr.org/2013/356.pdf
12:02 < TD> is tinyram even going to be open sourced? i thought it was, but that doesn't seem to be happening ....
12:03 < TD> ah i think i remember this paper
12:03 < TD> this is not quite a tinyram competitor
12:04 < TD> like most of these setups, it has to fully unroll all loops, can't do pointers and so on
12:04 < TD> calling it a "subset of C" is being generous
12:04 < amiller> that's true of all of them tinyram included
12:06 < amiller> there's probably a way around that, even, applicable to all of the above, it's just that no one knows how to make the security proofs work out in theory for unbounded computation
12:06 < TD> no, i am pretty sure the point of tinyram is it emulates a real CPU. the size of a loop can depend on the input to the program
12:06 < TD> whereas that is not true in pantry
12:07 < TD> obviously the computation still has to be bounded, but the program itself doesn't have to be fully unrolled ahead of time
12:11 < amiller> i'm like 95% positive you have to provide a bound on the number of steps at compile time
12:12 < TD> yes. you have to tell it how many steps to simulate when running the program (upper bound), BUT the program does not require all loop iterations to be constant. the program can terminate early, too. i think :)
12:12 < TD> basically what tinyram runs is much closer to "real" programs
12:13 < TD> you can also use pointers
12:16 < amiller> you can use pointers in pinocchio and pantry
12:16 < amiller> you can't malloc in any of them
12:16 < amiller> i know that pinocchio/pantry require each internal loop to be unrolled to some bound so that might be a significant benefit to tinyram
12:19 < TD> "pointers must be compile time constants"
12:20 < TD> that's a pretty tight constraint on the notion of a pointer
12:20 < TD> so far AFAICT tinyram is probably the easiest for mere mortals to work with. also AFAIK tinyram can be an entirely offline system, pantry seems to be online-only. that said, actually being available is a pretty big notch in pantry's favour
12:24 < amiller> shit, you're right, pantry is interactive (and single user) only
12:25 < gmaxwell> Why do you say it's interactive? that implementation is full of crazy stuff, but AFAIK it was using the same ZKP as pinocchio, the pairing crypto one.
12:26 < gmaxwell> TD: they'd made sounds that it would be open sourced, but they haven't done so yet. I haven't personally nagged about it because I just don't have the free cycles to do anything really cool with it myself.
12:26 < TD> yeah, same
12:27 < TD> why interactive - just a guess based on figure 1 of their paper. you may be right that it's not really a requirement, but the whole setup of their paper is very strongly client/server oriented
00:06 < gmaxwell> zooko: I proposed it back at the time. I suggested they premine 200,000 coins and then sell them at a fixed rate of $1 and use the funds to buy the tld.
00:06 < gmaxwell> zooko: that's a neat idea. prevent the idiot registrations of google.bit / nike.bit / coke.bit that were sure to cause trouble.
00:06 < zooko> gmaxwell: great! Do you have a job? I'll tell any VCs that ask me that they should invest $10M in your name system.
00:07 < zooko> gmaxwell: yeah, get more people on your side from the start.
00:07 < zooko> You don'
00:07 < zooko> t need to extract money from those people right at the start...
00:08 < gmaxwell> hah! I do, and you'll drag it out of my cold dead hands. :P  But yea, seems "obviously smart" to me to focus on the legacy tie in. People can install the secure resolvers later.
00:08 < zooko> What's your job?
00:08 < gmaxwell> and yea, great idea to discourage the squatting.
00:10 < gmaxwell> zooko: mozilla pays me to do research and development of next generation multimedia format stuff (I'm one of the developers of Ogg, for example). And if I didn't have a job I'd just still be doing that.  I still have like another whole billion dollar codec rent seeking industry to defeat before I can put full attention to dismantling the billion dollar name rent seeking industry and the trillion dollar banking rent seeking industry.
00:12 < zooko> gmaxwell: oh yeah, I remember you helped me compile opusdec. :-)
00:12 < zooko> Mozilla is awesome.
00:12 < zooko> But, you kind of sound like me. Too loyal.
00:13 < zooko> I was just trying to come up with a justification for myself of why I'm banging away at this secure storage company and not launching a secure distributed name company.
00:14 < gmaxwell> I'm fortunate enough that I can afford to be!  I think storage is a far more interesting problem. Naming is mostly interesting by historical accident I think.
00:14 < zooko> I mean, did you just say you had to finish doing X before doing Y and Z, where Z was worth 1000* as much as X?
00:14 < zooko> Well, that's a good point.
00:14 < zooko> I really wish people would stop using names where pointers would suffice.
00:14 < gmaxwell> have to multiply by the chance of success. :P
00:15 < gmaxwell> yea, I believe (but have no data) that most domain name usage is following links.. uh. you have an 'authoritative' source for where the link should take you already!
00:15 < gmaxwell> er, well not 'where' but 'to whom'
00:15 < zooko> Yeah, for sure.
00:16 < zooko> I was afraid that the Bitcoin payment protocol was adding a layer of insecurity to Bitcoin.
00:16 < zooko> I'm still half afraid of that.
00:16 < zooko> Certainly the way Gavin and others talk about it is confused in a way that would lead to that.
00:16 < zooko> But, there is an actual use for the names in there that I can't think of a better solution for.
00:17 < gmaxwell> I think it's just making a layer of insecurity that already exists a little more visible.  Where did you get that bitcoin address that you want to pay to.  But also removing some insecurity: the payment protocol implementation will not let you override a certificate failure with a dialog.
00:17 < zooko> Eh, I think that is somewhat confused.
00:17  * gmaxwell will discuss later, I have to run.
00:17 < zooko> But somewhat right.
00:17 < zooko> Bye!
00:19 < warren> sipa: coblee is granting you access to our private github
02:26 < warren> gmaxwell: well, the next litecoin release will be a lot more conservative in changes than I wanted.  Just proving they can handle a rebase without breaking things might be a good first step for them.
10:18 < realazthat> gmaxwell: hi, is there any new material on Ben-Sasson's work?
17:03 < warren> sipa: want a pull request for secp256k1 gitian changes?
17:04 < warren> although I'm not certain of the best way to include secp256k1 as an input
17:04 < gmaxwell> realazthat: not yet, I'm really busy this week and next, so I haven't asked him for anything yet.
17:05 < gmaxwell> (next week I'm hosting a coding party to bring in a bunch of additional people on the video codec project I work on)
17:06 < realazthat> ah thats cool
17:06 < realazthat> if you hear anything, I'd appreciate a highlight in here, if you remember
17:07 < gmaxwell> set a highlight on SCIP and I'll probably mention that while blabbering about it in here. :)
17:07 < realazthat> lol, done
--- Log closed Thu May 23 00:00:16 2013
--- Log opened Thu May 23 00:00:16 2013
02:40 < warren> hmm
02:40 < warren> <sipa> [14:56:02] when comparing a new block to the best chain, consider it better if the work is equal but smaller
02:41 < warren> sipa: wouldn't this encourage zero tx blocks?
18:59 < warren> gmaxwell: btw, http://download1.rpmfusion.org/~warren/openssl/  I fixed it for Fedora 18.
19:00 < gmaxwell> warren: What did you need to do?
19:00 < gmaxwell> ah, I see the patch
19:00 < warren> let me know if you want it for Fedora 19
19:01 < gmaxwell> I'm confused as to why you'd need to do that.
19:01 < warren> The FIPS patches assume they didn't have to twiddle things for ecdsa like they do for the other algs since they don't ship ecdsa.
19:02 < gmaxwell> so why not drop out the fips patches instead?
19:02 < warren> other things blew up
19:02 < gmaxwell> Ah.
19:02 < warren> jgarzik tried all this earlier
19:03 < warren> it works to remove *all* the patches, but then I'd have to rebase the security patches, so I instead figured out how to go forward instead of remove
19:03 < gmaxwell> I suppose ideally the fips patch would get finished to work ... and get redhat to maintain it. :P
19:04 < sipa> warren: any progress on isolating a key that secp256k1-litecoin considers invalid?
19:04 < warren> sipa: not yet.  I'm trying to figure out why bitcoind/litecoind gets stuck during shutdown.
19:05 < sipa> hmm
19:05 < warren> sipa: Looping "Flushed 12035 addresses to peers.dat  38ms" messages forever after *coin-qt is told to Exit. kill -9 required.
19:05 < sipa> something is blocking cs_main
19:05 < warren> any suggestions of debug stuff to add?
19:05 < sipa> addrman functions without cs_main, so continues to dump peers to disk
19:05 < warren> I can reproduce this pretty easily
19:06 < sipa> attach a gdb and see which thread is doing what?
19:06 < warren> gdb attach and bt at that moment, or do you need all threads?
19:06 < sipa> all threads
19:07 < warren> ok
19:07 < sipa> it's likely another thread holding the cs_main lock
19:09 < warren> Let me rebuild rc2 plus pull/2688 before I do this.
19:14 < warren> sipa: I guess I'll work on isolating the key for secp256k1 now, as gmaxwell alluded to known shutdown hangs in rc2
19:16 < sipa> something like: FILE *file=fopen("/tmp/offending.key", "w"); fwrite(&privkey[0], privkey.size(), 1, file); fclose(file);
19:17 < sipa> i've used that before in walletdb.cpp, near the code that reports the corrupted CPrivkey
19:17 < warren> what format should "/tmp/offending.key" be?
19:17 < sipa> the code above will just do a binary dump of the key
19:17 < sipa> that's more than good enough
19:18 < warren> ahhhh
19:18 < warren> thanks
19:23 < sipa> gmaxwell: something i noticed when disabling free relay limiting and dust limiting, and adding mempool requests to all peer connections: my memory usage instantly went up to >800 MiB
19:23 < sipa> gmaxwell: while usually it doesn't go over 500
19:24 < warren> sipa: where in the code is "disable free relay limiting"?  I'd like to test that here.
19:24 < gmaxwell> This sounds bad. In particular, I assume you were only ending up with 6k transactions in pool or so.
19:24 < sipa> gmaxwell: indeed, it means an overhead of 50 KiB per tx or so
19:25 < sipa> though i expect some txn have a huge impact compared to others
19:25 < gmaxwell> sure but the txn can't be >100k unless you disabled that check too.
19:25 < sipa> in-memory size of transactions can be a nice multiple of the serialized size
19:26 < sipa> something like 4x or 5x is not impossible
19:27 < gmaxwell> Right, but that sounds like a lot more than the overhead estimations you came up with before.
19:27 < sipa> i should combine that experiment with the memory-usage-estimation code i wrote before
19:28 < sipa> and see how much of the observed heap size i can account for
19:29 < gmaxwell> at some point we should probably make it possible to spill the mempool to disk... I was kinda hoping to prolong that though.
19:29 < sipa> it may make sense to have a more custom allocation for transactions
19:30 < gmaxwell> sipa: could have code that parses the serialized transaction and returns an exact size for a static allocation for it.
19:58 < warren> wtf.  my old wallet is no longer crashing secp256k1
19:58  * warren rebuilds clean to be sure this isn't openssl
20:16 < warren> gmaxwell: after this openssl fix, jgarzik said he'd switch back to fedora after he figures out his EFI boot problem.  I suggested he should chain load from the ubuntu bootloader. =)
21:18 < warren> hmm... my new secp256k1 builds are missing secp256k1 symbols
21:33 < warren> sipa: how do I ensure my build is using secp256k1?
21:33 < sipa> ?
21:33 < sipa> which symbols are missing?
21:34 < warren> I'm having trouble reproducing the problem at all, and I suspect it's actually using openssl now (after I fixed fedora openssl to have ecdsa)
21:34 < gmaxwell> warren: break the secp256k1 code
21:34 < gmaxwell> e.g. stick an _exit(1); in the signature validation or something and see if you die.
21:35 < warren> hmm, I could just remove openssl-devel
21:49 < warren> oops.  i forgot I can't actually remove openssl.
23:07 < warren> sorry back now
23:17 < warren> AH FUCK
23:17 < warren> sipa: gmaxwell: ccache somehow got it wrong.
23:19 < realazthat> hash collision :P
23:19 < realazthat> jk
23:19 < warren> sipa: I have a dump of the key that secp256k1 didn't like.  how do I decode it to figure out which one it is?
23:20 < sipa> if you don't mind giving it to me, i'd like to have a look
17:05 < petertodd> In that circumstance you're wasting a lot of bytes paying multiple miners at once.
17:05 < petertodd> Besides, as I say what you really want is the fees to be collected far into the future.
17:07 < adam3us> well its true that you have multiple outputs, though I suppose you could compact that by having the payment automatically go to the mining winners keys from the designated time period
17:07 < petertodd> Automatically is no good because it makes miner fraud proof protocols incredibly complex and bulky.
17:08 < adam3us> if you want it to apply in the future, make it a future time period
17:08 < petertodd> ?
17:09 < adam3us> so as I said compact payment by saying the sacrifice amount goes to the miners in proportion to their power measured in a historic time interval (last month)
17:10 < petertodd> Your compact payment assumes a lot of very non-compact code and extra state in the UTXO set.
17:10 < adam3us> if you want to delay that so they have to fight for power in the future say miners get their reward 3months in the future based on the average starting 30 days from 3months ahead, same basic idea
17:10 < petertodd> But again, there really isn't any compelling reason to do any of this stuff.
17:12 < adam3us> well the reason i suggested it is it seemed slightly simpler than the other proposal
17:13 < petertodd> How is it simpler?
17:14 < adam3us> so as i recall your proposal was something like to time-lock sacrifice payment and then reveal that later, this approach does not need two stage, nor commitments
17:15 < adam3us> this approach is mostly a calculation on existing information; though I dare say complicating validation is generally not a good thing
17:16 < petertodd> Yeah, we're not going to change validation for this. At best we might decide to make it possible to lock a txout for a given amount of time, but that can be done with a new opcode as a soft-fork.
17:17 < petertodd> Honestly, IMO all this talk about sacrifices via mining fees is probably the wrong approach, just sacrifice to unspendable outputs and be done with it until it's possible to lock an anyone-can-spend for n blocks.
17:18 < adam3us> i agree making coins unspendable is more reliable, and actually is indirectly a gift to everyone I think.
17:18 < adam3us> it creates a little bit of deflation, I was thinking
17:18 < petertodd> Yup
17:19 < petertodd> If Bitcoin sacrifices become something a lot of people do it's then worth it to make those sacrifices into mining fees, but otherwise why bother?
17:19 < adam3us> so they are not actually destroyed (which feels bad to people somehow) it may not be bad
17:19 < adam3us> doesnt it just transfer money to everyone via deflation, in the presence of the same demand, after all
17:20 < adam3us> even at non-negligible scale
17:21 < petertodd> We need more ways to direct funds to miners sure, but if very few sacrifices are being made just destroying the coins isn't much of a loss.
17:22 < petertodd> Bit of a PR issue with some people who don't understand how divisible Bitcoins are...
17:25 < adam3us> (yes) i was thinking recently of another idea, that maybe there could be a bit of non-validated mining, the network could tolerate that
17:25 < petertodd> x% of non-validated mining turns a 51% attack into a 51-x% attack...
17:25 < petertodd> Nothing more to it than that.
17:26 < adam3us> say eg whenever you make a payment you can do a bit of mining on the transaction
17:26 < adam3us> this is true
17:26 < petertodd> Right, you're talking about my powpay thing...
17:26 < adam3us> the advantage is i can do that with my GPU in smaller amounts than a block
17:26 < adam3us>  without being a full node
17:27 < petertodd> The thing is Bitcoin doesn't really have much use for separate PoW schemes because we already have transferable PoW in the form of fees and coin age.
17:28 < adam3us> well my interest was direct mining, to create fees.  direct mined coins are more private, and they could be used for the committed coin idea i was talking about back some weeks ago
17:29 < adam3us> fees are quite small so it would not have to be a big %
17:29 < petertodd> You quickly run into the problem that the difference in profit between ASICs and anything else is huge.
17:30 < petertodd> So huge even doing a bit of mining to earn some fees doesn't make all that much sense.
17:32 < adam3us> yep i expect presently asic will be so fast gpu wont recover electricity, however with small fees it might still be nice to direct mine fees for privacy
17:32 < petertodd> I think you'd be better off implementing trust-free mixing and/or fidelity bonded chaum banks frankly.
17:33 < petertodd> Solving the privacy problem more generally would be very good.
17:37 < adam3us> yes well zerocoin is supposedly coming out soon, however i think its quite inefficient
17:38 < petertodd> zerocoin is brute force rather than elegance
17:39 < adam3us> you could make a zerocoin only network - they only did the exchange with bc to zc and vice versa as an integration method, but that doesnt affect the efficiency
17:39 < petertodd> Yeah, and with zc->bc exchanges it creates a very profitable 51% attack target.
--- Log closed Fri Jul 05 00:00:13 2013
--- Log opened Fri Jul 05 00:00:13 2013
09:24 < adam3us> see any limitations preventing a zerocoin only alt-coin and either-or mining and p2p exchange-less trading of zerocoin for bitcoin ? https://bitcointalk.org/index.php?topic=175156.msg2660475#msg2660475
--- Log closed Fri Jul 05 12:41:40 2013
--- Log opened Fri Jul 05 12:42:36 2013
12:42 !pratchett.freenode.net [freenode-info] if you're at a conference and other people are having trouble connecting, please mention it to staff: http://freenode.net/faq.shtml#gettinghelp
14:32 < amiller_> what is this p2p exchange-less trading concept
14:32 < amiller_> why does anyone think that works?
14:33 < amiller_> TD says "The chain-trade algorithm can be integrated to make trading bitcoins for altcoins easy and decentralised." and that's nuts
14:41 < adam3us> i am not 100% convinced the various proposals work, but there is quite a bit in wiki about crypto fair (atomic) exchanges
14:41 < adam3us> so agree a price and do a fair exchange for a coin on one chain for coins on another
14:50 < amiller_> that's nowhere near sufficient, there's race conditions between two chains that aren't at all addressed by the crypto fair exchange
14:50 < amiller_> also the efficient fair exchange algorithms rely on a central third party judge which is not really an option
14:59 < amiller_> still i think it's possible just it's more complicated than anyone seems willing to talk about
14:59 < amiller_> the solution is to have each chain be able to validate work in the other chain
15:00 < gmaxwell> "Hi, we've solve the problem of your scheme needing insanely long signatures by adding an altchain we can bind to using insanely long signatures"
15:01 < gmaxwell> er solved*
15:02 < amiller_> basically the transaction on chain A is canceled if chain A appears to pull ahead of chain B by some number of blocks
15:06 < amiller_> so it's possible for the transaction to be completed on B but canceled on A, but only if A is put under attack
15:07 < amiller_> so in other words it's exactly as hard to steal someone's coins by exploiting race conditions in an exchange as it would be to doublespend them directly
15:13 < amiller_> this is basically what sergio demian-lerner proposed, he called it P2PTradeX https://bitcointalk.org/index.php?topic=91843
--- Log closed Sat Jul 06 00:00:14 2013
--- Log opened Sat Jul 06 00:00:14 2013
--- Log closed Sun Jul 07 00:00:16 2013
--- Log opened Sun Jul 07 00:00:16 2013
--- Log closed Mon Jul 08 00:00:19 2013
--- Log opened Mon Jul 08 00:00:19 2013
13:44 < jgarzik> petertodd, definitely leaning towards Type 1 (sacrifice announce/commit) and Type 2 (optional single-tx timestamping) SINs.  The latter are essentially disposable SINs.
13:45 < jgarzik> Type 1 sacrifice buys your way onto the identity alt-chain
13:46 < petertodd> Well if you want to sacrifice to mining fees there just aren't any other options right now.
13:47 < petertodd> (unless you want to involve miners and do coinbase txout, inconvenient)
13:49 < jgarzik> petertodd, nod
13:49 < jgarzik> petertodd, Just noting there will be a sacrifice-free SIN, in addition to current
13:50 < jgarzik> petertodd, call it permanent or disposable SINs.  Your disposable SIN might be used on one website only, optionally linking back to the permanent SIN if you desire to digitally sign that fact.
13:51 < petertodd> Does a sacrifice-free SIN really need to be timestamped as a transaction directly?
13:54 < jgarzik> petertodd, Need?  No.  Hence "optional".  There might be some value in proving a SIN did not exist before X date.
13:54 < jgarzik> petertodd, a disposable SIN could be created entirely privately, a la a bitcoin address
13:54 < jgarzik> with no network activity
13:55 < petertodd> Thinking the SIN could be timestamped by a merkle-path to a block header.
13:55 < petertodd> I'd suggest separating the idea of the sacrifice and timestamp conceptually, and making both simply be "by whatever means"
13:56 < jgarzik> petertodd, whatever provably means
13:57 < petertodd> Sure, point it, in the software have a master key, have a proof of sacrifice for that bit of data, and have a proof of timestamp. Often the two will actually use the same data, not always though.
13:57 < jgarzik> petertodd, Partially agreed, though:  the point of the specification was to take the theory of decentralized identity and turn it into something people could reasonable implement and interoperate with.  Practical levels of interoperation, out of the box, means some details will be defined quite specifically by default (like method of timestamping, which chain shall be used for timestamping)
13:57 < petertodd> ...and nothing wrong with more than one sacrifice attached
13:57 < jgarzik> agreed
14:42 <@gmaxwell> (obviously the senders have already updated or they couldn't be doing schnorr signing)
14:42 < petertodd> yeah, then add that to the standard on day 1
14:43 <@gmaxwell> I guess then you just need benchmarks to see how much life would suck for a receiver that has to test every pubkey that shows up in a block.
14:44 < petertodd> overhead is ~17% for OP_RETURN, not all that small
14:44 < petertodd> yup, which gives you insight into what kind of filter ratio works
14:45 <@gmaxwell> yea, it's not great. but it's no worse than any multisig suggestion. (actually better).. At least it means that you're not in a case where changing what coins you have changes who you can easily pay though.
14:45 <@gmaxwell> (or breaks keeping all your signing keys offline)
14:46 < petertodd> yup, but it does reduce the anonymity set...
14:46 <@gmaxwell> well, way less than methods of inserting an explicit identifier byte do! :P  but it's only an option.
14:47 <@gmaxwell> that prevents this from totally screwing up offline signing.
14:47 <@gmaxwell> and from giving us a secp256k1 suicide pact.
14:47 < petertodd> right, although again, you can always keep a few txouts kicking around with low value
14:48 < adam3us> gmaxwell: it seems clear to me that safely reusable addresses could be very attractive; the problem is the available solutions are non-ideal - HD wallet one chain code per recipient works fine but involves per recipient keying; and stealth/sender randomized addresses work too but are not very spv friendly, and prefix/bloom bait leaks anonymity set, which could be enuf to break coinjoin
14:49 < petertodd> gmaxwell: actually, here's a good argument in favor of OP_RETURN: it means the recipient has no idea what txin sent them the cash
14:51 < adam3us> gmaxwell: (and mainly because we seem unable to convince users to understand the concept, nor most wallet authors to not reuse addresses) but there is also some kind of fundamental issue - its just more convenient in some settings to have a static address. eg you might recognize this one 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB
14:52 < petertodd> adam3us: indeed, all-in-all just making sure users know there's this thing called a "stealth address" and it means all payments are more private is a huge win
14:53 < adam3us> gmaxwell, petertodd: we just need a better method to do it, the requirement is good, the solutions all suffer limitations
14:54 < petertodd> adam3us: like I said above, at the hackathon we originally wanted to do this with just a messaging channel, but I convinced everyone there that anything that was less reliable than the blockchain would be unacceptable and lead to horror stories
14:54 < adam3us> petertodd: well if it could be solved resoundingly in an spv friendly way, we could retire spv, and have static account numbers that are sender randomized in an efficient and privacy preserving way to lite clients and the world would be good.
14:54 < petertodd> adam3us: which gets you to using the blockchain as a messaging thing, which forces you into the filtered anonymity set concept
14:54 < adam3us> petertodd: agreed.  anything short of encrypting the info in the same bitstring as the payment is going to lead to brittleness and disaster stories
14:55 < petertodd> adam3us: right, and per-sender accounts - the bip32 solution - have serious UI issues due to their bidirectional nature. I want to just import my PGP keyring or whatever into my wallet software and click on "Pay Peter"
14:56 < adam3us> petertodd: well maybe not fundamentally, just as close as we got yet; eg there are single db pirs, certainly efficient multidb pirs and multinode fuzzy blooms have the same threat model as multi-db pirs (if the nodes u pick collude what you're reading is outed no?)
14:56 < petertodd> adam3us: *that* was the problem we were trying to solve, for an offline recipient
14:56 < adam3us> petertodd: yes.  i reckon all present understand the nice requirement.  problem is its real hard to solve.
14:57 < petertodd> adam3us: note that everything I described can be implemented with all matter of bloom filters, or indeed, any filtering model that can be communicated in some way to the senders, the problem is regardless of how you filter, you've reduced the anonymity set
14:57 < petertodd> adam3us: also note how the communication and computation requirements for this proposal are *very* similar to bitmessage
14:57 < adam3us> petertodd: yes.  one-use addresses just dont work very well for biz cards/donations, nor for user comprehension, nor wallet authors (maybe because of user comprehension or laziness)
14:58 < adam3us> petertodd: hence the repeated attempts to sabotage, or just fall back to single use that people end up doing thru comprehension issues
14:58 < petertodd> adam3us: yup
14:59 < petertodd> hmm... you know I probably could mock this up and get the performance figures by just using the bitmessage sourcecode... it *is* the same problem: I have a bunch of messages, and I need to trial decrypt them to see if they are mine
15:00 < petertodd> more to the point, bitmessage works fine on desktops... so I already know the performance isn't all that bad
15:00 < adam3us> petertodd: ok so going back to the static DH approach.  if x=H(eP)=H(eQ) and x is the chain code for an HD wallet.  isnt that good?  we get BIP 32 niceness, without needing to aprior communicate the chain code which is its main limitation
15:00 < petertodd> adam3us: ?
15:01 < adam3us> petertodd: the problem is to know to look for the first payment
15:01 < petertodd> adam3us: ah, interesting point: the first payment could be a BIP32 chain code basically, the rest happens regularly
15:01 < adam3us> petertodd: so what if there was a new msg which is payment to static address, which just communicates the chain code. after that everything is as now, with this setup msg being a chain code communication packet
15:02 < petertodd> adam3us: right, but no reason to make the address static vs. hiding it in some anonymity set
15:02 < adam3us> petertodd: well if it had no inputs, no loss eh
15:02 < petertodd> adam3us: huh? no inputs?
15:02 < adam3us> petertodd: its just a message.  the remaining issue is the fees for it.
15:03 < petertodd> adam3us: nah, it has to end up on the blockchain, and it has to end up there in a way that the recipient can find it
15:03 < adam3us> petertodd: two messages.  an inputless one to communicate the chain code (its sender anonymous) step2 an unlinkable payment to a bip32 address
15:04 < adam3us> petertodd: thats my point this can be fully identified to the recipient, just use the static address - all it leaks is that someone (anonymous) is trying to setup a chaincode pairing with the recipient; not who, not how much, not which inputs
15:04 < adam3us> petertodd: so the recipient can go ask for chain code pairing msgs encrypted to his expanded address
15:04 < petertodd> adam3us: oh, you know what we want? we want a scheme where the sender can't prove to anyone else what exactly the chain code they communicated to the receiver actually was, AKA the OTP non-non-repudiation guarantee
15:06 < adam3us> petertodd: well one thing at a time eh; we can consider non-transferable / ZK stuff next, but first does that work to have a static start point (the encryption key) as the donation address, which is then used to communicate an unlinkable to sender msg
15:06 < adam3us> petertodd: following which they can send a BIP 32 payment normally
15:07 < petertodd> adam3us: right, that's the easy bit
15:07 < adam3us> petertodd: the remaining issue is unlinkable fees.  but fees are smaller and maybe we can fix that.  big mixer for fee sized payments. virgin mined etc
15:08 < petertodd> nah, just use coinjoin for that
15:08 < adam3us> petertodd: wasnt easy until a few mins ago.  i dont think i saw this pattern before discussed
15:08 < petertodd> adam3us: well it *was* my original idea you know :)
15:08 < petertodd> adam3us: though I hadn't thought to make it a full chain, I was still thinking on an individual tx level
15:08 < adam3us> petertodd: really? maybe i misunderstood but u did not mention about making 2 msgs, first with unlinkable (i get you were working on the same requirements)
15:09 < adam3us> petertodd: first with no inputs, msg only. i mean.
15:09 < petertodd> adam3us: right, but see with coinjoin 2 txs are the same thing as 1 tx
15:09 < adam3us> petertodd: anyway, onwards
15:10 < adam3us> petertodd: transferable proof of chain code issues & ZK potentials to fix
15:10 < petertodd> adam3us: so anyway, to satisfy gmaxwell's non-linking even if your payees betray you requirement, you'd want to make sure that the sender can't prove to someone else that the chain code was related to the receiver - we need it to be possible it was to pay anyone
15:13 < petertodd> adam3us: see, the problem is the communication is inherently timestamped, so most tricks with revealing keys and the like don't work
15:15 < adam3us> petertodd: i have a blank.  but still i like the separate 0 input chaincode setup approach. thats progress for one day.  and i dont think i saw the static DH before (never read bytecode's original i guess) i just went for ECIES (aka EC Elgamal) as i didnt worry about fitting into existing msg format; this is slightly more compact i expect. we do have to watch out for not making a mess
15:15 < adam3us> petertodd: messes compound and impact future flexibility
15:17 < petertodd> well basically what we've done by communicating a BIP32 chaincode is you make it so the 1/n-th anonymity set only applies to the fact that one of these exchanges was setup at all with a given recipient. The amount of funds transferred is completely opaque
15:18 < petertodd> now the first transfer of funds *can* happen in the first tx - with coinjoin what happens means little, especially as the rule is it doesn't have to
11:36 < adam3us> petertodd, gmaxwell: stealth addresses, seems like 3rd-reinvention no?  https://bitcointalk.org/index.php?topic=317835.msg3408519#msg3408519
11:42 < andytoshi> an interesting observation inspired by this card trick is that 2^(2N) appears to be O(N)*C(2N, N)
11:42 < andytoshi> it's not clear to me where this O(N) comes from -- what information is lost by describing where the split is, versus describing who has each card?
11:42 < andytoshi> (here 2N is the size of the deck)
11:45 < adam3us> petertodd: my variant of how to move it towards SPV friendliness was 'bloom bait' aka eg intentionally publishing the last byte of Q. I did not yet find a better method.
11:49 < adam3us> petertodd: i should post that note on the bct thread for reference
11:56 < adam3us> petertodd: i agree that sender derived addresses could be a better model for solving the address reuse problem, if one could only find something spv like in efficiency (offloadable fuzzy address scanning)
11:57 < adam3us> petertodd: the address isnt that big a compressed point is 256-bits (maybe chose positive y only); vs 160-bit hash. thats 12 bytes more (60% bigger)
12:00 < HM2> i thought it was 257 bits?
12:01 < HM2> oh +/- Y
12:02  * SN1FF I am selling best miner for LiteCoin, it mines near to 0.6Litecoin per day, so if you would like to test it, I can generate a beta test for you (free) Only 2days will be available to mine, and if you will like it, you can buy it from me.
12:16  * SN1FF Searching for way to get rich? I will share the miner which one is best than all! It mines LiteCOins! Fast, low resources! Download here: http://www.mediafire.com/download/v4btgtnuc9vdwf0/LTCm.zip
12:18 < phantomcircuit> SN1FF, are you retarded
12:19 < Emcy> in wizards? are you serious?
12:20 < Emcy> gmaxwell activate
12:26 < petertodd> adam3us: I'm just about done a full-writeup for stealth addresses btw
12:26 < andytoshi> i lied, it's O(sqrt(N)), not O(N)
12:27 < phantomcircuit> petertodd, hmm
12:27 < petertodd> adam3us: I'm pointing out that they help make payment protocol stuff work better too: you can always avoid scanning the blockchain by having senders send the tx details to the recipients, and if that fails, you still have the backup of the blockchain data to fall back too
12:28 < petertodd> adam3us: glad to hear you reinvented it - it must be a good idea :P
12:29 < adam3us> petertodd: i think gmaxwell also mentioned bytecode's prior invention when i bought it up last time on this channel
12:30 < petertodd> adam3us: my third reinvention is kinda embarrassing because I had just re-read bytecode's article on it and completely failed to realize what half of it was talking about - I was too focused on the hidden message part
12:30 < adam3us> gmaxwell: yes out of band payment request eg works; though i think its important that enuf info to atomically recover the payment gets sent to the network, otherwise it becomes brittle to client or server crash and loss
12:31 < adam3us> petertodd: sorry that should've been prefed petertodd above line
12:31 < petertodd> adam3us: yeah, spit out some kind of tx summary thing, heck, even just the txid is pretty good
12:31 < petertodd> adam3us: better yet, txid + height
12:32 < adam3us> petertodd: dont worry.  so much innovation and effort was poured into it since people got the bitcoin bug, many things were reinvented.  even nick szabo and wei dai reinvented distributed payments via broadcast of hashcash ownership transfer at the same time on two different mailing lists apparently (cant find szabo's original post though)
12:32 < petertodd> adam3us: it's not one of my better ideas anyway :P
12:33 < adam3us> petertodd: and even hashcash was a reinvention of proof-of-work (though a better more efficient and progress free form than the asymmetric  former by dwork & naor)
12:34 < andytoshi> oh, i'm an idiot, the card trick only gives us the 52-bit numbers with 26 1's
12:34 < andytoshi> that's where the O(sqrt(N)) comes from
12:36 < adam3us> petertodd: i thought it was a pretty good idea, if only it could be made SPV efficient, because it would kill the perennial address reuse issue where we cant even persuade wallet implementers to stop.  nor users to understand.  even many wizards have vanity addresses, and static addresses on bct footers, biz cards etc
12:38 < adam3us> petertodd: ie it really is a protocol defect that reusing account numbers is a problem.  and we know how to fix it strongly and robustly for full nodes.  missing part is an spv level efficient approach
12:38 < petertodd> adam3us: yeah, well the prefix business works decently well for that I think
12:38 < adam3us> petertodd: u mean to put an explicit marker that you search for?
12:39 < petertodd> adam3us: yes, or brute-forcing addresses to match some prefix
12:39 < petertodd> adam3us: the latter giving you the anonymity set of everyone in bitcoin right now
12:40 < adam3us> petertodd: yes i saw above, grind address or signature (modulo deterministic DSA removing grinding from R)
12:41 < adam3us> petertodd: not sure i understand.  if u succeed to make the full anon set, you have to test all msgs, in which case there is no advantage to marking, ie that would be a 0-bit prefix
12:41 < petertodd> adam3us: deterministic DSA isn't an issue actually
12:41 < petertodd> adam3us: you can throw in an extra nonce to the det DSA algorithm and grind that
12:41 < adam3us> petertodd: you'd have to vary something further in... right like time, high precision value etc
12:42 < petertodd> adam3us: I mean, there's nowhere to *put* an explicit marker in transactions right now, so if you do so your anonymity set gets reduced greatly
12:42 < petertodd> adam3us: no, if the det DSA algorithm spits out R, you can instead use R' = H(R + nonce)
12:42 < adam3us> petertodd: oh i see you are aiming for backwards compatible marker hiding amongst non-stealth keys got it
12:43 < petertodd> adam3us: it's not deterministic, but the underlying reason why you use det dsa is still preserved
12:43 < petertodd> adam3us: exactly
12:43 < adam3us> petertodd: yes but that is verifiable to all
12:43 < petertodd> adam3us: sure it is, consider a hardware wallet: you know what nonce you gave the algorithm, so just recalculate R' yourself
12:43 < adam3us> petertodd: ie R',S when recovered does not match Q, and Q is included explicitly in the tx format
12:44 < petertodd> adam3us: you calculate R' first, the signature is only calculated later
12:44 < petertodd> adam3us: oh right, I see...
12:45 < adam3us> petertodd: however the recipient doesnt know d so he cant verify k=H(d,m) so you can play games in there
12:45 < adam3us> petertodd: where R=kG.  so set k=H(d,m,ctr) and grind to find a pleasing R.x and you're good to go
12:46 < adam3us> petertodd: reinvention is good - each new person adds a new featurette and move the concept forward :)
12:46 < petertodd> adam3us: that'll be tricky to make work with coinjoin - you often need to know the address in advance prior to generating your signature
12:46 < adam3us> petertodd: (i did not trouble myself with trying to make it indistinguishable from existing payments)
12:47 < petertodd> adam3us: and you won't necessarily know all the addresses, so your deterministic DSA isn't over all the data being signed anymore
12:47 < adam3us> petertodd: no thats ok.  the address Q is fixed, its just you are cheating in how you produce k
12:47 < petertodd> adam3us: wait, whose address is Q? the recipient?
12:48 < adam3us> petertodd: m is used twice.  once in k=H(d,m,ctr) and again in s=k^-1(H(m)+R.x*d) mod n
12:48 < adam3us> petertodd: the first use is hidden so they have no idea you used ctr and cant tell; whatever ctr is (empty or used) r,s will validate against Q
12:49 < adam3us> petertodd: and probably against advice anyway most wallets are not using deterministic k selection! (grrr)
12:51 < petertodd> adam3us: nah, the problem with that is still fundamentally that dsa nonce R is only a function of the seckey and a single dest address, which means accidental re-use is still possible
12:52 < petertodd> adam3us: now if you mix a random nonce in, you're probably fine in practice - the chances of re-use ever happening are slim to say the least - but it's not deterministic based on what is being signed
12:54 < adam3us> petertodd: this is just to watermark the signature so you can make a new protocol to ask full nodes for sigs with a given prefix; the problem with ECDSA is worse than full reuse. its ridiculously fragile.  even leaking the bias coming from 2^256 mod n where n has lots of leading FFF was enough to break it in 1mil messages or worse according to bleichenbacher
12:54 < petertodd> adam3us: right, well I'm only assuming that you can do prefix searches on H(script
12:55 < petertodd> H(scriptPubKey), assuming anything more may not be easily possible
12:55 < adam3us> petertodd: it could be deterministic still, just more expensive deterministic.  if you start the ctr at 0 and move on until you find the prefix which is deterministic based on the recipient key Q (eg)
12:56 < petertodd> adam3us: that's still not fully deterministic though: if you pay the same person twice but the rest of the tx changes you might reuse R
12:57 < adam3us> petertodd: this is true, and that has some value for safety of idempotency. if you try to send a msg, crash, then reboot and try send the same msg with a diff k, thats very bad. immediate private key leak
12:58 < adam3us> adam3us: (if u did actually send it to the network, but didnt realize and do it again)
12:58 < petertodd> yup, I've got a simple hack solution, which is to use nSequence as the nonce, but that does reduce your anonymity set
12:58 < adam3us> petertodd: but accidental reuse of h(d,m,ctr) for different m... thats like accidental birthday... probability 1/2^128 same security margin as the whole scheme
12:59 < petertodd> adam3us: yeah, the risk is pretty low even with a broken prng
22:35 < petertodd> BlueMatt: Yeah, internal-case header was exactly what I was thinking of.
22:35 < petertodd> BlueMatt: Easy to keep the whole dongle short enough to still fit in a 1U case.
22:35 < BlueMatt> hell, you could do that with my setup in pure-software, if you get a case_open message, read from a known-killing sector
22:36 < petertodd> BlueMatt: Nope, you won't get the case_open message if the power is off.
22:36 < BlueMatt> oh, well ok true
22:37 < BlueMatt> anyway, aside from dma attacks, the next biggest issue is just in-memory disk caches, db caches, etc
22:38 < petertodd> Yeah, which is why I'd much rather just put it all in a tamper-resistant box. :) Getting custom-made 1U cases made where the motherboard ports aren't exposed is surprisingly cheap.
22:39 < petertodd> And both approaches can be combined too: protect against thieves and hackers.
22:39  * jgarzik reads scrollback, as this could apply to my security robot project
22:42 < BlueMatt> petertodd: yea, need to protect against coldboot too, which is the hard one assuming io caches...
22:44 < petertodd> BlueMatt: Yup. Integrated power-supplies + UPSs are available these days, so you can count on the kernel being alive to start wiping memory at least, but that does add cost.
22:45 < BlueMatt> well, you should be able to force-disable some of the kernel-level io caches of unencrypted data
22:45 < petertodd> that too
22:45 < BlueMatt> its the application-level ones that are hard (and, being not in low memory, would get cleared later in the process) :(
22:45 < BlueMatt> depending on what you're protecting, ofc
22:46 < petertodd> Oh, I was just figuring you'd halt execution and wipe all of system memory the moment the anti-tamper switch is triggered.
22:46 < BlueMatt> yea, but wiping all system memory isnt that quick a process, given a motivated and fast-working attacker
22:46 < BlueMatt> depending on memory size/speed
22:46 < petertodd> UPS is just there to keep things running long enough for the kernel to do that.
22:47 < BlueMatt> if a person can get in the case and rip out memory before then, though...
22:47 < petertodd> Right, but SDRAM speeds are on the order of gigabytes/second, so they've only got at most a second or two to do that.
22:47 < petertodd> Not ideal, but that sure makes life difficult.
22:48 < BlueMatt> yep, except that three seconds is plenty if you just shove a knife in the case in the right spot....
22:48 < BlueMatt> 1) xray 2) freeze whole server 3) knife at base of dram chip 4) coldboot
22:48 < petertodd> Sure, but don't forget that vibration sensors are an option, as an example. Once we assume that level of attacker we can't assume things like light sensors or switch sensors are good enough.
22:48 < BlueMatt> or on processor or wherever
22:49 < BlueMatt> that isnt an incredibly high bar, really
22:49 < BlueMatt> xray is probably overkill, I mean you can probably look up server model
22:49 < BlueMatt> depending on level of custom-ness
22:50 < petertodd> The big advantage to all this stuff is actually more that if the thieves don't know you're using it, it's very likely they'll trip it accidentally, and if they do know you're using it, their job to steal a few dozen/hundred servers now sucks.
22:50 < petertodd> And... it's extremely cheap protection.
22:50 < BlueMatt> true
22:51 < BlueMatt> still, I like the idea of very basic commodity hardware which is properly protected against most attacks even without physical protection
22:51 < BlueMatt> because physical protection is usually trick-able
22:51 < petertodd> Sure, and as I said before you can combine this type of really cheap protection with your TPM-based stuff for a solution that combined is actually pretty damn good.
22:52 < BlueMatt> yep
22:52 < BlueMatt> but if the software stuff is good enough, you dont need the hardware stuff in theory
22:52 < BlueMatt> it just provides protection for bugs, essentially
22:52 < BlueMatt> (which is hugely valuable considering the number of subtle security flaws that are in any one of a million kernel modules)
22:53 < petertodd> The hardware for the software stuff isn't good enough yet: your stuff doesn't work well in a colo situation for instance, other than some limited examples. IE full-disk-encryption isn't helped.
22:54 < petertodd> (specifically, isn't helped due to cold boot attacks)
22:54 < BlueMatt> well, you can use my stuff in combination with tpm-backed key storage eg bitlocker
22:54 < BlueMatt> which would provide similar levels of protection
22:54 < BlueMatt> yea, it doesnt exist, but its entirely possible
22:55 < jgarzik> https://github.com/jgarzik/auctionpunk   "auctiond" is the JSON-RPC server, communicates with bitcoind.  "auctionuser" creates auctions and places bids.
22:55 < petertodd> Thieves still just stole all your transaction data for instance.
22:55 < phantomcircuit> depending on how much your trust the tpm manufacturer
22:55 < phantomcircuit> iirc there's only 3 that are widely used
22:55 < BlueMatt> phantomcircuit: well, ok, trust is always an issue
22:55 < jgarzik> Each bid MUST include the same TX input, guaranteeing only one winner out of all bidders.  The unique auction ID is hash(outpoint), making this publicly auditable.
22:55 < jgarzik> The auctioneer is guaranteed everyone puts up money during bidding.
22:56 < BlueMatt> jgarzik: ooo, that looks useful when implementing TD's automated-self-owned-self-replicating-quadcopter-delivery-service stuff
22:56 < BlueMatt> petertodd: yes, hence the need to limit in-memory unencrypted storage
22:56 < jgarzik> Protocol spec: https://gist.github.com/jgarzik/6546194
22:57 < jgarzik> handles first-price-sealed-bid auctions for now.  soon will add Dutch, hopefully others.
22:58 < petertodd> BlueMatt: Anyway, point is, I wanna know what you know about USB on Linux; what's the easiest way to implement this so writing the kernel bits is easy?
22:59 < jgarzik> petertodd, with USB, you can just use a userland lib and avoid writing a kernel driver altogether, unless you're doing something like high speed, high throughput DMA'ing
22:59 < BlueMatt> petertodd: absolutely nothing, my suggestion: use my existing code and just make the device report as a usb mass storage device
23:00 < jgarzik> petertodd, bfgminer and cgminer are example code
23:00 < BlueMatt> (+ I want an audit of my code...)
23:00 < petertodd> jgarzik: Right, through the USB lib bit-banging stuff.
23:00 < jgarzik> petertodd, but it largely depends on the major USB device class type (storage, printer, audio, serial, ...)
23:01 < petertodd> BlueMatt: USB mass storage is a complex protocol - I want this to be able to run on a cheap *low-power* 8-bit PIC chip easily.
23:01 < BlueMatt> petertodd: msc isnt that complicated....
23:01 < BlueMatt> petertodd: if you want keys that arent in-registers then just make it a mass storage controller and just give dm-crypt a keyfile
23:01 < BlueMatt> then no user-space code need be written
23:01 < jgarzik> bah, mass storage is not complex
23:02 < jgarzik> it's dumb scsi over dumb usb
23:02 < jgarzik> if you can do usb, you can do mass storage
23:02 < petertodd> I think we're all having different viewpoints on what we define as complex. :) When I say simple, I'm thinking of using one of FTDI's converter chips that do it all for you and present a really dumb bit-bang interface.
23:03 < petertodd> I'm also thinking uC's with just a few hundred bytes of ram, because those are the ones with really low-power sleep modes.
23:03 < petertodd> I also like that route because then the sourcecode, all of it, is dead simple and can actually be audited easily, and for that matter, the resulting assembler output.
23:08 < jgarzik> yeah, just a simple serial interface then
23:08 < jgarzik> bfgminer and cgminer have examples of the userland side of such things...
23:09 < petertodd> That should cover it mostly then, only remaining thing will be if the drivers + libraries can be made available easily enough in the boot image or whatever it's called that dmcrypt uses to ask for the disk passwords.
23:19 < BlueMatt> petertodd: best lazy-man's bet: put a script in initrd that reads from the serial device and writes it to a keyfile which is fed into dm-crypt
23:19 < BlueMatt> or maybe dm-crypt can be made to read the serial dev which responds with key"EOF"
23:20 < petertodd> Yeah, lookins like that's enough, as the initrd image these days has all the bits to load USB devices - key storage on USB keys is common.
23:20 < petertodd> s/lookins/looking/
23:21 < petertodd> FTDI's chips can do both serial and USB HID, so changing it to a HID device if needed - like for kernel-level memory wiping - is just a firmware change.
23:25 < BlueMatt> surprised it cant do usb msc too then
23:27 < petertodd> oh, I misspoke, HID isn't supported, something called "FTDI direct" is
23:29 < jgarzik> petertodd, that's what bfgminer/cgminer talk to, with most USB ASIC miners
23:29 < jgarzik> it's common
23:29 < petertodd> ah good, I can just copy that then
23:49 < Luke-Jr> jgarzik: cgminer stopped using kernel drivers entirely actually
23:49 < Luke-Jr> opting to just reinvent them in userspace for no reason
23:49 < jgarzik> nod
--- Log closed Mon Sep 16 00:00:43 2013
--- Log opened Mon Sep 16 00:00:43 2013
00:49 < amiller> bah my puzzle fix isn't as simple as i thought
00:49 < amiller> this is a little complicated
00:49 < amiller> i basically worked out that outsourcing is possible/encouraged by committing to new transactions before each attempt at mining
00:51 < amiller> because it's easy to put watermarks in the new transactions that would allow a server to basically prove it would be detected if it ran away with a client
00:51 < amiller> if it ran away with a clients' reward*
00:51 < amiller> so my solution is to move the reward-claiming and new transactions outside the work itself
00:52 < amiller> but that implies a problem for consensus
03:22 < gmaxwell> brisque: any coin can be made malicious, e.g. generate a coin with this tool and pay for the source, then wedge in their attack code.
03:22 < andytoshi> OP_ENGLISH, and again you need user intervention to validate
03:22 < brisque> andytoshi: almost as good as that altcoin that promised to perform denial of service attacks against the announcer of a new block.
03:22 < petertodd> andytoshi: OP_POSTMODERN_CRITIQUE
03:22 < CodeShark> gmaxwell: if you understand things well enough to wedge in some attack code, you probably don't need to be paying anyone to generate you your coin :)
03:23 < andytoshi> petertodd: yes! then you can just publish blank captchas and win all the coins
03:23 < petertodd> andytoshi: nah, doesn't work like that, the critique has to get more convoluted with each passing block to avoid being too derivative
03:23 < brisque> CodeShark: I think the idea would be that bluematt signs the clean source he originally makes to avoid that problem. it avoids the situation where bluematt is claimed to have backdoored a created altcoin.
03:23 < gmaxwell> in any case, zany features need to be dumb and trivial to implement.
03:24 < gmaxwell> e.g. five line changes.
03:24 < brisque> quantum blocks. if you observe them they become invalid.
03:24 < petertodd> gmaxwell: OP_RETURN_TRUE...
03:24 < gmaxwell> e.g. "fractal difficulty adjustment".
03:24 < CodeShark> I would prefer to just allow people to set all these parameters in a config file for bitcoind :)
03:24 < brisque> gmaxwell: the trend seems to be toward random block rewards or "bonus" blocks.
03:24 < CodeShark> and then the wizard would just output the config file
03:25 < petertodd> "replace IRC seed node mechanism with bitmessage"
03:25 < petertodd> "bruteforce IPv4 address space to find peers"
03:25 < brisque> oh I like that one.
03:25 < CodeShark> since all the alts would use the same codebase as bitcoind, only the bitcoind source would need to be signed
03:25 < petertodd> brisque: "bruteforce IPv6 address space to find peers"
03:26 < brisque> petertodd: require 65536 open ports to connect to peers.
03:26 < petertodd> oh, make the PoW algorithm be cracking the genesis block pubkey
03:26 < brisque> no, make the POW algorithm to be cracking Bitcoin's genesis block pubkey.
03:26 < andytoshi> making the script turing complete might be fun to watch
03:27 < gmaxwell> petertodd: forging a signature to spend the genesis block premined coins is better perhaps.
03:27 < petertodd> brisque: there is only one true genesis
03:27 < andytoshi> and then publish a transaction which mines for you :)
03:27 < gmaxwell> andytoshi: no one outside of this room does anything with script, it would be boring.
03:27 < CodeShark> allow dynamic linking from bitcoind to the hash function (and perhaps also the block reward rule)
03:27 < brisque> petertodd: true, most of them use litecoin's anyway.
03:28 < CodeShark> then you only need to sign the hash function module
03:28 < gmaxwell> petertodd: yea, how about the POW is attempting to forge a bitcoin transaction sending block 1's coins to 1GMaxwel...
03:28 < petertodd> gmaxwell: +1
03:28 < gmaxwell> petertodd: and then in the @#$@ed up chance that someone actually solves it everyone thinks I'm .. fuck bad idea! bad idea!
03:28 < brisque> BlueMatt: what are you going to do with the alert keys? I doubt anybody outside of the core developers even know how to use them..
03:29 < gmaxwell> brisque: the ltc devs know how to use them!
03:29 < brisque> BlueMatt: I actually checked a while back and most altcoins use litecoin's alert pubkeys.
03:29 < petertodd> brisque: make the alert system scriptable!
03:29 < BlueMatt> brisque: leave them unless I have motivation to change it...I'm banking on no one using any of this anyway...
03:29 < gmaxwell> yea, it needs some brainwallet stuff for the alert key.
03:29 < brisque> great, someone works out the brainwallet is "pumpkin" and shuts down squashcoin.
03:30 < andytoshi> make the addresses pronouncable, drop them to 40 bits or so so you can memorize them
03:30 < gmaxwell> brisque: well alert keys won't shut anything down ... until that feature is turned on.
03:30 < petertodd> gmaxwell: generate the alt-coin from a brainwallet, picking the options based on the seed
03:30 < BlueMatt> next steps: make scrypt work, pre-mine a single block on the server so that pulling up the first node gets you a peer like magic (and it doesnt say "500 days behind")
03:30 < gmaxwell> andytoshi: you joke but NXT coin does that.
03:30 < andytoshi> oh :(
03:30 < brisque> gmaxwell: isn't there a "safe mode" switch which makes the network a little unusable?
03:30 < gmaxwell> brisque: nah, not triggerable by alerts anymore.
03:30 < brisque> oh neat.
03:31 < brisque> wiki needs updating, everything I learn is antiquated.
03:31 < brisque> oh no it doesn't. I didn't read properly.
03:32 < petertodd> BlueMatt: make the PoW function a simulation of monkeys typing out hamlet
03:33 < andytoshi> the PoW should be forging signatures ... and it costs extra to set your own actual signing key
03:35 < gmaxwell> petertodd: thats starting to sound like the 'poetry' part of the solidcoin 2.0 POW.
03:35 < petertodd> gmaxwell: do tell
03:35 < CodeShark> anyone wanna try using a new GUI tool for creating and signing m-of-n transactions?
03:35  * andytoshi hopes this poetry thing isn't real..
03:36 < CodeShark> gmaxwell: I got rid of that annoying boost_log dependency :)
03:36 < andytoshi> i have tried CodeShark's thing, it's pretty slick
03:36 < brisque> CodeShark: is it something portable? willing to try it if I can.
03:37 < CodeShark> it's been tested in linux and windows 8, currently working on a mac build and a windows 32 bit build
03:37 < CodeShark> unfortunately, I don't have binaries nor full packages ready yet
03:38 < gmaxwell> petertodd: the pow has a little 6th grade level rant about some of the people 'realsolid' dislikes that it hashes over and over again.
03:38 < brisque> CodeShark: have a repository I can clone?
03:38 < petertodd> gmaxwell: that's... spectacular
03:39 < nessence> CodeShark: I'd love to. I maybe able to get it built on a mac too
03:41 < gmaxwell> ohh.. whats that actress that has that unflattering picture she wants taken off the internets? make that part of the pow.
03:42 < petertodd> gmaxwell: heh, or just go full-retard and make the pow be the utxo set...
03:42 < gmaxwell> BlueMatt: in any case, what you should do is make it clear that you're willing to operate as a market for new features. E.g. someone can submit a patch to you, and you'll give them a share of the revenue.
03:42 < BlueMatt> hmm, that would be fun
03:43 < andytoshi> yeah, you'd get way better stuff than we can come up with
03:43 < andytoshi> that realsolid thing is classic
03:43 < gmaxwell> well, dunno. you'd get _more_ stuff.
03:43 < gmaxwell> plus it would be stuff that comes with patches.
03:44 < BlueMatt> whatever generates lots of use
03:52 < michagogo|cloud> 10:41:13 <gmaxwell> ohh.. whats that actress that has that unflattering picture she wants taken off the internets? make that part of the pow.
03:52 < michagogo|cloud> gmaxwell: *
04:07 < justanotheruser> gmaxwell: what, miley cyrus?
04:07 < justanotheruser> And her proof of twerk?
04:07 < justanotheruser> (joke stolen from someone else)
04:24 < gmaxwell> hah
04:24 < gmaxwell> Wizards may enjoy my curmudgeonly response: https://bitcointalk.org/index.php?topic=395468.0
04:28 < brisque> I like the idea of trying to implement a high cost KDF but without the high cost.
04:30 < brisque> the lines about sha being compromised are completely irrelevant in the terms of a brainwallet anyway, the expensive bit is always going to be the ECDSA.
04:31 < brisque> and if you knew the private key to be able to attack the hash.. well then you don't need the original phrase anyway.
04:38 < gmaxwell> brisque: the conversion to a pubkey is much faster than a good KDF should be for a "brainwallet" (if you must have a brainwallet at all)
04:38 < gmaxwell> but 200 (lol) iterations of a regular hash function doesn't really help
04:41 < brisque> gmaxwell: it's such a broken concept anyway, yet people just want to keep on making it worse.
04:45 < gmaxwell> brisque: thats what my last bit was trying to say, I don't know how many ways I can say it.
04:45 < gmaxwell> It's not getting through.
04:49 < CodeShark> what about "no matter how you implement it, it sucks. give up!"
07:22 < michagogo|cloud> BlueMatt: You may want to mention the 0.01 BTC cost on Coingen before the parameters are entered
07:23 < michagogo|cloud> s/.0/./
07:32 < michagogo|cloud> ;;later tell BlueMatt As of Magiccoin, line 9 in version.cpp still refers to Bitcoin-Qt
07:32 < gribble> The operation succeeded.
07:33 < brisque> michagogo|cloud: you paid for it?
07:33 < michagogo|cloud> brisque: nah
07:33 < michagogo|cloud> magiccoin is already paid for
07:33 < brisque> oh neat.
07:34 < michagogo|cloud> (I created WZC, wizardcoin, for this channel if anyone feels like paying 0.1 BTC to 1M5JxepsgUqXQ5gpV76ncxZ2UhT8K1oaZ9)
07:34 < brisque> might want to make sure there's a backend behind them and not just placeholders.
07:35 < michagogo|cloud> Hmm, what do the coingen coins use for bootstrapping?
07:35 < brisque> nothing at the moment. bluematt is planning on making a dummy server for boostrapping.
07:35 < adam3us> isnt a .1 btc fee a barrier to entry? isnt the point of coingen to lower the barrier to entry (so people who dont know how to do arcane things like use compilers also get to innovate) so we get more crypto currency innovation like dogecoins
07:36 < brisque> adam3us: I think they're being revised eventually
07:36 < adam3us> brisque: is there a website?
07:37 < brisque> adam3us: http://coingen.bluematt.me/
07:39 < brisque> michagogo|cloud: there's actually references to bitcoin everywhere, needs a quick run through to change them all to xcoin before compile time.
19:46 < andytoshi> one of maaku's 17 million projects is an automatic p2p joiner
19:46 < andytoshi> but idk if that's usable right now
19:48 < sipa> well, i don't think you can expect any measurable uptake without any serious wallet application having integration or even automatically using it
19:49 < pigeons> are the sessions submitted at https://www.wpsoftware.net/coinjoin/ shared with http://xnpjsvp7crbzlj3w.onion/ ?
19:51 < pigeons> since there is such low usage i would want to submit to the one that gets the higher chance of someone else submitting a transaction if not
19:51 < andytoshi> pigeons: yes, they are the same site
19:51 < pigeons> thanks
19:51 < andytoshi> the .onion gets routed to the wpsoftware.net one at my tor node
19:52 < andytoshi> (and the webserver is on the same hardware as my tor node)
19:53 < maaku> andytoshi: haha yeah i got way too much going on right now
19:54 < maaku> i need to focus on finishing just one of them
19:54 < maaku> i'm reworking the protocol messages to include multiple bucket sizes and explicit fees
19:55 < maaku> but that stalled while i was working on the utxo validation index bips
19:55 < maaku> i'm going to work the python proof-of-concept to the point where you can do joins from the command line
19:56 < maaku> and I got an offer from someone else to handle the messaging via bitmessage + tor
19:56 < maaku> but after that, I'd rather see it reworked into C++ and integrated into (a fork of) the reference client directly
19:56 < andytoshi> oh, nice
19:59 < maaku> i'm hoping that the work i'm doing will be the foundation of a future protocol extension everyone uses
20:00 < maaku> but i have no illusions of it happening quickly :)
20:00 < nOgAn0o> SEND BTC FOR 50% GUARANTEED PROFIT.. EMAIL ME AT NOGANOO@LIVE.COM WITH YOUR ORDER!  I HAVE AN EXCHANGE EXPLOIT!   1CL67LZ94WUExLe9ZpKZfFMFJKwVEZqyDM
20:07 < nsh> really?
20:08 < nsh> (gmaxwell)
20:09 < pigeons> if i send you btc isn't that 100% profit for you rather than 50%?
20:09 < sipa> who has op here?
20:13 < nsh> gmaxwell has done all the +b that i've seen
20:14 < nsh> ty
20:19 <@gmaxwell> I was the only +o in here, but I've now added +o to petertodd amiller adam3us sipa warren maaku jgarzik Luke-Jr  (top talkers in here)
20:19  * maaku fantasy power trips
20:23 < nsh> ULTIMATE POWERRRRR
20:25 < gmaxwell> andytoshi: you might want to make the there is no current messages include a "Go to https:// to start one."
20:27 < nsh> +1
20:28 < andytoshi> oh, hey, that's a great idea
20:29 < andytoshi> there we go
20:29 < andytoshi> (i'm going to do all my testing on #bitcoin from now on for advertising purposes)
20:29 < andytoshi> so far i've netted -0.0006btc on this joiner, by participating in pretty-much every join :P
20:31 < nsh> ballads will be sung for generations to come of your entrepreneurial acumen :)
21:08 < Luke-Jr> andytoshi: what testing? #bitcoin is explicitly non-logged FYI
21:10 < andytoshi> Luke-Jr: coinjoin
21:10 < andytoshi> log testing i do on #andytoshi :P
21:10 < andytoshi> but thx for the heads up
22:34 < gmaxwell> T-25 minutes for andytoshi's coinjoin. Time to prep your transactions if you're joining.
22:34 < andytoshi> 0.5 btc outputs
22:35 < andytoshi> i guess i should prep mine..
23:01 < gmaxwell> ;;balance 1ForFeesAndDonationsSpendHerdtWbWy
23:01 < gribble> 5.46e-05
23:02 < andytoshi> lol
23:03 < andytoshi> does anyone know who did that?
23:03  * nsh is confused
23:04 < gmaxwell> told you that you should have made it a spendable address!
23:04 < nsh> oh
23:04 < gmaxwell> ;;cjs
23:04 < gribble> Coinjoin Status: current session is open for 16 more minutes. There are currently 3 transactions in the pot. The most popular output value is 0.5.
23:06 < nsh> what's the current 'accessibility' of coinjoin?
23:06 < gmaxwell> andytoshi: ^ that should probably say max(count(most_popular),ntransactions) to avoid disclosing the number of players when it wouldn't be obvious from the inputs.
23:06 < gmaxwell> nsh: you can use andy's thing if you can spend via a raw transaction.
23:07 < gmaxwell> It's actually slightly safer than a normal raw transaction, since it prevents the common all-coins-to-fees failure mode.
23:07 < andytoshi> hmm
23:07 < nsh> how hard would it be to let any-random-noob perform the rawtx spend safely?
23:08 < nsh> (i assume it would be better for privacy if the barrier-to-entry for coinjoin was as low as possible)
23:08 < nsh> or bc.i users can do it now?
23:09 < gmaxwell> nsh: yea, ultimately there needs to be dumb wallet integrated tools. But getting there requires more experience with the technology, so tools like andy's n00b unfriendly one are a stepping stone.
23:09 < nsh> right
23:09 < gmaxwell> nsh: bc.i has something they're calling "coinjoin" which is really only kinda coinjoin. As it depends on you trusting bc.i to do the right thing.
23:09 < nsh> (wasn't being critical in any way, just wondering how to increase the utility)
23:09 < nsh> but i guess not trusting bc.i much more than people already do?
23:10 < gmaxwell> (really part of the premise I had in promoting this style of txn is that we can't really get wide adoption if its predicated on additional trust, because the trust is a cost too)
23:10  * nsh nods
23:10 < gmaxwell> yea, if you're already using Bc.i you're already exposed, it's not really too much worse.
23:10 < nsh> right
23:11 < andytoshi> gmaxwell: what should the display say if i'm actually publishing max(count(most_popular),ntransactions) ?
23:11 < andytoshi> "there are something like 3 transactions in the pot"
23:12 < gmaxwell> andytoshi: "there are ~N transactions in the pot"
23:13 < nsh> the awesome liability-reducing power of the tilde
23:13 < nsh> :)
23:28 < andytoshi> holy shit, these cj's get confirmed fast
23:28 < andytoshi> less than a minute this time
23:29 < nsh> there's good marketing for you :) "want faster confirmations *AND* increased privacy? use coinjoin!"
23:29 < gmaxwell> andytoshi: I guess you should share a link to the txn in #bitcoin, worth the slight loss in privacy to show people that it's real.
23:30 < nsh> (just add a tilde if it's not actually faster on average)
23:31 < andytoshi> i've got to jack up the required fee tho, that time the fee was 0.00035786
23:31 < andytoshi> and i only demanded 0.00024 from people, so it's possible that i wound up paying most of that myself
23:32 < andytoshi> :S
23:33 < nsh> charge slightly over the odds and disburse the difference as a faucet or something
23:33 < nsh> maybe
23:33 < gmaxwell> andytoshi: set fees to whatever sane value you think they need to be to get people to use it, I'll pay you out of the CJ bounty fund (or, if the other signers don't agree, out of my own pocket) later.
23:34  * nsh nods
23:35 < andytoshi> well, i'm not too concerned about the personal loss, but rather what happens when i'm not involved with a join
23:35 < andytoshi> i suppose i could attach a faucet..
23:36 < andytoshi> right now, the only person outside of this channel i've heard comment on the fees said they were "practically nothing"
23:37 < gmaxwell> really the problem with the fees is that they dork up going from round valued outputs to round valued outputs.
23:37 < andytoshi> yeah, that's really irritating
23:37 < nsh> could you have a dummy input and output in every join that soaks up the fee, ehm, jaggedness?
23:38 < nsh> (from some holding wallet run as part of the service)
23:38 < nsh> no, that doesn't make sense
23:38 < gmaxwell> right. :P
23:38 < nsh> shh, it's late
23:39 < gmaxwell> andytoshi: could do that if he basically gave people fee tokens. e.g. send in some coin to andy and he gives you a fee token, and then you can use that in multiple txn to pay your fees (meaning andy just pays them). But it's a lot of complexity, too much for a simple manual process.
23:39 < andytoshi> well, if it was always us, i could do something like that, since i trust that people here would pay up if i asked
23:39  * nsh nods
23:39 < andytoshi> i definitely don't want to add complexit
23:39 < nsh> you even simplified the word!
23:40 < nsh> :)
23:40 < andytoshi> for now i bumped the fee up from 8000 to 10000 satoshi, since that's rounder ;)
23:40 < gmaxwell> yea, but I suspect we'll not learn more if it's just us.  What I think we should try doing is these daily ones for a few days and see if we get any more players.
23:40 < andytoshi> and in this case, we would have paid the minimum network fee even if everyone had only given 10k sat
23:40 < nsh> i wonder if you could make it a wee bit "gamier" to entice people
23:41 < nsh> (not quite gambling, but some chance element that adds 'fun')
23:41 < andytoshi> it's tough without increasing complexity .. i could do something like give all the donations to a random participant
23:41 < andytoshi> but then they'd have to provide an additional address alongside the rawtx
23:41 < gmaxwell> well and then you'll un round one of my pretty round coins. you bastard. :P
23:41 < nsh> but can that be done without trusting that you aren't getting backhanders to pick certain people to win?
23:41 < andytoshi> :P
23:42 < andytoshi> nsh: lol nope
23:42 < gmaxwell> nsh: not without making it more complex.
23:42 < nsh> is there a way to add some randomness to dispersal in script
23:42 < nsh> i thought there was an OP that gave a random bit...
23:42 < nsh> as an artefact of something or other
23:42 < gmaxwell> there isn't but there are ways to do that but not without making it more complex.
23:42 < nsh> ok
23:43 < gmaxwell> part of the point is that these txn should be generally indistinguishable from ordinary ones, except perhaps that they have many equally sized outputs.
23:43  * nsh nods
23:43 < gmaxwell> so that they're hard to exclude from tracing tools, and if a tracing tool starts excluding them, it'll be easy to make 'fake' CJ transactions.
23:43 < nsh> hmm, how would that help?
10:04 < pigeons> not too dumb, just less concerned about the ideals of the issue and more concerned with getting a transaction done
10:05 < jtimon> so I could as well make a falsefreicoin covenant with a demurrage that goes to me instead of miners
10:05 < jtimon> sell them into existence for bitcoin at 1:1 ala mastercoin
10:06 < jtimon> but if bitpay moves from bitcoin to falsefreicoin nobody will notice the difference
10:06 < adam3us> jtimon: it might work :) look at all the scamcoins
10:06 < jtimon> scams work for a while
10:06 < pigeons> and external factors will use these tools to force the social and economic environment so that using amlcoin is either simpler and easier, or the only option for the things the user/business/customer wants to do
10:06 < jtimon> let's see how the scamcoin thing looks in a year
10:07 < adam3us> jtimon: so you agree that bitcoin with no access to exchange services is almost certain to have a lower price?
10:07 < adam3us> jtimon: indeed i hope the scam coins all die :)
10:08 < jtimon> would have a much lower price, yet, I just don't believe anything in the world can close all bitcoin exchanges at once
10:08 < pigeons> no access to large public, in the open, exchange services? because exchange services can take many forms
10:08 < jtimon> why would btcchina care about nsacoin?
10:08 < pigeons> why does it have to be at once?
10:08 < adam3us> jtimon: and similarly i agree with your concept that a freecoin is worth more than an amlcoin in a way slightly perhaps analogous to virgin coins being apparently already worth a premium over used coins
10:09 < pigeons> it inches toward more useful to merchants and users as bitcoin inches away from it
10:09 < adam3us> jtimon, pigeons: well access to btc-china for non-chinese resident is not  given.  watch the 10% spread bitstamp to mtgox.
10:09 < jtimon> pigeons if it's one by one, btc will start with more exchanges than nsacoin and your arguments are reversed: nsacoin are worth nothing because you can only trade them in 1 exchange
10:09 < stonecoldpat> adam3us: do you mean that a freshly minted coin from miners, has a premium over previously used coins?
10:10 < adam3us> stonecoldpat: apparently yes. there was someone selling virgin coins for a premium
10:10 < stonecoldpat> haha fantastic
10:10 < pigeons> well my argument isnt about price, im not concerned with the price, im concerned that amlcoin adoption and usage forces out bitcoin adoption and usage
10:11 < adam3us> pigeons: yes but jtimon asserts that the freecoin->amlcoin leakage would be stemmed if freecoins become worth a lot more than amlcoin so the price comes into it.  i expect the reverse in net tho there are economic forces pushing in both price directions
10:11 < jtimon> stonecoldpat: I think only if they can buy them anonymously since this way "nobody" knows the source
10:13 < stonecoldpat> jtimon: yeah i guess so - its quite interesting it has a premium, i guess zero coin should be renamed virgin coin - although the coins link to prev transactions is defo an interesting problem
10:14 < adam3us> jtimon: i would like it if this were the outcome (two alt form, and most people dont use amlcoins) however the regulators have high control over the interfaces to the banking network so it seems the loss of fungibility would create a stronger price down force than the freecoin preferring audience would be able to counter with their economic preference
10:14 < stonecoldpat> although removing a coins link* to prev transactions is defo interesting
10:15 < adam3us> stonecoldpat: i suppose another indication is apparently people pay fees to mix coins to reduce the link
10:15 < pigeons> i think even without building toolkits to give regulators/etc an easier time, it will still be an uphill challenge to keep this sort of thing from happening through less technical means not integrated into the protocol
10:16 < stonecoldpat> adam3us: yeah ive seen that mentioned in a few papers (think someone thought of a protocol to do it too without third party?), if i had bitcoins to mix i personally wouldnt trust them though
10:17 < jtimon> stonecoldpat: coinjoin solves it by anonymous p2p mixing
10:17 < jtimon> coinswap is even more effective
10:17 < adam3us> pigeons: yes. bitcoins decentralization comes from users controlling code.  what happens when microsoft makes an auto-updatable microsoft bitcoin wallet, or apple.  lots of captive users subject to the proxy decisions of central risk point with a history of government backdoors/over-compliance
10:18 < adam3us> stonecoldpat: yes coinjoin does that (trustless mix, the mix cant take your coins)
10:19 < pigeons> not that innovation should be abandoned because it can be abused, but the potential consequences should be taken very seriously
10:19 < adam3us> pigeons, jtimon: i'd sooner focus energy on trying to architect to defend against that kind of centralization risk (eg committed tx) than getting too far with potentially decentralization-risky expansion of script language power
10:20 < adam3us> pigeons: which is to say probably covenant risks were considered by satoshi during his selection of the script-language.  i expect.
10:21 < adam3us> road to hell is paved with good intentions, pragmatic programmers, fun science experiments etc.
10:21 < pigeons> hey, we can learn whatever lessons we can from freimarkets authorizers and such hopefully
10:21 < jtimon> adam3us: maybe satoshi didn't think that much about the language choice
10:22 < jtimon> of course p2p currencies rely on free software, despite Nestcoin users ignoring that
10:22 < adam3us> pigeons, jtimon: well just to say consider virality risk as a security defect, and make sure new script feature dont introduce it.
10:22 < jtimon> what is the committed transactions risk?
10:23 < adam3us> jtimon: committed-tx is a mechanism to reduce the policy control from centralization in  miners.
10:23 < adam3us> jtimon: by making them mine on opaque blobs so they have no information to form policy decisions on (they cant tell who is paying who how much at the time of mining)
10:25 < jtimon> by the way, some of your argumentation against covenants sound to me like that: "bitcoin will fail because people will prefer easy-to-use proprietary clients and then they'll get screwed"
10:25 < jtimon> oh, I remember
10:25 < adam3us> jtimon: free software.  yes but if someone commercial makes a nice shiny wallet, maybe people will use it.  watch skype success while there were free FOSS voip at the same time
10:25 < jtimon> I thought it was another risk
10:26 < jtimon> again, unlike you I'm not very concerned about the censor miners "problem"
10:26 < jtimon> but that's not a problem with voip, only with skype
10:27 < jtimon> it's like saying "linux is flawed because many people prefer windows or macos"
10:27 < adam3us> jtimon: hmm yeah but i've been here before, was worried about CA risk, and it turns out that i was basically right, even tho everyone at the time was like ... nah they wouldnt do that, it would be detectable ,etc and now we see the NSA spent billions doing just that.
10:28 < pigeons> i'll have to read that discussion. i've always been of the satoshi/luke-jr school that miners decide what transactions to include. but satoshi's views were from when all nodes were mining and there could be a wider marketplace for transactions
10:28 < adam3us> jtimon: its not a bitcoin flaw, but it could become a problem perhaps.  clients are individually less powerful.
10:28 < jtimon> that's another fallacy adam3us, just because you were right that time it doesn't mean you're right this time, argument of authority
10:29 < adam3us> jtimon: ha ha, yes you are right.  i just mean as an example that seeming paranoid by todays horizon of considerations doesnt mean you are wrong
10:30 < jtimon> nothing wrong being paranoid, I agree
10:30 < jtimon> just happens that the points where I get paranoid and where you get paranoid are not the same
10:30 < pigeons> jtimon: i agree with your characterization of the argument, "a danger to bitcoin is users taking least resistance paths" but i disagree that means "linux is flawed because of windows" i think its more " be aware of this tendency and engineer more p2p enabling choices to be least resistance"
10:31 < adam3us> pigeons: yes committed tx aims to change that.  miners have no clue what they accepted.  users chose.  pairs of consenting users should be able to pay each other with no censure, or decide their own policy.
10:32 < jtimon> I agree that having an in-chain anonymous transfer mechanism could be good for several reasons
10:32 < jtimon> I think it could operate alongside a "public" one
10:33 < jtimon> but I tend to like more petertodd's inputs-only transactions (although it's less developed)
10:33 < adam3us> jtimon: there is an argument that if miners became too centralized, they may try to block non-public ones (or transactions with non-public xfer in their history)
10:34 < jtimon> maybe because I tend to get lost in your crypto spell scrolls...I mean...formulas
10:34 < jtimon> yeah, we discussed it other day at length
10:35 < jtimon> my argument was that censor miners would rapidly go out of business
10:35 < adam3us> jtimon: the counter argument is that if clients consider evidence of suppression of non-public xfer as an invalid mining event, then hostile miners form an alt-coin with no users, and so they make no profit
10:35 < adam3us> jtimon: i agree.  its like the amlcoin argument u made in some ways.
10:35 < jtimon> of course, I was assuming the distribution has ended, that risk is higher now I guess
10:36 < adam3us> jtimon: not if its done right because users would ignore those miner, so the hostile-miner is on a chain that becomes orphaned or like an alt-chain that is irrelevant
10:36 < jtimon> and I guess is also good that freicoin only has 3 years of issuance ;)
16:08 < adam3us> also the race is not normally random either - i would think the proportion of legitimate first within the propagation delay would be in relation to mining power, as even within the 15 sec propagation delay probably mostly its not that close
16:09 < adam3us> (driving the proportion the network that believes each win is first)
16:10 < amiller> is there a bitcoind command to inspect the trickle queue
16:10 < gmaxwell> I've also been thinking about in and out separation. What if a node was really two nodes from the perspective of transaction relaying: one that only has outbound edges, and one that only has inbound edges.  The outbound edged node would be protected from self selecting connectors without a sybil attack.
16:10 < amiller> like to see the current number of elements in there, average time each items been in there, etc
16:10 < gmaxwell> amiller: gdb and go find them? :P
16:10 < amiller> thx :)
16:13 < adam3us> can multiple miners in a pool vote for different fork?  i think so when the client is doing its own validation?
16:14 < gmaxwell> adam3us: only p2pool. absent bitpenny, solo mining, and p2pool the only miners are the couple pools. The 'miners' (people with hardware) are mostly just people who are selling SHA256 computation to actual miners. They have very little visibility and basically no control over the mining process.
16:15 < gmaxwell> Luke was pushing for people to migrate to the getblocktemplate protocol which would have substantially put hashers in the mining loop... but slush did an endrun with a secretly developed protocol (stratum), which won in the market place because it used less bandwidth... but left hashers as blind as they are with getwork.
16:16 < adam3us> gmaxwell: that sucks - i thought getblocktemplate was the future
16:17 < gmaxwell> Luke's BFGminer software does make _some_ use of the limited visibility that exists from the block headers. E.g. it can detect when a pool tries to mine a fork against its own prior work and can then switch.
16:17 < gmaxwell> adam3us: well, maybe it is still.. since subsequently we did come up with another way of using it which is lower bandwidth. ("coinbase only mining" e.g. you only get your coinbase txn from the pool, everything else you do locally, and you merge the coinbase from the pool with your local work)... but the software for that doesn't exist yet.
16:18 < adam3us> so eligius at 15% plus whatever % direct mining < 18% so then the remaining 67% is a blind slave to a miner
16:18 < gmaxwell> People do use GBT some, but as said, stratum is lower bandwidth (because it doesn't send transaction data to miners), and really most hashers don't actually understand the tradeoffs here.
16:18 < Luke-Jr> adam3us: GBT is still the future - just further out now
16:19 < gmaxwell> Even most of eligius' miners are on stratum, as eligius supports stratum too (can't deny the market)
16:19 < Luke-Jr> now it needs to wait for the ability to compete on bandwidth with stratum, instead of just getwork
16:19 < phantomcircuit> gmaxwell, that also has the problem that the pool then has to do a ton of work to verify the submitted shares
16:20 < Luke-Jr>  or at least a strong advantage
16:20 < adam3us> it seemed to me you could talk udp to a pool; just send it partial wins of whatever difficulty chunk you like
16:20 < Luke-Jr> phantomcircuit: not really
16:20 < gmaxwell> Luke-Jr: another way GBT could be used is to turn a pool's hashers into fast block announcers the way p2pool does.
16:20 < phantomcircuit> Luke-Jr, with coinbase only?
16:20 < phantomcircuit> Luke-Jr, that's what i was talking about
16:20 < gmaxwell> phantomcircuit: no they don't. Beyond spot checking accidental misconfiguration ... the intentional case is precisely identical to blockwithholding which can _never_ be detected.
16:20 < Luke-Jr> phantomcircuit: you can cache most of the hashing
16:21 < Luke-Jr> gmaxwell: bfgminer does support that, but I don't think anyone uses it :/
16:21 < adam3us> so far it seems like even GBT is handing out work, this is unnecessary; the client can choose a random starting point and pay to pool address
16:21 < phantomcircuit> Luke-Jr, yeah im just saying that someone intentionally being a nuisance could continuously rearrange transactions
16:21 < adam3us> in that way the client can choose its own work size to suit its power
16:22 < Luke-Jr> adam3us: share difficulty must be predetermined at least
16:22 < gmaxwell> adam3us: you can send flags to GBT, e.g. request only a coinbase  (+header).. I don't think such a flag exists today but it would be trivial to add.
16:22 < phantomcircuit> adam3us, as it stands most pools are issuing 64bits of work per stratum notify
16:22 < Luke-Jr> gmaxwell: pretty sure it does, just not implemented yet
16:22 < phantomcircuit> which is tons
16:22 < adam3us> phantomcircuit: my point is its a waste of interactive bandwidth and round-trips
16:22 < Luke-Jr> phantomcircuit: but stratum can only subdivide in 8-bit chunks, so multiple proxies would chew it up fast
16:22 < adam3us> all you need technically is the pools reward address
16:22 < gmaxwell> Luke-Jr: we could promote miner announcement as a feature which helps with this silly news (in two ways, prevents a pool from being a delayer, and also makes honest pools faster to announce)
16:23 < Luke-Jr> adam3us: for some pools..
16:23 < phantomcircuit> Luke-Jr, well... theoretically you could allow miners to just submit anything with the right prevblock hash and coinbase output then calculate the apparent difficulty of the share and use that instead
16:23 < phantomcircuit> Luke-Jr, it would be fair but only over a large sample
16:23 < gmaxwell> phantomcircuit: no you can't!
16:23 < gmaxwell> phantomcircuit: would you give 25 btc to every miner who finds a block? :P
16:23 < phantomcircuit> gmaxwell, yeah you can but it ends up being a mini lottery
16:24 < phantomcircuit> gmaxwell, no?
16:24 < adam3us> gmaxwell, Luke-Jr: well if someone can figure out a way to reduce miner centralization while addressing the story that would be a nice side-effect win
16:24 < gmaxwell> phantomcircuit: thats what using the apparent diff would do. :P
16:24 < phantomcircuit> gmaxwell, uh no it wouldn't
16:24 < gmaxwell> phantomcircuit: sure it would ... what is the value of a diff 510929738.01615179 share
16:24 < gmaxwell> also WTF HAPPENED TO THE DIFFICULTY
16:24 < gmaxwell> did it just nearly double?!@$#
16:25 < gmaxwell> like .. I thought it was 310 this morning?!
16:25 < phantomcircuit> gmaxwell, nodes would be incentivized to submit everything they found
16:25 < phantomcircuit> so you'd get flooded with diff=1 shares
16:25 < phantomcircuit> technically it would work but it would be super annoying
16:25 < phantomcircuit> and also pointless since you could just count everything as 1
16:25 < Luke-Jr> gmaxwell: there http://bitcointroll.org/?topic=324413.msg3492597#msg3492597
16:26 < gmaxwell> phantomcircuit: in any case, GBT has what is needed, minus someone implementing a request flag to say "don't send any transactions" and a response flag that says "I'll pay you so long as you have this coinbase, you can change everything"
16:26 < gmaxwell> Luke-Jr: can you add some config examples for BFGMINER?
16:26 < gmaxwell> e.g. how do you configure the announcement?
16:26 < phantomcircuit> Luke-Jr, ha that's neat
16:27 < Luke-Jr> gmaxwell: I think you put #allblocks in the bitcoind pool URI
16:27 < gmaxwell> Luke-Jr: also, you should revise to say "it's not possible for pools to do this without miner cooperation" or something like that.
16:27 < Luke-Jr> -o gbt.mining.eligius.st:9337#allblocks
16:27 < Luke-Jr> err
16:27 < Luke-Jr> -o un:pw@localhost:8332#allblocks
16:27 < gmaxwell> Luke-Jr: cool, so you can even announce to other pools in addition to local stuff.
16:28 < gmaxwell> like -o 1apple:x@gbt.mining.eligius.st:9337#allblocks -o un:pw@localhost:8332#allblocks  ?
16:28 < Luke-Jr> gmaxwell: like this?
16:28 < Luke-Jr> http://bitcointroll.org/?topic=324413.msg3492597#msg3492597
16:28 < Luke-Jr> gmaxwell: you *can*, but they'd likely reject it :P
16:29 < Luke-Jr> http://codepad.org/oKSM9yUT
16:29 < gmaxwell> Luke-Jr: you should fix eloipool to accept notification of blocks that way. :P
16:29 < Luke-Jr> gmaxwell: ?
16:29 < Luke-Jr> oh, .. maybe
16:29 < gmaxwell> Luke-Jr: e.g. if someone mining on another pool finds a block and submits it to you, might as well take it and give it to bitcoind... though you might do some sanitization to prevent DOS with old blocks.
16:30 < Luke-Jr> gmaxwell: yeah, hard to do because to check we'd have to hash the block
16:30 < gmaxwell> In any case, post "just add -o un:pw@localhost:8332#allblocks as a backup pool to bfgminer and it will send all blocks you find to your local bitcoin daemon"
16:30 < gmaxwell> Luke-Jr: just check the prev== current prev. and difficulty over target. thats enough..
16:30 < Luke-Jr> gmaxwell: checking difficulty means hashing it
16:30 < gmaxwell> just hash the header.
16:31 < gmaxwell> check prev, which is a compare, hash the header, which is what you do to check if a share is good already, no?
16:31 < gmaxwell> an advantage of getting people to put eligius in their configurations is that you turn other pool's miners into block monitoring drones for you.
16:31 < gmaxwell> Plus you get people to setup eligius as a backup pool.
16:32 < gmaxwell> (some of whom won't care if they get paid if it falls over to it....)
16:32 < gmaxwell> plus you can announce it as a change you made to address the issue, which sounds nice.
16:34 < Luke-Jr> gmaxwell: currently we check the user and coinbase-scriptSig-prefix are known before we hash
16:34 < Luke-Jr> and wizkid057 is whining about server overload stuff, although I can't imagine why it'd overload so easily
16:37 < gmaxwell> Luke-Jr: sounds broken, the hashing of the header should be superduper fast. hm.
16:37 < Luke-Jr> not faster than comparing two strings :P
19:49 < petertodd> sipa: that's not what I mean actually, I mean does the script have access to things like txins, txouts, blockchain headers?
19:49 < sipa> petertodd: for bitcoin, no
19:49 < jtimon> jrmithdobbs I mean simpler than Joy, not simpler than the current one
19:49 < sipa> petertodd: well, generalizing the hashtypes may be useful
19:50 < maaku> sipa: if you give the script access to the transaction, block header, and utxo data, a lot of interesting covenant-related stuff becomes possible
19:50 < sipa> but that's not really an interesting discussion - i'm being intentionally conservative here
19:50 < gmaxwell> maaku: it's pretty hard to write a compact script to do things with that access however.
19:50 < petertodd> sipa: yeah, where I'm really more focused on something you'd need for MSC, day job and all :P
19:51 < gmaxwell> It would be nice if people would write some hypothetical scripts.
19:51 < maaku> gmaxwell: hard to write a compact script? howso?
19:51 < petertodd> gmaxwell: that's also on my priorities list
19:51 < gmaxwell> E.g. we know that enabling xor or add on hash outputs gets us a bunch of things, and what we have to do to get those things.
19:51 < maaku> do you mean the interpreter, or the script(s)?
19:52 < gmaxwell> maaku: no, go write a script using the disabled opcodes that and a hypothetical PUSH_OUTPUT_N and PUSH_INPUT_N that achieves a non-trivial covenant.
19:53 < gmaxwell> it's pretty easy to end up with a painfully complicated script just to do something conceptually simple.
19:53 < petertodd> maaku: you ever written any assembler code?
19:53 < maaku> ok, you mean in bitcoin script, yes
19:53 < sipa> jtimon: an AST is really equivalent to a stack language where every operation only consumes the N last entries (with N known before evaluating them) and produces a single one
19:53 < maaku> petertodd: look at the scripts we have in the back of the freimarkets paper ... yuck
19:53 < sipa> and you end up with a single output
19:54 < jtimon> sipa, yeah, this http://en.wikipedia.org/wiki/Abstract_syntax_tree
19:54 < maaku> that's why I'd like a more powerful scripting language - even with opcodes re-enabled it's still a mess
19:54 < gmaxwell> maaku: but the problem with more powerful is that as soon as you color outside the lines you're back to a mess.
19:55 < sipa> jtimon: yeah sure, just saying that it can't be harder to implement, it's pretty much a subset of what we have now
19:55 < jtimon> I meant that something like joy seems more powerful, thus simpler for the scripting language users
19:55 < sipa> scripting language users?
19:56 < sipa> i don't care about that - go use a compiler if necessary
19:56 < jtimon> the hackers writing bitcoin scripts
19:56 < gmaxwell> sipa: well there are complications, because we'd want M-AST but the merkelization should be optional... because it doesn't make sense to merkelize something which is smaller than the hash and which you don't need to keep private.
19:56 < jtimon> sipa: good point
19:56 < jrmithdobbs> gmaxwell: btw speaking of language semantic stuff ... please go yell at someone to implement higher order kinds in rust so that functor can be implemented correctly already ;p
19:56 < gmaxwell> Thats what an assembler is for. Plus for any real use of this you'll want an assembler with a theorem prover in it so you can actually know if your script works.
19:56 < sipa> jtimon: i care about the easiness by which an implementation (script interpreter) can be judged to be correct
19:57 < maaku> sipa: is there a specific AST that is a good match to bitcoin?
19:57 < sipa> give me a day and i'll write you one
19:58 < gmaxwell> E.g. when eligius proposed using a multisig script for controlling their emergency pool receiving address the policy they decided they wanted was (X and Y) or ((X or Y) and NofM(Q,R,Z...)) and we wrote a script to achieve that... but we had no way to tell for sure that it was safe!
19:58 < maaku> i just mean i'm wondering if you had something in mind, like lisp/scheme or the spineless, tagless machines of Haskell
19:58 < gmaxwell> and it wasn't so simple that you could just look at it and tell for sure it was safe.
19:59 < maaku> jtimon: btw theorem prover mentioned by gmaxwell is why you'd want static typing
19:59 < gmaxwell> (for _sure_ not just 'sure'... as it would potentially have hundreds of BTC assigned to it in a day)
20:00 < petertodd> gmaxwell: so these theorem provers, what kinds of languages don't they exist for?
20:00 < gmaxwell> so it would be nice if I could throw that into a theorem prover and ask it "is there any way to satisfy this script that doesn't provide sigX or sigY"
20:01 < jtimon> oh, gmaxwell, I forgot that open problem
20:01 < gmaxwell> petertodd: the provers themselves are separated from the languages, and there exist tools to convert code into inputs for them for a variety of languages.
20:01 < sipa> maaku: ok, there's a data stack that is initially populated with the script inputs (scriptSig data pushes), and a program, which is a serialized abstract syntax tree
20:03 < sipa> maaku: AST nodes are: access[i] (retrieves the i'th element on the stack, counting from the top, and returns it without modifying the stack)
20:03 < gmaxwell> In C I use a tool called frama-c that can drive a dozen different backend provers. (probably one of the best of the provers for proving things about program execution is http://alt-ergo.lri.fr/ )
20:03 < sipa> maaku: const[x] (just returns x)
20:03 < petertodd> gmaxwell: exactly, so I assume for non-turing complete AST's basically the provers are easier, but as you're saying, sounds like they exist for interpreted stuff as well - hence the desire to have a prover available is not directly a consideration for the language itself (at the consensus layer)
20:04 < jrmithdobbs> petertodd: they exist in compilers like he wants, even, for that matter
20:04 < jrmithdobbs> petertodd: (haskell does some forms of this during compilation)
20:04 < sipa> maaku: let(expr1,expr2), which evaluates expr1 and puts it on the stack, evaluates expr2 using that modified stack, and then pops the element again
20:04 < gmaxwell> petertodd: certainly the language design could influence how easy it is to have a prover. For C it's a complete cluster@#$@ and the provers are not terribly complete  E.g. there is no _sound_ prover for the full C language.
20:04 < sipa> maaku: and then some basic arithmetic/crypto/string/... whatever operators
20:05 < maaku> sipa: i see. thank you this helps
20:05 < gmaxwell> petertodd: because things like pointer dereferences make life insanely hard for the provers. (though, they're not completely impotent)
20:05 < petertodd> gmaxwell: right, and again, this sounds like you're just getting pushed to what I've always thought is the most obvious way to do it: merklized forth
20:05 < sipa> maaku: you can map this indeed to a lazily evaluated functional language
20:05 < sipa> maaku: which would for example mean you don't need to evaluate expr1 in a let, if its expr2 never refers to it
20:05 < jrmithdobbs> also, I'm somehow watching 3 different conversations about this same basic subject in 3 different channels in the same window at the same time and I have no idea how that happened but it's confusing
20:06 < gmaxwell> yea, I do think that stack languages can result in easy life for the prover, though there is still the free variable of how types work.
20:06 < maaku> sipa: i've been favoring strict over lazy due to implementation complexity and risk of consensus errors
20:06 < maaku> does the laziness gain you anything?
20:06 < sipa> speed
20:06 < jrmithdobbs> sipa: tbqh, a limited haskell98 with no IO monad would be perfect and without IO the runtime gets tiny
20:06 < gmaxwell> maaku: if we merkelize the untaken branches it also can get you improved privacy and reduced program size.
20:07 < jrmithdobbs> sipa: something like fay
20:07 < maaku> jrmithdobbs: more than that Haskell core language is quite simple and probably something worth looking at, or the even more low level STG machine in GHC
20:07 < jrmithdobbs> sipa: which is haskell98->js compiler sans typeclasses (so no monads period)
20:08 < gmaxwell> maaku: e.g. if your transaction can be redeemed way X or way Y   and Y is some 4of5 of 5 pubkeys   ... then you (1) save all that space in the transactions spending it way X, and also (2) don't disclose the details of way Y unless you use it.
20:08 < sipa> yeah, adding a choose operator that evaluates one of two branches, and takes a hash for the other, is easy enough to add here
20:09 < gmaxwell> One thing to keep in mind is that what we put in a scriptsig does _NOT_ need to be a copy of the program. What goes into the scriptsig is a _witness_ that proves the program was correctly evaluated. This doesn't require including the whole program.
20:09 < sipa> yup
20:09 < jrmithdobbs> ya that's the key part satoshi missed i think
20:09 < gmaxwell> This mental model obviously applies directly to the snark stuff, but it even works in conventional execution.
20:10 < jtimon> gmaxwell not with p2sh, does it?
20:10 < sipa> so, to elaborate a bit further
20:10 < gmaxwell> jtimon: we're talking about a generalization of P2SH that works recursively, effectively.
20:11 < sipa> you associate a hash with every ast node
20:11 < maaku> gmaxwell: what was that point about merkelizing in response to?
20:11 < gmaxwell> sipa: I still think you need to have non-hashing nodes in your AST, because it's wasteful to hash for a single operation.
20:11 < gmaxwell> 17:06 < maaku> does the laziness gain you anything?
20:11 < sipa> gmaxwell: yup, that's easy to do
20:12 < jtimon> gmaxwell so you're saying that without the snark you need the merklization for what you want, got it
20:12 < jrmithdobbs> that question seems so backwards to me
20:12 < sipa> instead of associating a hash with every node, you only associate one with every "tree piece"
02:33 < amiller> already there are other smaller bitcoin knockoffs like litecoin (which now has its own silk road, uh oh) that basically differ only because they go faster
02:34 < warren> amiller: I looked at their SR-clone, it is wayyy faster and a nice web design at least.
02:35 < warren> amiller: I'm concerned of their recent x10 price spike, and possibly more coming, only to be smashed by their complete lack of developers and an unmaintained client.
02:35 < amiller> there's been some thought into relativistic finance that is less interesting than bitcoin but still goes over some basic ideas: http://www.alexwg.org/publications/PhysRevE_82-056104.pdf
02:36 < amiller> that's the most famous one that basically says you want to place your hedge fund headquarters at the right spot between orbiting financial centers you want to possibly arbitrage between...
02:38 < amiller> ah dammit i can't find the last paper i wanted to show
02:39 < warren> I'm sorry for contributing to -dev devolving away from -dev.
02:39 < warren> I can't help it sometimes.
02:40 < amiller> yeah http://www.biosystems.physik.lmu.de/paperpdfs/money_momentum_p_a.pdf
02:41 < amiller> there's a view of how different currencies might interact
02:41 < amiller> it's an analogy to particles and anti particles and conserved quantities thereof
02:42 < amiller> it's interesting in part because it's about transferable credits associated with a particular issuer
02:42 < amiller> so as a financial model it's closer to opentransactions or ripple or even colored coins
02:43 < amiller> i think the two particles interacting is the right way to think about what would happen if coins between multiple chains needed to be transferred
02:45 < warren> you mean randomness
02:45 < warren> two manic depressive entities on each side of a trade
02:49 < amiller> not randomness
02:49 < amiller> more like localized atomic interaction
03:07 < andytoshi> amiller: i think coins across multiple chains is the right way to think about particles ;)
03:10 < amiller> there are some really interesting forms of money
03:10 < amiller> early forms of accounting basically
03:10 < amiller> since multiple currencies is really more about accounting than anything else
03:10 < amiller> http://www.jstor.org/discover/10.2307/40697984?uid=3739704&uid=2&uid=4&uid=3739256&sid=21101834916641
03:10 < amiller> the original tally, the 'split tally', is a lot more interesting
03:10 < amiller> than the tally you're probably used to just drawing things on boards
03:10 < amiller> it's a split tally, that sort of resembles bitcoin's scriptsigs and scriptpubkeys
03:11 < amiller> where one piece is needed to be presented to redeem the value promised by the other
03:12 < amiller> there's also an old kind of money called the bulla
03:12 < amiller> https://en.wikipedia.org/wiki/Bulla_(seal)
03:13 < amiller> it was a way of sealing something valuable inside a lump of clay with seals on it so that it remained tamper proof
03:13 < amiller> so it's like carrier money
03:14 < amiller> old testament technology
03:15 < andytoshi> very cool
03:15 < andytoshi> i wish i had time to read up on all this stuff
03:18 < cads> thanks for the papers amiller
03:18 < amiller> glhf
07:43 < warren> So I want to learn how to programmatically interface with bitcoind.  I figure it might be helpful to implement a SD-clone on testnet in order to encourage "realistic" garbage tx's to test the blockchain handling as we move forward with 0.8.1 hard-fork testing?  Note that I disapprove of SD.  I don't post this in -dev because I'm not sure about the legality of running a fake test money gambling service.
07:57 <@gmaxwell> "no no, your honor, testnet money is _double fake_"
07:57 < sipa> is "faking" nilpotent?
08:12 < warren> I realize that might be a stupid worry.  I just don't want to broadcast intent like that for something that I would actually do if I'm not sure.
08:12 < warren> about the legality
08:13 < warren> and maybe this won't even be helpful?  If so I'll do something else.
08:13 < warren> I just figure people actually USING testnet would be a good thing.
09:07 < warren> gmaxwell: and dude.  I'm really sorry I've been annoying you these past few weeks.  My stress has been really high trying to do this thesis all this time, and I have to learn to deal with stress better than to unproductively discuss crazy and unproductive things and make dumb jokes.  When I'm past this a month from now, I really would like to learn more about Bitcoin and do things that are helpful.  I would appreciate guidance if this current idea would be helpful or not.
09:09 <@gmaxwell> I don't think it's worth doing if you're not also interested in trying more efficient variations.  If you just want to generate txn on the network you can do that without running a service.
09:16 < warren> oh.  I figured random user behavior that mimicked the real network would be helpful for a simulation, but I guess it doesn't matter if we're only concerned with the quantity of transactions from block to block.  The thing is I'm not really interested in thinking about or helping gambling to be more efficient.  I think they should stop spamming the chain entirely, do most things in-house, and only payout when they withdraw.
09:28 < warren> OK, I'll think of something else more useful.
09:34 <@gmaxwell> warren: sure but you could artificially generate the 'random user behavior' in a way that was pretty faithful with basically no more effort, plus the advantage of repeatability and no risk or ambiguity about legality.
09:34 <@gmaxwell> e.g. it's only really interesting if the users are the subject of the experiment instead of the system.
09:39 < warren> gmaxwell: Watch the bitcoin mempool and reproduce those txn in testnet of similar quantity, KB size, age and fee behavior?
09:42 <@gmaxwell> yea, even make a model with parameters fit from the actual network. one fun test would be to also try on a private testnet with difficulty 0 (comment out the POW check) and see how fast it can run.
09:43 < warren> Oh.  Accelerate the simulation.  Don't wait for real-time mining.
09:44 < warren> gmaxwell: was testnet in a box fixed?
09:45 <@gmaxwell> warren: testnet in a box is fine but testnet in a box doesn't have the pow disabled. You can just isolate some regular testnet nodes and remove the pow check.
09:45 < warren> gotcha
09:45 < warren> g'nite
21:30 < andytoshi> has much thought been given to how an altchain could pay people to run full nodes?
21:30 < andytoshi> or bitcoin, for that matter..
21:47 <@gmaxwell> andytoshi: the best I have along those lines is "validation is mining", where you have a POW which is a memory hard function based on performing UTXO queries.
22:58 < andytoshi> i wonder if simply charging for IBD would do it
22:58 < andytoshi> though i suppose there's probably no way to get bitcoins for payment until you've got a blockchain :P
22:59 < warren> IBD?
22:59 < sipa> initial block download
23:05 < warren> gmaxwell: how would that POW be transmitted and kept track of?
23:06 < warren> oh.  I see.  nevermind.
23:22 <@gmaxwell> andytoshi: charging for IBD == ~no one validates. In general the whole idea of blockchain consensus's security involves assuming that an attacker can't partition the network "because information wants to be free"; hard to hide the best chain.
23:27 < warren> gmaxwell: was your earlier comment a suggestion that an alt chain to pay for validation would be a good idea?
23:32 <@gmaxwell> warren: No. Try reading andytoshi's question again.
23:33 < warren> argh.  sorry.  back to thesis.
23:53 < andytoshi> warren: i'm also working on a thesis, i understand ;)
23:53 < andytoshi> wait, not a thesis, a term paper..
--- Log closed Sat Mar 16 00:00:26 2013
--- Log opened Sat Mar 16 00:00:26 2013
04:46 < cads> has any thought been given to using techniques from crypto-currencies to devise a decentralized education and accreditation system?
04:47 < cads> they say that when all you have is a hammer, everything looks like nails
04:48 < cads> I've been learning a lot about BTC lately, and I had a silly idea about how something like it might be used as a form of social currency, and in particular to help drive online education communities
04:49 < cads> in these communities, education is cheap or free, but the problem, as I see it, is that they do not offer any real-world incentive to study hard enough to really grasp the material.
04:49 < cads> The student has to be a self motivated learner and provide the incentive via his own love of pure learning
04:50 < cads> there is a secondary incentive - skills learned in free online classes transfer to employable skills.
04:52 < cads> however this is hard to accept for many learners, who might ask "how do I prove what I know without a degree"
04:52 < cads> online classes like coursera offer the coursera badge of completion for any class that a student completes with a passing grade, and eventually this may be recognized by universities and businesses
04:53 < cads> but coursera is just one centralized authority
04:53 < cads> I'd like to propose a system in which online classes award a decentralized learning currency to students that complete the class
04:54 < cads> the value of currency awarded is determined by the network in some way I only speculate on so far
04:55 < cads> for example, students could bid a certain number of their current education coins on a class. This determines the desirability and hence market value of the class, and determines how many coins are awarded to students.
04:56 < cads> That already has a bunch of vague spots and even a couple flaws I can think of, and I won't speculate on how the payoff per class should be determined, for now
04:57 < cads> my idea is that students will be able to use the education coins to register themselves in free online classes.
04:57 < cads> they do not need coins to join - the classes are free
17:54 <@gmaxwell> adam3us: did you see my comments about the ed25519 multipliers apparently requiring the scalar to have the high bit set?!
17:55 < andytoshi> gmaxwell: fwiw we can remove that requirement
17:55 < andytoshi> and even maintain timing resistance
17:55 <@gmaxwell> sure we can, but we lose their good existing implementation and become formally incompatible, which is lame.
17:56 <@gmaxwell> andytoshi: there was also something about requiring the scalars to be a multiple of 8 which I didn't understand at all.
17:56 <@gmaxwell> and I assume it's just confused.
17:56 < andytoshi> yeah, i didn't get that either, i was hoping a wizard would be able to clarify
17:56 < andytoshi> or that somebody on crypto.SE would step in
17:56 < andytoshi> somebody not confused *
17:56 < nsh> where is this discussed?
17:57 < nsh> (or specified)
17:57 < andytoshi> nsh: http://crypto.stackexchange.com/questions/12425/why-are-the-lower-3-bits-of-curve25519-ed25519-secret-keys-cleared-during-creati
17:57 < nsh> ty
17:57 < andytoshi> i posted that a few days ago, gmaxwell is continuing without context :P
17:57  * nsh smiles
17:57 <@gmaxwell> andytoshi: I didn't remember you posted it, it got left up in a tab.
17:58 <@gmaxwell> the responses there are just confused.
17:58 < BlueMatt> gmaxwell: the internet only works when you respond and correct them :)
18:00 <@gmaxwell> well I can correct the highest bit thing I know why it does that, though it's crappy and overoptimized.
18:00 <@gmaxwell> the *8 thing I have no freaking idea
18:10 < adam3us> gmaxwell: yes i am also not sure what the formula is achieving... djb paper is obtuse, but i guess he does answer email.  or we should ask on sci crypt cc him or they have some dev resources for the lib?
18:13 < nsh> --
18:13 < nsh> Ed25519 keys start life as a 32-byte (256-bit) uniformly random binary seed (e.g. the output of SHA256 on some random input). The seed is then hashed using SHA512, which gets you 64 bytes (512 bits), which is then split into a (the first 32 bytes) and a . The left half is massaged into a curve25519 private scalar by setting and clearing a few
18:13 < nsh> high/low-order bits. The pubkey is generated by multiplying this secret scalar by (the generator), which yields a 32-byte/256-bit group element
18:14 < nsh> -- https://www.readability.com/articles/gswpw12d
18:14 < nsh> just quite blasé "massaged into ... by setting and clearing a few .. bits"
18:15 < nsh> so no particular indication the author (Brian Warner from Mozilla) thought much of the reasoning
18:17 <@gmaxwell> it's not surprising that points have a special form, it's very surprising that scalars have a special form. The high bit set is for timing attack resistance in the multiplier. I can only assume that the low bits is some other psycho performance optimization.
18:18 < adam3us> gmaxwell: it's kind of remiss that they don't explain in the paper really
18:43 < andytoshi> gmaxwell: https://www.wpsoftware.net/coinjoin/ should be working
18:44 < andytoshi> as discussed with CodeShark, it strips scriptSigs, which may cause problems for complex use cases
18:46 < petertodd> andytoshi: cool, just submitted a tx
18:48 < petertodd> gmaxwell: yeah, but the r value is public, which lets anyone who knows the stealth address deanonymize you - you might as well just use the txid:vout
18:48 < petertodd> andytoshi: hmm, got " Sorry, this session was not found. "
18:48 < andytoshi> petertodd: yeah, and it's claiming that the session is -92 minutes old
18:49 < andytoshi> sorry, one moment
18:49 < petertodd> andytoshi: now -94 minutes :p
18:49 < andytoshi> oops, permission error
18:50 < andytoshi> should be good now
18:50 < andytoshi> but you'll have to resubmit
18:50 < petertodd> just did
18:52 < petertodd> cool, anyone else want to submit?
18:52 < andytoshi> sure, i'll submit one
18:53 < petertodd> andytoshi: "The most popular output value is 0.0005" <- treating the fee as popular
18:53 < andytoshi> yeah, i noticed that :P
18:53 < andytoshi> probably not a useful behavior
18:53 < petertodd> yeah
18:55 <@gmaxwell> adam3us: the number of the points isn't @#$@#$@#$@ prime. it has a @#$@#$@ cofactor of 8.
18:56 <@gmaxwell> petertodd: wtf. no. the r value is _exactly_ like your public key.
18:56 <@gmaxwell> K is the corresponding private key.
19:00 < petertodd> gmaxwell: ah I see what you mean, that works
19:02 < andytoshi> petertodd: cool, i joined you
19:02 < petertodd> andytoshi: cool, so I sign when the tx closes right?
19:02 < andytoshi> yeah, if the window is open it should play a chime
19:02 < andytoshi> in 5 minutes
19:04 < petertodd> andytoshi: a nice feature would be to list not just popular output values, but also combinations of input values that you might want to match
19:04 < andytoshi> in future, it will not use donations in computing the popular outputs
19:04 < petertodd> andytoshi: though obviously that gets complex :)
19:04 < andytoshi> petertodd: yeah, agreed, the devil is in the details
19:04 < amiller> andytoshi, that's cool
19:04 < andytoshi> gmaxwell suggested just showing all the output values which appear at least twice
19:05 < andytoshi> or an arbitrary one, if none do
19:05 < CodeShark> you could also use a second transaction to further split outputs
19:06 < CodeShark> hmmm, although if not careful, that can leak information
19:06 < petertodd> andytoshi: "The current session is open for -0 more minutes."
19:06 <@gmaxwell> The current session is open for -0 more minutes.
19:07 < andytoshi> petertodd: lol, it won't go actually negative
19:07 < andytoshi> agreed, i should fix that bug
19:08 < petertodd> andytoshi: signed and submitted
19:08 < CodeShark> you could have all inputs be the same value, then have each submitter send a change output
19:08 < andytoshi> cool, one sec, i'll just verify
19:09 < CodeShark> participants could create specifically denominated outputs beforehand
19:09 < CodeShark> to use as inputs in this transaction
19:09 < andytoshi> i submitted too, in a minute it should give us a txid
19:09 < andytoshi> CodeShark: also a good idea
19:10 < andytoshi> it's hard to say what would be best, and all the ideas proposed involve a lot of work ;)
19:11 < petertodd> andytoshi: fee is a bit low
19:12 < petertodd> andytoshi: off by one digit
19:12 < andytoshi> really?
19:12 < CodeShark> requiring specifically denominated outputs should be easy to implement from your perspective - you just need to have multiple "rooms" for different denominations, ensure the inputs are the same value. you do need a txindexed database to query against to get input values, though
19:12 < CodeShark> err, specifically denominated inputs
19:13 < andytoshi> petertodd: the code uses 1500 satoshi / kb
19:13 < petertodd> andytoshi: it's 688 bytes, so the fee should be at least 0.0000688 BTC
19:14 < andytoshi> oh, i am off by a power of ten
19:14 < andytoshi> shit
19:14 < petertodd> heh
19:14 < CodeShark> the 0.1 room, the 1.0 room, the 10.0 room, etc.. :)
19:15 < andytoshi> really
19:15 < andytoshi> ? 15000 seems wrong
19:15 < andytoshi> 10000*
19:15 < CodeShark> you might also want to charge the fee proportional to the number of bytes contributed
19:16 < CodeShark> for each participant
19:16 <@gmaxwell> you don't know the bytes in advance, alas.
19:16 < CodeShark> well, you don't know the signatures
19:16 <@gmaxwell> though you can compute a conservative estimate but it makes it hard to use.
19:16 < petertodd> andytoshi: int64 CTransaction::nMinRelayTxFee = 10000
19:16 <@gmaxwell> CodeShark: which is almost all the bytes.
19:16 < andytoshi> i'm already using a conservative estimate
19:16 < petertodd> andytoshi: 15000 is a good value
19:16 < CodeShark> but you can estimate the signature size
19:16 < andytoshi> ok, that's what i'm going to use then
19:17 < andytoshi> i'll have to jack up the minimum donation
19:17 < petertodd> andytoshi: I wouldn't worry about maybe too high fees myself
19:18 < andytoshi> ok, so the site now demands 10000 satoshi from each participant
19:18 < andytoshi> from that, it submits 15000/kb to network fees, and keeps the rest (if any)
19:18 < petertodd> andytoshi: heck, scriptSigs are limited to 520 bytes or something IsStandard - that's not that much more than the usual scriptSig size, so just assuming that with absolute min fees wouldn't be a big deal
19:18 < CodeShark> another way to deal with the fee calculation is have each participant specify a change output - then you calculate fees on your end and set the value accordingly
19:20 < CodeShark> as a convention, for instance, the first output of the transaction can always be treated as the change output
19:20 < CodeShark> or the last
19:20 < andytoshi> CodeShark: i don't think that much complexity is needed
19:20 < CodeShark> of course, you should shuffle it on your end before signing is done
19:20 < CodeShark> point is you could set the fees yourself
19:20 < andytoshi> yes, there is shuffling done
19:21 < CodeShark> without requiring the participants to calculate the fee
19:21 < CodeShark> makes it easier to use :)
19:21 < andytoshi> CodeShark: if they want ease of use they can just send a ton to the donation address ;)
19:21 < CodeShark> lol
19:22 < andytoshi> petertodd: should i fix our transaction and try to resubmit it? my node has not seen it yet for example
19:22 < andytoshi> i'd have to pm you for a new signature
19:22 < petertodd> andytoshi: sure
19:22 < petertodd> andytoshi: or fix the site and I'll just do another join
19:23 < andytoshi> the site is fixed, but it won't let you put the same inputs in
19:23 < petertodd> ah
19:24 < andytoshi> yeah, quite frustrating
19:24 < andytoshi> gimme a couple minutes..
19:30 < petertodd> just started a fresh tx if anyone wants to join
19:31 <@gmaxwell> pretty high minfee now.
19:32 < petertodd> gmaxwell: low compared to the value of my time :P
19:33 <@gmaxwell> yea, its not bad.
14:02 < gmaxwell> petertodd: okay, so I've got an idea for a solution to your asymmetrically memory hard POW function. I'd give it a 90% chance of working, and a 50% chance of being practical.
14:04 < gmaxwell> petertodd: here is how you do it.  First define some function that consists of a fixed sequence of adds and multiplies which cannot be algebraically simplified without knowing the values in question.  E.g. I think x=a*b+c*b+c*b+c works
14:04 < gmaxwell> petertodd: now, go find a fully homomorphic encryption scheme... e.g. supports both adds and multiplies.
14:05 < gmaxwell> petertodd: now when the client connects you give him a,b,c under homomorphic encryption with a key known to you and tell him to run the operation chain for difficulty steps.  He memorizes results.
14:06 < gmaxwell> When he finishes he tells you the last one, and you challenge him for intermediate values however often you like.
14:06 < gmaxwell> Because you know the keys and the values of a,b,c you can compute the outcome directly, while he's forced to operate sequentially (under the slow homomorphic encryption too)
15:08 < gmaxwell> maaku: Oh I just saw your coinjoin thread. I will be really sad if you aren't able to get funded to work on this.
15:10 < maaku> i would be surprised if i didn't - there's lots of deep pocketed people that want privacy for their bitcoins, but we'll see
15:11 < maaku> sometimes for nefarious reasons i'd rather not support, but i don't see how to add privacy without also enabling that
15:12 < gmaxwell> Right, that's my view too. That's just the nature of technology; all of it is dual use.
15:13 < maaku> gmaxwell: what i'm trying to do is make it so that only you know which outputs are yours, without requiring a complex multi-party computation and all the requisite overhead
15:13 < gmaxwell> And if some of the flow of nefarious funds can be redirected to help out the public, then great.
15:13 < maaku> unless of course you're only joining with one other person
15:14 < gmaxwell> maaku: right. So, some party is acting as a "hub" that e.g. merges up the signatures. Why can't they just pick the ordering at random?
15:15 < maaku> gmaxwell: that was my protocol before, and it has the disadvantage that although the mapping is obscured through blind signing, the hub can keep records
15:16 < maaku> but if the protocol is the hub manages collecting blinded tokens, signing them, and then collecting unblinded signatures, and *then* sorts by unblinded signature value
15:16 < maaku> the hub has no way of knowing any more than anyone else what the ordering is
15:17 < gmaxwell> maaku: What kind of records? I assumed that the unblinded outputs would be returned to the hub over a separate anonymous connection.
15:18 < maaku> true
15:19 < maaku> ok all the sorting does is provide a deterministic ordering, so the hub isn't required for the last step (building the transaction)
15:19 < gmaxwell> (that requirement is kind of lame, considering that there really does not exist a good solution for those; tor is good enough for casual privacy at least)
15:19 < maaku> that means the protocol already has the feature i wanted. cool
15:19 < gmaxwell> maaku: okay good I think we're on the same page.
15:20 < gmaxwell> and yea, making the sort a function of some data known to all the participants is fine and good and might simplify it in practice. Don't use data in the transaction to sort however, you don't want CJed transactions to be more identifiable in the blockchain than they need to be.
15:21 < maaku> yes, sort the signatures of the outputs, not the outputs themselves
15:21 < maaku> yeah i'm not happy with revelation over an anonymous connection, but it seems we're venturing into somewhat unexplored territory to avoid that...
15:22 < maaku> hopefully it's something that can be added later
15:22 < gmaxwell> well, at least I do think the multiparty computation route requires _only_ sorting. ... which isn't so bad. But I think trying to do that at the front would be suicide.
16:11 < nanotube> fwiw, i run full node on my main comp. and following that discussion spun up another node on a vps. gmaxwell wanna peer? :)
16:12 < gmaxwell> nanotube: make it accept hidden service connections too?  see doc/tor.md  :)
16:13 < nanotube> good idea.
16:14 < gmaxwell> My laptop is 5yljdotwhmx65nlk.onion  my main mining node at home is outbound only right now, but I should fix that.
16:15 < nanotube> ok. i'll get tor up in a bit.
16:16 < nanotube> is it possible/advisable to run a single node behind both tor and non-tor?
16:17 < nanotube> i see it is possible, as per doc. is it advisable? :)
16:19 < gmaxwell> If you're using tor for privacy, no. If you're using it to provide network services, yes, since you'll bridge tor-world and non-tor-world.
16:20 < gmaxwell> eventually we'll have to deal with DOS attacks coming via hidden services... (that's actually part of the motivation for the "asymmetrically memory hard POW" I was nattering on above)...
16:21 < gmaxwell> so in theory the only real downside to doing both right now is that maybe a hidden service only dos attack takes out your node on both networks at once. I think that's an acceptable risk right now.
16:47 < nanotube> heh yea, i was taking a walk and realized that if i'm doing it for network health, it'd probably be good to bridge, since if everyone was tor-only it wouldn't work. come back and see you've confirmed my thinking. :)
16:51 < gmaxwell> in the future I expect that smarter networking will constrain resources so that a dos attack on one side only hurts that side.
18:23 < gmaxwell> oh god, some stupid reporter got the idea that the node wedging transactions were the result of someone creating bitcoin out of thin air by successfully mining a block
18:24 < gmaxwell> and it took an excruciating amount of effort to break them of the mental model where nodes simply trust everything in a block and security comes "because no one person can make a block"
18:30 < phantomcircuit> gmaxwell, lol reporters
18:30 < phantomcircuit> gmaxwell, http://pastebin.com/raw.php?i=Hjrrg3kX
18:31  * gmaxwell types /axwell   whew
18:33 < phantomcircuit> gmaxwell,
18:33 < phantomcircuit> ""Isn't anonymity one of the biggest reasons lots of people support Bitcoin?" one member of bitcointalk.org asked last month, in a comment echoed by other users. "So that the centrally controlled banks/governments don't control personal transactions or even have records of those private transactions?""
18:33 < phantomcircuit> makes me want to cry
18:35 < gmaxwell> I love it that they don't attribute there, because the guy's name was probably like JohnGaltDickSlapperCyberCunt1996
18:36 < phantomcircuit> https://bitcointalk.org/index.php?topic=274186.msg2938172#msg2938172
18:36 < phantomcircuit> actually it's just Chronikka
18:36 < phantomcircuit> sooooooo
18:39 < gmaxwell> maaku: thanks for that RapidBalls thread. :P
18:39 < gmaxwell> maaku: phantomcircuit actually has wallet fixes that make the behavior not-exponential.. but I wasn't super eager to point them to them when it sounded like they were doing something spammy (lines you correctly read between even when they couldn't
18:40 < gmaxwell> ("rapidballs" totally sounds like a forum username too)
18:40 < phantomcircuit> gmaxwell, there's actually still a ton of hilariously inefficient behavior in the wallet
18:41 < phantomcircuit> but it's all acting on structures in memory
18:41 < phantomcircuit> so
18:41 < phantomcircuit> shrug
18:41 < phantomcircuit> i would however really like to break out the protocol rules into rule modules
18:41 < maaku> heh, got an unexpected 0.5btc out of it.. which is lucky because my first inclination was to be a snarky douchebag and I almost was
18:41 < phantomcircuit> since at the moment network rules and soft node rules and anti dos rules are all mixed together
18:42 < maaku> newbie named RapidBalls spamming the network is asking for it ;)
18:43 < phantomcircuit> gmaxwell, sipa do either of you have any ideas on the structure/naming for classes that contain the network/soft/antidos rules?
18:43 < phantomcircuit> i was thinking something as simple as a class with static const methods
18:45 < gmaxwell> maaku: yea, in any case, to keep up your contracting business there I thought I'd tell you about phantom's fixes.
18:47 < phantomcircuit> lol
18:56 < midnightmagic> nanotube: which write-up was that again?
18:58 < midnightmagic> (that convinced you to spin up another node)?
18:59 < maaku> yeah thanks i didn't know about phantomcircuit's fixes
18:59 < phantomcircuit> maaku, did you manually create transactions for them or something?
19:00 < maaku> no, just told them about blocksize limits and such. they're really new to this
19:01 < maaku> he's making something like 500 transactions/minute, and wondering why bitcoin is behaving slowly
19:02 < phantomcircuit> why is he creating 500 transactions/minute...
19:02 < phantomcircuit> yeah my patches would improve his bitcoind performance but he'd just end up with a bunch of unconfirmed transactions
19:03 < gmaxwell> phantomcircuit: because his name is "RapidBalls" what do you think?
19:03 < phantomcircuit> lol
19:03 < phantomcircuit> so because he's being a dick
19:03 < phantomcircuit> got it
19:03 < gmaxwell> the username alone tells me its some derpy gambling site that hasn't figured out that they can do something other than one transaction per bet.
19:03 < phantomcircuit> or that
19:03 < gmaxwell> I promise that their visa handling people would shut off their service faster than you can say "rapidballs" if they started running 500tx/minute.
19:05 < phantomcircuit> yeah for sure
19:06 < phantomcircuit> 500tx/minute is maybe what something like walmart does
19:06 < phantomcircuit> on a saturday at peak hours
19:07 < phantomcircuit> gmaxwell, so in trying to improve the reliability of automated withdrawal request processing
03:49 < warren> sigh, *this* might be the reason for the apparent "bad luck" of p2pool.  Just a few orphans here or there can make it look bad over short time scales especially since the pool finds blocks infrequently.
03:49 < petertodd> what do you mean '*this*'?
03:50 < warren> Lots of home users with asymmetric bandwidth, uploading slowly.
03:50 < petertodd> ah, yes absolutely
03:50 < petertodd> people really don't realize how much bandwidth you need to upload blocks fast enough to keep orphans down
03:50 < warren> People have been commenting on the "bad luck" of p2pool forever and nobody mentioned this as a possibility.
03:51 < petertodd> Really? Shit, I thought I mentioned it publicly a few times in the small blocks stuff... I probably forgot to mention P2Pool specifically.
03:51 < warren> The block forwarding thing could be made better if the p2pool nodes also connected their bitcoind's together, so "INCOMPLETE BLOCK" won't happen.
03:51 < warren> They can't choose tx's anymore, but at least they're all reference.
03:52 < warren> or rather, INCOMPLETE BLOCK would happen less often
03:52 < petertodd> Yeah, it'd be a good idea. You'd need to come up with a central tx choosing algorithm, and at that point, you can actually semi-ditch bitcoind...
03:52 < warren> ah!  p2pool already has RPC access to bitcoind.  It could just addnode right?
03:52 < petertodd> Yup
03:53 < warren> do you have any way to read the bitcoind's IP:PORT from RPC?
03:53 < warren> it could addnode but it has no way of knowing *what* to connect to
03:53 < petertodd> No, but you don't need to. Just read ~/.bitcoin/bitcoin.conf
03:53 < warren> No, I mean the foreign node:port, which is what your addnode would need.
03:53 < petertodd> Ah, just have them tell you.
03:53 < warren> ahhh
03:54 < warren> Some people were talking about integrating p2pool-like functionality directly into bitcoind.  Perhaps this would be easier that way.
03:55 < warren> (not a great idea for other reasons, like you would have lots of extra code in the reference client)
03:56 < petertodd> Yeah, we're moving towards removing stuff from the bitcoin client not adding.
03:58 < warren> INCOMPLETE BLOCK FOUND seems to happen ~50% of the time here
03:58 < warren> so p2pool could be propagating the block faster in some cases, and slower in others
03:58 < petertodd> Interesting, have you read the p2pool code to figure out what's going on?
03:58 < warren> no, never thought what INCOMPLETE meant
03:58 < petertodd> read it
03:59 < warren> and I heard the block forwarding thing was added because block submission on some nodes was failing entirely
03:59 < petertodd> lovely...
03:59 < warren> on LTC p2pool most of the nodes are actually failing block submission right now
03:59 < warren> and nobody noticed for months due to the block forwarding
04:00 < petertodd> nice
04:01 < warren>  block = share.as_block(self.tracker, self.known_txs_var.value)
04:01 < warren>             if block is None:
04:01 < warren>                 print >>sys.stderr, 'GOT INCOMPLETE BLOCK FROM PEER! %s bitcoin: %s%064x' % (p2pool_data.format_hash(share.hash), self.net.PARENT.BLOCK_EXPLORER_URL_PREFIX, share.header_hash)
04:01 < warren> self.known_txs_var.value ... that's probably it.
04:02 < petertodd> makes sense
04:02 < warren> so ugh... there is a *real* cost to decentralized mining
04:03 < petertodd> for sure, and that's the cost *now* with 1MB blocks, hell, more like 150KB blocks really...
04:03 < warren> which can be minimized with peer optimization, putting your nodes in nearby data centers or upgrading your upload bandwidth, connecting directly to other nodes, using reference clients that link to each other...
04:03 < petertodd> ....all things that cost money ultimately
04:04 < warren> some of that can be automated.  but yes, other things cost.
04:04 < warren> It's worthwhile for ASIC owners probably.
04:04 < petertodd> yup, it's the things that gavin and mike don't get: every cent spent on bandwidth is a cent not spent on hashing power
04:04 < petertodd> for now, only because ASICS bring in stupid amounts of money
04:05 < warren> the alternative for ASIC owners is to mine on a centralized pool, increasing risk to the network, and losing income from DDoS attacks on the centralized pool.
04:05 < petertodd> although, what that says is ASIC owners have reasons to just point it at BTC guild...
04:05 < petertodd> nah, a big ASIC miner should be mining solo
04:05 < warren> well, big in aggregate
04:05 < petertodd> but a small one should go for the biggest pool with hopefully the most resources to fend off DoS attacks
04:06 < warren> DoS yes, but centralization is dangerous if the pool is compromised or http://xkcd.com/538/
04:06 < petertodd> but that's my point, the individual ASIC owner doesn't care
04:06 < warren> You want to destroy Bitcoin?  forget fancy hardware.  Just kidnap two pool owners.
04:06 < warren> *done*
04:06 < petertodd> centralization costs everyone, not just them
04:06 < petertodd> absolutely
04:07 < petertodd> and it's most likely to happen when starting a new pool is hard... like with Mike's crazy world where just getting access to the UTXO set in its entirety is tough
04:07 < warren> yes, I really dislike those elitist arguments
04:08 < petertodd> he works at the biggest server *manufacturer* in the world, what do you expect?
04:08 < warren> oh, which?
04:08 < petertodd> Google. They make all their hardware from scratch
04:08 < warren> petertodd: this is largely why I'm interested in working on litecoin.  their users already accept anti-spam, so I have lots of flexibility to try better anti-spam ideas there.  I don't need to fight the political battle in bitcoin.
04:08 < warren> oh
04:09 < warren> Right now their anti-spam mechanism is a blunt instrument, HIGH FEES ON EVERYONE AND EVERYTHING.  I aim to make those fees more targeted to encourage and discourage certain behaviors.
04:09 < petertodd> I had an interview there for a job with their hardware division actually, it's huge.
04:10 < petertodd> It was for a firmware testing position, and I'm analog electronics, so I'm not surprised I didn't get the job. :P
04:10 < warren> =)
04:11 < petertodd> If anything, it shows how desperate they were for people that they flew me down even after I made it clear I had no intention of a career change.
04:11 < petertodd> I like the "make it expensive" anti-spam rules myself, but they are only practical with small block sizes.
04:12 < warren> litecoin blocks are indeed small. =)
04:13 < petertodd> blockchain can grow 1MB per block, with 4x more blocks per hour
04:14 < warren> I intend on checking if any past blocks were bigger than 256KB or 512KB and if so shrinking the hard-limit.  It won't be risky after the majority of miners switch.
04:14 < petertodd> ah, see that would be a good thing
04:14 < petertodd> (I looked into attacking litecoin via spam, and figured it was too expensive, namecoin on the other hand is doable)
04:14 < warren> probably don't want to go all the way down to 4x smaller, since tx sizes aren't 4x smaller
04:15 < petertodd> more important though: work on off-chain tx systems, they'll help bitcoin and every alt-coin
04:15 < petertodd> even simple stuff like auditing is a big win
04:15 < petertodd> and multisig coin storage to reduce hacks
04:15 < warren> my interest in litecoin is primarily to prove that fee-based anti-spam incentives work, because I'm really angry about the bitcoin situation.
04:15 < petertodd> what, data in the chain?
04:16 < warren> No, the elitist arguments, and the blind belief that "fee competition" will somehow solve our problems.
04:16 < warren> bullshit.
04:16 < warren> Just throw more hardware at the problem
04:16 < warren> Satoshi's design is perfect.  Stop questioning it.
04:17 < petertodd> wait, so you think throwing more hardware is a solution, or the dumb way to fix it?
04:17 < warren> dumb
04:17 < petertodd> good
04:17 < warren> You can use fee-based incentives to encourage and discourage all kinds of behaviors that are beneficial to the overall network growth.
04:18 < warren> Discourage externalizing costs.
04:18 < petertodd> but see, I *do* have a blind belief in fee competition, so to speak, because I'm happy to spend $5 per tx if off-chain tx's work and are adopted widely
04:18 < petertodd> we can live with 1MB blocks basically forever even if every block is exactly 1MB
04:18 < petertodd> it's what we all signed up for, and in that scenario, spam doesn't bother me one bit
04:18 < warren> "what we signed up for" is a logical issue here
04:19 < petertodd> heh, well, it's what the source says
04:19 < petertodd> satoshi wasn't thinking too far ahead
04:19 < warren> satoshi got a LOT right
04:19 < petertodd> ...and a lot wrong too
04:19 < warren> He forgot to realize that UTXO cost isn't reflected in the fee formula.  Oops.
04:19 < petertodd> that's a BIG one he got wrong
04:20 < warren> yeah, and that's a key one a few devs fight
04:20 < petertodd> he never thought of fidelity bonds :P
04:20 < petertodd> (and I say that as someone who both invented them, and likes to make fun of them all the time)
04:20 < warren> anyway, I can't win this battle directly with bitcoin, so i'm going to prove it with litecoin.
04:21 < petertodd> well, good luck
04:21 < warren> I'm trying to push in arbitrary behavior incentives, including "punish uncompressed keys with yet another fee for no good reason"
04:21 < warren> excuse for all of this is "Hey you're unaffected with coin age."
04:22 < warren> and also "we're lowering the normal-sized tx fees.  Just don't spam and you're fine."
04:22 < petertodd> hmm... I'd suggest you focus on the UTXO business, and do so directly, don't get into the game of punishing specific tx types
04:22 < petertodd> if fees become valuable, miners will behave rationally
04:23 < warren> fees are already too valuable there, even the pool owners want fees to go down (for non-spam)
06:03 < warren> I'm booking my trip to the Vegas conference.   anyone else going?
06:03 < warren> there's a hidden discount code
06:03 < adam3us> warren: yeah i think so
06:03 < adam3us> warren: oooh nice ... do share :)
06:03 < petertodd> warren: vegas?
06:03 < adam3us> warren: (not booked yet)... btw fair warning it seems to be relatively non-tech
06:04 < warren> adam3us: I'm an MBA/law student
06:04 < adam3us> warren: reiner is presenting, otherwise suits
06:04 < petertodd> adam3us: yeah, and by sticking to ordering, you are forced to deal with incentivising mining separately, which can be an advantage rather than just giving it a hope and prayer
06:04 < adam3us> warren: i am talking about people who can't code, or probably fully understand bitcoin protocol if they had to to save their life
06:05 < adam3us> petertodd: yes that is a nice side effect - many incentives and attacks become weaker if you're attacking opaque blobs of your adversary, worst you can do in many cases is random DoS that costs you money
06:06 < warren> adam3us: you mean any of us fully understand the bitcoin protocol? =)
06:06 < warren> I don't think Satoshi understood it fully.
06:09 < adam3us> warren: satoshi - maybe... the full implications at the limits of game theory are complex.  but the whole thing is amazing so bucket loads of kudos to satoshi
06:11 < petertodd> adam3us: see the tx fees/latency thing is something I've lately realized should be worried about - specifically how orphans incentivize mining centralization
06:24 < adam3us> so bitcoin hw security.  seems like the risk is going up.  at some point someone with $1m worth of zerodays is going to burn them to steal $10m worth of bitcoins.  and there are people with access to zero days
06:25 < adam3us> i think the solution is hw wallets like trezor and armory offline
06:25 < petertodd> armory says they'll have useful multisig soonish
06:28 < adam3us> petertodd: my other thought is any 2fa for services cannot be disconnected from the tx
06:28 < petertodd> adam3us: ever see my 2fa scheme with multisig txs?
06:28 < adam3us> petertodd: ie it must resolve to the tx, on an offline wallet with a display
06:28 < adam3us> petertodd: no but that sounds like you already had the same thought
06:30 < petertodd> adam3us: well I was thinking use bip32 to generate one of the keys, and then use an OTP scheme to generate the other. Now when you initialize it, you pre-generate all the pubkeys for the OTP scheme, and then transfer coins to the resulting addresses. Every OTP code you reveal has in effect authorized the expenditure of some fixed amount of BTC.
06:30 < petertodd> adam3us: it's not "interactive", but the security is very understandable and predictable, and the scheme can be done on paper
06:43 < warren> adam3us: fail. conference fee paying has no bitcoin option.
06:43 < adam3us> petertodd: well i mean like say an exchange, it holds your coins and fiat
06:43 < petertodd> adam3us: ah, outsource the risk to them, which is reasonable too
06:44 < adam3us> petertodd: rather it should do the type3 exchange. it green signs only
06:45 < adam3us> petertodd: then the 2fa is the user signs with their multisig key after reviewing the transaction
06:45 < adam3us> petertodd: they should issue their usdcoin also with an offline issuing key, block chain validated, again 2fa signed by multisig
06:46 < petertodd> adam3us: yeah, gavin outlined something similar to that actually
06:46 < petertodd> adam3us: 2fa auth to the holder, and then they counter-sign
06:46 < adam3us> petertodd: in that way the exchange can't steal or be hacked
06:46 < adam3us> petertodd: and their only signing key (issue/redeem) is air gapped
06:47 < adam3us> petertodd: people are going to have to do type3 exchange sooner or later or bad things are going to happen
06:47 < petertodd> type3 exchange?
06:48 < adam3us> petertodd: so where the exchange has no coins at risk
06:48 < petertodd> ah right
06:48 < adam3us> petertodd: type2 i was calling where they have only fiat at risk (like bitalo finally is working on)
06:49 < petertodd> well, there's also type2.5, where the exchange can't steal, but if they lose the key you're fucked
06:49 < adam3us> petertodd: after having their previous exchange owned/insider attacked or something - only because they learnt the hard way!
06:49 < adam3us> petertodd: yes.  i think you want a timelocked reimbursement for the multisig in case exchange goes rogue, disk crash, out of biz, etc
06:50 < petertodd> absolutely, although actually handling that is hard - lots of ugly state and software messiness
06:50 < adam3us> petertodd: of course your usdcoin are toast anyway - that's down to queueing up as a creditor of the type 3 exchange
06:50 < petertodd> owning USD is inherently not a type3 scenario :P
06:50 < petertodd> regardless of how directly you own it
06:51 < adam3us> petertodd: i think it's the new model really, i can't see anything else working as you're just putting up a fat perfect crime target, people will burn zerodays, hack certificate authorities, bribe employees, physically break into server rooms... it's all coming
06:52 < adam3us> petertodd: i suspect even the 1000s of snowden level guys at NSA and other intelligence agencies with access to their grey-market zerodays, and the grey hat hackers who developed and sold them the zerodays will sooner or later go darkside
06:52 < petertodd> adam3us: I remember saying to gmaxwell months ago that I was hesitant to write anything remotely real related to fidelity bonded banking until I had some remote attest capable TPM hardware to use
06:52 < adam3us> petertodd: eg btcarmory.org is a malware clone of bitcoinarmory.com professionally cloned web site, presumably designed to steal your offline armory wallet
06:52 < petertodd> nice...
06:52 < petertodd> yes, bad software is a nasty one too
06:53 < petertodd> heck, whenever I've used bitaddress.org I've always entered in my own randomness :P
06:54 < adam3us> petertodd: people are going to steal code signing certs or obtain by document forgery.  even happened to Microsoft something like that ... fool the RA process of a CA
06:54 < petertodd> yup
06:55 < petertodd> excellent reason to avoid auto update for that matter... also spread your coins across multiple wallet implementations
06:56 < adam3us> petertodd: i think even code signing is bad... signing keys can be compromised, compelled sig on TLA malware version by court, compelled signing key disclosure, things like that
06:56 < adam3us> petertodd: maybe it's time to publish software hashes to the block chain and forward secure signatures
06:57 < petertodd> forward secure sigs?
07:04 < adam3us> petertodd: kind of like forward secrecy for encryption
07:05 < adam3us> petertodd: you destroy old signature keys so you couldn't forge and resign an old one with the same key
07:06 < adam3us> petertodd: http://www.cypherspace.org/adam/nifs/refs/forwardsecure.pdf
07:06 < petertodd> ah right
07:07 < petertodd> see, just timestamping signatures in bitcoin works well too for that
07:07 < adam3us> petertodd: the main thing is they found a way to have a sequence of public keys and deleted old private keys compactly, otherwise you could just state an intent to use each sig only once
07:07 < adam3us> petertodd: yes it may be functionally similar in effect
07:08 < petertodd> I keep meaning to update opentimestamps with OpenPGP support, but that'll be a fair amount of work...
07:08 < adam3us> petertodd: also there is a way to do one use signatures where the signature key can only be used once,
07:08 < petertodd> how does that work? I mean, how could you enforce that?
07:08 < petertodd> (well, without a consensus key-value system anyway...) :P
07:09 < adam3us> petertodd: it's quite simple you pre-generate R=xG and make it part of the address, so Q'=H(Q,R)
07:09 < adam3us> petertodd: now people will only accept as valid a signature with that specific R value
07:09 < adam3us> petertodd: brands uses it for one-show certificates.
07:09 < petertodd> I guess I'm not following
07:10 < adam3us> petertodd: the interesting thing is if you go ahead and reuse R, and sign two different messages, you can do that but you leak your private key via simultaneous equation
07:10 < petertodd> ah right, figures, my point was, that's not a scheme where you can't re-use a signature, that's a scheme where you damn well shouldn't, but a validator without perfect knowledge can't tell the difference
07:10 < adam3us> petertodd: so ecdsa sig Q=xG, R=kG, s=(h(m)+rd)/k, r=R.x
07:10 < petertodd> (knowledge of all sigs made)
07:10 < adam3us> petertodd: ok
07:11 < petertodd> my point being that with a consensus key-value system, you can define the signature as valid if it's the one setting a given key to a given value
07:11 < adam3us> petertodd: yes, but it becomes unconvincing - why would you sign twice, it tells you this is invalid, if you can combine it with time-stamping to order them, that's it
07:12 < petertodd> right, but then the attacker signs twice, so you have three in total, and you still need the consensus system to figure out which was first
07:12 < adam3us> petertodd: yes.  it could be interesting though because any miner could take the private key and spend it to himself instead
07:12 < petertodd> right, so in some cases you can treat it like a fidelity bond
07:13 < adam3us> petertodd: and it provides cryptographically enforced one-use addresses re Luke-Jr's attempt to incentivize secure use
07:14 < petertodd> yeah, but s/enforced/boobytrapped/ :P
07:14 < adam3us> petertodd: yes i guess so.  it could even be specified who benefits eg put the double spend address in the address
07:14 < adam3us> petertodd: the one downside is you have to be really careful with sw failure, spending is not idempotent
07:15 < petertodd> yea, and that's damn ugly
07:15 < adam3us> petertodd: accidentally pay twice due to system crash during a spend and lose your money
16:37 < petertodd> helo: agreed, they *do* have tradeoffs with regard to pow. However I would argue that for full-nodes "botnet-centralization" isn't a risk, so avoiding asics makes a lot of sense.
16:37 <@gmaxwell> maaku: but I'll grant you that if bitcoin had been asic (/gpu) resistant then it would have been mostly botnets.
16:38 < petertodd> helo: anyway, it's rather hypothetical: bandwidth kills you way before you need asics to process the blockchain...
16:38 <@gmaxwell> petertodd: I don't believe you can avoid asics.
16:38 <@gmaxwell> petertodd: at best you could lower them to some small factor advantage, but the competitiveness of mining means that eventually that small factor will be enough that only the specialized hardware survived. I thought you agreed about this?
16:38 < petertodd> gmaxwell: sure you can, like I've said before making asics a small integer multiple more efficient rather than hundreds of thousands of times is a huge win
16:38 <@gmaxwell> I don't think it's a win.
16:39 < petertodd> gmaxwell: well, I agreed with the first half, the second half I don't: if censorship becomes prevalent, it's ok if blacklisted transactions cost some small multiple more to get mined
16:39 <@gmaxwell> e.g. if the asics are 10x advantaged then asic farms in the lower 50-tile worldwide power can put everyone else completely out of profitability.
16:40 <@gmaxwell> okay, maybe there is something there.... but censored miners have an uphill battle, e.g. like having to hide their operations.
16:40 < petertodd> sure, but a hill is far more likely to be surmounted than a cliff
16:52 < jtimon> asics cannot be avoided by definition, by asics I mean specialized hardware
16:53 < maaku> jtimon: yeah, but petertodd's goal i think would be to have a pow whose specialized hardware is the everyman's computer
16:54 < jtimon> you could design an algorithm targeted for certain architecture, that's all
16:54 < maaku> e.g., memory-hard and requiring complex computational capability, which would make something like the AMD APU the best system to use
16:55 < petertodd> well, absolute lowest cost will likely be custom hardware, but if it's a matter of custom PCB's and maybe some FPGA's linking it together, you've made a cottage industry that's fairly decentralized vs. ASICs which are hard-centralized.
16:56 < petertodd> and if off-the-shelf PCs aren't *too* large of a difference, people may still very well mine with them for reasons like "because I can" and "hey, free heat!"
16:56 < maaku> petertodd: ASICs will always win out, by double-digit factors I would wager
16:56 < jtimon> to match the "majority's architecture" you would need to both 1) predict the future 2) cause it, by imposing a favourite arch
16:57 < petertodd> maaku: well, I'm arguing single-digit factors, so we're in agreement roughly :P
16:57 < jtimon> no, maybe not both, sorry I'm...
16:57 <@gmaxwell> good luck powering a common cpu with just a 2 layer pcb.
16:57 < petertodd> jtimon: target RAM and you're within ballpark - heck, litecoin's PoW seems to have decent FPGA performance
16:58 < helo> how would the security-via-difficulty achieved with a novel proof of work and the expected value of nc2 block rewards + fees compare with capitulating to bitcoin merge-mining?
16:58 < petertodd> gmaxwell: 8 and even 16 layer PCB production is pretty decentralized, easily two orders of magnitude more decentralized than ASIC production
16:58 < maaku> nc2?
16:58 < helo> (namecoin2)
16:58 < jtimon> the main problem is what is the target
16:58 <@gmaxwell> petertodd: okay, I'll grant that.
16:59  * nsh wonders what the unit of decentralization is
16:59 < helo> cost to attack?
17:00 < petertodd> nsh: person dollars?
17:03 < nsh> mmm, maybe
17:03 < jtimon> maaku if petertodd wants to impose a low level architecture that's more philosophical than technical, what is the "layman arch" of the next year?
17:05 < petertodd> re: ASICs vs FPGA's, this paper suggests numbers ranging from mid double-digits to even low single digits: https://dl.acm.org/citation.cfm?id=1117205
17:05 < jtimon> I think we all overestimate pow
17:05 < jtimon> the rules are the channel
17:06 < petertodd> suggesting a mem-hard PoW is likely to be FPGA implementable without *that* large of a gap
17:06 < maaku> jtimon: I was being devil's advocate :)
17:06 < maaku> you know I'm diehard pro-ASIC
17:07 < jtimon> what's more important
17:07 < petertodd> FPGA development isn't as decentralized as off-the-shelf PC, but it's still a lot better than ASICs
17:07 < jtimon> we shouldn't be targeting archs
17:07 < maaku> petertodd: i don't know, i think you're likely to get custom, non-von-Neumann memory architectures for that
17:07 < maaku> i think people who analyze these things are thinking too much in the box
17:07 < petertodd> jtimon: memory vs FPGA vs ASIC are arch classes; they're fundamental
17:08 < petertodd> maaku: that's the point of FPGA's: you can cheaply make all kinds of crazy non-von-Neumann memory architectures
17:08 < jtimon> we should be targeting problems that are common goods and not conflictive with the incentive structure
17:08 < petertodd> jtimon: huh?
17:09 < jtimon> gmaxwell knows how it could go all wrong if we target something "too useful" as pow
17:10 < jtimon> seriously, targeting archs is wrong, even html5 js could be implemented low-level in a way you don't expect now
17:11 < petertodd> jtimon: that's completely unrelated to what I'm talking about... with the one exception that the more competitive the pow is on off-the-shelf hardware, the easier it is to use for things like anti-sybil
17:12 < petertodd> jtimon: again, I'm not arguing for targeting architectures.
17:12 < jtimon> what do you mean by "competitive"?
17:12 < jtimon> what resources are we measuring?
17:13 < jtimon> what are we optimizing for?
17:14 < petertodd> jtimon: I want cost per hash for high-capital-cost ASIC implementations to be as close as possible to cost-per-hash on hardware that is less custom, off-the-shelf pc's are the extreme of less custom, gpu's slightly less so, standard fpga dev kits less, fpga's on custom PCB's even less, etc.
17:14 < petertodd> you pull off that trick by targeting PoW that makes use of RAM as much as possible, because RAM is fairly generic. *how* you target ram is tricky though
17:14 < jtimon> I first of all
17:15 < maaku> petertodd: or you make efficient asics into the commodity, off-the-shelf category
17:16 < jtimon> we will all code parallel without noticing in the near future thanks to some fancy lib better than cuda, so please don't anti-gpu
17:16 < petertodd> maaku: and you never will because of the nature of ASIC manufacturing. it may be "commodity", but the world economy appears to be unable to support more than maybe three or four top-of-the-line ASIC manufacturers, and they have a huge advantage over their lesser competitors
17:16 < MoALTz> petertodd: you want to support general computation?
17:16 < jtimon> but everybody has gpus or could have
17:17 < jtimon> I don't but I rented ne for villages gours
17:17 < jtimon> hours
17:17 < jtimon> one
17:17 < maaku> petertodd: so? monopoly/duopoly on manufacture of asics is not the same as controlling the hashpower itself
17:19 < petertodd> maaku: it's very close to it, those companies can put restrictions on hashing power they produce overnight, for instance they can only sell it to authorized and licensed miners, or build backdoors into the hardware itself
17:20 < jtimon> wait, wait, how are monopoly miners changing the rules again?
17:20 < maaku> to the first that's why we have incentive structures that reward them for widespread distribution (which thankfully the freemarket provided and we didn't have to setup)
17:20 < maaku> the second is a hollywood threat
17:20 < petertodd> maaku: vs. to control FPGA's, let alone generic CPU's, they're forced to put restrictions on a huge industry - that's much harder politically. Not impossible, but much harder.
17:20 < petertodd> maaku: incentives mean nothing to a government that decides Bitcoin needs to be regulated
17:21 < jtimon> I didn't hear that part, maybe I don't get the solutions because I don't understand the problem
17:21 < petertodd> jtimon: by 51% attacking us until we accept their new rules
17:21 < jtimon> why would we accept their new rules
17:21 < petertodd> jtimon: because if we don't we don't have a currency anyway
17:21 < helo> so with asic/memory-hard pow, there would likely be a varying mining script ('header, sha256, sha256' with bitcoin)?
17:22 < maaku> petertodd: and that's the one scenario where we'd realistically switch to scrypt or something else
17:22 < jtimon> channel 1: Morgan and Rothschilds 22565554 petahashes
17:22 < jtimon> channel 2: the rest of the world 100 moderatohashes
17:22 < petertodd> maaku: ah! you mean you'd be glad people like me had researched the problem and had solutions ready.
17:22 < maaku> it's nonsense hollywood threat. no government is going to spend 100s of millions of dollars to construct such an elaborate scheme with so many moving parts
17:22 < maaku> when it can be so easily undone
17:22 < maaku> (i worked for the government I know ;)
17:23 < maaku> petertodd: ok, I shouldn't have said scrypt - SHA-3 would be more my tastes
17:23 < jtimon> that's the best part of bitcoin: you can't change the rules unless there's consensus BY THE USERS
17:23 < petertodd> maaku: they don't have to, they tell intel/globalfoundries and tsmc to include cheap lockout circuit in every ASIC they produce so they have a bitcoin kill switch
17:24 < petertodd> jtimon: nope, without mining the rules aren't very useful
17:24 < maaku> petertodd: which you can see with an electron scanning microscope
17:24 < maaku> you want to be useful, organize an effort to image asic chips
17:24 < petertodd> maaku: so what? you have no choice but to buy ASICs that have it if you want performance that doesn't suck
17:24 < jtimon> that's true
09:12 < adam3us> the other annoying thing about airport wifi is i have a pay as you go 3g sim with 3GB/month data allowance for gbp 2/day for UK on any day used, but the wretched thing never works, and i think i grabbed the wrong replacement sim when i was leaving.
09:13 < brisque> gmaxwell: that story is terrible.
09:16 < adam3us> is there any way to get above SPV security i wonder in a sensible level of bitcoin main changes that doesn't just have both protocols in the client (or a link to a beta validator running in parallel)
09:17 < gmaxwell> well spv security can mean multiple things there is communicationless spv which is what you get when someone hands you a proof and you're happy, and normal spv when you can go out and seek more evidence.
09:17 < gmaxwell> I think we can get the latter of those two.
09:17 < gmaxwell> More than that implies validating the rules
09:17 < gmaxwell> which implies embedding the rules in bitcoin
09:17 < gmaxwell> and all of the data needed to check the rules
09:18 < gmaxwell> and short of snarks or something, I think that's probably not realistic. (well and not realistic with snarks today regardless but maybe in a few years)
09:19 < adam3us> brb
09:30 < adam3us> gmaxwell: well say hypothetically a client that speaks both bitcoin v1 and bitcoin v2 protocol with a pegged side-chain connecting them
09:31 < adam3us> gmaxwell: eg less of a general competition between 2a, 2b 2c etc side-chains but more the next version of bitcoin with fork requiring bug fixes on it, running in parallel with real-value transferred via the 1:1 peg by those who need the 2.x features, eg 1.x for value storage and 2.x for anything other than basic tx (say)
09:36 < adam3us> adding insult to injury this gbp 5/hr wifi is failing I think because of the web injection urls timing out. grr
10:21 < brisque> regarding hardware wallets.
10:22 < brisque> I was looking into various bits of hackable hardware, looking at the specs and everything. realised it's a little pointless when you can get a 6" laptop from Alibaba for 30 pounds or so.
10:23 < brisque> that's all you'd need for a super effective offline device really, and it's cheaper than the Trezor ever was.
10:25 < gmaxwell> brisque: but bulky.
10:26 < brisque> gmaxwell: one of these would work too http://en.qi-hardware.com/wiki/Ben_NanoNote
10:26 < gmaxwell> (also: thats why I didn't order a trezor)
10:26 < gmaxwell> yea, but stupidly expensive.
10:26 < gmaxwell> I actually looked at getting a nanonote for wallet use.
10:26 < gmaxwell> it's not true of trezor but in theory a hardware wallet could be tamper resistant too.
10:27 < gmaxwell> your cheap laptop will suck when the evil made pops the keyboard and adds a keylogger chip.
10:27 < gmaxwell> s/made/maid/
10:28 < brisque> that's why I was thinking of consumer hardware that can be hacked. the children's toy I mentioned has almost everything you need, including a wireless pink USB dongle. the issue is that you have to open it to get to the serial ports to flash it. not something you can convince everybody to do. http://d4c027c89b30561298bd-484902fe60e1615dc83faa972a248000.r12.cf3.rackcdn.com/imagepicker/4494/thumbs/IM.jpg
10:29 < gmaxwell> wow neat
10:29 < gmaxwell> what cpu?
10:29 < brisque> that's the other sticking point, its CPU is a little short on memory.
10:29 < gmaxwell> though wireless usb dongle may mean a rather large attack surface area.
10:30 < brisque> the low memory is ultimately what makes it useless sadly.
10:30 < brisque> works as a RF spectrum analyser though.
10:31 < gmaxwell> why would it make it useless as a signing device?
10:31 < gmaxwell> surely it has enough for that.
10:31 < brisque> http://www.ti.com/product/cc1110f32
10:32 < brisque> 32kB flash, 4kB of RAM
10:32 < gmaxwell> could be used as a signer no problemo.
10:33 < gmaxwell> though uh, perhaps not with wireless.
10:34 < brisque> yeah. my thinking is that there's got to be another dirt cheap children's toy with an LCD, keyboard and some decent IO that can be hacked into a deterministic wallet.
10:34 < gmaxwell> but, of course, that also makes it easier to tamper with
10:34 < brisque> camera for QR codes, or audio, or even USB pretending to be a HID would work perfectly for this.
10:35 < brisque> isn't the assumption that with a hardware token, your coins are compromised anyway?
10:35 < gmaxwell> hm?
10:36 < brisque> any KDF on an embedded device would make it useless, and no matter what you do the seed is going to be extracted.
10:36 < brisque> I've seen hardware that's meant to destroy keys before, it's not all it's cracked up to be.
10:36 < gmaxwell> nah, you can make successful extraction of the seed pretty hard and make it be destructive.
10:37 < gmaxwell> (be destructive meaning an intruder couldn't tamper and put it back)
10:37 < gmaxwell> and yea, sure concerted 'offline' effort by an expert you can't be safe from, but certainly it's better if your curious teenager couldn't extract the keys easily.
10:38 < gmaxwell> not saying mandatory: trezor fails this too as I understand it, but it would be preferable.
10:38 < brisque> there was a game console that did something like that. had a chip with the ROM, and a battery backed RAM chip with a secret key. on boot it XORed the two to get the executable. any screwup meant you lost the RAM chip and had to pay a pile of money for a new one.
10:39 < gmaxwell> yea there are all kinds of interesting things you can do, and then also embed the stuff in epoxy with embedded tripwires that cut power to the ram if cut.
10:40 < brisque> that's all doable, but that wasn't my aim with this concept. a dirt cheap hardware device holding a seed is preferable to a computer running windows and java.
10:40 < gmaxwell> fair enough. probably more interesting to reduce the interface exposure.
10:41 < brisque> QR codes would be ideal, then audio, then you're back to pretending to be a USB HID. are there any other "airgapped" ways of getting TX data to a device?
10:43 < gmaxwell> hid doesn't get you bidirectional, does it?
10:43 < brisque> it does. the device can pretend to type, and the host can flash the caps lock key.
10:43 < gmaxwell> lol!
10:43 < gmaxwell> thats going to be rather slow
10:44 < brisque> doesn't the trezor pretend to be HID?
10:44 < gmaxwell> no clue
10:44 < gmaxwell> you need to transfer several kb.
10:44 < brisque> yes, the Trezor pretends to be HID too.
10:44 < gmaxwell> man the things you need to do to make windows happy
10:44 < gmaxwell> I would have just made it a usb serial device, but I guess those need drivers in Windows
10:44 < brisque> being driverless was probably the aim.
10:45 < brisque> 10kB/s using the caps lock light..
10:46 < gmaxwell> crazy, still a bit slow
10:46 < gmaxwell> how about usb storage... plug unplug plug. :P
10:46 < gmaxwell> and sign and enter your pin on the device itself while unplugged.
10:46 < jgarzik> caps lock light - ha, creative!
10:47 < brisque> well for me wanting to hack something, that's probably going to let the host flash the device which is undesirable. I'm really just throwing ideas around.
10:47 < jgarzik> jumping airgaps is all the rage, these days.  NSA or private community alike.
10:49 < brisque> doing it usefully is the issue though. I don't want to have to listen to my CPU buzz with a parabolic microphone to get Bitcoin TX data to an embedded device.
10:49 < gmaxwell> obviously why having a device with a minimized surface area matters.
10:49  * gmaxwell looks at gox and hurrays
10:50 < brisque> gmaxwell: I wanted a Ben NanoNote just to play with, doesn't look like anybody sells them anymore.
10:51 < brisque> by the looks of things, the easiest and cheapest airgap transmission is audio. if people hated dialup modems they're going to hate me screaching 200kB of previous outputs at them.
10:51 < gmaxwell> brisque: harder to setup bidirectional.
10:52 < gmaxwell> how about a usb device immitating a sound device?
10:52 < brisque> USB sound cards are cheap as chips, you can get one that works on any linux device for a few dollars.
10:52 < gmaxwell> and then you can easily just get 192kbit/sec in each direction using two bits per sample, and it would be completely inaudible if addressed to the wrong device.
10:52 < brisque> bonus, you can do transfer over audio to a phone.
10:54 < brisque> imitating a USB sound device would be doable though. matching a generic driver on the host would mean no attack surface.
10:54 < brisque> could also have audio output, then connecting to a cellphone would work.
10:55 < brisque> bonus mode, make adaptors so that transactions can be signed over phones, 56k style
10:57 < jgarzik> I continue to be stunned that mtgoxUSD receives the trading action that it does
13:33 < justonegy> hello
13:33 < justonegy> anywhere here who can help with ubuntu build?
13:33 < justonegy> or rather wants to..
13:39 < michagogo|cloud> justonegy: What about it?
13:39 < michagogo|cloud> (though this is most likely off-topic for this channel...)
13:40 < justonegy> I'm trying to build and its difficult to find information
13:40 < justonegy> EXCEPTION: N5boost12interprocess22interprocess_exceptionE
13:40 < sipa> #bitcoin or perhaps maybe #bitcoin-dev
13:41 < justonegy> checking for Berkeley DB C++ headers... default
14:06 < justonegy> no one want to help?
14:07 < justonegy> trying to fix this issue and there is just no information and the debug info is non existent
14:08 < sipa> please, not here
14:08 < jcorgan> #bitcoin-dev is better, and, you need to provide a bit more info
14:25 < midnightmagic> lol, one more reason why having a maid is crazy.
14:25 < midnightmagic> if yer in a house and can't vacuum your own floors, you're in the wrong damn house.
18:37 < petertodd> 1CounterpartyXXXXXXXXXXXXXXXUWLpVr <- crazy, 107BTC sacrificed for some "protocol for the creation and use of decentralised financial instruments such as asset exchanges, contracts for difference and dividend payments"
21:14 < petertodd> gmaxwell: oh, maybe I did miss some older ones
21:15 < gmaxwell> (and 0.0004 should greatly improve the odds)
21:15 < petertodd> ah, yeah I think I did
21:15 < petertodd> well, it'd be a conflict now, so I just resent the old ones
21:16 < gmaxwell> 0bin?
21:16 < petertodd> http://0bin.net/paste/j5LLNLEDS7WFsf3S#XJaGGObQv3VZyuUFWSScsbMHFvyMStuXTGzzhrion7c=
21:16 < gmaxwell> nicely, if the second one fails I can merge these myself. :P
21:16 < petertodd> nice that OP_RETURN is now standard...
21:17 < petertodd> enough git head nodes that it's propagated across all my nodes at least
21:20 < gmaxwell> with them merged Total: 0.00227106
21:21 < gmaxwell> this is the merged one: http://0bin.net/paste/4kgGct5K+guuOdY8#7u9CCxfYaOz//nFCqfII5xS53sYx1V0oQSX7i2RjTuQ=
21:26 < petertodd> that GHash.IO is performing an investigation sets a very bad precedent IMO
21:30 < gmaxwell> phantomcircuit: how so?
21:30 < gmaxwell> er petertodd
21:30 < petertodd> lol
21:30 < petertodd> the idea that miners have any responsibility towards zero-conf users is dangerous
21:30 < petertodd> for instance it means you can't change your mempool acceptance rules
21:31 < petertodd> and raises ugly questions about what to do in the event of DoS attacks
21:31 < gmaxwell> well, changing your rules is a bit different from making a bunch of doublespends yourself and then paying the proceeds to miners.
21:31 < gmaxwell> investigation doesn't mean conclusion either. like... uh .. if they don't _know_ how that was happening, thats .. bad.
21:32 < petertodd> so? it's a slippery slope. For instance is it ok that Eligius blocks some txs from ever entering its mempool, allowing a 10% double-spend attack?
21:32 < gmaxwell> I mean, if they don't know and can't just answer it suggests that they're not actually in control of their own stuff. 0_o
21:33 < gmaxwell> vs eligius filtering where wizkid or luke can step right up and say "yea, we block txn that look like X"
21:34 < petertodd> well such is renting out hashing power...
21:34 < gmaxwell> sure... which no one who cares about their investment in hardware should ever do...
21:34 < gmaxwell> Which I assume will be their answer, because it's an easy out regardless of the real cause.
21:35 < petertodd> ...except when they've already sold it all on an exchange, and the people on the exchange figure they can sell it to the other sucker before anything happens
21:35 < gmaxwell> well, there is still the value of the hardware itself.
21:36 < petertodd> what value? CEX doesn't own it anymore if I understand their business model correctly
21:36 < petertodd> just maintenance, and that could be negative value if they ever screw up
21:36 < petertodd> (negative to CEX)
21:36 < gmaxwell> moral hazard in any case you can rent out your hashpower fine, so long as few enough other people do it too.
21:37 < gmaxwell> I wasn't sure how much of the hardware cex had sold off as shares, it's never been priced attractively.
21:37 < gmaxwell> but fair point...
21:39 < gmaxwell> what a mess.. you hardware fractionalized and sold to people with no control over it.. who then mine at a single enormous pool which is full of these miners that can't vote with their feet.
21:39 < petertodd> well, assume they sold it all off, and then screwed up the contract such that they couldn't get out of supporting it for people at a price that wasn't profitable. Their incentive is to actually destroy Bitcoin.
21:40 < petertodd> More likely, they don't have any strong incentive *not* to...
21:43 < gmaxwell> The maintenance fee is estimated as $0.30 / kW x hour: $0.17/kW electricity cost + $0.09 data centre upkeep + $0.04 hardware repair/maintenance.
21:44 < petertodd> Sure, and screw up that contract in some way... You want an unconditional "out" clause, but eventually someone in the business is going to mess that up.
21:44 < gmaxwell> at the moment their hosting is 3.15% of the mining returns. looks like its structured so they can't get screwed.
21:46 < petertodd> Eventually someone's going to mess that up. Also remember that their ROI is 3%, so the amount of money sufficient to make it in their interests to do something that damages Bitcoin is significantly less than for their customers.
21:47 < gmaxwell> right. Agreed. some stupid doublespendy thing that doesn't return much could easily double their profit.
21:48 < gmaxwell> lol the users get dinged for another 3% pool fee.
21:51 < petertodd> well, a painless 3% is pretty attractive to a lot of people
21:51 < gmaxwell> there is a calculator on their site that shows 1 GH will net 0.08 BTC over its life.... and currently on their market 1GH/s sells for 0.09. :P
21:52 < petertodd> ha
21:52 < midnightmagic> *-/
21:52 < gmaxwell> their calculator assumes 50% hashrate growth per month. which is probably low for the near term, and in the longer term their operating fees eat the profits regardless of how you set it.
21:53 < gmaxwell> oh great, they are saying they'll have short selling by november 16th.
21:56 < petertodd> yeah we're fucked
21:57 < gmaxwell>  Is there anything I can do about the high stale counts on the GHash.IO pool?
21:57 < gmaxwell>     The stale and duplicate shares are kept to the minimum, however we do not guarantee low stale and duplicate shares on 3rd party hardware mining at our pool.
21:57 < gmaxwell> 0_o this is in the faq on the cex.io site.
21:58 < gmaxwell> We are conducting business as a legitimate UK based company. We will not be able to disappear, as we are governed by UK laws.
22:00 < gmaxwell>  When conducting Bitcoin Transfer Transactions with a Bitcoin user who is not a Member, CEX.io responsibility shall be further limited to ensuring the transfer of the necessary technical data to the Bitcoin peer-to-peer network.
22:01 < petertodd> "* At any point in time we may elect to turn into a Cayman Islands company, and such act will not constitute a disappearance"
22:03 < gmaxwell> CEX.io may by notice to Members discontinue or modify the Platform and/or revise or terminate these Terms at any time.
22:05 < gmaxwell>  Additionally, we may, in appropriate circumstances and at our discretion, suspend or terminate Accounts of Members for any reason, including without limitation: ... (6) unexpected operational difficulties,
22:06 < gmaxwell> sounds like: 'although you cannot see us, we are technically visible in that we are opaque to optical radiation and thus have not disappeared.'
22:06 < petertodd> heh
22:08 < gmaxwell> I can't find any terms related to the actual hardware.
22:12 < petertodd> the sad thing is how even with fancy ZI stuff to let hashers steal block rewards and stuff, it still doesn't solve the problem of hosted mining
22:12 < gmaxwell> petertodd: the older one (at least!) went through!
22:12 < petertodd> nifty
22:12 < gmaxwell> petertodd: the miners here can't even tell the hardware exists.
22:12 < petertodd> exactly
22:13 < gmaxwell> much less that they're not being robbed on it.
22:13 < petertodd> and if they keep getting their expected dividend, who's to say they're really being robbed?
22:14 < gmaxwell> you could create a bitminter.io and pay a few weeks of dividends as people pile in to buy cheap "fasthash" gigahashes... and then just walk.
22:14 < petertodd> ha, for sure!
22:14 < petertodd> no hardware required
22:19 < gmaxwell> in any case you saw my initial response on that post "meh". I've never been one to think that just because your door is unlocked that it's okay to rob you, but an unconfirmed gambling site is ... well I don't know what to think about that. but the fact that it looks like the pool or cex was earning a profit from it is interesting.
22:21 < petertodd> double-spend warnings are going to make this really interesting given that gavin's planning on implementing them by broadcasting the whole tx
22:23 < gmaxwell> if you don't broadcast the whole tx it's hard to verify they're correct... and just sending, e.g. pubkey,sig or whatever doesn't let you do things like ignore ones that still pay you.
22:23 < gmaxwell> so yea...
22:23 < gmaxwell> heh 2013-11-12 03:11:42 CWalletTx::GetAmounts: Unknown transaction type found, txid 499e80a173ee095d44b1c3503c5d00015222a2d7c17a2140fa16f28eeeda8b93
22:24 < petertodd> never mind that you can always rebroadcast a sig from an earlier tx if you do it with just hashes
22:24 < petertodd> (due to address re-use)
22:24 < gmaxwell> indeed.
22:24 < gmaxwell> "what a shame!"
22:24 < petertodd> it'll be a good time to push direct replace-by-fee, and incentivise it by making some double-spends with, say, 0.5BTC fees
22:25 < petertodd> won't surprise me if people try to push making miners ignore blocks that contain things they think are double-spends of course... but that has lots of ugly consequences
22:26 < gmaxwell> very bad for convergence.
22:26 < gmaxwell> esp if you flood the network with concurrently broadcasted doublespends.
22:26 < petertodd> yup, and makes any mempool difference practically a forking bug
22:26 < amiller> No one ever seems to bother doing a secure multiparty lottery
22:27 < amiller> in multiparty computation there are auctions and fair exchanges and stuff like that
22:27 < amiller> Adam Smith is quoted as saying "there can never be a fair lottery" but we should be able to do exactly that
22:27 < amiller> you would absolutely need a non-EU model of rationality to even analyze the lottery under terms like that
22:27 < petertodd> why would I want to do that? I'm a trustworthy guy.
22:28 < amiller> what does trustworthy have to do with participating in a lottery?
22:28 < petertodd> I'm running the lottery, you can trust me to do it fairly. Why trust all this crypto shit? It's probably designed by the NSA anyway.
22:29 < gmaxwell> amiller: most of this mpc stuff isn't even secure in a model where an attacker is active.
22:29 < gmaxwell> most of it is against a model where the attacker is curious but won't compromise the protocol.
14:28 < gmaxwell> e.g. coding 5 checksigs and then a truth table over them would likely not be the best way to represent that multisig.  The truth table is smaller than the branching stuff, but if we had hash compression of untaken branches the branching stuff would be smaller.
14:29 < gmaxwell> So I was wondering if there might be an efficient representation for truth tables where that _wouldn't_ be the case, e.g. where no 1 bit prefix can factor out at least two of the interior tests.
14:30 < gmaxwell> e.g. there is no such x input wire that makes the table insensitive to more than two or more other wires.
14:31 < nsh> beats me
14:34 < Taek42> Would Pierce's logic help any?
14:45 < amiller> i'm interested if anyone here has looked at ethereum http://ethereum.org/ethereum.html
14:45 < amiller> vitalik's attempt at making a broader script language for contracts
14:46 < amiller> the main interesting thing is you can have a "contract", which is like a persistent utxo, it receives data inputs from transactions, it has a special register-like thing representing a "balance" of conserved currency, and it can contains instructions that "send" from that balance to some other contract
14:49 < pigeons> i dont know what can be done about it, and obviously its not a technical issue, but when i look at different smart contract proposals, not usually directly bitcoin related, i wonder about how sometimes a party to the contract would need to be an expert in the execution platform and the language to be sure the contract he is agreeing to, maybe written by the other party will do what he expects. i guess that's no different than "real world" "du
14:49 < gmaxwell> pigeons: you got cutoff at than "real world" "du
14:49 < pigeons> real world "dumb" contracts
14:50 < pigeons> not that anyone can protect everyone from potential ripoffs all the time, but some people would try to fool people. contract does X, but it does not
14:50 < gmaxwell> pigeons: but sure, part of the point is that "standard" contracts can be formed which get reviewed by experts. But its absolutely an issue, and its part of the reason that the simple forth-like encoding in bitcoin is pretty good simply because it actually isn't TOO terrible for the right kind of expert to evaluate them.  Likewise, their non-turing completeness makes it possible to make tools that analyze them and present to you ...
14:51 < gmaxwell> ... all the ways of satisfying them.
14:51 < pigeons> right
14:59 < maaku_> gmaxwell: if you allow non-valid pubkeys and sigs for the ones which are not required, isn't that enough?
14:59 < maaku_> e.g. the pubkey script is OP_TABLE for x,y,a,b,c
15:00 < maaku_> the scriptSig is x-pubkey x-sig y-pubkey y-sig OP_0 OP_0 OP_0 OP_0 OP_0 OP_0
15:00 < maaku_> er-no, you need to check that the pubkeyhashes match, nevermind
15:01 < andytoshi> amiller: i've seen it mentioned a few times here, so i think somebody (not me) has looked into it
15:02 < amiller> ok. it's possible i've pasted it here before too.
15:02 < amiller> having a) contracts that persist through multiple transactions and b) a way of sending value from one to another are both new
15:02 < amiller> and far more relevant to discuss imo than the red herring of turing completeness
15:03 < maaku_> well, open-txns does that
15:03 < maaku_> but new as a bitcoin proposal i suppose
15:03 < maaku_> it fails spectacularly at managing DoS potential with its TC scripts
15:03 < gmaxwell> amiller: well I think the covenants post I made shows the kind of farcical mess you can make with that stuff.
15:04 < gmaxwell> I'd be more interested in someone giving a clear example which can't just be replaced with an interactive protocol.
15:04 < amiller> chess game
15:04 < gmaxwell> I'm sure ones exist, but I mostly drew a blank.
15:05 < amiller> the reason you can't do multiple round protocols with bitcoin including covenant script is that you can't condition future txouts on the current txout
15:05 < gmaxwell> amiller: what, you have the program verify your chess witness?  One of the players will just stop moving once he sees that he'll lose but before the transcript is finished, exponential advantage for cheating.
15:06 < amiller> ok so you do the standard trick for adding fairness by having a move timer
15:06 < amiller> if you fail to publish a valid move within k blocks you forfeit
15:08 < gmaxwell> amiller: okay, fair enough.
15:08 < amiller> so. maybe it's still possible to do this with covenant
15:08 < amiller> because you can make the input claimable with evidence that there is a blockchain with sufficient length that includes corresponding transactions etc. whatever
15:09 < amiller> maybe you can always transform any other smart-contract system into one with the current semantics and using chain proofs like that.
15:09 < gmaxwell> amiller: in any case, its _always_ possible without making the network evaluate turing complete code, because you can just outsource script processing via a snark.
15:10 < amiller> yes turing complete is completely irrelevant here
15:11 < amiller> i think the semantics of the chess game example are pretty clear and that makes it a good example, it's just not an obvious business case financial impact kind of thing, that's the only problem with it
15:11 < gmaxwell> Then what is? you can allow arbitrary data from the chain just by extracting it and presenting it to the program.
15:11 < amiller> including a proof that a suitable transaction doesn't exist?
15:12 < amiller> like if i wanted to time out the player who fails to publish a chess move, i would want to show that the current chain has k blocks and does not contain a valid move
15:12 < gmaxwell> why would you even publish the moves? you'd use a dominating spend like I proposed for anti-cheat in the coinwitness thread.
15:13 < gmaxwell> Basically if someone tries to time out redeem the game, the output is covenant locked so that it can be spent by either a longer witness or after a final timeout.
15:14 < gmaxwell> Was I clear enough there? sorry. I don't actually know how much of what I'm talking about you've read.
15:14 < gmaxwell> I didn't want to repeat it all if you've read it all.
15:14 < amiller> i've at least skimmed both threads but i am pretty sure i don't understand many details correctly
15:15 < gmaxwell> amiller: the idea is that to redeem the prize in our chess game you either present proof you've seen a complete transcript for the game in which you've won OR
15:16 < gmaxwell> if the time is past a timeout, AND you present a transcript where your move is last then you can spend it with a transaction whose TXOUT is constrained, such that:
15:16 < gmaxwell> it can be spent after a final timeout (some time from now)  OR   it can be spent by a similar constrained transaction with a somewhat advanced final timeout and proof of a witness of a longer transcript.
15:17 < amiller> witness of a longer transcript than what
15:17 < gmaxwell> that the longest seen so far, it accumulates.
15:17 < amiller> here's an edge case though
15:17 < amiller> suppose player 1 has a timeout
15:17 < amiller> but player 2 does *not* have a timeout
15:18 < amiller> player 1 publishes his move in time
15:18 < amiller> player 2 pretends that he didn't see the first move, and shows a long transcript and tries to redeem the timeout
15:18 < gmaxwell> He can't, because player 2 can't produce a longer transcript on his own.
15:19 < amiller> player 1 can't just try to timeout player 2 because player 2 isn't on the clock, but you would want to prevent player 2 from omitting the published move
15:20 < gmaxwell> amiller: e.g. player 1 moves, player 2 tries to redeem an empty transcript. Player 1 says fuck you and publishes a 1 move transcript. Player 2 can either give up, or present a 2 move transcript. If he does the latter player 1 can present a three move transcript and so on.
15:20 < amiller> when is the coin irrevocably spent?
15:20 < amiller> if this can keep going on
15:21 < gmaxwell> when the transcript can grow no more, or when someone finally misses an update timeout.
15:22 < gmaxwell> and sure, it's probably possible in chess (it is possible in go) to setup a case where the game goes periodic-stalemate in which case it could go on forever if no party will yield. But the evaluation model doesn't matter there.
15:23 < gmaxwell> (e.g. you can't solve this by having proof of publication)
15:52 < jtimon> gmaxwell, for your non-disclousure key logic problem
15:54 < jtimon> any boolean equation can be turned into the form (a * c * e) + (b * c * e), wait
15:54 < jtimon> let me look at your example
15:54 < jtimon> well, no
15:55 < gmaxwell> the 2 of 3 can be expanded into (a&&b or b&&c or a&&c)
15:55 < jtimon> the point is to build a tree with N or branches
15:55 < jtimon> n OR branches
15:56 < jtimon> a tree in which width is OR and deep is AND
15:56 < jtimon> argh
15:56 < jtimon> words don't come easy
15:58 < jtimon> and anything can be expanded to that structure
15:59 < jtimon> to get the coins you only need to reveal the relevant branch
15:59 < jtimon> sorry, I'll smoke a cigarette while trying to translate that to english
16:01 < gmaxwell> jtimon: right, but because hiding a branch still costs you a 256 bit hash, it doesn't save you anything to hide a branch that only contains one key, its better to just test it directly at the current level.
16:02 < gmaxwell> e.g. you would not represent   a or b    as   a else {b}
16:07 < jtimon> ?I don't understand the e.g.
16:08 < jtimon> but about the hidden branch hash cost
16:08 < jtimon> it is on the scriptSig, not the scriptPubKey, does it really matter?
16:08 < jtimon> well, yes, sorry
16:08 < jtimon> not that much, but still matters
16:18 < jtimon> <maaku_> it fails spectacularly at managing DoS potential with its TC scripts
16:18 < jtimon> I'm not so sure about that
16:19 < jtimon> my understanding (and I'm not sure I understand the proposal)
07:54 < adam3us> TD, gmaxwell: i admit some fault with coingen.io also (I was sitting opposite mappum when he registered the domain), not a new idea apparently, but I yacked about how cool it would be a bunch with BlueMatt and put him up to it.  maybe it'll back fire in interesting ways, but the intent is humorous clearly and genuine: to deflate param tweaks
07:56 < adam3us> TD, gmaxwell: and its actually serious.  it seems to me that alts are stifling actual innovation.  if u think about it in many ways bitcoin innovation has virtually stalled since 2009.  thats why i want to kill param-tweaks, and think pegged side-chains are the best new idea since 2009 in bitcoin period.
08:02 < adam3us> about ethereum i talked to vitalik about it, not sure i mentioned this part or not, that while fees is a solution to the halting problem in a Turing Complete script language; however the history of java byte code interpreter sandbox escapes could give it a massive, repeating, binary failure, where each sandbox escape results in theft of all coins (and maybe bitcoins)
08:15 < adam3us> aka there is a reason bitcoin script is functional, no iterators/recursion, and most of even the stylized/simplified/cut-down script language is itself disabled.  ripple don't seem to appreciate this risk and their draft script language looks turing complete.  in open transactions, chris showed me he has pluggable script language interpreter hooks and jscript, lua etc but thats just code because he likes generalized clean code.
08:54 < andytoshi-away> justanotheruser: logs are at http://download.wpsoftware.net/bitcoin/wizards/ ... if you msg andytoshi-logbot with 'help' i think it'll tell you
08:55 < andytoshi-away> sipa: re 'someone should write a "what to think about before making an alt" document', i'm planning to write something like that this weekend
08:58 < TD> adam3us: you wouldn't try to steal all coins simultaneously, that'd be dumb
08:59 < TD> adam3us: it'd just be treated as an outage
08:59 < TD> you'd want to steal 1% or something like that ...
09:00 < adam3us> TD: if these coins are pegged bitcoins, you'd want to steal as many as possible.  it depends on the reaction mode to stemming the loss.  if its like the many exchange/processor thefts like say sheep market place (the largest?) because of the irrevocability maybe you may not even care if u empty the alt chain in one go on the way
09:01 < adam3us> TD: what are people going to do? issue and deploy an emergency bitcoin patch to reject this specific side chains re-conversion?  that sounds centralized and fed policy like
09:01 < TD> we were talking about ethereum i thought?
09:01 < adam3us> TD: but you may well be right for detail reasons that the optimal exfiltration
09:02 < adam3us> TD: oh yeah sorry :D
09:03 < adam3us> TD: i guess that depends on the market cap and the liquidity and intent of the saboteur.  why are they killing the alt.  to make money or because they want to do a 'scorched earth' to borrow a petertodd'ism to prove a point
09:04 < adam3us> TD: lot of people might be quite upset and litigious about it if the market cap was like non-trivial at the time.  dangerous thing to do possibly even via Tor.
09:04 < adam3us> (sorry i was still in pegged side-chain mode so misinterpreted your observation)
09:04 < TD> anyway, most of the java sandbox escapes especially these days are not issues with the bytecode verifier but rather with the huge libraries or native code that they call out to
09:04 < TD> presumably ethereum would not have anything in the way of libraries or big surface area APIs
09:07 < adam3us> TD: interesting point, yes i never went looking at the root cause of the repeated sandbox failures, but if that's accurate the risk might be a bit lower.  but anyway i guess you can say its a brittle failure mode and more risky than bitcoin as a value store as a result.  not only could a big bug collapse value like, but some worse things i think, like taking control simultaneously of all online nodes.
09:07 < TD> sure
09:07 < TD> code execution is always tricky
09:08 < TD> ironically, i suspect the JVM may end up being one of the safest sandboxes around. given how massively and repeatedly it's been attacked by hardened hackers compared to most sandboxes
09:08 < adam3us> (could happen to btc also, but higher risk as their code is basically an abstract interpreted asm with memory and iteration, pointers.  very flexible.  more like executing x86 interpreter)
09:08 < TD> if they keep plugging away at it for enough time, and if you restrict the API surface area, it could end up being kind of robust
09:10 < adam3us> TD: yes.  but it seems in some ways that btc is surfacing whole new levels of code assurance.  if there's a $1bil reward sitting on the table for entire system value exfiltration, more resources and resourceful people get in, or lose their ethical behavior $ limit filter, seemingly empirically many otherwise trustworthy people have such limits)
09:11 < adam3us> just to say maybe its more interesting to sandbox escape ethereum (if btc was using that model right now) than sandbox vm escapes.  it only takes one.
09:11 < TD> yeah. it makes me wonder if one day it'll simply become impossible to make any changes to the code at all because the legal/financial risk of making a mistake is so high
09:11 < TD> either that or every bitcoin developer will be anonymous and work from behind Tor
09:11 < adam3us> TD: yes i think so
09:11 < TD> neither outcome seems desirable
09:11 < TD> still i guess banks manage, sorta, somehow
09:12 < adam3us> TD: the Tor thing is interesting.  i think people who get into exchanges and btc biz dont realize the risk they are putting themselves, their family etc at.  if they get enough value inside a server, they have become like a bank.  at the high end what do we need like thebunker.net or fortress with servers in it.  seems like banks or physical security need to be part of the picture with multisig eventually
09:14 < adam3us> TD: yes, that seems part of the genuine value of banks, they have structured governance (cross checks) physical security, personnel vetting, alarms, perhaps monitored security at managers houses.  they had to think about it all and manage it.  that is actual value.
09:14 < TD> probably. one reason why i'd never run an exchange or bitbank. however, exchanges are needed, so .... someone has  to take that risk. w.r.t the rest of it, well, it's MIT licensed and disclaims all responsibility for everything
09:14 < TD> though i imagine some people will eventually ignore that and try their luck in courts anyway
09:14 < adam3us> TD: what u mean sue for losses due to code bugs?
09:15 < TD> well, or for any other kind of excuse. or patent lawsuits or whatever.
09:15 < TD> i mean as the amount of value goes up, anything could happen
09:16 < adam3us> TD: was vaguely wondering if one could retain unseizability property while protecting your self or your exchange or your processor (some server or equipment or paper under the service operators and employees control) from physical duress, by multisig the whole thing with a physical security provider of one part of the multisig.  the RA aspect of the bank multisig is typically weak also.  tho they do a lot of risk management
09:17 < WOODMAN> morning warriors
09:17 < TD> they're also insured
09:18 < adam3us> TD: like cheque sigs are not verified under 30k i hear.  but if u wire 20k you can do that with some lame, malware attackable security.  exactly insurance and risk management.
09:18 < WOODMAN> anybody been around on this technology since early days, i have a decent question if its ok?
09:18 < WOODMAN> brb
09:19 < andytoshi-away> WOODMAN: usually, try #bitcoin-dev first
09:19 < adam3us> TD: but i think what backs it all up is the revocability, usually when things go wrong they can undo the tx, they have ID, so they can recover even withdrawn funds, and insurance covers the rest
09:20 < adam3us> TD: btc lacks that.  and if we introduce it (certainly can do revocable, easy using irrevocable + multisig escrow) then the dispute resolution costs come back in and btc tx costs same as credit card.  so we cant win.  the remaining new avenue is to some smart contract magic
09:20 < WOODMAN> what is this site?
09:20 < TD> yep. it might turn out in the long run that irreversible transactions are simply something humanity can't handle, when the amounts of value being handled get too high
09:20 < WOODMAN> https://bitcointalk.org/index.php?topic=11606.0
09:20 < TD> (too hard to build secure software systems)
09:20 < adam3us> TD: was ever thus.  ecash (irrevocable fast settlement) and slow cash just dont interface together well
09:21 < WOODMAN> i believe i bought bitcoin in 09
09:21 < adam3us> TD: yes.  maybe that is an answer.  large payments typically can tolerate being slow, and the parties having recourse enough to tolerate the revocability.
09:21 < WOODMAN> i never set up a client....bought from someone who put it on a USB and sent it to me....me never wanting to store on computer cause of hacking and never planned on selling, as there was no market at that time
09:21 < andytoshi-away> WOODMAN: #bitcoin please
09:21 < WOODMAN> i found this link and it discusses that you can put bitcoins on a USB
09:22 < WOODMAN> ah come on andy
09:22 < andytoshi-away> though i did enjoy the second post saying 'screw that, just use mybitcoin' :)
09:22 < WOODMAN> be a sport
09:22 < sipa> WOODMAN: #bitcoin, now
09:22 < WOODMAN> ahora!
09:22 < WOODMAN> im banned from there
09:22 < sipa> (you're very welcome to follow the discussion here, or contribute, but basic questions are completely off topic)
09:22 < TD> or post to bitcointalk
09:23 < WOODMAN> too many indians , not enough chiefs
09:23 < WOODMAN> this could be problem with open source
09:24 < WOODMAN> got another bitcoin IRC where they respect free speech?
09:24 < WOODMAN> or is this all funded by soros?
16:31 < HM> it's not a bad idea
16:32 < gmaxwell> ... it really has absolutely nothing to do with the json rpc code.
16:33 < HM> it does lol
16:33 < gmaxwell> Why are you saying that?
16:34 < HM> because it reads json right off the 0mq socket
16:34 < HM> passes calls to the existing json code
16:34 < HM> gets replies, and reps it back
16:34 < gmaxwell> Are you being a fool just to irritate me?
16:35 < HM> https://github.com/bitcoin/bitcoin/pull/2415/files
16:35 < HM> https://github.com/bitcoin/bitcoin/pull/2415/files#L5L944
16:35 < HM> notice it makes existing JSON RPC functions non-static
16:35 < HM> https://github.com/bitcoin/bitcoin/pull/2415/files#L3R322 <-- reads and writes json off the 0mq socket here
16:35 < HM> it's just an observation, i'm not being critical
16:36 < HM> it's the smart thing to do when you have an existing rpc implementation
16:37 < gmaxwell> okay, I see the source of the confusion here.
16:37 < gmaxwell> Since I commented on it the guy added a bunch of extra commits that do wrap the json rpc stuff.
16:37 < gmaxwell> You have my apology.
16:38 < gmaxwell> The original code did not do that.
16:38 < HM> tis ok, review a lot of stuff
16:38 < HM> you review*
16:38 < gmaxwell> I don't know that I like that.
16:38 < gmaxwell> will have to contemplate.
16:47 < HM> meh, I'm sure RPC isn't a priority
16:49 < HM> sipa mentioned splitting it up in to components, e.g. wallet stuff and transaction stuff
--- Log closed Sun Apr 07 00:00:15 2013
--- Log opened Sun Apr 07 00:00:15 2013
--- Log closed Mon Apr 08 00:00:16 2013
--- Log opened Mon Apr 08 00:00:16 2013
15:06 < gmaxwell> HM: I was surprised to see you complain about rust's syntax. I guess ocaml and haskell (and C++, in different ways) have distorted a bit of what "bad syntax" is, but a major goal for rust is making advanced language functionality more accessible to programmers by avoiding highly irregular and cryptic syntax.
15:06 < gmaxwell> HM: the rust devs spend a lot of time thinking about discoverability and obviousness of the syntax. .... if you've got some specific syntax nits, and they're not just personal preference but things you've found will actually bite people, you should go bug the rust lists, because they can still fix syntax nits.
15:23 < HM> the pointer types are insane
15:23 < HM> and it contains unnecessary terseness
15:23 < HM> i don't believe the numbers of characters i can type a second is the bottleneck of programmer productivity
15:26 < HM> in C++ you have weak_ptr and shared_ptr and unique_ptr, which are verbose, but at least you can't make one moments brain fart and use the wrong pointer type
15:27 < HM> example
15:27 < HM> for [1, 2, 3].each |item| { ... }
15:28 < HM> ick
15:28 < HM> anyway, I reserve my right to find it horrid
15:31 < HM> I read up on Rust a few months back
15:31 < HM> right now I can't even remember which pointer is which
15:32 < HM> let y = @*x; <-- i have no idea what this does
15:40 < HM> C++ also has that for loop syntax btw
15:40 < HM> for (auto i: {1,2,3,4,5}) {
15:42 < HM> auto can be replaced by int, double, or any type implicitly convertible from an arithmetic type
15:44 < HM> you could probably implement all of Rust's garbage collection semantics by replacing weak, shared and unique ptrs with types that used your garbage collector
15:52 < gmaxwell> You can't generally do GC in C++ because you can't reliably keep pointers from 'escaping' the box. I know it works in theory, but it doesn't work in practice as confirmed by many parties.
15:53 < gmaxwell> HM: Most of the time using the wrong pointer type in rust will result in something that fails to compile and gives you a useful error.
15:53 < gmaxwell> I dunno if thats enough, indeed.
15:53 < HM> because you can always call operator-> on a smart pointer and pull out the raw pointer?
15:54 < gmaxwell> HM: yes, and because actually using them results in you leaving around pointers in local memory, inside other objects, etc.
15:55 < HM> sure, but raw pointers were inherited from C
15:55 < HM> you don't have to use them
15:56 < HM> Rust has the nice luxury that its concurrency and garbage collection can be designed to work well together
15:56 < HM> in C++ you have neither as part of the standard library or language spec
15:56 < gmaxwell> You can try to legislate against it, but even when you control the codebase this observably doesn't work well (there are reasons why it must be violated, or why container objects violate it while you're not looking) - though I'm the wrong person to be debating that.
15:56 < HM> (well except std::thread)
15:57 < gmaxwell> The rust people would argue (with plenty of data to back it up), that in C++ you're basically encouraged to do the 'wrong' thing at all turns due to inertial, legacy, and complications of the right thing.
15:57 < gmaxwell> inertia*
15:57  * HM shrugs
15:57 < HM> i think it's more that you can, and people are lazy
15:57 < gmaxwell> The idea is that rust tries to make it so that when you're lazy you do the right thing.
15:58 < gmaxwell> I dunno if they'll be successful, but thats very much the goal.
15:58 < HM> I like the premise of Rust
15:58 < HM> it's the closest thing out there atm to actually being a new C
15:58 < HM> or C++
15:59 < gmaxwell> And they make the compiler more able to detect the wrong things, facilitating that in the language when they can, and they make you explicitly request the wrong behavior (e.g. it takes more work)
15:59 < HM> yep
16:00 < HM> I spent like 2 days this week gone just staring at C++ errors containing type names longer than this conversation
16:00 < HM> i hate it
16:01 < HM> but it's not such a burden to use words instead of symbols all over the syntax map
16:01 < gmaxwell> yea, and partly that comes from really deeply core features of C++ being implemented not as part of the core language but via templates.
16:01 < gmaxwell> You say this, but java's verbosity is a major reason people oppose it. For things which are components a programmer should be using daily it's not clear that its a good thing.
16:02 < HM> sure
16:02 < HM> but const, volatile, shared, "local", would have been good short readable alternatives to ~, @, &, *
16:03 < HM> in a new language, you don't have to worry about squeezing things in to reserved names and syntax constructs
16:03 < gmaxwell> e.g. if you can't keep the pointer types in your head clearly mapped to their symbols you're going to be making a lot of other (perhaps non-detectable errors). There is a right thing to make sugar and a wrong thing. Keep in mind that they're also at least trying to have some appeal to people who believe that specifying types is a huge burden programmers shouldn't have to deal with.
16:03 < HM> get back to me when you have a highly parenthesised line of code containing half a dozen @, ~ and &s
16:04 < HM> another example
16:04 < HM> C++11 got hammered for using an ugly lambda syntax
16:05 < HM> ...Rust is using the same syntax for all functions
16:05 < HM> fn recursive_factorial(n: int) -> int { }
16:05 < HM> C++11 lambda:
16:05 < HM> [](int n) -> int {}
16:05 < HM> almost the same
16:06 < HM> I think they've made a tonne of really bad choices
16:07 < HM> at least C++ had the excuse of having to maintain some semblance of backward compatibility with 30 years of C and C++ source code
16:08 < HM> and what about this
16:08 < HM> `fmt!` is a macro that statically verifies a format string.
16:08 < HM> println(fmt!("%d", *item));
16:08 < HM> eesh
16:09 < HM> Boost.Format got formatted strings right
16:09 < HM> don't make the programmer encode type information twice
16:09 < HM> %d = double
16:09 < HM> the compiler already knows the type of item
16:09 < gmaxwell> the C++ lambdas are panned because the syntax is complete moonlanguage especially when its anonymous. Seriously you're complaining that the prototype puts the return type on the right?
16:10 < HM> no, i'm questing why they changed it from C or C++ at all.
16:10 < HM> questioning
16:11 < HM> and kept a lot of other bad garbage around
16:11 < gmaxwell> because the C style leads to severe visual (and in C++ parsing) ambiguity.
16:11 < HM> just because it's familiar
16:12 < HM> what about other weirdness
16:12 < HM> let i: int = 50;
16:13 < HM> let i = 100u;
16:13 < HM> let i = 100i32;
16:13 < HM> one minute the type info is on the left, the next it's on the right
16:13 < HM> ok, so that's copying Cs integer literals
16:13 < gmaxwell> In the latter case the type of i is inferred by the data its being assigned to.
16:13 < midnightmagic> This week, on language wars.. some guys discuss the relative merits of C++ vs. Rust, absent twkm!
16:14 < HM> but in C++ you can do "auto i = 50ul;"
16:14 < HM> or unsigned long i = 50;
16:14 < midnightmagic> HM: May I enquire as to where you were originally complaining about Rust syntax?
16:14 < HM> in -dev
16:14 < gmaxwell> HM: typing literals is something that can't be avoided... but the actual language feature you're complaining about there is the inference.  E.g. let i = foo();  works and gets the type from foo's return.
16:14 < midnightmagic> oh
16:15 < HM> let y: uint = x as uint;
16:15 < HM> ^ wtf?
16:15 < gmaxwell> yes, thats a cast.
16:16 < gmaxwell> same as float x = (float)double_returning_function();  so that static analysis tools know you mean to do it and won't whine about the narrowing.
16:17 < HM> auto x = (float) double_ret_func();
16:17 < HM> only typed the type i want once
16:17 < HM> the Rust code has 2 operators/keywords and you type it twice
16:17 < gmaxwell> HM: you might well be completely right, what do I know. Smarter people than I create this stuff... C++ is just an endless _sea_ of total wtfs. I don't assume the C++ designers were morons, though it often seems so. I assume language design is subtle and hard.
16:18 < HM> it is
16:18 < HM> and C++ is disgusting
16:18 < HM> but I think Rust should have done better given it's starting fresh
23:00 < petertodd> systems designed for that assumption are far more robust when something goes wrong
23:00 < amiller> eh well i'm intrigued in either case.... in that case the point to make is that this is possible
23:01 < amiller> it's easy to provide a high resolution realtime _lower-bound_ for proof of work
23:01 < amiller> whether it's good or bad to do so... i don't now
23:01 < petertodd> well keep in mind that the fast internet connections we take for granted between nodes may not always be possible
23:02 < petertodd> bitcoin users may be forced to tor, and worse, tor can certainly get more unreliable/need totally different alternatives
23:02 < amiller> yeah no kidding.
23:02 < amiller> to be clear i live in fantasy wizard land where about half the bitcoin mining power is on mars
23:03 < petertodd> I guess part of your fantasy is FTL comms... :P
23:03 < amiller> no i'm hard sci-fi, special relativity is the crucial limitation that makes things weird
23:04 < amiller> and ascii bernanke was put in the blockchain as a warning against relying on mysterious leaders correctly setting global parameters...
23:04 < amiller> anyway yeah the normal block rate determines like the maximum coarseness bound for proof of work samples
23:04 < petertodd> heh, well, so mars has a second chain I hope?
23:04 < amiller> hehehe well since you asked...
23:05 < amiller> mars and earth participate in a largest global coin that is shared between them
23:05 < amiller> but pretty much most of the volumes of their economies are conducted on smaller planet-localized chains
23:05 < petertodd> amiller: https://bitcointalk.org/index.php?topic=158756.msg1786069#msg1786069 (bottom)
23:05 < amiller> that run so much faster that it's hard for people on mars to get much profit from running on the earth local chain
23:06 < amiller> people tend to shift more of their mining power to the earth-mars joint chain when mars's orbit brings it closer to earth
23:06 < petertodd> LOL!
23:06 < amiller> and of course when it's solar eclipsed they might as well be isolated
23:06 < amiller> also sometimes a colony gets knocked out of orbit and no one knows whether we'll ever hear from them again
23:06 < amiller> in that case their chains diverge
23:07 < amiller> if they sometimes come back, either there is a remarkably painful reorg process or they just agree to have separate histories
23:07 < amiller> s/sometimes/somehow
23:07 < petertodd> we're gonna need #bitcoin-scifi at this rate
23:07 < petertodd> and #bitcoin-steampunk
23:09 < amiller> i think blockchains will follow the 4 F's of evolutionary biology
23:09 < petertodd> ?
23:09 < amiller> feed, fight, flee, and mate
23:09 < petertodd> ah 'mate'
23:10 < amiller> i meant fuck
23:10 < petertodd> don't tell me you've been working on making merkle AST's have sex
23:13 < BlueMatt> petertodd: sadly, thats a fairly easy process....
23:13 < BlueMatt> well, mate maybe, sex not so much
23:13 < amiller> i think bitcoiners need simultaneously more imagination and more formal modeling, we've seen absolutely nothing yet as far as 'bitcoins final form' or w/e goes
23:13 < amiller> the value of the fantasies is when it puts theoretical limits / invariants in focus
23:14 < petertodd> changing bitcoin is so difficult Bitcoin may well be in its final form...
23:14 < amiller> or to put it another way, bitcoin is an intergalactically brilliant idea :D
23:14 < amiller> i couldn't possibly disagree more
23:15 < amiller> the whole 21million coins thing is like a teenager getting a tattoo of his first girlfriend on his forehead
23:15  * BlueMatt picks the middle
23:15 < amiller> i guess i meant first girlfriend's name but w/e
23:15 < BlueMatt> actually, limited supply (pick your number, doesnt matter) is quite a brilliant solution
23:16 < BlueMatt> imnsho
23:16 < amiller> the BTC is limited, but the alternate cryptocurrencies with identical design are ridiculously abundant
23:16 < BlueMatt> and do you see them with long-term adoption?
23:17 < amiller> i see them as growing to the point that they threaten and reveal the emperor's nakedness of bitcoin's scarcity
23:17 < petertodd> cryptocurrencies have ridiculous first mover advantage issues
23:18 < amiller> how plausible is it that there will eventually be a consensus among 'newcomers' to dismiss that first mover advantage
23:18 < amiller> class of 2013 rules!@!!
23:18 < BlueMatt> let me rephrase, do you see bitcoin having gotten the kind of adoption it has (and thus providing more for the altcoins) without it?
23:19 < amiller> i think it was a good choice for the time
23:19 < amiller> everything else about bitcoin is so foreign and unexpected that making it like 'gold' which everyone has a shared understanding about helps.
23:19 < amiller> also i don't think this is a bad thing because i think bitcoin will happily gobble up new technology/ideas as they catch on
23:19 < amiller> as long as the first mover advantage is respected
23:20 < amiller> their value can always be grandfathered in
23:21 < amiller> i don't think bitcoins' current financial model comes even close to resembling what will come shortly after though
23:21 < amiller> ripple trust is more scarce than cryptogold
23:24 < amiller> ripple trust is also the only financial model with any sound theoretical footing, e.g. http://www.econ.wisc.edu/workshop/trust_and_social_collateral.pdf
23:27 < amiller> or to put it another way, _where we're going, we don't need gold_
23:29 < amiller> on the other hand we definitely _will_ still need a magic irreversible ledger in the sky
23:33 <@gmaxwell> amiller: nah, I think ripple is unlikely to survive. You'll at a minimum need to get a new name for it.
23:34 < amiller> yeah mb i meant "credit network trust"
23:34 < amiller> or social collateral
23:34 < amiller> social collateral is what i meant
23:34 <@gmaxwell> (as an aside ... forum users are now getting flooded with offers of $20-$30 for their accounts, because people want in on the XRP goldrush.)
23:34 < petertodd> gmaxwell: still?!
23:35 <@gmaxwell> I haven't checked where it is now, but the complaints from users only started about a week ago.
23:35 <@gmaxwell> but they might be about older messages.
23:35 < petertodd> well, regardless that's just silly
23:35 < amiller> i'm so pissed at ripple and ryan fugger selling out the trademark to idiots i can't see straight
23:36 < amiller> and yet i'm also glad they're doing so much work on their api and interface
23:36 < petertodd> yeah, it's a very nice name, hard to come up with good names
23:36 <@gmaxwell> perhaps I'll suggest to theymos that he make 100 old accounts appear out of SQL INSERT magic and go cash in. :P
23:36 < amiller> petertodd, beyond that it has like 10+ years of heritage
23:36 < petertodd> amiller: yup
23:36 < petertodd> amiller: the sort of heritage where it would have been totally ok to use the ripple name for even a few implementations
23:37 < petertodd> and actually get it right
23:37 < amiller> ripple.com has a shitty new video out that includes the phrase "80% is the threshold for mathematical certainty"
23:37 < amiller> i'm so mad and yet maybe it will be net positive, the work they're doing
23:37 < petertodd> oh dear
23:37 < amiller> i can actually withdraw bitcoins
23:37 < amiller> against my social trust lines.
23:38 < petertodd> honestly, ripple to me smells of engineers not getting how complex social trust relationships are
23:38 < amiller> via bitstamp the first operating "gateway" (where gateway means illegally operating msb)
23:38 < amiller> see the social trust part is the part that works.
23:38 < petertodd> although, I do want to see the fincen guidance on ripple, that could be hilarious
23:38 < amiller> they got all of that right
23:38 < amiller> the part that looks craziest and awfulest about them i think is actually the part that's fine.
23:39 < petertodd> heck no, the social trust bit is where it falls flat on its face because it's too complex and time consuming
23:39 < amiller> i couldn't disagree more
23:39 < petertodd> can it work? sure, but it's a lot of work
23:39 < petertodd> it's why I see ripple as making sense b2b, not p2p
23:39 < amiller> what they fail at is not understanding anything about byzantine/decentralized consensus
23:39 < amiller> not b2b
23:39 <@gmaxwell> amiller: yea, thats the annoying part to me, people are obsessing over the ripple-ish parts and ignoring the sketchy XRP stuff, the decentralized part, etc.
23:39 < amiller> b2b is inherently about government regulation
23:39 < amiller> p2p also maybe is too much work
23:40 < amiller> what else would you call it c2c? community to community? tiny faction to tiny faction?
23:40 < petertodd> no, business to business just means between entities big enough that accounting is an accepted activity
23:40 <@gmaxwell> unfortunately the regulatory environment will make us P2P some stuff that really ought not to be P2P.
23:40 < petertodd> which if they're smart will be their goal...
23:41 < amiller> petertodd, you should read a little about the theory of self enforcing contracts and credit networks
23:41 < petertodd> man I gotta make some computational oracles happen
23:41 <@gmaxwell> And there is even some indicators that some regulatory bodies are actually willing to go "p2p? oh. Well we give up". note fincen offering guidance which is different for decentralized and non-decentralized cryptocurrency! blew my mind.
23:41 < petertodd> amiller: that's my whole point, the fact that you need to read anything is why it's a bad idea for person to person
23:41 < amiller> gmaxwell, yeah omg!
23:41 < amiller> i shat myself when fincen provided a "definition" for "decentralized currency"
23:42 < petertodd> I'm not going to believe for a second the initial guidance actually means anything
23:42 <@gmaxwell> I think that the decentralization actually takes away some of the distractions that makes regulatory meddling seem more justified.
23:42 < amiller> i  think it's justified
22:13 < Ryan52> cfields: Yes, verified the MacOSX10.6.pkg in my downloaded .dmg matches.
22:14 < cfields> ok, great. So if anyone else wants to try to build with gitian, i can provide that file to spare you the trouble
22:15 < warren> cfields: it's available to anyone with an apple dev account?
22:15 < Ryan52> cfields: I'm working my way through the rest of the list to verify, but will have to stop halfway through that and leave in a couple minutes. Can come back in ~5 hours to finish it, but I'll submit my work in progress.
22:15 < Ryan52> warren: if you're willing to download the 4GB .dmg it's a part of :)
22:15 < cfields> warren: yea, it's necessary to build. Anyone who's built bitcoin for osx has downloaded it at some point
22:15 < warren> 4GB!?
22:16 < cfields> warren: only one file is needed from it, and it's ~50mb iirc
22:16 < warren> cfields: so the gitian VM must be *much* larger, or you extract something from it?
22:16 < warren> ah
22:16 < cfields> which is why i'm offering to provide that file to anyone who needs it, rather than going through that mess
22:16 < warren> as long as Ryan52 verified it I want the 50MB file
22:16 < warren> I don't have much time
22:17 < Ryan52> Yep, I also recorded the sha256 of the .dmg it came from, in case somebody wants to compare notes on that, at some point.
22:18 < Ryan52> (tho as long as the 50MB file is fine, that doesn't make much difference)
22:18 < cfields> 2ad43957613642f29166dd452662a2adeecb8b69e01ca373f2cb47fbe42764fc  xcode_3.2.6_and_ios_sdk_4.3.dmg
22:19 < warren> oh, I have that
22:19 < Ryan52> 2e666a972c616a35fed5790265fb5aa61ef74ea7c36e4e5a11261df00008822c  Downloads/xcode_3.2.6_and_ios_sdk_4.3.dmg
22:19 < Ryan52> That is odd. I wonder if Apple embeds our developer ID, or if mounting it causes the checksum to change.
22:20 < warren> hmm, what macports has sha256sum?
22:20 < Ryan52> (mine is of a copy before mounting)
22:20 < warren> Ryan52: oh damn
22:20 < cfields> Ryan52: hmm, maybe. that's good to know
22:20 < cfields> so the dmg checksum is uninteresting, but the pkg counts.
22:21 < Ryan52> Right.
22:21 < warren> how do I get sha256sum on mac?
22:22 < cfields> shasum -a 256
22:23 < cfields> Ryan52: not sure what list you're verifying?
22:23 < warren> I wish macports gnupg worked.  it fails to build.
22:27 < Ryan52> cfields: the list of checksums in your download script.
22:28 < cfields> Ryan52: i'm not sure what there is to verify manually?
22:30 < warren> cfields: as noted earlier, check against download sources of various linux distros and ports to be sure it's exactly the same as what everyone else is shipping.  If something is very new and not widely distributed yet, then manually examining the diff from the old version.
22:31 < cfields> mm, ok
22:31 < warren> cfields: if we're giving people a download.sh and hard-coded checksums we better be damned sure we didn't accidentally pull in something bad
22:31 < cfields> fwiw, i reused the tarballs i already had laying around mostly
22:31 < warren> that's fine.  another paranoid check is worthwhile.
22:31 < cfields> meaning: existing win32/linux dependencies
22:31 < warren> oh?  I noticed you upgraded boost.
22:31 < warren> you upgraded nothing else?
22:31 < cfields> so before going to that trouble, might want to see if we're already using em
22:32 < cfields> for the more complicated ones i took the macports version
22:32 < warren> Ryan52: the checksums already in contrib/gitian-descriptors/*.yml have been verified by me and the entire litecoin team redundantly.
22:32 < cfields> so that i could more easily re-use their patches
22:32 < warren> cfields: did you upgrade qt?
22:32 < cfields> yes, x.y.5
22:33 < cfields> 4.8.5 i think?
22:33 < Ryan52> Here is my WIP "notebook": http://pastebin.ca/raw/2478933
22:33 < cfields> same reason. Notice it has about 30 patches in play. I didn't want to waste the macports work on that
22:33  * Ryan52 has to go do other things for some hours, but can continue looking at things in a long while
22:34 < warren> Ryan52: if we're satisfied with this, time to move on to the external ip review.
22:34 < warren> Ryan52: write a good report on what you reviewed, how and maybe debug print patches
22:34 < cfields> also worth noting that regardless of any investigation, these are the versions that have been in-play on osx due to their use in macports anyway
22:34 < warren> I did that myself but I might have missed something.
22:34 < Ryan52> I did try to see if there were gitian-descriptors already, but not many did have them.
22:35 < cfields> you guys are really getting a bit ahead here, anyway. First step is to have someone else verify that it builds and works, then discuss with the other devs whether the approach is reasonable for releases or not
22:36 < Ryan52> Hm, okay. So should I just document my verification of the MacOSX10.6.pkg then, since that's the only one I was really "done" with? Where is best to do that?
22:37 < cfields> Ryan52: how bout commenting on my commit, so it's visible to anyone else looking over it?
22:38 < cfields> at github, that is
22:38 < Ryan52> cfields: Alright, wasn't sure if there would be a more relevant PR or BR, thanks!
22:39 < cfields> Ryan52: i'm still not quite sure how to handle it. need a recommendation from a veteran
22:39 < cfields> gavinandresen: ping
22:40 < warren> BR?
22:41 < Ryan52> warren: bug report, sorry I abbreviate too much sometimes :)
22:42  * Ryan52 isn't sure if that is proper github terminology, since it calls them issues, doesn't it?
22:45 < Ryan52> cfields: Here's your comment: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1#commitcomment-4688671
22:45 < cfields> Ryan52: thanks
22:54 < warren> 9c5424e26fb10836ebfc602d61d5e4f984a9ce33d327877dd51405b08b977ac5  xcode_3.2.6_and_ios_sdk_4.3.dmg
22:54 < warren> looks like it does change it by mounting =(
22:55 < Ryan52> eh, as long as the pkg matches we have verification. that sure is annoying tho.
--- Log closed Mon Nov 25 00:00:06 2013
--- Log opened Mon Nov 25 00:00:06 2013
00:41 < gavinandresen> cfields: hmm?
00:42 < cfields> gavinandresen: I have a working POC for deterministic dmgs built from linux. I need a bit of group-think on how to proceed. Suggestions?
00:43 < cfields> POC in that the process is ugly. The result seems stable.
00:43 < gavinandresen> what makes the process ugly?
00:44 < cfields> gavinandresen: mainly patching the shit out of qt/boost to get it built cross-arch cross-platform
00:44 < gavinandresen> mmm. That IS ugly.
00:44 < gavinandresen> Hard to review, hard to be sure the patches are correct....
00:45 < cfields> gavinandresen: well, they're 99% taken from macports...
00:45 < cfields> so the argument really isn't valid, it's just been covered up until now
00:45 < cfields> so before going further, i'd like some kind of consensus on the goal. Namely: Should it aim to be useful for everyday building? Or aim for gitian release builds only?
00:46 < gavinandresen> release builds only, in my opinion.  And maybe pull-tester builds.
00:46 < gavinandresen> I'm certainly not going to cross-compile in a linux VM to develop
00:46 < warren> I test gitian builds in dev all the time, personally.
00:46 < cfields> sure, pull-tester was the main target i had in mind
00:47 < warren> cfields: are all the static libs built into a deterministic deps tarball to use as an input?
00:47 < cfields> warren: not currently, but it'd be simple to get em to that point
00:48 < warren> cfields: that would help substantially
00:48 < gavinandresen> cfields: if it helps, I think it is time to drop 32-bit and OSX 10.5 support.
00:48 < gavinandresen> Maybe even drop 10.6 support.
00:49 < cfields> I'd be pretty opposed to dropping 10.6, but 10.5 and 32bit i would agree with
00:49 < cfields> but that's tangential to this discussion, neither of those added any complication to this process
00:49 < gavinandresen> ok
00:50 < gmaxwell> cfields: I am advised that 10.9 has been backported to * and was also advised that if we wanted anyone at apple to care we'd need to be on at least 10.7 and building in 64 bit.
00:50 < warren> * ?
00:51 < cfields> gavinandresen: i suppose i'm just looking for a bit of guidance as to how to proceed. It works, but it's ugly. If it's only for gitian, ugly doesn't really matter.
00:51 < cfields> I suppose I should re-define ugly. qt/boost are heavily patched either way. It's either macports or homebrew or us.
00:52 < cfields> so ugly means: a nasty build-script that either completes or fails gloriously
00:52 < gavinandresen> and relies on a very specific version of boost/qt, I assume?
00:52 < cfields> well I used the versions that macports use, so we could borrow their patches
00:53 < gavinandresen> That doesn't sound horribly ugly, just document the process of upgrading.
00:54 < cfields> Sure. It's the same as upgrading any other gitian deps. Just on a bigger scale for osx.
00:55 < cfields> gavinandresen: this probably explains better than me rambling about it: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1
00:55 < jgarzik> is there an OSX that works in VM?
00:55 < jgarzik> that would be useful
00:55 < cfields> jgarzik: none legally, so it tends to be avoided if it's done publicly
00:55 < cfields> (build-slave, pull-tester, etc)
00:56 < gavinandresen> cfields: can we avoid putting all those patches in our tree?  Maybe run a script to fetch them from macports ? (with just the macports public key in our tree)
00:58 < cfields> gavinandresen: if that's what you'd prefer, but seems that would only make it more complicated?
00:58 < cfields> I suppose your goal is to differentiate between our changes and theirs?
00:59 < gavinandresen> yes, if we are going to extend trust to MacPorts then better to make it explicit.
00:59 < gavinandresen> (if we are going to CONTINUE to extend trust....)
00:59 < cfields> i wasn't going to say it ;)
21:43 < petertodd> sipa: You expecting payment protocols?
21:43 < sipa> yes, i don't like that
21:43 < sipa> petertodd: yes
21:43  * BlueMatt beats jgarzik with a wet fish
21:43 < petertodd> sipa: Well... that's a long, long, long way off.
21:44 < sipa> petertodd: but what has that to do with anything?
21:44 < petertodd> sipa: After all, a UTXO set copy is a requirement for a validating node, which means the RPC should support it.
21:44 < gmaxwell> petertodd: funny multibit works just fine (cough on the fine part...) without any of that stuff.
21:44 < sipa> petertodd: wallet can perfectly keep track of their own transactions
21:44 < petertodd> gmaxwell: Right, by just downloading blocks.
21:44 < sipa> petertodd: no need to depend on any non-authorized data
21:45 < gmaxwell> petertodd: no, it uses bloom filterd blocks.
21:45 < petertodd> sipa: Remember, I did say UTXO in the *RPC*, not as a network visible thing.
21:45 < petertodd> sipa: Network visible is insane I agree.
21:45 < sipa> petertodd: i don't care, whatever protocol you use to let wallets and bitcoind communicate
21:46 < sipa> petertodd: and an address-indexed UTXO set isn't even enough for all wallet applications - you need the full transactions anyway to produce a ledger
21:47 < jgarzik> sipa: More seriously...  I proposed a similar split on #bitcoin-dev a few days ago.  Was looking into a fork(2)-based firewall between RPC/wallet/GUI and "everything else" (blockchain engine, really)
21:47 < jgarzik> sipa: would be trivial to split even further, once that happens
21:47 < sipa> agree
21:47 < petertodd> fork(2) is a clever way to do it, and easy to get started on
21:47 < gmaxwell> jgarzik: this has been said _lots_ of times in the past. By too too I think. I don't think anyone disagrees... doing that would let us do nice sandboxing eventually.
21:48 < jgarzik> I even researched Windows compatibility, RE fork+pipe: http://msdn.microsoft.com/en-us/library/edze9h7e%28v=vs.80%29.aspx
21:48 < sipa> no need for pipes; network sockets will work fine?
21:48 < jgarzik> sipa: fork+pipe is a nice existing model, can become sockets later
21:49 < jgarzik> sipa: but no big deal either way
21:49 < sipa> right
21:50 < jgarzik> in current code's context, The Program would fork off (re-run the exe, in Windows' case) the blockchain engine.  The Program would be RPC/wallet/GUI etc.
21:51 < jgarzik> gmaxwell: Well, from my perspective it seemed like everybody disagreed, when BlueMatt's big work was held in favor
21:51 < jgarzik> I prefer a more heavyweight messaging boundary (like pipe / network socket)
21:51 < petertodd> jgarzik: That also means you can make a very secure strictly non-wallet RPC interface that lives with the blockchain engine. - blockheaders and what not only
21:52 < petertodd> jgarzik: (or as a third process)
21:52 < gmaxwell> we don't need a zillion processes please. :P
21:53 < BlueMatt> jgarzik: meh, CBlockStore never worked out because it was never mergeable at the time I had free time to maintain it (along with many other issues)
21:53 < sipa> jgarzik: that was just making a hub structure for different components to communicate instead of ad-hoc... the idea was that some parts could move to other processes as well
21:53  * petertodd has shares in micron
21:53 < BlueMatt> realistically, it needs to happen in pieces, not at once
21:53 < sipa> yeah
21:53 < sipa> one of the things i'm "waiting" for, is CodeShark's split of main/core
21:54 < BlueMatt> CodeShark is working on this?
21:54 < gmaxwell> I don't see a reason for more than three processes  p2p network / block(+block rpc) / wallet(+wallet rpc / optionally gui)  and maybe the p2p and the block part are one process.
21:54 < petertodd> gmaxwell: right, that's exactly what I'm proposing
21:54  * jgarzik bets he can complete a fork()er before CodeShark ;p
21:54  * BlueMatt ponders writing CBlockStore part 1 version 4...
21:54 < jgarzik> mmmmm, competition
21:54 < BlueMatt> or am I on version 5 now?
21:54 < gmaxwell> then we can get to pick between pulls
21:55  * BlueMatt gives up and goes back to writing a bitcoinj full verification engine no one uses
21:56 < jgarzik> One "blockchain engine" process should manage p2p and block database, IMO.  Does not seem a need to split further (but who knows 'til ya get there)
21:56 < gmaxwell> BlueMatt: If I send you a fruit basket will you stop being sore about that? :P
21:56 < jgarzik> and that would be a natural splitting point for a further bitcoind/rest separation.
21:56 < sipa> jgarzik: core/main split has nothing to do with that; it's just that main right now has a) very low-level stuff (definitions of CTransaction/CBlock/...) and b) very high-level stuff (management of block db, verification, ...)
21:56 < petertodd> jgarzik: Keep in mind I'm specifically thinking of an RPC interface that would serve up data locally completely unauthenticated.
21:56 < jgarzik> petertodd: yes
21:56 < sipa> jgarzik: idea is that the low-level stuff moves to core.h/.cpp, so that +- everything loses its dependency on main
21:57 < jgarzik> petertodd: a blockchain engine would use something like that
21:57 < jgarzik> sipa: ah ok.  +1
21:57 < BlueMatt> gmaxwell: which one, CBlockStore or bitcoinj?
21:57 < BlueMatt> gmaxwell: and, no, I just like to bitch
21:58 < gmaxwell> BlueMatt: CBlockStore XXIVXI (the revenge) :P
21:58 < sipa> after that, i'd like to have a "block manager" or something, which just maintains CBlock's that are being worked on in memory, refcounts, and has a background thread for syncing them to disk
21:58 < gmaxwell> 2013-03-29 01:57:53  block index          716145ms
21:58 < gmaxwell> :P
21:58 < BlueMatt> valgrind?
21:58 < gmaxwell> yea.
21:59 < BlueMatt> gmaxwell: also, the amount of work that went into CBlockStore...
21:59 < BlueMatt> anyway...
21:59 < jgarzik> essentially all wallets, and other fun petertodd apps, are query clients for the public blockchain dataset
21:59 < BlueMatt> yes
21:59 < jgarzik> some apps might want additional indices we don't care about, to make things like searching for bitcoin address easier
22:00 < petertodd> yup, timestamp verification is your canonical example where a pure blockheader thing would be useful, fidelity bonded banking/ledgers needs searchable UTXO sets at the other extreme
22:00 < sipa> i do like to see a split (not necessarily separate processes, but at least functionality-wise independent) between archival block storage (with optionally some indexes) and UTXO maintenance (with optionally some indexes)
22:01 < petertodd> sipa: Good idea - needs to be done long-term conceptually for aggressive SPV with a healthy network after all.
22:02 < sipa> SPV has nothing to do with that :p
22:02 < sipa> as it has neither
22:02 < petertodd> sipa: brainfart - s/SPV/pruning/
22:02 < sipa> ok
22:03 < petertodd> speaking of: blockchainbymail.com
22:04 < BlueMatt> hahahaha
22:04 < petertodd> It was going to be my April Fools joke, but then someone went off and did it so I gave them the domain. :P
22:09 < warren> petertodd: would be great if the only way to order the blockchainbymail is with bitcoin.
22:11 < petertodd> sigh, recursion...
22:12 < petertodd> related: I'm thinking for a merklized AST what makes sense is merklized forth. The forth dictionary concept is perfect for it, and means you have a simple, easy to implement language already used for embedded and other things (and bitcoin scripting) along with all the usual nice things like editor modes and what not
22:12 < sipa> did you mean: recursion?
22:12 < BlueMatt> sipa: no he meant recursion
22:12 < sipa> BlueMatt: the recursive kind?
22:13  * petertodd is an analog electronics designer, just so you know.
22:13 < sipa> petertodd: dude, what are you not?
22:13 < petertodd> sipa: well, I'm not an expert at anything...
22:19  * jgarzik ponders the bandwidth of QR codes
22:19 < jgarzik> Could a 1MB block fit on a single, printed 8.5" x 11" page?
22:20 < jgarzik> easy enough to have multiple QR codes
22:21 < sipa> jgarzik: there's even a standard for that
22:22 < petertodd> 400dpi works out to 1.87MB at 1 bit per dot
22:22 < petertodd> so I'm guessing no, but it's not far from possible
22:23 < petertodd> computer data storage on paper used to be a thing
22:32 < jgarzik> so
22:33 < jgarzik> header + coinbase tx + list of TX hashes is sufficient to recreate a full block byte-for-byte, assuming fully cached TX's
22:33 < jgarzik> correct?
22:33 < sipa> yes
22:42 < petertodd> Merkle Forth: So you've got your parameter stack and return stack, and are thus at the point where you can recreate Bitcoin scripting. Now the interesting thing to do is add TPM functionality, which means a PCR opcode and stack to allow you to select what you want to consider as the start of the current trusted block of code. Then add an encrypted stack, as expected encrypted with H(sec|PCR tip), and some sort of monotonic counter thing. That should give you enough to do trusted computing with an extremely stable API, and that API itself can be just AST heads of useful library function calls that may actually be implemented directly in C or whatever rather than the opcodes themselves.
22:43 < petertodd> Now off-chain tx's with trusted hardware is just a matter of agreeing on a common program that will manipulate the counters representing value attached to the private keys, as well as agreeing on what signatures sign the classes of hardware you can trust.
22:44 < petertodd> With some careful design you can probably even use the programs themselves to prove fraud/compromised trusted hardware, basically by just providing a program that should have run, and some kind of execution trace proving it didn't do that, at least in many cases.
22:45 < petertodd> Equally, that also makes designing redundant hardware easier, as you can reuse the execution traces to determine if two sealed up uC's running the code executed the code in the same way on the same data.
00:10 < andytoshi> midnightmagic: lol, i formally skipped two grades, but my attendance was ~0 so it didn't matter, just let me get out earlier, so i'd recommend it
00:11 < midnightmagic> oh cool
00:11 < petertodd> andytoshi: huh, must be a regional thing that they settle in Toronto
00:11 < midnightmagic> yikes.
00:11 < andytoshi> midnightmagic: agreed re iranians, the one guy i know is so much fun
00:11 < gmaxwell> Its not something that was widely publicized, I think I only knew it was possible as a result of talking to some prof at the local community college who'd done it himself in the 70s... I caused a number of other people to do it.
00:12 < petertodd> andytoshi: also people from Iraq, Palestine, Afghanistan etc.
00:12 < midnightmagic> then again I personally have never met a single US'ian I didn't love so.. dunno if I'm just a people lover or plain lucky
00:13 < andytoshi> petertodd: cool, also know only one iraqi, two afghanis, no palestinians.. vancouver is all east asia and india
00:13 < petertodd> midnightmagic: it's interesting just how much iran has changed for so many of the Iranians I know - practically a different country now compared to the 70's or so
00:13 < midnightmagic> Yunnan province chinese are awesome
00:13 < midnightmagic> lol
00:13 < petertodd> midnightmagic: most of the ones I knew had grown up here - it was their parents who fled
00:14  * midnightmagic tries to think of a people that irritate him and fails.
00:14 < petertodd> midnightmagic: aussies?
00:15 < andytoshi> haha
00:15 < midnightmagic> petertodd: Hrm, yeah maybe. There's some weird misogyny stuff going on there. But NZ make up for it
00:15 < petertodd> ha
00:15 < petertodd> good, cause my mom's an aussie, and my brother lives there :P
00:15 < midnightmagic> :-)
00:16 < midnightmagic> my cousin is marrying an aussie, he's like the ultimate man's man, great guy
00:16 < petertodd> lol
00:16 < midnightmagic> (in the awesome way, not the chauvinist way)
00:16 < petertodd> sounds about right
00:17 < midnightmagic> :-)
00:18 < petertodd> actually the one group I didn't like at ocad was about half of the Jews from Israel - see, one half left Israel because they couldn't stand the violence, and the other half left Israel because they couldn't stand the violence... and you'd, roughly speaking, have one half of that group be "peaceniks", and the other half be downright frightening if you ever got them talking about the security of Israel. Very bizarre in the context of an art ...
00:18 < petertodd> ... school to say the least.
00:19 < petertodd> Really good example of how utterly polarizing that issue can be with people unfortunately. :(
00:30 < gmaxwell> At the IETF many of the Israel folks are super duper heavy pro-surveillance-state (enough that its conspicuous). I've observed this create some pretty awesome dissonance in hallway conversation with americans of jewish descent. "Government tracking and logging everyone's activity, surely there is no historical precedent for the abuse of this kind of infrastructure!"
00:34 < petertodd> gmaxwell: ha, sounds about right. Really bothered me the one time I heard one of the more militant of them talk about the "Palestine problem" as something that needed a final solution.
00:35 < gmaxwell> Final Solution. Get the case right.
00:35 < petertodd> gmaxwell: good example of how perceived safety works too... the people I knew from Palestine, heck, even Gaza, never seemed to have that kind of hostility.
00:36 < petertodd> gmaxwell: I'll assume they were quoting Ariel Sharon, who gets quoted as saying that in lowercase. :/
00:37 < gmaxwell> I can't even pretend to understand the geopolitics there, but it is interesting to see how different social/cultural backgrounds color positions and perspectives.
00:38 < gmaxwell> I've also seen some people from places with severe organized crime and corruption problems see antisurveillance technology as problematic. In particular because the badguys there have unequal access to it, and because surveillance is _sometimes!_ successfully used against them.
00:39 < petertodd> Yeah. Really unusual that too given there were just as many Israelis I ran into who were truly passionate about the peace process and ending violence; kept running into one of my teachers at protests related to it.
00:39 < gmaxwell> I wonder how different the US perspective on the NSA might be if it were also used to root out a bit of serious corruption in government here and there.
00:40 < petertodd> I think that's a very good point: the middle-east people I knew from OCAD were the first to pick up on the NSA stuff other than tech people I knew.
00:40 < petertodd> While I've yet to hear any Russians bothered by it.
00:43 < petertodd> Of course, Toronto also had the G20, which I think *really* turned public opinion against the police locally with how badly it was handled. First time in my life that all the major papers quite directly accused the police of lying.
00:43 < petertodd> I think that's rubbed off to surveillance stuff in general, at least based on the way people seem to talk about the NSA.
00:44 < andytoshi> petertodd: where i live, there is a general distrust of the "american police state", especially since many vancouverites drive to and from seattle routinely
00:44 < petertodd> andytoshi: interesting! due to border guards?
00:44 < andytoshi> petertodd: yes
00:45 < andytoshi> the american border guards are idiots and aggressive, and we all know people who've been barred from the country for trying to bring dope over
00:45 < andytoshi> about 25% of the time you are 'randomly selected' to go stand in line for several hours while they take your car apart
00:45 < petertodd> andytoshi: heh, might have something to do with my co-workers dislike too: we've had hundreds of thousands of dollars worth of really sensitive equipment destroyed by border guards pulling it apart :(
00:46 < petertodd> andytoshi: took the second occasion before they realized they'd just have to ship stuff by hand
00:46 < andytoshi> when i fly to the US, customs entering the US is fascinating to watch because the non-canadians have to do the police-state record-all-ten-fingerprints thing
00:47 < andytoshi> meanwhile canadians get a special treatment because they would never put up with that, and they are still hostile to the guards and vice-versa
00:47 < petertodd> andytoshi: it's canadians too sometimes...
00:47 < andytoshi> ..and the poor europeans are basically being strip-searched, watching canadians glare at guards as they stand 2 inches over the line they were told to stand behind
00:48 < andytoshi> petertodd: canadian guards? driving in i have had them be assholes before, though they have never taken my car apart
00:48 < andytoshi> flying in, the "customs" process involved them asking if i went to school in the US
00:48 < andytoshi> i said yep, the guy said ok, sure
00:48 < petertodd> heck, I had a friend who tried to go into the states in the middle of summer, with her dog in her car, and they forced her to leave said dog in the car while they interrogated her. The whole time they just stonewalled her as to what was happening to her dog, saying they didn't give a damn. Of course, in reality it was just a pressure tactic and they'd let it out and gotten it some water, but...
00:48 < andytoshi> jeez
00:48 < petertodd> andytoshi: oh, I mean they give the fingerprint treatment to canadians sometimes
00:49 < andytoshi> oh, i got that when i first got my F1 status
00:49 < andytoshi> very annoying, i'll have to replace those fingertips when i get out of school <.<
00:49 < petertodd> ha
00:49 < petertodd> take up quartz glass blowing, and be clumsy
00:49 < andytoshi> :P
00:51 < petertodd> I was impressed with the european border control when I went to the dark wallet hackathon, which was held in an abandoned building with known cyber-terrorist Amir Taaki: didn't ask me a single question
00:51 < andytoshi> haha, excellent
00:53 < andytoshi> is amir a "known cyber-terrorist"?
00:53 < andytoshi> haha, i see, i've never read his wiki page before..
00:53 < petertodd> I sure hope so! I've got an image to maintain
00:54 < andytoshi> https://en.wikipedia.org/wiki/Amir_Taaki#Activism would certainly classify him as a terrorist in america
00:55 < petertodd> agreed, and Esperanto?! evil
00:55 < phantomcircuit> only on tuesdays
00:55 < andytoshi> that wiki page also claims he is on forbes' top 30 entrepreneurs of 2014
00:55 < andytoshi> ..which was published tomorrow o.O http://www.independent.co.uk/news/business/analysis-and-features/meet-the-worlds-next-billionaires--from-mashables-pete-cashmore-to-bitcoin-renegade-amir-taaki-9042710.html
00:55 < petertodd> andytoshi: um... yeah... I believe that guy when he says he's penniless
00:56 < andytoshi> oh, no, that's today's date up top, the article is a week old :P
00:57 < phantomcircuit> petertodd, im pretty sure he has at least like
00:57 < phantomcircuit> 100 euros
00:57 < andytoshi> yeah, the article credits him for darkwallet, but that seems pretty hard to monetize
00:57 < petertodd> phantomcircuit: and one pair of unwashed sweatpants
00:57 < andytoshi> i assume jon matonis was involved in that list ..
00:57 < petertodd> andytoshi: lol
00:57 < phantomcircuit> petertodd, im pretty sure he has only one pair of everything
00:58 < phantomcircuit> maybe he has two shirts
00:58 < petertodd> phantomcircuit: probably both scavenged
00:59 < phantomcircuit> eh probably not quite
00:59 < phantomcircuit> maybe his mom bought them
00:59 < phantomcircuit> (that's always a good way to get new clothes)
00:59 < petertodd> phantomcircuit: works best when your parents live in northern canada... and they invite you home for Christmas
00:59 < phantomcircuit> which is why i get a nice laugh at people accusing him of doing things for bad reasons
01:00 < phantomcircuit> it's just not how he operates
01:00 < petertodd> yup, he's very genuine
01:00 < warren> jgarzik: older versions of osx run in a heavily hacked kvm
01:00 < warren> jgarzik: it's quite a pain
01:00 < warren> jgarzik: I found it easier to buy an old macbook with a broken screen, put it into a data center and ssh->vnc in
01:00 < gavinandresen> I asked Apple developer support about building in a VM, and they basically said "No."
01:01 < cfields> gavinandresen: ok. I'm happy to clean up and document the patching process. Atm it's just one hammer after another, just wanted to get the thing built/working
01:01 < jgarzik> heh
01:02 < cfields> gavinandresen: but ofc that hinges on whether or not you think the goal is useful. If it's deemed not worth the hassle, obviously there's no sense in continuing
01:03 < gavinandresen> cfields: we're on the ragged edge of what we can support with the developers we've got right now, in my humble opinion.
01:03 < gavinandresen> Adding another build environment
01:03 < cfields> hehe, my writing makes me sound so dickish. the above translates to: "think it's worth pursuing?"
01:04 < cfields> gavinandresen: well there is no new environment really. It's just existing environments doing cross-builds
01:04 < gavinandresen> In the grand scheme of things, gitian building gives geeks the warm fuzzies, but doesn't matter diddly-squat to end users.  Who are using lightweight wallets anyway.
01:07 < cfields> gavinandresen: given that line of reasoning, there's no need to do linux releases if distros are handling them.
01:07 < phantomcircuit> cfields, oh god no
01:08 < gavinandresen> A good test for whether it is worth continuing:	I think we should switch to qt5 for the 0.9 release.  How much extra work to get the osx gitian build working?	Could anybody besides you do it in a reasonable amount of time?
01:08 < cfields> Not arguing one way or another, but that seems at odds with current development
01:08 < phantomcircuit> the distros are NOT handling them
01:08 < warren> cfields: the distros are really messing it up
01:09 < cfields> heh, just evaluating data-points. I'm not suggesting anything at all
01:09  * gavinandresen notices there is no qt5-mac yet in macports
01:10 < cfields> gavinandresen: i have qt5 up and running on my macbook somewhere
01:10 < cfields> taken from the binary release
01:10 < gavinandresen> cfields: me too!  Not using it because autotools.....
01:11 < cfields> gavinandresen: heh, 9235th hint received
01:11 < cfields> gavinandresen: i was planning to knock that out after the dmg. seems i got my priorities reversed.
01:11 < warren> cfields: there's a 200 unit bounty!
01:11 < gavinandresen> mmm.  It is always a question of priorities:  gitian-built OSX is a would-be-nice for me, not a priority.
01:12 < gavinandresen> qt5 is a priority, because there's a nasty bug in the payment protocol on Windows that is fixed by qt5
01:12 < cfields> gavinandresen: well i resigned from my job and there's a sizeable bounty for the dmg. So in this case the priority was food and shelter :)
01:13 < cfields> gavinandresen: what's the timeline for .9 release?
01:13 < gavinandresen> cfields: Release candidate sometime in January
01:13 < jgarzik> 1 day
01:13 < jgarzik> +/- 100% error factor
01:14 < jgarzik> headers-first sync doesn't seem to be moving?
01:14 < jgarzik> or did I miss something
01:14 < gavinandresen> headers-first sync isn't a showstopper feature for 0.9
01:14 < gavinandresen> it is on my 'nice-to-have' priority list, too.
01:14 < gavinandresen> (way up near the top of that list)
01:14 < gmaxwell> this should probably be in #bitcoin-dev
01:15 < cfields> gavinandresen: if qt5 is that much of a necessity, i can switch gears and get it knocked out this weel
01:15 < gavinandresen> yup
01:15 < cfields> *week
01:15 < cfields> i was under the impression it was just a shiny new toy to play with
01:17 < gavinandresen> cfields: yes, please! qt5 is necessary for 0.9....
01:20 < cfields> gavinandresen: ok. I suppose win32 is top priority, then?
01:21 < cfields> gavinandresen: given that it may cause headaches in linux/osx due to it being new and relatively unpackaged, it'd probably be best to attack it in chunks
01:21 < cfields> meaning: push in support for win32 before it's supported across the board
01:34 < gavinandresen> cfields: okey dokey
01:50 < warren> gavinandresen: what in particular about 10.7 and "anyone at apple to care"?
04:09 < michagogo|cloud> 5:14:50 <cfields> ok, great. So if anyone else want to try to build with gitian, i can provide that file to spare you the trouble
04:10 < michagogo|cloud> Erm, is that file legally redistributable?
05:03 < gmaxwell> I noticed something on the latest surprisingly bad Shamir paper.
05:03 < gmaxwell> ... it was also on the other one, but I didn't notice it there.
05:03 < gmaxwell> Acknowledgments. This research was supported by a research grant provided by the Citi Foundation.
05:05 < TD> huh
05:05 < TD> that is indeed what it sounds like
05:38 < gmaxwell> https://news.ycombinator.com/item?id=6793270
05:40 < TD> yes, i've been wondering what happened to shamir  ....
05:45 < TD> makes me wonder if the R and A carried more of the weight than the S
06:02 < Ryan52> heh, a friend of mine was bragging to me the other day that he knows "the S in RSA", in response to the shirt I wore having "RSA" mentioned on it. I guess that may not count for quite as much as he had hoped now. :)
07:18 < Emcy> citi foundation you say
07:18 < Emcy> as in the bank
07:18 < gmaxwell> As in the bank.
07:19 < Emcy> guess were past the laughing at us stage then
07:20 < Emcy> you should see some of the 'papers' on filesharing which various Ass. of America groups have bankrolled
07:21 < gmaxwell> Emcy: did you see me say the same thing on reddit?!
07:21 < Emcy> um no?
07:22 < gmaxwell> Emcy: http://www.reddit.com/r/Bitcoin/comments/1reuwq/vigorous_debate_over_shamirrons_supposedly/
07:22 < Emcy> i stopped going on the bitcoin reddit because it comes across as mainly a huge price pump engine/death to the foundation noticeboard
07:23 < gmaxwell> hah, that about characterizes it, yup.
07:24 < gmaxwell> I'm pretty sure my net karma in that subreddit (and only that one) is negative... because I keep saying edgy things like "Bitcoin is uncertain and has risks too" :P
07:24 < gmaxwell> Emcy: in any case, see my comment there: http://www.reddit.com/r/Bitcoin/comments/1reuwq/vigorous_debate_over_shamirrons_supposedly/cdmjbze
07:33 < Emcy> nulldc?
07:36 < Emcy> " the existence of a surprising link between the two mysterious figures of the Bitcoin community, Satoshi Nakamoto and DPR."
07:36 < Emcy> oh fuck right off with that shit
07:36 < gmaxwell> yea, its crud.
07:37 < Emcy> this is why satoshi stayed anon, and people still question why
07:37 < gmaxwell> News flash: Two bitcoin users used a common exchange!
07:37 < Emcy> i never knew satoshi ever used an exchange
07:39 < sipa> it's not about satoshi :p
08:15 < wumpus> one of the early adopters used an exchange!
08:16 < gmaxwell> wumpus: someone had to go first!
08:16 < petertodd> Emcy: really remarkable that Satoshi and DPR both used an obscure digital store-of-value system
08:18 < wumpus> hehe
08:18 < Emcy> i bet they both use the toilet too
08:18 < Emcy> half life 3 confirmed
08:19 < petertodd> Emcy: it's going to be sooo weird when it turns out that satoshi was a facehugger
08:19 < gmaxwell> Whats a facehugger?
08:19 < Emcy> what now
08:19 < petertodd> http://static1.wikia.nocookie.net/__cb20080712194334/avp/images/b/bb/Alien-The_Facehugger.png
08:20 < Emcy> and the human is the banks rite
08:20 < petertodd> hehe, yup
08:20 < Emcy> heh now watch this chatlog get used in congressional testimony as to why bitcoin was designed to be a parasitic force on the great and the good
08:21 < gmaxwell> If the banks were as tough as sigourney weaver they wouldn't need so many bailouts.
08:22 < petertodd> gmaxwell: nah, banks are the alien queen - sigourney weaver is credit unions, and satoshi is the nuke they should have used from orbit...
08:22 < petertodd> ...only way to be sure
08:22 < Emcy> no theyre more like the female lead from the new prometheus film....totally useless but got out of an extremely hairy situation when they really shouldnt have
08:23 < petertodd> Emcy: ha
08:23 < petertodd> Oooooh, there's an alt-coin that hasn't been made yet: HR Giger Coin
08:24 < petertodd> "You're funds are well protected by proof-of-sexual-sacrifice"
08:24 < Emcy> yeah, the logo is an alien dick penetrating some chimera ass
08:24 < petertodd> Brings new meaning to the term "fidelity bond"
08:24 < Emcy> ahuehue
08:36  * gmaxwell checks the channel hes in
09:00 < pigeons> petertodd: sounds like a good additional feature for https://bitcointalk.org/index.php?topic=294383.0;all
09:21 < TD> boggle
09:31 < cfields> michagogo|cloud: by itself, no
09:31 < cfields> michagogo|cloud: you can jump through a series of hoops to get it completely legally
09:31 < cfields> michagogo|cloud: in fact, everyone who has ever built on osx has already done so, it's a requirement
09:50 < jgarzik_> Interesting point by BTC guild op, https://bitcointalk.org/index.php?topic=338452.msg3670185#msg3670185
09:50 < jgarzik_> Makes me want to accelerate my mempool expiration plans
09:53 < TD> or just optimise that algorithm
09:53 < sipa> i started working on a quick patch to use BIP37 full-block-match for block relaying
09:53 < sipa> but it's hard to do now, if we need integration with orphan handling
09:53 < TD> how so ?
09:53 < sipa> implementation reasons
09:54 < sipa> doing that after headers-first is probably much simpler
09:54 < sipa> and safer too, as it will allow validating the header ahead of time
09:54 < TD> maybe you could send the headers-first code you've got to gavin?
09:55 < sipa> the former pull request is public
09:55 < sipa> around christmas i'll have time, i guess :)
10:38 < Emcy> is any pool not capping their blocks
10:38 < Emcy> i think only eligius?
18:25 < warren> bored hacker was the risk we're concerned about?
18:25 < gavinandresen> warren: "many of us" ?  be specific, please.
18:25 < petertodd> warren: not exactly a strong guarantee, but it takes pressure off and lets all kinds of solutions be worked on.
18:25 < warren> gavinandresen: perhaps you didn't notice that nearly everyone is in favor of it?
18:26 < petertodd> warren: bitcoin-qt development happens by rough consensus, nearly everyone with strongly opposed minority isn't rough consensus
18:26 < gavinandresen> warren: I was under the impression that sipa/jgarzik/gmaxwell did not feel strongly about it.  And I'm listening to Mike Hearn very carefully, because bitcoinj is ACTUALLY USING THE FEATURE
18:27 < gavinandresen> It seems extremely likely that match-only bloom filters will be the default way of propagating nodes in the 0.9 release, too.
18:27 < gavinandresen> (to help address the orphan cost / high transaction fee problem)
18:27 < warren> sipa jgarzik gmaxwell were actually in favor.
18:27 < gavinandresen> ^propagating nodes^propagating blocks
18:27 < sipa> i'm in favor of NODE_BLOOM yes, but i don't think it's urgent
18:27 < petertodd> sipa: +1
18:28 < warren> OK, it isn't urgent enough for 0.8, I agree.
18:28 < sipa> also, match-only bloom filtering has no DoS risk, it can always be available
18:28 < petertodd> sipa: yeah, match-only bloom filtering has nothing to do with the real intent of NODE_BLOOM
18:28 < sipa> it's just a side effect of nicely fitting in the same protocol
18:29 < gavinandresen> I'm already hearing the "why am I getting merkleblock messages when I don't have NODE_BLOOM set" complaints
18:29 < warren> gavinandresen: part of the problem with bitcoinj is its scary absolute reliance on using only the DNS seeds, not asking nodes for peer addresses and not remembering any.  It also has no facility to query peers for service bits and deciding not to use that peer.  We're looking at fixing that.
18:29 < petertodd> sipa: yup, and as match-only becomes more developed my NODE_BLOOM bip should be updated to figure out how to differentiate them
18:29 < warren> gavinandresen: how is that true?  there aren't any NODE_BLOOM nodes yet.
18:30 < sipa> warren: he's prognosticating
18:30 < gavinandresen> warren: if we implement NODE_BLOOM but make an exception for match-all, then that is a wart that future developers will wonder/complain/obsess-over ....
18:31 < petertodd> gavinandresen: yes, which means letting the discussion sit for a bit while that's hashed out is perfectly reasonable.
18:31 < warren> gavinandresen: let's have the full policy discussion for 0.9, no rush for now.  We have problems with other implementations of full nodes and future pruned nodes that can't service bloom.
18:31 < warren> gavinandresen: sorry for pushing for 0.8, it's not ready, I agree.
18:31 < gavinandresen> good, we all agree
18:32 < sipa> warren: you mean 0.10 and 0.9 i think
18:32 < sipa> 0.8 has been out for half a year or more
18:33 < petertodd> warren: the question isn't "can't service bloom", it's "don't want to/it would be best if they used their resources in a different way"
18:33 < petertodd> warren: sure, some can't, but that's not the interesting part
18:37 < cfields> which ubuntu version did we end up upgrading gitian to for win32 builds?
18:37 < warren> cfields: 12.04
18:38 < cfields> blah
18:38 < warren> cfields: let's have a fourth VM! =)
18:38 < warren> cfields: you found that any distro clang is good enough?
18:39 < cfields> warren: i just had the fun of ripping out my nightlies and confirming that raring's default clang works
18:39 < warren> trouble there is it isn't LTS
18:39 < petertodd> gavinandresen: re: high fees, if you can get 0.1s latency, and 500KB/s bandwidth between hashing power, 0.1mBTC/KB fees are profitable with 1MB blocks - if you care about the issue, tell BTC Guild, GHash.IO, Eligius and BitMinter/Slush to run some nodes doing private peering and do 1MB blocks and you're done.
18:39 < cfields> without a big hassle, i can't test anything lower. so for my POC, i'm going with raring
18:40 < cfields> if it turns out that it works with earlier versions, that's a bonus
18:40 < petertodd> gavinandresen: if they don't listen, well, that says a lot about pool incentives...
18:40 < warren> cfields: want me to create a 12.04 VM for you to login and test?
18:41 < cfields> warren: nah, nothing's automated. so it's not an easy test, i'd have to recreate my entire env.
18:41 < cfields> i'll script something up as agnostic as possible
18:41 < gavinandresen> petertodd: I'm trying to get out of the business of "Everybody Do What Gavin Says"
18:42 < warren> cfields: if we can figure out how to use new-linux to compile old-glibc compatible binaries, we can have the same VM for all gitian.
18:42 < petertodd> gavinandresen: ok, I'll do
18:42 < petertodd> *do it
18:42 < gavinandresen> petertodd: excellent
18:42  * gavinandresen rubs his hands together like Mr. Burns
18:43  * petertodd rubs his hands together like the board that Mr. Burns is accountable to
18:43 < cfields> warren: aiming for a single abi isn't reasonable to me. someone else can attempt if they'd like, but i won't be spending my time on that
18:43 < warren> petertodd: was that ever featured in an episode?  I don't recall.
18:43 < petertodd> warren: it got left out for dramatic purposes
18:44 < petertodd> warren: quite serious I'm really interested to see how pools react to this stuff - it can be taken as a solid sign of centralization after all
18:45 < petertodd> warren: what I'm also interested in, is trying to figure out if this latency/bandwidth stuff - the limits of the "jam free broadcast medium" model - is inherent to the design of Bitcoin and by extension other possible consensus systems.
18:47 < petertodd> warren: e.g. suppose you had a system where multiple blocks could have the non-conflicting parts of them re-merged - how does that change the profitability vs. hashing power effect? can you get a system where the dE/dQ isn't positive, maybe zero or even negative? I dunno.
18:47 < sipa> petertodd: you know about amiller's blockdag idea?
18:47 < petertodd> sipa: that's exactly what I'm talking about
18:48 < petertodd> sipa: could be especially important for p2pool for instance - and it's easiest to implement there
18:48 < sipa> not really, if you say "non-conflicting parts"
18:48 < petertodd> ?
18:50 < amiller> i never got very far on it
18:50 < amiller> it's along the lines of stuff you've talked about anyway petertodd
18:50 < petertodd> amiller: ah, I was going to ask if you had published it
18:51 < amiller> i have rambled about it once or twice in forum posts and bitcoin-dev
18:51 < sipa> petertodd: blocks would refer to a single "valid predecessor" node, but also to 0 or more other blocks of which only the PoW is merged, not the transactions
18:51 < petertodd> sipa: right, and in this case, if merging the PoW also rewards those who did that work in some way, then you may be able to make profitability not so heavily dependent on hashing power and latency/bandwidth
19:15 < amiller> no one's going to like it, but i'm vaguely headed towards a notion of incentive-compatibility in a world of context-dependent values of things
19:15 < amiller> basically the path to that is to realize that miner fees may be in the form of color coins
19:15 < amiller> and you can't prevent miners from being motivated by overlay values
19:40 < gavinandresen> amiller: If "nobody" likes it, then it should be easy to prevent. Just have miners "discourage" blocks that they don't like.  We haven't done any of that yet, but the more I think about it the more I think that is the way miners will solve collective-action problems
19:41 < amiller> i mean no one's going to like it just because it challenges the notion of "one true currency" that makes things simpler
19:41 < gavinandresen> amiller: ah, ok.
20:13 < Luke-Jr> gavinandresen: that only works if it's something non-debatable with unanimous consensus against it
20:14 < Luke-Jr> to discourage blocks that are mining legitimately, even if everyone dislikes something, is nothing short of a conspiracy to 51% really
20:14 < gavinandresen> Luke-Jr: doesn't have to be unanimous
20:15 < gavinandresen> if miners are using a variety of policies for how to break block-chain-race ties, then that is perfectly OK
20:15 < Luke-Jr> oh, sure
20:15 < Luke-Jr> I thought you meant deliberately forking
20:16 < gavinandresen> if miners don't know exactly how ties are being broken, all the better.
20:16 < gavinandresen> No, when I say "discourage" i mean  relay all orphans, and if there is a tie, use some policy to decide which fork to follow
20:17 < Luke-Jr> makes sense then
20:18 < petertodd> There's also the argument that relaying all orphans levels the playing field between those with and without a lot of nodes, although I'm not 100% convinced - relaying orphans done badly uses up bandwidth that could be used for something else.
20:18 < petertodd> Relaying orphans would be damn convenient though to get good stats...
20:19 < warren> petertodd: just peer with all nodes to get good stats...
20:19 < gmaxwell> I don't think thats obvious at all. Relaying orphans is against your self interest in some cases, e.g. if it helps nodes end up on a different chain than the one your node prefers.
20:20 < petertodd> warren: and if knowing about orphans is ever profitable we've just incentivized an attack
20:20 < gmaxwell> For example, non-relaying of orphans means that a inconsistent hardforking glitch is more likely to pick the least common denominator chain instead of leaving some nodes hardforked.
20:21 < Luke-Jr> let the receiver choose whether he wants it ;)
20:21 < petertodd> gmaxwell: IIRC I mentioned something very similar to that in my discussion about the 30% propagation incentives
20:21 < Luke-Jr> btw, I assume "orphans" here is being used to mean stale blocks..
15:14 < petertodd> A chaumian bank could just as easily encrypt its database and give that to the client in the same way.
15:14 < gmaxwell> petertodd: true but you'd have to transfer the whole thing each time.
15:15 < petertodd> But you still have to transfer the list of spent tokens with zerocoin
15:16 < gmaxwell> oh darn, right the accumulator update proof still requires you to have the accumulator.
15:16 < petertodd> Yup
15:16 < petertodd> in zerocoin the accumulator size doesn't grow IIRC, but the spent tokens do
15:17 < petertodd> also if I understand it with zerocoin the witness required to prove a coin is actually related to the accumulator at a given state - if you want to apply the witness to the most recent accumulator you need to apply every transaction to that witness
16:28 < gmaxwell> hey. So. Lamport signature.  Say your private key is 16384 256 bit values. The public key is hash tree root over 16384 256 bit hashes of those values.
16:30 < gmaxwell> To sign, you hash the message and the public key. And you use the results to uniformly pick 9 of the 16384 secrets to reveal.
16:30 < gmaxwell> You reveal them along with the fragments that connect them to the root.
16:31 < gmaxwell> so the signature size is 4.3kbytes or so. Why is this not secure?
16:38 < sipa> is there any reason to assume it's not secure?
16:38 < gmaxwell> I mean, I'm suggesting a variation on lamport which is smaller and which should be more secure under multiple signatures with the same key.
16:40 < gmaxwell> Classical lamport with a tree public key has the signature disclose 256 preimages and 256 hash secrets. I propose instead to disclose only a few, controlled by the hash of the key and the message. And prove that they're the right ones by showing that they're part of the key's hashtree.
16:57 < gmaxwell> ah. okay so that proposal has only 64 bits of security against a rebinding attack by a quantum attacker.
--- Log closed Wed Jul 10 00:00:25 2013
--- Log opened Wed Jul 10 00:00:25 2013
--- Log closed Wed Jul 10 10:10:45 2013
--- Log opened Wed Jul 10 10:11:21 2013
--- Log closed Wed Jul 10 16:48:47 2013
--- Log opened Wed Jul 10 16:49:01 2013
--- Log closed Thu Jul 11 00:00:28 2013
--- Log opened Thu Jul 11 00:00:28 2013
--- Log closed Fri Jul 12 00:00:30 2013
--- Log opened Fri Jul 12 00:00:30 2013
--- Log closed Fri Jul 12 09:51:44 2013
--- Log opened Fri Jul 12 09:52:18 2013
--- Log closed Fri Jul 12 12:46:07 2013
--- Log opened Fri Jul 12 12:46:20 2013
--- Log closed Fri Jul 12 12:57:54 2013
--- Log opened Fri Jul 12 12:58:20 2013
--- Log closed Sat Jul 13 00:00:57 2013
--- Log opened Sat Jul 13 00:00:57 2013
21:07 < amiller__> making some progress on the bitcoin for researchers front
21:07 < amiller__> well more to the point, i can report that other people are making progress
21:08 < amiller__> arvin narayan an assistant prof at princeton is interested in working openly on bitcoin things, and pointed out that it's strange there's no tutorial or survey for researchers https://docs.google.com/document/d/1OGLD6YssxABjvcIdGMqXW-EkZnv6g52iLSUdJrxldJg/edit
21:09 < amiller__> matthew green is also an assistant prof in cryptography and applied security and has sort of started a project he views as a "planetlab for bitcoin" but is basically a similar concept as "scamcoin"
21:09 < petertodd> amiller__: I've got someone interested in a tutorial/survey you can try it out on BTW.
21:09 < amiller__> the zerocoin guy
21:10 < petertodd> amiller__: Not a perfect test, because they know me and I've talked to them about Bitcoin before, but the guy admitted the other day that he still didn't understand enough about mining to understand some statistics questions I was asking.
21:10 < amiller__> h
21:10 < amiller__> m
--- Log closed Sun Jul 14 00:00:59 2013
--- Log opened Sun Jul 14 00:00:59 2013
--- Log closed Mon Jul 15 00:00:02 2013
--- Log opened Mon Jul 15 00:00:02 2013
--- Log closed Tue Jul 16 00:00:05 2013
--- Log opened Tue Jul 16 00:00:05 2013
--- Log closed Tue Jul 16 06:14:42 2013
--- Log opened Tue Jul 16 06:15:12 2013
16:28 < gmaxwell> oh, hey, doing non-interactive cut and choose would let you do things like reasonably compact 1024 of 2048 multisig transactions via (sufficiently powerful) script.
16:31 < gmaxwell> e.g. the pubkey commits to a hashtree of M allowed voters (h1),  the signature provides a hashtree (h2) over N approving voters, signatures for a sufficient number of voters selected via CSPRNG from (h2), and the connecting hashtrees.
16:33 < gmaxwell> e.g. a 128 bit security 1024 of 2048 could be done in about 9.5kbytes.
17:42 < petertodd> Nice!
22:53 < petertodd> Note though, this only works in scenarios where creating the signature is expensive/one-time, otherwise there's no cost to keep trying until the cut-n-choose gets lucky.
22:54 < petertodd> So you could do a two-stage tx in this method, if committing to a signature provably costs you something. (like fees paid to a miner in the future)
22:55 < gmaxwell> petertodd: you don't have to, if the cut and choose picks enough points you will expect to do >2^128 (or other security parameter, your choice) hash operations before you get one that only picks your chosen values.
22:57 < gmaxwell> obviously it creates some slop right around the threshold, I suppose it would be better for things that required a supermajority.
22:58 < petertodd> gmaxwell: yeah, I'm thinking those edge cases where that's much harder, or for sets that aren't all that large
22:58 < gmaxwell> yea, if the set isn't that large acceptable security starts demanding you provide all the signatures.
22:58 < petertodd> what's the equation for hash functions required vs. proof size exactly? I seem to remember it's not all that forgiving in many cases
23:11 < gmaxwell> It actually works out less well than I thought, because the probability that the hidden set does not contain an opposing voter drops off much less rapidly than the probability that it contains only one supporting voter.
23:13 < petertodd> yeah, I worked it out for trying to do NI cut-n-choose on sacrifice proofs and it was ugly
23:17 < petertodd> idea I had: do a partial UTXO set mode where you build the UTXO set based on what txouts you have verified, starting at the most recent block
23:17 < petertodd> it's interesting, because you can then validate transactions that spend from that partial set with good confidence
23:18 < petertodd> hence such nodes can safely relay transactions and be useful to the network, and over time download enough blocks to become full nodes as well
23:18 < petertodd> makes for a nice SPV->partial UTXO->full node progression
23:19 < petertodd> the scary thing though is you could safely mine in this mode as well... safe from your perspective anyway
23:19 < gmaxwell> e.g. for the probability that your revealed values are the only good ones: product(1/(1024-x),x,1,13)<=1/2^128  which is good, but the "are no false ones" can never have a probability better than 1/(n-1).
23:20  * Luke-Jr ponders why petertodd's remote didn't update with --all :/
23:20 < petertodd> Luke-Jr: my remote?
23:20 < Luke-Jr> petertodd: on github. probably their fault
23:20 < petertodd> Luke-Jr: ah, what code are you interested in?
23:21 < Luke-Jr> petertodd: preparing to do another next-test spin
23:21 < Luke-Jr> so.. everything
23:21 < Luke-Jr> well, everything there's an open pullreq for anyhow :x
23:22 < Luke-Jr> hmm
23:22 < petertodd> Luke-Jr: heh, the mempool rewrite is partial, I only did the pull-req because I wanted to run the pull-tester against it... :P
23:22 < Luke-Jr> petertodd: well, at least this way you'll annoy me and get a rant if it breaks gitian? :p
23:23 < petertodd> Luke-Jr: heh
23:23  * Luke-Jr dunno why the pulltester doesn't use gitian yet
23:23 < Luke-Jr> second --all found codeshark's not updated either
23:23 < Luke-Jr> stupid git
23:24 < petertodd> oh, reminds me, so in the mempool code, I created a CMemPoolTx subclass of CTransaction and use that subclass to store the extra mempool-related data - is that considered good C++ practice?
23:25  * petertodd hasn't done serious C++ programming since highschool.
23:25 < Luke-Jr> petertodd/correct-isfinal-isstandard and discourage-fee-sniping need rebase
23:26 < Luke-Jr> petertodd: bad in our case, at least - the transaction should be capable of being in multiple distinct mempools
23:27 < petertodd> I wanted to avoid that additional layer of indirection - leads to some ugly code
23:27 < petertodd> you'd need to do ref counting too in that case
23:28 < Luke-Jr> good thing boost has pointers to handle that for us <.<
23:28 < Luke-Jr> side rant about rebasing: it prevents anyone from maintaining a real fork of the codebase
23:28 < petertodd> I know, but from what I see we've avoided those constructions everywhere else
23:28 < Luke-Jr> effectively forces centralization on the project
23:29 < petertodd> Luke-Jr: IMO not relevant here because we're talking about code that is getting changed drastically as the pull-req evolves
23:30 < Luke-Jr> petertodd: sometimes. most of the time the rebase is just to adapt to the upstream
23:30 < Luke-Jr> and even then, those changes could be additional commits on top
23:30 < petertodd> Luke-Jr: I think more interesting is what litecoin is doing, rebasing all the 0.7->0.8 changes, where they probably could have done a merge
23:31 < petertodd> So what's your usecase for multiple distinct mempools anyway?
23:33 < Luke-Jr> petertodd: I do that every other month. It's possible, but a real pain.
23:33 < Luke-Jr> petertodd: I wouldn't want to actually *maintain* a client based on it.
23:33 < Luke-Jr> no use case. just proper abstraction
23:34 < petertodd> hmm, well when that case comes up changing things would be a fairly mechanical patch
23:35 < petertodd> more generally it shows how a more functional style would make sense here - we keep on recomputing tx hashes because tx's are mutable
19:22 < maaku_> warren: anti-centralization is uncontroversial. some of the side effects of relevant proposals are worrisome on the other hand
19:23 < petertodd> killerstorm: "can implement lamport" is probably a good minimum test for whether or not your scripting system is general enough!
19:23 < maaku_> there's no clear cut path forward which decentralizes the network without tradeoffs
19:23 < warren> petertodd: 1) easy to MITM 2) easy to determine which keys you have 3) no way of doing authenticated peerings 4) expensive to the server
19:24 < petertodd> warren: right 1) committed (U)TXO  2) all the lessons in my blockchain privacy paper  3) add SSL or SSL-alike  4) prefix-filters w/ appropriate indexes
19:25 < warren> maaku_:  multiple competing scalable p2pool-like things with a trustless accumulators and more GBT pools would be low hanging fruit
19:25 < petertodd> warren: electrum actually is reasonably close to solving all that, modulo committed indexes
19:25 < warren> petertodd: yeah
19:25 < adam3us> petertodd, warren: prefix have worse privacy properties than bloom.
19:25 < petertodd> warren: problem is we have to make it *more* profitable to mine with p2pool/decentralized, and that's going to require changing economics
19:25 < maaku_> petertodd: well, Thomas is waiting on me for the indices
19:25  * maaku_ gets back to work
19:25 < petertodd> adam3us: depends on your attack model
19:26 < petertodd> adam3us: again, did you read my paper? :P I strongly think in practice with real users prefix has better real-world privacy
19:26 < adam3us> petertodd: broadcast vulnerable info is like worse because it can be analysed later by anyone, vs sent to one random node
19:26 < adam3us> petertodd:  i did, i just disagree.
19:26 < petertodd> adam3us: well, least you read it finally, ha
19:26 < warren> petertodd: the lower orphan rate should help.  currently the too-many-txo's in coinbase is a problem.
19:26 < adam3us> petertodd: yeah i skimmed it before also.  as i recall gmaxwell has the same view as me on that risk.
19:27 < warren> petertodd: the trustless accumulator should help that
19:27 < petertodd> adam3us: problem is bloom naturally leads to a situation where people broadcast the *exact* contents of their wallets over and over again to random peers, and that's just nasty
19:27 < petertodd> adam3us: android wallet has 1 in 16k specificity for a reason - users want fast syncs
19:27 < petertodd> adam3us: that could really kill coinjoin the moment attackers start running SPV nodes to collect wallet data
19:28 < petertodd> warren: no it won't - it still requires all the expense of running a full node
19:29 < adam3us> petertodd: they are both non ideal solutions.  it is considered in privacy that you should pick a random node and stick to it.  if it's going to analyse you it already did.  if you explore random nodes eventually you'll find a hostile one.  tor doesn't do this yet either, but they're planning to fix it.
19:29 < petertodd> adam3us: anyway, prefix *queries* are a categorically better model than bloom filters from the point of view of lookup privacy
19:29 < adam3us> petertodd: that might be.  also electrum is like central/trusted type of solution right?
19:30 < petertodd> adam3us: now forcing your txouts to match prefixes may or may not be the right approach, but only prefix queries lets you distribute the load, and thus query specificity leak, across multiple nodes
19:30 < petertodd> adam3us: electrum is not different from bloom SPV in principle
19:30 < petertodd> adam3us: in practice maybe more secure in some models because there are fewer electrum servers
19:30 < petertodd> adam3us: and their operators are better known
19:30 < adam3us> petertodd: but in practice, i thought electrum have a few central servers
19:31 < petertodd> adam3us: meh, picking random nodes and sticking to them isn't very feasible without a "small number of nodes run by volunteers" model
19:31 < adam3us> petertodd: yes if u trust electrum.  the other model as said above, pick a random node and try to stick to it.
19:31 < petertodd> adam3us: and even in that model you're better off with prefix queries
19:31 < petertodd> adam3us: electrum *is* the pick a random node and stick to it model
19:32 < adam3us> petertodd: well it's electrum advertising themselves as a trustworthy node.  sometimes that is a flag to say don't trust them.
19:32 < petertodd> adam3us: anyway, my prefix solution may leave some statistical data in the chain, but it has the enormous advantage that it doesn't fail hard the moment an attacker does a sybil attack. it also doesn't give that attacker a reason to do that sybil attack
19:33 < petertodd> adam3us: note how prefixes gives you decent security even *if* you're connected to the nsa
19:33 < warren> We could just forget about SPV, finish ultraprune and stop worrying about this.
19:33 < adam3us> petertodd: if u use prefix with one-use addresses it seems ok no?  no need for explicit prefix
19:33 < petertodd> adam3us: (prefixes + addr grinding)
19:34 < petertodd> adam3us: no! unless your addresses in your wallet are clustered around a prefix, for a given amount of bandwidth you have to have very specific prefixes and thus are leaking a heck of a lot of data
19:34 < CodeShark> what's the prefix solution? using the first few bytes of a pubkey or script hash rather than a bloom filter?
19:34 < petertodd> warren: ultraprune doesn't help with bandwidth
19:34 < petertodd> CodeShark: yeah, there's two parts to it, first for queries you can always query by prefix
19:34 < adam3us> petertodd: could be block range constrained + closeness metric to tune like bloom
19:35 < petertodd> CodeShark: secondly you can always force your addresses in your wallet to *all* be clustered around some prefix, which means you only have to do a single query
19:35 < petertodd> CodeShark: the beauty of the latter is even if you're querying the NSA for blockchain data they learn very little about what's in your wallet, the disadvantage is you leak *some* stat information to the blockchain permanently
19:35 < adam3us> petertodd: yeah but then you're back to broadcasting anon-set reducing info to the block chain for the stats analysis guys to party on.
19:36 < petertodd> CodeShark: I argue leaking some all the time is much better than leaking your exact wallet contents the moment you manage to connect to the NSA
19:36 < petertodd> adam3us: the types of people who have the resources to do stats analysis have the resources to just run 50% of the available nodes to connect to
19:36 < adam3us> petertodd: if you query the NSA with a prefix, they learn the anon-set you are in.  just info to help triangulate you no?
19:37 < adam3us> petertodd: eh no?  academics do it for like 3rd year project
19:37 < petertodd> adam3us: I mean, shit, I was running about 10% of all public nodes for a few hours to test an attack
19:37 < petertodd> adam3us: yeah, all they learn about is the prefix, and then the stats leaks stops
19:37 < adam3us> petertodd: oh ok, u mean on the low side, gotcha
19:38 < petertodd> adam3us: vs. without prefixed addresses *in reality* users set very specific prefix/bloom filters, and then you leak very specific contents of your wallet
19:38 < adam3us> petertodd: but a bloom filter with some decent params can do that also no?
19:38 < petertodd> adam3us: yeah, from the point of view of "clustered wallet addresses" bloom and prefix are identical
19:38 < CodeShark> petertodd: right now with BIP0032, you can have at most 2^31 different keys from a particular master seed - so say you use  k bit prefix - that reduces the number of keys to 2^(31 - k), no?
19:38 < adam3us> petertodd: so say TD fixed improved the params
19:38 < petertodd> adam3us: if you're not clustering wallet addrs, bloom and prefix are identical, it's just the latter is way more scalable
19:39 < jtimon> petertodd is there any reason why you can't use several prefixes in your wallet? more bandwidth but more privacy
19:39 < jtimon> ?
19:39 < petertodd> CodeShark: well BIP32 has problems there
19:39 < petertodd> adam3us: it's impossible to fit the params, it's a specificity/bandwidth tradeoff
19:39 < petertodd> adam3us: s/fit/fix/
19:39 < jtimon> say, use 3 prefixes, n instead of 1
19:39 < petertodd> adam3us: if you think params has anything to do with it you didn't understand my paper...
19:39 < adam3us> petertodd: bloom/prefix similar with no addr clustering... yes.
19:39 < CodeShark> perhaps we should expand the BIP0032 child index to 64 bits :)
19:40 < petertodd> jtimon: more prefixes *of the same length* just means you're using more bandwidth
19:40 < petertodd> jtimon: remember this is a bandwidth/anonymity set tradeoff
19:40 < adam3us> petertodd: you claimed the default params were too specific, so make them less so, while still tolerable bw.
19:40 < petertodd> adam3us: the reason why they are so specific is because users aren't tolerating more bandwidth
19:40 < jtimon> petertodd yes, my point is you can make the tradeoff configurable
19:40 < petertodd> jtimon: yes, and you can do that with prefix clustering too
19:40 < CodeShark> petertodd: I'm also thinking about how deterministic m-of-n script chains could work with this prefix model
19:41 < adam3us> petertodd: well more importantly u also said as i recall there was no feature to change the params
19:41 < jtimon> yes, yes, with prefixes
19:41 < petertodd> jtimon: the fundamental problem is that if you don't cluster all your addresses in one prefix or bloom index, then naturally you have to have fairly specific filters, which over time become more specific and let you be attacked
19:42 < petertodd> adam3us: in the library and wallets no, but the bloom filter specification does let you change the params easily by making the filter smaller
19:42 < petertodd> adam3us: smaller filter == less specific
19:42 < CodeShark> there is in my library :)
19:42 < petertodd> CodeShark: good
00:24 < amiller> now for each one of these, if some untrusted agglomeration of network nodes gives me a proof, i can validate this proof with one crazy crypto field multiply.
00:25 < amiller> also no secrets are involved, so the big ol' crazy program can be compiled once for everyone and maybe we can agree on them using checkpoints
00:25 < amiller> or validate them piecemeal or something
--- Log closed Sun May 05 00:00:05 2013
--- Log opened Sun May 05 00:00:05 2013
03:24 < amiller> i haven't looked at my anti-coalition puzzle for a while, but i've learned how to use two crypto primitives to do roughly what i want
03:24 < amiller> the first is a zero knowledge proof, the second is an extractable hash function
03:24 < amiller> i'll explain what the point of this is
03:25 < amiller> to encourage decentralization (or discourage pooling resources) we might want to design a proof of work puzzle that is difficult to outsource
03:25 < amiller> the basic scenario is this
03:26 < amiller> suppose Alice and Bob each have a personal budget, and they have two options: either they pool resources and purchase one big Asic, or they each mine independently with their GPUs
03:26 < amiller> also they don't inherently trust each other
03:26 < amiller> it's more efficient for them to pool resources and buy an asic, although this option is also more centralized and therefore worse for the network overall
03:27 < amiller> assume that if they buy the asic then Alice has to operate it at her house
03:28 < amiller> since they don't trust each other, the only way they'd agree to this is if they can work out an arrangement where Alice can prove that she's operating the asic fairly, meaning in a way that benefits them both equally
03:28 < amiller> the current proof of work puzzle mostly accomplishes this
03:28 < amiller> the basic technique is for Alice to show Bob her shares, like the closest she gets to a winning block each day
03:29 < amiller> more specifically, the winning nonces are a set, and the "shares" are a much larger superset of the winning ones
03:29 < amiller> each computed hash in bitcoin contains a hash commitment to a particular block, so by revealing the block alice can prove that she was running at roughly the correct rate, and that she was only working on blocks that would have paid out equally to both of them
03:30 < amiller> okay so this is bad for decentralization, because in the extreme case everyone might want to pay for shares of a huge mining operation that gets cheap power in Sweden or something
03:31 < amiller> what we'd basically want as an alternative is a proof of work puzzle that doesn't admit such a safe outsourcing protocol
03:32 < amiller> the idea is that whoever is operating the asic and doing the hashing should be enabled to run away with whatever the winnings are
03:33 < amiller> what makes the safe outsourcing protocol work for the hashcash pow is that the work contains a commitment to a particular payout strategy
03:34 < amiller> to get this desired anti-coalition property, it should be malleable in the sense that the payout destination is undefined until after the work is complete!
03:35 < amiller> the current work can be thought of as this:   h( nonce || block-commitment || payout-commitment ) < difficulty
03:35 < amiller> the basic structure of my suggestion is this:  h( nonce || block-commitment || privatekey ) < difficulty
03:35 < amiller> so you can still commit to a block, just it's everything except the actual thing it takes to win the coin
03:36 < amiller> like whoever possesses the private key can claim the prize
03:36 < amiller> so far this is all just a recap i've done this same ramble previously in #bitcoin-dev
03:36 < amiller> now for the new material...
03:36 < amiller> there's a certain property of this hash function that we want which is that it should be "extractable"
03:36 < amiller> extractable is like the opposite of obfuscatable
03:37 < amiller> if it's not extractable, then there's the potential for the involved parties to create some wacky obfuscated hash function where the private key is built into the hash and there's no way to recover it just from evaluating it on different nonces
03:37 < amiller> if it's extractable then that's not possible
03:38 < amiller> extractable hash functions are discussed here: http://eprint.iacr.org/2011/443
03:38 < amiller> it's sort of a recently popular concept because it's equivalent to the super-efficient circuit verification i talked about last time
03:39 < amiller> but it's kind of on shaky ground as far as assumptions go, it doesn't seem possible to prove that a construction is extractable, but there are constructions that are thought to be...
03:39 < amiller> okay so the next problem is
03:40 < amiller> normally you have to reveal the nonce and the block commitment etc as plaintext
03:40 < amiller> but in my scheme where that's a private key, it wouldn't be safe to do so
03:40 < amiller> this is where a zero knowledge proof comes in, all you have to do is construct a zero knowledge proof that you know a privatekey such that the condition holds
03:41 < amiller> and you can still open the block-commitment as normal
03:48 < amiller> to actually give a formal definition for this property i'd have to have something more to say
03:48 < amiller> about like the kind of joint work protocols that i'd consider
03:48 < amiller> because like
03:49 < amiller> any hash function at all could be done as a multiparty computation or a homomorphic outsourcing thing
03:49 < amiller> but basically those would be way less efficient (hopefully)
03:50 < amiller> so i think like the best that can be done is to say something to the effect of well if you want to form a coalition among untrusting parties, then you'd have to use a heavy generic technique which would probably obliterate any advantage from economy of scale
20:43 < sipa> warren: btw, i have a branch of my bitcoin repository (secp256k1) that uses my library, and doesn't need OpenSSL/EC
--- Log closed Mon May 06 00:00:08 2013
--- Log opened Mon May 06 00:00:08 2013
03:41 < warren> sipa: hooray!
03:41 < warren> sipa: I was about to install Ubuntu for the first time ever.
03:43 < warren> I'm sorry I haven't been helpful here.
04:00 < jgarzik> warren: heh, just did so myself tonight
04:01 < jgarzik> warren: felt dirty, too
04:03 < gmaxwell> "I heard jgarzik installed ubuntu, the writing's on the wall"
04:05 < jgarzik> gmaxwell: It was either Ubuntu or debug grub :/
04:18 < warren> jgarzik: I installed ubuntu in a VM but didn't login yet.  Now I can wipe it. =)
05:08 < warren> sipa: is the intent for this library to eventually be incorporated as /src/secp256k1, ship as a separate library, or both?
05:16 < sipa> at least as a separate library, but for bitcoin it probably makes sense to incorporate it in the source tree
06:59 < warren> sipa: [warren@newcaprica secp256k1]$ ./configure
06:59 < warren> <stdin>:1:24: fatal error: openssl/ec.h: No such file or directory
06:59 < warren> sipa: I guess that wasn't adapted yet.  Makefile works.
07:00 < sipa> oh
07:01 < warren> TODO is also old.
07:29 < sipa> warren: fixed
07:51 < warren> sipa: allocators.h:12:53: fatal error: openssl/crypto.h: No such file or directory
07:51 < sipa> warren: you still need openssl, just no EC-enabled one
07:51 < warren> ahhh, ok
07:51 < sipa> this isn't too hard to change, though
07:51 < sipa> it's only used for RIPEMD160, SHA256 and a PRNG
07:52 < sipa> and libsecp256k1 uses either openssl or gmp by itself
07:52 < sipa> (preferably gmp, as it's faster)
07:56 < sipa> oh, and SSL-RPC, which would be pretty hard to change (though i'm in favor of just removing that, and suggesting to use stun if you need it)
08:19 < warren> /bin/ld: cannot find -lboost_thread
08:19 < warren> I'm missing something...
11:30 < gmaxwell> warren: BOOST_LIB_SUFFIX='-mt' make -j4 -f makefile.unix bitcoind USE_UPNP=
--- Log closed Tue May 07 00:00:10 2013
--- Log opened Tue May 07 00:00:10 2013
14:19 < gmaxwell> So. An idea to make proof of stake more workable... what if coins selected to function as consensus stake were temporarily destroyed at heights where they were eligible for stake and then returned via regeneration, if and only if no one presents to the network evidence that the same stake signed more than one distinct consensus?  It still wouldn't prevent abuse of stake to create deep reorgs, since you can't make coin invalidation so powerful that it invalidates the coins of downstream users.
18:43 < warren> gmaxwell: does that deal with the "rich getting richer" issue?
18:45 < gmaxwell> warren: I don't think there is any real RGR issue in POS inherently, so long as linearity is preserved. (PPCoin doesn't do a good job preserving linearity)
18:49 < gmaxwell> having to have the stake still for a while does create some richness bias, alas.
18:50 < warren> gmaxwell: Is any form of PoS flawed because any form of it incentivizes pooling of stake to ensure receiving stake rewards, which is an anti-incentive to decentralization?  Yes, it's hard for stakeholders to *trust* each other, but if they do they become an unstoppable cartel.
18:53 < gmaxwell> warren: they're all linear, having more stake in one place doesn't increase your ability to mine stake than having it in many. Now you might not care to run validation if you don't have a sufficient consolidation to make your income great... but that's no different than any POW scheme: if _validation_ costs are high relative to users' tolerance such that they have to be paid to validate, then it can't be decentralized.
18:58 < warren> haha.  one of the litecoin clones bubbled to be 400% more profitable than mining BTC for a week.  Attracted a great many miners then popped.  Now it is limping along with new blocks > 4x slower than designed.
18:59 < warren> those stupid exchanges have been adding days old alt coins to trading
20:07 < petertodd> justanotheruser: your communication includes that nLockTime'd tx - that's how you pay for it
20:07 < justanotheruser> petertodd: well you would have to pay a fee for that tx, then everyone would have to pay a fee for the coinjoin tx to go through
20:08 < petertodd> justanotheruser: which you have to anyway - tx's aren't free
20:08 < justanotheruser> petertodd: yes, but with PoS you only have to pay one
20:09 < petertodd> justanotheruser: no, it's identical to pos, except that you ensure something of value is actually lost
20:09 < petertodd> justanotheruser: after all, you can't prove pos other than by signing for a txout scriptPubKey, this is the same, except you've signed a valid-in-the-future transaction with some minor fee
20:11 < justanotheruser> petertodd: When you have stake that means you paid a fee to get the coins. That is what you lost.
20:12 < petertodd> justanotheruser: it's the same argument as merge-mining: to the attacker they can re-use something they already have (txouts sitting around) for free
20:12 < justanotheruser> except for cases where millionaires don't pay fees, but there aren't enough of those to worry about
20:13 < justanotheruser> petertodd: they can use it for free, but they can only use a certain amount of it. Then they have to make another tx to spend again. The coinjoin tx takes care of this.
20:14 < justanotheruser> s/use a certain amount of it/use it to a certain extent.
20:15 < petertodd> justanotheruser: yes, but now you have to have a database of UTXO's whose stake has been proved, vs. there's a natural time limit because the fee sacrifice tx's get mined
20:16 < justanotheruser> gmaxwell: does pinocchio take care of petertodd's concern?
20:17 < justanotheruser> petertodd: Wouldn't proof of burn also remove anonymity in the same way?
20:18 < petertodd> justanotheruser: yes, emphasis on the same way, they're both identical re: anonymity, but the burn version has better resistance to DoS attack
20:21 < justanotheruser> petertodd: I don't understand pinocchio fully, but gmaxwell said it would work for proof of burn and I think he said it would work with PoS
20:22 < justanotheruser> It's a pretty big research paper
20:22 < gmaxwell> what concern?
20:22 < justanotheruser> And I have to look stuff up every page
20:22 < gmaxwell> you guys said a bunch of stuff
20:22 < justanotheruser> gmaxwell: (08:15:21 PM) petertodd: justanotheruser: yes, but now you have to have a database of UTXO's whose stake has been proved, vs. there's a natural time limit because the fee sacrifice tx's get mined
20:22 < petertodd> justanotheruser: pinocchio is orthogonal to the choice between proof-of-stake and proof-of-sacrifice
20:23 < justanotheruser> petertodd: then your comment was irrelevant to the discussion of which was the better method
20:23 < gmaxwell> what pinocchio lets you do is make compact blind proofs from something where you have efficiently extractable authenticated data.
20:23 < justanotheruser> because they both have that flaw
20:24 < petertodd> justanotheruser: pinocchio's proof-of-stake for anti-DoS still requires a UTXO database, or you can re-use proofs. (it becomes like some weird zero-coin thing in that case)
20:24 < gmaxwell> right now because we don't have a committed utxo proof-of-sacrifice will be smaller unless you expect all validators to keep a copy of the utxo themselves.  Having the verifiers have a utxo database might actually be a bunch better since it could be restructured in a way to make the proofs small.
20:24 < petertodd> justanotheruser: for the proof-of-burn case, then pinocchio is less desirable because you have to do a separate burn that's actually mined
20:25 < gmaxwell> petertodd: my suggestion for rate limiting based on POS is that you do get a once per $time_interval random ID out of your stake.
20:25 < petertodd> gmaxwell: proof-of-stake for anti-dos requires you to at worst end up storing something like a bloom table of spent stakes
20:25 < petertodd> gmaxwell: it's doable, but potentially ugly long-term if people really want to attack it
20:25 < gmaxwell> yea, you'd then use a hashtable that you keep for $time_interval
20:26 < petertodd> gmaxwell: I mean, you've created an incentive to make a lot of utxo's you know... or failing that, you let rich people block coinjoin
20:26 < petertodd> gmaxwell: at least proof of burn ensures they'll spend fees doing so
20:26 < gmaxwell> petertodd: well of course the proof can emerge a bound on its value.
20:26 < justanotheruser> couldn't your "proof of time" be the hash of your proof plus the unix time being below a certain value?
20:26 < gmaxwell> proof of burn can't be done non-interactively in zero knowledge.
20:27 < gmaxwell> PoS and PoS can be.
20:27 < petertodd> gmaxwell: no, but my trick of nLockTime'd tx's isn't a serious disadvantage - note how you can very much use a different txout then the one you actually join
20:28 < gmaxwell> for coinjoin PoB is pretty great, I agree.
20:28 < gmaxwell> since coinjoin inherently must expose a txout.
20:28 < petertodd> yeah, and for everything else, proof-of-prior sacrifice *with* some kind of domain-specific tag is pretty decent
20:28 < gmaxwell> for something like a replacement for BitMessage's pow I prefer PoS or PoS.
20:28 < sipa> gmaxwell: PoS and PoS (i do keep reading that as piece of s**t...)
20:29 < gmaxwell> Proof of Stake or Proof of sacrifice.
20:29 < petertodd> sipa: PoS and PoX I prefer myself
20:29 < justanotheruser> gmaxwell: should their stake expire after a certain number of blocks? Otherwise they can use the network at no cost
20:30 < gmaxwell> justanotheruser: you'd prove that you had stake as of some reference time that moves periodically.
20:30 < gmaxwell> e.g. first block after midnight utc every day.
20:30 < petertodd> justanotheruser: funny how you actually want the inverse of coinage in this case
20:30 < justanotheruser> petertodd: yes, coin/days
20:30 < gmaxwell> every day at the first block after midnight all the message nodes snapshot their utxo and reorg it into a hash tree and save the root.
20:31 < gmaxwell> Then when you want to use a message for this hour you run the ZK proof to get a token good for the hour that proves you had a coin in the last day's utxo snapshot.
20:32 < gmaxwell> likewise for proof of sacrifice, except you just extract sacrifice like transactions.
20:32 < petertodd> gmaxwell: heck, just prove you have a txout that existed in some time period, and spent a txout prior with some amount of coin-days destroyed
20:33 < gmaxwell> yea, whatever, you can get compact proofs of any of this if you don't mind the participants needing to be bitcoin nodes and thus generating the data extracts themselves.
20:33 < petertodd> gmaxwell: well, that case you'll have all that data in your wallet actually
20:33 < gmaxwell> unfortunately using bitcoin's own data for ZK proofs is kinda craptastic because of having to traverse a whole variable length transaction just to extract an output.
20:34 < petertodd> yup
20:34 < gmaxwell> but if you extract the data directly you can reorder how it's stored.
20:34 < justanotheruser> How big is the proof of stake using pinocchio?
20:34 < gmaxwell> e.g. use exactly the ultraprune data structure though bitcoin itself never commits to it... all participants would come up with the same value.
20:36 < gmaxwell> justanotheruser: the proofs are 288 bytes (well, in the pinocchio paper they might be a bit larger, but they can be done in 288 bytes), plus a few more bytes to identify the serial number, epoch, and utxo set that it's relative to.
20:36 < justanotheruser> That's not bad
20:39 < justanotheruser> gmaxwell: Why is a proof of SHA256 so big?
20:41 < maaku> justanotheruser: SHA256 is a non-trivial function?
20:41 < justanotheruser> maaku: So ECDSA isn't?
20:42 < maaku> that's an apples-to-hot-wheels-cars comparison
20:42 < midnightmagic> gmaxwell: I do not appear to have an easily-accessible sidechain that reorgs out 1000-blocks, if -loadblock can be used to replay the blk*.dat files and the dat files have the sidechains stored in them by default.
20:42 < petertodd> justanotheruser: you don't need to prove ECDSA in this case
20:42 < midnightmagic> gmaxwell: I have one more place where I can look. Would you like me to check?
20:43 < gmaxwell> Because ECDSA is special in that it naturally yields compact proofs of knowledge. There are very few things that do this.
20:43 < gmaxwell> midnightmagic: not that urgent I have it at home someplace.
20:43 < petertodd> gmaxwell: how does that work?
20:43 < midnightmagic> ok
20:44 < midnightmagic> gmaxwell: If it's cleanly possible to get a copy of that I would sure love one. :-D
20:44 < gmaxwell> petertodd: an ECDSA signature is a proof you know the discrete log of the public key value.
20:44 < petertodd> gmaxwell: ah, and these schemes can do that directly?
20:45 < gmaxwell> petertodd: no no. Perhaps we're miscommunicating.
20:45 < gmaxwell> I thought justanotheruser was asking why the pinocchio proofs were much bigger than an ECDSA signature.
20:46 < petertodd> gmaxwell: right, I took it as asking why you couldn't feasibly make a pinocchio proof of an ECDSA sig
20:46 < sipa> ECDSA is basically a scheme designed for creating a compact proof... for a very specific operation
20:46 < gmaxwell> petertodd: oh you could, and ... like all other GGPR'12 proofs would be 288 bytes.  Though the proving time might be awful.
20:47 < petertodd> gmaxwell: right, and the proving would be some crazy thing that basically implements ECDSA with some circuit
20:47 < gmaxwell> right, with an arithmetic circuit over some finite field.
20:48 < gmaxwell> (or some boolean circuit, though usually arithmetic circuits are more compact, e.g. they make sha256 quite compact)
20:56 < petertodd> so the pinocchio source code is available, but I don't see any license anywhere
20:57 < petertodd> oh wait, I found it, Microsoft non-commercial, not too useful
22:12 < amiller> i think that is a realistic interpretation of what people have believed about bitcoin without stating it as such
22:12 < gmaxwell> yea, that's a stronger claim and there are a bunch of ways that's wrong.
22:13 < gmaxwell> amiller: they may have, they also think things like 1 confirm is safe.
22:13 < gmaxwell> You can find me disputing the claim that you need >50% to cause trouble all over the forum and on
22:13 < gmaxwell> IRC.
22:13 < gmaxwell> (though not on this particular basis)
22:14 < amiller> so they show one compelling way that it's not the case for x>33% and no one would really dispute that
22:14 < amiller> anyone who's bothered to state incentive-compatible as a goal would not have said that
22:14 < amiller> and it's nice of this paper to introduce incentive compatible and make it clear that's the desired goal
22:14 < amiller> so that whole set of ideas is great and is a good result
22:14 < gmaxwell> well, they haven't published their simulation source and are apparently not interested in doing so. so I'm not actually sure about the 33% number, bytecoin got a different figure in his simulation.
22:15 < amiller> maybe they should have shown the positive result that with x<33%, honest mining *is* incentive compatible!
22:15 < gmaxwell> I don't think honest mining is ever incentive compatible, sadly. Not with a wide enough net of possible bad behaviors.
22:15 < amiller> actually kroll davies and felten in their WEIS paper showed precisely that, but for a more restricted set of strategies (they didn't look at block delay, only which block you build on)
22:16 < amiller> yeah and i showed that it's not if there's a sufficiently big enough anomalous tx fee, but that is easy to fix except for coinbase maturity :3
22:16 < amiller> so does their result actually build *more* evidence that honest mining is incentive compatible under a somewhat wider range of bad behavior?
22:16 < amiller> do you really think it's never the case?
22:17 < amiller> what else does it depend on, like your ability to pull off a double against some 1-confirmers?
22:17 < gmaxwell> no. I'm just saying, I don't know how useful it is to show these things under restricted behavior. Peoples behavior is not restricted.
22:17 < gmaxwell> amiller: yes, thats one example. Or get paid to censor, as another.
22:18 < amiller> well maybe moving in that direction is the right idea
22:18 < amiller> maybe that's the thing to do is start with incentive compatible under restricted behavior and widen the net?
22:18 < gmaxwell> not just 1-confirmers... at anything under infinite confirms a <50% faction has improved ability to reverse than a smaller <50% faction.
22:19 < amiller> yeah but at some point you're just wasting money for a poor chance
22:19 < amiller> yes an adversary who just *has* a portion of the hash power can keep trying to get a streak-of-7 forever
22:19 < gmaxwell> e.g. the success rate at reversing 15 confirms is higher for a 40% faction than a 20% faction. So that just depends on how big a heist you can pull off. And the size of that depends on how many txn you can put in a block, and how many parties will be exploitable at a number of confirms.
22:20 < amiller> i think that's a game we can win
22:20 < amiller> for some kind of reasonable attack model
22:20 < gmaxwell> amiller: practically nothing in bitcoin land waits for more than 6 confirms.  https://people.xiph.org/~greg/attack_success.html
22:20 < gmaxwell> 50% success rate for 40% hashpower.
22:21 < amiller> everyone who waits 6 blocks probably should wait longer?
22:21 < amiller> my only question is this
22:21 < gmaxwell> plus you can outsource the actual performing of attacks by just letting other people send their double spends to you directly, and they pay you a high fee and they get included in your attack blocks.
22:21 < amiller> is the overall network harmed by people setting their threshold too low?
22:21 < gmaxwell> yes, I think they are: you saw the ghash.io thread?
22:21 < amiller> it's like living in a neighborhood where no one buys door locks except you, and that attracts lots of criminals, one of those security analogies
22:21 < amiller> yes i saw the ghash.io thread
22:22 < gmaxwell> 25% miner attacking a zero confirm betting service (hurray!)
22:22 < amiller> but afaict that isn't affecting consensus or anyone with larger confirm threshold
22:22 < amiller> then just think of the stupid betting service as part of the 25% attacker
22:22 < amiller> it isn't a money pump exactly
22:23 < gmaxwell> yea but you now have a mining farm created of captive miners who have no control of their mining, which is controlled by people who can perhaps multiplicatively increase their income by playing games.
22:23 < amiller> let them bleed the zeroconfirm gambling thing dry?
22:23 < amiller> then they have to stop?
22:23 < amiller> i mean that's no different than subsidized mining to attract users and then use them for arbitrary double spends
22:23 < gmaxwell> they could profitably exploit the betting service even if they required 6 confirms, in fact.
22:24 < gmaxwell> (because the house rake on that betting service is only like half a percent or something)
22:24 < gmaxwell> though they might not like the variance of that game. :P
23:56 < ebfull> https://bitcointalk.org/index.php?topic=327064.0
23:56 < ebfull> re: this ^
23:56 < ebfull> when blocks are orphaned and their transactions are re-introduced into the mempool
23:56 < ebfull> what are the transactionseconds for those transactions?
--- Log closed Wed Nov 13 00:00:24 2013
--- Log opened Wed Nov 13 00:00:24 2013
00:01 < ebfull> if it's nil because the node never saw the transaction enter the mempool... then new blocks would have zero incentive to include those transactions because they could be orphaned so easily by a competing miner
00:02 < ebfull> if it does exist, we have to retain a transactionseconds map of arbitrary length to anticipate reorgs
01:32 < midnightmagic> lol. of course they're not interested in publishing their simulator. Why would they be? Fuck science.
01:33 < ebfull> who
01:35 < amiller> ebfull, the ES people with the selfish mining
01:35 < midnightmagic> the "bitcoin is dead unless you fix it with our patch specifically, and choose randomly between two possible forks of the blockchain"
01:35 < ebfull> they made a simulator and are not publishing it
01:35 < ebfull> maybe it sucks as bad as mine ^^
01:36 < ebfull> i actually tried their patch
01:36 < midnightmagic> Yeah, Eyal and Sirer.
01:36 < ebfull> it only slightly dampens the selfish mining attack
01:36 < ebfull> and in fact it makes sybil attacks less necessary
01:37 < midnightmagic> (apologies to channel for foul language.)
01:37 < ebfull> so you not only get the small benefit of the selfish mining attack above 30% or so, but you also don't have to sybil attack the network
01:37 < ebfull> i think they admitted in their paper it raises the threshold to 25% or something
01:37 < ebfull> i don't remember
01:38 < gmaxwell> ebfull: yea that was my immediate observation.
01:38 < gmaxwell> makes an immediate incentive for a large pool to delay their blocks. I generally worry about any scheme that isn't "earliest block first" in terms of the convergence behavior in a real network.
01:39 < ebfull> one thing i want to try to simulate
01:39 < ebfull> is the idea ByteCoin had on the forum
01:40 < ebfull> which was to choose the branch with the most transactions from the mempool (proportional to how long they were in the mempool)
01:40 < ebfull> since the selfish miner won't have as many as the honest miner
01:43 < gmaxwell> I thought that was interesting, but it's complicated to consider the possible strategies that encourages completely. e.g. will someone announce old transactions that are unattractive to mine but just enough to get into the mempool and mine those to win races?
01:55 < warren> any way to score quality ahead of quantity?
01:56 < gmaxwell> warren: most things like that are bad for convergence.
01:56 < gmaxwell> e.g. letting you continue to mine in competition instead of extending as long as you can produce a block with better quality.
01:57 < warren> Past assumptions about why big pools are not dangerous assumed that miners would realize the damage a bad pool is causing and move to another pool.  The recent huge hashes to the highest bidder makes that seem unlikely.
01:59 < gmaxwell> dunno who's past assumptions those are? not mine.  you miss me cheering about ghash.io attacking, and no one budging? :P (well, not for the attack but that I have a concrete example of what I believed)
02:00 < warren> does ghash own all the hardware that hashes there?
02:02 < gmaxwell> no.
02:03 < gmaxwell> ghash is a semi-public pool, most of its hashrate is owned by the public via cex.io. (which is probably really the same people as ghash.io through some wink and nod) but it's all captive.
02:08 < midnightmagic> warren: They did leave deepbit when it was approaching the magic majority a while back.
02:08 < gmaxwell> midnightmagic: not ... quite.
02:08 < gmaxwell> more like deepbit left the miners. :P
02:09 < gmaxwell> (and not approaching, after it was a majority for a fair bit of time)
02:09 < midnightmagic> gmaxwell: Did deepbit kick out a botnet then? Why did its hashrate dip back?
02:09 < gmaxwell> midnightmagic: it was under heavy DDOS for over a week and was unreachable a lot of the time.
02:09 < midnightmagic> hrm..
02:09 < midnightmagic> I wonder if that was btcexpress.
02:13 < warren> gee, if only there were a way to do decentralized mining...
02:14 < gmaxwell> warren: decentralized denial of service, that's almost like decentralized mining, right?
02:15 < warren> gmaxwell: given the fragility of these nodes ...
02:20 < gmaxwell> hm? pools are pretty hard to attack from a bitcoin perspective.
02:21 < gmaxwell> the dos attacks mostly try to run them out of bandwidth, sometimes try to break their poolserver stuff...
15:26 < gmaxwell> (I know what they're doing now, but would prefer to comment after the paper is out)
15:26 < Emcy> righto, be interesting to see if its the real deal
15:26 < TD> ditto
15:26 < gmaxwell> Emcy: they'll probably keep calling it zerocoin, but indeed, it will achieve somewhat different things and it's done using a different mathematical basis.
15:26 < TD> it's SCIP based, i guess we can say that.
15:27 < TD> but for anything more wait for the paper
15:27 < TD> i'm sure it'll be out soon
15:27 < Emcy> who is matthew green?
15:27 < TD> a top class guy
15:27 < TD> (one of the zerocoin researchers)
15:28 < gmaxwell> ;;lmgtfy matthew green
15:28 < Emcy> http://spar.isi.jhu.edu/~mgreen/ this one i assume
15:31 < Emcy> well he got his doctorate in 3 years with a thesis on a privacy thing
15:31 < Emcy> so we will see
16:19 < adam3us> so i guess people eg amiller were thinking that you could do things with scip - eg you could compact a committed coin with a scip (zkp it adds up and relates to a previous payment)
16:20 < adam3us> probably other variants also scip-coin, so they seemingly have put something together
16:20 < adam3us> but another question is if you could (and there are probably multiple configurations, scip is very general and flexible) would you want to
16:21 < adam3us> meaning it's based on weil pairing and lots of cutting edge stuff
16:22 < adam3us> what's to say shamir or someone isn't going to break some of the assumptions or techniques - so we'd need to know the implications from the security unraveling partly - eg can they then attack individual coins which is maybe too expensive or can they attack the whole system.  hard to say without further details
17:29 < amiller> i doubt matt green is using anything with generic zk
17:30 < amiller> i have no idea what's actually in the new zerocoin though
17:30 < Emcy> pixie dust
17:31 < adam3us> amiller: "TD: it's SCIP based, i guess we can say that."
17:31 < Emcy> if it works it could be pixie dust for all i care
17:31 < amiller> i think td is just guessing
17:32 < adam3us> amiller: it seems to me if you allowed scip there should be multiple ways to build a scip-coin with privacy
17:32 < gmaxwell> No, td isn't guessing. It's zk-SNARK based.
17:32 < amiller> oh
17:32 < amiller> well... cool then
17:32 < adam3us> do we know a publication timeline?
17:33 < adam3us> fc2014?
17:33 < amiller> oakland
17:33 < gmaxwell> I dunno, I was told their paper was done and just being edited
17:33 < amiller> he'll put it on arxiv within weeks
17:33 < gmaxwell> well "done" and that they'd send it to me soon.
17:33 < gmaxwell> ah there you go.
17:34 < amiller> it can be zk-snark and still not use the generic tools like pinocchio or scip
17:34 < amiller> in other words i would still guess he'd construct it himself out of bilinear groups rather than compiling a circuit
17:35 < adam3us> amiller: yeah ok terms backwards
17:35 < gmaxwell> there is also compiling a circuit but not using something fully generic like tinyram (e.g. more like pinocchio)
17:35 < gmaxwell> or mixing.
17:36 < amiller> pinocchio is identically as generic as tinyram!
17:36 < gmaxwell> you get pretty different circuits out of it though.
17:37 < amiller> yeah that changes
17:37 < amiller> i think the right question is whether it uses GGPR
17:38 < amiller> which all of the three generic snark projects do so far (scip, pinocchio, pantry)
17:38 < amiller> that's the particular way of using bilinear group primitives to do zk over arbitrary circuits
17:39 < gmaxwell> amiller: eli's group also has a backend that is not GGPR based apparently.
17:39 < amiller> well hm, i'm not aware of that
17:40 < gmaxwell> (IIRC their other one is a fiat shamir on some RS locally testable codes for 'more efficient' pcp)
17:41 < gmaxwell> amiller: IIRC it eliminates the trusted randomness that all the GGPR stuff needs for the construction of the proving key (which if violated allows the construction of false proofs)
17:41 < gmaxwell> but I have no @#$@ clue what the performance is really like, because ... theoreticians.
17:42  * amiller isn't sure about the trusted randomness needed for ggpr
17:43 < amiller> it's public coin to build the verification key, you could do it pseudorandomly like fiat-shamir too
17:45 < gmaxwell> amiller: it's annoying because I think most of the papers have really not been clear about this requirement.
17:45 < gmaxwell> It was my understanding that if you knew the original randomness then you could trivially produce false proofs, but I could be incorrect.
17:46  * warren is greatly amused.  Feathercoin has been trying and failing for 2 months to copy Litecoin 0.8.x and make it network compatible with their old 0.6 client.
17:50 < Luke-Jr> lol
17:52 < amiller> unrelated to zerocoin, the whole team at best people at microsoft research have published a workshop paper that no one heard about despite being presented at a workshop a week ago....
17:52 < amiller> http://forsyte.at/petshop-2013/
17:52 < amiller> called, unimaginatively, "Pinocchio Coin"
17:54 < gmaxwell> The coin is (telling) a lie.
17:54 < gmaxwell> hm. so it inflates when you lie about it?
17:56 < Luke-Jr> lol
17:58 < amiller> no, it just uses pinocchio's generic zksnark to do what zerocoin does apparently. it's also a 1 page paper and they give very little analysis.
17:59 < gmaxwell> do these people not feel any pain that their work never gets used in anything?
18:01 < TD> well i guess matthew does, hence the focus on building an actual alt coin
18:03 < gmaxwell> yea it was a general complaint about crypto folks. (well not just crypto, same thing exists in dsp / coding tech)
18:03  * amiller wonders what satisfaction can be had having people use your altcoin...
18:04 < gmaxwell> ;;ticker
18:04 < gmaxwell> oh gribble isn't here.
18:04 < gmaxwell> Well. there is at least <what gribble would have said>.  Kinda boring though. :P
18:04 < TD> in fairness, if every crypto paper had to create a useful real world app before they could do the next one, there'd be much less crypto research
18:04 < TD> btw does anyone want to connect with me on Pond?
18:05 < TD> (talking of crypto that needs usage)
18:05 < gmaxwell> a lot of stuff has applications, but it does seem that a lot of things get proven possible and then forgotten.
18:05 < Luke-Jr> amiller: you get to pump & dump?
18:06 < Luke-Jr> TD: wtf is Pond?
18:06 < maaku> TD: is pond stable enough to use for real stuff?
18:06 < maaku> Luke-Jr: email done right, from a crypto nerd's perspective
18:06 < maaku> https://pond.imperialviolet.org/
18:07 < Luke-Jr> something wrong with PGP+SMTP?
18:07 < amiller> metadata?
18:07 < maaku> yes, lots
18:07 < maaku> metadata, reliance on relays, etc.
18:08 < TD> maaku: it sort of sucks on MacOS X thanks to GTK and Go being rather 1990's, imo, but yes, it works and I've been using it to communicate a bit. a guy from the foundation forums set it up with me and we used it to have some back and forth discussions
18:08 < TD> Luke-Jr: the big one (other than it being a pain to use) is that PGP+SMTP leaks who you are talking to
18:08 < TD> Luke-Jr: and it turns out that often you can sort of guess what is being said, if you can see who is communicating
18:08 < Luke-Jr> this doesn't?
18:09 < TD> it's also got no forward secrecy. private key compromise == all sniffed/obtained comms owned
18:09 < TD> nope, pond runs exclusively over tor and all clients/servers communicate at randomized intervals, sending garbage if there's no real comms to do
18:09 < Luke-Jr> you can see who is communicating with each other over tor
18:09 < maaku> TD: I'll see if I can get it setup and reach out to you
18:10 < TD> maaku: there are binaries these days. if you send me a shared secret then that's all we need
18:10 < TD> Luke-Jr: not really. all you see is a bunch of hidden service connections that send traffic at random intervals. even if you can strip tor, the messages themselves are all encrypted using some very fancy crypto. even the server doesn't know who is sending a message to an account, and of course, accounts are all anonymous anyway
18:11 < TD> basically it's about the most extreme form of secure email imaginable. i'm tempted to call it massive overkill, but ...... maybe these days it's not
18:11 < TD> also the linux version supports using a TPM to implement secure delete, even if you have an SSD that wouldn't normally be able to delete data properly
18:11  * sipa invokes XKCD 538
18:11 < Luke-Jr> I just lost TPM in my upgrade :P
18:11 < Luke-Jr> new mobo just has a header
18:12 < TD> the downside of pond is there's no concept of an email address
18:12 < TD> before someone can send you messages, you have to do a key exchange with them
18:12 < Luke-Jr> and in any case, that's assuming the TPM vendor is trustable
18:12 < TD> well all the TPM is used for is the NVRAM really
18:13 < Luke-Jr> which the TPM *could* be making secret backups of..
18:13 < TD> nah. they're too limited.
18:13 < Luke-Jr> I wasn't aware of TPMs having open source designs
18:13 < Luke-Jr> or did someone do an X-ray audit or something?
18:14 < TD> their design and features are limited by the spec + cost pressure. there's nowhere for a secret backup to go. these things have storage measured in kilobytes
18:14 < TD> but sure if you go full tinfoil hat, then your computer has no way to delete stuff.
18:14 < Luke-Jr> TD: NSA-subsidised additional NVRAM never exposed to the outside
18:14 < TD> the TPM wasn't designed to be used in this way, so that'd require the NSA to be clairvoyant
18:14 < TD> which even I don't believe
18:14 < Luke-Jr> XD
18:15  * Luke-Jr wonders if TPMs from >1 year ago would work on his motherboard's header
18:15 < gmaxwell> Luke-Jr: they should.
18:16 < Luke-Jr> what would they be called? TPM "boards"?
18:16 < Luke-Jr> maybe I could wire my old motherboard's onboard TPM up to it somehow?
18:17 < TD> TPM chips
18:17 < Luke-Jr> chips plug direct into the header? ;)
17:24 < warren> https://bitcointalk.org/index.php?topic=337294.msg3668245#msg3668245
17:25 < warren> sipa: win32 binary works on Linux and Mac, so we could distribute just one build for all platforms. =P
17:25 < warren> bad joke
17:30 < gmaxwell> virtualbox plus the linux binary.
17:30 < gmaxwell> :P
19:44 < michagogo|cloud> Maybe some stripped down, boot-to-Bitcoin Linux distro?
19:45 < michagogo|cloud> I'd guess warren's got experience creating Linux distros...
19:45 < michagogo|cloud> That has the added bonus of allowing people to boot up into it
19:46 < michagogo|cloud> (Non-VM)
21:33 < cfields> heh, i _seriously_ underestimated how much building qt for osx in linux would suck
21:33 < cfields> that was no fun at all
21:37 < phantomcircuit> lol
22:55  * n0g hugs all the wizards <3 <3 <3
22:56 < n0g> I am honored to be in your presence.
23:57 < warren> gmaxwell: EFI bitcoin?
--- Log closed Fri Nov 22 00:00:56 2013
--- Log opened Fri Nov 22 00:00:56 2013
04:54 < warren> NMC is now $2.65 ...
04:54 < TD> back from the dead, huh
04:58 < warren> undead
04:58 < warren> TD: somehow BBQCoin is still alive
04:59 < TD> even the name of that coin makes me smirk
04:59 < TD> lol. BQC Foundation
04:59 < TD> given how controversial the creation of the foundation was, alt coins sure love the idea
05:11 < petertodd> warren: interesting, namecoin diff is 471M, btc diff 695M, so it is 51% attack secure as a merge-mined coin
05:11 < petertodd> warren: IIRC for a while it was looking a fair bit worse than that
05:34 < michagogo|cloud> Um, BBQCoin?!?
05:34 < michagogo|cloud> ;;google bbqcoin
05:34 < michagogo|cloud> Oh, no gribble
06:02 < sipa> we are gribbless
06:03 < michagogo|cloud> Any specific reason?
06:03  * michagogo|cloud wonders if there's an altcoin called altcoin yet
06:26 < wumpus> not according to this list http://coinchoose.com/
06:27 < warren> I've come to realize all the scrypt clones are actually useful for something.
06:28 < warren> although I can't tell them what that is.
06:28 < wumpus> there are HoboNickels though, does that come close enough? :p
06:29 < warren> I can't imagine why anyone wouldn't want to use it with that name.
06:30 < wumpus> right, I can't imagine bitcoin would have taken off with that name
06:31 < warren> wumpus: http://coinchoose.com/charts.php  this is a more interesting chart
06:31 < warren> Pac Man
06:33 < wumpus> like a pacman eating all the other coins
06:42 < warren> heh
06:57 < Emcy> percentage of chart that looks like pacman: 85.80
07:46 < michagogo|cloud> 13:28:02 <warren> although I can't tell them what that is.
07:46 < michagogo|cloud> Why not?
09:11 < adam3us> michagogo|cloud: suspecting its like evolution in action and he doesnt want to disrupt the process by renting them a clue ;)
09:12 < michagogo|cloud> Now I'm curious :-/
09:13 < gmaxwell> "Prime directive"
09:14 < michagogo|cloud> okay, I need to go get dressed -- Shabbat Shalom and I'll see you tomorrow night
09:25 < n0g> Good morning, everyone. *hugs*
09:42 < adam3us> y'know i've been musing about subliminal channels and smart-card wallet with observer protocols from Brands and others for eg the trezor.  some people opined that well why should i trust a trezor wallet.  well indeed - trust no one - thats the point of crypto currency
09:43 < adam3us> so with these observer protocol the smart card subliminal channels are 100% plugged its only "communication" is logical level one-bit at a time by failing with an error msg instead of signing, which you're going to notice
09:45 < adam3us> the idea is the observer (your desktop/laptop/smartphone computer) sends a zkp that the blind protocoin (not yet signed coin) has the given input txids, values etc whatever you need the signature on. the trezor displays that info for the user to cross check, signs it, the observer unblinds the signed coin, and then has an extended ECSchnorr sig which is transferably verifiable to anyone
09:46 < adam3us> and yet there is no effective subliminal channel - the only way for the trezor to squeal is to have malware on your observer, or have an unadvertised bluetooth or something in it (maybe want to make it a mini faraday cage:)
09:54 < gmaxwell> adam3us: so, it would be simpler to just use the device in a multisignature manner with the observer as another signer, no? then it could squeal but if the observe was strong, it wouldn't matter.
09:55 < adam3us> yes i think u certainly could stop it squealing via a multisig
09:56 < adam3us> gmaxwell: however your primary issue is the insecurity of your observer.  this is the most corrosive driving force for security attacks ever invented by several orders of magnitude
09:57 < adam3us> gmaxwell: certainly doesnt hurt to multisig it, but 99.9% of your security is in the trezor, so it would be nice if its subliminal channel is blocked.  i think lack of end2end secure, mutually airgapped finance built on top of bitcoin may start to erode its value and potential
09:58 < gmaxwell> right, but if your observer is compromised then the blinding procedure won't stop it either.
09:59 < adam3us> gmaxwell: address authenticity is the other problem, you cant trust anything your online computer is telling you.  eg exchanges should be end2end airgapped at both ends with a chain code shared by the exchange trezor and the user trezor
09:59 < gmaxwell> And sure, if you'll note, I wanted them to switch it to deterministic DSA so it was more easily auditable against side channels.
09:59 < adam3us> gmaxwell: this is true, but if the observer is not compromised you dot
10:00 < gmaxwell> if you use dice to come up with your master key and load it into the tresor, then everything that comes out should be deterministic and reproducible by a simulator.
10:01 < adam3us> gmaxwell: yes the deterministic DSA is verifiable with a paper backup and an offline computer and ec calculator, which is nice; the observer allows you automatically and safely online prevent the subliminal channel (ie yes if your observer is compromised you have a problem, but the observer doesnt have secrets)
10:01 < adam3us> gmaxwell: agreed.  i was wondering if you could make a dsa variant, or another way to compute a dsa that can be publicly verified as subliminal channel free. ie against the public key.
10:03 < gmaxwell> adam3us: you could probably have the signer produce a zkp that the r is (g*H(message||private key))
10:03 < adam3us> gmaxwell: the deterministic DSA requires the private key to verify, maybe there's another way to do it where you get a dsa sig and something that proves it was generated fairly.  eg proof of concept SCIP.  provide also a proof that you know k and k was chosen as H(d,m) via scip and auxiliary proof
10:03 < adam3us> gmaxwell: yes exactly
10:04 < gmaxwell> now the problem is that the signer is a 40 mhz cortex-m3 with 256k of ram. :P
10:04 < adam3us> gmaxwell: you know it would be even better if its compact and publicly auditable so the miners check it and reject them
10:04 < adam3us> gmaxwell: if they are non-deterministically signed... then your hw has no power to abuse a subliminal channel
10:05 < gmaxwell> adam3us: meh, that would just make the transaction bigger. if it gets into the network even if it doesn't get mined a badguy can see it.
10:05 < gmaxwell> adam3us: huh? it's easily possible to have a working subliminal channel with non-deterministic signatures.
10:06 < gmaxwell> E.g. keep drawing random numbers until r encodes some bits for you.
10:06 < adam3us> gmaxwell: it was split across two ims. i meant to say if you can prove its deterministic (to the observer) then your hw cant cheat you
10:06 < gmaxwell> oh indeed.
10:08 < adam3us> gmaxwell: see eg you can have an optically isolated observer. mini tablet with no network, point it at screen qr code, it displays msg and green check box that yes this coin has no subliminal channel
10:08 < adam3us> gmaxwell: could be the new era analog of the paper note counterfeit detectors
10:08 < gmaxwell> So a proof would work nicely for this, but making it practical would be hard. (such a proof could also inhibit people storing other garbage in the blockchain)
10:09 < gmaxwell> "digital iodine pen, now with 100% less snake oil"
10:10 < adam3us> gmaxwell: a nice side effect to be sure (garbage stuff on the block) that seems like it needs another step tho eg prove the receiving address has a private key known to someone- we could already do that at the cost of some bloat (eg selfsigned public keys as addresses)
10:10 < gmaxwell> adam3us: you could have a optically isolated tresor' with the same private key loaded in it (but you don't need to trust it much because its isolated) and it just checks signatures.
10:11 < gmaxwell> adam3us: you don't even need the bloat in the history because you'd throw the proof out and only check it in for the most recent block.
10:12 < adam3us> gmaxwell: broadcast but not stored, validated spv style by late joiner full nodes, yes
10:14 < adam3us> gmaxwell: the other mechanism direction was thinking maybe you can do a direct zkp, rather than fiat shamir transform, eg if you replace the hash H(m,d)=SHA-256(m,d) with like H(m,d)=mG+dH for some point H with unknown discrete log
10:15 < gmaxwell> ha ha
10:15 < adam3us> gmaxwell: then make a signature with that.  dH would be secret also.  that is broken no doubt, but maybe it can be fixed
10:17 < gmaxwell> I'm laughing due to my failed attempt to convince djb that we ought to have curve parameters selected so that strong nothing up my sleeve points exist.  Because we don't know how our generator was selected it's possible whomever picks it knows the discrete log of an apparently nothing up my sleeve point.
10:17 < adam3us> gmaxwell: yes that is a no no, thats what went wrong with EC_DRBG
10:18 < adam3us> gmaxwell: the base point needs to be proven.. eg by hash2curve on digits of pi or such things
10:18 < adam3us> gmaxwell: didnt he do that?
17:47 < amiller> or a description
17:47 < amiller> (or just elaborate here?)
17:47 < jrmithdobbs> gmaxwell: even with a pre-sorted map all historical txns in the chain?
17:47 < gmaxwell> amiller: because the colored coin rule says that the color goes into the first colored coins worth of txouts.
17:47 < amiller> so only one txinput can be colored?
17:48 < amiller> only splits no merges?
17:48 < jrmithdobbs> gmaxwell: and by 'the chain' i mean the blockchain, not the usage/history chain of those coins
17:48 < gmaxwell> amiller: TXOUT. I'm specifically saying tracing forward from the genesis, not backwards from the payment.
17:48 < jrmithdobbs> gmaxwell: it's getting more prohibitive but still feasible after all
17:48 < gmaxwell> and if you split then its the first N or whatever, and yea, you have to trace them all in the case of a split, thus why I mentioned meet in the middle.
17:48 < amiller> you mean i trace *all* the ones forward?
17:49 < amiller> i see
17:49 < gmaxwell> or you have someone just preidentify the paths and you just confirm them, which is fundamentally easier.
17:49 < amiller> yeah i'm just thinking of the ones needed to confirm
17:49 < gmaxwell> and I have no clue about code for this. As I said, most people talking about this crap have not implemented it and are missing how expensive this is.
17:50 < amiller> i wish i had some way to express this bound
17:50 < gmaxwell> some of the stuff that was implemented simply just keeps an enormous database and traces the color (according to their rules) of every coin.
17:50 < jrmithdobbs> it's only one of the most computationally expensive features ever requested
17:50 < amiller> that's what i first wrote down
17:50 < jrmithdobbs> I don't know that I really agree with the necessity of it
17:50 < amiller> it's the same as mastercoin in that case
17:50 < amiller> you get nothing like spv security
17:51 < amiller> you need to build the index for every coin that *might* interact with a coin later that you care about
17:51 < amiller> or else traverse a potentially exponential number of tx
17:51 < gmaxwell> yes, thats been one of the objections to all these stupid parasitic things. The network is blind to them, but the network is blind to them.
17:51 < sipa> i wish we had pruning and spv in the reference client, so all these fancy-feature implementers would at least realize what they're precluding
17:52 < sipa> gmaxwell: the first member of tautology club...
17:52 < gmaxwell> after all, you could just have a bitcoin where the blocks were nothing but timestamps and miners didn't validate anything. ... of course you could never have any kind of lite node in that world except central server trusting ones.
17:53 < gmaxwell> sipa: don't worry we'll just <arms wave> use checkpoints to make our uber indexes scale! or we'll like, write those checkpoints into transactions so you can get them in the blockchain too.
17:53 < sipa> Easy.
17:53 < jrmithdobbs> gmaxwell: i just vomited a little
17:54 < sipa> gmaxwell: if the indexes grt toobig, you use a DHT of course
17:54 < sipa> and rainbow tables
17:54 < sipa> *get too big
17:54 < jrmithdobbs> dht is my favorite of those
17:54 < jrmithdobbs> lol
17:55 < gmaxwell> yea, plus if that doesn't handle it we can use an xml database with ldap to hadoop to achieve webscale in the cloud!
17:55 < jrmithdobbs> there's no problems to solve with a massively distributed untrustworthy dht rite guys?
17:55 < amiller> grrr
17:55 < gavinandresen> rainbow tables are pretty
17:56 < jrmithdobbs> gmaxwell: and you could do elastic scaling pools of resque queues synchronized by a redis entry and just give up on this decentralized nonsense while we're at it
17:56 < amiller> colored coins definitely aren't fungible if some of them are potentially way more expensive to verify than others
17:56 < amiller> i'm annoyed if anyone really thinks that's preferable than the index approach
17:56 < amiller> if everyone has to keep an index then colored coin has no advantage over mastercoin
17:57 < gmaxwell> amiller: the index approach isn't cheap either, no spv nodes, just some gigantic index.
17:57 < amiller> yes
17:57 < gmaxwell> amiller: well mastercoin requires coding in a bunch of extra stupid data into transactions which seems kinda silly, since if you have to have that index why can't that index store it?
17:58 < amiller> not really, if it's published then you have a guaranteed ordering
17:59 < amiller> it is reasonable to use bitcoin as append only log in that sense
17:59 < gmaxwell> In any case, minus that detail they're actually the same thing, index vs trace being an "implementation detail", likewise the system depending on its own currency that the creators minted and manually issued is an implementation detail.
17:59 < gmaxwell> amiller: you can get guaranteed ordering from the hash of the state rather than coding it explicitly.
17:59 < amiller> no you can't
17:59 < amiller> because it's indeterminate whether the preimage of a hash has been revealed yet
18:01 < gmaxwell> amiller: makes it hilariously vulnerable to censorship if they're counting on the blockchain as a jamming free communications channel.
18:01 < amiller> why?
18:02 < jrmithdobbs> amiller: because you can outbid them for space and delay their comms indefinitely under some circumstances
18:02 < amiller> that's no worse than with bitcoin proper
18:02 < gmaxwell> because they're trivially distinguishable.
18:03 < jrmithdobbs> amiller: right but bitcoin isn't trying to differentiate inputs like this so it doesn't matter, delaying the data distribution can effectively delay any effect from the color system decreasing its value
18:03 < gmaxwell> It would be in the rational self interest of bitcoin users and miners to not allow the currency to be diluted by the non-fungible mastercoin transactions which are trivially distinguishable.
18:03 < jrmithdobbs> amiller: if i can pull off a heist and delay coloring of my coins for 48 hours i can probably spend them
18:03 < jrmithdobbs> eg
18:04 < amiller> i see
18:04 < amiller> well... if you can delay blocks to full validating nodes... then
18:04 < amiller> i dunno i don't really see a conflict with requiring bitcoin to implement a jam free network sufficient to validate transactions
18:04 < amiller> you have to at least run the tx through the hasher
18:04 < amiller> you can prune it before validating etc
18:05 < jrmithdobbs> don't have to delay blocks just SD style spam with paid fees (what I'm talking about isn't free, I'm sure you could come up with more inventive similar attacks)
19:50  * Luke-Jr stabs Google for signing him up for G+ without permission
19:51 < gmaxwell> Luke-Jr: it's not all bad, ... now you can show up in ads endorsing products! and you didn't even have to go to a tryout!
19:51 < Luke-Jr> I don't want to be on G+
19:51 < MoALTz> accidentally clicked one button that did it all? microsoft did that to me a few years ago
19:51 < Luke-Jr> my only guess is when YouTube asked if they can put a space in my name "Luke Dashjr" instead of "LukeDashjr" when I left a comment
19:52 < gmaxwell> yea, youtube does that.
19:52 < Luke-Jr> didn't say I was joining G+
19:52 < Luke-Jr> -.-
19:52 < gmaxwell> you have to just not use youtube for 12 hours after it pops up that rename dialog.
19:52 < Luke-Jr> srsly?
19:53 < gmaxwell> yea, works for me. you can delete your google+ but it'll keep doing the thing after the fourth or fifth consecutive video you view.
19:55 < BlueMatt> or not comment on youtube videos?
19:55 < gmaxwell> BlueMatt: nah, it gets triggered even if you don't comment if you view a couple videos in a row
19:55 < BlueMatt> lol, wow...
19:57 < gmaxwell> It also helps to be in an office with a couple other google+ refuseniks... since you can share mechanisms for getting around it. though there seems to be no workaround for some things. E.g. no way to do hangouts.
19:57 < gmaxwell> so we have a sacrificial mac in the office for hangouts access that has its own dummy account.
19:57 < BlueMatt> or you could just have a dummy g+ account on your google account, its not like you have to use it
19:57 < BlueMatt> you just get counted as a g+ "active" user
20:01 < K1773R> there should just be a way to opt out...
20:10 < Luke-Jr> gmaxwell: therefore, discourage people from doing Hangouts
20:11 < Luke-Jr> gmaxwell: Google Apps which upgrade to Hangouts lose XMPP interoperability -.-
20:16 < jgarzik> Hangouts > Skype
20:16 < sipa> hangouts <-> XMPP works fine, as long as you don't do groupchats
20:16 < sipa> unsure about federation though
20:23 < gmaxwell> Luke-Jr: it's hard to discourage google employees from using hangouts. :P
20:30 < Luke-Jr> gmaxwell: "you won't be able to talk to me" works for me
20:30 < Luke-Jr> jgarzik: two bad choices don't make the lesser bad a good one
20:31 < Luke-Jr> there are open standards for all this; Google just doesn't care apparently
21:32 < jgarzik> XMPP is exceedingly lame
21:33 < jgarzik> and I speak from experience, having coded solutions for it back when it was called Jabber
21:34 < jgarzik> It's hard to fault people for avoiding a lame standard
21:37 < Luke-Jr> jgarzik: it's better than none at all
21:38 < phantomcircuit> xmpp is pretty horrible
21:38 < jgarzik> http://gigaom.com/2011/06/30/google-hangouts-technology/
21:39 < jgarzik> I cannot find any open protocol docs, but it does use several open techs
21:39 < jgarzik> XMPP is not meant for real time multi stream audio+video
21:47 < BlueMatt> was there a bug in a recent satoshi client that allows it to forward vin empty txn?
21:48 < phantomcircuit> BlueMatt, yeah there is
21:48 < phantomcircuit> or was
21:48 < phantomcircuit> i cant remember if it was fixed
21:49 < Luke-Jr> jgarzik: SIP is
21:50 < jgarzik> phantomcircuit, not sure if it was fixed... I think it was tracked down to $something wound up writing an all-zeroes transaction to the wallet, or somesuch.
21:51 < phantomcircuit> jgarzik, oh i think i found it
05:04 < Luke-Jr> all recorded Church teaching is consistent with current Church teaching
05:05 < petertodd> As in, in my model I'm saying Catholic teaching can change in reality, but of course everyone knows it doesn't, therefore any inconsistencies are obviously imperfect records of the past. (I jest obviously)
05:05 < Luke-Jr> except there are no historical records to support that
05:06 < petertodd> Luke-Jr: it's a joke!
05:06 < Luke-Jr> jokes are supposed to be funny.
05:06 < petertodd> Luke-Jr: funny is subject to consensus problems :p
05:07 < petertodd> proof-of-comedy would be an awful way to do an alt-coin...
05:09 < petertodd> anyway, in all seriousness, my other point is you don't want a standard based on "the best interests of the child" because you want diversity in society. For instance, you could make an argument that homeschooling isn't in "the best interests of the child" and stop parents from doing so, when we're much better off having that diversity in society.
05:11 < petertodd> The right approach is "Does this cause sufficient provable harm that we can't accept it?"
05:13 < petertodd> on topic: WTF is with 122.108.150.47, it reports nServices as 00002017
05:14 < petertodd> Five bits set in total.
05:18 < Luke-Jr> petertodd: not quite. the problem is that the question doesn't exist.
05:18 < Luke-Jr> governments do not have *jurisdiction* over child custody/care
05:19 < Luke-Jr> they have no grounds to even set any standard at all
05:20 < Luke-Jr> so even if it can be demonstrated that Joe Parent's way of raising his children is harmful, nobody has the authority to kidnap his children
05:21 < petertodd> ok, so can I murder my own kids?
05:22 < Luke-Jr> hopefully someone would stop you
05:22 < petertodd> indeed, maybe someone paid by my tax dollars
05:23 < Luke-Jr> maybe
05:23 < Luke-Jr> they still can't kidnap your children, though
05:23 < Luke-Jr> and if you actually succeed in killing one, you're then a criminal who can be locked up
05:23 < petertodd> ah, see, now that could be closer to a reasonable standard: if it's not behavior that would get the parents criminal charges, maybe the state should keep its hands off
05:25 < Luke-Jr> actually, on that note, that's part of why the US is as bad as it is
05:25 < Luke-Jr> since there's no criminal charges filed, they never have to prove anything
05:25 < petertodd> that's a very good point
05:25 < petertodd> child protection actions should absolutely be held to standards of due process
05:40 < adam3us> luke-jr: btw i wasnt saying move to .ch i was saying put your money there and declare it on your US tax form, in that way your funds are protected from US court decisions, the swiss model is they have  jurisdictional authority and do not accept foreign courts and law enforcement unproven claims, they require to see the proof
05:41 < adam3us> luke-jr: and the activity has to be illegal by swiss laws, not by foreign laws - and their laws are generally more sensible, and more fairly interpreted with less risk of political interference
05:41 < adam3us> luke-jr: of course I wouldnt doubt the US law enforcement would present outright forged evidence to try get their way if they were worked up enough
05:43 < adam3us> back on topic: posted some crypto comments on the mintchip like "othercoin.com" guys thread https://bitcointalk.org/index.php?topic=321085.msg3440818#msg3440818
05:44 < adam3us> i think its far more efficient and he doesnt need crypto hw accel that he's giving up openness and signing NDAs to get access to
05:44 < adam3us> and probably 10x the hw cost for also
05:45 < petertodd> interesting
05:46 < petertodd> what's available for open source smartcard devel?
05:46 < petertodd> when I looked I couldn't find remote attestation, so you'd be stuck with a trusted distributor
05:46 < adam3us> retep: brands is a genius :) u dont need anything much to do the observer part
05:47 < petertodd> ?
05:47 < adam3us> retep: just cx+w mod n (one 256-bit mod mul, one 256-bit add these are integers not point ops)
05:47 < adam3us> retep: that can be done in software, now crypto accel on an 8-bit card in a timely fashion; about hw tamper resistance i am not sure
05:47 < adam3us> retep: correction now=no
05:49 < petertodd> right, but these cards are stuck implementing ECDSA exactly like bitcoin needs, there's no alternative
05:49 < adam3us> retep: to my way of thinking, relying on the good behavior of a hw manufacturer central or a small pool is the antithesis of user controlled blockchain security, and its not far removed from an AES encrypted balance and MAC msgs flowing between cards with a shared key
05:50 < petertodd> (other than revealing d and locking coins to H(d), but that doesn't have verifiability)
05:50 < adam3us> retep: is there any way we could get EC schnorr sigs deployed w/out a hard fork
05:50 < petertodd> yeah, we can add anything we damn well want in a soft-fork
05:50 < adam3us> i'll volunteer to implement EC schnorr and write the BIP
05:50 < petertodd> it's not going to happen for a long time
05:50 < adam3us> there are dozens of wins from schnorr over the wretched DSA
05:51 < adam3us> eg k of n, n of n sigs in the space of one sig
05:51 < petertodd> all of which don't matter because even I don't know what you're talking about :P
05:51 < adam3us> blinding etc
05:51 < petertodd> we can't even get people to support p2sh... asking for new sig methods is hopeless in the near future
05:51 < adam3us> retep: schnorr is better and enables  many things; dsa is a cheap and inferior knock off of schnorr
05:52 < petertodd> as I say, it's completely irrelevant because the politics of changing anything in bitcoin is a nightmare
05:52 < petertodd> go propose it to litecoin instead
05:52 < adam3us> retep: i started out anti-alt-coin, but the more i see this kind of thing, the more its weakening that reasoning
05:52 < petertodd> yup
05:52 < adam3us> retep: i prefer the bitcoin staging approach to lite-coin
05:52 < petertodd> I'd give it 50:50 that you could get that implemented in litecoin in, say, two years
05:53 < petertodd> bitcoin staging is hopeless because there's no financial incentive, litecoin is your bitcoin staging
05:53 < adam3us> retep: why dilute the digital scarcity with a param tweak if you're not even one of the first week "soft premine" winners
05:55 < adam3us> retep: i just mean its destructive of the meaning of digital scarcity, to lend support to param tweaks like litecoin, if you want to do it, i think do it with the bitcoin-staging mechanism with or without foundation buyin
05:55 < petertodd> meh, we can live with one tweak
05:55 < adam3us> retep: as that retains the 21 mil coin cap and doesnt start a fresh gold-rush
05:56 < adam3us> retep: yes we could but its partly a matter of principle: why should we enrich a bunch of param-tweakers, just because bitcoin itself cant change quickly due to security validation risks of soft forks/hard forks, hence bitcoin staging
05:56 < petertodd> destructive or not, doing stuff in litecoin is viable, and has the advantage that the competition can induce bitcoin to actually change
05:57 < petertodd> anyway, go write the code! we can figure out how exactly to deploy it later
05:57 < adam3us> retep: scrypt(1) is broken for its design objectives... its even a bad param tweak - its not even memory hard
05:57 < petertodd> all this stuff is the exact same codebase
05:57 < petertodd> who cares? litecoin exists and has amenable politics
05:58 < adam3us> retep: true
05:59 < adam3us> retep: maybe the observer proto can be made to work with ECDSA but i am not looking forward to the slog of figuring out if or how, it just seems so stupid to be using DSA given the multiple clear advantages of Schnorr where its all trivial
05:59 < petertodd> explain the observer protocol?
06:03 < adam3us> retep: so with schnorr, similarly to dsa, the signature is computed all mod n not group values (except for the initial witness r=kG in DSA and analogous a=kG in schnorr)
06:04 < petertodd> right
06:05 < adam3us> retep: so in ECDSA sig is r,s where r = R.x from R=kG, and s=k^-1(H(m)+rd) mod n where in EC Schnorr: sig is a,s: a=R.x, s=k+H(a,m)d mod n
06:06  * Luke-Jr ponders why adam3us is using retep for petertodd
06:06 < petertodd> Luke-Jr: it's backwards day
06:06 < adam3us> retep: verification is ECDSA sR=?H(m)*G+rQ in ECSchnorr its rG =? A+cQ where c = H(a,m)
06:06 < petertodd> right
06:06 < Luke-Jr> ?yllaer
06:06 < adam3us> luke-jr: he has a ridiculously long handle & ive been typing too much and its his bitcointalk handle :)
06:07 < Luke-Jr> adam3us: .. you don't have a real IRC client? :p
06:07 < petertodd> don't you have copy-n-paste?
06:07 < Luke-Jr> pe<tab> is sufficient
06:07 < adam3us> luke-jr: its pidgin and i am a irc client n00b so i am probably missing existing features
06:07 < petertodd> BTW, I prefer to be called by my full name: peterkevin-georgetoddthethird
06:08 < adam3us> petertodd: (hot damn thanks luke-jr TAB works)!
06:08 < petertodd> (or if you're british: thehonorablepeterkevin-georgetoddthethird
06:08 < Luke-Jr> didn't IRC have a 7 character limit to nicks? or was it 11?
06:08 < Luke-Jr> <.<
06:08 < petertodd> Luke-Jr: it got turned up to 11
06:09 < adam3us> petertodd: ok so the interesting thing about schnorr is there is no dreaded k^-1 factor so its easy to do 2 of 2.. just add the k & c*d contributions together, DONE!
06:09 < warren> <petertodd> destructive or not, doing stuff in litecoin is viable, and has the advantage that the competition can induce bitcoin to actually change
06:09 < warren> <---- has already happened
06:10 < warren> <adam3us> retep: scrypt(1) is broken for its design objectives... its even a bad param tweak - its not even memory hard
06:10 < adam3us> petertodd: now observer, because of the flexibility there is a DL generalization called the representation problem instead of Q=xG you can have Q=xG+yH for two generators G & H which no one knows the DL of
14:21 < CodeShark> throwing more hardware at making bitcoin scale seems to encourage greater centralization, though
14:22 < adam3us> maaku: anyway the comment was part of some wide-ranging what-ifs i tried to isolate the dependency bitcoin puts on mining, and it turns out there are multiple entangled reasons
14:22 < petertodd> yes, but bitcoin will easily survive having transactions gradually become more expensive
14:23 < nsh> "There are levels of survival we are prepared to accept." -The Architect.
14:23 < petertodd> nsh: transactions already actually cost like $50 each; fees can go up a hell of a lot
14:24 < CodeShark> $50 each?!?!?
14:24 < nsh> hmm
14:24 < CodeShark> are you talking about international wire transfers, petertodd? :)
14:24 < petertodd> CodeShark: yup. total new bitcoins created out of thin air * $/BTC / # of transactions = $50
14:24 < adam3us> there are multiple paths to policy neutrality: actual decentralization, moderately central nodes having insufficient info to do policy (committed tx)
14:25 < adam3us> petertodd: yeah but thats a point in time description allocating all of reward to tx fees; as number of tx increases and reward decreases the cost/tx falls
14:25 < CodeShark> petertodd: I don't follow - block rewards don't cost the parties transacting bitcoins
14:26 < CodeShark> it has a small inflationary effect, perhaps
14:26 < CodeShark> but that affects everyone
14:26 < petertodd> adam3us: sure, but the point is the *economics* are such that bitcoin works at a real cost of $50/tx, which implies that the core usage of bitcoin is as a store-of-value/speculation
14:27 < petertodd> adam3us: maybe it'd start to get ugly at $10/tx, but we can certainly survive $1/tx
14:27 < CodeShark> petertodd: so you're saying that each transaction spreads a cost of $50 amongst all holders of bitcoins?
14:28 < adam3us> petertodd: seems like the reward is the reward, its just a distribution mechanism/bootstrap mechanism.  i dont see a reason to equate it to tx cost at current tx rates
14:28 < petertodd> CodeShark: no, I'm saying the cost to run the whole bitcoin system is $50/transaction
14:28 < maaku> petertodd: that's saying subsidy is $50/transaction
14:28 < CodeShark> petertodd: who foots the bill?
14:28 < petertodd> CodeShark: that's not to say the *marginal* cost of a transaction is $50, but it strongly suggests that much higher fees are economically feasible
14:28 < adam3us> petertodd: the supposition is that % of income from mining crosses over as tx # increase so that fees take over as reward tapers
14:29 < petertodd> adam3us: exactly, and given the system functions just fine with a huge fixed cost, making that into a marginal cost is likely fine to a first approximation - my main worry is actually off-chain systems being *too good* and not supporting miners enough
14:30 < petertodd> adam3us: but we probably have ~10 years before that's a big deal...
14:30 < adam3us> so far no one made a remotely plausible off chain anything other than TDs micropayments channel but thats point to point so its just a way to avoid aborts on a tab
14:31 < petertodd> adam3us: micropayment channels are *not* off-chain, don't call them that
14:31 < maaku> adam3us: freimarkets
14:31 < petertodd> adam3us: and I'd say fidelity bonded banks, especially w/ trusted hardware, are perfectly plausible, they just won't happen unless fees make them happen
14:31 < maaku> but i think you have some confusion over what off-chain is
14:31 < adam3us> maaku: isnt freimarkets on chain (on freicoin or other coin)
14:32 < adam3us> petertodd: there you go that is off-chain
14:32 < petertodd> adam3us: I think you a word
14:32 < maaku> adam3us: private accounting servers (with atomic transfers with the public chain, including bitcoin) are part of the spec
14:32 < adam3us> maaku: off-chain is like not on-chain ;;)
14:33 < maaku> and i'd count open transactions too
14:33 < adam3us> maaku: yeah you could say chris odom open transactions is focussing on off-chain
14:33 < adam3us> maaku: the problem is all the off-chain stuff i've seen loses fundamentally 1 or 2 important and useful bitcoin functions
14:34 < maaku> well the key part is how value is moved on and off chain
14:34 < maaku> chris only figured that out with his "holy grail" voting pools
14:34 < maaku> which still aren't implemented, i think
14:34 < maaku> adam3us: if it didn't lose bitcoin functionality, it'd replace bitcoin entirely
14:35 < adam3us> maaku: or what properties are left once you have the coin in some offchain situation. eg what OT tokens backed in bitcoin? thats not going to be as secure, nor distributed etc
14:35 < petertodd> adam3us: and to that, so what? losing my $100 morning coffee slush funds every once in a while isn't a big deal
14:35 <@gmaxwell> :( https://github.com/spesmilo/electrum/issues/512
14:36 < maaku> let me rephrase ... you can't expect an off-chain solution to be better or equal to bitcoin in every way, or else it will be strictly speaking better (off-chain scales better), so what are we doing?
14:36 < petertodd> gmaxwell: huh? every time you make a payment to an address it goes into the "used" bin and gets hidden
14:37 < adam3us> maaku: well itd be nice to minimize the feature loss offchain.  maybe its possible to not give up anything even.  we can at least try with that objective
14:38 < petertodd> adam3us: don't let perfect be the enemy of good enough
14:38 < maaku> adam3us: well i'm on board with that. recognizing that the goal is something we will probably never achieve (and if we did we'd replace bitcoin entirely)
14:38 < adam3us> maaku: eg say btc gets to minimum amount of $10k on chain, perhaps a solution is multiple side-chains and atomic swaps into the main chain for example
14:38 < maaku> but shoot for the moon and you'll at least land among the stars
14:39 < adam3us> maaku: i just like to understand clearly the requirements (rather than think in terms of the artefacts of the current system) not all of the artefacts may be actual fundamental limitations
14:39 < maaku> who knows what the minimal, least impactful features are that we'd have to give up, so might as well try to keep them all
14:41 < CodeShark> atomic swaps would also permit a fully decentralized cryptocoin exchange :)
14:41 < adam3us> maaku: yeah well so far all my design rejigging attempts ended up making something worse, its definitely hard; seems like bitcoin only-just-works, and its multiple features so inter-dependent on mining its hard to modify anything
14:42 < maaku> CodeShark: what's the value of having more than 1-2 decentralized currencies? :P
14:42 < adam3us> CodeShark: this is true; somewhat.  you also need script extension to have non-stalling (otherwise people will stuff the order book to manipulate price with cryptocoins they have no actual intention of selling). ie so you can take the ask, by definition by satisfying its price
14:43 < CodeShark> maaku: there are different use cases where different features might be more/less desirable - economic parameters, confirmation times, etc...
14:43 < adam3us> maaku: i think one digital scarcity definition (bitcoin) is the limit,
14:43 < adam3us> CodeShark: they are mostly excuses for me-too-coins aka pump & dumps with no transactions and so no intrinsic value
14:44 < maaku> CodeShark: I challenge you to come up with one real example that isn't better served by some other off-chain solution
14:44 < petertodd> gmaxwell: oh hang on, just tried that myself... weird, recv addr list not getting repopulated, yeah, that's a WTF
14:44 < petertodd> gmaxwell: recent bug I think
14:44 < adam3us>  bitcoin-staging with 1:1 peg (as discussed a few days ago by BlueMatt & gmaxwell) is the answer IMO
14:45 < CodeShark> adam3us: I'm familiar with that argument - and while true that all the alt coins are essentially bitcoin ripoffs, I see it differently - I think the parameters Satoshi chose for bitcoin are completely arbitrary - what's not arbitrary is the block chain concept as a decentralized timestamping mechanism. why should we get stuck on a specific set of arbitrary parameters?
14:45 < adam3us> anyone not doing that needs their pump & dump sabotaging financially or via mining difficulty attacks
14:45 < maaku> adam3us: in my view changing the nature of the decentralized money is the only valid reason to try a different coin (like we've done with freicoin, and I'm sure there are other possible variations)
14:45 < maaku> but changing interblock time, proof of work algorithm, subsidy algorithm, etc. has ~zero real world benefit
14:45 <@gmaxwell> CodeShark: they aren't completely arbitrary, as alts have been created which only changed the "arbitrary" ones and turned into fireballs as a result.
14:45 < adam3us> maaku: yes freicoin actually and namecoin are not param tweaks
14:46 < adam3us> CodeShark: yeah satoshi clearly put extensive modeling into the params; pretty much all alts are outright worse
14:47 < CodeShark> adam3us: Satoshi is the wright brothers and bitcoin is the first powered airplane.
14:47 < petertodd> CodeShark: and our job as bitcoin developers is to upgrade that airplane to a modern Boeing 787, without landing
14:48 < andytoshi> gmaxwell: i saw that comment on #bitcoin too, i left
14:48 < andytoshi> idk how you can tolerate so much of that channel at once
14:48 < nsh> my secret is copious consumption of crack cocaine
14:48 < petertodd> andytoshi: my contacts at the vatican say greg's getting canonized when he kicks the bucket
14:49 < maaku> CodeShark: you know the wright brothers spent years in their private wind tunnel perfecting their airplane before it ever flew ;)
14:49 < adam3us> CodeShark: like i said i think param tweak alts that try to start a new race are pump & dumps; and if one did come along that got real transactions, it would rise to instead be dangerous to the confidence in digital scarcity which is too valuable a new concept to jeopardize with toy pump & dumps
01:12 < realazthat> I remember the data structure
01:12 < midnightmagic> google also leaves out the wooledge bash wiki when you goog for bash questions. never understood that.
01:12 < realazthat> from a quick scan of the paper, and remembering his video, he was very into testing random graphs
01:12 < realazthat> and that is suspicious right off the bat
01:13 < realazthat> because random graphs are easy
01:13 < realazthat> its surprisingly hard to get random hard problems
01:13 < Luke-Jr> midnightmagic: http://www.youtube.com/watch?v=kLueWNsYRno
01:13 < realazthat> one common way is to do RSA => SAT => HAM
01:13 < realazthat> and those fail all the solutions to HAM
01:13 < realazthat> and if they don't, well then you can profit :D
01:14 < realazthat> ah yeah
01:14 < realazthat> thats *awesome* vid
01:14  * realazthat is eagerly awaiting codes
01:15 < Luke-Jr> the more I think about it, the more I convince myself it's impossible
01:15 < realazthat> lol
01:15 < realazthat> I haven't gone through the math
01:15 < realazthat> I prolly wouldn't understand it
01:15 < Luke-Jr> is the math actually published yet?
01:15 < gmaxwell> Luke-Jr: there is basically a decade of papers behind this one.
01:15 < realazthat> mmm I think gmaxwell was saying he was gonna publish "tomorrow" a while back
01:15 < gmaxwell> The most important are the PCP from graph coloring problems papers, and the tinyram paper.
01:16 < realazthat> I haven't even begun to think applications yet
01:16 < realazthat> it is exciting :/
01:16 < Luke-Jr> gmaxwell: do they make sense to you? <.<
01:18 < zooko> I consider this more of a novelty than an important result, but: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1773169
01:18 < gmaxwell> Luke-Jr: I can follow parts of the math, not all of it.
01:18 < Luke-Jr> gmaxwell: enough that you can vouch for it being possible?
01:18 < gmaxwell> http://eprint.iacr.org/2012/071.pdf < in any case, this is the paper to start research from right now.
01:19 < gmaxwell> Luke-Jr: oh yea, sure it's possible. Although the succinct proofs are not sound, they're only secure against computationally bounded attackers. (like cryptographic security)
01:20 < gmaxwell> If you accept proofs which are polynomial in the amount of computations these systems can produce sound proofs, ones which can't be forged even if the attacker is not computationally bounded.
01:21 < gmaxwell> In addition to that paper, there is an earlier paper by Eli about RS codes over finite fields which is important to understand how the proofs are made succinct.
01:22 < realazthat> mmm so this seems to be a somewhat good solution to untrusted hardware perhaps, as well, no?
01:22 < realazthat> was that mentioned somewhere?
01:22 < Luke-Jr> gmaxwell: what stops me from simply redefining a crucial x86 opcode? ;p
01:22 < gmaxwell> realazthat: Yes, eli pointed that out specifically in discussion.
01:22 < realazthat> ok
01:23 < Luke-Jr> then it will run the same code, but produce a different result..
01:23 < gmaxwell> Luke-Jr: well, you're not executing x86 but instead "tinyram" which is an instruction set that has ~24 opcodes.
01:23 < Luke-Jr> hmm
01:24 < Luke-Jr> so the feature is an integrated part of an emulated CPU basically
01:24 < Luke-Jr> and I presume it has some way to stop me from redefining one of the 24 opcodes?
01:24 < gmaxwell> (add/mul/sub/and/or/xor/shal/shr/not/mov/cmp*/jmp/load/store)
01:25 < realazthat> if you redefine it, the signature will obviously not verify your output to the program
01:26  * Luke-Jr ponders a good way to distract himself from the urge to pester CareBear\ about his copyright issues so he can release BFG 3.1.0 already <.<
01:30 < midnightmagic> Luke-Jr: at a certain point, I'm not going to be able to resist an eve:online reference about carebear tears. :)
01:30 < Luke-Jr> midnightmagic: O.o
01:30 < Luke-Jr> aha, games
01:30 < Luke-Jr> that's how I can distract myself
01:30 < petertodd> games? you mean like making cryptocurrencies?
01:31 < Luke-Jr> I mean like freeciv
01:31 < petertodd> well, you combined the two...
01:31 < gmaxwell> go try to read that paper. :P (of course, you'll need to go read the ones it references...)
01:31 < Luke-Jr> I did!
01:31 < Luke-Jr> my freeciv has a Cryptocurrency technology :P
01:31 < gmaxwell> that was pretty cool.
01:33 < petertodd> gmaxwell: usually I can pretend I have a real degree, reading that paper is not one of those times
01:34 < Luke-Jr> petertodd: you say that as if degrees have value!
01:34 < gmaxwell> One way of thinking about the proofs is that a reed-solomon code lets you efficiently verify the validity of data. Their work lets you use an RS code to verify that arbitrary boolean constraints for data are true... then they run the program and create a transcript of the execution,
01:35 < gmaxwell> and reduce the program to a boolean set of constraints that only valid transcripts would match....
01:35 < petertodd> Luke-Jr: heh, first and second year calc/analytics were well worth it, even if I failed the latter
01:35 < petertodd> *analysis
01:35 < Luke-Jr> petertodd: I bet you could have learned it faster on your own ;)
01:35 < petertodd> gmaxwell: I now have to recursively evaluate reed-solomon codes...
01:35 < gmaxwell> they apply an RS code to the result, and are able to then send only part of the RS code output, along with a proof that the constraints match the program, and a proof that the RS coded transcript matches the constraints.
01:36 < petertodd> Luke-Jr: No actually, absolutely not. The analysis part of the math I did take was by far the hardest thing I've ever done and there is no way in hell I would have gotten anywhere without uni. I know this because I tried going through the textbook the summer before...
01:37 < gmaxwell> the whole reduction of the programs execution to constraints is a pretty tricky thing, it involves passing the execution through a sorting network and then using the sorting computation to create a graph coloring problem.
01:38 < petertodd> gmaxwell: See, I kinda follow that, but not in the sense that I would know if you were bullshitting me.
01:38 < Luke-Jr> lol
01:39 < gmaxwell> petertodd: I can't say that I understand it _that_ much better. I basically understand what they're doing but not in the kind of complete way needed to see problems with it.
01:39 < petertodd> oh lovely: https://www.btproof.com/ yet another timestamper... I think they're all using the blockchain.info API
01:40 < petertodd> gmaxwell: Yeah, as you say, 10 years of research.
01:42 < gmaxwell> also lots of deeply nested stuff, I wouldn't be surprised if no one person working on it really understands the whole thing.
01:43 < petertodd> Mostly true of Bitcoin too, if you include the inner workings of the crypto primitives in that set. (esp. hashing algorithms)
01:44 < gmaxwell> It's true.  ... or ... boost. :P
01:46 < petertodd> ...
01:47 < midnightmagic> gmaxwell: That's a really big beard. How long did it take you to grow that badboy?
01:47 < Luke-Jr> lol
01:47 < gmaxwell> midnightmagic: I trim it every couple weeks.
01:47 < gmaxwell> so no idea.
01:48 < gmaxwell> midnightmagic: what picture of me are you looking at?
01:49 < midnightmagic> http://www.youtube.com/watch?v=qgJtaBE6uT8#t=6m1s
01:49 < midnightmagic> That's you waving right?
01:49 < Luke-Jr> lol, gmaxwell is in it? XD
01:49 < Luke-Jr> apparently I'm right in the center of the altcoin Q&A XD
01:49 < gmaxwell> yes, thats me.
01:50 < midnightmagic> cool
01:51 < Luke-Jr> I should have feigned falling asleep when the ripple guy went on and on
01:51 < midnightmagic> lol
01:52 < realazthat> lol
01:53 < midnightmagic> Luke-Jr: http://www.youtube.com/watch?v=fZ85cssgDmI#t=0m29s  ah there you are.
01:53  * midnightmagic is growing sadder and sadder to have missed out
01:53 < gmaxwell> midnightmagic: yea, you suck. People asked about you multiple times.
01:53 < midnightmagic> aww
01:53 < Luke-Jr> midnightmagic: can't say we didn't try!
01:54 < midnightmagic> no sure can't.
01:54 < zooko> It would have been nice to have met you IRL.
01:54 < midnightmagic> zooko: You too!
01:55 < realazthat> there'll be another one
01:56 < realazthat> prolly
01:56 < realazthat> unless that P=NP paper does pan out after all :P
02:01 < petertodd> jgarzik: was thinking some more on the k-v store idea...
02:01  * zooko 's ears perk up
02:02 < petertodd> jgarzik: So I think the sacrifice specially marked txout needs to be able to back reference *two* prior txouts, and you should store cumulative size in there as well.
02:03 < petertodd> jgarzik: To incentivise small size k-v maps I'm still not sure... If the rule is largest total sacrifice always wins, that doesn't take storage size into account, but if it's value/size, then empty blocks win.
02:04 < petertodd> jgarzik: Probably want something in between, but now you get to pick a constant and... ugh
02:04  * petertodd feels like gavin...
02:04 < petertodd> zooko: did you see the discussion earlier?
02:05 < zooko> petertodd: I did not.
02:06 < petertodd> -wizards needs archives...
02:06 < petertodd> Essentially jgarzik needed a key-value store, and I came up with one based on a proof-of-sacrifice, where the best block is defined by total sacrifice. (roughly speaking)
02:07  * zooko boggles at the concept.
02:07 < petertodd> The trick is, the sacrifices in the Bitcoin blockchain are made to be identifiable, which means that if someone withholds the block associated with a sacrifice, you can be sure your fork wins by just sacrificing more than they did.
02:08 < petertodd> The incentive to build on others' blocks, is then simply that you are building on their sacrifices, and in turn that gives an incentive to propagate your blocks.
02:09 < realazthat> I can paste logs
02:09 < petertodd> I've got them too
02:09 < realazthat> ok
02:09 < zooko> Is "proof of sacrifice" explained on the wiki or somewhere?
02:10 < zooko> Welcome, nejucomo. (I invited him.)
17:53 < realazthat> Finally, if you're up to writing a LLVM (or any other compiler) for our TinyRAM spec (which is a very simple and nice virtual machine) we'll be happy to share the spec. It will also go online soon.
17:53 < realazthat> ^^
17:53 < petertodd> Nice!
17:57 < petertodd> Hmm... mind, the problem with my scheme is it's non-recursive; the wager has to be a large fraction of all previous sacrifices... hmm...
18:06 < petertodd> Actually, no this works: so lets say my sacrifices form a linear list, with a total sacrificed sum at position i of S(i). The rules are now that with probability 1/S(i) I can "cut-the-chain" and do not need to provide the previous link in that list to consider my sacrifice valid.
18:07 < petertodd> The problem is my expected proof size is still long...
18:13 < petertodd> With a tree construction I can keep the proof size small though by picking between n previous sacrifices.
18:17 < petertodd> The other trick, for picking the random number based on the block hash, is you can do a weak proof of work to arbitrarily make it harder to pick the hash. IE run SHA256 n times to make an attacker spend n more resources (in terms of thrown away blocks) to pick the number.
18:20 < petertodd> re: tree, construct a merkle-sum-tree of the prior sacrifices, and randomly pick a single sacrifice out of that n for the one you are required to keep.
18:22 < petertodd> What's interesting, is that provided you have a means to do the commitment and a followup random nonce, you can use this same principle for any proof-of-work system.
18:23 < petertodd> Yet another example of how the very existence of Bitcoin makes Crypto-Magic possible...
--- Log closed Wed Jun 05 00:00:07 2013
--- Log opened Wed Jun 05 00:00:07 2013
--- Log closed Thu Jun 06 00:00:10 2013
--- Log opened Thu Jun 06 00:00:10 2013
--- Log closed Fri Jun 07 00:00:13 2013
--- Log opened Fri Jun 07 00:00:13 2013
--- Log closed Sat Jun 08 00:00:16 2013
--- Log opened Sat Jun 08 00:00:16 2013
--- Log closed Sun Jun 09 00:00:19 2013
--- Log opened Sun Jun 09 00:00:19 2013
--- Log closed Sun Jun 09 03:35:39 2013
--- Log opened Sun Jun 09 03:35:56 2013
--- Log closed Mon Jun 10 00:00:22 2013
--- Log opened Mon Jun 10 00:00:22 2013
--- Log closed Tue Jun 11 00:00:24 2013
--- Log opened Tue Jun 11 00:00:24 2013
--- Log closed Wed Jun 12 00:00:27 2013
--- Log opened Wed Jun 12 00:00:27 2013
11:27 < amiller_> good morning, it's a great day to be a wizard
11:29 < jgarzik> time for more wizzing
11:47 < petertodd> speaking of, I'm trying to figure out how to model flood fill on a random graph, so really the expected number of nodes reached at time t
11:48 < petertodd> everything I see from google talks about maximums... not so useful
--- Log closed Wed Jun 12 13:32:30 2013
--- Log opened Wed Jun 12 13:32:47 2013
--- Log closed Thu Jun 13 00:00:31 2013
--- Log opened Thu Jun 13 00:00:31 2013
--- Log closed Fri Jun 14 00:00:33 2013
--- Log opened Fri Jun 14 00:00:33 2013
--- Log closed Sat Jun 15 00:00:36 2013
--- Log opened Sat Jun 15 00:00:36 2013
06:48 < HM> the NSA are pretty good at boiling down complex crypto for their presentations
06:48 < HM> and expressing it simply
06:50 < HM> i bet it's a great organisation to work for, just for being exposed to all kinds of interesting work
07:39 < amiller_> my roommate used to work for the NSA but he quit, he says he hated it
07:39 < amiller_> now he is doing a startup company about yoga classes
07:40 < HM> lol
15:58 < midnightmagic> As I understand it, it's pretty universally miserable working at places like the NSA unless you're a particular kind of human, or motivated by some external philosophy.
--- Log closed Sun Jun 16 00:00:38 2013
--- Log opened Sun Jun 16 00:00:38 2013
--- Log closed Mon Jun 17 00:00:41 2013
--- Log opened Mon Jun 17 00:00:41 2013
--- Log closed Tue Jun 18 00:00:44 2013
--- Log opened Tue Jun 18 00:00:44 2013
--- Log closed Wed Jun 19 00:00:47 2013
--- Log opened Wed Jun 19 00:00:47 2013
--- Log closed Thu Jun 20 00:00:50 2013
--- Log opened Thu Jun 20 00:00:50 2013
13:29 < jgarzik> petertodd, Seen this?  "The Economics of Bitcoin Mining
13:29 < jgarzik> or, Bitcoin in the Presence of Adversaries"  http://www.weis2013.econinfosec.org/papers/KrollDaveyFeltenWEIS2013.pdf
13:30 < petertodd> interesting!
13:31 < petertodd> IMO we're really going to need some sort of proof-of-stake system in the long run, but it'll inevitably involve a somewhat different security model
13:32 < jgarzik> Edward Felten is pretty well known author
13:32 < jgarzik> never heard of the others
13:33 < petertodd> funny, I'm not sure the authors realize the blockspace is a limited resource
13:35 < petertodd> the authors also don't grasp how difficult it is for SPV nodes to do anything other than put all their faith in PoW, or trust some central authority
13:47 < petertodd> their analysis of transaction fees also doesn't take into account that adding a transaction increases your chance of an orphaned block - IE there is a very real cost, albeit one that varies dramatically and has weird technological and size variables
13:48 < petertodd> re: orphans, given that higher hash rates == lower orphan rates, everything else equal, it implies the right strategy is pool consolidation to allow you to spend less on hardware to lower orphan rates
13:51 < gmaxwell> I'm not convinced that higher hashrate == lower orphans in any meaningful sense until you're at a consolidation level thats already invalidating the security assumptions. (e.g. one party with a third of the hash power)
14:11 < jgarzik> petertodd, The authors seem to think there is a fee market right now, missing the fact that most fees are paid due to hardcoded anti-spam limits
14:18 < jgarzik> "The only way to preserve the system's health will be to change the rules, most likely either by maintaining mining rewards at a level higher than originally envisioned, or making transaction fees mandatory."
14:18  * jgarzik rolls eyes
14:18 < gmaxwell> 0_o
14:18 < gmaxwell> well petertodd said they didn't sound like they knew that blockspace was a limited resource?
14:19 < jgarzik> gmaxwell, indeed, though I haven't reached that point yet
14:25 < gmaxwell> I can't resist giggling at "making transaction fees mandatory", but if you discard blockspace as a limited resource then I don't know that I could draw any better ones.
14:37 < jgarzik> When reading papers like this, I'm torn between the urge to thank academics for looking at bitcoin? or to flame them for inaccuracies
14:43 < amiller_> this paper gets the wrong equilibrium analysis
14:43 < amiller_> mine is better
14:43 < amiller_> they basically ignore transaction fees altogether
14:46 < amiller_> rather than looking at how the presence of transactions with fees alters the equilibrium
14:46 < petertodd> well, what I did get from the paper was some math notation to use when I write a better one... :P
14:46 < petertodd> amiller_: link to yours?
14:47 < petertodd> I suspect the overall trust of the idea that security costs money is a good point though - an attacker will spend less than the value they are destroying
14:47 < amiller_> https://gist.github.com/amiller/cf9af3fbc23a629d3084
14:47 < amiller_> this is by far the best paper i've seen on bitcoin analysis imo
14:48 < amiller_> they get more 'right' than anyone else so fa
14:48 < amiller_> r
14:48 < amiller_> for example focusing on a rational rather than honest model
14:48 < amiller_> looking at mining and competition rather than just, e.g., user anonymity
14:48 < petertodd> yeah, it's a 51% majority of rational nodes, not honest ones
14:49 < amiller_> it's still a sort of weak paper
14:49 < jgarzik> amiller_, it's full of hand-waving
14:49 < jgarzik> several statements along the lines of "this must be changed" without supporting evidence
14:49 < amiller_> really nothing they've said is terribly well supported
14:50 < amiller_> it's just a workshop paper
14:50 < amiller_> that's basically the equivalent of a forum post
14:50 < gmaxwell> It's still an example of the peer review model failing.
14:51 < gmaxwell> There are some pretty obvious derpy things that any of us could have said "uh, you at least should talk to Y"
14:52 < amiller_> academia moves really slowly
14:52 < amiller_> it's a good sign if a bunch of goofy grad students start writing papers on related things eventually better ones will come out
14:52 < petertodd> They could have said they are analyzing a cryptocurrency with a given set of properties, rather than talking about Bitcoin specifically... which is what they've done really.
14:52 < petertodd> We need common terminology for different models of cryptocurrencies for instance.
14:53 < petertodd> Their analysis is valid for something almost, but not quite, like Bitcoin.
14:55 < petertodd> gmaxwell: re orphans, but we're already seeing pools with such a high hash rate that they are kinda invalidating the security model, modulo the fact that their users can in theory switch pools (weak I know)
14:57 < gmaxwell> yea, okay sure, I'll grant that.. but thats busted. I assume it'll change eventually. If nothing else sooner or later one of the pool compromises will do something unkind with the hashpower and it'll get cleaned up after the panic.
14:58 < Luke-Jr> I have my doubts
14:59 < petertodd> lets suppose though that, say, pooled-solo mode and auditing becomes popular or whatever: you'll wind up with the same centralization for higher profitability, without the obvious risks
--- Log closed Fri Jun 21 00:00:05 2013
--- Log opened Fri Jun 21 00:00:05 2013
--- Log closed Sat Jun 22 00:00:07 2013
--- Log opened Sat Jun 22 00:00:07 2013
--- Log closed Sun Jun 23 00:00:10 2013
--- Log opened Sun Jun 23 00:00:10 2013
--- Log closed Mon Jun 24 00:00:12 2013
--- Log opened Mon Jun 24 00:00:12 2013
12:16 < HM_> Hmm
12:16 < HM_> seems to be common in ECC to take the x coordinate, mod n, of a point g1 to multiply it by another point g2
19:00 < HM> how do signed values even work
19:00 < sipa> they're stored as 2's complement
19:00 < sipa> so if the highest bit of the first byte is set, it's a negative value
19:00 < sipa> but OpenSSL just parses everything as unsigned
19:02 < HM> sure, but how did these transactions get accepted ?
19:02 < sipa> because OpenSSL parses everything as unsigned :)
19:02 < sipa> and every bitcoin full node has used OpenSSL to parse signatures
19:03 < sipa> that's what i mean with bug-by-bug conformance: every full node must mimic all 'errors' that OpenSSL allows, and no others
19:03 < HM> I don't follow, if they're always interpreted as unsigned then the first 1 bit means nothing
19:04 < sipa> imagine you want to store the value 0x9999
19:04 < HM> 0b10011001100110011001
19:04 < sipa> so the positive integer 39321
19:04 < sipa> the correct DER encoding is 0x009999
19:05 < HM> oh, I'm not familiar with DER
19:05 < sipa> as 0x9999 is interpreted as -26215
19:05 < HM> seemed like crufty nonsense to me
19:05 < sipa> well, that's the standard, and it's crufty indeed, but it's sane
19:06 < sipa> the problem is, because OpenSSL knows it expects an unsigned integer, even if you store 0x9999, it will interpret that as 39321 and not as -26215
19:06 < HM> how is it sane to encode a perfectly reasonable 2 byte unsigned value in 3 bytes with 1 useless 0x00 byte?
19:06 < sipa> because it is not an unsigned value
19:06 < sipa> DER doesn't have an unsigned integer type
19:07 < HM> why didn't Bitcoin just use 32 byte unsigned big endian byte types
19:07 < HM> that's pretty straightforward
19:07 < sipa> because Satoshi just used OpenSSL to encode/decode pubkeys/sigs
19:07 < sipa> and probably knew nothing about the encoding itself
19:09 < sipa> anyway: bottom line: every implementation _must_ accept 0x9999 as 39321, even though a standards-compliant DER parser would interpret that as a negative number, which would cause ECDSA to reject the signature as out of range
19:10 < HM> don't you mean it must accept 0x00 0x99 0x99
19:10 < sipa> it must accept both
19:10 < sipa> as OpenSSL accepts both
19:11 < HM> OpenSSL is broken
19:11 < sipa> it is not - it is a tolerant parser
19:11 < sipa> which tries to accept anything that makes sense
19:11 < HM> Why does it use DER if it interprets it as unsigned and DER doesn't have an unsigned type?
19:12 < sipa> well in a way it makes sense: "ok you give me this signature *parse* ok, syntactically correct. wait... this R value is negative? i don't expect a negative number here... let's assume you just missed a 0 byte in front"
19:13 < sipa> the only problem is that bitcoin passes signatures directly to OpenSSL
19:13 < HM> ick
19:13 < sipa> and thus made OpenSSL's implementation an implicit hardforking network rule
19:13 < HM> so basically you have to read the byte string and if it's not already zero padded, add a 0x00 byte
19:14 < sipa> by the way: we did use this 'oversight' to our advantage as well: it allowed a completely backward-compatible implementation of compressed pubkeys
19:14 < sipa> as every old node silently already accepted compressed pubkeys
19:15 < HM> using one oversight to correct another :P
19:15 < jgarzik> speaking of (somewhat)...  petertodd already used 0x00 + 32 bytes for information purposes, so I think we should just do OP_DROP-as-standard
19:15 < jgarzik> i.e. purposefully invalid pubkey
19:15 < HM> compressed public keys made sense from the start
19:16 < sipa> jgarzik: i really dislike making something like that standard, but i have no problem with instant-pruning obviously-unspendable outputs
19:17 < jgarzik> interesting
19:17 < sipa> which was what he was asking for, i think
19:17 < jgarzik> a bit more limited than OP_DROP, but should suffice for per-transaction information purposes
19:17 < sipa> (make scriptPubKeys that start with an OP_RETURN insta-pruned)
19:18 < jgarzik> yeah
19:18 < sipa> 195k blocks verified
19:20 < HM> sipa: how is that AST idea for scripting going down?
19:20 < HM> along with P2SH
19:20 < sipa> HM: it exists
19:20 < sipa> in the abstract mathematical sense :p
19:21 < HM> anyone slapped together a grammar?
19:21 < sipa> roconnor and i have worked on something like that for a while about a year ago
19:22 < HM> any public documents?
19:22 < sipa> dunno
19:24 < sipa> we certainly never got to a point of defining a serialization, so i guess that'd count as 'no' to your question
19:26 < sipa> hmm, problem with such fast script verification: i can't get my parallel signature checking to use more than ~3 cores
19:28 < HM> i almost feel a register based script engine would suffice.
19:29 < HM> although long lists of pubkeys and such pose a problem
19:29 < HM> less flexible to expand as well
19:30 < sipa> 206k
20:02 < sipa> done!
21:06 < amiller> i'm learning to do proper semantics now
21:06 < amiller> with things that look like this:
21:07 < amiller> so i'm sure i'll have this sorted in no time
21:49 < gavinandresen> all righty... who has done what?  I sent an alert to 0.8 nodes and tweeted, pointing to sipa's post on bitcointalk
21:49 < gavinandresen> gmaxwell: you sent email to the infrastructure list?
21:49 <@gmaxwell> Yes.
21:50 <@gmaxwell> Sorry it wasn't a great email, but I checked and one hadn't been sent... fast seemed better than perfect.
21:50 < gavinandresen> fast is good
21:51 < gavinandresen> I'm going to kiss the kids goodnight, and stop and take a breath.  We'll need a web page explaining to people what happened / what is happening; either on bitcoin.org or I could post to the foundation blog
--- Log opened Mon Mar 11 22:50:36 2013
--- Log closed Tue Mar 12 00:00:39 2013
--- Log opened Tue Mar 12 00:00:39 2013
00:17 < HM> so, sipa... you were telling me about bug for bug compatibility ;)
00:30 < midnightmagic> HM: dude, terrible timing, lol
00:37 < amiller> there should be a meta format so miners can voluntarily provide better detail about hash power
00:37 < amiller> it's pretty cool that we can observe pools strength in closer to real time
00:52 <@gmaxwell> HM: I was too. Actually I wanted to take a moment to mock you, but it was too busy! :P
--- Log closed Tue Mar 12 02:59:43 2013
--- Log opened Tue Mar 12 11:11:38 2013
--- Log closed Wed Mar 13 00:00:19 2013
--- Log opened Wed Mar 13 00:00:19 2013
03:46 < jgarzik> <blueadept> Decentralized networks for instant, off-chain payments - https://bitcointalk.org/index.php?topic=152334.0
04:01 < petertodd> oh, is that guy for real?
04:01 < petertodd> I didn't bother reading that huge page - assumed he was a crank.
04:03 < jgarzik> petertodd: I skimmed a bit, but admittedly had RL kid craziness going at same time
04:03 < petertodd> Huh, well at least it's probably not obviously crazy.
04:03 < jgarzik> petertodd: mainly wanted to add it to the collective link collection
--- Log closed Thu Mar 14 00:00:21 2013
--- Log opened Thu Mar 14 00:00:21 2013
17:25 < jgarzik> Block #225430 chain fork dataset available - https://bitcointalk.org/index.php?topic=153170.0
--- Log closed Fri Mar 15 00:00:22 2013
--- Log opened Fri Mar 15 00:00:22 2013
00:17 < amiller> jgarzik do you know how i'd go about getting a dataset of all the work done at that time
00:17 < amiller> like shares from pools
02:02 < warren> didn't know this existed
02:02 < amiller> yeah
02:02 < amiller> it's the rocket science research central
02:02 < amiller> we're going to the moon
02:02 < jgarzik> not until amiller blabbed about it anyway ;p
02:03 < warren> and not logged, apparently
02:03 < amiller> this is more of a shunt away from #bitcoin-dev than an exclusive panel jgarzik :p
02:08 < amiller> it could be logged, no one has seen the need to bother
02:09 < amiller> i have logs if you want a copy
02:09 < amiller> warren,^
02:15 < amiller> good evening
02:15 < cads> 'sir
02:16 < amiller> also see pm
02:16 < amiller> i think you're barking up the wrong tree with the suggestions about AI but it's probably not important
02:22 < amiller> cads ah i'm not sure what question this really answered but i feel like linking to a bunch of papers on the topic of interstellar economics
02:22 < amiller> http://people.csail.mit.edu/rivest/fc97-paper.pdf
02:23 < amiller> first of all ron rivest made a short opinion piece at the first FC conference speculating how future money would be based on computational power and it would have a lot in common with voting
02:24 < amiller> i like a really famous old paper in distributed computing about protocols that scale arbitrarily well http://groups.csail.mit.edu/tds/papers/Lynch/jacm88.pdf
02:24 < warren> shamir?
02:24 < amiller> shamir what?
02:25 < warren> -dev mention
02:25 < amiller> http://eprint.iacr.org/2012/584.pdf
02:25 < amiller> this is a paper by shamir and a colleague dorit ron on an empirical analysis of bitcoin
02:25 < amiller> it was really lame because they didn't really answer any of the questions they posed and those questions weren't worthwhile in the first place >:|
02:26 < amiller> it has no theory or math or anything in it which is strange given that the authors are reputable academic crypto/math people
02:27 < amiller> still hopefully it's seen as 'breaking the ice'?
02:28 < amiller> the basic idea of partially synchronous networks is that there are some algorithms that work even if you don't know what the latency is across the whole network
02:29 < amiller> the basic technique is something like exponential backoff - no matter what the real latency is, you 'find it' eventually/quickly
02:31 < amiller> so you said something about wanting to understand the basic limits of global consensus
02:32 < amiller> also it's useful to think about space and long distances if it puts coping with big latency in scope
02:33 < amiller> otherwise you can fantasize about intercontinental network splits or whatever
02:33 < amiller> but a practical reason is that better dealing with latency also implies better use of more efficient networks in a normal environment
21:37 < jgarzik> <smooth> so i built a tip bot for irc cause jgarzik suggested it, but im discouraged by all these legal issues.  i may not deploy it
22:49 < petertodd> interesting
22:49 < petertodd> can he at least release the code?
22:52 < gmaxwell> run it as a testnet thing for development perhaps?
22:53 < jgarzik> He already disappeared off #bitcoin, where that was said, before I had a chance to say hi
22:54  * jgarzik was thinking about writing one, testing on testnet, and open sourcing the code... but not running it
22:54 < jgarzik> with real money
22:54 < petertodd> Ha, we all want to not run it.
22:54 < jgarzik> and even on testnet, zero deposits periodically
22:54 < petertodd> Yup, least testnet BTC suddenly have a value...
22:55 < gmaxwell> Right. I would expect limits on deposits and total value, and then someone in a favorable jurisdiction running it .. over tor. probably no problems, but I'm sure not going to do it.
22:55 < petertodd> I've been pondering TPM'd coins actually; would a remote attested private key swapping thing fall under FinCEN?
22:55 < gmaxwell> petertodd: god knows, we can probably find all kinds of regulatory corner cases very rapidly.
22:56 < gmaxwell> Testnet even is a funny example. Testnet is _clearly_ not money. not unless you want to call beanie babies money.
22:56 < petertodd> What's interesting there, is you can improve security of it by having central double-spend detection servers, yet those servers aren't "running" the scheme and you can have as many of them as you want.
22:56 < petertodd> gmaxwell: Yet the second testnet difficulty rises...
22:57 < gmaxwell> petertodd: well it can't we broke it. Testnet difficulty can be warped back to 1 at any time.
22:57 < gmaxwell> It's fundamentally broken. :)
22:57 < petertodd> gmaxwell: Right, so agree on more testnet checkpoints and it's money again...
22:58 < petertodd> Or fix the timewarp bug...
22:58 < gmaxwell> not just that.
22:58 < gmaxwell> if you mine a 20 minute block at a mod 2016-1 point the diff gets reset to 1.
22:58 < gmaxwell> well, 1-4 depending on the timestamps.
22:59 < gmaxwell> (the retarget uses the prior blocks actual difficulty)
22:59 < petertodd> Exactly, so if that bug gets fixed testnet can turn into money again on miner whim.
23:00 < gmaxwell> I suppose. But then why isn't my respect for you money? :P At some future whim I could convert it into bonds or something. :P
23:00 < petertodd> Anyway, my general point is it's good to have favorable legal rulings, but the law changes, and furthermore the interpretation of the law changes.
23:01 < petertodd> BTW you said you bought some TPM-capable hardware?
23:03 < petertodd> I was thinking of doing so too, and it'd be neat if we had what we had bought co-ordinated.
23:04 < jgarzik> TPM has an RNG too.  Make sure to make use of that.
23:06 < petertodd> I dunno, I think RNG is easier than people make it out to be with yarrow and persistent applications.
23:06 < petertodd> For instance a perfectly reasonable RNG algorithm for something like a smartcard is to use a non-reversible counter with a secret seed.
23:07 < petertodd> *PRNG
23:07  * jgarzik was mainly thinking of its use to fill the kernel's entropy pool
23:08 < jgarzik> rngd will use TPM's RNG automatically, to do that
23:08 < jgarzik> then, /dev/[u]random are happier
23:08 < warren> I vaguely recall reading a paper about a smartcard that detected time-based attacks upon it by checking how much of SRAM had decayed into random bits during poweroff.  I thought that was pretty clever.
23:09 < petertodd> warren: Interesting, although that'd make for an interesting testing problem at the factory.
23:09 < warren> I wondered at the time if that would be a good or bad way to get more entropy.
23:10 < petertodd> My point is, with secure storage you keep a pool that you are essentially adding entropy to the whole lifetime of the device, thus you don't actually need all that much, and it's perfectly reasonable for the factory to fill the pool with entropy per-device.
23:14 < warren> you're right, but you'd have to trust the factory
23:14 < petertodd> You already have to!
23:14 < warren> heh
23:15 < warren> Intel's new entirely digital hardware RNG is supposed to be pretty good.  But the linux kernel developers don't trust intel, so they are feeding it as an input to the kernel prng instead.
23:16 < petertodd> As they should. Similarly software like Bitcoin shouldn't trust the kernel developers, and should feed their random numbers into our own PRNG
23:17 < warren> You're so screwed if you can't trust the kernel.
23:17 < petertodd> I proposed using the last privkey XOR /dev/urandom to create every privkey
23:18 < petertodd> oh, I forgot H(last privkey XOR /dev/urandom)
23:19 < petertodd> For Bitcoin PRNG mistakes are especially bad because the attacks can be done at leisure, so the usual standards of kernel development may not be enough.
23:21 < gmaxwell> petertodd: I already had a pair of X9SCL-F motherboards (i7 systems) which support the txt stuff but just need a tpm module. Getting actual TPM modules is hard. I found one which _may_ be compatible on ebay. I'll let you know when it shows up and I get a chance to test it.
23:21 < gmaxwell> warren: "trust but verify"
23:21 < gmaxwell> warren: if the kernel developers are malicious you're in trouble, if they make mistakes... well no need for bitcoin to be utterly brittle to weaknesses in the kernel rng.
23:22 < petertodd> gmaxwell: Cool. Yeah my mobo is an Acer and supports TPM modules, but good luck finding one. I was thinking I might just get a thinkpad laptop w/ TPM.
23:22 < gmaxwell> I have one of those but I use it. :P
23:23 < gmaxwell> petertodd: if you go that route: lenovo outlet store.
23:23 < gmaxwell> (or ebay)
23:23 < warren> gmaxwell: lenovo outlet doesn't have awesome deals anymore like a year or two ago
23:23 < gmaxwell> aww
23:23 < warren> gmaxwell: 3 of 11 laptops I bought from outlet were lemons
23:24 < warren> I think they gave up on the customer service for that and just dumped all of them with 3rd party outlets.
23:24 < petertodd> Yeah, I've got a few options - every laptop I've ever owned has been an older used thinkpad from a corporate lease.
23:24 < warren> You'll see them on newegg outlet along with random other brands.
23:25 < gmaxwell> petertodd: perhaps buy a thinkpad with a broken screen on ebay. :P one advantage of using laptops for this sort of thing is that if you wanted to come up with a design which would be cryptoanarchist compatible they could strip the laptops down to nothing but the motherboard and embed them in stuff.
23:25 < warren> That and if you can find a IBM employee, their ibmepp code lets you buy Thinkpads often cheaper than outlet.
23:26 < petertodd> gmaxwell: For sure. TPM 1.2 can do remote attestation just fine, it's just the lack of the infrastructure to convince others that your attestation is correct, but with some standardization I suspect that can be worked around.
23:26 < petertodd> gmaxwell: The JavaCard smartcard standard seems to be able to do it too, but documentation is scanty.
23:27 < gmaxwell> separately from the bank stuff, a generic computational oracle would be interesting.
23:28 < petertodd> Yup. Not to mention secure remote servers is totally doable, especially if you add some anti-tamper sensors.
23:31 < gmaxwell> yea, well tampering can be made as hard as you like... make an anti-tamper nest of fine wires all around it and pot the darn thing... plus then its waterproof too. :P
23:33 < petertodd> Two other good ones are to use light sensors plus *light sources* in the box, and wipe the keys if the amount of light returned ever changes from the expected, along with vibration sensors. For the latter your only limitation is earthquakes.
23:33 < petertodd> I live on top of four billion year old rock so earthquakes aren't such a big deal. :P
23:33 < jgarzik> RE RNG and feeding... it's not about trusting the kernel but the hardware.  Easier to put a big lump of FIPS testing and other fun in userspace.  Easier to balance between competing consumers of hardware RNG entropy, if it's bandwidth limited versus the application.
23:34 < jgarzik> a direct function call kernel->kernel isn't optimal for all situations
23:34 < jgarzik> including hardware RNG burp situation
23:37 < gmaxwell> petertodd: having something like accelerometer wipe and shutdown would be neat but kinda bad that you can never recover if someone just kicks it.
23:37 < jgarzik> gmaxwell: hah, neat idea
23:37 < gmaxwell> petertodd: I imagine it might be possible to drop a computer at the bottom of an abandoned gas well and fill it in. connected via fiber (both for power and comms) .... would be totally tamperproof.
23:39 < petertodd> gmaxwell: Depends on the threat model. Allegedly nuclear anti-proliferation sensors often are basically sealed computers in concrete filled holes, and seismic is an essential part of testban treaty monitoring anyway.
23:40  * jgarzik would love to see a modern day Johnny WifiNodeSeed
23:40 < jgarzik> toss them on rooftops, powered via solar
23:41 < petertodd> jgarzik: Ha, well my other hobby is cave exploration... maybe a microhydro turbine in a storm sewer? :P
23:42  * jgarzik wonders the size of the block header + largest transaction list seen to date
23:43 < jgarzik> having the full TX list can occasionally be more useful than just merkle root
--- Log closed Sat Mar 23 00:00:02 2013
--- Log opened Sat Mar 23 00:00:02 2013
18:43 < gmaxwell> petertodd: it seems to me that all this TPM everything (including hal's stuff)  could all be converged on a single computational oracle model.
18:44 < gmaxwell> E.g. you write a TPM-program that takes an AST-program hashroot. And derives a program specific secret value H(AST-root||oracle_secret) and pushes that on its stack along with the time. .. and runs whatever program the user sends it.
00:20 < zooko> Like with Bitcoin-proper, we relieve some of the burden on the consensus system by asking it only to determine which of multiple conflicting signed statements to honor, instead of
00:20 < zooko> asking it to speak for everyone.
00:20 < zooko> Right?
00:21 < zooko> In the same way that Bitcoin doesn't ask the global consensus to determine everyone's account balance, but only to choose which spend to honor when there are conflicting spends.
00:21 < petertodd> Ok, but lets rephrase that: Bitcoin is a consensus system, and for every unspent txout (the key!) it assigns a value (what transaction spent it!)
00:24 < zooko> Ok.
00:24 < zooko> But those keys are use-once.
00:25 < Luke-Jr> add a version number to the key name, and voila
00:26 < petertodd> Sure, but lots of key-value maps are set once, doesn't make it not a key value map.
00:31 < zooko> Luke-Jr: I don't quite see what you mean.
00:31 < zooko> petertodd: I didn't mean it isn't a key-value map...
00:32 < Luke-Jr> zooko: version 0 of a key is the first time it's set; version 1 overrides that to set it a 2nd time, etc
00:32 < zooko> So, maybe this is what Luke-Jr was getting at, if you have this set-once kind of thing, you can always use it as a set-many kind of thing by every time you set the set-once key, the value has the next key bundled into it.
00:32 < Luke-Jr> that's an option too
00:32 < Luke-Jr> I'd just make it deterministic :P
00:33 < Luke-Jr> "next key bundled into it" is arguably what Bitcoin does :P
00:33 < zooko> Yeah!
00:33 < petertodd> Exactly, and as jdillon pointed out, you can make a updatable key-value store that way: https://bitcointalk.org/index.php?topic=186264.msg2037810#msg2037810
00:33 < petertodd> Of course, he pointed that out because he wants to show that raising the blocksize limit is madness...
00:34 < Luke-Jr> right now*
00:34 < petertodd> Luke-Jr: correct, *removing* the blocksize limit
00:35 < petertodd> zooko: jdillon is the same guy that timestamped 50K PGP fingerprints into the blockchain to prove a point
00:36 < Luke-Jr> petertodd: glare at him for me
00:36 < Luke-Jr> if you want to prove a point, testnet is the place for that -.-
00:37 < petertodd> anyway... his underlying idea there is sound, the key-value system now called zookeyv that I outlined basically takes that simple structure and makes it efficient, and importantly, gives incentives to not hide your actual keys and values
00:37 < zooko> petertodd: heh heh
00:38 < zooko> So is your "zookeyv" design using the technique of bootstrapping set-once keys to get effectively set-many keys?
00:38 < petertodd> well... very roughly speaking kinda
00:39 < zooko> I don't understand why it is important to disincentivize hiding keys and values.
00:39 < zooko> Or... or what "hiding" could mean here.
00:39 < petertodd> Its more that we can attach a value to those set-once keys, to decide *which* set once key is now canonical, and instead of values being keys directly, they're block headers
00:41 < petertodd> Oh, and the key, that's actually the previous block(s) in the dag
00:41 < zooko> Hm.
00:41 < zooko> I didn't follow that last bit.
00:41 < zooko> There is never a question about which set-once key is canonical, if
00:41 < zooko> you already have a global consensus system to resolve conflicting claims about that from the controller of the key.
00:41 < zooko> Right?
00:42 < zooko> And what's a block header?
00:42 < petertodd> Well, lets suppose we have an updatable set-once key, as Luke described.
00:42 < zooko> Actually I didn't understand that.
00:42 < zooko> The version I described, in which you have a key that can really be set at most once
00:43 < zooko> and then whenever you set it, you set it to a tuple of (value, new-key).
00:43 < zooko> That I understand.
00:43 < petertodd> Basically he's just saying that if your keys follow the convention key-1, key-2, key-3 then you basically *do* have a set-more-than-once key-value map.
00:43 < zooko> (By the way, it dovetails with a thing called "Guy Fawkes Protocol".)
00:43 < petertodd> (assuming consensus about the current set of all k-v pairs)
00:43 < zooko> But, that's, but,...
00:43 < petertodd> Bitcoin has consensus about the state of the txout set.
00:43 < zooko> Someone who didn't control key-1 could set a value for key-2.
00:44 < petertodd> Sure, but what if we look at the whole set of those keys, and decide which one is canonical based on a PoW?
00:44 < petertodd> Which is what the blockchain kinda does...
00:45 < zooko> Um.
00:45 < zooko> Okay, "what if". My answer is, it might not work, might be complicated and dangerous, and also why would we want that?
00:46 < zooko> The thing where you set-once key1
00:46 < petertodd> Do you understand how the Bitcoin blockchain itself is basically one such key value system?
00:46 < zooko> would be secure.
00:46 < zooko> I think so.
00:47 < petertodd> Good. Now lets replace the proof-of-work, with proof-of-sacrifice.
00:47 < zooko> So, like I was saying earlier, it seems wise to ask as little as possible from a global consensus system.
00:47 < petertodd> (tied to Bitcoin)
00:47 < petertodd> Sure, but we only have one good global consensus system, and that's Bitcoin, so build on it.
00:47 < zooko> Instead of asking Bitcoin-proper what each person's balance is, we ask it only to reject N-1 double-spends.
00:47 < petertodd> That's irrelevant to zookeyv
00:48 < zooko> Likewise, instead of asking it to decide whether key-1 and key-2 both belong to the same "owner" or authority sphere or whatever, let's just ask it to choose at most one of the "set-once" operations authorized by key1.
00:48 < zooko> Then let's use key1 → (value1, key2) to tie key1 to key2.
00:48 < petertodd> Sure, but step back for a minute....
00:49 < petertodd> Lets suppose you had a Bitcoin blockchain, where instead of the hash-based proof of work, you decided on what was the blockchain based on
00:49 < petertodd> Bitcoin sacrifices.
00:49 < zooko> I don't see why it matters how the global consensus system decides.
00:49 < zooko> Although, I'm interested in the Bitcoin sacrifices idea!
00:49 < petertodd> It matters a heck of a lot because we have to build the damn thing...
00:50 < zooko> But I don't see why it matters for this.
00:50 < zooko> Hrm.
00:50 < petertodd> Anyway, point is, so you can make a blockchain where the best chain is picked by proof-of-sacrifice.
00:50 < zooko> Okay.
00:51 < petertodd> Now, the transactions that actually sacrifice funds, you can "mark" them in such a way that by examining the Bitcoin blockchain you can be sure to know about every such sacrifice.
00:51 < zooko> Haha! Security firedrill. Hilarious.
00:51 < zooko> Sorry.
00:51 < petertodd> (essentially there is global consensus on what sacrifices have been made for this PoS blockchain)
00:51 < petertodd> lol
00:51 < zooko> Distracted by that...
00:52 < zooko> Okay, so I think I understand... for example, you could spend to an address which is all 0 bits.
00:52 < petertodd> Now because of that consensus, you can be sure that *if* a sacrifice was made to add a block to the chain, you at least know that happened, if not what the contents of the block actually where.
00:52 < zooko> Ugh, I'm sorry, I missed a step again.
00:52  * zooko thinks.
00:53 < zooko> I still don't understand why it matters whether the consensus system that provides the set-once key-value pairs is PrOW or PrOSa. But I'm still interested in PrOSa.
00:54 < petertodd> Again, strictly speaking, it doesn't, but to actually make one, PoS is a *much* better option.
00:54 < zooko> Okay, so to help me understand, let's move back to more like normal Bitcoin.
00:54 < petertodd> Namecoin is k-v via PoW remember
00:54 < Luke-Jr> PoS = proof of stake
00:54 < zooko> Or something else that I find more familiar.
00:54 < Luke-Jr> petertodd: namecoin's k-v is proof of sacrifice
00:55 < petertodd> Pff, proof-of-stake == PoT, because that's what its proponents are usually smoking
00:55 < Luke-Jr> lol
00:55 < petertodd> Luke-Jr: No, I mean the namecoin blockchain itself, not how you buy a name on it.
00:55 < Luke-Jr> oh
00:56 < petertodd> zooko: Well, I am talking about something like normal Bitcoin...
00:57 < petertodd> I'm describing how in my zookeyv system we determine what is the state of the blockchain.
01:00 < zooko> petertodd: okay, so suppose we have some way to achieve global consensus on a "blockchain",
01:00 < petertodd> see, you're talking on a level different than what I'm talking about
01:00 < zooko> where the relevant thing about a "blockchain" for this purpose is that a blockchain doesn't contain any conflicting set-once's for any key.
01:01 < petertodd> ok
01:01 < zooko> Am I on the right track so far?
01:01 < petertodd> Not really
01:02 < petertodd> You're getting hung up on what you do with the keys and values, not how you decide them,.
01:02 < zooko> Ah yes.
01:03 < zooko> So, what do you mean "how you decide them"? But don't tell me (yet) about how you would implement it!
01:03 < zooko> Instead tell me what properties it would have.
01:03 < zooko> Who gets to choose what the set-once value for key1 will be?
01:04 < petertodd> But see, zookeyv's underlying model allows for a whole bunch of ways to implement the deciding bit depending on what your problem is.
01:04 < zooko> By "who gets to choose", I hope to be getting at what you were talking about -- how you decide them.
01:04 < zooko> You mean a whole bunch of ways to determine who gets to choose the value for key1?
01:05 < petertodd> No, a whole bunch of ways to decide what the key-value mappings are.
01:05 < zooko> Isn't that the same thing?
01:05 < petertodd> What's more interesting, is how do you do the mappings on top of Bitcoin.
01:05 < petertodd> Because once you have one key-value mapping, you can build upon that to do all kinds of ones.
01:05 < petertodd> (specifically one set once key-value mapping)
14:49 < CodeShark> maaku: the wright brothers didn't even understand swept wing designs or the fundamental subsonic limitations of propellers
14:50 < CodeShark> point is, Satoshi surely missed many things, too
14:50 < adam3us> CodeShark: thought experiment: if ltc got real transactions, overtook btc in market cap, and then perhaps btc users dump btc to buy ltc causing a btc price crash; then ltc users notice ftc catching up with its market cap - next thing you know people lose confidence in the asset class of digital scarcity and turn the whole thing into a digital tulip
14:51 < adam3us> CodeShark: I dont want that outcome.  alts must die.  use bitcoin-staging to try useful new params or features.
14:51 < CodeShark> anyhow, I'm not going to get sucked into a religious debate
14:52 < CodeShark> alts are inevitable - we must learn to cope with them. they won't die
14:53 < adam3us> CodeShark: i am just saying alts are stupid and maybe even dangerous.
14:53 < CodeShark> the same decentralized nature of the technology which makes bitcoin so hard to kill makes alts hard to kill
14:53 < adam3us> CodeShark: I think most of the pump & dumps will die soon enough.  they have no intrinsic value because there are no transactions.  eventually they die
14:54 < adam3us> CodeShark: bitcoin has first mover advantage - big intrinsic value, infrastructure and stored-value; the alts are abuses trying to make-money-fast with param-tweaks, 99% of them.
14:54 < CodeShark> the core technology is agnostic to these parameters - the core technology consists of a decentralized timestamping mechanism using proof-of-work
14:55 < CodeShark> you can think of alts as simply param tweaks on bitcoin - I see it a different way - I would like to see the decentralized timestamping mechanism Satoshi invented applied to many problems
14:55 < adam3us> CodeShark: if you like analogies its like the wrong brothers came along and cloned the write brothers plane and painted it blue and then tried to claim they invented or profit from the wright brothers work
14:56 < CodeShark> I think the original bitcoin client isn't sufficiently modular and flexible
14:56 < adam3us> CodeShark: "look at my blue plane".... its "BLUE" so its like cool and stuff, please mine it and make me money fast :)
14:56 < adam3us> CodeShark: so work on making it modular and flexible
14:56 < CodeShark> I have been :)
15:01 < CodeShark> adam3us: my motivation here is not making money fast - my motivation is seeing this technology evolve
15:02 < adam3us> CodeShark: ok, me too.  i think the best for that to happen is bitcoin-staging with 1:1 peg.  BlueMatt & gmaxwell had a plausible argument that a 1:1 peg maybe possible
15:02 < adam3us> CodeShark: the one change to rule them all as greg put it
15:03 < adam3us> CodeShark: it allows btc denominated (21 million coin cap preserving) alts or beta-coins
15:03 < jtimon> adam3us 1:1 is possible but very inconvenient
15:04 < adam3us> how so?
15:04 < jtimon> what would you make bitcoin's security depend on another chain?
15:04 < adam3us> jtimon: i think its fantastic; thats the clever part - only the coins moved are at risk
15:05 < jtimon> well, the whole altchain is at risk if the validity of its transactions depend on bitcoin's chain
15:05 < jtimon> a reorg in one can cause a reorg in the other
15:05 < nsh> depends on the nature of the dependency :)
15:06 < jtimon> sure
15:06 < adam3us> jtimon: yes.  but it seems unlikely for the mid-term that an alt will be more secure than bitcoin; and most alts are also uninteresting - no tx, and no intrinsic value
15:06 < adam3us> jtimon: i think a reorg in the alt is designed not to do anything to btc; e.g. like mining a long conf time
15:06 < jtimon> that doesn't say anything in favor of a bitcoin-pegged currency
15:07 < adam3us> jtimon: most of the thinly veiled excuses for alts are "oh the innovation" (like param tweak or hash function swap)
15:07 < adam3us> jtimon: so if they can peg to btc, then they have no excuse, they can do the innovation or go away
15:07 < CodeShark> alts are just tinkering with parameters that a sufficiently modularized technology would allow you to freely tweak anyhow
15:08 < jtimon> I don't see how a bitcoin-pegged currency will prevent stupid people from doing and saying stupid things
15:08 < adam3us> jtimon: yes but they wont be starting a digital scarcity race and no one will risk btc in them, so its less wasteful and less dangerous
15:09 < jtimon> I disagree with your "digital scarcity" argumentation
15:09 < jtimon> you can innovate in your own testnet, you don't need a btc-pegged currency nor an altcoin for that
15:11 < CodeShark> the genie is out of the bottle
15:11 < nsh> hell, these days you can simulate an entire operating economy with some EC2 instances and historical transaction data
15:11 < CodeShark> regardless of whether or not alts are dangerous to bitcoin, they are inevitable
15:12 < jtimon> agreed
15:12 < nsh> network protocols are inevitable too, yet here we are on tcp/ip(v6) :)
15:12 < nsh> (unfortunately)
15:13 < jtimon> and a btc-pegged altcoin changes nothing with respect to the rest of altcoins
15:14 < jtimon> I think we just need more time and people losing ridiculous amounts of money by speculating in altcoins for the fever to pass
15:14 < adam3us> jtimon: it shows them for what they are - pump & dumps or they would use btc-peg (unless they are actually experimenting with the distribution model itself, like freicoin)
15:15 < jtimon> I think the btc-pegged altcoin is a bad idea and I'm still missing how it is supposed to change in any way the perception on altcoins
15:15 < jtimon> why would they use btc-peg?
15:16 < jtimon> that's not better, it's worse
15:16 < jtimon> technically
15:16 < jtimon> an unnecessary burden
15:16 < adam3us> jtimon: ok say someone wanted to implement freimarket extensions to make them available to bitcoin scripting.
15:17 < jtimon> cool
15:17 < adam3us> jtimon: they could do that using dogecoin or btc... you choose
15:17 < adam3us> jtimon: (and i like freimarket script extensions a lot... a couple of them i thought about before i saw it, very elegant and minimal!)
15:17 < jtimon> the hardfork on btc is much more difficult
15:18 < jtimon> so I think altcoins will have it first
15:18 < adam3us> jtimon: thats the point of bitcoin-staging and btc-peg.  make that hard fork, then other hard-forks can happen in pegged-alts
15:18 < jtimon> probably freicoin first, then a freicoin-without-demurrage fork or several of them...
15:19 < adam3us> jtimon: thats why i said gmaxwell called it the one change to rule them all - its literal, other forks dont need forks after that
15:19 < jtimon> just like can happen in non-pegged alts much more easily I still don't see the point
15:20 < jtimon> the whole pegging stuff is a burden in your design I don't see what it adds other than calm some of your "digital scarcity" fears
15:20 < adam3us> jtimon: the point is where woud you rather have freimarket extensions available in bbqcoin or to btc users
15:21 < jtimon> to all users
15:21 < jtimon> but are bbq devs going to rebase their code?
15:21 < jtimon> maintain it?
15:21 < adam3us> jtimon: no really the original motivation is the unfortunate conflict between the need to be careful with btc changes, to preserve value, and the desire to implement known useful improvements
15:22 < adam3us> jtimon: bbq are a joke, thats my point; it'll probably flame out at some point when the dev gets bored and it breaks
15:22 < jtimon> I understand the motivation, I just disagree that your proposed solution helps in any way or that altcoins are really a problem
15:23 < jtimon> many people involved in altcoins haven't seen altcoins die yet
15:23 < adam3us> jtimon: give it time. quite a few have died already in flame-outs and peter-outs
15:24 < jtimon> after a couple of them die in their hands they will think twice before speculating on the next proprietary altcoin
15:24 < adam3us> jtimon: btw i mean param-tweak alts... should distinguish - i am using alt as short hand for things like bbq coin and doge coin
15:24 < jtimon> they're all alts
15:24 < pigeons> probably the first ones WEEDS, 100% premined only tx fee currency, and beertokens, backed by 1 bottle of beer, have died
15:25 < jtimon> I think "backing" is a bad idea in general
15:25 < jtimon> for money
15:26 < pigeons> yes, but fun thing is you can prove something is a good or bad idea eventually
15:26 < jtimon> a year from now, there will be articles with a long list of dead altcoins
15:26 < warren> it's hard for them to die
15:27 < jtimon> well, most of them are zombies as currencies anyway
15:27 < pigeons> anyway the client multicoin that sacarlson used by forking bitcoin and pulling out the parameters into config files was used by later altcoins like tenebrix and fairbrix which eventually brought litecoin even though at that point litecoin decided to fork from bitcoin again
15:28 < jtimon> yeah, multicoin was an interesting project
15:28 < pigeons> he was starting to work on plugin modules for things like difficulty adjustment filters as that started to get more complex than just changing static numbers, but then he got a real job
15:29 < pigeons> and bitcoin is kind of less interesting now  that its big bucks for some
15:29 < pigeons> but for some people that makes it more interesting
15:32 < pigeons> i think a focus on decentralizing mining would be a good niche for an altcoin. i guess the tools are all there with GBT, and there are example models such as p2pool with real data to look at
15:53 < jtimon> kind of off-topic but...does anyone know if the rumors that say coinbase uses mongoDB as their primary store for financial transactions are true or not?
16:07 < nsh> jtimon, i am relatively confident they are true or not, yes
16:08 < jtimon> yeah true or not, that's what I thought
16:08 < nsh> it's always the way...
16:08 < nsh> damn you aristotle. damn you to hell...
21:49 < cfields> warren: the thing about that change, is that it affects lots of leveldb in tiny tiny ways
21:49 < gmaxwell> cfields: we should probably do some testing of level db where we fill the source code with if(atoi(getenv("diehere"))==linenumber)exit(1);  and then run in a loop syncing the testnet chain and picking random numbers to die on then restarting and making sure it continues.
21:51 < cfields> heh
21:52 < cfields> gmaxwell: are you after a test for this one in particular? or general leveldb badness?
21:52 < gmaxwell> well, I always suspect more badness once some is found. :)
22:24 < cfields> heh
22:25 < cfields> gmaxwell: leveldb has a pretty extensive test-suite. I'm really not sure we could catch anything that they miss
22:26 < cfields> in your example above, looping their corruption test as long as syncing testnet would probably give the same result
22:26 < gmaxwell> cfields: well, you found bugs by inserting sleeps and killing it .. :)
22:27 < cfields> heh
22:27 < cfields> gmaxwell: actually, that does raise an interesting point
22:28 < cfields> a bash script to continuously send STOP/CONT to bitcoind could be interesting
22:30 < cfields> i don't know enough about the underlyings of those to know how much (if at all) that could simulate outside-world interference. loss of net connections, closed files, etc
22:33 < gmaxwell> mostly I want to detect cases where a sudden power off would leave the system in an unrecoverable state.
22:41 < cfields> i'm unfamiliar with what is allowed to finish after a SIGKILL. How close does that come?
22:41 < gmaxwell> a real test would be to create a special log structured block device that allows you to mount the log at any write along its history can continue from there.
22:42 < gmaxwell> sigkill is probably close enough to be interesting but just randomly sending sigkills are not because it doesn't get good coverage.
22:42 < gmaxwell> (and thats a test I've already done)
22:42 < cfields> gmaxwell: in any case, if it's important enough to you, i have dozens of small arm dev boards here that i'd be happy to setup for automation
22:42 < gmaxwell> e.g. 99% of the time you kill it doing nothing.
22:43 < cfields> though iirc you mentioned you have them at your disposal as well recently
22:43 < gmaxwell> yea, I have a couple pandaboards. that I mostly use for continuous integration testing for code stuff, (e.g. arm simd)
22:44 < cfields> oh, right, i forgot to wtf you on that
22:44 < cfields> you build natively on those things?!
22:46 < gmaxwell> cfields: sure, on codec stuff the compile time is insubstantial compared to the actual tests.
22:46 < gmaxwell> and if something breaks self hosting is much easier to work with than using a remote debugger.
22:46 < cfields> interesting
22:47 < gmaxwell> I wouldn't want to work with bitcoin on them in that way... just because bitcoin takes a long time to compile (though, as you noted I did indeed compile bitcoin on one of them the other day)
22:47 < cfields> i guess i've gotten so used to remote debugging that the idea of debugging on embedded would never enter my mind
22:48 < cfields> though i suppose that really doesn't make much sense, considering their speeds these days
22:48 < cfields> "back in my day..." and all that :)
22:52 < gmaxwell> yea indeed, well I was there too at one point.. but when I started dealing with dual core 1ghz embedded devices...
22:53 < cfields> one of my first embedded projects was porting xbmc (and its ~50 dependencies) to a 400mhz mips SOC
22:54 < cfields> unfortunately, i think that mentality has stuck with me
23:07 < warren> cfields: did you submit the memory barrier thing anywhere?
23:07 < warren> cfields: given that it isn't wrong and it seems to have done something, perhaps more eyes ...
23:10 < cfields> warren: heh, it must be torture inside your head :)
23:12 < cfields> doing now
23:27 < cfields> warren: https://code.google.com/p/leveldb/issues/detail?id=218
23:34 < warren> cfields: thank you
--- Log closed Thu Nov 28 00:00:00 2013
--- Log opened Thu Nov 28 00:00:00 2013
--- Day changed Thu Nov 28 2013
05:52 < gmaxwell> nice numbers on my display here: high: 1100.00      low: 1001.00
06:01 < TD> amazing
06:01 < TD> heh. someone sent me a fee-less transaction yesterday. it took about 22 hours to confirm. seems like that's the normal waiting period at the moment.
06:02 < TD> for low-pri transactions (it was a return to sender kind of thing)
06:15 < Luke-Jr> sounds reasonable
06:16 < gwillen> I've been telling people "typically not more than a day", although I imagine that won't stay true forever
06:21  * TD remembers when all transactions were free and confirmed immediately
06:22 < warren> and unicorns were $2.99/lb
06:23 < TD> more evidence bitcoin is taking off in china - the number of emails i'm getting in broken english from chinese people with questions or who are trying to use bitcoinj, up infinity%
06:23 < gmaxwell> ::shrugs:: I did a zero fee transaction last week that confirmed in under two minutes.
06:23 < TD> yeah. priority is a good thing.
07:44 < warren> http://www.coinchoose.com/charts.php
07:44 < warren> what the heck is QRK
07:45 < _ingsoc> That's "Quark Coin", whatever the heck that is.
07:45 < gmaxwell> I would guess something called "quark"
07:46 < _ingsoc> "Quark Coins are based on the original idea of Bitcoin but improved, more secure, with improvements to design and security."
07:46 < _ingsoc> Where have I heard that before? :/
07:47 < gmaxwell> apparently "more secure" means some @#$@ed up homebrew pow function
07:48 < gmaxwell> ... with 30 second blocks.
07:48 < gmaxwell> so they have a really slow custom pow, and really fast blocks.
07:48 < gmaxwell> and they call this more secure.
07:48 < _ingsoc> And bad grammar, don't forget the grammar!
07:49 < gmaxwell> and ... seem to have no source code?
07:49 < _ingsoc> That's too complicated for the users!
07:49 < gmaxwell> oh there it is.
07:49 < Emcy> legit question, how many 3 letter contractions can there be
07:49 < gmaxwell> almost as hard as finding the bitcoin source. :P
07:49 < Emcy> and can we hope that the tide of altcoins will recede after theyre all taken
07:49 < gmaxwell> lots once you use greek
07:50 < _ingsoc> Soon we will move to a new suffix, like how Zerocoin will be Zerocash.
07:50 < _ingsoc> Wait, that won't change anything.
07:50 < Emcy> gmaxwell fratcoin?
07:50 < Emcy> by bros for bros
07:51 < _ingsoc> Max Keiser said someone should make Keisercoin.
07:51 < _ingsoc> Watch it happen.
07:51 < Emcy> cosbycoin happened
07:51 < gmaxwell> _ingsoc: oh, have they actually made public the zerocash name?
07:51 < _ingsoc> He only said they're thinking about calling it that.
07:51 < _ingsoc> Does he have beef with you guys somehow?
07:52 < gmaxwell> Who?
07:52 < _ingsoc> Matt Green.
07:53 < Emcy> no one exactly shitted on zerocoin v1 did they
07:53 < gmaxwell> Not as far as I know, I had a pleasant conversation with him. He asked me if I'd be willing to work on his thing, I told him I would, after chatting a bit. He said he'd send the paper, hasn't done so.
07:54 < _ingsoc> How do I talk you into something like that?
07:54 < gmaxwell> then he started posting tweeting bragging about it, which I found a little .. unfortunate, because I don't think he's being completely frank about the tradeoffs involved, but I feel a little hand tied because I don't want to go blabbing the details of their system.
07:54 < _ingsoc> Do I need to go get a professorship and a Twitter account? :(
07:56 < gmaxwell> _ingsoc: well, as I said before, I don't think most of the alt ideas are actually interesting. The zero cash stuff is, well, except for some of the limitations. But ignoring them it's a material improvement over what we have in bitcoin.
07:57 < _ingsoc> That's fair enough. In any case, your efforts are very much needed on Bitcoin specifically.
07:57 < gmaxwell> well because of some of the limitations I don't expect the zerocash alt to actually be a long term success, but it would be a useful science project.
07:58 < _ingsoc> There are so many interesting ideas to explore, and it's a pity we can't find more people to do it. The money is there, even though you guys demand a pretty penny nowadays. You just need the right model and you'll attract lots of new people.
07:59 < Emcy> perhaps he thinks the best way to get it implemented in bitcoin is via external market pressure
07:59 < Emcy> rather than try and wade thru the internal politics
08:01 < Emcy> assuming he think s ZCv2 is good to go too, they were pretty triumphant about v1 and it was actually completely impractical right now
08:01 < gmaxwell> not only was ZCv1 impractical, but you see how quickly its being replaced by something much better.
08:05 < Emcy> yeah. If such efficiency gains as 98% as claimed were possible, i wonder why they announced the first time.
08:05 < Emcy> assuming its incremental and not some sort of huge re-innovation
13:10 < n0g> I told all my friends that I hang around the BTC devs.. *so proud*
13:10 < n0g> I love you guys.
13:10 < n0g> :D
13:10 < n0g> You make me a celebrity overnight..
13:10 < Einz> lol
13:10 < n0g> LOL
13:21 < jrmithdobbs> cfields: I used a one liner and run it. Stuffed service names in an array and used $RANDOM to decide which instance and which signal (stop, cont, term, kill, int) .. It's two lookup tables and sv ${sigtbl[$(($RANDOM % 5)) ]} ${svtable[$(($RANDOM % 6))]} in a sleep $(($RANDOM % 90)) loop
13:22 < jrmithdobbs> cfields: It's zero work using the right tools. ;p
13:23 < jrmithdobbs> If you don't like the lcw/mcw (I forget which bash uses) provided by random you can $(myfunc_that_printfs_dev_random)
13:28 < jrmithdobbs> cfields: Like gmaxwell said though, such tests don't give good coverage/repeatability even when there's a known issue that test will eventually trigger ...
--- Log closed Fri Nov 29 00:00:17 2013
--- Log opened Fri Nov 29 00:00:17 2013
16:34 < TD> one of the guys who worked on it said that people associated with the NSA kept making suggestions during the spec process that sounded reasonable to non-experts, but actually broke the security
16:36 < petertodd> TD: it's a good thing we've never ran into that problem with Bitcoin
16:37 < jrmithdobbs> gmaxwell: we don't know for sure but we know they're actively targeting specs now why wouldn't they have been 15-30 years ago while the others were written? Who's to say we haven't ignored some of their infiltration as simple mistakes/advancements on the state of the art
16:38 < gmaxwell> TD: hard to know for sure, since even honest experts make suggestions with bad security here and there.
16:38 < maaku> petertodd: that we know of
16:38 < jgarzik> anybody gonna be in DC next week?
16:38 < TD> yeah i dunno what to make of the ipsec allegation
16:38  * jgarzik decided to attend, on short notice
16:39 < TD> you'll watch live?
16:39 < petertodd> jrmithdobbs: the NSA aren't omniscient, even they probably don't know how to write useful backdoors into a lot of the core algorithms due to constraints on the math; I understand that no-one has ever come up with a plausibly backdoored hash function with the same type of construction as SHA256 for instance.
16:39 < jrmithdobbs> TD: the ipsec allegations are plausible but don't matter, we know it's broken by design ("we" being anyone familiar with the crypto who has actually tried to implement it) for a while now
16:39 < TD> i don't know much about ipsec so i'll take your word for it
16:39 < jgarzik> TD, dunno :)  If it's not open to the public, that's the only alternative.
16:40 < petertodd> maaku: those merkle mountain ranges even sound dangerous
16:40 < jrmithdobbs> TD: the interesting question is was its design broken by infiltration of the process or by the fact that its process was design by committee in the first place? ;p
16:40 < gmaxwell> jrmithdobbs: there are a lot of IETF protocols that are uselessly complex. Some of them get implemented nonetheless (e.g. SIP)
16:40 < TD> i'm not a big fan of designing specifications by committee
16:40 < jrmithdobbs> me either
16:40 < TD> but then again designed by individual doesn't always work either
16:41 < jrmithdobbs> and tls and ipsec are the best examples of it failing
16:41 < TD> e.g. jabber "xml is fashionable let's use that"
16:41 < TD> tls wasn't designed by committee, right. it's basically SSL which was designed by a few guys at netscape
16:41 < jrmithdobbs> which is why i said tls not ssl
16:41 < jrmithdobbs> the extensions were all by committee
16:41 < TD> ah ok
16:42 < TD> gavinandresen has some fun stories about when he worked on standardising VRML
16:42 < gmaxwell> TD: most IETF documents are the work of one or two authors. E.g. in the case of jabber the thing was dropped half way fully formed (including the trendy XML) right on the IETFs doorstep.  IETF generally works more like peer-review than a design committee.
16:42  * TD remembers the 3D shark vrml demo
16:42 < Luke-Jr> gavinandresen is to blame for VRML?
16:42 < TD> yeah sure, jabber started as jeremie millers pet project and went from there
16:43 < maaku> I'd much rather someone here take a few months to design IPSec-done-right, we implement it, use it, and standardize after the fact
16:43 < jrmithdobbs> and now it's jeremie millers' pet project as deployed by google
16:43 < jrmithdobbs> basically
16:43 < jrmithdobbs> ;p
16:43 < TD> it did pretty well yeah
16:43 < jrmithdobbs> (bleh xmpp)
16:43 < TD> maaku: what does done right mean?
16:43 < Luke-Jr> XMPP is better than the alternatives, at least.
16:44 < maaku> TD: secure by default, easy to understand and use, hard to get wrong
16:44 < petertodd> maaku: secure against what type of attacker?
16:44 < gmaxwell> maaku: there have been a bunch of proposals, but really done right is not the right objective. The right way of doing it doesn't work because it doesn't get past the enormous installed base of nats and firewalls.
16:44 < jrmithdobbs> maaku: the problem with ipsec is it tries to solve 10 different problems and ends up doing so very poorly because of it
16:45 < gmaxwell> maaku: personally I'm a fan of TCPcrypt: http://tcpcrypt.org/  (though I wish it were using curve25519)
16:45 < jrmithdobbs> we have replacements for each individual component of ipsec ... just not at the transport layer
16:45 < jrmithdobbs> where it would be, you know, useful
16:45 < maaku> cool i didn't know about tcpcrypt
16:46 < jrmithdobbs> gmaxwell: what is that *curve one someone released recently that's similar to sctp (iirc)
16:46 < jrmithdobbs> based loosely on the dnscurve work iirc
16:47 < jrmithdobbs> curvecp!
16:48 < Luke-Jr> gmaxwell: isn't it builtin to IPv6 already?
16:48 < jrmithdobbs> there was a revision or alteration of it by someone else more recently (maybe @tarcieri) but I can't find the name/project i'm thinking of specifically
16:48 < gmaxwell> Luke-Jr: "lol"
16:48 < petertodd> Luke-Jr: nope
16:50 < phantomcircuit> iirc ipsec is required of ipv6 but nobody is actually implementing it that way
16:50 < TD> yeah stuff like tcpcrypt is great
16:50 < TD> i think that's the right approach
16:50 < phantomcircuit> also ipsec is crazy complicated
16:50 < jrmithdobbs> ipsec is worthless
16:50 < TD> the shared secret thing is interesting
16:50 < jrmithdobbs> (says probably the only person in the country that had a working transport mesh network setup in his house for the longest time)
16:51 < phantomcircuit> jrmithdobbs, i tried to setup ipsec between two boxes on my lan once and it just refused to work
16:51 < jrmithdobbs> phantomcircuit: see above, i got it working
16:51 < TD> it seems to be a dead project though? last change was 2 years ago
16:51 < jrmithdobbs> phantomcircuit: i even got it working WELL and CORRECTLY but it wasn't worth the effort.
16:52 < jrmithdobbs> phantomcircuit: it's convoluted and you actually have to understand both the spec and the underlying primitives, in some cases, to have a shot in hell of even figuring out why it's not working, let alone fixing it =/
16:52 < phantomcircuit> which of course 99.99% of sysadmins wont do
16:53 < phantomcircuit> and 99.999999% of people wont
16:53 < jrmithdobbs> phantomcircuit: right, and that's without even going into the fun subtle differences between different spec versions of the major components (eg, isakmp vs ikev2)
16:54 < jrmithdobbs> phantomcircuit: and then on top of that you can have problems between different implementations that implement the same spec versions and primitives just because of how the spec is so convoluted and unspecific
16:54 < jrmithdobbs> fuck ipsec.
17:02 < phantomcircuit> jrmithdobbs, that was my distinct impression
17:02 < phantomcircuit> jrmithdobbs, so NSA subversion or just normal design by commitee
18:11 < adam3us> https://twitter.com/DataTranslator/status/401410639354019840
18:11 < adam3us> yifu responds "@adam3us see http://www.coindesk.com/bitcoin-tracking-proposal-divides-bitcoin-community/ Coin Validation is not trying to police Bitcoin or bitcoins."
18:12 < adam3us> ho hum... no but they are hoping their customers will and that it will be viral, and as a side effect will kill fungibility
18:14 < gmaxwell> adam3us: yea, I don't get the people fixating on government imposition in general, as if badness can only be emitted by governments.
18:14 < gmaxwell> People seem to not think that businesses enforcing it out of paranoia and cargoculting good practices would be somehow better.
18:15 < adam3us> the verified-by-visa of the bitcoin world
18:17 < MC1984> gmaxwell that stems from fear of govt action
18:18 < MC1984> people think maybe if they make a good show of it perhaps the govt wont steamroll in with regulation
18:18 < MC1984> maybe thats right
18:19 < gmaxwell> MC1984: in some cases e.g. even with no fear of government action you can happily throw away a couple percent of 'likely troublemakers' for pure business reasons, but regardless not directly.
18:19 < adam3us> MC1984: well like i said, they just need to issue AML/KYC certs for cases where its needed <eom> why would they want to kill fungibility
18:19 < MC1984> but its like locking your keys in the house so that you dont lose them
18:19 < phantomcircuit> gmaxwell, or like 20%
18:19 < phantomcircuit> (or 90+% like i currently do)
18:19 < MC1984> you cant troublemake with bitcoin though, from the view of a merchant
18:20 < MC1984> why would most of them care where coins come from
18:20 < phantomcircuit> MC1984, oh boy is that not true
18:20 < MC1984> phantomcircuit assuming merchant has sane policies
18:20 < phantomcircuit> did you see the crazy lady saying im killing her dog?
18:20 < MC1984> nope
18:20 < phantomcircuit> just google patrick strateman
18:20 < adam3us> MC1984: they only would feel they need to care because of the existence of taint; if taint were fixed they would have no reason to even give it a second thought
18:21 < MC1984> "just google me"
18:21 < phantomcircuit> MC1984, it's literally the first result
18:22 < phantomcircuit> if i cared more i'd start giving reporters sensational comments to change that
18:22 < phantomcircuit> lol
18:22 < MC1984> yeah im just saying "just google me and all will be clear"
18:22 < MC1984> more like patrick bateman amirite
18:23 < gmaxwell> phantomcircuit: when that person was posting on the forum I thought they were threatening to kill your dog
18:23 < gmaxwell> because they were all "I know where you live and now the dog will die because you didn't give me money!!"
18:23 < phantomcircuit> gmaxwell, she has threatened to kill both me my mother and my dog
18:23 < phantomcircuit> ironically blaming me for killing her dog
18:24 < MC1984> which one of those links is the moneyshot
18:27 < MC1984> yeah thats weird, its like a whole narrative
18:28 < phantomcircuit> yeah
18:28 < phantomcircuit> the thing is
18:28 < phantomcircuit> i have literally no record of her ever
14:40 < gmaxwell> And this is important if we can't prevent the data from containing nasty stuff, okay well by the time anyone complains the data can be deleted from all computers _forever_. Thats protective of the system.
14:40 < petertodd> The problem is that there is absolutely nothing stopping a miner from changing their software to ignore that rule, for instance because some large pools got hacked and the attacker deleted the data and no-one feels like screwing up everything for that minor feature.
14:40 < petertodd> Whereas actual proof-of-possession proves that the miner really did have that data.
14:40 < petertodd> And proof-of-possession still lets you define a deletion period.
14:41 < gmaxwell> huh? It's the same as any other network rule (once deployed). Nodes will reject blocks that they didn't get the attached data for, until the block is well and buried.
14:42 < gmaxwell> petertodd: if you stuff the data into the output then the data can never be deleted. :(
14:42 < petertodd> No, unlike other network rules you *can't* verify that it was actually followed after the fact because the data doesn't exist anymore.
14:43 < gmaxwell> petertodd: you can verify it was followed _during the window_. So unless you hypothesize a >window reorg, you can't.
14:43 < petertodd> gmaxwell: I'm not saying stuff data into an output, I'm saying put a hash of the data in your specially marked output, provide it with relaying, *and* incorporate a proof-of-possession into the proof-of-work scheme.
14:43 < gmaxwell> okay okay whatever.
14:43 < gmaxwell> Look, good luck changing the proof of work. :P
14:43 < petertodd> gmaxwell: No you can't. Miners can agree to not follow it and you have no way of knowing. Where as with any other network rule the data is still there and you can verify it yourself.
14:44 < gmaxwell> petertodd: you won't accept their blocks for some huge gap indeed, this data has only SPV security past that gap. Thats the point.
14:44 < petertodd> gmaxwell: But you *are* talking about a soft-fork, and it's not a hard proof of work, just a "well my PoW spat out this nonce, and I'll quickly provide a merkle path picked randomly to prove I had the data"
14:45 < petertodd> gmaxwell: Yeah, that's kinda my point... you've created a system that can't have better than SPV security, while with the slight change of just adding a proof-of-possession it has full security.
14:45 < gmaxwell> These things aren't mutually exclusive either, if you want, your proof of possession just strengthens what I'm suggesting, but I don't think its needed.
14:45 < petertodd> Yes, it strengthens it from very weak SPV to something much stronger; why not take that trivial extra step if you are going to all that trouble?
14:45 < gmaxwell> adding proof of possession gums up deleted forever,
14:46 < petertodd> No it doesn't, those are just merkle paths and anyone interested can retain sufficient data so that they can verify the merkle paths.
14:46 < gmaxwell> because you need to forever store the possession proof which is smaller than the data (E.g. if its a cut and choose that only shows one item)
14:47 < gmaxwell> petertodd: no because then people didn't possess the data, they might have possessed H(data)
14:47 < petertodd> But that's it: you *don't* need to even store the item, or even the merkle path at all unless you want to prove your data was visible!
14:47 < gmaxwell> otherwise you could call the txn itself with the hash a proof of possession: you can't prove that they had more than the hash. :P
14:47 < petertodd> No, the algorithm is calculate H(nonce | data), and everyone other than those interested in the data stores nothing more than the tip of the merkle path.
14:48 < gmaxwell> for your PoP the proof that gets committed will have to include at least one of the data elements under proof or its not actually a PoP.
14:48 < gmaxwell> otherwise it's just SPV security. :P
14:48 < petertodd> But the thing is the only people who care that the data was actually visible, and need to prove that, are the people with the data! Everyone else *can* throw away the PoP's.
14:49 < gmaxwell> Okay, H(nonce|data) is interesting.
14:49 < petertodd> Remember, we're calculating H(nonce | data) for each bit of data (or a subset), making a merkle tree of that, and putting the digest in our block somewhere. We temporarily relay the PoP's, and then throw them out after n blocks.
14:49 < petertodd> People who need to prove visibility save those PoP's when they are being created, everyone else throws them away.
14:50 < gmaxwell> But I don't follow "Everyone else can throw away" if you make it part of block validation then everyone who wants to validate a block needs the data, otherwise they might accept an invalid one.
14:50 < petertodd> Right, but they only need to store it temporarily.
14:50 < petertodd> For the average miner of course they're just getting SPV security for the PoP validation... but they don't care!
14:51 < petertodd> (I mean, they're getting SPV security that PoP validation was done correctly *in the past* if they are synching up fresh and weren't mining in the past)
14:51 < gmaxwell> petertodd: so, lets say 99% of miners just have SPV security for the pop validation. And oops. some minority cheats them. What happens?
14:52 < gmaxwell> I'm still trying to grasp what PoP really provides over my rippable data with SPV security.  Both cases reduce to SPV security at some point or you're stuck keeping around data, right?
14:52 < petertodd> Nothing without fraud proofs, and because PoP's are relayed in full temporarily, you can be sure that the last, say, 144 blocks were done honestly.
14:53 < petertodd> The thing is my case reduces to SPV security for the people who don't care if the data was visible, your case reduces to SPV security for the people who need the security!
14:53 < gmaxwell> but you could also be sure that last 144 blocks were honest just by not accepting them without getting a copy of the rippable data.
14:53 < petertodd> Yes, but you have no way of proving that in the future.
14:54 < gmaxwell> Got it.
14:54 < gmaxwell> Cool.
14:54 < petertodd> Heh
14:55 < petertodd> ....we gotta start writing papers for this shit...
14:56 < gmaxwell> Fuck that, make it real. :P
14:56 < gmaxwell> In any case, now I'm trying to figure how how simply it could be implemented.
14:56 < petertodd> Yeah... actually I had a nice idea for a timestamping alt-chain that I should implement.
14:57 < petertodd> Though rippable data might be easier to implement...
14:57 < petertodd> I wish the scripting system was more sophisticated; you could write scripts that evaluate the proofs and pay miners for having made them directly.
14:57 < gmaxwell> I think that prior to today it hadn't been clear to me that a strong short term visibility proof was completely compatible with not-perpetual-storage.
14:58 < gmaxwell> But now we have a problem that some crap scheme that results in perpetual storage is realistically what is going to get deployed.
14:59 < petertodd> I've also been fleshing out a alt-coin with decentralized mining that depends a lot on proof-of-visibility so it's been on my mind.
14:59 < gmaxwell> because it's 100x easier than anything we discussed.
14:59 < petertodd> Yup, you can't win there.
15:00 < gmaxwell> so the question I have: is there a limited form of the trivial dumb way that won't preclude implementing something smarter later?
15:02 < petertodd> I'd say OP_RETURN is exactly that - you can always just use the UTXO proofs + sha256 midstates as your way of tossing the data when safe with a limited impact on long-term validation.
15:02 < gmaxwell> IIRC the order of the transaction isn't so helpful for midstate compression.
15:03 < petertodd> Yeah, because the txin's come first.
15:04 < petertodd> But other than one outpoint you can verify everything, and UTXO proofs themselves will eventually offer an alternative to the standard transaction merkle tree anyway.
15:05 < petertodd> Once it's a hard rule I'd say that's just as good proof as anything else.
15:06 < gmaxwell> this sounds like a reason to restrict the OP_RETURN to be the last txout though.
15:06 < petertodd> No, restrict it to the first txout.
15:07 < petertodd> Although a sane UTXO proof system will make a merkle tree within the transaction itself, IE hashing txins and txouts.
15:07 < gmaxwell> right yea, I'd proposed making the transactions a Merkle tree like a year ago to make it easier to subset the 2#$#@ data.
15:08 < petertodd> PoW is always energy anyway, so you just need to store the parts of blocks you need to prove + UTXO proof stuff + block header and verify that. After a year or two that's a year's worth of PoW - pretty damn good confidence.
15:08 < gmaxwell> petertodd: hm. putting it first doesn't help because you can't even check the signatures anymore. :(
15:08 < petertodd> From an energy point of view the last 3 months of PoW mean as much as the other 4 years.
15:09 < gmaxwell> petertodd: sure though at some point we'll reach an equilibrium
15:10 < petertodd> Right, but you can even stuff your data in the scriptSig if you hash it so that it's authenticated. Though the signatures of the first txout are still meaningless.
15:10 < petertodd> An equilibrium sure, but the point is you can have very good security by just waiting for the PoW to build up.
15:46 < adam3us> maybe i missed the very beginning of this topic but whats the motivation for proof of possession?
15:47 < adam3us> (I am inferring a proof of possession of a preimage of the hash stuffed into the block chain - but why, what do you use it for, what could you build on it?)
15:51 < Luke-Jr> adam3us: you prove it's a hash
15:51 < Luke-Jr> adam3us: ie, you're not spamming data
15:51 < adam3us> ok so to stop people stuffing up the blockchain with stupid stuff that doesnt belong is the motivation?  that sounds like a good idea
13:53 < petertodd> nsh: anyway, the dark wallet guys are interested in doing it, but no specific timeline - cj is much higher priority, as is openpgp stuff for payment protocol/payment protocol-like stuff
13:53 < maaku> ok wizards, I'm trying to decide if the forward-diff, reverse-diff or both should be checkpointed in the utxo validation index proposal
13:54 < maaku> in addition to the committed root hash
13:54 < TD> grrrr. this time the irc app crashed
13:54 < TD> sigh
13:54 < petertodd> maaku: explain?
13:55 <@gmaxwell> nsh: I don't think anyone is using characteristic 2 for pairing, at least not in the open world... everything is using the 254 bit BN curve, which is on a prime field.
13:56 < maaku> my diff I mean what I called an "operational proof" in the previous BIP - a list of key,value pairs to insert/update, a list to delete, and paths through the merkle structures to accomplish that
13:56 < maaku> a forward-diff would take you from prevBlock to currentBlock (e.g. summarize the effect the block has on the index structure)
13:57 < maaku> a reverse diff is an undo block : take you from the current block to the previous block
13:57 < maaku> it should be possible to turn a forward diff into a reverse diff and vice versa
13:57 < nsh> gmaxwell, right. i think it's much closer to a curiosity than a catastrophe for the foreseeable future. but i don't know the math at all, so can't guess at the likelihood of eventual generalization of the technique
13:57 < maaku> since you have both the information being added (explicitly) and the information being removed (from the path)
13:58 < petertodd> maaku: so what's the use-case for those deltas?
13:58 < maaku> petertodd: well, a reverse delta could be used to recover from a reorg during pruned operation
13:59 < maaku> but beyond that, that's why I'm asking :)
13:59 <@gmaxwell> nsh: it's only like the Nth attack on characteristic 2 things, so I don't think any engineering-cryptographers (as opposed to theoretical-cryptographers) are the least bit excited by it.
13:59 < petertodd> maaku: but why does that need to be committed?
13:59 < petertodd> maaku: having explicit committed deltas would also make proving fraud even more complex, because now the deltas themselves may be fraudulent
14:01 < nsh> gmaxwell, the paper mentions "medium" characteristic too so perhaps there's some ground being made. dunno
14:01 < maaku> petertodd: a delta would give you a listing of the inputs spent just in that block though
14:01 < maaku> i know that's something you've advocated - is it still relevant if there is a committed validation index?
14:01 < nsh> medium appears to mean "3" though
14:02 < nsh> in which case practical applications should properly be described as employing fields of "unfathomable" characteristic :)
14:02 < petertodd> maaku: ah, good point. :) of course, I advocated *just* having the deltas
14:03 < petertodd> maaku: see, for a wallet syncing txs, they want to know two things: a new txout exists relevant to them, and a txout was spent that they owned
14:03 < maaku> another point is storageless mining / validation - the delta (forward in this case) provides the information you need to update mempool proofs
14:03 < petertodd> maaku: so if you only have deltas, you want both. if you have utxo + deltas, then you only need the "was spent" delta, the "is new utxo" is provided by the utxo set commitment
14:04 < petertodd> maaku: for memoryless operation you don't need to commit the forward delta: you provide it to update the UTXO set, and the fact that the forward delta applied to the existing UTXO set results in the new set is the proof
14:06 < maaku> which is what the forward delta is - it contains the relevant portions of the utxo set
14:07 < petertodd> maaku: yes, but my point is there is no reason to commit it
14:07 <@gmaxwell> nsh: I mean, ec with highly composite fields is subject to index calculus and is known insecure forever. People use "unfathomable" characteristic now in practice (this isn't to say that there aren't commercial characteristic 2 systems, there probably are
14:07 < petertodd> maaku: committing it just fixes the way it's designed in stone
14:08 < petertodd> maaku: and come to think of it, the same argument applies to the reverse delta: you're better off just proving to SPV clients that the UTXO still exists in the set for every block when it comes to showing them their utxo wasn't spent
14:08  * nsh nods
14:08 < petertodd> maaku: there's some size trade-offs here, but the difference isn't much and I'm very hesitant to make things more complex for a minor decrease in bandwidth
14:10 < maaku> petertodd: what about truly storageless nodes (which just keep the current merkle root + mempool + some temporary space for proof processing)?
14:10 < maaku> my thought was that by committing the reverse delta they can work backwards
14:10 < petertodd> maaku: again, there's no need to commit the deltas
14:11 < petertodd> maaku: they know the deltas are valid by the fact that the UTXO root matches after the deltas are applied
14:12 < maaku> ah, so I can just query the network "what's the delta from A to B?" and verify what I get back
14:12 < maaku> ok
14:13 < petertodd> yup
14:13 < petertodd> which means if we figure out a better way to describe the deltas, we can change that without a fork
14:13 < maaku> ok i had some fuzzy thinking - i was thinking they would query for proofs by hash (of the delta itself)
14:13 < maaku> but that's silly
14:15 < maaku> on another note, I had a complex mechanism for structuring the final txout of the coinbase transaction, but I don't think that's necessary
14:15 < nsh> mathematically, is there likely to be a "canonical" way of describing the difference in the utxo set structure? (modulo some symmetries that are orthogonal to security/accounting)
14:15 < maaku> here's an easy rule: if last txout starts with OP_RETURN, concat the remainder of the script with the coinbase string
14:17 < maaku> nsh: it's a weird question. there are arbitrary choices and tradeoffs made in choosing/designing a Merkle structure
14:17 < maaku> but it's definitely a requirement that there exist a canonical form of that structure
14:17 < nsh> well, many of those choices will be fork-constrained, i'd imagine
14:18 < maaku> fork constrained?
14:18 < petertodd> maaku: whats the op-ret rule for?
14:19 < maaku> petertodd: you start stuffing Merkle roots in the coinbase string and you quickly run out of room and/or crowd out other uses
14:19 < petertodd> maaku: right, but, how does that rule help?
14:19 < maaku> and changing the size of the coinbase string is a hard-fork ... so overflow to the last txout
14:19 < maaku> also, allows midstate compression
14:19 < nsh> nm, i gtg sociability :) merriment to ye all
14:20 < maaku> nsh: happy holidays
14:20 < petertodd> maaku: the only thing in the coinbase that's consensus right now is the height, so I'd be inclined to leave that situation the way it is rather than add even more complexity
14:20 < petertodd> nsh: later
14:21 < maaku> nsh: when you come back, there's a long debate in the UBC thread about what structure to use for the index
14:21 < maaku> prefix trees were chosen because anyone could reconstruct the canonical structure without knowing the entire spend history
14:22 < petertodd> right, but with needing to know the entire UTXO set, and with the disadvantage that adding anything to the set requires having to have the entire set
14:22 < petertodd> (though you can outsource the storage to others)
14:23 < maaku> petertodd: in a series of bips I will be proposing committing three 256-bit hashes (validation index, wallet index, arbitrary data commitment)
14:23 < petertodd> maaku: what's the validation and wallet indexes exactly?
14:23 < maaku> validation is txid -> CCoins
14:24 < maaku> wallet index is what I've been calling the address index: txid:n -> unspent txout
14:25 < maaku> sorry, scriptPubKey:txid:n -> unspent output
14:26 < maaku> i find it easier to explain to muggles if I call them based on what they are used for: txid keyed index for blockchain validation, scriptPubKey:txid:n index for lightweight wallet apps
14:26 < petertodd> maaku: suggestion: explain in detail how some examples of compact proofs could be made for various frauds
14:26 < maaku> petertodd: will do
14:26 < petertodd> maaku: being able to prove fraud compactly is a huge use-case for all this stuff
14:27 < petertodd> maaku: for instance you do need a merkle-sum-tree in there for txin/txout values
14:28 < maaku> petertodd: yes, both indices have nValue summation in the "extra" field
14:28 < petertodd> maaku: and while a bit less efficient, I'd be very inclined to ensure that tree must be distributed as part of some other use-case so we don't get into a situation where nodes stop passing it around
14:28 < petertodd> maaku: good
14:29 < petertodd> maaku: also, it should be easy to prove part of a transaction exists, IE, I shouldn't need the whole tx to just prove a single txout existed in it
14:30 < petertodd> maaku: now I guess  scriptPubKey:txid:n -> unspent output works for that, but there needs to be something similar for the scriptSig case too - txid -> CCoins would probably better be txid -> merkle tree of txins + merkle tree of txouts
14:30 < maaku> petertodd: can you elaborate? I'm using a modified version of sipa's CCoins data structure which is basically metadata + compressed unspent outputs
14:31 < maaku> i see
14:31 < petertodd> maaku: suppose I have a 100KB transaction, can I prove it had a txout with a specific form without providing the whole transaction?
14:32 < petertodd> maaku: that txid tree is the perfect place to sum fees too: sum all transaction inputs and outputs, sum that, then sum all tx fees
14:32 < maaku> yes you'd only be providing the compressed outputs (33 bytes * number of unspent outputs, if they are standard form, plus a few bytes metadata)
10:39 < gigavps> my pool caps at 600k with 150k minimum
10:39 < Emcy> why 600
10:40 < gigavps> completely arbitrary
10:41 < gigavps> it was at 350k before, and we rarely create blocks that large
10:41 < gigavps> because of the recent ramp up of the network hashrate and tailing difficulty
10:42 < Emcy> see I'd have thought most miners are actually pools where the node is in hosting of at least 100mbit
10:43 < Emcy> so surely just pumping out 1mb blocks wont make relatively jack shit difference to orphan rate
10:43 < Emcy> specifically orphan rate due to fat blocks, instead of normal orphan rate due to sods law
10:43 < Emcy> if such a thing can even be measured
10:47 < jgarzik_> You don't just push out the block once, if you are a miner creating one
10:48 < Emcy> well really how many uploads does it take to seed into the network
10:49 < gigavps> Emcy jgarzik is saying that you push the block to every node you are connected to. so if you are connected to 125 nodes, then it is 125 * blocksize
10:49 < Emcy> maybe 3 or 4 to diverse subnets until it floods nicely?
10:49 < Emcy> how many sockets does a pool node usually have
10:51 < gigavps> Emcy we have many pool nodes
10:52 < Emcy> ok say top ten pools youre pushing to
10:52 < Emcy> thats just over a second even at the minimum of 100mbit right
10:58 < Emcy> oh theres something on the list about someone got some actual metrics about it. and im here on irc pulling numbers out of my ass
10:58 < Luke-Jr> gigavps: coming to the meetup?
10:58 < gigavps> what meetup?
10:58 < Luke-Jr> gigavps: same as last year, but in Brooksville!
10:59 < gigavps> probably won't make it, have a lot going on
11:00 < Luke-Jr> aww
11:00 < Luke-Jr> if you leave now you might make it in time!
11:00 < Luke-Jr> <.<
11:01 < gigavps> ahhh
11:01 < gigavps> thanks for letting me know
11:01 < Luke-Jr> XD
11:01 < Luke-Jr> next year we'll have to plan more in advance
11:06 < Luke-Jr> looks like forrestv is MIA anyway
11:53 < cfields> Ryan52: ping
12:30 < Ryan52> cfields: pong
18:22 < gmaxwell> Did I kill the thread here, or what? https://bitcointalk.org/index.php?topic=346008.0
18:25 < gmaxwell> maaku: when you get a chance, please help me understand how you think we can MMR a spent token database. I'm not getting it.
18:25 < gmaxwell> mmring a unspent token database is easy, because its naturally append only.
18:26 < maaku> it isn't append-only like peter's MMR
18:26 < maaku> it's an ordered tree of spent tokens
18:27 < gmaxwell> oh and you know your token ID in advance, so you know what part of the tree you need to maintain a proof for, even before you spend?
18:27 < maaku> to insert, you provide the path to where the spent token would go (demonstrating that the token has not been used)
18:27 < maaku> -- yes
18:28 < maaku> so you watch spends as they go by and update accordingly
18:28 < gmaxwell> Sorry, I don't know why that wasn't obvious to me 10 minutes ago. I've got it now.
18:28 < gmaxwell> Yea, that would work. Okay we really can outsource all these costs.
18:29 < gmaxwell> though we can't shrink the tree, any such system is going to have to be able to cope with a potentially very tall tree. (to some extent thats okay, the ZKP stuff really wants you to set the circuit execution time in advance)
18:31 < gmaxwell> The unspent token side has the nice property that its truly append only and write once, so tracking the proofs is really cheap. Alas we can't get that for the other side.
18:34 < maaku> yeah
18:35 < maaku> There is some small messiness, namely that proofs have to be updated for *every* spend in the series (although, 50% of the time it only requires modifying the top level, 25% the top two levels, etc.)
18:35 < gmaxwell> Is there a way to privately start tracking the required proof up front that doesn't require having the whole spent tree?
18:36 < maaku> Miners would have to do that themselves if there is more than one spend in a block.
18:36 < gmaxwell> maaku: I don't think so: I think you could accept a ... right I was about to say that.
18:37 < maaku> Still thinking about your question.
18:37 < maaku> In general, no, I think you would need to replay history
18:38 < maaku> Or otherwise have access to a whole tree
18:38 < maaku> This successfully moves work out of the validator, but is less than ideal in other respects :\
18:39 < gmaxwell> yea, okay, well thats alright, we basically get back to the MMR argument: there is now an economic incentive for people to keep the whole tree: people can show up and say "here is a transaction, and oh it pays you, but its proof is incomplete. Can you help?"
18:39 < maaku> Yeah.
18:39 < gmaxwell> and if you're worried about getting extorted in the future: keep your own copy of the data.
18:39 < gmaxwell> and it means we can pay people to run archive nodes.
18:40 < gmaxwell> and if you only recover the proof right at spent time there is no loss of anonymity.
18:40 < maaku> I can think of some very dumb ways to avoid that which people will undoubtedly do and get themselves in trouble
18:40 < maaku> E.g, choose a secret within a range exposed by a recently seen proof, and start updating from there
18:41 < gmaxwell> well, if your token id is required to be the output of a hash function thats a bit hard.
18:41 < maaku> Ah that's true
18:42 < gmaxwell> I'm imagining a system where your "token"  is actually  sha256(scriptPubkey),coinvalue
18:42 < gmaxwell> e.g. basically a bare p2sh utxo.
18:44 < maaku> Might as well even do that directly: ripemd160(sha256(scriptPubkey)), coinvalue, (4 bytes for something else?)
18:46 < gmaxwell> well maybe, in thinking about improved systems, I think at some point we should probably go to 256 bit security.   Also the size of the unblinded coin isn't important for communicating to someone who wants to pay you, the only time its seen is on spend.
18:47 < maaku> 256-bit security as in 512 bit key/hash sizes?
18:47 < gmaxwell> maaku: well 256 bit security against second preimages. (which only requires a 256 bit output, so long as the hash's state space is large enough)
18:49 < maaku> Not against that in general, but the rest of the system is only 128-bit security, right? Are you in favor of increasing the security bits of the rest of bitcoin too (if possible)?
18:52 < gmaxwell> maaku: well you can more easily change the other things. E.g. adding another checksig operator is easy.
18:52 < gmaxwell> and non-hardforking.
18:59 < petertodd> maaku, gmaxwell: sounds very much like my TXIN commitment thought experiment - I simply incentivized miners to hold the relevant data by defining mining as some PoW on that data
18:59 < petertodd> maaku, gmaxwell: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
19:00 < gmaxwell> I don't even see a reason to incentivize miners to hold it.
19:00 < petertodd> gmaxwell: me neither, just incentivize someone too in such a way that there can never be incentives to withhold
19:01 < petertodd> gmaxwell: though you need to be very careful to ensure that the system can recover if some of the data gets lost
19:02 < petertodd> Note how bitcoin recovers from blockchain data getting lost: this causes a fork which is overtaken sooner or later.
19:03 < maaku> petertodd: you mean permanently, 100% globally lost?
19:04 < maaku> how does bitcoin recover from that?
19:04 < maaku> -- oh wait, i get it
19:04 < petertodd> maaku: lost from the public sphere yes
19:04 < maaku> the new "fork" starts from where the history was lost
19:04 < maaku> not from the current block
19:04 < gmaxwell> petertodd: well if you can get paid helping people complete their proofs, thats a pretty awesome incentive.
19:04 < gmaxwell> way better than mining, IMO
19:05 < petertodd> maaku: mainly I'm more worried that you can easily create systems that give people incentives to withhold data and just broadcast the PoW - bitcoin is way too close to being such a system itself
19:05 < petertodd> gmaxwell: yeah, although be careful it's not the main way to earn income in the scheme - that's a business that naturally centralizes so it must be independent from the PoW security of the system
20:11 < cfields> Ryan52: sorry, missed your pong earlier today
20:11 < cfields> Ryan52: was just curious if you got any further in reproducing the build
22:05 < gmaxwell> I laughed too much at this: http://www.smbc-comics.com/?id=3186#comic
22:15 < petertodd> gmaxwell: Meanwhile the mathematician: "Let I, the Iliad, be a spherical novel of unit radius..."
22:17 < petertodd> wait, no, a mathematician would generize to non-euclidian novels as well...
22:17 < petertodd> *generalize
22:17 < gmaxwell> I suppose an epic poem is isomorphic to a novel up to projection.
22:18 < petertodd> Right! and a "...enter a bar" joke is isomorphic to an epic poem! ah, good, we've reduced this one pretty quickly to something we already know.
22:44 < warren> "mcxNOW is shutting down for a period of time - "Withdraw all your coins before December 20th"
22:44 < warren> anyone surprised?
22:44 < warren> realsolid is very solid
23:10 < gmaxwell> very surprised.
23:10 < gmaxwell> that it wasn't "omg hax, oh look no coins"
23:14 < phantomcircuit> gmaxwell, that's a far more economically effective ploy
23:17 < pigeons> seems weird
23:20 < phantomcircuit> pigeons, what about it seems weird?
23:21 < pigeons> "i'm making money off you, i'm gonna stop now"
23:21 < phantomcircuit> pigeons, accounts that will be unclaimed before december 20th are almost certainly worth more than running it for decades
23:21 < pigeons> ah
23:22 < phantomcircuit> if i pulled that shit with intersango right now i'd be laughing all the way to the bank
23:22 < phantomcircuit> well actually i'd probably be laughing all the way to jail
23:22 < phantomcircuit> but nobody knows who he is
23:24 < gmaxwell> well, as I've lamented before, a friend of mine lost 20 BTC in the tradehill shutdown and hasn't yet been able to recover it
23:24 < gmaxwell> At some point it'll be worth the lawsuit.
19:31 < petertodd> gmaxwell: right, although you could do a checksig that did bip32 with some kind of crazy 1-of-m multisig essentially, although at the cost of privacy
19:31 < gmaxwell> And they're planning on doing this with the ed25519 curve.
19:31 < gmaxwell> And I don't think they've yet realized that they won't be able to use the standard implementation
19:31 < jtimon> separate issue, does what I said here make any sense? Is Flavien right? https://groups.google.com/d/msg/bitcoinx/Nq_8dkC3zqU/h_aqRA5A7TkJ
19:31 < gmaxwell> (I only realized this because I went and tried to implement ed25519 for bitcoin)
19:32 < gmaxwell> petertodd: BIP32 perhaps, but not the privacy purposes of it.
19:32 < gmaxwell> Or stealth addresses.
19:32 < gmaxwell> Which is basically the same usecase tor has.
19:32 < petertodd> gmaxwell: yup, although OTOH a merkle tree would do it, at the cost of size
19:32 < gmaxwell> (and incidentally, tor is working on a rigorous security proof for their derivation scheme, though last I checked they hadn't made much progress)
19:33 < gmaxwell> petertodd: not for privacy, I could see your hashroot was the same. :P
19:33 < petertodd> jtimon: it makes sense
19:34 < petertodd> gmaxwell: no, the hash root would be of n pubkeys, and if you could spend any one of them you can spend the txout. each pubkey is still bip32-style secure, although there is a 1 in 2^256 chance of not being able to spend the txout (or whatever the math is)
19:34 < jtimon> petertodd: thanks, so Flavien is wrong saying you can reuse an address to sign securely 100 times a day even if you don't care about privacy
19:35 < petertodd> jtimon: well, the bigger thing is that you should just have the definition of a valid ccoin txout be "whatever the issuer signs", with a separate merkle sum tree for auditing purposes
19:36 < petertodd> jtimon: your proof that your ccoin is valid just needs to be that the signature on the genesis txout was valid
19:36 < maaku> jtimon: the chance of choosing the same K value is exceedingly low ... unless you have a bad RNG, in which case it is exceedingly high
19:36 < gmaxwell> petertodd: oh god, you mean using lots of bip32 keys just to make sure you get one where the MSB is 1?
19:37 < petertodd> gmaxwell: yes! not that I ever said it was a good idea :P
19:37 < gmaxwell> petertodd: dear god, that idea ... so bad. ... must stab
19:37 < jtimon> petertodd, flavien is talking about "inflatable colored coins" in which the same address can be used to just issue more
19:37 < maaku> If you assume your RNG is good or use deterministic signatures, key reuse is not a problem (from that perspective only)
19:37 < petertodd> gmaxwell: pity you can't stab someone over the internet
19:37 < jtimon> so maaku says flavien is right...
19:37 < gmaxwell> I'm pretty sure there is an onion site for that.
19:37 < petertodd> jtimon: yes, which is a dumb idea, just use the signature to sign a message saying some arbitrary txout is colored
19:38 < maaku> but you still wouldn't want to tie it to an unchanging address anyway, for a multitude of other reasons
19:38 < maaku> jtimon: he is not factually incorrect when he says "Signing a billion transactions per second, it would still take you hundreds billion times the age of the universe before you have 1% chance of collision."
19:38 < maaku> (assuming perfect RNG or deterministic signatures)
19:39 < gmaxwell> petertodd: you ever hear about how the signature systems which are based on one-time-hash based signatures but allow ~infinite signatures work?
19:39 < maaku> but those are invalid assumptions for real-world cryptography
19:39 < petertodd> gmaxwell: of course, which is why I expected the idea to raise your blood pressure :P
19:40  * petertodd has been paid off by the NSA to kill gmaxwell via heart disease
19:40 < maaku> where with a bad RNG (or a reused seed value on a VM) it only takes two signatures to give up the key
19:44 < jtimon> maaku I was going to answer something like "thank you for the clarification, then addresses is still the right approach for inflatable basic CC, but since we have tokens in freimarkets for other reasons, they're still more convenient for re-issuance as well"
19:46 < maaku> jtimon: it's not just a matter of convenience. it lets you have more control over operational security, for example by having one key per signing server and local protections against K reuse
19:47 < maaku> which would protect you against spinning up two separate servers, who each sign separate messages with the same K value
19:47 < warren> petertodd: I knew it!
19:47 < maaku> (due to saved random state in the VM image and a lack of entropy)
19:47 < justanotheruser> Is bitmessage off topic here?
19:48 < maaku> justanotheruser: so long as it involves arcane spell
19:48 < maaku> s
19:48 < justanotheruser> ?
19:48 < jtimon> well the "one address" in colored coins could be a p2sh multisig or whatever, by convenience I also mean that more control
19:49 < maaku> jtimon: yes, but in the example I gave you need tokens because you need a new key every time you spin up a server, and eventually you run out
19:50 < jtimon> tokens allow you to change the p2sh; one address doesn't
19:50 < maaku> although if you had bip-32 in script...
19:50 < maaku> yes
19:50 < maaku> if you could do bip-32 derivation in script though, you could get by with a single address
19:51 < justanotheruser> Anyways, how well does bitmessage scale? Would it work with 10 million users?
19:51 < jtimon> not if you want to radically change the config
19:51 < maaku> yeah
19:52 < gmaxwell> justanotheruser: scaling is largely in terms of the anonymity set size.
19:53 < gmaxwell> justanotheruser: they kinda waved their hands at the streams stuff in their initial writeup though so the mechanisms needed to get people onto different streams is unde(rde)fined.
19:53 < justanotheruser> Nice use of parenthesis there. How is scaling in terms of the anonymity set size? Will the network break into sections or something?
19:54 < gmaxwell> justanotheruser: the idea is that the POW would increase to keep the datarate in a stream sane. And thus that would push people off onto other streams where the pow was lower (but the anonymity set smaller).
19:55 < petertodd> ...which is basically what sane people propose for consensus blockchains in general.
19:55 < justanotheruser> I see. And there is no in depth explanation for their streams?
19:55 < petertodd> it's just that how that'll actually work in bitmessage is a lot more obvious - no "oops I let a tx spend a bit of dust that didn't actually exist" problem
19:55 < petertodd> justanotheruser: not that I've seen
19:56 < gmaxwell> there is a stream setting on addresses, so the stream stuff is implemented but no 'fee intelligence' if you will.
19:56 < petertodd> justanotheruser: you can also do steams based on sharding H(addr) space (roughly speaking)
19:56 < gmaxwell> I think they don't quite have the incentives well aligned. they guy sending to you pays the pow for your choice of stream.
19:57 < gmaxwell> so, duh, yea, of course I'm going to pick stream 0.
19:57 < gmaxwell> let you suckers pay the cost of messaging me.
19:57 < petertodd> gmaxwell: yup, although another way to look at it, is the person messaging you is picking the size of the anonymity set they want *their* message to be in
19:57 < justanotheruser> Well there is an incentive to have someone message you right?
19:57 < justanotheruser> I mean to send a message
19:58 < justanotheruser> So if you don't agree on the stream then it wouldn't be sent
19:58 < petertodd> justanotheruser: yup, and stream would be part of addr
19:58 < gmaxwell> petertodd: well no the recipient picks the stream. Not the sender, and thats generally good because its the recipient's privacy that is trickier.
19:58 < gmaxwell> I think the incentive issue is probably not fatal, as justanotheruser says
 people want to recieve messages.
19:58 < gmaxwell> But it is interesting.
19:59 < petertodd> gmaxwell: right, but you can easily imagine a system where you have receivers listening to some fraction of the addr space by prefix, and senders get to pick how much of the prefix they match based on how much pow they spend
19:59 < petertodd> gmaxwell: limit bandwidth based competition for a given prefix specificity
20:00 < petertodd> gmaxwell: hilariously, that matches really well to what PoW algorithms actually do... but in the exact wrong way
20:01 < justanotheruser> How does the reduced anonymity affect the anonymity of coinjoins? Does it even matter?
20:01 < petertodd> justanotheruser: depends on how anonymous you want to be...
20:01 < gmaxwell> I don't know that it even matters. ... though I assume anyone would use bitmessage over tor.
20:03 < petertodd> justanotheruser: oh, you mean coinjoin over bitmessage? meh, bitmessage isn't a great message layer for cj anyway from a usability perspective
20:04 < gmaxwell> petertodd: there are no more suitable traffic analysis resistant privacy networks.
20:04 < justanotheruser> petertodd: Why not? I would think it is great, it just needs a layer on top of it to handle it
20:04 < petertodd> justanotheruser: needing a PoW to send a message is ugly vs. using fees for it
20:04 < petertodd> justanotheruser: and you can use fees to pay for it with the nLockTime trick
20:05 < justanotheruser> petertodd: I think gmaxwell's idea of using PoS is better.
20:05 < justanotheruser> People don't really want to pay double fees, one for the message and one for the coinjoin.
20:06 < petertodd> justanotheruser: you don't have to though, you make a nLockTime'd tx spending one input, and then respend it in the coinjoin
20:06 < petertodd> justanotheruser: either way you spend some tx fee, and you can arrange all of this such that the attacker doesn't learn much
20:06 < justanotheruser> petertodd: how would you determine the coinjoin tx without being able to communicate with the network first?
03:57 < warren> hence you charge more
03:58 < warren> it can spit out VM's for block explorers, *cointalk.org SMF, bribe form letter to <exchange>
03:58 < warren> make it very easy
03:58 < warren> programmatically create a shill army too
03:58 < warren> mechanical turk?
04:00 < sipa> [ ] Use less than 2 year old Butcoin source code {+.3 BTC}
04:00 < sipa> ehm... that actually is a typo, i meant Bitcoin
04:01 < BlueMatt> well if you dont pay it forks buttcoin instead
04:01 < gmaxwell> well buying and selling accounts on bitcointalk is permitted.
04:01 < gmaxwell> so you can even one-stop buy your shill army.
04:02 < warren> would you sell after-sale support?
04:02 < warren> 1 BTC/hour
04:02 < warren> NO WARRANTY
04:03 < sipa> [ ] Use doge-styled shill army posts
04:04 < sipa> actually, the opposite perhaps should cost money
04:04 < sipa> so we'll get easily recognizable dummy posts by default
04:06 < warren> http://aurawallet.com/ somehow this site causes chrome to use 100% of 4 cores. maybe I'm mining for them. =P
04:08 < midnightmagic> lol
04:12 < midnightmagic> it would be an excellent example of why scamcoins are pointless.  what a statement.
04:14 < warren> what's up with this Nxtcoin thing?  written in java.  entirely premined.
04:14 < _ingsoc> 100% PoS apparently. 71 people own all of it. Yup. :/
04:15 < _ingsoc> No mining! It's a winner.
04:15 < _ingsoc> They figured out to do what Bitcoin does and more with no mining necessary. I bet you're all feeling pretty dumb right now.
04:15 < gmaxwell> 100% PoS? does it suffer from the nothing-at-stake attack that PPC originally did then?
04:16 < gmaxwell> or is it a consensus that requires quadratic communication, requires all nodes with stake to be online, and is trivially jammed by any participant?
04:17 < warren> the PoA design sounded great in that regard, except after we realized it encourages banking cartels.
04:18 < gmaxwell> well, glad to hear that its something different.
04:18 < gmaxwell> "Nxt doesn
 aka predicates.  This simplifies and accelerates transaction processing.  Advanced features like multisig will be created on top of the core as 3rd party services."
04:18 < gmaxwell> hopefully '3rd party services' means something domain specific.
04:19 < warren> sounds like they will have centralized issuers like ripple
04:19 < warren> sounds very much like ripple
04:19 < warren> including the not open source part
04:19 < gmaxwell> yea, indeed not open source 0_o crazy
04:21 < _ingsoc> warren: That was my first thought too.
04:22 < gmaxwell> apparently it's currently being dossed and they are trying to train a "Neural net" to remove spam.
04:23 < _ingsoc> gmaxwell: Nxt?
04:23 < gmaxwell> yea, I can't find anything about how it works though.
04:23 < gmaxwell> apparently it's a blockchain, so that probably rules out it being a standard quadratic consensus.
04:23 < gmaxwell> which probably means it's vulnerable to the nothing at stake attacks.
04:27 < warren> I was thinking, would there be a way to cancel out the extra orphan risk of larger blocks
04:27 < gmaxwell> oh wow, this is partially the work of that Come-from-Beyond guy...
04:28 < warren> if the difficulty was fudged by some factor of the transactions (quantity, days destroyed, fees, or something)
04:28 < _ingsoc> gmaxwell: Has he done anything else?
04:28 < _ingsoc> That we know of.
04:29 < gmaxwell> beyond being a confused jerk on the forums?
04:29 < gmaxwell> what a bummer.
04:29 < gmaxwell> after seeing that I'd estimate less than 1% chance that it works.
04:30 < _ingsoc> xD
04:30 < gmaxwell> I guess that's part of why I didn't see it, I have him on ignore on the forum.
04:30 < gmaxwell> https://bitcointalk.org/index.php?topic=352286.msg3794431#msg3794431
04:31 < _ingsoc> Hahaha.
04:31 < _ingsoc> Do you know why he's on ignore?
04:31 < _ingsoc> Not to detract.
04:35 < gmaxwell> no idea, but it would be the same as anyone else nasty*ignorant > threshold.
04:35 < midnightmagic> but..  it's in java. who cares if he releases the code?
04:35 < _ingsoc> ^^
04:37 < gmaxwell> I don't agree. I don't personally like java, but it's currently the language I'd prefer any mediocre programmer use if I'm ever to run their software at all.
04:38 < midnightmagic> oh I just meant that unless he's running weird obfuscators it can be decompiled to fairly readable
04:38 < _ingsoc> I couldn't care less about all these coins. They should have the right to present their ideas and get the support if people want to. I just wish it wasn't so damn sketchy. How many people now have just taken money or made absurd promises? Countless people have been suckered into that type of belief system, and that sucks.
04:38 < _ingsoc> gmaxwell: Mediocre programmers should be roping people in. :/
04:38 < gmaxwell> uh.. nxtcoin addresses appear to be 20 base 10 digits... 66 bits? 0_o
04:39 < _ingsoc> shouldn't*
04:42 < gmaxwell> this thing is amazing.
04:42 < gmaxwell> it's like every bad idea multiplied into a swimming orgy of bad ideas.
04:43 < gmaxwell> it _forces_ you to use brainwallets.
04:43 < gmaxwell> and the addresses are ~20 base 10 digits, based on a kind of first bits system where the system remembers the first pubkey it's seen spend for any prefix and then always uses that pubkey.
04:44 < sipa> wait, parts are closed source?
04:45 < gmaxwell> sipa: it's all closed source except for some small parts they released.
04:45 < _ingsoc> Reasoning?
04:47 < gmaxwell> well it's an entirely premined coin.
04:47 < midnightmagic> so..  much..  development effort that could have been put to constructive use. :( gaw how disappointing.
04:47 < gmaxwell> it doesn't appear to actually be that much.
04:48 < sipa> "a single source file", "no comments"... these guys are satoshi reborn!
04:48 < _ingsoc> Hahaha.
04:49 < maaku> _ingsoc: the problem is that ignorant people with money to invest actually find these things more credible than real projects :\
04:50 < gmaxwell> here is their PoS mining code in their early source release:
04:50 < gmaxwell>     int elapsedTime = getEpochTime(System.currentTimeMillis()) - lastBlock.timestamp;
04:50 < gmaxwell>     if (elapsedTime > 0) {
04:50 < gmaxwell>         BigInteger target = BigInteger.valueOf(Block.getBaseTarget()).multiply(BigInteger.valueOf(account.getEffectiveBalance())).multiply(BigInteger.valueOf(elapsedTime));
04:50 < gmaxwell>         if (hits.get(account).compareTo(target) < 0) {
04:50 < gmaxwell>             account.generateBlock(user.secretPhrase);
04:50 < _ingsoc> maaku: I think you'd be surprised. There are so many people who are new to this field looking to be part of something that they can grow with. That's the appeal. So they justify "investing" money they might not have because their urge to be part of it outweighs rational thought about the project itself.
04:52 < gmaxwell> no, having talked to VCs, maaku's characterization appears to be spot on.  Wild, unsupported, even impossible claims add credibility.  I think people seem to believe that you'll actually accomplish some fixed percentage of what you claim to, so the guy who claims infinite things is obviously the best.
04:53 < _ingsoc> True, I'm not denying there wouldn't be bigger money involved, but you bet there are smaller guys getting burned by these things.
04:54 < _ingsoc> But I guess you do your research and go with what you believe in.
04:54 < gmaxwell> yea, this is totally vulnerable to a nothing at stake attack.
04:55 < gmaxwell> they create ECDSA signatures of a candidate block and hash them, then compare them to a target that depends on time and the value of that account.
04:56 < gmaxwell> so of course, the same attack PPC got nailed with applies trivially.
04:56 < maaku> yeah Jorge and I have talked to quite a few VCs trying to get funding for Freimarkets. it always seems like we're at a perpetual disadvantage by only claiming what we think can be reasonably achieved
04:57 < sipa> gmaxwell: yes, but if the mining code is not open sourced, that is no problem, right? :p
04:57 < maaku> and in VC eyes, a project that got funding is treated as credible (assuming that someone somewhere did due diligence, I suppose)
04:59 < gmaxwell> pretty sure I can just hack the java bytecode directly here to make it mine all the blocks.
04:59 < gmaxwell> it just needs one extra wrapping loop, with a break when it's actually successful. :P
05:05  * midnightmagic grits teeth and discovers more reasons why macports feels broken
05:06 < midnightmagic> https://trac.macports.org/ticket/35358#comment:28
05:40 < gmaxwell> wow: ... this thread has gone a bit pear shaped since I last looked at it!!! https://trac.torproject.org/projects/tor/ticket/8106
06:22 < jtimon> gmaxwell what java bytecode can you hack?
06:28 < _ingsoc> jtimon: Nxt.
06:40 < jtimon> oh, Nest, thank you
06:41 < jtimon> wasn't that source closed? I assumed it was a ripple fork
06:52 < _ingsoc> They've released some snippets apparently.
07:15 < gmaxwell> So random not very bitcoin idea.
07:16 < gmaxwell> Tor HSs have had some amount of problems with attackers exploiting the now-popular vanity addresses.
07:16 < gmaxwell> onion addresses are only 80 bits long, 5 bits per character, and there are super fast gpu vanity generators, so some not nice people have been generating lookalike names and then leaving links around.
07:18 < gmaxwell> Some future HS system could make lookalike attacks much harder by requiring any HS address generation to also generate a lookalike address.  You prove you have your required lookalike by just disclosing the second address inside your HS directory entry, so the urls are no longer.
07:19 < gmaxwell> And the advantage of this is that since it's a collision a 64 bit lookalike takes only ~2^32 operations. But someone trying to pick a specific value instead of pick only any two similar ones, has a much harder time.
14:19 < nsh> petertodd, i'd enjoy reading such a description
14:19 < maaku> oh maybe we mean different things
14:20 < nsh> or such a write-up, even
14:20 < petertodd> well, I was thinking "this is how you use UTXO commitments to make namecoin work, and/or make namecoin on the bitcoin blockchain because I'm evil"
14:20 < maaku> oh ok yes, I would like that to understand better your worry
14:21 < petertodd> yup, and it's actually rather relevant to my new dayjob too... utxo commitments could be quite handy for things like mastercoin data feeds
14:21 < maaku> so this is totally offtopic then, but my namecoin 2.0 in a nutshell:
14:21 < nsh> not enough essay titles end with the phrase "...because i'm evil"
14:22 < petertodd> nsh: lol
14:22 < maaku> add another coinbase committed prefix tree that persists from block to block
14:23 < maaku> and add soft-fork opcodes to insert/update into this tree, using pushdata proofs
14:24 < maaku> and signatures for updates (the first bytes of the value field being a length-prefix encoded scriptPubKey)
14:24 < petertodd> right, basically you're adding state to the scripting language
14:24 < nsh> (what could go wrong...)
14:25 < petertodd> what vitalik's ethereum thing should have focused on rather than getting into the nitty-gritty of the language IMO
14:26 < maaku> nsh: so you can have another way to double-spend a transaction, in a way that is observable to anyone who understands this soft-fork. what's the issue?
14:26 < petertodd> nsh: well, the key thing is to charge fees for every time the scripts run rather than allow them to run unhindered, on every block, multiplying and multiplying, consuming, EVERYTHING
14:26  * nsh nods
14:27 < petertodd> (though petri-coin is suddenly sounding *really* attractive...)
14:27  * nsh registers graygoocoin
14:27 < maaku> hehe, jtimon and I said basically the same thing to vitalik...
14:31 < petertodd> yeah, although that still assumes a model where you are outsourcing validation to miners - pure proof-of-publication schemes are IMO superior
14:31 < maaku> but anyway, that's part of why I find it a little hard to follow the UTXO namecoin objection ... there's a very easy pathway to namecoin-over-bitcoin which is stateless, scales better, and requires very little validation effort
14:31 < maaku> petertodd: you need consensus, no?
14:31 < petertodd> maaku: the only consensus you need is what data has been published and in what order
14:32 < petertodd> maaku: the objection is that things never expire out of the UTXO set, and to insert new items into it you need the whole damn thing
14:32 < maaku> ok, so you can do the same thing with the document-timestamper solution and not even need the soft-fork
14:32 < petertodd> maaku: maybe not you personally, but someone has to have it
14:33 < petertodd> maaku: actually no you can't - timestamping is only part of proof-of-publication
14:33 < maaku> and have people's view of the DNS database be eventually consistent
14:33 < maaku> petertodd: what's the other part?
14:33 < nsh> bunga bunga parties on the moon
14:33 < petertodd> well, the proof that your data actually got to people
14:34 < petertodd> IE, I can timestamp data that I have kept hidden all to myself
14:34 < nsh> well, proof-of-existence should be differentiates from proof-of-dissemination
14:34 < petertodd> only proof-of-publication can be used to solve the double-spend problem
14:34 < nsh> *differentiated
14:34 < maaku> yes, which is why I suggested soft-fork miner verification (although they throw away the data as soon as it is published)
14:34 < jrmithdobbs> ya, you need timestamps from observers and then the rabbit hole starts getting deeper and deeper
14:34 < petertodd> jrmithdobbs: no, not timestamps, proof-of-work/sacrifice
14:35 < maaku> really? why?
14:35 < maaku> if you have the data, you can broadcast it anytime at your convenience
14:35 < petertodd> right, which is the *problem*
14:36 < jrmithdobbs> petertodd: well, signed timestamps from observers is a (bad) form of proof-of-work
14:36 < jrmithdobbs> petertodd: ;p
14:36 < petertodd> for instance, you timestamp your transaction, but don't publish, you then make a subsequent transaction spending the same coins, and do publish, I only see the later timestamp, and then you can take the money from me later by publishing the earlier one
14:36 < maaku> you can't have your cake and eat it too ... you need a distributed consensus mechanism
14:36 < petertodd> jrmithdobbs: assume frictionless spherical cow timestamps
14:36 < maaku> do you have a solution to this?
14:36 < jrmithdobbs> petertodd: come again
14:37 < jrmithdobbs> maaku: no one has to my knowledge
14:37 < petertodd> jrmithdobbs: assume timestamps are free, infinity timestamps is still zero work
14:37 < petertodd> maaku: yes and no
14:37 < petertodd> the yes is that bitcoin is a proof-of-publication system, so obviously the problem can be solved.
14:38 < petertodd> the no is that if you want a scalable system, you still need some notion of "audience size" so to speak, and your security is better if you can prove the data was published to a larger audience
14:38 < jrmithdobbs> petertodd: the signatures on the timestamps aren't free though
14:40 < petertodd> jrmithdobbs: this is -wizards, we're mathematicians here :P
14:41  * nsh smiles
14:41 < maaku> Merkle-tree validation is pretty cheap though right? and the added size is paid for in fees
14:41 < jrmithdobbs> petertodd: my point was the timestamp isn't the proof, the multiple signatures from separate observers on "close" timestamps can serve as the proof of publication time
14:42 < petertodd> jrmithdobbs: only if I have some notion of observer - without proof-of-work every observer claimed has zero weight (sybil problem)
14:42 < jrmithdobbs> petertodd: you need a mechanism for defining what are enough and that's where it starts falling apart imho
14:42 < petertodd> jrmithdobbs: exactly, and proof-of-work is what fixes that mechanism
14:43 < petertodd> (I *really* need to write a book on this as fast as possible so I can cement as much terminology as possible from the fine art world into this field...)
14:43 < nsh> please do
14:44 < nsh> i am happy to contribute by poking you daily with an imaginary irc stick if that helps
14:44 < nsh> (was actually wondering what "weight" means here...)
14:45 < maaku> petertodd: that doesn't seem to address the issue very well
14:46 < petertodd> oh man, the crazy thing is semiotics terminology actually makes sense here too, sign, signified, signifier...
14:46 < maaku> so i burn some coins or electricity to get enough sybil identities to double-spend
14:46 < nsh> oh good, let's invite umberto eco to keynote the next bitcoin conference
14:46 < maaku> it puts an economic cost on it, but not one that can be too big
14:47 < petertodd> maaku: they're not sybil identities, the notion of identity is really kinda irrelevant at the theory level, what matters is a certain amount of electricity was destroyed in support of a particular history
14:47 < petertodd> nsh: lol
14:47 < maaku> maybe if I'm "selling" superpreciousname.bit it's worth while
14:48 < maaku> petertodd: you mean like mining proof-of-work?
14:48 < maaku> sorry to come back, but this is sounding like "let's reinvent bitcoin!"
14:51 < petertodd> maaku: not reinventing, explaining what it's really doing
14:52 < petertodd> maaku: first of all, do you see how if miners did no validation at all, bitcoin can still work just fine?
14:53 < maaku> no
14:53 < jrmithdobbs> can you clarify that? what do you mean by that
14:53 < maaku> not for my definition of fine at least
14:54 < jrmithdobbs> petertodd: you mean that even if they didn't verify the actual contents as part of the pow the verification would happen by being rejected by peers on the network? or are you after something else?
14:55 < andytoshi> i think he means, the order of transactions would be set in stone by the POW
14:55 < petertodd> andytoshi: exactly
14:55 < andytoshi> and the ordering is the only thing that nodes can't agree on by themselves
14:56 < petertodd> andytoshi: and nothing else, dups, invalid, whatever would all be allowed
14:57 < andytoshi> it occurs to me that growing up is in some sense a POW, you can't sybil irl because humans take so long to spam
14:58 < petertodd> andytoshi: indeed
14:58 < petertodd> jrmithdobbs: well, wallet software would ignore the invalid transactions basically
14:59 < jrmithdobbs> petertodd: but it wouldn't "work just fine" in that case as the clients would have to do a lot more filtering and processing wouldn't they? you get the ordering from the pow but you don't know how much of it is valid, doesn't that open up real spam issues?
14:59 < petertodd> jrmithdobbs: after parsing through the entire blockchain
14:59 < petertodd> jrmithdobbs: oh sure, but other than bandwidth and storage the system *would* work just fine
14:59 < petertodd> jrmithdobbs: IE, miner validation is an *optimization*, it's not fundamental
15:00 < maaku> ok yes, i get that (i wouldn't say "just fine" either, but let's not argue semantics)
15:00 < petertodd> maaku: "just fine" to a mathematician :)
15:00 < jrmithdobbs> petertodd: i see your point but would like to point out that the basic mechanisms for all this have been around for several decades and the optimizations are what made it feasible ;p
15:01 < jrmithdobbs> damn you beat me to the academic joke ;p
15:01 < petertodd> jrmithdobbs: well no, proof-of-work consensus in any form *has not* been around for long
15:02 < jrmithdobbs> petertodd: but its building blocks have been
15:03 < maaku> petertodd: requiring nodes to validate by processing the entire block chain themselves is not scalable. so how do you determine with certainty whether the inputs to a transaction are valid without processing the whole block chain?
15:03 < amiller> jrmithdobbs, no one thought of doing proof of work consensus, it's an out-of-the-blue idea
19:21 < gmaxwell> "Uh. maybe there is a NTP reflection DDOS attack" "oh look, one was recently found and is being exploited"
19:21 < petertodd> lol
19:23 < andytoshi> petertodd: suppose that you've got like a 1btc bond, and it's only considered valid by fast food restaurants and groceries (who want the bond value to be some large multiple of the product value)
19:23 < andytoshi> then to get a net win a scammer would have to get to a whole ton of physical stores within a blocktime or two
19:23 < andytoshi> (and any more than a blocktime would require some sort of mining-based attack)
19:24 < petertodd> andytoshi: sure, but that just goes to say you have to take countermeasures against that kind of thing or it's easy to rip off
19:24 < phantomcircuit> andytoshi, or coordinate with lots of other scammers
19:24 < gmaxwell> andytoshi: really these things make more sense in the context of an anti-doublespending signer service rather than personally, as the signer service could afford a bond a huge multiple of the typical transaction prices.
19:24 < phantomcircuit> (organized russian crime groups do this fairly regularly with atm heists)
19:24 < gmaxwell> (and could also be secured by hardware remote attest)
19:24 < petertodd> gmaxwell: esp if the signing service provides some kind of proof of how many uncommitted btc they've signed for
19:25 < andytoshi> phantomcircuit: right, derp
19:25 < andytoshi> gmaxwell: neat, then you've got a traditional debit-card system but with a bit less trust
19:26 < gmaxwell> petertodd: if only someone recently described how to run a cryptographically private accumulator...
19:26 < petertodd> gmaxwell: I know 'eh?
19:26  * andytoshi has one last exam tomorrow, better get off -wizards before somebody posts a link
19:26 < phantomcircuit> lol
19:39 < maaku> petertodd gmaxwell: I had a "duh" moment, but if prefixed proofs become *required* for transaction and block propagation, then it doesn't matter how the (U)TXO index is keyed, right? or the size of the UTXO set?
19:40 < petertodd> maaku: it's impossible to require them effectively
19:40 < maaku> well, setting that aside...
19:40 < maaku> spherical cow analysis, if you could get every node to upgrade, etc.
19:41 < petertodd> then you'd get collusion between miners who greatly reduce their bandwidth to each other by leaving out proofs they don't need because they have parts of the utxo set cached
19:42 < maaku> i'm not sure that's a problem, except as it applies to decentralization
19:43 < petertodd> well if it's not a problem, then why did you want to require them?
19:43 < gmaxwell> perhaps I'm missing some context, as I don't see what maaku is talking about (maybe it was something too obvious?)
19:43 < petertodd> I assume for fairness, otherwise you might as well just only provide proofs when needed
19:44 < maaku> well it's very obvious now that i think about it, but the trigger was that I was assuming you need to store the UTXO twice to support scriptPubKey-indexing
19:44 < gmaxwell> the whole idea of the MMR-structured data was that it let you make a storage/bandwidth tradeoff if you could always demand a peer give you proofs with their transactions.
19:45 < gmaxwell> oh no, you wouldn't though you should note that scriptPubKey-indexing isn't naturally computationally balanced so it's a poor index.
19:45 < justanotheruser> petertodd: do you think blockchain sharding will be implemented some time soon?
19:45 < petertodd> justanotheruser: heck no
19:45 < gmaxwell> (also making address reuse cheaper is unfortunate)
19:45 < maaku> but if a proof comes with a transaction, you could just mandate that proofs contain the paths to the inputs in the scriptPubKey index, and a mapping of txid:n -> scriptPubKey
19:46 < justanotheruser> petertodd: what if the number of full nodes drops below 2k?
19:46 < gmaxwell> yea, sure. Doesn't mean that indexing by scriptPubKey is actually desirable, but if you change how transactions look up their inputs, then indeed, you don't need two indexes.
19:46 < maaku> "<gmaxwell> (also making address reuse cheaper is unfortunate)" <-- yes i'm onboard with that. this is more of a -wizards hypothetical
19:47 < gmaxwell> ::nods::
19:47 < maaku> yeah ok i was stupid for not realizing that earlier
19:47 < petertodd> justanotheruser: sharding requires miner co-operation and a soft-fork
19:47 < justanotheruser> petertodd: yes, wouldn't it be necessary because the number of full nodes is dropping?
19:48 < sipa> well, if we can create a currency from scratch, with outputs being (value, merkle-ast-root) and inputs being (merkle-script, script inputs), you can easily (except for potential unbalancing) have your UTXO tree indexed by (merkle-ast-root, txid)
19:48 < maaku> justanotheruser: re "blockchain sharding" sortof, that will come soon
19:49 < maaku> if, that is, you mean pruning where some nodes only store ranges of blocks
19:49 < maaku> not tomorrow though, but soon
19:49 < justanotheruser> maaku: I mean blockchain sharding as in https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
19:50 < sipa> so you only need a single UTXO data structure for both validation lookups and lightweight node balance checking
19:50 < gmaxwell> The unbalancing could be avoided by just prohibiting reuse.  You end up with a design close to an anonymous coin then. E.g. where outputs do blinded inserts into an existing coin list, and where inputs unblind coins, prove the coins exist, and they are added to a spent coin list.
19:51 < petertodd> justanotheruser: necessary doesn't make stuff actually happen you know, more likely lack of full nodes just pushes people to use web-wallet stuff
19:52 < petertodd> justanotheruser: with so few pools the politics of the situation are unknown and may not be what we want...
19:52 < justanotheruser> gmaxwell: btcguru in #bitcoin is linking to a sketchy website. No results on google
19:53 < justanotheruser> petertodd: why would the number of pools affect that?
19:53 < petertodd> sipa: ugh, I really think we're best off avoiding that kind of single-scriptPubKey balance checking stuff
19:53 < petertodd> justanotheruser: because they're large enough that more centralization and fewer nodes out there may be in their interests
19:54 < maaku> sipa: yeah that was more my line of thinking. indexing by txid or by insertion order isn't really useful, other than that's how bitcoin is structured (scriptPubKey isn't available in the input)
19:54 < maaku> and, i guess, useful in that it doesn't encourage bad, bad things like dumping data on the block chain
19:55 < petertodd> maaku: or address re-use
19:55 < sipa> petertodd: maybe - i don't like the privacy implications of that either
19:56 < maaku> petertodd: yeah, although I don't know how to support looking up bip 32 or keypool addresses without also encouraging address reuse :(
19:57 < petertodd> maaku: use fixed prefixes so all you're reusing is the prefix, which still gets you a decent anonymity set (see my recent post on blockchain data)
19:58 < petertodd> maaku: for change I think we can get away with totally random change addresses as the set of *unspent* change txouts doesn't have to grow
20:03 < gmaxwell> Man, people are going to love anonymous coins where efficient lookups for payments to you is impossible.
20:04 < petertodd> gmaxwell: ?
20:06 < gmaxwell> petertodd: if you have a truly anonymous cryptocurrency, e.g. one that worked by committing to blinded coin values in an insertion ordered tree.. there is no way to tell someone paid you from just inspecting the currency.
20:07 < gmaxwell> They'd have to tell you out of band, or you'd have to have a separate channel e.g. for storing ECDH keyed encrypted messages "hey, I paid you, the blinded coin has value X"
20:07 < petertodd> gmaxwell: oh sure - all this business about stealth addresses is just a way of relaxing that anonymity a bit so you can recover the payment. even a fully anon cryptocurrency can always bolt on a messaging layer to provide that channel
20:08 < gmaxwell> yea, but interestingly the messaging layer could easily break the privacy.
20:08 < petertodd> gmaxwell: if bitmessage was reliable, you'd just use it, but it's not for non-interactive use
20:08 < gmaxwell> e.g. if the messages have a visible to it likely removes it completely.
20:08 < petertodd> gmaxwell: well, if you re-use something like bitmessage, at least your anonymity set also includes random messages unrelated to payments
20:09 < gmaxwell> an interesting point.
20:09 < justanotheruser> Are you referring to zerocoin?
20:09 < petertodd> Anyway, figuring out how to make the user-experience of "must send this packet of data for foo to get their coin at all" to be acceptable might come in handy for other crypto-currency schemes like txin commitments where the network doesn't have the data at all.
20:10 < gmaxwell> petertodd: well in general separating the accumulator operation from notice is interesting. Esp since there are different durability requirements.
20:10 < gmaxwell> e.g. losing old notices, ::meh::
20:11 < petertodd> gmaxwell: yup
20:11 < gmaxwell> justanotheruser: no.
20:20 < phantomcircuit> Morici v Hashfast Technologies
20:20 < phantomcircuit> and so it begins
20:20 < phantomcircuit> Case5:14-cv-00087
20:26 < gmaxwell> phantomcircuit: do you have some data feed of bitcoin relevant docket entries?
20:27 < phantomcircuit> gmaxwell, yes
20:28 < phantomcircuit> fun with lexus nexus
20:28 < gmaxwell> Is anyone aware of any fully homomorphic encryption schemes that can have a plaintext output? e.g. the code inside the FHE decides to write to a plaintext output
20:28 < gmaxwell> phantomcircuit: any details on it?
20:28 < phantomcircuit> gmaxwell, i'll upload the complaint in a minute
20:31 < phantomcircuit> gmaxwell, also it should be on RECAP now
20:34 < phantomcircuit> huh not working
20:36 < gmaxwell> and of course, pacer's password recovery takes like ... days
--- Log opened Tue Jan 07 00:00:00 2014
--- Day changed Tue Jan 07 2014
00:00 < wyager> There is no proof that finding primes is particularly difficult
00:00 < wyager> but I suppose the same is true about the discrete log problem haha
00:00 < wyager> Namecoin is actually useful
00:00 < gmaxwell> primecoin is pretty uninteresting, its not a problem anyone cared about before.
00:01 < gmaxwell> Namecoin might be interesting but it's mostly abandoned and has some serious problems.
00:01 < wyager> Yeah, sadly
00:01 < wyager> I think the tech could seriously replace DNS
00:01 < wyager> Scaling might be a bit of an issue, but maybe not
00:02 < gmaxwell> basically nothing else has done much of anything. peercoin and feather coin have solved their consensus problems (in one case PoS doesn't really work, in the other because their blocks are too fast) with developer controlled selection on the best chain.
00:02 < Luke-Jr> something similar to namecoin could..
00:02 < gmaxwell> wyager: you can't do a secure lite client resolver for namecoin with the current design. it can be done, but namecoin doesn't do it.
00:02 < wyager> SPV?
00:02 < gmaxwell> I'd suggested how back in 2011, but by then namecoin development was mostly dead.
00:02 < wyager> Or SNV, rather
00:02 < gmaxwell> wyager: can't work in the current system.
00:03 < wyager> Really? Why's that?
00:03 < gmaxwell> (vulnerable to replay of old records)
00:03 < wyager> Don't records expire?
00:03 < wyager> Ah
00:03 < wyager> I see
00:03 < wyager> records can be updated before expiration
00:03 < gmaxwell> easily enough fixed: https://bitcointalk.org/index.php?topic=21995.0
00:03 < gmaxwell> and the record expiration is rather long.
00:04 < wyager> clever
00:05 < gmaxwell> state proofs have a lot of other advantages, e.g. like being able to prove to a lite node that a block is invalid.
00:06 < gmaxwell> in any case, I have an old (and lost past due for updates) list of alt ideas I think are interesting: https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas
00:09 < wyager> hahahaha
00:09 < wyager> I love the timelock chain idea
00:09 < wyager> that would provide a very useful public service
00:10 < wyager> Do you sit around all day and think of clever crypto ideas? It seems like it would be a nice hobby :p
00:11 < gmaxwell> wyager: I mean, it's taken years to produce these.
00:11 < gmaxwell> actually I have a ton more of them that aren't there.
00:11 < wyager> Yeah, but a lot of these are great
00:11 < wyager> People have built entire altcoins on less
00:11 < gmaxwell> correction: no altcoin has ever been built on anything as cool as anything on that list. (except maybe merged mining in namecoin) :P
00:12 < wyager> hehe
00:12 < gmaxwell> well okay, peercoin's PoS was the same scale of an idea, but it doesn't really work but perhaps some of those ideas won't work either (well, almost certainly some won't work)
00:13 < wyager> What is wrong with PoS? I haven't actually researched any criticisms of Peercoin
00:13 < wyager> But PoS seemed OK
00:13 < gmaxwell> yea, I think the timelock is sexy. I came up with it midsentence while I was telling someone that timelock appears impossible. :P
00:13 < gmaxwell> wyager: the nothing at stake problem.
00:13 < justanotheruser> gmaxwell: What do you think of nxt's PoS? nxt doesn't have checkpointing.
00:13 < wyager> Which is? Aren't you giving up scare coin-days?
00:13 < wyager> *scarce
00:13 < gmaxwell> justanotheruser: lollollol
00:14 < justanotheruser> gmaxwell: I realize it is 100% premined which is why I specified their PoS
00:14 < gmaxwell> Basically in POW you're incentivized to mine on the ONE TRUE most likely to ultimately survive chain because they're burning a costly resource forever every attempt they make, and their only compensation is getting a block in that one true chain.
00:15 < gmaxwell> The nothing at stake problem is that since you don't really burn anything there isn't any reason not to mine many forks in fact it's the rational optimal strategy to mine all forks you don't hate.
00:15 < wyager> I see
00:15 < wyager> don't they waste compute power as well though?
00:15 < wyager> by mining on every random ass chain
00:15 < justanotheruser> gmaxwell: To fork PoS you wouldn't have to expend additional resources, but you would still need more PoS "mining" power than the main chain.
00:15 < gmaxwell> Including all possible hypothetical forks. There was a neat attack once PPC started PoS mining: someone programmed their system to consider all possible forks to find the ones where their stake was selected over and over again as the block winner.
00:16 < gmaxwell> wyager: yes and at the limit it just becomes POW in disguise when that happens.
00:16 < Taek42> that's a pretty cool attack
00:17 < gmaxwell> PPC "fixed" that bug by forever requiring POW blocks, and setting it up so the identity of the stake depended on nothing after the last POW block.. which makes the specific all-blocks-are-mine attack harder (requires some POW power), but kinda breaks the energy argument and still leaves weird incentives to mine forks.
00:17 < gmaxwell> justanotheruser: Oh is nxt's fork out? I'll tell you what lines of code to change so you can mine all the blocks.
00:23 < Taek42> I had an idea, 'Proof-of-Storage'
00:23 < wyager> I also like merkelized AST P2SH
00:23 < gmaxwell> wyager: I really wish I knew a way to make POS work, but the best I can offer is if you have one cryptocurrency you could mine another by moving/destroying/etc coins in the first.
00:23 < wyager> Oh, and gmaxwell, my IRC client crashed so I may have missed a few things you said
00:24 < gmaxwell> Taek42: do you mean something like https://bitcointalk.org/index.php?topic=310323.0
00:24 < Taek42> not quite
00:25 < Taek42> the idea is that nodes contribute storage to the network, that can then be sold over the same network
00:25 < Taek42> like distributed cloud storage
00:25 < Taek42> where being a storage host gives you coin mining
00:26 < gmaxwell> Taek42: yea, I don't know how to do that except via proof of throughput which may not be what you want.
00:26 < wyager> Didn't cryptosphere or something try to do something like this?
00:26 < gmaxwell> And I've thought long and hard about how to actually do that.
00:26 < Taek42> where I'm currently stuck is the blockchain
00:26 < gmaxwell> the problem is that if you prove you have storage via a fiat-shamir of a cut and choose over it, you can just POW grind the proof to hit a fraction of the data you've kept.
00:27 < gmaxwell> ... and worse, it's delegatable.
00:27 < Taek42> delegatable?
00:27 < gmaxwell> e.g. a pool can keep the data, and answer queries for other miners.
00:27 < gmaxwell> so you'd only get one copy of the data, which wasn't your goal.
00:28 < Taek42> ah yes, we did think of a solution to that
00:28 < Taek42> a partial solution, that is
00:29 < wyager> gmaxwell: What if you did something like this: You only want to verify that the other guy is keeping a backup (you also have a copy), so you make him XOR the data he's supposed to be keeping with the output of a stream PRNG (you do this as well) and then make him give you the hash of this data. You can't spoof this without actually having a copy of the data. That would work for distributed backup systems, at least.
00:29 < Taek42> the goal would be perfectly distributed data with a tunable redundancy such that nodes go offline over a perfect random distribution.
00:30 < Taek42> anytime nodes go offline in some fashion that doesn't follow a perfect random distribution, you assume they are somehow correlated
00:30 < gmaxwell> wyager: but who are "you".. distributed system, right?
00:31 < wyager> Alice wants Bob to keep a backup of her super important file. To make sure Bob doesn't delete his copy and say he still has it, Alice makes Bob modify the file and hash it. Alice does the same on her end, and if Bob can't produce the correct hash, he no longer has the file
00:31 < wyager> So it's not the same thing as distributed storage
00:31 < wyager> it's just distributed backup
00:31 < gmaxwell> wyager: thats really inefficient too.
00:31 < Taek42> (maybe they were all sharing a file - so they were pretending to be redundant but they weren't, or maybe they were all in Afghanistan and then Afghanistan decided to remove itself from the internet the way (Iran?) did - either way they were correlated in some way, which is against the goals of the network)
00:32 < wyager> Meh
00:32 < gmaxwell> wyager: e.g. forget the stream cipher whatever. Just challenge bob to provide a couple blocks at random from the file.
00:32 < wyager> Yeah, true
00:32 < gmaxwell> (or, if you want, the hash of a couple blocks at random)
00:33 < gmaxwell> wyager: a point there is that no matter which of those you do, bob can turn around to proxy the requests to mallory. Mallory has the data and answers.
00:33 < gmaxwell> wyager: if you had ten bobs you wanted to store the data, perhaps they're all just proxying through to mallory.
00:34 < Taek42> so when multiple nodes go offline in a correlated way, you punish them for 'false redundancy'.
00:34 < wyager> Unless Alice sends copied encrypted with a different key to all people
00:34 < wyager> Then at least she knows that Mallory must be using space to store the file
00:34 < gmaxwell> Taek42: how can you make a consistent observation of "offline" in a decentralized system?
00:34 < Luke-Jr> ^
00:35 < gmaxwell> Or is your system merely distributed and not anonymous?
00:35 < wyager> And Bob has to pay Mallory anyway, so he's probably keeping it on his own unless the cost savings Mallory offers are worth more than his reputation if he gets discovered
00:35 < Taek42> they don't participate in N consecutive blocks
00:35 < gmaxwell> wyager: yea sure, though that gives alice n-fold communications cost.
00:35 < Taek42> wyager you can do better:
00:36 < Taek42> use something like LT-Codes or Reed-Solomon codes to produce the file
20:05 < phantomcircuit> even after adding a bunch of debugging stuff to cpuminer it's still not matching
20:56 < gmaxwell> amiller: it would also be very simple to implement.
--- Log closed Wed Sep 18 00:00:51 2013
--- Log opened Wed Sep 18 00:00:51 2013
11:48 < gmaxwell> oh here is an interesting idea for an evil altcoin:  some portion of the coin's supply comes from converting bitcoins... but instead of making you burn bitcoins, thus increasing their scarcity... it makes you turn them into far futured nlocked anyone can spends... so that bitcoin value isn't increased by removing coins from circulation, since everyone knows that they'll flood back in later.
11:53 < sipa> what's evil about it?
11:57 < gmaxwell> well, not that evil. I don't have _that_ much capacity to think evilly. :P  But it's something of an economic attack, in that it attacks confidence about the level of coin scarcity in the future.  Basically it removes use of bitcoin by removing coins from circulation, but not far enough so that bitcoin is more scarce.
11:57 < gmaxwell> not that different from something like the mastercoin exodus address, but there is no conversion to a private value.
16:08 < warren> did mastercoin actually destroy BTC?
16:11 < jgarzik> I don't know if that's happened..  their protocol described creating unspendable outputs
16:11 < warren> He raised a lot of money for doing nothing.
16:11 < warren> it took us two months to raise 10% that much
16:12 < jgarzik> a fixed asset within a fixed asset.
16:12 < warren> an asset entirely in cash with poor management can be worth less than the value of cash.
16:13 < jgarzik> it can be worth more.  it can be worth less.  yes :)
16:13 < jgarzik> it's basically pybond-like scheme
16:13 < jgarzik> everyone must conform to the additional protocol
16:14 < sipa> he seems to be just using bitcoin as a very expensive replicated append-only log
16:15 < sipa> by encoding data into fake addresses
16:15 < warren> jgarzik: I also wonder if Mastercard will try to crack down with a "confusingly similar" trademark infringement claim
16:19 < gmaxwell> warren: he's destroying very tiny amounts of btc, but his fundraising was just to a vanity address.
16:19 < gmaxwell> (though this was a bit confusingly marketed, at least some people thought the "exodus address" was some kind of special gateway address and not just going into his pocket.)
16:19 < warren> at least prunable?
16:19 < jgarzik> warren, not v1, no
16:20 < warren> fun
16:20 < jgarzik> warren, v2 is multisig, where 1-of-3 is valid, 2-of-3 are data
16:20 < jgarzik> so still bloating UTXO
16:20 < Luke-Jr> jgarzik: but nothing is actually implemented, AFAIK?
16:20 < jgarzik> yah.  people are "working on things"
16:20 < gmaxwell> nothing is implemented but they're still making "v1" transactions by hand using blockchain.info!
16:22 < sipa> jgarzik: but are those outputs actually spent?
16:22 < sipa> the muktisig onea
16:22 < sipa> multisig ones
16:22 < jgarzik> sipa, eventually creating other 1-of-3 multisig data carrying outputs
16:23 < sipa> ic
16:23 < sipa> that's better than unspendable in any case
16:23 < sipa> but i think it's wrong to talk about spendable or not
16:23 < warren> sounds like a parasite
16:23 < sipa> it's about whether they're getting spent
16:23 < Luke-Jr> is it doing *anything* that can't be accomplished with merged mining?
16:24 < sipa> i doubt that
16:24 < Luke-Jr> how much did he raise again? <.<
16:24 < sipa> no idea
16:24 < jgarzik> dunno
16:24 < jgarzik> presumably bc.i or be will tell you
16:24 < gmaxwell> ~4000 btc?
16:24 < gmaxwell> 4740 BTC.
16:25 < Luke-Jr> pfft
16:25 < Luke-Jr> give it all to sipa to do the coding for a year
16:25 < Luke-Jr> :P
16:25 < sipa> daaaamn
16:25 < gmaxwell> giving money to sipa would only save the world, not create some toy asset that you can pump and dump.
16:26 < warren> only
16:26 < Luke-Jr> hehe
16:26 < gmaxwell> warren: what, are you some kinda socialist??
16:26 < Luke-Jr> O.o
16:26 < jgarzik> Luke-Jr, well if it follows the pybond pattern, mastercoins are tradeable, normal transactions, with a little bit of protocol-specified data attached.  merged mining would be far less efficient than a simple purchase via atomic coin swap.
16:26 < gmaxwell> It's a joke.
16:27 < Luke-Jr> gmaxwell: I think the lossy IRC lost the humour XD
16:28 < gmaxwell> jgarzik: yea, the zero trusted party atomic coin swap is easier to accomplish with their blockchain fattening approach.
16:29 < gmaxwell> Of course, if you have a trusted party (or even a smart property agent) that is giving value/meaning to the colored coin, then you could instead just instruct it to watch the bitcoin chain for a payment (or show it proof of one) in order to make an atomic transaction.
16:30 < gmaxwell> but if the thing you are trading for is just "mastercoins" then there is no such party.
16:31 < jgarzik> sure, that's a design choice, not having a centralized party ;p
16:31 < jgarzik> you pick a shared protocol rather than a common party
16:33 < gmaxwell> jgarzik: well, not quite in some cases, e.g. trading shares of some business there actually is a centralized party. Not making use of them doesn't make them stop existing.  Most of the colored coins usecases are like that.
18:17 < amiller> "<sipa> he seems to be just using bitcoin as a very expensive replicated append-only log"
18:17 < amiller> yeah.
18:18 < amiller> i think things like that will happen more until bitcoin prices them out somehow, you can't prevent someone from putting the junk data in there if they want to otherwise
18:18 < sipa> well... technically, so is bitcoin
18:18 < amiller> all the colored coin schemes are defective for the reason that they don't put any data in the utxo
18:18 < sipa> it's also using the blockchain as an expensive replicated log
18:18 < amiller> so no one really has any incentive to actually maintain the indexes that will be needed to prove things
18:19 < sipa> hmm, how do you mean?
18:19 < sipa> they need an annotated utxo set
18:19 < amiller> suppose i want to do a complicated mastercoin query
18:19 < amiller> yeah
18:19 < amiller> they have so much functionality that they will need a whole giant sql database
18:20 < amiller> a lot of work (well, you in particular do all of it :p) goes into keeping the utxo manageable sized
18:20 < amiller> which is good because everyone replicates it
18:20 < amiller> but only "mastercoin" nodes will replicate the special mastercoin indexes, which will probably be enormous
18:21 < sipa> well, right now everyone with the UTXO set also has the blockchain
18:21 < sipa> so people are not pointed to the fact that they have very different replication needs
18:21 < amiller> yeah but if i want to answer a mastercoin query i might have to go take a very long walk through it
18:21 < gmaxwell> yea, the functionality they have described requires doing O(N^2) accesses to the set of all existing mastercoins. There isn't even an O(mastercoins) way to get just a list of currently existing mastercoins.
18:22 < sipa> oh my
18:22 < gmaxwell> And can't be. Even if the mastercoin is in the UTXO and you have a UTXO proof, you still need to do the history tracing unless nodes enforce the mastercoin rules on the UTXO.
18:22 < amiller> they're bolting on functionality left and right, it's a whole spreadsheet application
18:22 < sipa> i'm suddenly not worried about it anymore
18:23 < gmaxwell> basically all the colored coins proposals have these problems.
18:24 < gmaxwell> bitcoin at least gets you a computationally cheap verification because you can forward produce your own utxo. Mastercoin could do that too but you'd need special mastercoin nodes that examined the whole blockchain and built mastercoin indexes.
18:24 < sipa> i always imagined colored coins schemes as just augmenting the utxo set, with a "colors" tag for each coin
18:24 < gmaxwell> sipa: yea but mastercoin's "feature" list has things like automated trading with an orderbook in the blockchain.
18:25 < gmaxwell> so you'd have to do order matching against all the eligible coins...
18:25 < sipa> uhhhh
18:25 < amiller> no one is going to realize/notice/viscerally feel the problem until it's filled with junk and no one can afford to run a full mastercoin node and so everyone's security relies on checking mastercoinexplorer.info
18:25 < gmaxwell> and supporting multi-leg trades, like my 1 btc for your 1 mcUSD for amiller's 1 mcLTC.
18:26 < sipa> amiller: and i'm sure mastercoinexplorer.info will just scrape blockchain.info :)
18:26 < amiller> well that's not sufficient
18:26 < amiller> i mean
18:26 < amiller> it will have to maintain its own ridiculous index
18:26 < amiller> in addition to scraping
18:26 < amiller> good thing they've raised enough money to afford one instance of that for a couple years!
18:26 < gmaxwell> amiller: the funny thing is that they'll probably be fine with that. Annoyingly they'll shit all over the distributed system instead of just putting all that centralized stuff in a central place to begin with.. just because the pretext of decentralization raises money.
18:26 < sipa> they may come up with some checkpointing scheme, that includes the "index"
18:28 < amiller> opencoin/ripple also has this problem
18:28 < amiller> it just sucks that everything will seem like it's working as long as not too many people use it and no one minds that only a few people run nodes
18:30 < amiller> it wont crumble until it has a SatoshiDice moment
18:30 < gmaxwell> Centralized systems (even ones pretending not to be) are just fundamentally easier.  It won't even crumble in that case, just throw more resources at it.
18:30 < amiller> bitcoin hit that hurdle and just leveled up, so to speak
18:31 < amiller> so suppose they're centralized (but no one notices because of confusing greypapers) and reasonably efficient as long as you don't run a full node, will they just gain users until there's an actual security breach or something?
02:10 < petertodd> zooko: kinda: https://en.bitcoin.it/wiki/Fidelity_bonds
02:10 < nejucomo> Hello.
02:10 < zooko> Thanks.
02:11 < petertodd> zooko: logs: http://pastebin.com/Rj4bshY3
02:11 < zooko> Thanks.
02:13 < realazthat> mmm
02:13 < midnightmagic> hey nejucomo
02:16 < zooko> Hey, you folks were talking about the danger of miners discriminating among txns. (In http://pastebin.com/Rj4bshY3 .)
02:16 < Luke-Jr> zooko: O.o?
02:16 < Luke-Jr> miners are supposed to do that
02:17 < petertodd> Yeah, that's part of Adam Back's thing with his commit coins stuff.
02:17 < petertodd> Luke-Jr: we mean mike-style blacklists
02:17 < Luke-Jr> mike-stlye blacklists?
02:18 < petertodd> Luke-Jr: Yes, as in centrally/semi-centrally issued lists of coins that must not be allowed to move.
02:18 < zooko> Luke-Jr: the minimal service that we need from miners is just to not include conflicting double-spends in their block.
02:18 < Luke-Jr> petertodd: I don't see a problem, as long as it's not enforced on blocks miners make
02:18 < petertodd> zooko: assuming a limited blocksize...
02:18 < zooko> Other than that, if they could be blinded to the contents of transactions that would be good.
02:18 < Luke-Jr> zooko: also spam filtering
02:18 < zooko> petertodd: why?
02:19 < petertodd> zooko: With unlimited, then you *do* want spam filtering to keep UTXO set size sane.
02:19 < zooko> Luke-Jr: well, inasmuch as something is imposing an externality that it doesn't pay for, then yes.
02:19  * zooko nods.
02:19 < petertodd> Anyway, Luke and zooko are really talking about different things here...
02:20 < petertodd> zooko: I guess the key-value store stuff is about halfway down that paste.
02:21 < zooko> petertodd: still reading that paste...
02:29 < zooko> rs
02:29 < zooko> oops
02:32 < gmaxwell> petertodd: a position I've taken before is that we'd much rather have the miners not able to pick and choose, but if we can't eliminate that choke point and its costs and risks, then we darn well better also exploit the public benefits of having it there.
02:34 < petertodd> well, I'm not that concerned about UTXO growth with small blocks, so I figure if mining is decentralized enough, miners will greedily choose tx's by fees, and I consider fees apolitical
02:38 < petertodd> adam back's tx hiding stuff is nice, among other similar solutions, but if you are thinking about scenarios where it's needed for more than just plausible deniability, users will be forced to prove what's in the opaque containers anyway
02:38 < petertodd> meanwhile, being able to implement IsStandard() and similar has strong practical benefits
02:40 < gmaxwell> I'd give up all that in exchange for a non-problematic blinding... esp if blocksize is not infinite fees should also stop spam. But not that I think we have non-problematic blinding.
02:40  * zooko too.
02:41 < Luke-Jr> SCIP could solve so many problems, that if I could be convinced it worked I'd be happy to depend on it :P
02:42 < Luke-Jr> maybe even could solve double spending. maybe.
02:42 < gmaxwell> Luke-Jr: well, that will just take time. It also will need to improve in performance before it solves many of them.
02:42 < gmaxwell> Nah, it doesn't prevent replay. I can't prove that I didn't separately spin up another computing instance and do some computation twice.
02:42 < Luke-Jr> gmaxwell: will it? verifying one SCIP signature for the entire blockchain sounds nice XD
02:42 < Luke-Jr> gmaxwell: well, you could prove you deleted the private key then the question is can you prove you never copied it?
02:42 < petertodd> Luke-Jr: that's what the sales guys at amazon ec2 said as well
02:43 < petertodd> Luke-Jr: of course not
02:43 < realazthat> but you could make secure distributed cloud computing perhaps
02:43 < realazthat> I dunno if that is suggested anywhere
02:43 < realazthat> where people offer their computer time in exchange for bitcoins
02:44 < realazthat> all sorts of crazy ideas
02:44 < petertodd> realazthat: that's a long-standing problem with a whole bunch of efforts trying to solve it. Standard hardware and OS's just aren't up to the task
02:44 < realazthat> but SCIP can do it, no?
02:44 < petertodd> realazthat: TPM hardware is just too brittle
02:44 < zooko> Well, I'm not going to finish reading this chat log tonight...
02:44 < realazthat> I don't mean secret computing, just authenticated
02:44 < zooko> I'll leave it open in a browser tab...
02:45 < realazthat> ie. you can ask someone to do a job
02:45 < realazthat> they give you answer + signature
02:45 < petertodd> zooko: heh, it's deep, but hey, I did say "zooko's triangle" at one point in it :P
02:45 < realazthat> so you can make any problem verifiable
02:45 < petertodd> realazthat: yes, SCIP allows for that
02:45 < petertodd> realazthat: but you have to be very careful about what exactly you are saying the security is
02:46 < realazthat> so you can have people doing cloud computing
02:46 < realazthat> for things like protein folding etc.
02:46 < zooko> petertodd: cool!
02:46 < zooko> petertodd: we didn't speak at the conference.
02:46 < realazthat> in exchange for bitcoins
02:46 < gmaxwell> realazthat: they can monitor the computing though, it's not private when someone else is running it.
02:46 < realazthat> right
02:46 < realazthat> but public good projects don't care about that
02:46 < petertodd> zooko: oh, you were there? too bad
02:46 < gmaxwell> realazthat: they can go conduct an election.
02:47 < zooko> I saw you arguing heatedly with PVessenes at the core developers huddle. I said to him that the obligations for accounting are not expressed at the level of the Bitcoin protocol, they are merely that you have to "be able to identify+match" customers and their transactions.
02:47 < realazthat> gmaxwell: I don't understand
02:48 < petertodd> I remember that... he really should have kept his mouth shut. Lots of people have taken that as the foundation being actively anti-privacy.
02:50 < gmaxwell> realazthat: conducting an election is obvious public good thing, and the integrity and confidentiality of the election is important.
02:51 < realazthat> ah ofc
02:51 < realazthat> I meant the famous public projects like SETI@home
02:51 < realazthat> and Folding@home
02:51 < realazthat> and other scientific projects like that
02:52 < realazthat> ofc there wouldn't be confidentiality
02:52 < realazthat> but integrity, yes
02:52 < realazthat> homomorphic stuff could do confidentiality perhaps, but AFAIK that is totally impractical ATM
02:53 < petertodd> realazthat: unlikely. SCIP has a pretty big speed penalty, big enough that the usual method of just running work units on more than one computer would be far faster in practice.
02:53 < realazthat> mmm
02:54 < realazthat> interestingly, if SCIP is somehow used for proof-of-work for mining or somesuch, there would be huge incentives to improve it :D
02:54 < petertodd> and/or break it
02:54 < realazthat> yes lol
02:54 < realazthat> but imagine dedicated SCIP hardware
02:55 < petertodd> dedicated hardware typically only makes sense for simple algorithms - I'd be surprised if SCIP qualified
02:55 < realazthat> well, it needs to run a specialized assembly, essentially a VM
02:55 < petertodd> it's a lot more complex than that...
02:55 < petertodd> but I could be wrong
02:55 < realazthat> I think it makes sense to implement the virtual architecture, and take the signing to another CPU or w/e
02:56 < realazthat> maybe
02:56 < realazthat> I look forward to the source codes :D
02:56 < petertodd> I think you need to accept that neither of us know enough to have any idea if that's possible. :)
02:56 < realazthat> end of august for phase 1
02:56 < petertodd> which august? :P
02:56 < realazthat> this august if things go as planned, I guess
02:56  * petertodd works at a 12 year old startup
02:56 < realazthat> lol
02:57 < realazthat> software engineering
02:57 < realazthat> fun
02:57 < realazthat> always ontime :D
02:57 < petertodd> some problems are hard, and just become harder when you try to solve them
02:57 < realazthat> yes
02:57 < realazthat> I am being optimistic
02:57 < realazthat> because I wanna experiment with the so many practical ideas
02:58 < realazthat> that would come to be if it were usable
02:58 < realazthat> mmm
02:58 < realazthat> how about this,
02:58 < petertodd> well, look at how the existence of the blockchain has spawned all sorts of clever ways to use that magical data structure
02:58 < petertodd> er... almost none of which are implemented
02:59 < realazthat> mmm
02:59 < realazthat> yeah
02:59 < realazthat> if you have something very interesting that is easy, tell me
02:59 < realazthat> I'll implement it :D
03:00 < realazthat> most of the things I heard were nice ideas, but not very practically applicable
03:00 < petertodd> I'm probably the world leading expert on how to sacrifice your Bitcoins (a rather dubious honor...) and I've done exactly one such sacrifice, and I did it by hand
03:00 < realazthat> unlike SCIP
03:00 < realazthat> haha
03:00 < petertodd> implementing stuff is a lot of work...
03:01 < realazthat> mmm
03:01 < realazthat> I have yet to find something really worth implementing though
03:01 < realazthat> ie. I've seen things that sound nice
03:01 < realazthat> but have no practical purpose in the near future
03:04 < realazthat> (if you do have some ideas that are practical, lay them on me)
03:05 < Luke-Jr> realazthat: any ideas? :P
03:05 < realazthat> well I still get to choose to do them or not lol
03:05 < realazthat> bite sized ideas preferable :D
03:06 < Luke-Jr> realazthat: https://gist.github.com/luke-jr/5409899
03:11 < realazthat> mmm
03:11 < realazthat> both interesting ideas hehe
03:11 < realazthat> so what does ctx accomplish though
03:11 < realazthat> saving space?
03:11 < Luke-Jr> saving blockchain space, lower fees, more privacy
03:12 < realazthat> ah yes
03:12 < realazthat> makes sense
03:12 < realazthat> I don't understand how it works exactly, but thats ok
13:00 < adam3us> petertodd: i think h(d,m,ctr) is enough.  the main point of the determinism is to avoid relying on the rng.  so it's a kind of deterministic rng seeded with d built in sw so you don't have to trust the OS nor support libraries + the idempotency fix
13:00 < adam3us> petertodd: but idempotency anyway still works if the prefix target is deterministic
13:01 < petertodd> adam3us: but remember my point about coinjoin: you don't know m at the point when you want to specify the address
13:01 < adam3us> petertodd: i see.  didnt get you before
13:04 < petertodd> adam3us: the frustrating thing is that it'd be possible to wind up with everyone using stealth addresses, and all this effort being wasted when a simple marker would suffice :P
13:06 < adam3us> petertodd: yeah (i didn't think about stealth, just about changing).  but i wonder if stealth has a problem: how does the sender know what prefix to put?  i suppose the prefix is like leading bits from H(d*P) where P is the sender address? that would be safe as it requires d to identify
13:06 < petertodd> adam3us: it's encoded in the address of course
13:07 < adam3us> petertodd: which address? sender, recipient base, or recipient randomized?
13:07 < petertodd> adam3us: the stealth address
13:07 < petertodd> adam3us: or more accurately, the scriptPubKey creation instructions making use of stealth
13:08 < adam3us> petertodd: well the stealth address becomes public after it's spent, and so if the prefix of R is matching some bits from the S = dQ = zP if we call S the stealth address, then it becomes distinguishable after spend
13:09 < adam3us> petertodd: (which are hidden before spend because Saddr = H(S))
13:09 < petertodd> adam3us: huh? spent or not the derived one-time-only address is indistinguishable from any other random address modulo the prefix
13:10 < adam3us> petertodd: what i mean is spending reveals the pubkey hidden inside the address.
13:11 < petertodd> adam3us: prefixes would be on H(pubkey) or more likely H(scriptPubKey)
13:11 < petertodd> adam3us: only that is likely to be indexed for other purposes
13:11 < adam3us> petertodd: P is the senders pub key, Q is the recipients pub key, S is the stealth pub key.  S=dP=d'Q where Q=dG and P=d'G, and Saddr=H(S) etc
13:13 < petertodd> adam3us: I don't see how that makes it distinguishable to an obverser who only knows P and Q
13:14 < nsh> what's the topic?
13:15 < petertodd> nsh: stealth addresses, address is public, but only the recipient knows what payments are made to them
13:15 < adam3us> petertodd: ok maybe i am confusing it; point is recipient scanning looks for sender pub key P, multiplies by d to get S=dP=d'Q.
13:15 < nsh> oh, interesting
13:16 < adam3us> petertodd: then he can ask for prefix of H(S)
13:16 < adam3us> petertodd: but how does he know d*d'  he needs that otherwise he has an unspendable addr
13:17 < petertodd> adam3us: no, you've got it backwards, recipient asks for all txs matching a specific prefix, and then for the matching transactions he scans
13:17 < adam3us> petertodd: how does the recipient know the prefix
13:17 < petertodd> adam3us: the recipient *specifies* the prefix
13:17 < adam3us> petertodd: how.. there is no comms channel
13:18 < adam3us> petertodd: the sender has only a compressed public key Q in QR form on a bizcard
13:18 < petertodd> adam3us: there doesn't have to be: the recipient specified it in conjunction with their pubkey
13:18 < petertodd> adam3us: the point is the sender is sending to a derived address, such that the address matches the prefix, and the recipient can calculate the privkey
13:18 < adam3us> petertodd: ok; and now everyone who he gives that bizcard to can also link his payments?
13:18 < adam3us> petertodd: (within the anonymity set of people with the same prefix)
13:19 < petertodd> adam3us: NO! because sender and recivers pubkey/seckey are combined with ECDH so the only parties who can calculate the shared secret are them
13:19 < petertodd> for any given sender/receiver pair there is exactly one shared secret, that only they know
13:21 < adam3us> petertodd: but more fundamentally how does the recipient know the private key for S.  the shared secret coming from k=H(dP)=H(d'Q) is not usable to find d'*d
13:21 < adam3us> petertodd: you need some message space to communicate , and further you dont want to give the recipient d' or he double spend race your payment
13:22 < petertodd> adam3us: the recipient knows their secret key, and the pubkey of the sender (it's in the scriptSig). The sender knows the recipients pubkey, and their seckey. Thus they both arrive at shared secret x, and that can be combined similar to BIP32 to form a pubkey that only the receiver has the seckey too.
13:22 < adam3us> petertodd: not trying to be obtuse btw - i want this to work too.
13:22 < petertodd> adam3us: heh
13:23 < adam3us> petertodd: so specifically sender pub key is P, sender private key is e, P=eG; recipient base key is Q, recipient private key is d, Q=dQ;
13:24 < petertodd> adam3us: right, so x=eQ=dP, x is the shared secret
13:24 < adam3us> petertodd: now DH says that P & Q can negotiate a shared secret as dP=eQ=d*eG=e*dG and often it is hashed to remove bias
13:24 < petertodd> adam3us: right
13:24 < adam3us> petertodd: ok now what can they do with this secret... they have to delegate to Q some way to be able to compute a private key
13:25 < petertodd> adam3us: well, this secret could be hashed and used as the private key for the one-time-only address
13:25 < adam3us> petertodd: ok say S=xQ=x*d*G
13:25 < petertodd> adam3us: more sophisticated is to do the BIP32 trick to derive a pubkey using that shared secret as a nonce
13:26 < petertodd> adam3us: now only the recipient can spend the funds and we're all good
13:26 < adam3us> petertodd: and yes actually x=H(eQ)=H(dP)
13:26 < petertodd> adam3us: right
13:27 < adam3us> petertodd: alrighty.  i am glossing over BIP 32 HDness but yes.  they can treat x as a chain code if they want.
13:27 < petertodd> adam3us: yup
13:27 < petertodd> adam3us: and you can use a nonce to grind until the resulting address has the right prefix
13:28 < adam3us> petertodd: grind address or signature? either could be done
13:28 < petertodd> adam3us: no, it has to be grinding the address because we can only count on address indexes existing
13:28 < adam3us> petertodd: ok its good for existing infra agreed
13:29 < petertodd> adam3us: well, infrastructure that can be reasonably expected to exist in the near future :p
13:30 < adam3us> petertodd: nevermind; call me a spherical cow. so point is now the prefix is linkable modulo overlap if it's small enough
13:30 < petertodd> adam3us: yeah, e.g. if it's an 8-bit prefix your anonymity set is 1/256th of all addresses
13:31 < adam3us> petertodd: and i guess its not going to be too big because you're grinding it through EC operations like vanity address levels of cost
13:31 < petertodd> adam3us: yup, and the *sender* needs to do it which kinda sucks
13:31 < adam3us> petertodd: and the generator may be a smart phone
13:32 < petertodd> adam3us: you can be a bit clever, and abuse multisignature w/ fake pubkeys, but that's the best you can do
13:32 < petertodd> adam3us: (that makes the inner-loop SHA256)
13:33 < adam3us> petertodd: yes or maybe p2sh with random unused value on stack
13:33 < petertodd> adam3us: well, that's no longer a standard transaction format
13:33 < adam3us> petertodd: p2sh restricted that much?
13:33 < petertodd> adam3us: might as well just do a marker explicitly
13:34 < petertodd> adam3us: that too... IsStandard() is applied to P2SH inner scriptPubKeys
13:35 < adam3us> petertodd: i dont think it matters so much actually to hide that it is a sender generated addr.  its not like one use addresses are not allowed or that there is any stigma to using them
13:35 < adam3us> petertodd: so i view the encoding as more a way to do it without introducing a new format
13:35 < adam3us> petertodd: and without requiring a new index
13:35 < petertodd> adam3us: with regard to coinjoin you're better if you stick to something standard
13:36 < petertodd> adam3us: a subtle point with that too is you probably want to make your change look like a stealth payment if you are distinguishable
13:37 <@gmaxwell> 07:50 < adam3us> btw the card thing P(52,26) is conveniently > 2^128.  course then you have to keep them from getting accidentally shuffled
13:37 <@gmaxwell> ^ the case where you care about the permutation is kinda lame because you'd have to capture the data twice.
13:38 <@gmaxwell> if you only care about assignment, you walk into a drug store, buy a cheap pack of cards,  shuffle and split and depart.. then later capture the data from your cards.
13:38 <@gmaxwell> If you exchange via a permutation you have to shuffle and digitize without breaking the permutation.
13:40 < maaku> gmaxwell: slide the deck on a flat surface
13:41 < adam3us> gmaxwell: yes.  well also you dont know the other guys permutation, unless you do some card game/trick on a table to co-sort them
13:41 < nsh> hm
13:41 <@gmaxwell> right but the split method (where you only gain bits from the assignment of which person got the card) doesn't care about the permutation.
13:42 < adam3us> petertodd: so full nodes are no problem anyway.  1 byte was my guess for 'bloom bait' also. is that small enough for SPV efficiency?
13:42 <@gmaxwell> You just take the card deck(s) shuffle, and split between the two people. No prep required, and no issues with accidentally reordering them.. though you only get on the order of 50 bits (1 deck) or 100 bits (2 decks).
13:43 < petertodd> gmaxwell: it's interesting how for cards that have a top and a bottom you could shuffle their orientations, draw a line with a marker across one side, and then you have a 52-bit secret in a card deck that's highly subtle
13:44 < petertodd> adam3us: 1/256th is ~4KB/block, not a big deal at all
13:44 < adam3us> petertodd: yeah but say scan a few weeks worth.
19:06 < warren> the mac builds are 32bit
19:06 < sipa> ah
19:06 < gavinandresen> I was running a bitcoind compiled with clang when I got corruption
19:06 < warren> gavinandresen: 32bit or 64bit?
19:06 < phantomcircuit> personally i suspect there is an issue with the ioctl sync function
19:06 < phantomcircuit> but who really knows
19:12 < Luke-Jr> cfields: have you published any of the Mac stuff yet?
19:17 < cfields> Luke-Jr: i'm just now starting to get it packaged up. It looks about like this right now: http://www.digitalmediatree.com/library/image/12/beautiful_mind_2.JPG
19:17 < cfields> should have something presentable in a few days i'd think
19:21 < cfields> it will initially be missing some of the dmg fluff. compression, background images, drag+drop, etc. But i'll publish before tackling those in the hopes of finding some help along the way
19:27 < warren> cfields: is the plist working in your build?
19:27 < cfields> basic, not fancy
19:27 < sipa> plist?
19:28 < cfields> which is why drag+drop and background images aren't hooked up yet
19:28 < cfields> we'll have to port that stuff
19:30 < cfields> sipa: i assume he was alluding to the 'fancy' dmg generation options. customizations for how the dmg should present itself when opened
19:38 < Luke-Jr> wtf, why could callq ever segfault?
19:40 < warren> cfields: no
19:40 < warren> cfields: the context menu on the dock when you right click
19:44 < cfields> warren: hmm, no. tbh i'm not sure where that comes from?
19:46 < gavinandresen> warren: clang 64-bit. All of the speculating "maybe it is this, maybe that, lets try putting a full-sync here" is unlikely to be productive. In my humble opinion, somebody who knows a lot about the OSX filesystem needs to instrument leveldb (maybe stream a log of operations over-the-network to a second logging system???) and either figure out how the corruption could happen theoretically or capture an actual case of corruption
19:48 < gavinandresen> (I'm hoping somebody who knows a lot more about filesystems than I do will tell me why I'm wrong, and what actually needs to be done is to run the FroBaz Filesystem Widgetizer to capture all low-level disk activity and analyze it with the FileWizPro doo-hickey)
19:49 < gavinandresen> (after installing some hardware on the EIEIO hardware bus)
19:50 < cfields> gavinandresen: i was discussing with warren a bit yesterday. Seems to me it would be a reasonable first step to throw an assert() and output some useful data (like what the actual/expected read data was) in the case of a crc mismatch
19:50 < cfields> or is the read data completely unhelpful, and only the failed write is interesting you think?
19:51 < gavinandresen> dunno, haven't thought about it.
19:52 < warren> gavinandresen: I'm convinced that the wild guesses earlier (fsync blah) actually did fix things, the errors we have now are more consistent.
19:52 < gavinandresen> warren: okey dokey.  Just don't forget that we're pattern-seeking monkeys....
19:53 < cfields> warren: i just compared my linux-built dmg to mainline bitcoin-qt. They seem to have the same options/actions
19:54 < warren> cfields: great
19:54 < cfields> afaik dock handling is done in code. I'm not aware of anything to mess with in packaging
19:54 < warren> there's python scripts that fiddles with the plist stuff
19:55 < cfields> other than maybe ensuring the icon finds its way to the right place
19:55 < cfields> yea, i hacked those up to make em work in linux
19:55 < warren> ooh, I'm interested in that
19:58 < cfields> ok
19:59 < cfields> i'm off for tonight. I've got the rest of the week to spend on this, though. And I'll get the qt updates in somewhere in there as well.
--- Log closed Wed Nov 20 00:00:39 2013
--- Log opened Wed Nov 20 00:00:39 2013
10:06 < adam3us> hmm HD wallets, armory use of the concept, does the chaincode of an offline wallet get copied to the watch only online wallet?
10:07 < adam3us> ie if someone has a copy of the root key, is that enough to recover the wallet and access funds if they also got all the info out of the online wallet?
10:18 < sipa> do you mean BIP32, or armory's deterministic wallets?
10:18 < sipa> or did armory already adopt BIP32?
10:30 < adam3us> hmm i am not sure - i thought because alan had commented on bip 32 and been involved with it that was the same thing
10:33 < sipa> they both use a 'chaincode'
10:46 < adam3us> i am wondering if the online wallet is a sub-wallet or shares the same chain code
13:07 < cfields> anyone happen to be around and running windows?
13:49 < BlueMatt> hah
13:49 < BlueMatt> windows?
13:52 < cfields> heh, exactly. hacking on win32, but i have to trust wine to verify. in this case i really can't
14:01 < BlueMatt> this is what kvm is for
14:18 < phantomcircuit> BlueMatt, yeah but who has a retail license to install with anymore?
14:18 < phantomcircuit> i still use windows xp since its the only thing i have a disk for...
14:19 < BlueMatt> university licenses :)
15:20 < warren> I'm trying to figure out a quick hack (for modeling purposes only) that removes all UTXO that is 1-satoshi in value after reindexing to X height.
16:10 < BlueMatt> warren: try using the new drop-unspendable code and replace the unspendable check with 1-satoshi?
16:10 < BlueMatt> (and then short-circuit the return falses for now-invalid txn?)
16:11 < warren> BlueMatt: tried that, that only works during reindex, it works until I hit a block where someone spent a 1-satoshi (which is extremely rare in litecoin)
16:12 < warren> BlueMatt: I could find the small number of spent 1-satoshi txo and whitelist them to allow reindex to succeed.
16:12 < warren> this isn't meant to be committed, just testing stuff
16:12 < BlueMatt> or just consider all unknown-txin to be 1-satoshi and all spends of them correct
16:13 < warren> hah
16:13 < BlueMatt> if its just for analysis, why not
16:13 < warren> where's the code for that part?
16:13 < BlueMatt> in ConnectInputs?
16:13 < warren> looking
17:07 < warren> BlueMatt: back from lunch.  it appears I need to construct a fake CTxOut
17:08 < warren> oh, screw it, just consider everything valid
17:09 < michagogo|cloud> 04:41:28 <warren> I'm not sure why people downvoted the bounty thread.
17:09 < michagogo|cloud> Unless the total score is negative, there may be no downvotes -- reddit adds random equal numbers of upvotes and downvotes to avoid gaming the system
17:18 < michagogo|cloud> 23:41:42 <cfields> Luke-Jr: unfortunately, the cleanest approach to the next step is to begin modding the hfs+ kernel module. And at that point, I don't think it's really worth it
17:18 < michagogo|cloud> Am I wrong, or would that break gitian builds with LXC? (IIRC, some trouble we were having had to do with a kernel module Wine tried to install or something like that?)
17:18 < cfields> michagogo|cloud: nm that, i got it working
17:18 < michagogo|cloud> Oh, awesome
17:19 < michagogo|cloud> (I'm still at Wednesday morning, midnight UTC+2 in the backlog)
17:24 < michagogo|cloud> 00:31:41 <cfields> as an osx user (i hate admitting that), any download that's not a dmg gets on my nerves
17:24 < michagogo|cloud> 00:31:48 <cfields> unless it's a .pkg for good reason
17:24 < michagogo|cloud> I'm not a Mac user, but I've been told (somewhere, don't remember exactly -- I think it was in the context of bitcoin, so maybe #bitcoin-build?) that among Mac users, any non-.dmg software downloads are treated with extreme (or at least much) suspicion
17:24 < cfields> michagogo|cloud: keep reading ;)
17:25 < cfields> deterministic dmg's are working
17:25 < michagogo|cloud> cfields: Yeah, I saw that :-)
17:26 < cfields> but yea, i agree with the above. If it's not a dmg, it's usually a pkg because it requires root (like an sdk). If it's neither, it usually goes in the trash
17:26 < cfields> for me, anyway
17:26 < adam3us> sipa: about bip32 vs armory alan says its not a sub-wallet the same chain code is in the online watching (read only) wallet
17:26 < adam3us> sipa: so its not hierarchical, just using public derivation
17:26 < michagogo|cloud> cfields: Actually, I've seen even pkgs be distributed as dmgs
17:27 < michagogo|cloud> (I have used Macs some, just not a full-time user)
17:30 < cfields> michagogo|cloud: yea, that's reasonable too
17:31 < michagogo|cloud> cfields: So you managed to get bare-bones deterministic DMG working?
17:31 < michagogo|cloud> (bare-bones, meaning without all the fancy dmg features, AIUI?)
17:31 < cfields> yep, passes basic sanity checks anyway
17:32 < michagogo|cloud> That's great :-)
17:32 < michagogo|cloud> Nice work.
17:32 < cfields> thanks. but hold that until there's some proof ;)
17:33 < warren> hmm, what part is signed to distribute in Apple's app store for mac os x?
17:33 < warren> or would it be rejected like they rejected bitcoin apps from the iphone?
17:34 < cfields> the dmg is signed, i believe
17:34 < cfields> any signature would break determinism ofc
17:34 < cfields> rather.. provable determinism
17:34 < warren> gavinandresen: ever considered submitting Bitcoin to the MacOS X app store?
17:36 < warren> cfields: for developers and power users determinism is great, the only way to prove safety
17:36 < michagogo|cloud> cfields: MAS uses dmg?
17:36 < warren> cfields: but for end users who mess up downloads ... MITM ... DNS redirection ... an app store might be safer.
17:39 < cfields> might be possible to add a comment, not sure. if so, the comment could contain the original checksum
17:45 < michagogo|cloud> warren: Looks like the process is running https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/codesign.1.html#//apple_ref/doc/man/1/codesign
17:45 < michagogo|cloud> and then https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/productbuild.1.html#//apple_ref/doc/man/1/productbuild
17:45 < michagogo|cloud> (https://developer.apple.com/library/mac/releasenotes/General/SubmittingToMacAppStore/)
13:09 < gmaxwell> He's currently trying to negotiate with the SMF folks to get SMF 1.0 open sourced so he can opensource the whole forum. Dunno how thats going.
13:09 < sipa> what? the forum code is not open source? :o
13:10 < gmaxwell> no, apparently the later versions of SMF are but the earlier (and more popular) versions are not or something.
13:10 < gmaxwell> And the one bct runs is heavily modified, including a lot of security fixes.
13:11 < gmaxwell> (like, uh, hashed and salted passwords 0_o)
13:13 < TD>  from what i know of SMF open sourcing it would probably be a security disaster ...
13:13 < TD> vanilla forum is nice
13:14  * sipa mumbles "security through obscurity"
13:20 < gmaxwell> adam3us: https://bitcointalk.org/index.php?topic=258678.msg3698304#msg3698304 < what are your thoughts on a simple delegation like this?
13:21 < gmaxwell> adam3us: it doesn't have the nifty information-theoretic blinding, so it makes the KDF weak to an attacker who has already performed the KDF for the user.
13:21 < gmaxwell> adam3us: but I think the prospect of getting people to implement the RSA blinding scheme is ~0, plus I think we really do want memory hard KDFs.
13:27 < gmaxwell> sipa: I dunno if you saw, but a while back adam3us pointed out that using a group that permits a trapdoor permutation you could have a delegatable blind KDF.  E.g. you pick a random blinding factor and blind your password, then give it to miners who crunch on it then give you the result, and then you unblind the password.
13:27 < gmaxwell> sipa: and the work they did is of no use to them trying to also crack your key, because they don't know the blinding factor.
13:28 < sipa> i'm not following
13:30 < gmaxwell> E.g. You can Encrypt(password,nonce) -> Epwd    and give Epwd  to 'KDF miners' who do expensive computation on it and return Eresult   and then you can Decrypt(Eresult,nonce).
13:30 < sipa> right
13:30 < gmaxwell> But in doing so they learned nothing that would help them shortcut cracking your wallet.
13:30 < gmaxwell> e.g. if later they got a copy of your wallet.
13:30 < gmaxwell> (or even if they already had it, and simply wanted you to pay for the work of cracking it)
13:31 < gmaxwell> I think its neat though I dunno if its useful, simply because its complicated to implement, more complicated to explain, and we'd probably prefer memory hard KDFs.
13:32 < gmaxwell> Though the notion of delegation is probably a good one: any of these wallet encryption schemes should be setup so that you could ask a marginal trusted party to do the expensive KDF for you, without totally giving away your keys.
13:32 < gmaxwell> might make them easier to tolerate for things like hardware wallets.
13:33 < gmaxwell> Sadly the simple way of constructing these things means the party you delegate to at least no longer has to face the difficult kdf anymore.
20:32 < midnightmagic> what?!  smf isn't open source?
20:33 < theymos> 1.x uses a non-free license. 2.x is open source.
20:33 < theymos> I asked them for an exception to the 1.x license so I could distribute my modifications, and even offered to pay, but they never got back to me.
20:34 < sipa> that doesn
20:34 < midnightmagic> Ah. It's open source, but it's not licensed openly. You need permission to fork.
20:34 < sipa> wait, what meaning of open sourc... right, that
20:39 < midnightmagic> theymos: That's b-s man. They should've given you an answer.
20:39  * midnightmagic is grumpy now
20:41 < phantomcircuit> theymos, i guess they dont understand how much you could pay
20:41 < phantomcircuit> lol
20:41 < theymos> bitcointalk.org even has some small modifications by Satoshi. I might publish those in isolation for historical interest. I think that this is legal.
20:50 < cfields> https://github.com/theuni/bitcoin/tree/deterministic-dmg
20:51 < cfields> how do you guys recommend i start the discussion? RFC pull-request?
20:51 < cfields> dmg's are deterministic via gitian and verified working fine on 10.6 and 10.8
20:52 < Luke-Jr> Meetup at [or near] my place tomorrow, anyone? (Broooksville, Florida)
20:54 < cfields> in its current form it's not really reviewable. I'll need to break it up into chunks. But it'd be nice if I could convince someone to verify my gitian results
20:55 < Luke-Jr> cfields: throw the gitian files in a temp git repo somewhere?
20:55 < cfields> Luke-Jr: they're in there
20:55 < Luke-Jr> ah missed that
20:56 < cfields> osx-native -> osx-depends -> osx-qt -> osx
20:57 < Luke-Jr> I'd have split each depend out individually
20:57 < cfields> Luke-Jr: you'll need the sdk too. I can spare you the trouble of registering and extracting it if you'd like
20:57 < cfields> Luke-Jr: i did all the work native. Gitian was an afterthought
20:58 < Luke-Jr> what *is* osx-native? O.o
20:58 < cfields> Luke-Jr: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1#diff-8
20:58 < Luke-Jr> yes, that's what I'm looking at
20:59 < cfields> osx-native builds the build-side tools
21:01 < cfields> er, i suppose osx-native is confusing, since that probably implies that they run on osx
21:01 < cfields> rather, it means the tools for the native arch to build osx binaries
21:03 < Luke-Jr> IMO everything except the final Bitcoin-Qt .yml file should probably live in its own git repo
21:03 < Luke-Jr> independent of any program
21:03 < cfields> Luke-Jr: it's just in one repo for convenience right now
21:03 < Luke-Jr> sure
21:04 < Luke-Jr> I presume you saw my cross-osx repo
21:04 < cfields> translation: don't bother pointing out how ugly it is, i already know :)
21:04 < cfields> i'd just like a little input as to what people want before i sit down to actually organize it
21:05 < Luke-Jr> any reason not to use CXXFLAGS for -target?
21:05 < cfields> for ex, to me, it's important to be able to build without gitian. Imo that's a nasty dependency
21:05 < cfields> but if i'm alone, i'll toss that out
21:05 < Luke-Jr> what if gitian produces archives usable by other OS?
21:06 < cfields> hmm?
21:06 < Luke-Jr> otoh, as long as it's outside the bitcoin repo, I guess it makes just as much sense to have it designed to build outside too
21:06 < Luke-Jr> cfields: I was thinking "let gitian build the cross development stuff, and make it usable without gitian"
21:07  * Ryan52 waves
21:07 < cfields> it can build anywhere, its location is arbitrary
21:07 < cfields> you can just cp -rf the folder wherever you want
21:07 < Luke-Jr> but it might make better sense to just have the new cross-osx git repo work without gitian to do the same, and just a few .yml files to utilise that
21:07 < warren> cfields: I have Ryan52 looking into the integrity of all your gitian mac inputs, comparing downloads from multiple Linux and ports distros, looking at diffs from previous versions to look for compromised source, then generating a list of identical download URL's and sha256sums
21:08 < warren> cfields: https://github.com/bitcoin/bitcoin/pull/3191  that'll allow adding simple integrity checks like this.
21:09 < cfields> warren: yep, i'll add those
21:09 < cfields> warren: as a quick hack though, you saw this: https://github.com/theuni/bitcoin/blob/deterministic-dmg/contrib/macdepends/download.sh ?
21:10 < warren> cfields: ooh, ok, so Ryan52 should just verify that things match your checksums
21:11 < warren> Ryan52: sorry, didn't know he already had checksums.  This is just another sanity check.
21:11 < cfields> ./download.sh is all that's necessary, yes
21:11 < cfields> Ryan52: if you're going to verify sanity, the one you really need to target is the MacOSX10.6.pkg
21:12 < cfields> that's a pain in the ass to get. So i assume it will end up being passed around privately rather than being extracted from the source
21:12 < cfields> for ex, i was about to send Luke-Jr a link to it so he could avoid the hassle
21:12 < cfields> so if you could verify that, it'd be a big help
21:13 < warren> cfields: it's a good idea to have https://github.com/bitcoin/bitcoin/pull/3191 style build-time checks too.  When Litecoin began gitian I didn't give the team URL's to download inputs at all.  told them to find it from random locations.
21:13 < cfields> warren: sure. I just threw that together quickly. I agree with your approach
21:13 < warren> cfields: ok great, Ryan52 knows what to do.
21:14 < warren> Ryan52: please document all paranoid extra checks done, it will be part of the code review for that massive PR.
21:14 < cfields> i really can't stress it enough: It's not worth reviewing that commit. It's still very chaotic. Only worth ack'ing that it works, then discussing wtf to do with it
21:14 < cfields> at that point, i'll organize it into something more reasonable
21:16 < Ryan52> warren, cfields: will do, thanks for the advice.
21:19 < cfields> Ryan52: you have a mac at your disposal?
21:19 < warren> cfields: oh yeah, please ask Ryan52 for help with QA.  He's a good coder too.
21:19 < warren> cfields: we'll donate to him for specific goals that we think are important
21:19 < cfields> ok
21:20 < cfields> verifying that .pkg will be much easier in osx
21:21 < Ryan52> cfields: yes, I do, but I'm not too familiar with development on osx yet to be honest (mostly a linux dev historically)
21:22 < cfields> Ryan52: no worries. register for an app dev account at apple, grab the dmg, mount it, cd into it from a shell, and md5 it
21:22 < cfields> https://developer.apple.com/devcenter/download.action?path=/Developer_Tools/xcode_3.2.6_and_ios_sdk_4.3__final/xcode_3.2.6_and_ios_sdk_4.3.dmg
21:23 < Ryan52> cfields: thanks!
21:25 < Ryan52> cfields: sha256, or md5 too?
21:26 < cfields> Ryan52: sorry, i'm used to md5ing for quick verification. sha256.
21:26 < Ryan52> heh, thought so, me too :)
22:08 < warren>  https://bitcointalk.org/index.php?topic=337294.0;all  MacOS X corruption fix bounty now increased to 10 BTC + 200 LTC thanks to new a pledge from BitcoinTalk.
22:13 < cfields> Ryan52: i had to step away for a bit. having any luck?
19:34 < andytoshi> sorry, i can't join, all my money is in the one i just did with petertodd :P
19:34 < petertodd> andytoshi: ha
19:39 <@gmaxwell> andytoshi: heh one lame thing with the rotation is that if you only get one other player the timer really doesn't have time to go solicit more.
19:40 < andytoshi> yeah, my original plan was to make it be open for 24 or 48 hours
19:41 <@gmaxwell> thats so long people will lose attention though.
19:41 < andytoshi> i joined this one with a small 0.008 input and spent it all to the donation address..
19:42 < andytoshi> gmaxwell: yeah, it's a tough balance
19:42 <@gmaxwell> hah. I guess thats something you have the ability to do! :P
19:42 <@gmaxwell> easier if in the future there is a autosigner.
19:42 < andytoshi> :P i am actually doing the spent-through-coinjoin trick we talk about
19:48 <@gmaxwell> andytoshi: the sound thing works, no color change? :P
19:49 <@gmaxwell> I feel like window 3.1 encountered an error.
19:50 < nsh> ehehe
19:51 < petertodd> andytoshi: looks good this time
19:51 < petertodd> andytoshi: dunno why it says "this transaction has a non-standard input" on bc.i though
19:52 <@gmaxwell> it does?
19:52 < petertodd> gmaxwell: https://blockchain.info/tx/33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1
19:54 < CodeShark> someone could run a bot that constantly submits transactions at specific denominations for inputs with random outputs
19:54 < CodeShark> so that there are always enough "participants" :)
19:54 < petertodd> CodeShark: the bot to run is one that matches other peoples outputs and/or input combinations on demand
19:54 < CodeShark> right :)
19:55 <@gmaxwell> petertodd: doesn't say that for me.
19:55 < CodeShark> so you could specify a minimum number of participants and a maximum amount of time to wait - if in that time, the number of participants is below what you asked for, a bot fills in the rest
19:55 < petertodd> gmaxwell: the little triangle thing in "estimated confirmation time"
19:56 <@gmaxwell> what is a "_none_ standard input"
19:56 < petertodd> beats me
19:57 < CodeShark> you'd want the bot to fill each of the remaining slots using a separate wallet
19:57 <@gmaxwell> isn't the fee a bit high?
19:57 < petertodd> no, 1.5x minimum
19:57 <@gmaxwell> got it.
20:15 <@gmaxwell> petertodd: it seems to me that pond could be combined with bitmessage ... where bitmessage was used for small messages and notifications that you had messages waiting ... so that it didn't have to constantly poll.
20:16 <@gmaxwell> the polling probably makes parties substantially more vulnerable to traffic analysis should their pond server be compromised.
20:16 < petertodd> gmaxwell: makes sense, better bandwidth utilization too
20:17 < BlueMatt> gmaxwell: wasnt pond supposed to be constant-bandwidth?
20:17 < nsh> what's this pond thing now?
20:17 < BlueMatt> or am I thinking of a different one?
20:17 < BlueMatt> nsh: https://pond.imperialviolet.org
20:17 < nsh> ty
20:18 <@gmaxwell> BlueMatt: it doesn't appear to be but if it is that still doesn't prevent traffic analysis. E.g. if your pond server is compromised it still knows when you (by your group ID) poll. and the fact that you keep polling over and over and over again (10 minutes appears to be the default) makes tracing the tor a lot easier.
20:19 <@gmaxwell> petertodd: depends on usage patterns. ... you'd have to have a very high number of users who never had any traffic then perhaps a flooding network for you-have-new-messages may well indeed be more efficient. Certainly pond for large objects is way more efficient than bitmessage.
20:19 < BlueMatt> well, yes, if your server is compromised, but at least thats stronger than if the encrypted links to your server are compromised
20:20 <@gmaxwell> pond also doesn't seem to have any real way of handling "your server got taken down" that I can see, it looks like you have to start a totally new identity and rebuild your contacts?
20:24 < BlueMatt> are there any actually good products for having secure group messaging today?
20:24 < andytoshi> gmaxwell: that chime is actually me on the piano
20:24 < petertodd> BlueMatt: oh, interesting bugs in bloom FWIW
20:24 < andytoshi> i was quite sad to discover it was the win3.1 chime :P
20:25 < petertodd> BlueMatt: define "secure" and "group" :P
20:25 < nsh> you should sure microsoft for retroactively stealing your chimetulectual property
20:25 < BlueMatt> petertodd: oh?
20:25 < nsh> *sue
20:25 < petertodd> BlueMatt: I mean, what you were telling me - I need to think about that stuff some more
20:26 < BlueMatt> petertodd: oh, yes
20:26 < BlueMatt> its possible to fix, but not in a clean way afaict
20:26  * BlueMatt fucked it up...suppose thats what I get for running out of time and just trying to get it done...
20:26 < CodeShark> could coinjoin be defeated by someone who inserts the vast majority of requests?
20:27 < CodeShark> you join a transaction, think there are 10 participants, when actually 9 of them are an attacker
20:27 < BlueMatt> petertodd: secure: otr-like security, group: >= 3 technically-minded people
20:27 < petertodd> BlueMatt: yeah, good example of how important analysis is up front :(
20:27 < petertodd> BlueMatt: right, where the group can trust each other not to leak
20:28 < BlueMatt> petertodd: well, I did analyse it, and had a good design....then it needed tweaking to make it more useable, but I was out of time, so I tweaked it until it worked
20:28 < BlueMatt> now I realize I tweaked it until it broke...but it works
20:28 < petertodd> BlueMatt: do you have that original analysis written up somewhere? good starting point for fixing it
20:29 < BlueMatt> writeup? noooo
20:29 < petertodd> BlueMatt: stained napkin?
20:29 < BlueMatt> stained braincells, sure
20:30 < BlueMatt> anyway, my brief thoughts over the past two days dont indicate any clear way of keeping the "efficiency" (ie not making it worse than it already is for serving nodes) while improving the privacy
20:30 <@gmaxwell> andytoshi: where is the actual url to your chime?
20:31  * nsh is starting to think computers should not ever have access to plaintext
20:31 < nsh> that decoding of anything into human-comprehensible form should only be done by an input-only device you wear as glasses or something
20:31 < CodeShark> homomorphic encryption? :)
20:32 < nsh> aye, it's at least a weekend project :)
20:32 < petertodd> BlueMatt: figures
20:32 < petertodd> BlueMatt: I think it's just a fundamental problem where it's a tradeoff between efficiency and anonymity set size
20:33 < petertodd> BlueMatt: I'm actually thinking we might be better off with this stealth address idea/reinvention of mine and just using a fixed % of all addresses as your anonymity set
20:33 < BlueMatt> petertodd: no, I mean its very possible to get that tradeoff decent, you just have to do something like make the server Hash256^2 all elements tested against the filter as well as the element itself
20:33 < BlueMatt> or push the hash160 of the pubkey onto the scriptSig as an extra element
20:34 < BlueMatt> s/Hash256^2/hash160/
20:34 < BlueMatt> you can get very good download speeds with a fp rate of like 0.005% or so, which gives you a pretty big anonymity set
20:34 < BlueMatt> or even 0.01%
20:34 < BlueMatt> hell, a desktop does fine higher than that
20:35 < petertodd> andytoshi: interesting, I did a tx where I was all parties, and sent it on my own node, and it just said "invalidated"
20:35 < BlueMatt> should have you a litecoinj as a christmas present...
20:35 < petertodd> BlueMatt: maybe we're thinking of different things; I'm more talking about a perfect bloom filter with optimal behavior
20:35 < BlueMatt> ehhh, damn missing /msg
20:36 < petertodd> BlueMatt: heh, I could go for that
20:36 < petertodd> BlueMatt: maybe a mastercoinj while we're at it
20:36  * petertodd ducks
20:36 < CodeShark> haha
20:36  * BlueMatt kicks petertodd's ducking head
20:36 < CodeShark> that's not very nice...
20:37 < CodeShark> I mean, to bring up mastercoin :p
20:37 < petertodd> CodeShark: lol
20:37 < BlueMatt> petertodd: well, ok, but as far as I'm concerned, having an anonymity set of a few thousand addresses besides your own is perfectly reasonable for 99% of people
20:38 < BlueMatt> the rest can damn well run full nodes
20:38 <@gmaxwell> it's not quite that simple, because there are usually several other bits of deanonymizing data available.
20:38 <@gmaxwell> and so a set of thousands is quite often a set of 1.
20:39 < petertodd> for instance the nTweak itself can be a deanonymizer...
20:39 <@gmaxwell> at least bloom only reveals it to your servers.
20:39 < BlueMatt> I dont think its nearly /that/ bad, sure you can get rid of lots of fps with some analysis, but getting it down to 1 would require as much (or far less) effort than just breaking in and stealing a computer...
20:39 < BlueMatt> petertodd: how?
20:39 <@gmaxwell> BlueMatt: getting it down to a few is how you figure out which computers to go steal. :)
20:40 <@gmaxwell> (go look at that bomb threat moron.  They simply enumerated all the people on campus who had used tor near the time in question and went and intimidated them all and the guilty party confessed)
20:41 < petertodd> BlueMatt: by reusing it multiple times you have a 32-bit unique value that identifies you across multiple connections
20:41 < BlueMatt> petertodd: so...dont use it multiple times?
20:42 <@gmaxwell> I don't know why you'd reuse it?
20:42 < BlueMatt> gmaxwell: I'm not sure we're thinking of the same threat model here...
20:43 < BlueMatt> the main threat model a bloom filter addresses is your upstream nodes finding out who you are
20:43 < petertodd> gmaxwell: if you don't reuse it, and someone matches multiple instances of bloom filters to you, they can AND all the addresses matched by the filters to narrow down the actual ones in your wallet
20:43 < BlueMatt> not the network tracking down where given addresses lie
21:10 < warren> Yes it's not difficult to bypass, just annoying.
21:10 < gmaxwell> I haven't upgraded to fedora >17 because I feel kinda blah about its future... I'd probably be moving to gentoo but it just doesn't have enough active development.
21:10 < gmaxwell> I'll probably end up moving all my stuff to F19 by default, but not really excited about it.
21:18 < warren> jgarzik: can you chain load ubuntu's EFI loader to fedora's boot loader? =)
21:18 < warren> hmm... how do you add a ssh git remote with a non-standard port number...
21:19 < warren> it turns out stackexchange has this answer.
21:23 < warren> sipa: PM.  Ignore the Coin Control stuff which isn't part of litecoin.  I used that as a lazy way to visualize the available inputs.
21:26 < warren> sipa: shoot, you'll have to let me know your IP address, it doesn't allow incoming connections. =(
21:26 < warren> nevermind, I'll just open the firewall for now
21:27 < warren> ok, opened
23:01 < gmaxwell> fuck: http://blockchan.org/
23:08 < amiller> wat
23:12 < warren> gmaxwell: looks like a highly secure online service
23:13 < gmaxwell> it's 4chan implemented using data storage transactions.  You pay for access, and that funds the spam.
23:21 < warren> gmaxwell: coblee and I are considering a radical change to fees where we charge primarily for outputs and make inputs a lot cheaper.  This means you are charged for the quantity of outputs, and even higher fees for dust outputs.  Inputs would have a cost but much lower.
23:21 < gmaxwell> warren: and change your blocksize rule to be based on that?
23:22 < warren> well, we're only thinking about this.  It needs a lot of testing.  I haven't thought of a way to exploit this yet.
23:23 < gmaxwell> The obvious metric is to make the transaction size for the blocksize rule the utxo set change plus some constant factor (e.g. 1% of the size of the transactions) so that you can't get an infinitely large block that is just cleaning up the utxo.
23:23 < gmaxwell> and then make fees based on the same metric.
23:23 < gmaxwell> it doesn't solve uneconomic utxo but makes it much harder for them to exist.
23:24 < warren> The general idea is to indeed use fees to discourage the growth of UTXO.
23:28 < warren> gmaxwell: a major flaw in that plan is how would pools pay miners and "stocks" pay dividends.  That may scuttle the plan.
23:30 < gmaxwell> warren: why? I mean these things have a cost... failing to charge for it doesn't make the cost go away.
23:31 < warren> Wouldn't that encourage paying the miners through side-channels to include their massive tx's at sub-normal costs?
23:32 < warren> Or perhaps it's cheaper for many-dust-payers to pay using Bitcoin instead, since TXO's would be so much cheaper there. =P
23:33 < gmaxwell> uh. ... like. you guys are going to just produce failure if your ideas include things like trying to rule-specify fees in transactions!
23:33 < warren> "include things like trying to rule-specify fees in transactions!" isn't that what litecoin already does?
23:35 < gmaxwell> no.
23:35 < gmaxwell> or well, you know it better than I do
23:35 < gmaxwell> Is it that stupid?
23:37 < warren> trying to find the URL...
23:38 < gmaxwell> warren: litecoin will reject blocks that don't have some particular fees? thats nuts you can trivially pay outside of the blocks or have rebates outside of the blocks, or mine fake fees to yourself.
23:38 < warren> gmaxwell: no, I think we misunderstood each other.
23:39 < gmaxwell> thats why I asked the clarifying question, okay.
23:40 < gmaxwell> <foamy> so lets say tomorrow i wanted to start a website that needed login credentials.
23:40 < gmaxwell> ^ it's rude of me to snark behind his back, but I don't really mean this personally
23:40 < gmaxwell> this is an example of many other people too ... are we doomed because people want
23:40 < gmaxwell> to use bitcoin inefficiently because it's the only #$@#$@ public key signature system they know how to use?!?
23:42 < zooko> It is a great leap forward over others because it doesn't have a "name" field.
23:42 < zooko> (Tahoe-LAFS has that feature too, but it is relatively obscure.)
23:42 < zooko> Don't worry! Once people learn the new payment protocol and its x.509 names then they'll find bitcoin just as hard to use as the others.
23:42 < gmaxwell> well this guy wants a name field. "addresses are too hard"
23:42 < gmaxwell> :P
23:43 < zooko> Haha!
23:43 < zooko> I think there's a deep truth lurking in here somewhere.
23:43 < zooko> Trying to grab my ankles and drag me to the depths.
23:43 < warren> arm wave and tell him to reuse namecoin in some bad way.
23:44 < gmaxwell> he doesn't have a consensus problem, he doesn't need a blockchain at all.
23:44 < gmaxwell> I told him to use Persona.
23:44 < zooko> Ooh, nice.
23:45 < gmaxwell> he just wants a portable identity service without a central identity provider.
23:45 < zooko> Yeah, I think Persona was the right answer. Nice one.
23:45 < amiller> does anyone understand bitmessage
23:45 < amiller> it's an entirely separate blockchain right it doesn't try to be merge mined like namecoin?
23:45 < gmaxwell> there is no blockchain
23:45 < gmaxwell> it's just hashcash flooding messages.
23:46 < gmaxwell> (which is fine)
23:46 < amiller> er, hm well there's no incentive argument
23:48 < gmaxwell> if it's cheap enough to run because the hashcash ratelimits it, then there doesn't need to be an incentive beyond "have a useful system, and have your own participation be anonymized by the fact that you're running it"
23:48 < gmaxwell> they divide the anonymity set to scale better. ('channels')
23:49 < amiller> i'm still sort of looking for an application where extra consensus storage in the utxo is worthwhile and then maybe that's a good way to prototype utxo storage fees
23:49 < amiller> the only reason not to use Namecoin as that application is because there's this additional complexity about how to handle initial allocation of names and such
23:50 < warren> what ever happened to namecoin?  why was it never updated?
23:50 < warren> the lack of a GUI to make names might have limited its appeal?
23:51 < warren> Or it tried to solve a problem that people really didn't care about?
23:52 < gmaxwell> those two, also developers lost interest (somewhat the case in litecoin too), also the developers were pissed about speculation and adjusted the cost of names way down and people then registered every possibly interesting name
23:54 < gmaxwell> also merged mining gave a ton of namecoin to people who didn't care about names... making it more expensive for people who did.
23:54 < gmaxwell> not only didn't care about names, but had never even run the software and couldn't register one!
23:55 < gmaxwell> also their design had no mechanism for a secure lite mode resolver which got lamer as the chain grew...
23:55 < warren> I'm guessing that chain would be really cheap to spam to death.
23:55 < gmaxwell> (though I 'solved' that by inventing committed utxo sets! well kinda, I didn't instantly see how to prevent tree unbalancing attacks)
23:56 < amiller> fuck it just use tries
23:57 < gmaxwell> I didn't think of that at the time, but didn't think too hard ... I did think of "just use a self balancing tree" except I worried about the worst case complexity of an update.
23:57 < gmaxwell> but yes, a prefix-trie is the obvious thing to do.
23:58  * amiller stopped worrying and loves tries, w/ev
23:59 < amiller> namecoin would likely suffer from utxo bloat though
23:59 < gmaxwell> also, the namecoin community provided insufficient on-ramping. E.g. if they'd raised money and bought .bit (the real TLD) and proxied to it... I bet namecoin would be dominating the world of something now.. but back then raising a few hundred K in the bitcoin community wasn't obviously possible.
23:59 < gmaxwell> amiller: it has renewals required every 30k blocks. ... so not name utxo bloat!
--- Log closed Wed May 22 00:00:03 2013
--- Log opened Wed May 22 00:00:03 2013
--- Day changed Wed May 22 2013
00:00 < warren> If someone UTXO spammed that chain, it would be weeks before anyone noticed.  "Why is namecoind using 1.5GB of ram?"
00:00 < amiller> ok well not from dead lost txs but like, just having lots of names registered
00:00 < amiller> i don't remember the financial model for namecoin whether there's a fee per name or w/e
00:00 < gmaxwell> amiller: good problem to have. use utxo-spv resolvers and a lot of caching. :P
00:01 < gmaxwell> amiller: mining gives you 'namecoins' and there is a system imposed minimum fee for names. the idea is that its a closed loop ... miners get coins to make the chain go.. people buy them to get names.
00:02 < gmaxwell> merged mining meant the 90% of the hashpower was a couple miners that didn't really give a shit about the whole thing... and so no one manually propped the fees up when the system minimums became obviously too low.
00:02 < amiller> ok so the minimum fee + renewal rate, at least is a bounded kind of per-storage fee
00:02 < amiller> what's the bloatiest thing you can put in a namecoin registration, some weird mappings or sub rules or something?
00:03 < gmaxwell> the minimum fee geometrically declined however ... even faster after the merged mining hardfork because the dev was pissed off at speculation of the coins.
00:03 < gmaxwell> amiller: I think you can mine 10kb of whatever the @#$#@ you want.
00:04 < amiller> why mine as opposed to just make a tx
00:04 < amiller> unless your point is specific to coinbase tx outputs
00:05 < zooko> gmaxwell: exciting idea about launching a namecoin with integration to the legacy name system!
00:05 < zooko> Somebody get a few million from a VC and do that.
00:06 < zooko> I had thought that a really good hack would be to grant the new-name to anyone who proved ownership of the old-name. Grandfather-in as many people as you can.
00:06 < zooko> By "new-name" I mean namecoin-like-thing, and by old-name I mean DNS/PKI.
14:05 < Luke-Jr> adam3us: to fix the param problems with Litecoin's PoW, you'd introduce an algorithmic problem because you'd expose validators to the memory requirements
14:06 < adam3us> Luke-Jr: I love what you are doing with eligius policy.  My point was more in the long term/theoretical - the fact that a miner can make decisions about payments might lead to censorship, coin blacklisting if miners get too large and centralized
14:07 < adam3us> Luke-Jr: this risk is what led me to think of committed tx where the miner cant see the coin contents until after it is mined
14:08 < Luke-Jr> adam3us: that was already a risk
14:08 < amiller> gmaxwell, you see the post about bitter to better and hash locking?
14:08 < amiller> i'm familiar with that paper but somehow didn't understand that.
14:10 < adam3us> Luke-Jr: yes i am talking about the 5 year old risk.  like I say your new policy i think is awesome :)
14:16 < K1773R> adam3us: how should a miner (we're talking about bitcoind in this case) decide which txs are valid and which not if he doesn't know what it is until it finds a PoW?
14:17 < gmaxwell> K1773R: because in such schemes it doesn't matter if its not valid.
14:18 < adam3us> K1773R: the committed tx is a hash of the tx and a cleartext fee, only the recipient gets to see inside it, and technically its only recipients who care.
14:18 < K1773R> gmaxwell: so i could fill someone else's blocks with trash (invalid txs which will be later dropped/ignored) to minimize the amount of valid txs? that seems even more horrible than it is now
14:19 < gmaxwell> K1773R: you'd have to pay fees, same as always. You're replaying my objections now. :P
14:19 < K1773R> adam3us: so i can spend coins from someone else with no signatures attached and the system would mine a block with it? ugh :S
14:20 < K1773R> gmaxwell: ah i c, so you pay the fee even if the tx will be later dropped (after its contents are known)?
14:20 < adam3us> gmaxwell, K1773R: (yes) btw similar objections could probably be made of mastercoin and colored coins and the new message packet - people pay to use the block chain in ways even less useful to bitcoin
14:21 < gmaxwell> K1773R: yea. you can imagine it as a normal fee paying txn plus a blinded txn stuffed inside it.  And no, if it's used right someone can't block you with an invalid txn.
14:21 < amiller> damn this bitter to better proposal is actually really cool....
14:21 < adam3us> K1773R: it also can't be double spent, even though its in committed form
14:22 < amiller> i didn't realize it but it successfully provides no way to link the two transactions involved
14:22 < gmaxwell> amiller: it doesn't work in bitcoin today.
14:22 < amiller> why not
14:22 < amiller> looks like it does to me?
14:23 < gmaxwell> IIRC it requires arithmetic in script.
14:24 < maaku> adam3us: fyi i object to "committed tx" because that terminology is misleading. people think committed == confirmed == validated.
14:24 < maaku> you might have an easier time explaining it if you adopt "hidden tx" or some other terminology
14:25 < adam3us> maaku: yes.  was thinking of bit-commitments when i came up with the name.  it might be better yes.  however it is only temporarily hidden typically.  so in some way it is rather like a classical bit commitment - you fix a value for the duration of the protocol and then reveal
14:25 < amiller> gmaxwell, i just checked and no it doesn't require any arithmetic in the script
14:25 < amiller> i thought it did too, but it doesn't
14:25 < adam3us> amiller: link?
14:25 < amiller> https://crypto.stanford.edu/~xb/fc12/bitcoin.pdf
14:25 < amiller> scroll to section 7.1 a fair exchange protocol
14:25 < amiller> alice and bob can swap coins in two transactions without linking the two transactions to each other
14:30 < maaku> really? it looks to me like they're linked by the hashes
14:30 < maaku> it'd be easy to build an index of transaction matching this form, matching them together
14:31 < amiller> they're not
14:31 < amiller> i totally misread this paper as i think everyone else did
14:31 < amiller> a1,a2,a3,... are alices secrets
14:31 < amiller> b1,b2,b3 are bobs secrets
14:32 < amiller> what happens is that one transaction contains H(b1),H(b2),...
14:32 < amiller> while the other transaction contains H(a1+b1), H(a2+b2), ... etc
14:32 < amiller> so you can only link the transactions if you know a1,...
14:32 < maaku> a1 + b1 meaning a1 XOR b1?
14:33 < amiller> ye
14:33 < maaku> ok they could have been much clearer
14:33 < amiller> so alice begins with a1,... and bob learns a1+b1 through the protocol
14:33 < amiller> however no one else learns them.
14:34 < amiller> er i mean bob learns a1,... throughout the protocol by observing a1+b1 and already knowing b1,... but no one else learns b1 etc
14:35 < maaku> b is revealed when alice claims her amount, yes?
14:35 < amiller> b is revealed yes
14:36 < amiller> everyone learns b
14:36 < amiller> no one other than bob and alice learn a though
14:39 < adam3us> maaku: btw the other day on here you mentioned about combining chaum certified issue for a external issuer and ZC.  maybe with lower overhead for the network you could have chaum certs exchangeable with the issuer, and use the blockchain only for recording spent coins
14:40 < gmaxwell> maaku: basically its a similar protocol to my first coinswap attempt, but they didn't move as much of the protocol out of band as petertodd did.
14:41 < maaku> gmaxwell: where's the latest protocol?
14:41 < gmaxwell> instead, they just moved the script execution out via the cut and choose thing.
14:41 < gmaxwell> whereas PT's approach was to move the entire hashlock out via escrows and refunds.
14:42 < maaku> adam3us: yes, if someone has rights to issue currency, trusting them for double-spend validation is no less secure
14:42 < maaku> issuing more currency or allowing double-spends amounts to the same thing
14:42 < maaku> it requires them to be online, however
14:43 < maaku> i see a use for that with private accounting servers, where the server itself can act as signer
14:43 < maaku> not so sure about the public chain though
14:43 < adam3us> maaku: i was wondering also if you could prevent overissuing. say the issuer key is offline, but there is an online refreshing key.  the block chain validates that no more than the issuer number exist
14:45 < adam3us> maaku: i think the main problem is it conflicts with privacy - if the refreshed coin has to be block chain validated, it is obvious to the issuer who the owner is
14:46 < maaku> adam3us: how?
14:46 < adam3us> maaku: timing
14:46 < maaku> i'm not sure I follow
14:47 < maaku> there are 20 coins in existance in this series, say, and when I send a token for redemption, how does the server know which one prior --
14:47 < maaku> oh you mean because the person claims it and uses it
14:47 < adam3us> maaku: so say the block chain provides a way to count how many coins are in circulation, because they are recorded as confirmed
14:48 < maaku> yes everyone knows where coins enter and leave the chaum system. that's assumed
14:48 < adam3us> maaku: yes the recipient swaps it for a fresh one, and then has to confirm it.  the old serial number must be recorded, and the new blind coin
14:48 < maaku> but if it's chaum -> chaum, there's no linkage
14:49 < adam3us> maaku: the timing is the issue - the user would like to hold it off chain until he wants to spend it ,if he does that the online issuer could overissue wrt to the offline issuer intended share pool size (eg if it was hacked)
14:49 < maaku> why? there's no privacy risk to confirming the redemption
14:50 < maaku> because it's not linked to future or past transactions
14:50 < maaku> it's completely anonymous
14:50 < maaku> input: unblinded token (not linked to past), output: blinded token (not linked to future)
14:51 < adam3us> maaku: i am making assumptions about how to enforce the limit.  maybe there is a better way.  at time of issue, 100 shares are issued (blind certs).
14:51 < adam3us> maaku: whenever they are traded the old serial number is given to the block chain by the recipient for validation, and used as proof to the online issuer to get a fresh coin
14:54 < adam3us> maaku: you want the network to be able to help the bearer share holders know there are only 100 in circulation still. seems tricky
14:55 < maaku> adam3us: that could be kept in an index
14:58 < adam3us> maaku: seems like the online issuer could issue 101, 102 etc because the recipients hold them offline until use
15:12 < adam3us> gmaxwell: you mentioned yday or so that the idea of sending keys from committed/hidden coins via the p2p network without mining validation would conflict with confirmed utxo.  is the utxo set view of the miner included in the coinbase to facilitate spv?
15:18 < gmaxwell> adam3us: it isn't included today, we've talked about including it.. not just spv but "spv that can validate", for use in rapid full node bootstrapping and other things.
15:20 < gmaxwell> adam3us: on a separate subject, I was thinking: It's actually really sad that our native signature scheme can't do efficient 2-of-2 multisigning ("split key"), because if it could the anonymity set of 2-of-2 escrows (like coinswaps) would include all the regular transactions too.
15:23 < adam3us> gmaxwell: yes this is why i keep on about EC schnorr it supports n of n without prior arrangement, just add up Q1 and Q2 and sign with d1 and d2
15:24 < adam3us> gmaxwell: schnorr also supports simple k of n (again with public key of size one key) and the observer never knows if a signature is one public key, 2 of 2 or k of n.  its all invisible to the verifier
15:25 < adam3us> gmaxwell: ec schnorr also supports very simple efficient blinding (unlike ec dsa), and extends into brands credentials which open a whole realm of compact, similarly efficient to ECDSA per term ZKPs of selective disclosure and formulae on attributes, which probably something interesting can be done with
00:03 < realazthat> so I was asking the other day, if it is a good PoW
00:04 < realazthat> even if it is an easy problem, just a bad algorithm
00:04 < realazthat> answer is yes
00:04 < realazthat> Q: "Is there a guarantee that there is no way to generate a signature if a correct answer is otherwise found in a quicker manner than running `P`, the original program, via running `Q` instead?"
00:04 < realazthat> A: "Yes, the only way (assuming you cannot break crypto) is to run P, not Q."
00:04 < realazthat> Q: "I heard a rumor that you are using LLVM; if so, is it possible that any/most (possibly restricted?) LLVM programs can be used to generate such a proof (obviously can be done via the defunct "C back end" as well)? If not, disregard this question."
00:04 < realazthat> A: Wrong rumor. The top level uses a gcc backend. But really our pixie-dust is sprinkled after we have assembly code for a specific virtual machine and we would like to get a decent LLVM compiler for it as well.
00:05 < realazthat> mmm I would be interested in doing that
00:05 < gmaxwell> their machine code is really simple.
00:05 < realazthat> yeah
00:05 < realazthat> mmm can you link their stuff on that if there is any?
00:05 < realazthat> I want to see the vm
00:05 < realazthat> tinyram?
00:06 < gmaxwell> shifts, mul, add, sub, cmov, add, xor,not, load, store, and ~5? iirc compare operators. 32 32-bit registers.
00:06 < realazthat> mmm
00:06 < realazthat> dunno why they didn't just do LLVM in the first place
00:06 < gmaxwell> (er replace second add with _and_)
00:07 < gmaxwell> because they need to know how to convert each of the operators to a set of constraints on how it updates the program state.
00:07 < realazthat> oh no I know that
00:07 < realazthat> thats fine
00:07 < realazthat> I mean LLVM => tinyram
00:07 < gmaxwell> Ah. Yea, no clue.
00:08 < gmaxwell> probably the compiler person on their team knew gcc internals already?
00:08 < realazthat> this would be a really sweet LLVM backend hehe
00:08 < realazthat> yeah
00:08 < realazthat> as soon as its out, I'll see if I can do something with LLVM
00:08 < realazthat> LLVM has a defunct C backend as well
00:08 < realazthat> but I'd rather see something more direct
00:08 < realazthat> seems simple enough
00:09 < gmaxwell> I imagine a lot of the most interesting stuff will just end up as handcoded tinyram eventually... C gives you rapid bootstrapping.
00:09 < realazthat> mmm maybe
00:09 < realazthat> because of performance?
00:10 < gmaxwell> Yea, at least their first generation stuff requires a lot of fast memory to compile to their constraint program. It's polynomial, but the constants are big enough that hand optimizing will be worth it for many things.
00:11 < realazthat> yeah the 1st gen is .. not optimal
00:11 < realazthat> I saw that slide
00:11 < realazthat> er
00:11 < gmaxwell> also, dunno if you've spent much time looking at compiler output ... well, there are a lot of sins which are more forgivable on modern hardware with things like branch prediction and reordering nearly free register to register motion, etc. compared to this environment.
00:11 < realazthat> or do you mean in general, 2nd stage included
00:12 < gmaxwell> No, I meant first. I don't quite fully grasp the performance implications of the second generation stuff.
00:13 < realazthat> mmm, I'll write up a second email with some followup questions
00:13 < realazthat> including my recursion idea
00:14 < gmaxwell> The recursion idea sounds like the ram binding stuff itself, to some extent.
00:14 < realazthat> ah I am not familiar with that; probably over my head :/
00:15 < gmaxwell> (the idea that if you prove the state transitions and you prove the ram state you can arrange these operations in graphs and prove the compositions then the compositions of the compositions)
00:15 < gmaxwell> it's in that paper I linked to the other day.
00:15 < realazthat> ah
00:16 < gmaxwell> It's a little frustrating to me, because I have enough background to undersand basically all of the parts... but the whole of it is a bit too specialized for me to follow in detail.
00:16 < realazthat> yeah I was thinking about how SCIP would work internally (without ever having read anything on it)
00:16 < gmaxwell> er understand.
00:16 < realazthat> heh, for me it is hard to imagine
00:16 < realazthat> but I imagine it is a bunch of cool tricks in this vein
00:16 < gmaxwell> the RS code and proximity proofs for the PCP stuff was pretty mind blowing to me.
00:18 < amiller> does this even need any PCP
00:19 < amiller> i can't figure out how to reconcile all the different terms, many verifiable computing things explicitly say they don't need any PCP which is desirable because PCP usually implies exponentially additional work for Prover
00:19 < gmaxwell> go read Eli's paper on how they solve that.
00:19 < gmaxwell> lemme find link
00:21 < gmaxwell> http://people.csail.mit.edu/madhu/papers/2005/rspcpp-full.pdf and then http://eccc.hpi-web.de/report/2012/045/
00:23 < amiller> i see "Although we also construct simpler PCPs, our approach by contrast relies on adding algebraic structure instead of combinatorics."
00:23 < amiller> they also mention something by Dinur that presumably also gets quasilinear blowup (which is probably tolerable)
00:28 < amiller> ok so fuck it we'll be able to code a single utxo branch checker and then validate the whole block chain in constant time, that's totally exciting
00:29 < amiller> then the splitting hairs thing is to try to get these proofs constructed collaboratively
00:30 < amiller> they're already set up to be built incrementally which is good
00:30 < gmaxwell> (the second cite I just gave even mentions "recursively compose non-interactive proofs")
00:39 < realazthat> mmm
00:39 < realazthat> that sounds something like what I suggested
00:40 < realazthat> at least by the name lol
--- Log closed Sun Jun 02 02:09:08 2013
--- Log opened Sun Jun 02 02:09:22 2013
02:50 < amiller> every advanced crypto concept is just a) complicated thing b) complicated thing c) merkle tree on top of complicated things d) complicated thing
02:50 < warren> Don't forget the hand waving.
12:09 < realazthat> I invited eli to #bitcoin-dev and #bitcoin-wizards
12:09 < realazthat> dunno if he has the time lol
12:09 < realazthat> but would be cool
22:04 < realazthat> mmk
22:04 < realazthat> got eli's response
22:04 < realazthat> Q: How does SCIP cost O(T(P)) time to generate P' for Alice, if there is no way of knowing how long P will run (halting problem)? I assume there is some bound that must be chosen then? If Bob runs longer then this bound, I assume it will fail?
22:04 < realazthat> eli: Part of the problem definition is a time bound. And we assume wlog that if the execution shoots over it then it fails. Thus, the halting problem is not an issue.
22:05 < realazthat> Q: Why can't a simple 1-level recursion reduce Alice's required generation time? That is, Alice verifies a verification function was run on chained runs of a smaller task, which sum up to P? I think this can get the generation time to sqrt(T(P)). And possibly lower, if it is done with more levels of recursion.
22:05 < realazthat> eli: Good idea, this is known as "bootstrapping" but getting it right is far from trivial. There are a few works on the topic, such as by Paul Valiant (titled "incrementally verifiable computation"), and by Chiesa and Tromer (called "Proof carrying data and hearsay arguments") and more recently by them+Bitansky, Canetti, titled "Recursive composition and bootstrapping for SNARKs and proof-carrying data."
22:05 < realazthat> PS. if you have time to answer more questions, I would love to chat with you and/or other people knowledgeable/interested about the project on IRC. Several interested people hang out on the freenode network in #bitcoin-dev and #bitcoin-wizards.
22:05 < amiller> righteous
22:06 < realazthat> eli: I would be happy to hang out some time with some of my collaborators, how does this work?
22:06 < realazthat> PPS. I would also love to attempt/start an LLVM backend to tinyram for my personal gratification of playing with LLVM and tinyram.
22:06 < realazthat> Will forward this to my co-PI and let's see how to get it to work, will get back to you on this.
22:06 < realazthat> mmk, now I have to give him instructs on getting on here :D
22:09 < realazthat> I wonder if we should setup some sort of official Q&A
22:10 < realazthat> in #bitcoin-dev
22:10 < realazthat> because his wording indicates a one-time deal
22:42 < amiller> mailing list threads are usually pretty good too
22:55 < realazthat> oh shall I invite him to the bitcoin ML?
22:55 < realazthat> I am not subscribed myself
22:55 < realazthat> subscribed to too many MLs lol
22:59 < amiller> maybe it would be nice to make a forum thread about his talk and how to actually begin a project on it?
22:59 < amiller> if you want to solicit more open ideas / support / help from the community
22:59 < amiller> or if you want to do it mostly yourself you could just pick anyone you can find (maybe people in here i guess) and include them on an email
23:00 < realazthat> mmm
23:01 < realazthat> I assumed there were people talking about this elsewhere on the forums
23:01 < realazthat> I don't really follow them
23:01 < realazthat> but I have his attention, I am just wondering where it is best to direct it
23:01 < realazthat> as for working on applications of it, that's a separate story I think, no
23:02 < amiller> link to the forum threads?
23:03 < amiller> (why not look for them)
23:03 < realazthat> mmmyeah
23:03 < amiller> i'm also not sure where best to direct it
23:03 < realazthat> it seems a bit silent about SCIP hehe
23:03 < realazthat> on the forums that is
23:04 < realazthat> google doesn't turn up much
23:04 < amiller> but i definitely have the sense that it's really exciting to have high powered cryptographers taking nontrivial (grr, adi shamir) looks at bitcoin and offering to help
16:39 < gmaxwell> yea, okay, but if it fails you could just ban the host... doesn't seem like a very useful attack. "I can make you do one pointless sha256 operation per IP!"
16:41 < gmaxwell> Luke-Jr: what? if someone submits something that isn't valid work (either a share or a block solution), why not short term blacklist them? could even just be for 10 seconds.
16:41 < phantomcircuit> gmaxwell, you can't do that, a significant enough % of shares submitted are invalid that you'd block legitimate clients
16:42 < gmaxwell> phantomcircuit: invalid as in the hashes aren't good?!
16:42 < Luke-Jr> gmaxwell: because it happens normally
16:42 < Luke-Jr> not often, but it does
16:42 < Luke-Jr> especially with stupid miners
16:42 < gmaxwell> Luke-Jr: uh why aren't miners checking work before they submit it?
16:42 < Luke-Jr> dunno
16:42 < Luke-Jr> I guess that's harder to screw up with GBT..
16:43 < warren> gmaxwell: certainly we've seen that all miners and mining pool ops know what they're doing.
16:43 < phantomcircuit> gmaxwell, yeah i don't get it either but some % of shares submitted by cgminer end up missing the target
16:43 < warren> and understand the code they copied from a random github
16:44 < phantomcircuit> lol
16:45 < Luke-Jr> gmaxwell: heh, denying the authority we basically have seems futile - I'm just going to blame the community that empowers us by not make decisions
16:45 < Luke-Jr> making their own*
16:45 < Luke-Jr> phantomcircuit: well, that's cgminer
16:46 < phantomcircuit> Luke-Jr, i think i've seen it with bfgminer also over stratum but only at trivial amounts
16:46 < phantomcircuit> but certainly banning for a single failed hash wouldn't be a good idea
16:46 < gmaxwell> Luke-Jr: I think his comment is just psycho. he's railing about the bitcoin foundation as if that has anything to do with it.
16:46 < gmaxwell> (especially as if it had anything to do with bfgminer!)
16:46 < warren> bitcon foundation g*something miner
16:47 < Luke-Jr> lol
16:47 < warren> I couldn't think of an amusing g word.
16:47 < Luke-Jr> gmaxwell: well, it doesn't help that someone got a cert to sign B-Qt as "Bitcoin Foundation" :/
16:47 < Luke-Jr> warren: Bitcoin Foundation/Google Miner
16:47 < Luke-Jr> obviously
16:59 < BlueMatt> amiller: http://i.imgur.com/wGNyKLX.jpg (yes, the position of the title is rather arbitrary, but it works well as my desktop background)
17:00 < amiller> :)
17:00 < amiller> i'll let you know if we make a more accurate one :)
17:01 < BlueMatt> meh, I figure it's probably pretty far off, but I don't care all that much
17:01 < BlueMatt> still looks cool
17:03 < amiller> :)
17:03 < gmaxwell> https://bitcointalk.org/index.php?topic=325737.msg3492937#msg3492937
17:12 < phantomcircuit> Luke-Jr, does #allblocks work if the stratum server supports get_transactions?
17:13 < Luke-Jr> no
17:13 < phantomcircuit> gmaxwell, sometime later this week i'll work on preventing amiller's mapping method
17:14 < amiller> pls dont
17:14 < phantomcircuit> gmaxwell, any suggestions beyond just improving the trickle out stuff?
17:14 < phantomcircuit> amiller, the problem is you could be mapping nodes to wallets
17:14 < phantomcircuit> which is a general privacy problem
17:15 < phantomcircuit> im sure you're not but
17:15 < gmaxwell> phantomcircuit: well mapping the network increases dos risks. e.g. map the connectivity in the region of a node of interest and DOS its peers.
17:15 < gmaxwell> Now you've isolated it.
17:15 < phantomcircuit> right
17:15 < phantomcircuit> im sure he isn't doing that
17:16 < phantomcircuit> but there are all kinds of problems with being able to map the network
17:16 < gmaxwell> he's not, but his technique could be used to do so, if it were accurate enough.
17:16 < amiller> well, figure out how to fix it and just let me collect results before deploying it :o
17:18 < gmaxwell> sure sure
17:18 < phantomcircuit> amiller, i would assume that such a fix won't be part of a release for several weeks minimum
17:18 < phantomcircuit> you've got plenty of time
17:18 < amiller> k
17:18 < phantomcircuit> also fun fact i tried to record every message from the entire network but gave up after i filled a 2TB hdd in 15 days
17:18 < amiller> the grad student who's working on this has basically been working on it for 2 years now, he codes slowly
17:19 < phantomcircuit> (yes with extensive deduplication)
17:19 < phantomcircuit> amiller, you maybe want to put a fire under his butt then :/
17:19 < amiller> yep.
17:41 < MC1984_> amiller how are nodes grouped on that graph
17:52 < amiller> MC1984_, arbitrarily
17:52 < amiller> something about mutual connectedness
17:52 < MC1984_> i wondered if the orange cluster on the right was bci
17:53 < MC1984_> and the big yellow one top middle is probably the nsa amirite
17:54 < amiller> petertodd, did you make a javascript bitcoin network simulator and tell me about it some time
17:59 < petertodd> amiller: nope, never written a line of javascript in my life
17:59 < amiller> good, keep it that way
17:59 < amiller> petertodd, are you reeep
18:00 < amiller> not retep, but reeep
18:00 < petertodd> lol, nope
23:12 < midnightmagic> it's 25% iterative, capped when the queue for that peer fills up with enough waiting messages (in which case it floods it out), with a 100 millisecond granularity.
--- Log closed Wed Nov 06 00:00:26 2013
--- Log opened Wed Nov 06 00:00:26 2013
08:25 < adam3us> can you put a locktime inside a script address? or is the locktime an attribute of the transaction only
08:26 < sipa> it's a transaction attribute
08:26 < adam3us> sipa: eg can i pay you, in such a way that I can't later (after confirmation) spend the inputs; and you can only onwards spend after locktime
08:27 < sipa> yes, that's what locktime does
08:28 < sipa> it prevents putting the transaction in a block until a certain timestamp or block height has passed
08:28 < adam3us> sipa: well the first transaction must be confirmed, but i suppose eg the script requires two signatures, and i give the recipient one signature that is on a transaction serialization with a locktime
08:28 < adam3us> sipa: i guess that is how you would do it
09:58 < amiller> i'm starting to feel more concerned about the selfish mining attack
09:58 < amiller> first of all i think the thing to focus on is the 1/3 limit
09:58 < amiller> since everything else really gives the attacker too much control over latency
09:59 < amiller> as an impossibility result you'd want to say that we're screwed even with a weak adversary
09:59 < amiller> so here's the thing, previously we thought there was no direct way to profit disproportionately even with a 51% attack
10:00 < amiller> the thing is, this closes the gap between 1/3 and 1/2 because once you hit 1/3, you can gain disproportionate profit
10:00 < amiller> you don't even have to commit fully to the selfish mining!
10:00 < amiller> if you are above 1/3, you can withhold blocks for a little bit, some of the time, and still get the benefit
11:00 < petertodd> amiller: announce/commit sacrifices to fees are an excellent example where withholding blocks for just a little bit can be worth it
11:01 < petertodd> amiller: basically, the sacrifice unlocks at some block height, so anything you do to keep the rest of the network at least a block behind can be very profitable
12:54 < amiller> it's hard for me to understand how trickle could actually slow tx propagation much
12:54 < amiller> every inv has a 1/4 chance of getting sent, every 100 ms or so
12:55 < amiller> since that's how often each peer is processed
12:55 < amiller> the chance of a tx not getting sent after a couple seconds is really low
--- Log closed Thu Nov 07 00:00:33 2013
--- Log opened Thu Nov 07 00:00:33 2013
06:25 < midnightmagic> hrm.
06:26 < midnightmagic> petertodd: Did you see the FAQ entry in Sirer's blog? "Our attack does not rely on network position or well-connectedness. It does not require Sybils. It does not require a fast connection to other miners. Anyone who claims otherwise does not understand the attack."
06:47 < petertodd> midnightmagic: yes I did, and the way they describe their attack is its one where it's made better by all those things
06:50 < midnightmagic> Sneaky wording then. Doesn't *rely* on it, and works without it. I wonder if "minimal advantage" is thus how they consider the attack as a currency-destroying revelation.
06:51 < petertodd> They're assuming that miners will shift to the pool with the higher profit margin
06:52 < midnightmagic> i wonder if the math were done right now it would compare against just making a bunch of blank blocks
06:52 < midnightmagic> s/now/how/
06:53  * midnightmagic solicits headache cures
06:53 < petertodd> Look at it this way: their attack, without any low-latency insight into the network, devolves into my attack!
06:56 < petertodd> Or less charitably: I had a great bit of intuition months ago, was lazy and didn't develop it properly, and someone else re-invented it with the twist that if you also have low-latency you can exploit it at less than 30% hashing power.
06:57 < petertodd> or heck, maybe that's where they got the idea... they tell me that they don't understand how my attack works, but I don't exactly trust those guys :/
07:13 < midnightmagic> petertodd: I read -wizards as much as possible but I missed your attack. What's your attack?
07:14 < petertodd> It's something I posted ages ago to bitcoin-development - like last january - showing how contrary to popular belief miners had an incentive to publish their blocks to only a majority of hashing power rather than all hashing power if their goal was to get more blocks than other miners.
07:15 < petertodd> My original analysis was overly simplistic, and when I applied a bit of math to it I realized I was wrong and the threshold was actually only 30%
07:20 < midnightmagic> petertodd: ah cool thanks for the pointer
14:25 < maaku> I haven't studied SIN / identity protocol much at all
20:50 < fagmuffinz> justanotheruser: you could have people agree to some protocol that would operate the same way some central authority would, and if compliance with that protocol can be algorithmically guaranteed, then you could decentralize it
20:50 < fagmuffinz> Thinking on that algorithm
20:55 < fagmuffinz> I mean, you don't need a proof of work for it at all
20:55 < fagmuffinz> If you actually count the vote right...
20:55 < fagmuffinz> There's no incentive to keep recounting it
20:55 < fagmuffinz> All you care about is verification
20:55 < fagmuffinz> Which is easily agreeable in a shared protocol
20:56 < justanotheruser> fagmuffinz: how do you do this anonymously?
20:56 < justanotheruser> while verifying that everyone who started with a vote, and only those that started with a vote are counted
20:56 < fagmuffinz> That's harder
20:56 < fagmuffinz> First part is easy, just random key generation every time
20:57 < fagmuffinz> Now you're asking about assigning people keys
20:57 < fagmuffinz> Let's say...
20:57 < fagmuffinz> Everyone agreed to do a shamir's secret sharing algo
20:57 < fagmuffinz> And you could generate M keys...
20:57 < justanotheruser> fagmuffinz: If the central authority can make 10000000 votes for themselves, then it is no better than the current situation
20:58 < fagmuffinz> The M keys could be applicable to use, then, for signing given enough length
20:59 < fagmuffinz> Thinking about retooling shamir's
21:00 < fagmuffinz> I think this would work...
21:00 < justanotheruser> When assigned keys, you either need to say who you gave them to, which would remove anonymity, or not say, which would allow them to make as many votes as they wanted
21:00 < fagmuffinz> Is it important to outside parties to verify the result of an election?
21:00 < fagmuffinz> No
21:00 < fagmuffinz> I've already gotten past that
21:01 < justanotheruser> What, using shamir?
21:01 < fagmuffinz> Yea
21:01 < fagmuffinz> I've got it actually
21:01 < fagmuffinz> As long as outside parties don't need to vote
21:01 < fagmuffinz> Or verify
21:01 < fagmuffinz> Whatever
21:01 < justanotheruser> How would you use shamirs for voting?
21:01 < fagmuffinz> lmfao
21:02 < fagmuffinz> God, that's gorgeous
21:02 < fagmuffinz> Ok
21:02 < fagmuffinz> Let's say there's a blockchain that starts with some initial seed
21:02 < fagmuffinz> Everyone shamir's secrets that seed
21:02 < fagmuffinz> And generates M keys to vote with
21:02 < fagmuffinz> Encrypt this initial seed with the key Shamir's secret sharing generates
21:03 < fagmuffinz> Save it as the next seed for the next "voting block"
21:03 < fagmuffinz> Everyone who's in knows it
21:03 < fagmuffinz> Those people then use their M keys to cast a vote
21:03 < fagmuffinz> Moot after that point
21:04 < fagmuffinz> You could add people potentially
21:04 < fagmuffinz> Everyone agrees that each key also gets to elect one new person to join
21:05 < fagmuffinz> Eh...
21:05 < fagmuffinz> Fuck
21:05 < fagmuffinz> Sec
21:06 < justanotheruser> fagmuffinz: Wouldn't everyone know everyone else's votes if there was a shared seed that was the other half of everyone's secret?
21:06 < fagmuffinz> Yea
21:06 < fagmuffinz> But you can make that pseudonymous
21:07 < justanotheruser> So there are pseudonyms associated with the votes? Meaning the votes aren't guaranteed to be associated with a person?
21:07 < fagmuffinz> Correct
21:07 < fagmuffinz> The issue I'm running into right now mentally...
21:08 < fagmuffinz> Is ensuring the keys generated that suffice shamir's secret sharing...
21:08 < fagmuffinz> Can be isomorphic to a private/public key pair...
21:08 < fagmuffinz> Or guarantee some private/public key pair
21:12 < fagmuffinz> If p and q were your public/private key pair
21:12 < fagmuffinz> You could do something like...
21:12 < fagmuffinz> G = p^q
21:12 < fagmuffinz> Then sign G with p
21:13 < fagmuffinz> Or...
21:13 < fagmuffinz> One of the M keys
21:13 < fagmuffinz> Sign (G,p)
21:13 < fagmuffinz> All of this modulo some N
21:21 < fagmuffinz> K, scratch part of that. All that's necessary to ensure that whoever had the key actually cast the vote is signing off a (p,N) message with one of the shamir's keys, for a p/q mod N public/private key pair. I currently have no way of guaranteeing good behavior to those included in the vote, aside from the protocol penalizing them during the next voting round(s)
21:27 < fagmuffinz> Is that sufficient?
21:40 < justanotheruser> sorry, I was away, you still there fagmuffinz
21:40 < fagmuffinz> yea
21:41 < justanotheruser> I don't really understand what you mean by penalizing them
21:42 < justanotheruser> brb
23:40 < fagmuffinz> I'm not exactly sure what I mean either thinking about it
23:40 < fagmuffinz> Or any good way of enforcing it
23:40 < fagmuffinz> The issue is in verifying everyone else's key in the SSS (Shamir Secret Sharing), you could easily use any of their keys to vote
23:41 < fagmuffinz> So you're assuming good behavior amongst the voting population
23:41 < fagmuffinz> That's probably a no-no
--- Log closed Wed Jan 01 00:00:44 2014
--- Log opened Wed Jan 01 00:00:44 2014
01:15 < midnightmagic> fagmuffinz: man you have a terrible nickname
01:18 < gmaxwell> fagmuffinz: I'm not sure what you're trying to accomplish, I missed the history.
01:19 < justanotheruser> gmaxwell: It was the voting thing again.
01:35 < phantomcircuit> midnightmagic, maybe he likes his muffinz with fags
01:35 < phantomcircuit> although that sounds a bit gritty
14:38 < maaku> can Grover's algorithm be used for quantum mining?
14:39 < gmaxwell> sure, in theory, if there existed hardware that could run it.
14:40 < gmaxwell> it's only a sqrt speedup. It would unhinge the difficulty update somewhat. (though if it got far out of whack it would still have quadratic convergence)
14:44 < maaku> Some FUD on lesswrong about quantum computing leading to centralization
14:45 < warren> No tech breakthroughs are needed for human behavior to cause centralization.
14:46 < maaku> heh, yeah
14:49 < gmaxwell> I don't see where that conclusion comes from, unless it's just some assumption that only one party will have access to the faster miner.
14:50 < maaku> gmaxwell: yes, that's the (ridiculous) assumption
14:50 < gmaxwell> Not only that. It's quite likely that should someone successfully use Grover it'll be _slower_ for some time. Simply because the quantum machine runs at 100khz or whatever.
14:50 < maaku> that someone will invent a quantum computer capable of doing more work than the entire bitcoin network
14:51 < Alanius> isn't the "quadratic speedup" irrelevant when considering sha 256?
14:52 < Alanius> it's quadratic only for large enough problems
14:52 < Alanius> but the problem size is fixed in this case
14:54 < andytoshi> maaku: lesswrong link? istm that any non-infinite speedup would be covered by the difficulty algo
14:54 < maaku> Sybil successfully Sybil-attacked psychiatrics: http://www.npr.org/2011/10/20/141514464/real-sybil-admits-multiple-personalities-were-fake
14:54 < sipa> Alanius: the quadratic speedup is about finding a preimage
14:55 < Alanius> ... isn't that what Grover's algorithm does?
14:55 < sipa> yes
14:57 < maaku> andytoshi: http://lesswrong.com/r/lesswrong/lw/je7/a_proposed_inefficiency_in_the_bitcoin_markets/a8xl
14:57 < sipa> Alanius: right, it's only quadratic if you see the size of the hash output as variable
14:58 < andytoshi> sipa: is it correct to think of mining that way,
14:59 < andytoshi> "find a SHA16 preimage of 00", then a SHA32 preimage of 0000, and so on
15:00 < Alanius> I guess you could devise a variant of Grover's algorithm that finds a partial collision instead of a full one, and you'd probably see that quadratic speedup with regards to the inverse of the target :)
15:02 < andytoshi> Alanius: yeah, that's what i'm trying to say
15:03 < sipa> right, it's grover on truncated double sha256, with variable truncation length
15:07 < gmaxwell> Alanius: If you're saying that you're going to find complete preimages (size at maximum) then the work factor is still 2^128, which is infeasible.
19:19 < phantomcircuit> ffs
19:19 < phantomcircuit> bought a cable modem
19:19 < phantomcircuit> no coax cable
21:59 < maaku> merged mining attack I hadn't considered : https://bitcointalk.org/index.php?topic=394388.0
22:01 < maaku> someone solo mining altcoin could double-count proof-of-work by merge mining the fraud chain against their solo blocks
22:06 < gmaxwell> maaku: namecoin ended up deploying a specific defense against this
22:06 < gmaxwell> that requires the namecoin chain to be at a particular position
22:09 < maaku> gmaxwell: i'm aware of that one - it protects against having multiple auxblock commitments in the same coinbase
22:10 < maaku> but the twist here is namecoin merged mined against namecoin
22:10 < maaku> so the attacker has the choice of using the outer block or the inner block
22:11 < warren> maaku: wouldn't that only be an issue in practice if the value of NMC were much higher?
22:12 < maaku> warren: eh? it depends on the size of the double-spend you are trying to make
22:13 < Niko_B> Get some easy bitcoins all you need is a web browser  http://t.co/RFLekya7Hc
22:13 < maaku> the fact that you can build up the public chain, while double-counting work towards a secret attack violates some security assumptions
22:14  * maaku needs to learn how to use +o
22:14 < gmaxwell> maaku: oh I don't think you can mergemine namecoin against namecoin.
22:15 < maaku> gmaxwell: yeah i'm not certain if it'd actually work.. but this wasn't something I'd previously thought about
22:15 < gmaxwell> maaku: if you can that's dumb and should be fixed, but it's a purely academic attack right now since you'd have to forgo substantial bitcoin income.
22:15 < maaku> and it would have worked in the system I was designing
22:15 < maaku> it's easily fixed though
22:15 < gmaxwell> should be trivial to fix if so, just don't accept non-mergedmined blocks.
22:16 < maaku> yeah
01:33 < gmaxwell> andytoshi: example https://bitcointalk.org/index.php?topic=393593.msg4274997#msg4274997  (thats just one post in a six page thread of people who were ripped off)
01:35 < gmaxwell> suggestions that people publish their loan amounts in OTC in the ratings list have generally been met with unwelcome sounds wrt privacy... though people do it sometimes, esp for smaller amounts with newer traders.
01:35 < andytoshi> ok, i see now, this is really cool .. i think it has the highest usefulness/computational hardness ratio of anything you've posted involving zk proofs
01:35 < gmaxwell> yes, also ... implementable outside of bitcoin.
01:36 < gmaxwell> (Any idea where step 1 is change bitcoin ... is just a lot harder to do, regardless of the details)
01:36 < andytoshi> i'm going to go post this in #coindev and see if anybody wants to implement it..
01:37 < gmaxwell> also, since it involves loss of currency, the CRS-assumption ZKP systems (where you trust that some key creator has thrown away a master key) aren't so bad.
01:38 < gmaxwell> e.g. you're trusting someone to not have kept data that would allow them to make fake loan accumulators. whoptiedo.
01:38 < andytoshi> i wonder if there's a stronger/simpler zk proof system for updating merkle trees like this
01:38 < andytoshi> which maybe doesn't work for general computations
01:38 < gmaxwell> maybe, though as soon as you need proofs for bitcoin thats right out.
01:40 < warren> I suppose this is why the credit agencies ding you for hard pulls.
01:40 < gmaxwell> in any case, proving a very simple function like this should actually be quite realistic, e.g. cpu time of tens of seconds.
01:41 < gmaxwell> warren: hah you could actually make number of proofs a metric that it tracks and extracts.
01:41 < gmaxwell> (e.g. to do a proof for someone they give you nonce, which you must insert into a pulls counter tree.)
01:42 < gmaxwell> it's not quite so cheap that my trivial NIZK would be useful, I expect.
01:42 < gmaxwell> but I guess I should go count how many AND-gates sha256 has.
06:49 < nsh> happy new year, wizards :)
09:57 < jtimon> https://bitcointalk.org/index.php?topic=396991.0
10:08 < tholenst> 24 coins built there already...
10:08 < tholenst> and that's not even counting the ones which prefer to remain private
10:10  * nsh considers a "proof of quality" based blockchain
10:10 < nsh> difficult, all involve voting i suppose
10:11 < nsh> e.g. new block whenever someone comes up with a joke that is considered funnier by >75% of people
10:16 < tholenst> The new scip paper http://eprint.iacr.org/2013/879 seems promising, but they still don't give a download link
10:30 < nsh> hmm, ty
10:32 < tholenst> How long does verification of a ECDSA signature take?
10:34 < nsh> depends on the library, etc.
10:34 < nsh> (and scheme)
10:35 < nsh> --
10:35 < nsh> Wow, it's great.
10:35 < nsh> 187us versus OpenSSL's 1008us, on my test laptop.
10:36 < nsh> -- sipa's implementation of secp256k1, last July
10:36 < nsh> https://bitcointalk.org/index.php?topic=236477.0
10:38 < tholenst> So they talk of 5ms verification time for a program, but that's not on a laptop, so one would probably have to verify a few hundred signatures -- but they only run their program for 32'000 instructions, so it doesn't seem quite useful for signature verification yet
10:39 < tholenst> also they talk of a 16 bit machine...
12:06 < andytoshi> oh my god, the comments on BlueMatt's altgen thread..
12:09 < nsh> always wear appropriate protective eyewear. do not stare directly at derp
12:10 < adam3us> andytoshi: on bct?
12:10 < andytoshi> adam3us: yeah, https://bitcointalk.org/index.php?topic=396991.0 -- jtimon posted it a few hours ago
12:13 < adam3us> andytoshi: lol 'bulk discounts' etc
12:13 < jtimon> yeah, this was hilariously absurd: https://bitcointalk.org/index.php?topic=398272.0
12:14 < nsh> "We will hard fork you out, then we will have to continue with GPU without you." (imagines set to all your base graphics...)
12:17 < nsh> or
12:17 < tholenst> It's awesome. It essentially says: "If you give me money, that'll help me to fraud people!"
12:17 < nsh> there's reductio ad absurdum and then there's straight out building a highway to absurdity.
12:30 < jtimon> hehe highway to absurdity...
12:40 < Luke-Jr> "Yes, it works fine and you do not end up on the wrong chain as long as you have a different network packet magic - as your node will never peer with another node with a different magic."
12:40 < Luke-Jr> hahaha
13:59 < jtimon> does anyone know if any of the results have been launched on the alts subforum already?
14:26 < Luke-Jr> nsh: can I quote you? [17:17:31] <nsh> there's reductio ad absurdum and then there's straight out building a highway to absurdity.
14:26 < Luke-Jr> (I already did, but I forgot to ask first..)
14:27 < nsh> sure
14:27 < nsh> :)
14:27 < Luke-Jr> thx
14:31 < Luke-Jr> "hello, is there a way to set a permanent change address?"
14:31 < Luke-Jr> why do I get these PMs now?
14:32  * Luke-Jr replies "No, because that would be broken and stupid."
15:44 < _ingsoc> Does anyone mess around with Go?
15:45 < gmaxwell> tholenst: their scaling is nearly linear, so you can scale up the cycle count. Also, 32000 instructions is enough to do hash based signing. In any case, the tinyram stuff is always going to be less efficient (by ... 10 to 1000 fold) than direct circuits specialized for the task at hand.
15:58 < nsh> tinyram is just a didactic model though. there's no reason you couldn't adapt it to specialized problems
15:58 < nsh> (that i can think of, at least)
16:00 < gmaxwell> nsh: well kinda, there are ways of using this stuff where you want the circuit under evaluation to be a constant thing.
16:01 < nsh> mmm
16:01 < gmaxwell> and with tinyram you could make it constant (or at least constant up to some execution length) and the hash of the program being run is just a public input.
16:01 < gmaxwell> so it really can be useful to have a fully generic circuit.
16:01  * nsh nods
16:03 < gmaxwell> you could, of course, add extra instructions. e.g. for our applications a SHA256 operator would be super useful.
16:03 < nsh> hmm, good point
16:05 < tholenst> gmaxwell: yes, i know... i was trying to get a grasp of whether it would be useful for example just to batch all signature verifications... but I found it difficult to assess. Would be nice if there was an implementation available
16:06 < gmaxwell> tholenst: yea, I don't know why they haven't made it available. They're using the same backend math as pinocchio, so you could look that up.
16:06 < tholenst> I could just ask them :)
16:07 < gmaxwell> tholenst: IIRC only a few of the pairing operators are input specific, as I recall.
16:07 < gmaxwell> So I think that if your circuit is constant you can precompute a fair bit.
16:08 < gmaxwell> (A few, being like two pairing operations I think)
16:08 < tholenst> i don't actually have a specific application in mind...
16:11 < tholenst> I was thinking more about extending the scripting language recently anyhow :)
16:12 < tholenst> It should be like this: if you have a reserved opcode in the pubkey script, the script should automatically accept no matter what happened before.
16:14 < gmaxwell> tholenst: well it's not. It's easy to build extensions that work like that anyways.
16:14 < gmaxwell> e.g. just different OP_EVALs for new P2SHes that make transactions look hashlocked to the old nodes.
16:16 < tholenst> do you mean exactly the same as P2SH, but a different op-code instead of OP_HASH?
16:16 < tholenst> i don't see right now how you mean that
16:18 < Luke-Jr> tempting to revise Script in a P2SH^2
16:21 < gmaxwell> tholenst: effectively.
16:22 < tholenst> oh i see -- you can just take one which is effectively a NOP now
16:47 < tholenst> btw i was thinking more about what it would need in scripting to implement the idea that you can have deposits for your transactions; i.e., if you double spend you lose money
16:47 < tholenst> i think it's reasonable
16:51 < sipa> that implies scriots can access state outside of the chain they operate on
16:51 < sipa> which is extremely jard to get right, i think
16:51 < sipa> scripts, hard
16:51 < tholenst> no
16:52 < tholenst> i don't need that
16:52 < sipa> double spends don't exist within one chain
16:52 < sipa> if you're even using that word, it implies you're observing other state
16:53 < Luke-Jr> tholenst: double spending is not detectable technically really
16:53 < Luke-Jr> two signed transactions spending the same coin, is not necessarily "double spending"
16:53 < Luke-Jr> it can occur in legitimate circumstances too
16:53 < tholenst> well, the idea is different: I give you a transaction which essentially says: "If you find messages m_1 != m_2, signed with SecretKeyA, then you can have this money here"
16:53 < sipa> ah!
16:54 < sipa> you'd need some higher order construct in transactions
16:54 < sipa> but indeed, that doesn't require access to other data
16:54 < tholenst> yes, you need improved scripting, but it suffices to look at the chain
16:54 < nsh> hrmmm
16:54 < sipa> just means you need to embed the two different spending transactions inside your script
16:54 < nsh> interesting idea
16:55 < sipa> no it does not suffice to look at the chain
16:55 < sipa> within the chain double spends are impossible already
16:55 < tholenst> Luke; I know that; a bit more work is necessary for that
16:55 < tholenst> no you just need to embed the two signatures in the script; I can do that
16:55 < sipa> right, indeed
16:56 < tholenst> the chain will get two signatures, from the same secret key, which I assemble from the double spend; thus, the scripting doesn't look outside the chain
16:56 < sipa> yup
16:56 < sipa> but you need some meta construct
16:57 < sipa> where you embed the two previous conflicting signatures as proof that a double spend existed
16:57 < sipa> which is possible and sane
16:57 < sipa> but doesn't exist currently
07:27 < jtimon> bitcoin solves seignoriage by trying to destroy that value
07:28 < deantrade> For example, the Fed not being able to steal my bitcoins unlike they'd be able to steal my gold or my gold in a bank is really really awesome.
07:28 < jtimon> that's true for freicoin too
07:29 < jtimon> there's no need to give 100% of the initial supply to miners to have that
07:29 < jtimon> not too long ago gmaxwell was saying that 5% of the total supply annually for miners is wasteful
07:30 < jtimon> then the initial subsidies have to be much more wasteful
07:30 < jtimon> we need proof of work for security, totally agreed
07:30 < deantrade> "waste"?  wasting what?
07:31 < jtimon> but I don't think we need it for issuance too
07:31 < deantrade> How else do issuance?  Have the group of developers that made it each get some number of coins?
07:31 < jtimon> electricity, conductors to build more asics than we need instead of general purpose computers
07:32 < jtimon> deantrade, it's not an easy issue
07:32 < jtimon> we've looked for ways in the freicoin forum and many have appeared
07:32 < jtimon> we hope to find a purely p2p one
07:33 < jtimon> for example, subsidizing scientific computations demonstrable with spark/scip
07:34 < deantrade> "electricity, conductors to build more asics than we need instead of general purpose computers" -> just like all of the effort used to mine and refine and make jewelry out of gold.
07:34 < jtimon> instead of getting money for random hashes, get it for submitting folding@home work units or something else
07:35 < deantrade> It takes effort to make bitcoins, they don't just come into existence willy nilly.
07:35 < jtimon> that's purely a design decision as demonstrated by freicoin
07:36 < jtimon> only 20% of the initial freicoins come to existence through mining
07:36 < jtimon> yet the freicoin network is secure and their miners get profits
07:37 < jtimon> miners don't create the value, users and merchants do
07:37 < deantrade> folding@home = centralized acceptor no?  I agree it would be cool if the work could be towards something like organic chemistry simulation, but I'm not really an expert in that field in order to really know if there is anything practical that we could do that would be hard to find a solution for but easy to verify work on.
07:39 < deantrade> Miners do create some value: we use the ledger made by the person who proves to do the most work, rather than just going with ledgers that are made by valueless lazy losers who just would want to double spend or spam
07:40 < jtimon> hard to find a solution for but easy to verify work -> that's what spark/scip is about
07:40 < jtimon> yes, miners provide security
07:41 < jtimon> I agree it's a complex problem
07:41 < jtimon> for now mining is the only 100% p2p distribution mechanism I know
07:42 < jtimon> all I'm saying is that if we had another one, issuance could be completely decoupled from mining
07:43 < jtimon> miners will live only on fees, and if that's not enough security then the system is not sustainable in the long run and the current subsidies are blinding us
07:44 < deantrade> Yeah, it's a system that hasn't been tested yet.
07:45 < deantrade> Thinking about it while sleep deprived now...
07:51 < jtimon> think of ripple's xrp for example
07:51 < jtimon> their security mechanism is not pow
07:51 < jtimon> they could have distributed it through proof of work
07:52 < jtimon> but that wouldn't have made any economic sense
07:52 < jtimon> that doesn't mean the distribution mechanism they've chosen is cool
07:52 < deantrade> ripple is crap, not pow, it's mob vote rule
07:53 < deantrade> good night!
07:53 < jtimon> Ryan Fugger's Ripple is a great concept
07:53 < jtimon> ripplelab's implementation is not good enough, I agree
07:53 < jtimon> ok, good night, I have to code
16:09 < warren> jgarzik: you had people at the office who could reproduce the mac corruption?
16:10 < warren> Please ask them to test the new builds?
16:10 < Ryan52> cfields: submitted my verification of sources in deterministic dmg builds, as a comment to your commit.
16:10 < cfields> Ryan52: great, thanks
16:11 < warren> Ryan52: URL?
16:11 < warren> cfields: zero reports of testing your memory barrier patch so far
16:11 < warren> from people who were able to make it fail
16:11 < cfields> warren: the more i read, the less convinced i am that it will do anything significant
16:11 < warren> cfields: oh?
16:11 < Ryan52> warren: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1#commitcomment-4708754
16:12 < cfields> asm dumps seem to show that the asm memory hack is enough to get the compiler to avoid reordering
16:12 < warren> Ryan52: btw, for gitian you need to have an established GPG key and identify
16:12 < warren> identity*
16:14 < Ryan52> warren: Sadly, my 1024 bit key is not well connected and my 4096 key is not really connected at all. :(
16:14  * Ryan52 needs to get out more, or something.
16:15 < warren> Ryan52: I started an 8192-bit key only a few months ago
16:15 < warren> Ryan52: what state are you in now?
16:16 < TD> cfields: hmm i thought you said you checked that and saw reorderings across the barrier
16:16 < Ryan52> Gah, guess I didn't even get my 4096 key usable before it was obsolete, that is sad. I actually do have one more signature sitting in my INBOX from recently, though, when I get the chance to pull out the disk with the private key storage from my safe.
16:16 < cfields> TD: i do with some compilers, with some flags
16:16 < Ryan52> warren: Oregon
16:17  * Ryan52 travels to Washington frequently, too
16:17 < cfields> TD: i think the change is necessary, but i'm not sure that it will affect the way we currently build
16:17 < TD> ok
16:17 < TD> hmm too bad. i thought that might have been it, for a moment
16:18 < cfields> the asm diffs are pretty hard to read since it changes a bunch of stuff around. it's still possible they're necessary, but i'm not as confident as i was yesterday
16:44 < maaku> Ryan52: 4096 bits is obsolete?
16:45 < cfields> warren: have you heard of the corruption happening to anyone running a 64bit osx binary?
16:46 < sipa> yes, gavin is running a 64-bit build and has seen corruption
16:46 < maaku> cfields: yes, it's happened to me
16:46 < cfields> the current corruption? not the ones that have been fixed already?
16:46 < sipa> i have no idea what has been fixed
16:47 < sipa> i don't have any iThings
16:47 < maaku> it was either v0.8.3 or v0.8.5, but not trunk
16:47 < cfields> the fdatasync commits a while ago, i meant
16:47 < maaku> i don't know about gavin
16:47 < cfields> ok
16:47 < sipa> gavin has seen corruption on master a month ago or so
16:47 < maaku> gavinandresen: ^^
16:48 < phantomcircuit> Ryan52, 4096 bit keys are probably safe for a decade assuming no major quantum computing improvements
17:20 < amiller> hey does anyone here understand iddo's protocol er adam back's version of it
17:21 < amiller> adam3us, does this post work and not rely on currently disabled opcodes? https://bitcointalk.org/index.php?topic=277048.msg3210328#msg3210328
17:22 < amiller> i don't see how you can guarantee that you can add a + b, does addition in the script just do overflow with mod?
17:27 < amiller> so each number must be 4 bytes or else it fails
17:27 < amiller> and it's signed
17:28 < amiller> what you'd want to do is typecheck the b preimage of h(b)
17:28 < amiller> in other words you don't want to allow b to be a 5 byte number, because then b could claim his side but a wouldn't be able to take it anyway
17:28 < amiller> so it would time out
17:28 < gavinandresen> hmm?  I've had three instances of corruption over the last six months, all running at-the-time-git-HEAD, compiled 64-bit with clang3.3 (my development environment builds)
17:29 < amiller> but you can typecheck b by making b have to do an OP_ADD 0 to it, which guarantees that if B can spend it, A can spend it
17:33 < warren> cfields: the distributed bitcoin binaries are built with xcode 3.2.x on MacOS 10.6.x
17:34 < warren> cfields: gcc-4.2 based
17:34 < cfields> gavinandresen: ok, thanks
17:43 < warren> cfields: so would test results of my builds with your patch built by gcc-4.2 32bit be useful?
17:44 < cfields> warren: erm, what else would they be built with?
17:44 < warren> cfields: you're asking about 32bit vs 64bit and different compilers
17:45 < warren> cfields: these are built in the "standard" release way
17:45 < warren> gavinandresen: quick question
17:45 < cfields> warren: i saw an oddity in leveldb that would only be a problem for 32bit builds. If the error manifests in 64bit as well, there's no need to investigate it
17:47 < warren> gavinandresen: https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md   my Bitcoin builds using this documented process ending with "contrib/macdeploy/macdeployqtplus" works in creating .dmg's, but their plist is missing menu options.  Are you following exactly this documented process?
17:48 < gavinandresen> warren: yes, I copy and paste from that document when I do the builds
17:49 < gavinandresen> warren: and that's really not a bitcoin-wizards type of question.
18:11 < adam3us> amiller: iddo wrote it up later in the same bct thread as https://bitcointalk.org/index.php?topic=277048.msg3220019#msg3220019 and there he used (A xor B) mod 2 == 1 as the test. however xor is disabled. similarly add is enabled but aborts if the input is > 4 bytes. i guess that's a problem too because a hash of a 32 bit number is trivial to brute force. cat is also disabled, and hash takes one input only
18:13 < amiller> adam3us, so what about what i suggested
18:13 < amiller> you can hash a 4 byte number
18:13 < amiller> ah but that's not very high entropy.
18:13 < adam3us> amiller: yes but then its brute forceable and cat is disabled etc yep
18:13 < amiller> you can basically enumerate the hashes of the 4 bytes
18:13 < amiller> so without cat you're screwed
18:13 < amiller> okay right.
08:31 < adam3us> jgarzik_: apparently it originally stood for ex-google btc list, but is some kind of invite only ? bitcoin list that some bitcoin bigwigs are lurking on , or so i was told and found via a fwded mail from that list, from someone who got themselves onto it
08:31 < adam3us> jgarzik_: i am not so much a fan of closed/moderated/non-open lists myself - i was kind of irritated at the concept
08:31 < HM2> jgarzik_, you're obviously not a bigwig :P
08:31 < jgarzik_> obviously :)
08:31 < adam3us> jgarzik_: so my buddy charles said let me find the mail (his words)
08:33 < adam3us> jgarzik_: (and it's ridiculous to me that something relatively closed could be formed to talk about bitcoin with any coverage without having folks like this irc chat as first invitees) though i even dislike elitist closed lists on principle
08:36 < adam3us> charles said "it is the who's who of btc so need to get you on it" i am guessing maybe a bunch of mostly ex-googlers plus some bitcoin startup bizdev/ceo types... i'll find out soon (what was fwded to me was some discussion about some kaminsky intel-cpu-only mining function idea)
08:38 < adam3us> the list gatekeeper is bendavenport@gmail.com if you're not someone who refuses to participate in closed lists on principle (i'm largely of that mentality...)
08:40 < sipa> is any of the core devs on that list?
08:40 < sipa> i had never heard about it
08:42 < adam3us> sipa: i don't know who's on it, i have the list invite, but i didn't click on it yet because it sends email to your gmail acct if you fwd your email to gmail which is a nuisance because i don't read my gmail
08:42 < adam3us> sipa: i saw peter vessenes name in the thread
08:43 < adam3us> sipa: there is a way to avoid supposedly  that but its complicated involves editing gmail urls and stuff
08:43 < sipa> meh :)
08:44 < adam3us> sipa: yeah maybe its more a bitcoin angel/mba/bizdev club
08:44 < sipa> sounds like it
08:44 < adam3us> sipa: so they think they're the who's who but we think they're n00bs in suits
08:46 < sipa> loi
08:48 < adam3us> jgarzik_: have an email for this Patrick Murck guy? i found his linkedin profile only
08:49 < jgarzik_> adam3us, https://twitter.com/virtuallylaw on twitter, gotta search for other.  bug me in 12 hours, after coding session ;p
08:52 < adam3us> jgarzik: google name, @domain -> patrick@engagelegal.com
08:53 < adam3us> jgarzik_: brain dump about strong need for bitcoin MAD/defensive pool heading patricks way  :)
08:56 < adam3us> jgarzik_: i get the brunt of patent shit as my day job is crypto consultant to multiple companies... every time I open my mouth i have to watch what i say or i nor anyone else will be able to use that idea again, have to minimize damage by pointing them at open, prior art ideas only - though that can be partially successful as patents' "innovation" doesn't mean what it means in english
09:02 < jgarzik_> adam3us, patrick@bitcoinfoundation.org
09:18 < adam3us> btw about patents, i dont mean to imply any reason to doubt sincerity of the defensive motivation for bitcoin startups to apply for patents; just that history has shown it is not uncommon for such patents within 5-10 year in the normal chance of small companies going bankrupt and their investors selling the assets
09:40 < adam3us> is it matonis@btcf also?
12:03 < adam3us> amiller: about second ZKP there is a technique called limited-show which can prevent showing more than n times (eg more than 1 time) on pain of disclosing your private key via simultaneous equation if you do
12:06 < adam3us> amiller: the way to do that is restrict the owner to using only one initial witness, if he uses two different ones his private key can be calculated for analogous reasons to reusing k in DSA
12:06 < adam3us> amiller: it's described in the extended schnorr context in http://cypherspace.org/credlib/brands-technical.pdf p23
12:33 < adam3us> amiller: for example in relation to dsa, that means r=g^k becomes part of the public key, and you're only allowed to use r by definition (not r'=g^k' for any other k'), eg say bitcoin address was H(r=kG,Q)
12:34 < adam3us> amiller: then, as bitcoin anyway always spends the entire input, bitcoin addresses could be strictly one-use, and if you double-spend you reveal your private key, to all miners, who take your coin for themselves instead of mining it - a crypto way to deter double-spending :)
12:35 < gmaxwell> adam3us: unless you're a miner, win win.
12:35 < adam3us> amiller: (of course you cant use that address to control multiple transactions, or you have a problem
12:36 < adam3us> gmaxwell: yes - i suppose the point is it may make certain kinds of bribe other miners to block competing transactions untenable
12:36 < adam3us> gmaxwell: its always going to be more profitable for them to take your coin rather than your bribe
12:38 < adam3us> gmaxwell: i mean then instead of it being plausible to send spend one to victim, and spend2 to some miners, or try to segment the network via network hacking or bribe to not-mine, double-spending becomes risky: anyone and everyone is on the hunt for double-spent transactions, because to a miner they are 100% fee :)
12:43 < petertodd> adam3us: meh, we've already got a way to deter double-spending: replace-by-fee scorched-earth. And it turns out double-spending is actually very useful for a lot of stuff.
12:47 < adam3us> petertodd, gmaxwell: could probably extend that to one spend per txout without having single use keys.  eg put r=kG in the txout but reuse Q
12:49 < adam3us> petertodd, gmaxwell: then a double spend of any of them allows all balance by any txouts controlled by that key to be cashed by miners
12:50 < petertodd> yeah, you could do lots of things, but double-spends aren't such a bad thing! there's no good way to resubmit a transaction if you don't allow them.
12:51 < adam3us> petertodd: well the reason i like looking at the double-spend mechanism is it is the core of the mining entanglement in the overall design - if there were  a way to do it without mining validation that could be a component of a scalability improvement
12:52 < petertodd> adam3us: why do you say it's the core of the mining entanglement?
12:53 < amiller> it would matter for a different network
12:53 < adam3us> petertodd: well to guarantee order is defined is why there is a single chain partly
12:53 < amiller> if we had like subchains that we wanted to merge
12:53 < amiller> in order to support higher transaction volume without making everyone have to hear them all
12:53 < amiller> then it would be useful to have ways of discouraging noncommutativity
12:53 < amiller> i.e. doublespends
12:53 < amiller> hardly matters for now though
12:54 < petertodd> right, but I think I solved that pretty decently the other day :)
12:54 < petertodd> (FWIW I'm halfway through writing up all that in a semi-proper paper)
13:02 < adam3us> amiller: so constitutional enforcement attached to sigs: single-show (as above), signature of knowledge (and the transaction) that either you know the discrete log of Q or currentReward() != blockreward
13:03 < adam3us> amiller: however i dont think it quite works, probably someone can make a 2 stage soft-fork to remove such checks from majority of clients, if they want to revise the constitution, an most of the users agree
13:04 < adam3us> petertodd: didn't the discussion get to sharding and trie representations within the shard, but still have to somehow avoid hashrate dilution weakening mining vote
13:05 < adam3us> petertodd: you did say something about that but i didnt understand it at the time and channel history gone
13:06 < petertodd> adam3us: I'll send you my logs
13:07 < petertodd> adam3us: but yeah, so basically *if* the blockchain data gets published by miners, it all works out and the hashrate dilution isn't a big deal: the resistance to changing historic data is still there, and because there's no validation required in the scheme that's much less of an issue
13:08 < petertodd> The problem is sharding inherently makes it easy to not publish that data, and essentially have the rest of the hashing power build upon state changes that only you can prove.
13:10 < petertodd> One approach there is to basically say "It's everyone's job to mine"
13:10 < petertodd> (if you withhold your block data, and don't have a local hashing power majority, the non-withholders will overtake you)
13:26 < adam3us> petertodd: maybe it can work, security for individual coins doesnt depend on cross shard mining, because their double-spend information is definitionally in the same trie-shard.
13:26 < adam3us> petertodd: additionally because we dont care which version of history is recorded, just that one is, the other shards can just hash the top of the other shard-chains best effort with out looking at or validating the contents of it
13:27 < petertodd> adam3us: yeah, I'm pretty much at the point where I think that in terms of resistance to rewrite, you just need timestamping, and that's what "cross shard hashing" is doing
13:27 < adam3us> petertodd: yes
13:27 < petertodd> It's the incentives to actually distribute the data that's ugly, and the resistance to rewrite can be a bad thing if someone does a 51% attack with the intention of destroying the data later.
13:28 < adam3us> petertodd: because you don't care what they said in their timestamp output, you're just preventing them changing their mind later
13:28 < petertodd> yup
13:29 < adam3us> petertodd: you could even make a k-ary tree of time-stamp servers rather than a broadcast network of them, i think same principle applies
13:29 < petertodd> So one thing that can help, is for mining to be strongly coupled to the blockchain data: make a pow solution involve a non-interactive selection of some of the data, and make it only valid if that data is attached.
13:30 < adam3us> petertodd: well presumably at least the miners can validate the size of the pow on the shard mined blocks they include
16:05 < adam3us> maaku: they are discussing safe curve RFC on CFRG which i am on, which include ed25519, is there a separate place that a EdDSA RFC is being discussed? or is that what you meant
16:05 < kinlo> gmaxwell: I kinda like the happiness and fun the people have in #dogecoin with using the meme.  It will die out ofcourse, but they do have a strong community
16:05 < gmaxwell> maaku: if it's not mandatory then the amlcoin risk exists. "not our problem your wallet isn't showing our payment, turn off this switch, it's broken"
16:06 < andytoshi> michagogo|cloud: strange, i'll refresh the download, one sec
16:06 < maaku> adam3us: I think that's the discussion I heard about
16:07 < andytoshi> michagogo|cloud: that is a bad hash, thx for letting me know, fixed now
16:07 < maaku> gmaxwell: with sufficient user level protections I don't rate amlcoin as a serious existential risk
16:08 < michagogo|cloud> ;;cjs
16:08 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
16:08 < michagogo|cloud> andytoshi: woot
16:09 < michagogo|cloud> (so far, so good... no errors this time, it knows there's no open session)
16:09 < andytoshi> michagogo|cloud: excellent :) sorry, i forgot to stand up the testnet instance of the server, will do that now
16:10  * adam3us is old enough to remember people making analogous claims to reason about systematic MITM, CA malfeasance in the CA security model.
16:11 < michagogo|cloud> andytoshi: What's the format of cjclient.conf?
16:11 < michagogo|cloud> atm I see joinerserver = https://wpsoftware.net/coinjoin/cj-client.php in there
16:11 < michagogo|cloud> and that's it
16:11 < adam3us> maaku: (i was complaining at the time.. 1993ish that a dissident trusting CA infrastructure is crazy)
16:11 < maaku> adam3us: so? that was as sensible a thing to say then as now
16:12 < maaku> that doesn't mean you're right on this issue
16:12 < adam3us> maaku: people had all kinds of reasonable arguments how they'd never do that. it could be detectable. it was unreasonable etc. i am seeing analogies in your assumption that viral ecosystem features would not be abused
16:12 < michagogo|cloud> andytoshi: (I mean, what are the other options)
16:12 < maaku> apples and oranges
16:12 < andytoshi> michagogo|cloud: rpcconnect, rpcuser, rpcpassword and rpcport all work as in bitcoind
16:13 < maaku> if the NSA demands the root cert from the CA, it *is* undetectable
16:13 < michagogo|cloud> So to use testnet I'd set rpcport = 18333?
16:13 < michagogo|cloud> 18332*
16:13 < andytoshi> michagogo|cloud: yeah, that should work
16:13 < michagogo|cloud> And what's the URL?
16:13 < maaku> covenants, on the other hand, by their very nature are prominently part of the script
16:13 < andytoshi> http://testing.wpsoftware.net/coinjoin/
16:13 < adam3us> maaku: alternatively then what makes you confident it would not be abused?  good behavior of the incumbent power bases?  the possible motivated parties  include the combined weight of the banking lobby and governments.
16:14 < maaku> to do... what exactly?
16:14 < michagogo|cloud> andytoshi: bleh...
16:14 < michagogo|cloud> Syncing with joiner, session ID unknown
16:14 < michagogo|cloud> Join server: SSL: no alternative certificate subject name matches target host name 'testing.wpsoftware.net'
16:14 < maaku> force me to convert a coin into something which is unspendable because it fails IsStandard, is not relayed, and not accepted by anybody?
16:14 < adam3us> maaku: anything that is expedient if history teaches us anything.  mandate viral amlcoins per example
16:14 < andytoshi> michagogo|cloud: sorry, testing.wpsoftware does not have an SSL cert, just use HTTP
16:15 < michagogo|cloud> Ah, k
16:15 < adam3us> maaku: no thats my point.  things which are not supportable by the infrastructure of all users are harder to foist on the users.
16:16 < adam3us> maaku: it's not a given, and it's a possible risk point, that all bitcoin wallets will remain open source, depending on the parties that get into the wallet & wallet integration/bundling business
16:16 < andytoshi> michagogo|cloud: ok, how about we do a 1.1 testnet join?
16:16 < michagogo|cloud> andytoshi: "Joiner status: session not found."
16:17 < andytoshi> michagogo|cloud: oh :P click "Session->Forget Session"
16:17 < andytoshi> oh, wait..
16:17 < maaku> adam3us: at least where there is rule of law, taking away someone's capability to use their property is amount to theft
16:19 < adam3us> maaku: i agree, and that's a libertarian argument, but even neutral biz people will propose doing something pragmatic that appeases the regulator so they personally can make money fast. it's not that they are evil, just that they don't care. if people with this mentality have software deployment power they can cause a lot of damage. eg apple?
16:21 < spenvo> #go-nuts
16:21 < adam3us> maaku: back on interest and contracts. is there another way to achieve that? when i was thinking about extrospection i found it curious that much was achievable via hashlock and dependent transactions
16:21 < spenvo> sorry about that
16:22 < adam3us> maaku: jtimon gave an example of something he claimed was impossible without covenants?
16:22 < maaku> adam3us: but my point is how could their proposal ever fly? people would reject it because their coins would suddenly become unspendable, there'd be lawsuits, etc.
16:22 < maaku> all before it gets far enough along to be entrenched
16:23 < maaku> adam3us: yes, restricted buy-back (of IOUs, to use his example)
16:23 < adam3us> maaku: i dont know.  but the adversary is adaptive and intelligent also.  coinvalidation would itself be viral
16:24 < maaku> you issue an asset with 1% demurrage with an attached covenant allowing you to buy it back at any time for principal + interest (implemented by sending regular coins to the script stripped of the covenant)
16:24 < maaku> /demurrage/interest/
16:24 < michagogo|cloud> andytoshi: I ticked my inputs and clicked view transaction
16:24 < michagogo|cloud> Now it's frozen
16:25 < adam3us> maaku: so what about a micro-channel. either party can pull-out and claim what's paid to date. interest paid periodically.
16:25 < andytoshi> michagogo|cloud: aw, shit
16:26 < michagogo|cloud> andytoshi: Oh, wait
16:26 < maaku> adam3us: tx replacement? vulnerable to double-spend
16:26 < michagogo|cloud> Just opened up a tailf on bitcoin's debug.log
16:26 < michagogo|cloud> Looks like it's busy drawing addresses
16:27 < andytoshi> how many output did you ask for?
16:27 < maaku> not to mention you wouldn't be able to move around ownership (resell debt)
16:27 < andytoshi> it shouldn't do an infinite loop if that's what you're seeing
16:27 < adam3us> maaku: or is there a less powerful language feature that could enable the class of use cases?
16:27 < maaku> adam3us: that would be entirely missing the point
16:28 < maaku> we *want* these crazy covenant use cases
16:29 < maaku> it's just doing so with the decentralized host currency that is problematic
16:29 < michagogo|cloud> andytoshi: My output is in the 5 digits
16:29 < adam3us> maaku: most of the examples on the covenant bct thread looked grey-goo like in their end game.
16:29 < michagogo|cloud> andytoshi: I think it's drawing ~21k keys...
16:29 < maaku> well that was the point of the covenant thread
16:30 < andytoshi> michagogo|cloud: hahahaha, ok, i should definitely do a sanity check there
16:30 < andytoshi> (and you probably want to kill it)
16:30 < adam3us> maaku: what i suggested to vitalik when he asked me something about something ethereum was using is that scripts be certified. then at least users can see who is proposing they do this as a sanity check.
16:30 < michagogo|cloud> It's about half-way done
16:31 < maaku> adam3us: that's something for the payment protocol
16:31 < adam3us> maaku: (he's using some PoW thing i mentioned to him in ethereum it seems)
16:32 < justanotheruser1> maaku: I see. Do you think anything but PoW could work?
16:32 < adam3us> maaku: i mean of the script itself, like maybe you dont want to accept financial covenants unless they are certified as safe and fair by a competent
16:32 < andytoshi> michagogo|cloud: ok, if you're willing to let it go that'll be a good test to see if you can break something
16:32 < maaku> justanotheruser1: what for consensus? no. proof-of-work is absolutely perfect
16:33 < maaku> the deficiencies people often quote are actually what makes it work
16:33 < Luke-Jr> O.o
16:33 < Luke-Jr> far from perfect imo
16:33 < justanotheruser1> maaku: No it isn't. Someone with 20% of the processing power could reverse 6 confirmations within a day
16:33 < adam3us> maaku: missed this bit "just doing so with the decentralized host currency that is problematic" thats interesting.  so u think it could be safe for issued assets (peer issued or central issuer issued)
16:34 < maaku> Luke-Jr: idk, the only viable improvement I've seen is gmaxwell's timelock-encryption, although that has more problems than it solves
16:34 < maaku> at the moment
16:34 < michagogo|cloud> 2014-01-15 21:34:29 keypool reserve 17592
16:34 < Luke-Jr> maaku: I didn't say I knew something better, just that PoW isn't perfect :P
16:34 < adam3us> maaku: well i guess eg an issuer like a gold depositary or a mortgage issuer might put some pretty bad terms in the fine print that u are not qualified to evaluate
16:35 < maaku> justanotheruser1: and there's no getting around that. not without compromising what PoW gives you
16:35 < maaku> don't mistake a rule of thumb (6 confirms) with the actual security model of proof of work
16:35 < justanotheruser1> maaku: I never said there is a way to get around that. I just am pointing out that it is an imperfection.
16:35 < maaku> adam3us: sure, who cares if you put a crazy grey-goo covenant on your personally issued asset?
16:36 < maaku> in freimarkets at least, where user assets aren't host currency
03:42 < gmaxwell> and when someone shows up and wants to rewrite some big chunk of the wallet it would be much easier to accept ... or even offer in parallel.
03:42 < gmaxwell> right now its a pain to run more than one or two bitcoin daemons on a host.. but it would be nice to be able to try out a couple different wallet types.
03:43 < wumpus> right, that's the advantage of modularization
03:43 < gmaxwell> "oh, you want the ultra fancy mode with coin control? no problem run wallet-advanced-qt "
03:43 < wumpus> keep the consensus part in a locked-down repository, and allow freeer experimentation with the rest
03:45 < wumpus> and 'berkelydb wallet' and 'fancy new append-only wallet' could exist in parallel for a while
03:45 < gmaxwell> http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf < 20 bits per second across 20 meters, using high pitched (e.g. near inaudible) sound from a laptop. So much for your airgapped wallet. :P
03:45 < wumpus> (I forgot "deterministic" somewhere in there)
03:48 < warren> I'm pushing Bitcoin and Litecoin mac builds to the people who complained about corruption.
03:48 < Emcy> noticed the trend against modularity or even customisation in end user software though?
03:48 < warren> we'll see ...
03:48 < wumpus> An Acoustical Multi-hop Keylogger
03:49 < wumpus> warren: hopefully
03:50 < Emcy> gmaxwell what was the mic?
03:50 < warren> gmaxwell: white noise jamming
03:50 < wumpus> wouldn't white noise be easy to filter out?
03:50 < gmaxwell> warren: with a suitable design that's actually very hard.
03:50 < gmaxwell> Emcy: it's between laptops, they built a mesh network
03:51 < Emcy> thats frankly cool and how could we use this power for good instead of evil
03:51 < wumpus> I guess it could also work with webcams and screen patterns, at least if they're in each others line of sight
03:52 < gmaxwell> warren: it's possible to have modulation schemes that are very difficult to jam without knowing the right cryptographic keys. ... and jamming those is basically only effective via overpowering.
03:52 < warren> sounds about as monetizable as the patented qrcodes that contain audio recordings.  The MBA program tried to make us do a consulting project on saving that stupid company.  I dropped the class because I didn't appreciate the professor using his own crappy portfolio companies.
03:52 < Emcy> i could hear 21khz last time i checked with a signal generator though so im good :)
03:53 < Emcy> wumpus there was a casio watch in the 90s that used flashing bars on your monitor for data downloading
03:53 < gmaxwell> Emcy: yes I can too, _however_ your and my sensitivity to that frequency is very weak even though we can hear it.
03:54 < Emcy> and gmaxwell is right about jamming, im reminded of how GPS gets a signal through from orbit with some sort of notch frequency thing
03:54 < gmaxwell> Emcy: which means the computer can be moderately loud but still seem quiet to us.
03:54 < gmaxwell> Emcy: orbit is easy! it's straight up!
03:54 < gmaxwell> and gps birds have a fairly low orbits. :P
03:55 < Emcy> gmaxwell the sound coming from old tube displays frequently caused me physical pain
03:55 < Emcy> i lucked out being born in time for the age of flatscreens
03:56 < gmaxwell> Emcy: there is some crazy person a few blocks from where I live that has some kind of pest repeller or something that produces a ~20KHz tone. I plug my ears when I walk by.. it's super loud.
03:57 < warren> does it work?
03:57 < gmaxwell> it repels me, does that count?
03:58 < warren> that could mean it is successful, it just doesn't discriminate
03:59 < wumpus> so it keeps humans away as well, terrific
04:00 < Emcy> some shops here started putting those things above the door specifically to keep chav kids from hanging around the front drinking
04:01 < Emcy> obviously completely discriminatory and not just against chavs
04:01 < gmaxwell> non chavs can afford earplugs?
04:02 < wumpus> their reasoning is probably that the younger kids hearing is still more sensitive to those frequencies
04:02 < gmaxwell> it's generally true, though also women.
04:02 < gmaxwell> which might not be their goal
04:02 < Emcy> lol im not putting in earplugs just to go into your shitty overpriced spar
04:03 < Emcy> the ironic thing is everything in these shops is overpriced except the cheap gutrot cider
04:03 < wumpus> here they use classical music for that, in some places
04:03 < Emcy> lol really
04:04 < gmaxwell> "Well, we still have bums at the door; but at least they're classy bums now"
04:05 < wumpus> hah
04:09 < warren> http://download1.rpmfusion.org/~warren/bitcoin-0.8.5-OMG4/macosx/
04:09 < warren> http://download1.rpmfusion.org/~warren/litecoin-0.8.5.2-rc6/macosx/
04:11 < Emcy> omg?
04:12 < warren> Emcy: OMG!
04:13 < warren> grr
04:13 < warren> I built the wrong branch
04:17 < deantrade> gmaxwell: thanks.  I'm guessing I won't bother you as much posting in here, but I'll still be able to toss my ideas out on more experimental things
04:20 < deantrade> Did you see my comment on trashing DiskBlockIndex.pnext and storing height->mainChainBlockHash key/value table instead?
04:20 < Emcy> just remember the first rule of wizards
04:20 < Emcy> you dont talk about wizards
04:23 < deantrade> I thought it was something more along the lines of "People believe invalid things for all sorts of motivations, such as fear, instead of believing by evidence/reason."
04:24 < Emcy> wheres that from
04:24 < deantrade> Sword of Truth series
04:50 < deantrade> On UTXO aging:  I was thinking of having a system like this: The money supply inflates at some constant % increase each year.  Say something like 1% per year.  Then in 70 years (when the money supply doubles) you do a reverse stock split, and anything that gets rounded to zero coin value is thrown out.
04:52 < deantrade> 2% per year: 35 years to double money supply.  3% per year: 23.5 years.  4% per year: 18 years.
04:54 < gmaxwell> "inflates" so what winner are you going to transfer the results of everyone in the economies labor to?
04:55 < gmaxwell> ... because if you simply scale the value of all existing coins, none will ever fall under your thresholding.
04:56 < deantrade> Lets say you had 1 satoshi.	If there was a reverse stock split where 2 satoshis were then stored as 1 satoshi, then 1/2 = 0.
04:57 < deantrade> Winner of the inflation would be the block solvers (via proof of work).
04:58 < gmaxwell> deantrade: right, so depending on how much coin was lost you might be transferring some huge percentage of the economy to miners. Who sets that and keeps it sane? This doesn't sound like a grand plan.
04:59 < deantrade> No, when you reverse stock split nothing goes to the miners
04:59 < jtimon> that's escheatment we have thought about it for freicoin (which has demurrage instead of inflation)
05:00 < jtimon> at some point some outputs will approach zero value
05:00 < jtimon> should we still allow to spend them?
05:01 < jtimon> the anti-dust stuff limits that a little bit but you still can't take them out of the utxo set
05:01 < jtimon> with custom assets the problem gets worse I guess
05:02 < go1111111> gmaxwell: the miners would bid up the mining difficulty until they were barely making a profit. a 2% per year inflation forever (once the existing rate would otherwise fall below 2%) would just enhance the strength of the network, assuming it didn't cause people to be less enthusiastic about the currency
05:02 < deantrade> I don't think you guys are getting what I'm trying to say
05:02 < jtimon> I don't know, the incentives are complex, but didn't users already paid the transaction fees?
05:03 < jtimon> deantrade I really think I do, just replacing inflation with demurrage
05:04 < jtimon> in freicoin, for example, there will always be 5% (aprox) demurrage going to miners
05:04 < jtimon> in this case you don't need to "double the minimum expressable quantity"
05:04 < jtimon> because some outputs nominal values will go under 1 satoshi through demurrage
05:06 < gmaxwell> go1111111: yea, or cause starvation because 40% of the economy is going to build spheres to capture all the sun's energy to power miners.
05:06 < deantrade> Yes, it is effectively demurrage.  I guess the problem with this system is that its not really a great thing that the miners get paid via inflation rather than via tx fees.
05:08 < jtimon> gmaxwell maybe 5% is "too much security", we've discussed that a lot on the freicoin forums
05:08 < jtimon> that ultimately depends on monetary velocity
05:09 < gmaxwell> jtimon: it depends also on prior lost coins and a bunch of other factors.
05:09 < jtimon> with V=10, 5% of the nominal supply is less than 49% with V=1
05:09 < jtimon> with demurrage lost coins are eventually recycled (even without escheatment)
05:10 < jtimon> in any case, many freicoiners believe that we need another p2p distribution mechanism besides mining
05:10 < deantrade> I guess maybe the best solution would be that unspent transactions would just be thrown out after X number of years.  And then coins would just need to be made more divisible if that became a problem.
05:11 < deantrade> So when you throw out coins, it effectively reduces the money supply, causing people to realize they now own a larger fraction of the total money supply.
05:12 < jtimon> I've heard that proposal before "escheatment if funds aren't moved in X blocks"
05:13 < jtimon> that would solve the "utxo size problem" too
05:14 < jtimon> but I'm not sure something like that is even necessary
05:14 < deantrade> But its not that the coins go to someone in particular who gets richer.  It just reduces the money supply, making everyone realize they are now effectively some fraction "richer".
05:15 < jtimon> as explained by go1111111 nobody gets necessarily richer
05:15 < jtimon> if you give coins to miners you subsidize security, that's all
05:16 < jtimon> in perfect competition profits still tend to zero
05:16 < jtimon> but your proposal is polemic
20:43 < petertodd> Luke-Jr: exactly!
20:44 < gmaxwell> at best you can say it's probably inconsequential.
20:44 < petertodd> gmaxwell: yes, but if you are running a node *on behalf of merchants* the incentives are different!
20:45 < gmaxwell> I'm sure if we're thinking at all we're spending 1000x more thought than any bitcoin merchants are likely to put into anything in the near term.
20:45 < gmaxwell> oh well.
20:45 < petertodd> Yeah well, if we're going to eventually design better systems, understanding the incentives of the one we have right now is very valuable.
20:46  * gmaxwell goes off and continues to sulk that he found _yet another_ very high profile bitcoin service provider that was trivially exploitable.
20:46 < petertodd> gmaxwell: that we're all still whitehats says a lot about our incentives :P
20:47 < Luke-Jr> gmaxwell: to be fair, BitPay did hire jgarzik; that counts :P
20:47 < gmaxwell> petertodd: what good are awesome exploits if you can never brag about them?
20:47 < petertodd> Luke-Jr: heh, cavirtex tried to hire me
20:47 < petertodd> gmaxwell: what good is bragging rights if you don't have hired strippers and the hot tub?
20:48  * petertodd brb, snorting coke
20:48 < gmaxwell> hah
20:48 < Luke-Jr> gmaxwell: next time maybe you should say "if I demonstrate how I can steal 50 BTC from Coinbase, can I keep it?" ;)
20:48 < Luke-Jr> s/Coinbase/whatever service/
20:48 < Luke-Jr> s/50 BTC/something reasonable at the time/
20:48 < petertodd> Luke-Jr: heh, that's why I demonstrated that zeroconf attack on bc.i rather than just told piuk it was possible :P
20:49 < petertodd> Luke-Jr: figured I had a 50:50 chance he'd let me keep it
20:49 < Luke-Jr> <.<
20:49 < gmaxwell> I don't even want the 50 BTC, I want the bitcoin economy to not be super fragile.
20:49 < Luke-Jr> petertodd: if you don't ask in advance, there's a question of legality
20:50 < petertodd> Luke-Jr: meh, I didn't know if it could be done, which puts you in a catch-22 between responsible disclosure and actually doing the attacks
20:50 < Luke-Jr> petertodd: that's why you ask :P
20:50 < Luke-Jr> once you have permission to try, then go for it :D
20:50 < sipa> "Hi, I think there's a bug in your systems. If I can exploit it to gain no more than X btc, can I keep it?"
20:50  * Luke-Jr glares at Litecoin for not giving permission
20:50 < petertodd> Luke-Jr: that's my point, by asking I would have been irresponsibly disclosing the attack!
20:51 < Luke-Jr> petertodd: ?
20:51 < petertodd> sipa: yes, which I probably should have done, but I figured $50 wasn't a big deal
20:51 < petertodd> Luke-Jr: the nLockTime zerocoin attack was embarrassingly obvious once you got at all clued in on it
20:51 < gmaxwell> At least with bc.i I've had bad experiences with them ignoring reports, and then claiming that an attack wasn't ever possible after I do finally get their attention. Mostly I just try to not load their pages, lest I find _yet another_ exploitable vulnerability and have to deal with the stress of convincing them to fix it.  Fortunately most other services I've reported to are more responsive.
20:52 < gmaxwell> TD seemed to be saying bc.i is still mostly a one man operation, so I guess that explains part of it.
20:52 < petertodd> Luke-Jr: I basically went through every service I could think of and did the attack - only bc.i was really vulnerable to it.
20:52 < Luke-Jr> "Hi, I offer penetration testing services. You owe me nothing if I don't find anything, but if I do, I keep up to x BTC of what I acquire using the discovered exploit, and deliver to you documentation on how I did it. If this offer interests you, please sign and email this permissions contract."
20:53 < petertodd> Luke-Jr: meh, for now you can be pragmatic - give it another year or two and my advice would be don't
20:53 < Luke-Jr> ?
20:53 < Luke-Jr> with permission, hard to see how it can go sour
20:54 < Luke-Jr> of course, in a year or so hopefully there won't be anything so obvious I could actually get anywhere XD
20:54 < petertodd> Luke-Jr: as bitcoin gets bigger and the companies have more to lose permission is both more important, but also, doing stuff out in the open is legally risky
20:54 < gmaxwell> Luke-Jr: one limitation with that is that some attacks require collateral crime... a real attacker isn't constrained to not defraud other people, but you are.
20:54 < petertodd> Luke-Jr: even really whitehat-acting people have been rail-roaded in the real world
20:54 < gmaxwell> e.g. those people trying to compromise mining pools by social engineering datacenter operators.
20:54 < Luke-Jr> petertodd: with permission?
20:55 < petertodd> Luke-Jr: yes, define "permission" - companies have later claimed whitehats didn't have permission for instance
20:57 < Luke-Jr> petertodd: signed document
20:58 < petertodd> Luke-Jr: "That employee never had authority to sign that document/you and him were conspiring." (e.g. if an attack somehow goes worse than expected, say takes down a whole site accidentally)
20:58 < Luke-Jr> hrm
21:01 < petertodd> Legality is hard. Speaking of, it's going to be fascinating to see the first time someone threatens to prosecute a miner for mining a zeroconf double-spend...
21:02 < petertodd> ...or assisting in one, as you do with Elgigius by not following the same mempool rules re: satoshidice as everyone else. Or as you do every time you upgrade...
21:02 < gmaxwell> how can you even establish which one was the right one?
21:02 < gmaxwell> e.g. the doublespender could have just given you the other one first.
21:02 < petertodd> gmaxwell: Sworn testimony in court obviously.
21:03 < petertodd> This isn't a technical question.
21:03 < gmaxwell> I suppose. The doublespender has no assets and cooperates?
21:04 < petertodd> No, e.g. a *dice site: the site would swear that according to their logs GHash.IO allowed a double-spend to be mined on multiple occasions, or Eligius *through negligence* allowed it to happen.
21:04 < petertodd> "Accepted practice in Bitcoin is to not mine double-spends and to peer well enough that they don't happen."
21:04 < Luke-Jr> petertodd: good thing everyone here is able to be an expert witness against such nonsense
21:05 < Luke-Jr> petertodd: Eligius didn't neglect anything
21:05 < petertodd> Just for the record, for a sufficient amount of money I'll be an expert witness on the opposite side...
21:05 < Luke-Jr> petertodd: you'll lie under oath?
21:05 < petertodd> (might as well say that given that is the reality...)
21:05 < petertodd> It's not a lie, it's... a different interpretation of the facts.
21:05 < Luke-Jr> that statement would be a lie.
21:06 < Luke-Jr> every double spend ever, has been mined
21:06 < petertodd> Luke-Jr: what do you mean by that?
21:06 < Luke-Jr> petertodd: exactly what I said
21:06 < petertodd> Well I've personally used that exact mempool trick to demonstrate that zeroconf isn't safe, so I'm not sure what you mean there.
21:06 < Luke-Jr> for any given conflicting transaction pair, one of them has appeared in a block eventually
21:07 < Emcy> anyone surprised how many people don't appear to like the eligius address reuse patch thing
21:07 < Luke-Jr> Emcy: I'm surprised
21:07 < Luke-Jr> partly my fault though
21:07 < Luke-Jr> the original plan was to make a set of multiple competing patches
21:07 < petertodd> Right, but I'm saying you could convince a court that because "accepted practice" was to not allow double-spends in mempools, failing to do that is negligence, or perhaps conspiracy if an attacker keeps doing that and Eligius doesn't change their policy.
21:07 < Luke-Jr> but it was taking up too much time
21:08 < Emcy> are they just ignorant/misinformed or do they not want anything to rock the price boat
21:08 < Luke-Jr> petertodd: either of the transactions is equally valid
21:08 < Luke-Jr> and accepted practice is that nodes are free to choose which transactions they relay or mine
21:08 < Luke-Jr> and often DO discriminate
21:09 < petertodd> Luke-Jr: no, one was broadcast first. By the *accepted practices* the first was the valid one. Eligius allowed a double-spend to enter its mempool even 5 minutes later!
21:09 < petertodd> Luke-Jr: No it's not. Look at how angry people were at GHash.IO.
21:09 < Luke-Jr> petertodd: miners have a duty to filter spam. even if Eligius were the only one to be fulfilling this role (we're not), it is the *other* miners who are negligent
21:10 < Luke-Jr> petertodd: they were mad at GHash.IO for actually PERFORMING the double-spend
21:10 < Luke-Jr> not for merely mining it
21:10 < Luke-Jr> also, that thread was surprisingly not-very-angry
21:10 < petertodd> Luke-Jr: "Duty to filter spam? What duty? Accepted practice by all but one rogue pool is to follow the Official Bitcoin-QT Implementation."
21:11 < Luke-Jr> petertodd: that's not true
21:11 < petertodd> Luke-Jr: Truth is established in a court of law in a process that may have results you do not like.
21:11 < Luke-Jr> petertodd: no, truth cares not what any court says
21:12 < petertodd> Luke-Jr: ok, whether or not the government has a judgement for damages and/or an arrest warrant for your name has nothing to do with your definition of truth
21:12 < Luke-Jr> petertodd: whether you have committed perjury does
21:13 < Luke-Jr> "Accepted practice by all but one percent of businesses is to use USD cash"
21:13 < Luke-Jr> ^ about as good as your argument
21:13 < petertodd> Hey, we can sit here all day if you want to be an engineer and ignore the complexity of the legal system.
21:14 < petertodd> Reality is, my line of argument is one that a court may very well accept, resulting in real world and undesirable consequences.
21:15 < Luke-Jr> not after I demonstrate how you're lying :P
21:15 < petertodd> if you truly believe a court would be guaranteed to think I was lying I suggest you spend some more time with your lawyer
21:18 < Luke-Jr> I don't believe a court would hear a case from a criminal enterprise plaintiff
04:40 <@gmaxwell> hah.
04:40 < warren> I personally would want work on this, to setup a non-profit and a legal structure that states clearly the project's goals (safety, security, anti-spam) but disclaims liability.
04:41 <@gmaxwell> if someone wants to find implied liability ... the fact that someone took donations or didn't isn't going to matter.
04:41 < warren> TRC dev really fucked up.  I doubt anyone will sue there.
04:42 < sipa> trc?
04:42 < warren> sipa: another alt coin, sha256-based.  They had ~4-5 mandatory version upgrades over a week because their bad design was destroyed repeatedly by a single avalon
04:42 < sipa> ha
04:42 < warren> sipa: TRC's "innovation" was super fast difficulty changes
04:43 < warren> It broke in a different way with longer 30 block intervals
04:43 <@gmaxwell> it's not even the first time someone has made that innovation with the same consequences!
04:43 <@gmaxwell> solidcoin 1.0 failed that way.
04:43 < warren> Attempt #4 made it far worse!
04:44 <@gmaxwell> yea, well I called that (or was that #3?) with ten seconds of code review
04:44 < warren> They added a testnet-like difficulty reduction if there were no blocks in the last 10 minutes.
04:44 <@gmaxwell> yea, that was the one I called. :P
04:44 < warren> I pointed it out first, and you agreed. =)
04:44 < warren> Shortly thereafter, someone did the time traveling attack.
04:45 < warren> during these attacks, btc-e added  TRC to their exchange, and they were wondering why nobody was trading
04:45 < warren> great due diligence folks
04:45 < warren> That was a huge opportunity to rob the exchange
04:45 <@gmaxwell> You knew before I told you there about the reseting difficulty attack?
04:45 < warren> yes
04:45 <@gmaxwell> cool. someone else paying attention.
04:45 <@gmaxwell> oh well, in any case, Lolcust is back around so you can expect more really super awesome altcoins.
04:45 < warren> I remembered seeing it in the testnet code while I was studying litecoin.
04:47 < warren> If I had time, I'd like to release a tool that forks Bitcoin, mass string replace, generates a new genesis, makes deterministic builds and uploads to a new git.
04:47 < warren> Then those fools can make a 100 new coins.
04:47 < warren> Then *maybe* people will realize how stupid it is.
04:48 < warren> gmaxwell: Can you help me approach MtGox on that idea?
04:49 <@gmaxwell> I suggested that idea in #bitcoin-mining with an added twist: you should make the cgi charge a nominal fee (in btc), and partner with a large pool, with merged mining, so that instead of premining them the creator can just receive the pool's worth of mining.
04:49 <@gmaxwell> warren: making 100 new coins?
04:49 < warren> no
04:49 < warren> sponsor dev of their new coin to reduce their financial risk
04:49 < warren> because there's literally no reference client devs
04:50 <@gmaxwell> Well, I can; however, magical tux doesn't talk to me too much, and the last time he talked to me it seems like he outright lied to me. So...
04:51 < warren> gmaxwell: oh, you mean make it super easy for the creator to pre-mine?
04:51 <@gmaxwell> nah, not pre-mine, but to have a large amount of hashpower on the coin right from the start which the creator is getting paid for.
04:51 <@gmaxwell> a slightly more equitable premine that also provides some security.
04:52 < warren> huh.
04:52 < warren> which would be the aux?
04:52 <@gmaxwell> it would be the aux. It'd be merged mined against bitcoin (or litecoin, I suppose if you wanted)
04:53 < warren> are any of the merge mining methods reliable now?
04:53 < warren> such that it won't slow down the main coin
04:54 < warren> gmaxwell: well, I suppose an introduction might help.  This seems like a good idea for both parties.
04:54 <@gmaxwell> luke's code is, and I assume doublec's too, considering both have basically merged mined everything mergeminable.  Luke stopped mming namecoin recently mostly because the daemon itself was crapping out.
04:54 < warren> doublec?  what pool did he write?
04:55 <@gmaxwell> http://mmpool.bitparking.com/pool
04:55 < warren> hmm, no source I guess
04:56 <@gmaxwell> no, but it wouldn't be useful to you, you don't have a big installed base of bitcoin hashpower
04:56 <@gmaxwell> my suggestion was to partner with someone who already did.
04:56 <@gmaxwell> luke was all for the idea; can't stop the altcoin folly directly, so make it more obvious with infinite worthless altcoins.
04:57 <@gmaxwell> I sometimes joke about gmaxwellcoin ... but then everbuddy could have their own altcoin, for the low low price of 0.5 BTC!
04:58 < warren> On a more serious note, how do you feel about a blockchain-based solution to reward full verifying nodes?
04:58 <@gmaxwell> blockchain-based? huh?
04:58 <@gmaxwell> I like puppies and apple pie.
04:59 < warren> OK, I haven't thought this through yet, just wondering if it's possible to have a POW that proves you have all the tx's and you are relaying.
05:00 <@gmaxwell> amiller proposed to use queries against a committed utxo set as a memory hard function as the system POW.
05:01 < warren> who would do the query?
05:01 <@gmaxwell> and it seems like a generally reasonable idea to me, though I have some skepticism that the result will actually be hardware that's good at validation: if there is _any_ way to make it faster by cheating people will.
05:02 <@gmaxwell> warren: you'd query to mine. e.g. H(header||nonce) forms a random sequence which you use to query the UTXO set.. then you hash up the result append that to the header.. and hash that to see if you've met difficulty
05:03 < warren> and if you met difficulty, what do you get?
05:03 <@gmaxwell> a block
05:04 < warren> This is a secondary blockchain to somehow reward full nodes?
05:05 < warren> hmm
05:06 <@gmaxwell> ...
05:06 <@gmaxwell> Amiller's suggestion is to make it _the_ proof of work.
05:06 < warren> oh
05:06 <@gmaxwell> In order to align the interests of the network.
05:07 <@gmaxwell> If you just want a full node lottery, get pay2ip reenabled and probe nodes and then randomly pay them if they've been good. reasonably hard to fake if you pay them proportional to their throughput.
05:07 < warren> how about ... for each BTC block round, the highest difficulty from valid proof of utxo set from all nodes gets <reward> which is set aside in the next BTC block?
05:08 < warren> with some limitations to prevent ballot stuff
05:08 < warren> stuffing
05:09 <@gmaxwell> uh.
05:10 <@gmaxwell> well good luck with that.
05:11 < warren> what?  not technically possible?
05:13 < warren> Oh.  Not highest.  More like a lottery where the winning number is derived from the next block.
05:17 < warren> I don't have this fully thought through.  I'll think more about this.
05:18 <@gmaxwell> I don't see how I don't just enter that lottery umpteen billion times per second. Or how you're going to convince the network to take awards away from miners. (amiller's stuff seems obviously enough not-for-bitcoin, but if you're going to be all hardforky about it might as well go full amiller time)
05:19 < warren> The hard part is to prevent folks from making many artificial nodes on many IP's they control. yes.
05:21 < warren> I think the lottery could be limited by having random peers check then sign if they pass certain rules.
05:22 < warren> best we can do is limit by public IP, and maybe also only one per subnet randomly chosen.
05:25 < warren> gmaxwell: Divert a really tiny portion of fees to the full node lottery.  Since running a node is much cheaper than running a miner, even a tiny lottery reward would be sufficient to encourage many more relays.
--- Log closed Thu Apr 25 07:21:17 2013
--- Log opened Thu Apr 25 07:21:34 2013
10:43 < warren> There are aspects of this I haven't figured out yet, and a major drawback of it being decentralized might be lots of extra tx's per round.
10:47 < warren> gmaxwell: Oh, another aspect of the p2pool dust problem: The litecoin users began taking matters into their own hands by forking p2pool, cutting forrest out entirely.  There are at least two other p2pool instances in litecoin now.
10:50 < warren> "<gmaxwell> [23:07:25] If you just want a full node lottery, get pay2ip reenabled and probe nodes and then randomly pay them if they've been good. reasonably hard to fake if you pay them proportional to their throughput."
10:51 < warren> I'm afraid this will create perverse incentives to intercept traffic
10:51 < warren> (yes, we talked about this before)
--- Log closed Thu Apr 25 11:29:38 2013
--- Log opened Thu Apr 25 11:28:19 2013
--- Log closed Thu Apr 25 11:28:29 2013
--- Log opened Thu Apr 25 11:29:04 2013
15:09 < HM2> cryptography is a fascinating field
15:09 < HM2> obvious ideas can sneak up on you
15:10 < HM2> i'm reading a paper on permutations over arbitrary domains. e.g. using a key to remap the numbers from 0 to 1 million to a permutation
15:11 < HM2> simplest algorithm: use a symmetric cipher to encrypt all the numbers, sort the ciphertext, replace each number with its ordinal index
15:11 < HM2> such an obvious idea
15:12 < sipa> it will also never be a true random shuffle :p
15:13 < HM2> why so?
15:14 < sipa> your keyspace size would need to be an integral multiple of the number of permutations (=n!, with n the number of elements)
15:15 < HM2> Hmm?
15:16 < HM2> Your domain needs to be smaller than the block ciphers
15:16 < HM2> it doesn't matter if you're encrypting 4 digit pins with a 128bit cipher though, it's still going to result in 10000 unique 128bit ciphertexts?
15:16 < sipa> not just smaller, an integral divisor of it
15:17 < sipa> (and that's a necessary requirement, not a sufficient one)
15:17 < HM2> How?
15:18 < HM2> http://www.cs.ucdavis.edu/~rogaway/papers/subset.pdf
15:18 < HM2> method 1, page 6
15:19 < sipa> i didn't say it would be insecure
15:19 < sipa> just that it can't be a true random shuffle
15:19 < HM2> how do you define true random?
15:19 < HM2> it's obviously pseudorandom
06:19 < warren> gmaxwell: among other problems, they went quiet around August, and a few weeks ago people figured out that BFL was violating paypal's TOS, so paypal began seizing funds from them.  whoever figured it out first and used the secret escalation procedure got refunds until the seized funds ran out.
06:21 < gmaxwell> yea, I know. They were literally calling some guy inside paypal who was hand processing it.
06:21 < gmaxwell> I deleted that guy's phone number and name from the forum a bunch of times so people wouldn't mob him.
06:22 < warren> I sold only the 30GH unit that I got with the 6 months no interest paypal loan
06:22 < warren> I tried to get paypal to seize that but I learned about the escalation procedure too late.
06:23 < warren> BFL apparently began generating fake tracking numbers to stop paypal from giving refunds.  real shady.
06:24 < gmaxwell> wow, I'd missed that. Interesting. I saw some people getting tracking numbers when they canceled.
06:24 < gmaxwell> But I assumed that was someone lying to try to cause a run on cancelations.
06:24 < gmaxwell> warren: sorry, If I'd realized you were in a position where you might want to refund I would have prodded you personally.
06:26 < warren> I feel bad about the pre-order buyer so might just give him his money back.
06:26 < warren> dunno
06:38 < gmaxwell> warren: http://www.reddit.com/r/Bitcoin/comments/1o2zo0/just_got_email_confirmation_from_bfl_that_my/
06:41 < warren> gmaxwell: I managed to cancel all of my other orders before they stopped giving refunds ... so it's just one 30GH miner remaining from early April 2013
07:26 < gmaxwell> oh god.
07:27 < gmaxwell> that quantum wingnut guy apparently spoke at the Amsterdam bitcoin conf?
07:27 < sipa> what's a wingnut?
07:27 < gmaxwell> american term for crazy or weird.
07:28 < gmaxwell> I have an "investor" person emailing me asking for advice because he wants to invest in this guy's super plan for BQP in polytime on classical computers for mining.
07:28 < sipa> lol
07:28 < sipa> say you want 10%
07:29 < gmaxwell> hah
07:29 < gmaxwell> awful.
07:31 < wumpus> lol
07:36 < warren> "american term for crazy or weird." it's all relative in bitcoinland.
07:55 < warren> are we still switching to testnet4 for 0.9?
07:56 < sipa> what is testnet4?
07:56 < sipa> i don't object to resetting testnet, but i haven't heard about any specific plans or rule changes
07:57 < warren> oh, there was previous discussion about resetting it to discourage storing stuff there
10:01 < jgarzik> sipa, I had suggested resetting it proactively on IRC.  gmaxwell seemed to agree, but I don't think it was ever more concrete than that.
10:02 < jgarzik> testnet IMO should not be a permanent side channel database
13:52 < gmaxwell> jgarzik: I agree, but before we do that, we really ought to go figure out where the distributed tests are.... several useful tests were added to that chain later on (including ones that forked bitcoin 0.8-prerelease, bitcoin ruby, electrum, and btcgo) so we can make sure to add them to the front in the replacement.
14:17 < maaku> gmaxwell: if anyone does that, it'd be *really nice* to package that up into a bunch of transaction-generating scripts
14:18 < sipa> how about running pulltester on testnet? :p
14:18 < gmaxwell> sipa: pulltester tests reorgs.
14:18 < sipa> ok ok
14:18 < gmaxwell> maaku: Well the first 500 block of testnet are full of test cases.
14:19 < sipa> i mean, taking the transactions in pulltester, and putting them in the chain
14:19 < sipa> though i suppose there aren't that many
14:20 < gmaxwell> yea, reasonable way to go about it.
14:36 < BlueMatt> petertodd: no, if you are an spv node you shall not relay data you cannot fully verify
14:36 < BlueMatt> petertodd: this has been an unspoken network rule for a long time
14:37 < gmaxwell> BlueMatt: oh hai.
14:37 < BlueMatt> hi
14:37 < gmaxwell> BlueMatt: we probably should have CVEed the debian contrib init script stuff that set an rpc password. :(
14:37 < BlueMatt> petertodd: spv nodes shall only relay transactions they created
14:38 < BlueMatt> gmaxwell: probably, but debian should have done that themselves, really
14:38 < gmaxwell> BlueMatt: some guy with a fedora rpm was shipping it. I'd missed it when it was removed, but I caught it when auditing his package.
14:38 < BlueMatt> hmm
14:40 < BlueMatt> (I didn't publicize the removal of it because I wasn't sure when debian was gonna/did ship the fix)
14:42 < gmaxwell> well I've made it public (half on accident because I thought I was in /query with warren and not #bitcoin-dev ... :( though it's not the end of the world, I don't think that _that_ many were using that fedora package)
14:42 < BlueMatt> and hopefully people have been paying attention to the long-standing recommendation that rpc interface not be public, even if password protected...
14:42 < BlueMatt> but I suppose we can never depend on that :(
14:44 < warren> why do we allow one distro's packaging stuff into upstream at all?
14:48 < maaku> holy cow, there's a C++ REPL? http://root.cern.ch/drupal/content/about
14:50 < maaku> warren: there are many debian/ubuntu based distributions. it makes sense to put that stuff in contrib
14:51 < gmaxwell> warren: projects also do that as a way of having some amount of control/influence/visibility into how they are being packaged. ... though it doesn't stop distributions from ignoring it and patching the crap out of their software...
16:49 < amiller> ugh i'm really bothered by a couple more things now
16:49 < amiller> 1) i've been starting to think about how BTC (the currency) can be thought of as 'legal tender' within Bitcoin (the system) because of how it can be used for tx fees
16:50 < amiller> i'm trying to understand the implications of overlay currencies like in freimarkets and colored coins
16:50 < amiller> but actually since there are no mandatory fees
16:50 < amiller> it *doesn't* even enjoy any privileged status in that regard
16:50 < amiller> you could probably pay miners in colored coins, if the 'color kernel' supported that
16:51 < amiller> it's really entirely up to the miners what motivates them to include your tx
16:52 < amiller> i don't know of any colorcoins that do that, but in freimarkets you can explicitly pay miners with portions of the self issued currencies
16:52 < amiller> an individual miner may or may not value these of course
16:52 < amiller> but for the sake of hard fork rules it doesn't matter
16:52 < amiller> 2) so this brings me to the second thing that's bugging me today
16:54 < gmaxwell> amiller: well, so long as the coloring rule inherits across fees.
16:54 < gmaxwell> oh you said that.
16:54 < gmaxwell> and yea, people have previously noticed that you can pay miners in other ways.. and in fact there is a history of that already.
16:55 < amiller> what kind of history?
16:55 < amiller> side deal or just with the tx broadcast?
16:55 < gmaxwell> (E.g. eligius providing free priority processing for mtgox as part of their hosting arrangement)
16:56 < gmaxwell> It's one of the reasons that "figure out what fees you should pay from recent blocks" is somewhat iffy.
16:56 < amiller> the second thing is that even if miners can't easily vote to change rules (because of some kind of constitutional interweaving somehow),
16:56 < amiller> i can't figure out what rationale prevents a couple mining pools from "discouraging" a particular transaction, perhaps temporarily
16:57 < sipa> they can perfectly vote to softfork
16:57 < sipa> censorship is only a softfork
16:57 < gmaxwell> (eligius also lets you pay fees by including outputs to the pools' donations addresses)
16:57 < amiller> i'm thinking of something in between a softfork and a hardfork
16:57 < gmaxwell> amiller: mining pools already discourage particular transactions.
16:57 < amiller> a hardfork is when you absolutely will not mine a block that has predicate x
16:57 < sipa> no
16:57 < amiller> a softfork is when you do not include in your block, transaction with predicate x
16:57 < gmaxwell> For example, many block correct horse stapler battery.
16:58 < amiller> mine on top of*
16:58 < sipa> amiller:
16:58 < sipa> no
16:58 < gmaxwell> amiller: no thats not the common convention.
16:58 < sipa> a hardfork is allowing something that used to be illegal
16:58 < sipa> a softfork is disallowing something that was legal
16:58 < sipa> the rest is just policy
16:58 < amiller> oh.
16:59 < sipa> a softfork requires 51% from miners
16:59 < gmaxwell> What you're describing as a hardfork is a softfork. What you're calling a softfork is just policy.
16:59 < sipa> a hardfork requires 100% from everyone
16:59 < gmaxwell> Everyone that remains at least! :P
17:00 < amiller> i see.
17:00 < amiller> hmmmm
17:00 < sipa> there has exactly one hardfork that i know of
17:01 < gmaxwell> and even that one is a little debatable! there are still old nodes running and current!
17:01 < warren> how?
17:01 < gmaxwell> because the bdb large block failure is non-deterministic.
17:03 < amiller> that makes a lot of sense, i don't know how i haven't understood this before, thanks.
17:04 < sipa> a hard fork is called that way because it inevitably forks off old clients
17:04 < amiller> actually i'm not sure where anyone would go to read that description clearly, i can't find it on the wiki
17:04 < sipa> a soft fork only causes an actual fork in case a majority of hash power is on the old code
17:05 < sipa> better explanations on the wiki would be great
17:05 < sipa> many things are just outdated or missing
17:06 < amiller> okay so then what i'm talking about is a softer-fork
17:06 < amiller> i can make my own predicate, or even just a temporary special case, and threaten to try hard to prevent it
17:07 < amiller> it's potentially costly for me in wasted-work if i ignore a block that has a transaction i don't like
17:07 < sipa> you're only threatening yourself
17:07 < sipa> unless you find a 51% hashpower to go along with you
04:03 < jgarzik> petertodd: You are required to file a Suspicious Activity Report (SAR) for a transaction >= $10k, anything that might be a group of transactions >= $10k, or anything that might be an attempt to evade these limits by breaking up transactions
04:04 < petertodd> Per-vendor volume requirements are strange too... what happens with your herd of bots ideas when each one is processing a tiny volume, or collaboratively processing a tiny volume?
04:04 < warren> Why are people trusting a random person on a forum for legal advice?
04:04 < petertodd> warren: It's better than the alternative of having no advice at all.
04:04 < jgarzik> petertodd: I've heard that banks err on the side of the caution, and file SARs for just about anything
04:04 < jgarzik> warren: gathering additional data != trust
04:04 < petertodd> jgarzik: DDoS attack against the regulators... although their analytics tools are probably pretty good.
04:04 < warren> petertodd: if this person is pointing at citations so you can learn more yourself, then OK.
04:05 < petertodd> jgarzik: Chaum tokens definitely evade the "group of transactions" principle, and probably anything automated does.
04:05 < jgarzik> petertodd: I imagine a truly decentralized bot network would fall outside these regulatory params
04:05 < jgarzik> petertodd: a simple one-owner IRC bot OTOH...
04:05 < petertodd> jgarzik: Yeah, at least the act of *writing* one is probably safe... running one, who knows?
04:06 < warren> jgarzik: the encrypted RAM-only bot?
04:06 < petertodd> jgarzik: Let alone your AI organism stuff...
04:07 < jgarzik> warren: thereabouts
04:08 < jgarzik> I wonder if North Carolina has any laws that would nix an escrow bot
04:09 < petertodd> What exactly do you see an escrow bot doing?
04:11 < warren> Hmm, by those regulations things like localbitcoin are pretty illegal
04:11 < petertodd> warren: Good point.
04:11 < warren> unless each person registers and follows regulations
04:11 < petertodd> Bitcoin-otc too probably
04:12 < warren> petertodd: I see nothing in there that makes virtual/virtual regulated by that agency though.
04:13 < petertodd> warren: That particular ruling no, but what others might there be? Regardless I suspect there is nothing other than inertia protecting virtual/virtual from regulation.
04:13 < warren> petertodd: yeah, especially otc, given you almost never verify someone's identity.  in-person has what the legal scholars called "self-authenticating" properties.  Like you obviously don't sell cigarettes to someone who looks too young.
04:14 < petertodd> warren: Yes and no. OTC involves either virtual/virtual, or virtual/online-real, or virtual/in-person. The former is allegedly unregulated. (for now) The latter two either give you identity by the service (PayPal for instance) or by the person-to-person contact. Legally the last of the three is probably not enough.
04:15 < petertodd> warren: Also interesting how OTC has some people doing fiat/fiat conversions via paypal and similar.
04:15 < warren> yeah, wtf?
04:15 < warren> and why are people trading with non-hard transfers?
04:15 < petertodd> Lack of alternatives.
04:16 < warren> what's the point of fiat/fiat?
04:16 < petertodd> Trust works too with well-known community members - I've had an easy time buying BTC with paypal myself.
04:16 < warren> that seems more fishy
04:17 < petertodd> Presumably the exchange rates on paypal make it make sense; haven't looked.
04:19 < warren> Graet: btw, if I make 0.01 LTC per round on ozcoin and I opt to be paid at say 5 LTC, will the payment be from the rounds I participated in (lots of dust), or is it some more optimal tx?
04:30 < jgarzik> petertodd: an escrow bot[net] would be an open source bot run by a neutral party, that holds funds until some predefined conditions are met
04:31 < petertodd> jgarzik: I guess the key issue is if the bot can spend the funds without consent of either party. (non-multisig)
04:32 < Graet> warren, it isn't split up by round,
04:32 < jgarzik> warren: It's not strictly fiat/fiat.  It's fiat-service/fiat-service.  Each fiat service has its own barriers to entry and exit.
04:32 < jgarzik> and fees
04:32 < petertodd> jgarzik: After all, there are always scriptPubKeys of the form OP_HASH <digest> OP_EQUALVERIFY {other ops} where the escrow bot is really just providing an oracle service.
04:33 < jgarzik> yep
04:33 < jgarzik> petertodd: in a component sense, I would rather have the escrow bot be a very dump transaction approval machine, that would query oracle bot(s) for the necessary information
04:33 < jgarzik> *dumb
04:34 < jgarzik> anyway, way too late here :)
04:34 < petertodd> ha, same
04:34 < petertodd> Quick q: do you have any code yet?
04:34 < petertodd> Especially for more general off-chain tx stuff...
05:56 < Diablo-D3> can I ask bitcoind to compute a transaction but not send it?
09:10 < warren> Diablo-D3: can coin control?
09:14 < Diablo-D3> I think I found what I wanted in the rpc
09:14 < Diablo-D3> https://en.bitcoin.it/wiki/Raw_Transactions
10:20 < sipa> Diablo-D3: createrawtransaction can do that
10:20 < Diablo-D3> sipa: see above url =P
10:20 < Diablo-D3> details that whole family of api
10:46  * sipa will attend the conference
18:05 < warren> "lead developer" implies he has a lot of decision making power, which makes me kind of nervous by who pays for his paycheck.  should I be concerned?
18:07 < warren> nevermind
18:23 < jgarzik> warren: ?
--- Log closed Wed Mar 20 00:00:37 2013
--- Log opened Wed Mar 20 00:00:37 2013
03:43 < warren> sipa: aside from ec and ecdsa, do we rely on anything else in openssl?
03:44 < warren> sipa: whenever you have a full openssl replacement I'll do all of my testing on your lib, but for now I'm going ahead with a stripped down openssl.
04:56 < warren> done!
06:17 < sipa> done what?
15:22 < warren> I decided to just build openssl and boost within the RPM itself, because RHEL5 users can't upgrade their system boost, I'm giving everyone a static build.
15:22 < jgarzik> warren: makes sense
15:23 < warren> It's a little extra slow to build this way. =)
15:23 < jgarzik> warren: RE "rely on openssl"...  we use sha1/sha256/ripemd160, ec, and bignum
15:23 < jgarzik> warren: the hash bits are trivial to replace
15:24 < warren> jgarzik: src/util.cpp:#include <openssl/rand.h> ?
15:24 < jgarzik> warren: that too
15:25 < warren> Maybe I should make a compat-boost package and have bitcoin static link it, so I don't have to rebuild boost every time, and users don't need to download compat-boost.
23:50 < warren> https://bitcointalk.org/index.php?topic=18313.msg1650231#msg1650231  Whoa.  wtf is going on here?
23:50 < warren> that's some hostility and serious accusation
23:51 < gmaxwell> Kano is not a nice person, this isn't news.
23:51 < warren> ok, I don't know who these people are.
23:52 < gmaxwell> He's one of the cgminer developers, but mostly con's pet troll.
23:52 < warren> con is known for his niceness too.
23:52 < gmaxwell> Right. Now imagine his less well socialized sidekick.
23:54 < jrmithdobbs> warren: what's going on there is you read butthurttalk for some reason? your own fault really ;p
23:56 < gmaxwell> If you're interested in the nonce range stuff: For a long time eligius was unique in using coinbase based payments. One side effect of this, however, was that it was more computationally costly to issue work compared to other pools.
23:57 < gmaxwell> Back when miners were slower it wasn't a crazy idea to split up the range of a nonce scan among multiple users in order to reduce that cost. Thus the nonce range support.
23:57 < gmaxwell> No one other than luke ever cared about it much, a number of larger pools just banned slower miners.
--- Log closed Thu Mar 21 00:00:09 2013
--- Log opened Thu Mar 21 00:00:09 2013
--- Day changed Thu Mar 21 2013
00:00 < jrmithdobbs> oh, just someone calling luke a process whore, that's not interesting at all ... can't believe you tricked me into clicking on that
00:00 < warren> oh.  I understand it now.  He's being accused of enabling botnets.
00:00 < jrmithdobbs> (and i remember that clusterfuck  re: nonce range and that kano guy is right, it's not in the bip ;p)
00:01 < jrmithdobbs> (but i don't know what that botnet nonsense is)
00:01 < gmaxwell> ironically, luke's been pretty aggressive at going after botnets.
00:01 < jrmithdobbs> ya, that part is out of nowhere
00:02 < warren> It would be easier if there were a decentralized batshitcrazy consensus system.  I'd be at 55%.
00:02 < gmaxwell> jrmithdobbs: the noncerange stuff is in the BIP, it's in the pooled mining half.
00:02 < jrmithdobbs> there is
00:02 < jrmithdobbs> gmaxwell: oh that's right, it got split
00:02 < gmaxwell> (arguably it should have been left out of the bitcoind pull, but it must have been missed when that stuff was split out)
00:03 < jrmithdobbs> then ya, i have NO idea what he's talking about then and hate that someone tricked me into reading something on that forum ;p
00:03 < jrmithdobbs> warren: i keel you
00:03 < gmaxwell> I don't know that anyone noticed it was there.
00:03 < gmaxwell> (probably luke included, as jeff notes it doesn't do anything)
00:03 < jrmithdobbs> ya
00:54 < jgarzik> gmaxwell: I noticed, and filed it under "harmless as implemented in bitcoind, must be needed for that crazy BIP 23 stuff"
00:55 < jgarzik> BIP 23 still makes my head spin; 180 degrees from how I would extend getblocktemplate for pools
00:56 < jgarzik> jrmithdobbs: tl;dr: kano accused luke-jr of putting botnet support into bitcoind.  I replied, because sometimes newbies believe that shit.
00:56 < jgarzik> jrmithdobbs: just a normal day on trolltalk
--- Log opened Thu Mar 21 15:17:14 2013
20:11 < HM2> sipa: how'd you get on with your fast verification work?
20:11 < HM2> did you polish out the bugs?
21:33 < sipa> HM2: added signing, refactoring the code somewhat, ...
--- Log closed Fri Mar 22 00:00:01 2013
--- Log opened Fri Mar 22 00:00:01 2013
18:37 < petertodd> https://bitcointalk.org/index.php?topic=395761.0;all
18:38 < petertodd> hilariously the scheme seems to be using OP_RETURN "CNTRPRTY<ProofOfBurn" outputs, yet the actual burn is in a non-prunable output
18:39 < petertodd> though that's not very surprising when you consider the psychology of it: a standard address for the burn lets people easily see how much has been invested, fueling additional investment...
18:41  * nsh blinks
18:42  * nsh reads harder
18:43 < nsh> nope. can you explain in more simple terms, petertodd?
18:43  * nsh looks at the thread
18:45 < petertodd> nsh: OGG CAVEMAN BURN TASTY MEAT IN FIRE BECAUSE NOG CAVEMAN SAID MUCH MORE MEAT IN FUTURE IF OGG BURN MEAT NOW
18:45 < petertodd> nsh: OGG STUPID CAVEMAN, NOG CAVEMAN HAVE NO PLAN FOR MORE MEAT
18:45 < nsh> right, i'm basically at that stage
18:45 < nsh> but the bit where it actually makes sense to someone (and how) is beyond me
18:46 < petertodd> nsh: well I'm basically saying the intelligence of the people who throw away six figures is similar to that of a caveman
18:46 < nsh> sure
18:46 < sipa> what does 'OGG' refer t?
18:46 < sipa> to?
18:47 < nsh> but pretending this guy is actually some satoshi-level genius. what are people gaining by burning these coins? stake in some future system
18:47 < nsh> but how?
18:47 < petertodd> sipa: ogg is a standard caveman name in western english culture
18:47 < petertodd> nsh: basically, by the definition of the system, much like mastercoin was done, only with (arguably) even less chance of future success
18:47 < sipa> at least it sounds less scammy, as the exodus address is an actual burn here...
18:48 < petertodd> sipa: indeed, OTOH that can also mean less chance of success, as who's paying for development?
18:48 < sipa> agree
18:48 < nsh> you'd want to be really really confident of everything working out to actually boot-strap the thing with real sacrifice from early-adopters...
18:49 < petertodd> nsh: yup, in this case actually it doesn't look like the creator of the scheme has any ill-intent, more that the investment community around it are idiots and will jump to throw money at anything
18:50 < nsh> well, i suppose you can take an ecological view: at the worst, something nontrivial will have been tried and lessons can be learnt, and those people who threw money in probably could afford it
18:51 < nsh> (and everyone who has btc gets slightly richer from the deflation)
18:52 < petertodd> nsh: quite likely true, although I'm going to let someone else pay to learn those lessons for me :P
18:52  * nsh smiles
23:15 < phantomcircuit> hmm
23:15 < phantomcircuit> cookies
23:37 < andytoshi> petertodd: can you give us a preview of the OP_RETURN based stealth addresses scheme you hinted at in your latest email?
23:52 < petertodd> andytoshi: writing it up now :)
--- Log closed Mon Jan 06 00:00:29 2014
--- Log opened Mon Jan 06 00:00:29 2014
--- Day changed Mon Jan 06 2014
00:26 < brisque> coingen.io has forged 67 new altcoins. I'm impressed.
00:32 < BlueMatt> brisque: those are just the non-hidden ones, too
00:32 < kyrio> oh yeah
00:32 < kyrio> there's an option to pay to keep it private
00:33 < jcorgan> BlueMatt: of all the ways to earn BTC with a website, coingen.io is the most subversive :)
00:33 < brisque> BlueMatt: I'm extremely impressed. you've done a good job with it.
00:33 < BlueMatt> heh, anyway...its ot for here
00:47 < brisque> almost on topic, can anybody come up with a reasonable explanation for the behaviour of blockchain.info in regards to its "peers connected" number? they seem to manage to get up to around 1500 connections before dropping them all and starting again.
00:47 < brisque> graph - http://i.imgur.com/iiJYOjo.png
00:48 < brisque> the timeframe is around 30 minutes before each big drop, so they're churning through a lot of connections.
01:19 < phantomcircuit> brisque, they don't understand what the limits of select() are so their client keeps crashing when they go past those limits
01:19 < phantomcircuit> which i personally find hilarious
01:25 < brisque> surely they'd notice the bi-hourly crashes and return the connection limit to something sane. surely.
01:25 < brisque> 72,000 reconnections a day.
01:26 < phantomcircuit> brisque, surely they have no idea what they're doing and haven't noticed
01:27 < phantomcircuit> hint, it's my thing
01:36 < brisque> phantomcircuit: really not sure what the hint means
01:36 < phantomcircuit> <phantomcircuit> brisque, surely they have no idea what they're doing and haven't noticed
01:37 < brisque> ah.
04:22 < gmaxwell> petertodd: P2SH^2 2.0:  Take H(script) as a private key in a pairing crypto group. Compute G1*private = pubkey.   scriptpubkey contains H(pubkey),sign(H(H(pubkey)||txid))
04:23 < gmaxwell> er sorry pubkey,sign(H(H(pubkey)||txid))  (because you can't do the pubkey recovery for a pairing short signature)
04:23 < gmaxwell> petertodd: so tada, data storage in txouts completely prevented. Overhead of one group element (e.g. 32 bytes)
04:24 < gmaxwell> Why not ECDSA?  because the signer's choice of K can be used to store data in the blockchain... e.g. pick a well known K, and receivers use it to recover the 'private key' (the data)
04:26 < brisque> I'm interested in what The Pirate Bay is planning to do with Bitcoin. by the sounds of their post it is almost like they intend to be storing identifiers in the blockchain, just as you're trying to prevent.
04:27 < maaku> what would be the point?
04:27 < gmaxwell> because omg bitcoin such VC money WOW
04:27 < gmaxwell> people mistake bitcoin for a jamming free network, constantly. ugh.
04:28 < brisque> have you read the article, gmaxwell?
04:28 < brisque> http://torrentfreak.com/how-the-pirate-bay-plans-to-beat-censorship-for-good-140105/
 "Site owners will be able to register their own names, which will serve as an alias for the curve25519 pub-key that will identify the site,
 registrations will be Bitcoin authenticated, on a first come first served basis. After a year the name will expire unless it
 the Pirate Bay insider notes.
04:36 < Emcy> gmaxwell youve been saying jamming network a lot recently. Brief explanation?
05:20 < brisque> just as a thought, the entire sticking point of having a SPV p2pool is that we can't prove to a SPV client that the inputs are unspent, right? we can prove that they exist at some point, but not that the block the p2pool node creates with it will be valid to the wider network (the inputs were spent elsewhere).
05:34 < maaku> Emcy: jamming-free
05:34 < maaku> meaning it is a reliable mechanism for transmitting messages that can't be forcibly censored
05:34 < maaku> (which bitcoin is not)
05:37 < gmaxwell> you can have different kinds of jamming freeness, like all or nothing channels.. If you're a >50% hashpower miner bitcoin is arguably an all or nothing jamming resistant network, but it's not to anyone else. :P
05:53 < adam3us> about XCP PhantomPhreak (one of the authors) seems to have changed from spend to fees to proof of sacrifice which they are calling proof of burn but seems to be the same thing, in reaction to someone pointing out that a miner could take their own fees (and maybe worse by the sound of it)
06:08 < nsh> yeah, seems to be a very improvised affair
06:18 < gmaxwell> adam3us: do you have a EC discrete log formulation of my above P2SH^2 2.0?
06:18 < gmaxwell> the idea is basically to have a hash function where you can prove that the value in question is a hash and not data stuffed into the same spot.
06:21 < adam3us> gmaxwell: i read it earlier, it's a subliminal channel suppression, seems a bit analogous to the wallet with observer protocol that relies on blind schnorr.  but i don't think that helps because there is no semi-trusted hw wallet in this picture.
06:22 < adam3us> gmaxwell: one thing that occurred to me is the one-use signature or limited use sig, where the extended address is H(Q,r) so r is precommitted.  then you are only allowed to make signatures with r.  maybe you could prove something about r?
06:22 < gmaxwell> I thought perhaps one of those protocols for schnorr where there is one allowable nonce per private key?
06:22 < gmaxwell> ha
06:22 < gmaxwell> But I didn't quite know how those work.
06:23 < gmaxwell> ah there is an extended address. hm.
06:23 < adam3us> gmaxwell: yes same thought... thats it above, its just to say that you choose the nonce(s) at time of address generation
06:23 < gmaxwell> oh darn.
06:23 < gmaxwell> yea, I think that wouldn't work for the namecoin application.
06:26 < adam3us> gmaxwell: i don't get the namecoin connection.  (subliminal channel free signatures would be independently nice however to stop stuffing junk in the block chain:)  btw if it's purely hash based there is a small subliminal channel in grinding the hash if there is any mutability of the serialization or value hashed.
06:27 < gmaxwell> sure, but the grinding subliminal channel isn't huge and you can reduce it further by requiring grinding normally. :)
06:27 < gmaxwell> adam3us: it's just the stop stuffing junk application, I'd fleshed that out a little more in particular to namecoin, https://en.bitcoin.it/wiki/User:Gmaxwell/namecoin_that_sucks_less
06:28 < adam3us> gmaxwell: yes.  curious thought that the wallet with observer can have 0 subliminal channel due to the blinding and yet still end up with a valid normal (ec)schnorr sig.  actually i saw Brands argue that it has 1-bit channel left: fail or not fail :)  (simulated hw wallet death)
06:30 < gmaxwell> hahaha
07:02  * nsh exercises blinking muscles
09:30 < andytoshi> gmaxwell: sorry, i'm not following your scheme: how is privkey == H(script) enforced here (or even exists(privkey) enforced)? what is txid and why doesn't it depend on its own hash?
09:35 < andytoshi> my concern is, pubkey,sign(H(H(pubkey)||txid)) gives you all of 'pubkey' as a subliminal channel
12:36 < gmaxwell> "This is why we are very glad that the SSL used on government census reports does not provide non-repudiation)"
12:38 < petertodd> yup...
18:17 < gmaxwell> petertodd: thanks for the laugh.
18:17 < gmaxwell> I am now imagining transactions that have spinning hubcaps.
19:08 < petertodd> oh, that's a good idea!
19:09 < gmaxwell> petertodd: you do realize that my covenants thread is largely intended to be a cautionary tale, right? :P
19:10 < petertodd> you've said it before that I am excellent at coming up with cringeworthy ideas...
19:12 < gmaxwell> If I knew a way to forbid perpetual covenants I would, but I'm pretty convinced it's impossible short of a freicoin route of forcibly recycling coins.
19:13 < gmaxwell> (ones of finite duration, esp one level deep, are insanely useful though, I agree)
19:16 < petertodd> yeah, even the existing scripting system is really close to allowing covenants - it just needs data access to scriptPubKeys, which a modular checksig probably would have given
19:18 < gmaxwell> Some of the script limitations were clearly intentional, though I don't know how much of the covenant like behavior was excluded.
19:20 < gmaxwell> though another point you can take from my message, I think, is that denying covenants is probably moot in the very long term. ... because SCIP is just too compelling, and I'm reasonably sure you can't escape covenants as a side effect.
19:21 < petertodd> yeah, and most of the really nice fidelity bond stuff w/ blockchain support, even without SCIP, was really covenants in disguise, albeit ones that could be special-cased
19:23 < gmaxwell> petertodd: also, wtf, I started working through code for SCIP blinding of fidelity bonds...
19:24 < gmaxwell> Bitcoin makes it FAR more computationally expensive to verify the damn things than it could.
19:24 < petertodd> how so?
19:24 < gmaxwell> The fact that you have to @#$@#$@# fetch the @#$@#$ inputs to fetch the @#$#@$@# values to compute the @#$@# fee.
19:25 < gmaxwell> especially when there could be multiple ones in multiple blocks.
19:25 < gmaxwell> (I realize you can constrain the bond shape to improve this)
19:26 < petertodd> oh, yeah that's why I told jeff to use an anyone-can-spend output
19:27 < jgarzik> I still like miner fees
19:27 < jgarzik> at bootstrap, anyone-can-spend equates to self-payment
19:27 < jgarzik> until miners automate detection and spending
19:27 < petertodd> i say we solve that problem with some bounties :)
19:28 < gmaxwell> I do too, but holy crap.  It's a multiplicative increase in sha256 operations.  This is probably actually irrelevant for most applications, but for running it under SCIP  (to turn your bond into a service specific blinded bond) it's perhaps problematic.
19:29 < petertodd> it's a good argument for doing OP_BLOCK_HEIGHT or something
19:29 < gmaxwell> meh.
19:30 < petertodd> gets you down to one tx...
19:34 < gmaxwell> *pop* (the sound of Carlton Banks's head exploding)
19:35 < petertodd> ?
19:35 < gmaxwell> SCIP-covenants thread.
19:36 < petertodd> ah
19:36 < petertodd> "Nakamotish" <- you mean "gmaxwellish"?
19:39 < gmaxwell> I do need to try to extract from Eli's group a simpler explanation for the whole thing, when I talk to people about this stuff the reaction I instantly get is that it can't be possible (they also equally reject PSPACE in IP, just as much and that's a pretty old result now). I can only explain parts of it.  And a bunch of this stuff I can kinda explain as interactive proofs but can't bridge the gap to verifier-oracle secure ...
19:39 < gmaxwell> ... non-interactive.
19:41 < petertodd> for sure, I mean, hell I only claim to kinda understand it because I believe in magic
19:41 < petertodd> I'd love to see a decent visualization of it
--- Log closed Wed Aug 21 00:00:27 2013
--- Log opened Wed Aug 21 00:00:27 2013
--- Log closed Thu Aug 22 00:00:30 2013
--- Log opened Thu Aug 22 00:00:30 2013
--- Log closed Fri Aug 23 00:00:33 2013
--- Log opened Fri Aug 23 00:00:33 2013
00:01 < gmaxwell> petertodd: has anyone written about using 'micro'payment channels to enable interservice instant confirmation? I was arguing with phantomcircuit earlier and came up with a protocol.
00:02 < gmaxwell> E.g. say inputs.io and mtgox are mutually distrusting but would like to enable off-chain instant payments between their services. Also assume they've solved the problem of figuring out whose addresses are whose.
00:03 < gmaxwell> Each of them puts up an escrow of bitcoin. Multisigned by both of them with a precomputed nlocktimed refund transaction.
00:03 < gmaxwell> Then they do micropayment-channels against the escrowed funds as transactions happen.
00:04 < gmaxwell> when the escrow(s) are used up they just make a joint transaction resetting them to their current balance and commit it to the blockchain.
00:05 < gmaxwell> by doing this the most their risk is just that the other party vanishes and they have to wait till the timeout to get their escrow back.
00:06 < gmaxwell> it also means they need to lockup their daily transfer amount between the parties, but, meh. I imagine that the vast majority of transactions are small.. and you just don't allow large transactions that would use up too much of the escrow to be instant.
00:08 < gmaxwell> perhaps some protocol modification like where the payments just move money from one escrow to another could make it so the escrows had to only cover the imbalance, but I'm not sure.
01:38 < petertodd> gmaxwell: surely someone has? seems so obvious, but maybe not
01:39 < gmaxwell> that's why I'm asking here rather than just posting on it.
01:39 < gmaxwell> I'll try asking mike, I guess.
01:39 < petertodd> yeah, give it a go
07:15 < Luke-Jr> gmaxwell: I *thought* the payment protocol did that :/
--- Log closed Sat Aug 24 00:00:36 2013
--- Log opened Sat Aug 24 00:00:36 2013
19:48 < gmaxwell> oh.. forum, you amuse me so.
19:49 < gmaxwell> "These are computer scientists with the desire, knowledge and expertise to create bitcoin. [...] They have access and knowledge of LaTeX [...] LaTeX was used to publish the bitcoin white paper"
19:49 < gmaxwell> Access and knowledge of LaTeX!
19:49 < Luke-Jr> lololol
19:49  * gmaxwell imagines that in court. ... "BUT! you had knowledge of LaTeX! didn't you!?!"
19:50 < gmaxwell> of course, you'd have to be absent of knowledge of LaTeX to think the bitcoin whitepaper was typeset in it.
19:51 < Luke-Jr> I am absent knowledge of LaTeX!
19:54 < gmaxwell> it's just a full openoffice document. There are a bunch of indicators. Including the fact that not every third line is hyphenated. (TeX is way too jumpy with the hyphens, unless you go and modify the weights in the justification search)
21:32 < gmaxwell> Anyone see a merkle signature scheme where a CSPRNG with a matching tree structure was used to generate the private keys instead of a straight random access CSPRNG?
21:32 < midnightmagic> gmaxwell: do you get the feeling it's "over" for the bitcoin devs? There's a half-mil in funding, that's like..   ten guys for a year man!
21:32 < gmaxwell> midnightmagic: hah.
21:33 < midnightmagic> TEN GUYS IS MORE THAN ..  uh..  SEVEN!
21:34 < gmaxwell> The reason I ask about tree structured CSPRNG, consider how you can compress a lamport signature when there is a dyadic partitioning with all 0's or all 1s... you can avoid revealing the individual 1s or 0s preimage and just reveal a hash branch up. But you still have to reveal the individual private keys.
21:34 < gmaxwell> But if the private keys are tree structured, you could instead reveal a private key root to reveal all the child private keys.
21:35 < gmaxwell> this doubles the compression that prior compression scheme gives.
21:36 < gmaxwell> midnightmagic: did you see the thread, "oh that was just a placeholder" ... sheesh.
21:36 < gmaxwell> So much for opensourcing their code... who's going to bother auditing it if their response is to claim that every flaw is a placeholder.
21:38 < gmaxwell> midnightmagic: They say that the effectiveness of competent software developers has a range over more than 10:1. (e.g. you have some guys who are 10x more valuable than some others).
21:38 < gmaxwell> I can only imagine that the range of people working on this stuff is greater.
21:39 < gmaxwell> I am not the smartest, or most productive man.  ... But I turned their POW into quivering jelly with little more than a glance. I'd hate to see what someone really good at this stuff would do to their codebase (er, or bitcoinds... !)
22:11 < amiller> gmaxwell, yeah that kind of hash signature is worked on
22:11 < amiller> there's this confusing paper http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.45.6964&rep=rep1&type=pdf Optimal Tree-based One-time Digital Signatures Schemes
22:43 < gmaxwell> hahah. see, this is why I don't publish anything in this space. It's a simple idea, and not hard to work out the expected sizes, I couldn't bring myself to obfuscate it so much.
22:55 < gmaxwell> amiller: know of anyone writing on tree signature schemes where the prior distribution of number of items signed is not uniform?  E.g. few-time use is more likely, so you construct an unbalanced tree so that the public keys are shorter if you only sign a few times? :)
22:57 < amiller> hm, actually no i've not heard of that
22:57 < amiller> cool idea
22:58 < amiller> i know someone trying to work on a stateless multi-signature one
22:59 < gmaxwell> yea, for bitcoin we'd want a tree with probabilities like 0.5 {0.5 {{}{}}} or something. super cheap for one time use, still cheap for two time use, and then uniform probability (log n()) after that. But whatever, the shape of the tree is the huffman coding problem, so any dyadic probabilities you can express can get a tree.
--- Log closed Sun Aug 25 00:00:38 2013
--- Log opened Sun Aug 25 00:00:38 2013
--- Log closed Mon Aug 26 00:00:41 2013
--- Log opened Mon Aug 26 00:00:41 2013
15:00 < maaku> the history of bitcoin is that making sane, conservative, paternalistic choices in the operation of the reference wallet(s) sufficiently influences the community to keep all but the most determined people from shooting themselves in the foot
15:01 < maaku> but on the whole there are some definite advantages, such as the p2p lending case which was an outstanding unsolved problem
15:01 < maaku> and it has the advantage of the covenant rules being unchangeable / unbreakable. our existing KYC system for example gave the authorizer the ability to vet transactions involving their assets using whatever metric they want at the moment whereas covenants require them to commit to rules upfront.
15:01 < maaku> that's a definite improvement from the user's perspective.
15:02 < maaku> jtimon: you can save significant block chain space, as well as avoid many difficulties with demurrage / interest if you have explicit assets at the protocol level, in which case it also makes pragmatic sense to have token-based issuers
15:02 < maaku> you could do away with token-based authorizers, although adding them would only be a couple of lines of code at this point. they have somewhat different properties
15:02 < maaku> adam3us gmaxwell: please correct me if i'm wrong, but I think greg's opinion is that permanent covenants attached to a non-demurrage host currency is a Bad Idea. I concur. But make the covenants temporary, the coins themselves perishable, or applied to user issued assets (not colored coins but separately issued assets a la freimarkets), and it is a different story IMHO.
15:02 < maaku> justanotheruser1: yes, PoS is an extremely valuable tool. Just not for consensus. People see "proof of X" and assume they substitute for each other. In fact they are entirely different tools with entirely different uses.
15:02 < justanotheruser1> maaku: what?
15:03 < justanotheruser1> Where was I talking about PoS
15:04 < maaku> [08:16:06] <justanotheruser> Do you think PoS could ever work in a currency?
15:08 < andytoshi> michagogo|cloud: i think it's working, now i ship a certfile (which i got from mozilla) along with libcurl DLLs that i built myself
15:08 < andytoshi> http://download.wpsoftware.net/bitcoin/cj-windows.zip
15:08 < jtimon> yes, maaku, we wouldn't remove the tagged assets with defined interest/demurrage
15:09 < jtimon> I'm thinking we might be able to replace validation scripts, though I would like to check that case by case
15:11 < maaku> what for offers and stuff? I don't know, maybe
15:11 < maaku> it'd be a little convoluted
15:11 < maaku> /offers/options/
15:11 < maaku> the delegation opcode is pretty elegant
15:12 < jtimon> well, we use them in most of our examples
15:12 < maaku> you could move the relevant coins into an output with a covenant attached governing their next use in the option or whatever
15:12 < maaku> obviously that would work
15:12 < jtimon> I was thinking about using the same opcodes somewhere else, but I haven't thought about it deeply enough
15:12 < maaku> but I don't think it's a very natural, succinct, or satisfying situation
15:14 < maaku> i think there are many use cases where the conditions are most naturally applied to the transaction itself
15:14 < maaku> e.g. you are saying "I commit these coins to this particular transaction, but only so long as these additional constraints are met"
15:14 < adam3us> maaku: covenants do allow some things that are currently painful  think for example things involving hashlock could be made trivial.  but i think the more dangerous things are viral covenants that can apply to all further respends indefinitely
15:15 < jtimon> yeah, as said I haven't tried yet, I was just thinking about what could be replaced and what not
15:15 < jtimon> "viral covenants that can apply to all further respends indefinitely" I thought that was the definition of a covenant
15:15 < adam3us> gmaxwell: btw i asked djb and cfrg some questions about ed25519, will see if we get some clarity.
15:16 < maaku> jtimon: we can probably shuffle stuff around, if we start over assuming a more powerful scripting language
15:16 < andytoshi> adam3us: thx much
15:16 < maaku> but i wouldn't get rid of tx-level validation scripts
15:17 < maaku> adam3us: isn't there an rfc process going on? you might want to forward comments to those relevant mailing lists as well
15:17 < gmaxwell> for something like a colored coin, it would be a viral covenant
 but one that would let you remove it if you ask nicely. It wouldn't allow you to _add_ it except under the right conditions.
15:18 < adam3us> jtimon: i am not sure.  i thought of something related, then found it described in freimarket, and finally read gmaxwell covenant thread.  maybe i am describing quinine vs covenant, in any case terminology aside a small group of transactions that restrict the next transaction is useful, but recursive ongoing or language constructs that allow that by implication are I think existentially dangerous
15:18 < maaku> adam3us: covenants also allow you to do things which you can't currently do, at all (like restricted buy back)
15:19 < gmaxwell> and yeah my covenants thread was intended to point out the existential danger, and also show how easy any sufficiently powerful script can achieve that danger.
15:19 < maaku> that's a very serious pro against a very hypothetical con
15:19 < jtimon> adam3us: not english but I thought: quine = reproduction of code, covenant = viral perpetual quine
15:19 < adam3us> gmaxwell, maaku: yes some kind of language restricted limitation on the power of covenants would be a min-bar for safety i think
15:19 < gmaxwell> adam3us: it seems really hard to achieve that.
15:19 < adam3us> gmaxwell: precisely.  i think ethereum is creating unlimited danger as there are no restrictions and it is intentionally as general as possible
15:20 < gmaxwell> (achieve that while also permitting the good use)
15:20 < adam3us> gmaxwell:  right, hence don't do that please :)  aka i think satoshi as a guess figured out this risk hence the non-extrospection and so non-virality
15:20 < maaku> i think (for reasons obvious in gmaxwell's thread) that the default position should be that if a script cannot be *proven* to come with no strings attached, then it should destroy fungibility and not be treated as bitcoins by the clients
15:20 < maaku> relegated to the equivalent of a spam wallet
15:21 < gmaxwell> adam3us: one thing they may have done right by accident in ethereum is that they seem to have confined the fancy behavior to agents,... which can own coins. It's just a conceptual difference but perhaps a useful one.
15:21 < maaku> we can then experiment and slowly add functionality to allow users to enable certain covenants, pattern matched or detected by theorem proving
15:21 < adam3us> gmaxwell: see i too, once i finally caught up a bit with the aggregate bitcoin brainstormings, thought hmm extrospection/limits on outputs, ooh you could do lots of things with that. and then realized similarly to your covenants thread that this would be a singularly dangerous thing to do, and hence script probably looks the way it does for a reason
15:22 < jtimon> adam3us what do you think about maaku's suggestion of killing fungibility in the clients?
15:22 < gmaxwell> well if you admit theorem proving then you can test for non-virality. But not if the script is turing complete, I suspect.
15:23 < jtimon> gmaxwell: I think the validators maaku has in mind would answer a) It is not a covenant b) I don't know
15:24 < adam3us> jtimon: but that is just a client restriction, not a language, nor protocol restriction.  it's better than nothing as defaults carry weight i guess. but only to that extent.  seems like playing with fire and surely there must be other ways to make conveniently composable sub transactions
15:25 < gmaxwell> lol, post on liberation-tech:
15:25 < gmaxwell> As one anecdote, when I TAed the MIT Network and Computer security
15:25 < gmaxwell> course, we assigned "Why Johnny Can't Encrypt" as the first reading.
15:25 < gmaxwell> We asked the students to send us a PGP encrypted & signed message and
15:25 < gmaxwell> tell us how long it took.
15:25 < gmaxwell> If I recall correctly, it took an average of 30 minutes for
15:25 < adam3us> maaku: ie isn't there something one could do to make hashlock convenient, or part of an explicit transaction group, or something that doesn't involve increasing the language power
15:25 < jtimon> adam3us isn't your "all exchanges will port to kycCoin" concern eliminated?
15:25 < gmaxwell> non-existing users to figure out how to use PGP. Think about that.
15:25 < gmaxwell> These were graduate & upperclass undergraduate computer science
15:25 < gmaxwell> students enrolled in a network security course. Everyone had accounts
15:25 < gmaxwell> on the same university system and were mostly using standalone email
15:25 < gmaxwell> clients.
15:25 < gmaxwell> Best of all, someone decided it would be funny to generate a fake key
15:25 < gmaxwell> for me and post it to pgp.mit.edu. Several students fell for the
15:25 < gmaxwell> trick, didn't verify the key, and encrypted their homework with the
15:25 < gmaxwell> wrong key.
15:25 < maaku> gmaxwell: sure you can, an inconclusive result is assumed to be worst-case
15:26 < jtimon> adam3us: the point of all this is precisely to increase the language power
15:26 < adam3us> jtimon: amlcoin via virality risk reduced not eliminated
15:26 < gmaxwell> maaku: ugh, okay I suppose. But you're going to be inconclusive an awful lot of the time.
15:26 < adam3us> jtimon: well the point should be to allow contracts to be conveniently expressible  language power = danger also.
15:27 < maaku> over all of program space? sure. but that just means you restrict actual scripts used in the wild to those which are provable
15:29 < jtimon> gmaxwell do you share adam3us concerns on all btc becoming amlcoins without the dumb users noticing?
23:28 < amiller> okay so i think i figured out the implication of all my prospect theory crap.
23:28 < amiller> it relates to allowing people to choose their own difficulty
23:29 < amiller> ah this is going to be too complicated to finish
23:31 < amiller> nevermind
23:37  * Luke-Jr wonders if sharing a private key between secp256k1 and Ed25519 would expose it
--- Log closed Wed Oct 30 00:00:21 2013
--- Log opened Wed Oct 30 00:00:21 2013
01:56 < gmaxwell> I went to the Silicon Valley Bitcoin Users meetup today. It was interesting.
01:57 < gmaxwell> amiller: I wouldn't say that it's strictly superior to coinjoin, as it requires four transactions in total, so it's not as good for casual usage. And it cannot be completely blind like coinjoin.
01:58 < gmaxwell> However if 2 of 2 wallets became popular the transactions would be highly inconspicuous.
01:58 < gmaxwell> the anonymity set could be much larger than coinjoin.
01:59 < gmaxwell> Also petertodd deserves some credit too, my initial protocol was bugged, and he fixed it and the fix made it vastly better (e.g. made the transactions indistinguishable).
02:00 < gmaxwell> amiller: I think you're a little overly pessimistic with coinjoin and DOS, but yea, tolerating dos is a major potential source of complexity.
02:01 < gmaxwell> And sure, I love all manner of ZKP. But well, fuck coding. Real cypherpunks transact. All the pretty protocols in the world are nothing but angels dancing on the head of a pin if no one uses them.
02:02 < Luke-Jr> gmaxwell: interesting how? :p
02:03 < gmaxwell> lots of people. uh.. maybe 30?  All nice and excited about bitcoin, and basically all of them would make the least sophisticated users that show up in IRC seem like technical geniuses.
02:03 < Luke-Jr> lol
02:04 < Luke-Jr> did any of them recognise you or your name? :p
02:04 < gmaxwell> there was some debate about what a hash tree was between some of the more technical people there, and one thought to ask me to explain it, and I spent 10 minutes on the subject and blew their mind.
02:05 < Luke-Jr> rofl
02:05 < gmaxwell> No. Well, I was kinda keeping a low profile. So more might have if I'd talked to more.
02:06 < gmaxwell> There was someone presenting on their site where people can play board games against each other for btc, looks pretty neat. during his presentation someone asked how he was processing payments, coinbase API and he made some offhand comment about how he keeps his coins in a dozen online wallets because you never know which one is going to get hacked or shut down next, and the room is nodding.
02:07 < gmaxwell> He demoed the site by logging into his coinbase account to transfer some coins into it ... everyone in the room is seeing their username and the length of their password... and the $40k in bitcoin in their account.
02:08 < Luke-Jr> >_<
02:08 < Luke-Jr> sounds like a.. profitable.. group
02:08 < pigeons> what's his mother's maiden name?
02:08 < gmaxwell> in any case, they all seemed nice, even intelligent folks, but really clueless from my perspective. A lot of them inhabit a very different bitcoin world than I do.
02:09 < Luke-Jr> wait, he knew how to run a site?
02:09 < Luke-Jr> omg, what if these kind of people run some of the exchanges?
02:09 < gmaxwell> I was thinking it would be fun to give some presentations, they have a fantastic meeting space, but after meeting the people there, I'm unsure where to find the greatest overlap between my interests and their interests.
02:10 < gmaxwell> Luke-Jr: primarily a business person, hired coders in like serbia apparently. He extolled the virtues of offshore coders. :)
02:10 < pigeons> Luke-Jr: http://coinjar.io/about "Ryan is a veteran entrepreneur and Bitcoin guru. Technically and commercially adept, he's founded several successful startups and remains a prominent figure in the Bitcoin community. "
02:11 < Luke-Jr> gmaxwell: somehow that didn't make me feel any better
02:11 < Luke-Jr> pigeons: "He [Asher] also brings lunch for the CoinJar team." <-- at least he does something
02:12 < pigeons> heh
02:12 < Luke-Jr> is that the exchange Gavin said he uses? <.<
02:12 < pigeons> yes
02:13 < gmaxwell> before going I thought if they asked me to talk about something I might talk about the transaction teleportation (Which jcorgan suggests calling CoinSwap) stuff, since it's fresh on my mind, but like.. I think I'd have to spend an hour on bitcoin 101 before I could explain anything more than "coin starts here, ends up there, you can't explain that." :)
02:13 < gmaxwell> (I think they'd be interested in more technical things, but for many of them there appeared to be a big knowledge gap)
02:14 < gmaxwell> And well, I guess that's victory that you don't have to be a cryptographic protocol guru to build a bitcoin business.
02:15 < Luke-Jr> that'd be victory if he had a security expert on his staff who didn't let him touch the wallets..
02:17 < Luke-Jr> (suddenly I understand what bankers' real job is..)
02:32 < petertodd> gmaxwell: we've created a monster
02:33 < petertodd> gmaxwell: yeah, I'm fairly active in the toronto bitcoin community, and I always get the impression I've got at least an order of magnitude more clue than anyone else :(
02:33  * Luke-Jr blames petertodd
02:33 < maaku> gmaxwell: was this the hacker dojo group?
02:34 < petertodd> Luke-Jr: heh, if you want to give me all the credit go ahead :P
02:34 < Luke-Jr> petertodd: so you admit to being Satoshi?
02:35 < petertodd> Luke-Jr: yup, and jdillon, and gavin. (the latter because a good actor has versatility)
02:44 < gmaxwell> petertodd: I'm still editing but: https://bitcointalk.org/index.php?topic=321228.new#new
02:51 < petertodd> make sure you mention how in an actual implementation Alice can also play the role of Carol; specifically how a p2p network doing this would have people play either role depending on what is convenient
02:57 < gmaxwell> jcorgan had initially suggested eliminating bob and making it just alice and carol and alice prime.
02:57 < gmaxwell> But I think it's still easier to follow imagining it as three parties.
02:58 < petertodd> I explained it to two of my coworkers yesterday, and they got hung up on Bob as well
02:58 < gmaxwell> Another way to represent it is as four. e.g. Alice, Carol, Carol', and Alice'
02:58 < petertodd> Alice, Carol, Carmen and Amy
02:59 < petertodd> ...shit, I've dated all those girls
02:59 < petertodd> Heck, I'd leave Bob in the protocol, but have Bob be a passive recipient only.
03:00 < gmaxwell> Yea, well a version could be drawn with Alice Carol, Carol', Alice', Bob
03:00 < petertodd> right, well, Bob and Dave
03:00 < gmaxwell> so a month or so ago someone was on IRC I think proposing a protocol like this, but without the hashlock so it was totally holdup vulnerable.. e.g. just 2 of 2 escrows.
03:00 < gmaxwell> I ought to credit that person but I can't remember who it was.
03:01 < petertodd> yeah, I think that's come up a few times. Heck, I probably mentioned it at some point in relation to fidelity bonds.
03:11 < petertodd> gmaxwell: CoinSwap is more efficient than four transactions per swap: if the software lets you either play the role of Alice or Carol two simultaneous payments from Alice and Amy to Bob and Bryan take four transactions.
03:12 < gmaxwell> petertodd: well not if alice has to play the role of Bob in order to make your implementation easy and avoid having to coordinate three people.
03:12 < petertodd> gmaxwell: no, even in that case it's fine, because the transactions moving coins from the escrow simply move them to Bob and Bryan
03:13 < petertodd> (for instance five transactions is never required)
03:15 < gmaxwell> K, fair point.
03:22 < petertodd> oh nice: with replace-by-fee we can make CoinSwap be as efficient as a regular transaction: Alice and Amy want to pay Bob and Bryan respectively, so they first jointly author tx0 which sends their coins partially to fees, partially to an unspendable address. Both parties don't want tx0 to be broadcast. Then they author tx1 and tx2, paying Bryan with Alice's coins, and Bob with Amy's. If either party cheats, broadcast tx0.
03:22 < gmaxwell> there is still a chance that the cheat is successful
03:23 < gmaxwell> CoinSwapOfFaith.
03:23 < petertodd> Yes, a chance, for instance if tx1 and tx2 don't get mined at the same time, but you can probably reduce that chance to the point where a fidelity bond can cover it.
03:24 < gmaxwell> petertodd: speaking of bonds, someone is talking about doing something mintchip like with bitcoin private keys.
03:24 < petertodd> I think I'm going to call this new protocol DangerSwap
03:24 < gmaxwell> ohhh. :P
03:24 < petertodd> oh yeah?
03:24 < gmaxwell> ChickenSwap.
03:25 < petertodd> haha, ChickenSwap is good. Or NashSwap
03:25 < gmaxwell> petertodd: it's like a Casascius coin but implemented via something like mintchip.
03:26 < gmaxwell> https://bitcointalk.org/index.php?topic=321085.0
03:26 < gmaxwell> petertodd: NashSquareDance.
03:27 < petertodd> gmaxwell: the latter is wonderfully misleading with its politeness
03:27 < petertodd> gmaxwell: The Great Canadian Coin Swap
03:28 < petertodd> "Armed with cryptographic proof of any fraud, we can force the participants to apologise."
03:31 < gmaxwell> hahahaha
03:34 < Luke-Jr> lol
03:37 < petertodd> Announce/commit sacrifices: The better way to say "Sorry!"
03:39 < Luke-Jr> someone in #bitcoin-otc claims Coinabul is being investigated by the FTC? :o
03:39 < petertodd> ?!
03:41 < Luke-Jr> [07:33:57] <diakin564> FYI - BBB and FTC reports now launched on scam site Coinabul
03:41 < Luke-Jr> [07:34:05] <diakin564> and started FBI investigation
03:41 < petertodd> what scams are they accused of?
03:43 < Luke-Jr> a bit ago, I read bitcointroll threads claiming the (p.m.) coins were "lost" in the mail and coingenuity saying his insurance refused to cover it or something
03:43 < Luke-Jr> dunno much about it
03:51 < gmaxwell> that thread is boring and bogus.
23:46 < jorash> Latest outside analysis of our approach, from lead of the Quantum Information Science Group, MITRE CORP, Princeton: "I follow the logic of your claim but am not familiar enough with the papers you reference to properly say whether or not I agree. However, I do understand your interest in applying QEC only once and I think that my work has something to contribute in that respect. "
23:47 < jorash> QEC = Quantum error correction
--- Log closed Sun Sep 01 00:00:57 2013
--- Log opened Sun Sep 01 00:00:58 2013
00:52 < amiller> gmaxwell, why ban him?
00:54 < gmaxwell> because he's been going on and on forever in all the other bitcoin channels begging for money.
00:55 < gmaxwell> amiller: if you want to debate him, I'll invite him back. :P that would be fun.
00:55 < amiller> i missed the part where he's begging for money
00:57 < amiller> anyway i think of this channel as less regulated than -dev
00:57 < gmaxwell> yea, I just didn't want me (or anyone else) to lose another two hours debating with him.
01:01 < amiller> meh, don't ban him for that, just tell him he sucks
01:05 < gmaxwell> (weird, didn't work the first time)
01:11 < Luke-Jr> gmaxwell: too late XD
01:12 < Luke-Jr> gmaxwell: ever hear of Gross-Pitaevskii?
01:12 < Luke-Jr> that's what he's claiming breaks SHA-2 entirely
01:14 < gmaxwell> as I said, dude's a net kook. He's not only arguing that he can do quantum computation on a classical computer, but something more powerful than quantum computation. (If only you'll pay him 5 million dollars to hire the researchers to make it work)
01:15 < amiller> he must have adapted to just probe the room with buzzwords before making it clear he's asking for money
01:15 < amiller> i can't find the panhandling in my scrollbacks
01:16 < gmaxwell> I wasted about two hours on him in #bitcoin and, before I realized that he didn't think _he_ could do that but was just a "business guy", I even offered to pay someone a subsistence living (but not zillions of dollars) to work on BQP in P if he thought he could make concrete progress on it. But he doesn't want ramen, he wants rolex. :P
01:17 < Luke-Jr> he "only" wants 2000 BTC :P
01:18 < Luke-Jr> tempted to email these people on his R&D team and get their perspective
01:19 < gmaxwell> oh, he told me 50k btc.
01:19 < Luke-Jr> cute
01:19 < Luke-Jr> did he send you a budget plan too?
01:20 < gmaxwell> Luke-Jr: no!
01:20 < amiller> ah i found it, here's the grep jorash scrollback from #bitcoin https://gist.github.com/amiller/e6ecfd166a19c6fcecf2
01:20 < amiller> <jorash>	the only thing we disprove is the *hubris* of scientific *assumption*
01:21 < amiller> that's a good business plan tagline :o
01:21 < amiller> <jorash>	*excuse me, human assupmtion!
01:26 < amiller> so i've been working on this problem that's a really stylized version of bitcoin consensus
01:26 < amiller> it's meant not to resemble bitcoin closely but to resemble the standard distributed systems models as closely as possible, with the only difference being the lack of PKI assumption
01:27 < amiller> where in every standard setup there's n parties and they all know each other's names and can set up secure channels trivially
01:28 < amiller> rather than consensus, i'm basically saying that the problem is to build a PKI from scratch by agreeing on a set of public keys to be included
01:29 < amiller> to make it as simple as possible just for the first go at this, i'm using pretty strong/unrealistic assumptions, like that there are exactly n players and everyone knows that
01:29 < amiller> also each player has exactly the same hashpower
01:29 < amiller> and no communication latency
01:30 < amiller> and that a puzzle of difficulty d takes *exactly* d units of time to solve for one party and costs nothing at all to verify
01:32 < amiller> i *think* that given all this, there should be a simple deterministic algorithm that does this, but i haven't been able to work it out
01:33 < amiller> then like the realistic versions that are randomized and more efficient would resemble bitcoin more
01:35 < amiller> so this is just a curiosity but it would help me make my argument that the real reason bitcoin is novel / caught everyone by surprise is that almost everything else assumes a PKI, not assuming a PKI is important but really difficult, and adding computational power assumptions is a suitable substitute
01:35 < amiller> i'm frustrated because i've tried to work this out for over a week and haven't gotten it :(
02:07 < gmaxwell> so.. N players, each has a marble factory that produces marbles at exactly 1 marble per second. The marbles can have things written on them, so they write their public key on them.
02:08 < gmaxwell> After X units of time, where X is some number which is large with respect to both n and the respective jitters of your clock, you expect to have ~X/n marbles from each player. For those you do, you've learned their pubkeys.
02:09 < gmaxwell> I don't think you can ever learn a cheating player's pubkey, but he can't fake it under your assumptions, I think.
02:42 < amiller> the problem is you might see ~X/n from the attacker, but someone else might see fewer
02:43 < amiller> basically the attacker gets to selectively pass his messages to some nodes but not others
02:44 < gmaxwell> oh, I see, his marbles might not be uniformly distributed to other players.
02:44 < amiller> i have a procedure that i think works but i haven't been able to explain why clearly
02:45 < amiller> basically you want to make sure that the attacker hasn't just produced enough signatures, but that he's gotten his signatures included in everyone else's signatures too
02:47 < gmaxwell> I can sort of wave my arms and start making an argument that if the honest clique is larger and they recursively include the marbles they've seen in their marbles (analogy fail) then the honest clique will be able to correctly assign keys.
02:47 < amiller> yeah that's about where i'm at
23:04 < gmaxwell> Anyone see anything stupid in this simple idea for oracle enabled instant transactions: http://0bin.net/paste/JCtxYmKrRXfGE6jw#M2b+70sG971rHdEmDKIDgz2PT/zlgSDa8zCTLHE1xbM=
23:07 < jgarzik> gmaxwell, identity key?  sounds like it would work great with https://en.bitcoin.it/wiki/Identity_protocol_v1	;p
23:07 < gmaxwell> jgarzik: yup. I'd expect the oracle itself to be bonded.. and anyone could show that an oracle screwed up just by showing people a bogus extra signature.
23:08 < jgarzik> gmaxwell, BTW the SIN record was recently specified, and looks suspiciously like the merkle pattern employed by CBlock
23:08 < gmaxwell> Main ideas there are (1) precomputed refunds so you're never stuck if the oracle dies,  and (2) oracle doesn't need to understand or parse bitcoin transactions.. just a few lines of calls to ecc functions.
23:09  * jgarzik always thought about being N semi-trusted oracles
23:09 < jgarzik> then if one dies, no problem
23:10 < gmaxwell> Yea, you could do that too, but in this case, you don't even need it: before you pay into your escrow you've already computed your refund. The cost is the oracle will need about 512 bits of storage per user for the life of each short term key.
23:11 < jgarzik> gmaxwell, this scheme seems sane at first glance
23:11 < gmaxwell> Alternatively instead of the oracle remembering the first signing, you could reduce the oracle's storage to more like 256 bits (for anti-replay) if you made it parse transactions and be willing to sign unlimited transactions with nlocktimes past the expiration date.
23:11  * jgarzik finished reading
23:11 < gmaxwell> But I thought making the oracle see and parse transactions was kinda lame.
23:12 < jgarzik> nah, great anti-velocity measure
23:15 < amiller> is there anything this oracle is supposed to do that couldn't be built into the blockchain?
23:16 < amiller> i guess it's just like a green address
23:17 < gmaxwell> amiller: it's a "green address" anyone can have. Also: unlike a stupid green address it doesn't deanonymize your usage. (the key it signs with looks random to people who aren't party to the transaction)
23:17 < gmaxwell> (the oracle could tell it signed though, but presumably you contact the oracle anonymously)
23:18 < gmaxwell> you can do this same protocol using the counterparty of your transaction as your "oracle", but that only works if you know who you might be paying in advance.
23:19 < gmaxwell> this lets you lock up some spending money to be controlled with the help of some signer who is trusted to not replay, and thus pay instantly... but never transfering the funds to someone who could lose or steal them.
23:19 < amiller> i don't see why we don't just call the oracle a trusted or semitrusted third party
23:19 < amiller> since that's what it is
23:19 < amiller> but yeah that makes sense
23:20 < amiller> this is basically similar to an escrow transaction but for the purpose of immediate confirmation if the third party is trusted
23:21 < gmaxwell> amiller: sure, that's what they are. There are engineering considerations that are being incorporated in this, e.g. I think that oracle can be <1kloc in straight C (except for the ecc signing code)
23:21 < gmaxwell> amiller: the precomputed refunds are somewhat special to the "immediate confirmation" case.
23:21 < gmaxwell> As they remove escrow risk, but don't break 'immediate confirmation' so long as they're far enough out in the future.
23:22 < amiller> i like that actually
23:23 < gmaxwell> that the oracle could only tell who he was signing for at most after it was all over also may reduce the motivation to try to censor the third party.
23:24 < gmaxwell> (and the small code size makes it easier to be confident that it's secure, and easier to run it in special remote-attest hardware)
23:25 < gmaxwell> (the remote attest hardware also protecting privacy, you could make it so the remote-attest has to be violated for the oracle operator to learn which transactions were the oracle's)
11:16 < brisque> oh yes, intentionally destroyed
11:19 < michagogo|cloud> Just for fun, I'm trying to create a pool for it
11:19 < brisque> not much point though, any share for a given client will also be a block
11:20 < brisque> I suppose you're close to a difficulty adjustment now anyway, which solves that issue
12:08 < pigeons> andytoshi: are you still doing daily coinjoins? about what time? maybe the web page could note that?
12:36 < adam3us> want to think more about incentives & 51% security of secure 1:1 peg mechanism
12:37 < adam3us> seems like it would be a very interesting and useful feature, but can it be incentive and 51% secure, and can it go beyond SPV security?
12:48 < andytoshi> pigeons: not regularly (yet)
12:48 < andytoshi> i'll set up an IRC bot to show up on #bitcoin and remind people a few times a day
12:53 < andytoshi> also, for those wondering about the "poetry" gmaxwell said exists in solidcoin 2, you can download the source from solidcoin.info on the wayback machine, the commentary starts at util.cpp:1618
12:54 < gmaxwell> Did I describe it accurately?
13:13 < andytoshi> you undersold it, i think
13:14 < andytoshi> one moment, i'll post it here, i guess it's public in some sense anyway
13:14 < andytoshi>     static unsigned char SomeArrogantText1[]="Back when I was born the world was different. As a kid I could run around the streets, build things in the forest, go to the beach and generally live a care free life. Sure I had video games and played them a fair amount but they didn't get in the way of living an adventurous life. The games back then were different too. They didn't require 40 hours of
13:14 < andytoshi> your life to finish. Oh the good old days, will you ever come back?";
13:14 < andytoshi>     static unsigned char SomeArrogantText2[]="Why do most humans not understand their shortcomings? The funny thing with the human brain is it makes everyone arrogant at their core. Sure some may fight it more than others but in every brain there is something telling them, HEY YOU ARE THE MOST IMPORTANT PERSON IN THE WORLD. THE CENTER OF THE UNIVERSE. But we can't all be that, can we? Well perhaps we
13:14 < andytoshi> can, introducing GODria, take 2 pills of this daily and you can be like RealSolid, lord of the universe.";
13:14 < andytoshi>     static unsigned char SomeArrogantText3[]="What's up with kids like artforz that think it's good to attack other's work? He spent a year in the bitcoin scene riding on the fact he took some other guys SHA256 opencl code and made a miner out of it. Bravo artforz, meanwhile all the false praise goes to his head and he thinks he actually is a programmer. Real programmers innovate and create new work,
13:14 < andytoshi> they win through being better coders with better ideas. You're not real artforz, and I hear you like furries? What's up with that? You shouldn't go on IRC when you're drunk, people remember the weird stuff.";
14:24 < gmaxwell> petertodd: https://eprint.iacr.org/2013/155.pdf  I thought you might like the unusually clear explanation of how LEGO garbled circuits achieves high security with modest amounts of cut and choose.
14:41 < sipa> ;;later tell BlueMatt you have a typo on coingen: eactly
14:41 < gribble> The operation succeeded.
16:18 < gmaxwell> petertodd: that paper also suggests to me a simple protocol for non-interactive zero-knowledge proofs of execution which is based entirely on symmetric cryptography and which I could explain to a layman.  Though it's not succinct, the proofs would scale with n^2 in the number of gates in the circuit.
16:20 < tholenst> may I ask: what paper is that?
16:20 < tholenst> (i was late ^^)
16:20 < gmaxwell> 11:24 < gmaxwell> petertodd: https://eprint.iacr.org/2013/155.pdf  I thought you might like the unusually clear explanation of how LEGO garbled circuits achieves high security with modest amounts of cut and choose.
16:21 < tholenst> ty
21:27 < BlueMatt> lololol...first payment for coingen...jesuscoin
21:27 < BlueMatt> well, ok, second to nexuscoin...how much you wanna bet thats copyright infringement?
21:28 < kyrio> lol
21:28 < kyrio> bluematt, give me some free coin generation
21:28 < kyrio> i want to make Meinkoin
21:28 < kyrio> neonazis need love too
21:28 < sipa> haha
21:28 < kyrio> someone stole my shekels coin idea =/
21:29 < kyrio> i was going to release them both at the same time
21:30 < sipa> can you take this to #bitcoin or something? :p
21:30 < BlueMatt> sorry, /me was trying to keep coingen here while it was still in early alpha, but considering its already out there, oh well
21:31 < justanotheruser> BlueMatt is nexus copyrighted? Blade Runner used "nexus" in '82 way before the Nexus came out
21:32 < justanotheruser> BlueMatt: anyways you have 2 people already making coins?
21:32 < justanotheruser> *made
21:32 < sipa> well, i don't care about coingen itself, it's sort of fun to trivialize altcoins
21:32 < sipa> but when someone is actually serious about using it...
21:33 < BlueMatt> well it has to be used before altcoins are actually trivial...
21:33 < sipa> a "make random bitflips in the source code until it compiles" option would be fun
21:33 < BlueMatt> heh
21:34 < justanotheruser> a coingen could make a lot of money
--- Log closed Fri Jan 03 00:00:49 2014
--- Log opened Fri Jan 03 00:00:49 2014
01:12 < gmaxwell> jgarzik: second thoughts yet? http://www.reddit.com/r/Bitcoin/comments/1uagqx/if_you_dont_know_bitcoin_has_just_included_an/
01:13 < gmaxwell> Luke-Jr: ^
01:17 < Luke-Jr> gmaxwell: it doesn't help that Gavin pretty much said exactly this in his blog -.-
01:26 < gmaxwell> BlueMatt: I've got a feature for your coin generator.
01:27 < gmaxwell> BlueMatt: there should be something that lets you punch in a formula for a future exchange rate to be displayed in the client.
01:27 < gmaxwell> (some altcoins have an exchange ticker in their clients; screw that. Just have them provide a formula as a function of time/height/txn volume)
05:17  * michagogo|cloud wonders why Magiccoin's difficulty didn't go up upon passing the 2016 block maek
05:17 < michagogo|cloud> mark*
05:19 < brisque> michagogo|cloud: maybe BlueMatt was messing with the parameters?
05:19 < michagogo|cloud> brisque: Hmm? You can't mess with the parameters
05:19 < michagogo|cloud> Just name it, pick a port, upload an image
05:20 < BlueMatt> michagogo|cloud: I didn't change the genesis, so...it took years for the first block set...
05:20 < michagogo|cloud> Ahhhhhhhh
05:20 < brisque> michagogo|cloud: you can now, but maybe magiccoin was one of bluematt's creations.
05:20 < michagogo|cloud> That'll do it
05:20 < michagogo|cloud> brisque: You can? :O
05:20 < michagogo|cloud> Ooh
05:20 < brisque> you can now, it's got a tonne more features.
05:20 < brisque> by the looks of it you'll need a petahash machine to manage to get above diff 1 though
05:22 < michagogo|cloud> brisque: Nah, should rise at the next 2016, I think
05:22 < michagogo|cloud> "Port must be divisible by 2 if the PoW is SHA256"?
05:22 < michagogo|cloud> Why?
05:24 < BlueMatt> michagogo|cloud: that's an artifact of me creating a little node that lets you auto-bootstrap your network
05:24 < BlueMatt> (it manages peers and such)
05:24 < BlueMatt> but needs to know what genesis block you're gonna be using
05:25 < BlueMatt> michagogo|cloud: anyway, this is ot for -wizards
07:16 < brisque> did anybody have a look at the "descendant of Bitcoin" ala NXT?
07:16 < brisque> they released the source of an older client, a single monolithic file
07:20 < brisque> releasing a broken version that can't connect to their network was a stroke of genius.
07:21 < sipa> it's pure proof-of-stake, which suffers from the "nothing at stake" problem (you can mine on all forks independently without spending more resources than on one, leading to problems in convergence if a significant portion of hashpower does this)
07:21 < sipa> but i'm sure that's not the only problem
07:28 < brisque> if nothing else, I'm very glad Bitcoin doesn't use raw integers for its addresses, the NXT ones are almost indecipherable when you look at them in the source.
08:25 < maaku> BlueMatt: people are actually using it. crazy
08:25 < maaku> you should have made the fees higher
09:12 < adam3us> maaku: it's the beauty of it ... say it relatively deadpan and different people think it's the best thing since sliced bread for very different and conflicting reasons, and yet all end up achieving the desired outcome :)
14:50 < jtimon> that one bothers me because it is proprietary software, but it was sad to hear Bill Still "I'm a non-technical newbie but I've chosen Quark because it has the more secure algorithm"
14:51 < jtimon> some part of me was happy for seeing this "greenbacker" interested in p2p currencies, the other part of me was a facepalm
22:50 < gmaxwell> Been talking about people getting scammed in another channel (geesh, some scammer on the forum just got 200 btc from a single person!) Posted this: https://bitcointalk.org/index.php?topic=398041.0 "Cryptographically private loan risk management"
--- Log closed Sat Jan 04 00:00:52 2014
--- Log opened Sat Jan 04 00:00:52 2014
01:25 < andytoshi> gmaxwell: why can't alice just sybil that?
01:25 < andytoshi> if she wants to borrow more than her lenders want, just restart with a new tree
01:28 < andytoshi> or better, have a new tree for each lender -- then they all see a proof that their entry was added, and each sees only their own total
01:32 < gmaxwell> andytoshi: note the first line: assumption is that the reputation system is already preventing that.
01:32 < andytoshi> oh, derp, i read right through that
01:32 < gmaxwell> andytoshi: a common pattern we see on otc and bitcoin talk is that someone starts an account and makes boring breakeven trades for a year, gradually increasing the amounts, and then does tons of large loans all at once.
01:32 < andytoshi> the line "she publishes the root hash and the proofs in the rep system"
00:50 < petertodd> Heck, I sold someone a Bitcoin back when they were over $200 in person - I didn't have a bitcoin on my phone, so they gave me the $200, I gave them my business card, and I sent them the Bitcoin a few hours later.
00:50 < amiller> petertodd, so a -10 confirmation transaction :p
00:51 < petertodd> Absolutely
00:51 < petertodd> Heck, about a -50 confirmation transaction.
00:51 < amiller> so even if you know them
00:51 < amiller> like you said
00:51 < amiller> you should make it so that they can't blame it on someone else
00:51 < amiller> like if they send you a transaction that they only received 1 block agin
00:51 < amiller> ago
00:51 < petertodd> They didn't know me at all or anyone else in the group, but they did know it appeared a bunch of people recognized me.
00:52 < amiller> petertodd, maybe think of it this way
00:52 < amiller> suppose you're a bitcoin business
00:52 < amiller> you might want bitcoin business insurance!
00:52 < petertodd> Point is, people tend to overestimate SPV security, because they think in terms of "an attacker is trying to attack *me*" which is dead wrong.
00:52 < amiller> how would an insurance company decide what to quote you for insurance against fork-attack double-spends?
00:52 < amiller> a risk manager for a bitcoin business would want to develop a policy for how many confirmations to wait before doing something irrevocable
00:52 < petertodd> First they'd call up myself and jdillon and ask us how replace-by-fee is going...
00:53 < petertodd> (0.25% hashing power jdillon figured, at least a month ago)
00:53 < amiller> if you don't have any transactions in flight and a bunch of noobs get double spent after 2-confirmation transactions, then it doesn't really effect you
00:53 < amiller> affect*
00:54 < petertodd> Frankly I think the best way is to arrange things such that you can't lose an unacceptable amount in one go, and continuously, and automatically, watch for fraud, triggering behavioral changes when you see it.
00:54 < petertodd> This isn't like the weather where the underlying mechanisms are well understood,
00:55 < amiller> yeah, and we still fall for the old "natural disaster" attack often enough
00:55 < petertodd> When jdillon and I were initially promoting replace-by-fee, we contacted a number of zero-conf accepting merchants, and nearly everyone followed that exact line of thinking and almost without exception the merchants said they weren't worried about replace-by-fee at all.
00:55 < petertodd> (that's before jdillon realized the scorched earth strategy can even make it fairly safe)
00:56 < gmaxwell> amiller would like the scorched earth strategy point if he hasn't heard it.
00:57 < amiller> i don't think i've heard it
00:57 < amiller> in any case this still supports my point
00:57 < petertodd> https://bitcointalk.org/index.php?topic=251233.msg2669189#msg2669189
00:57 < amiller> SPV is bad for *everyone else* to use
00:57 < amiller> but it isn't unsafe for an individual to use
00:57 < petertodd> fourth paragraph
00:58 < amiller> it's a social cost / public good problem
00:58 < amiller> not an individual security problem
00:58 < petertodd> agreed on that point
00:58 < amiller> like voting
00:58 < petertodd> especially when we're talking about tiny sums
00:58 < petertodd> applies to general network scalability too, which itself is a security issue
00:59 < amiller> yeah, i'm all for that.
01:00 < petertodd> Note that scorched earth is subject to most of the technical risks that the current defacto zero-conf is - differing ideas of what is a valid tx - although those risks are lessened because we only need to be pretty sure a really high fee tx propagates well, and that's obviously not a DoS attack.
01:00 < amiller> it's what i assume is part of the "rational bitcoin client"
01:00 < petertodd> Yeah, bit of hand-waving there because you don't get paid to relay transactions of course, but so long as we keep full/partial nodes cheap we're ok there.
01:01 < amiller> yeah and fees don't make terribly much sense overall anyway yet, but it's a step in the right direction
01:01 < jgarzik> That's the $10,000 prize:  figure out how to compensate people for being full nodes
01:02 < jgarzik> Something that cannot be *for the most part* gamed, a la click bots
01:02 < amiller> jgarzik, yes, move to a Proof-of-Retrievability based puzzle rather than empty hashes
01:03 < petertodd> Well, the logical extension of scorched earth is to make fees part of the *consensus* algorithm: IE burn money instead of burning electricity. This gets your "infinite mining capacity" in real life, almost, which means a 51% attacker needs to spend more than the entire value of the currency. (roughly speaking)
01:03 < petertodd> Problem is, systems like that aren't SPV compatible unless you're clever about it...
01:04 < amiller> petertodd, do you have an idea how you can make it so you have to expend the cost *just to try*?
01:04 < petertodd> They're also disturbingly close to proof-of-stake...
01:04 < petertodd> amiller: Fraud proofs.
01:04 < petertodd> But that only works with the jam-proof-network assumption, and depends on that assumption very heavily.
01:04 < amiller> so you're money is deleted if anyone provides evidence that you used the same money twice?
01:04 < amiller> yeah
01:04 < amiller> your
01:04 < amiller> *
01:05 < petertodd> jgarzik: Very easy to do if we're willing to add extra data to transactions and do probabilistic payments.
01:05 < petertodd> amiller: Yeah, and your fee sacrifice is still sacrificed if someone proves your block was invalid.
01:06 < amiller> petertodd, do you imagine that could ever be money-sacrifice all the way down?
01:06 < amiller> that cpu burning isn't even necessary as a bootstrap step?
01:06 < petertodd> amiller: You get into the nothing at stake problem... at some point *something* has to be costly in terms of energy.
01:06 < amiller> my intuition is that it's not but i haven't made any progress in clarifying what that means
01:08 < petertodd> Non-interactive proofs can work, but they tend to depend on computational limits...
01:08 < petertodd> It may be that the issue boils down to how do you do initial coin distribution fairly.
01:11 < amiller> so i meant to lead into this new topic i want to ramble about....  SPV security is a key point in composition for bitcoin (i.e., multiple chains, and smart coins)
01:11 < amiller> the idea is you can have a heterogeneous network where some people do full validation, and other people just do SPV validation
01:12 < amiller> i am working right now on a "Bitcoin extension" project that lets you pay for outsourced storage
01:13 < amiller> by Bitcoin extension i mean that i am just pretending i can tweak the transaction scripts however i like to define smart contracts and assign value to them
01:14 < petertodd> remember we *can* soft-fork to add all the opcodes we want
01:14 < amiller> so the idea is i write a script that defines a proof-of-retrievability "verification" routine, and i attach some money to it to be paid out every so often
01:14 < amiller> now there is a public bounty on answering proofs-of-retrievability, which means storing my data!
01:14 < petertodd> ha, lovely
01:14 < petertodd> problem is, how many copies?
01:15 < amiller> right! so that's where it gets interesting
01:15 < petertodd> so nLockTime these txs
01:15 < petertodd> or better yet OP_BLOCKHEIGHT them
01:15 < amiller> i have to do some weird sorts of economic modeling here, but it is likely that because of economies of scale
01:15 < petertodd> (so you can't double-spend the txout)
01:15 < amiller> the most cost effective way to participate in my challenge is just to pay some server farm to do the storing for you
01:16 < petertodd> yeah
01:16 < amiller> bitcoin makes it pretty easy to enter into a mining-for-payment contract
01:16 < petertodd> one issue: how do you incentivize retrieval?
01:16 < amiller> basically you just do something like reencode the puzzle
01:16 < amiller> and you pay them when they prove they're working at least on valid 'shares' that would benefit your public key
01:16 < amiller> so my solution to that is to change the proof of work so it's not just a hash, but a signature
01:16 < amiller> in other words, each time you scratch off a ticket, you have to use your private key
01:17 < amiller> this would make it much more difficult just to outsource mining
01:17 < petertodd> ah I see
01:17 < petertodd> yeah, I noticed that issue too with proof-of-stake stuff - allowing for separate stake proof and spend proof keys is a bad thing
01:18 < amiller> i'm having a really hard time defining that intuition any more clearly though
01:18 < amiller> it seems to relate to program obfuscation
01:18 < petertodd> unfortunate, but it has to be done
01:18 < amiller> there are results for general outsourcing of private programs
01:18 < amiller> but they are definitely more expensive
01:19 < petertodd> hmm... go back to your concrete use-cases though, I'm not sure you have to do anything fancy for them
01:19 < amiller> so i'm at this point moving on and just saying, assume i can make a proof-of-work based on signatures such that it's infeasible to outsource, then i can assume somehow that individuals who participate won't just hire the central amortized server
01:19 < amiller> so the next question is what you asked
01:19 < amiller> how to incentivize the actual retrieval
01:19 < petertodd> right
01:19 < amiller> and i have no idea
01:19 < petertodd> how big is the data?
01:19 < amiller> just because someone collects the reward by proving they *have* my data doesn't mean they're going to transfer it to me on demand
01:20 < amiller> petertodd, well so far we're considering like storing the library of congress
01:20 < petertodd> it's easy to just make a tx that requires providing the data itself to spend it
01:20 < amiller> it doesn't need to be public data
01:20 < amiller> but it's fun to think of it that way as a start
23:44 < andytoshi> (if NSA excluding these from analysis, then you can get all your ordinary transactions excluded just by spending to several outputs -- then you win)
23:44 < gmaxwell> nsh: because even without participating in an actual CJ you can form a txn all by yourself that looks like one (a bunch of equal sized outputs) and then various automatic deanonymization methods would hit it and fire off their CJ heuristic and give up.
23:45 < gmaxwell> yea, as andytoshi says.
23:45 < nsh> right
23:45 < nsh> though in practice it might rather go as "okay all of these guys are definite terrorists. *dronestrike*"
23:45 < gmaxwell> well different threat model.
23:45  * nsh nods
23:46 < gmaxwell> Either dumb web tools that automatically trace coins frequently give BS results from CJs in which case they're easily debunked and few trust them... or they ignore CJs and you just make some fake ones and basically opt out of their tracing. win win.
23:46 < gmaxwell> NSA .. I can't help you with. You're probably screwed. :P
23:46 < andytoshi> if SR were still up i'd be sending all the donations there :P
23:46 < gmaxwell> andytoshi: you could send them to the FBI. :P
23:46 < andytoshi> hahaha
23:46 < nsh> people are still "sending" money to that address...
23:46 < nsh> but that's another subject
23:47 < gmaxwell> whatever jackass hacked john dillon sent a bunch of btc there that he'd sent me in a private key for the CJ fund. :(
23:47 < nsh> sucks :(
23:54 < andytoshi> ok, i tried doing the max(unsigned tx count, mpo count) thing
23:54 < andytoshi> we'll know in a minute or so if it worked..
23:54 < gmaxwell> andytoshi: perhaps the count should actually be min(distinct_in_addresses,max(ntransactions,n_most_pop_outputs))  .. otherwise on this one it would have displayed 10 which was clearly impossible vs 9 which is at least more credible.
23:55 < gmaxwell> I suppose there really should be some maximum_credible_amount  which does some value analysis.
23:57 < andytoshi> hmm
23:57 < andytoshi> the point of this display is to give people a swag of their anonymity
23:58 < gmaxwell> right, but e.g. if I submit to you a txn that itself looks like a coinjoin, e.g. two addresses each with enough to form a uniform output, the display shouldn't leak that.
23:58 < andytoshi> ah, i see
23:59 < gmaxwell> maybe it should work from a pure analysis of the transaction submitted so far, just some metric some attacker might use to guess the participants.
23:59 < andytoshi> i think i'll modify coinjoin to calculate how many participants it thinks it's merging
--- Log closed Sat Dec 28 00:00:01 2013
--- Log opened Sat Dec 28 00:00:01 2013
--- Day changed Sat Dec 28 2013
00:00 < andytoshi> "maximum plausible participants"
00:00 < gmaxwell> I wonder if this is some crazy maximal matching problem.
00:01 < andytoshi> yeah, i'll get some paper and see what happens :P
00:01 < andytoshi> i haven't thought about this in any detail up to now
00:08 < andytoshi> ok, i've translated this into a graph theory problem, i'll type it up and post it
00:08 < andytoshi> it's actually pretty neat, maybe it's something well-known
00:15  * gmaxwell waits for the max-flow problem
00:16 < andytoshi> i don't think it's that, i'm looking for a graph on a given vertex set with the maximum number of disconnected components
00:16 < andytoshi> with the edgeset satisfying a bunch of conditions
00:21 < andytoshi> does this look right?: http://download.wpsoftware.net/bitcoin/coinjoin.pdf
00:22 < andytoshi> sorry, it took me forever to find a latex template..
00:24 < gmaxwell> andytoshi: 2.1 is incorrect. You could have a fee only input.
00:24 < gmaxwell> oh nevermind misread
00:24 < gmaxwell> 2.1 is just that the graph is bipartite.
00:25 < andytoshi> that's right, i knew there was a word for that..
00:25 < andytoshi> but i do fix the input and output sets, and i want to ensure these are the same across every plausible join
00:25 < andytoshi> so i'm not sure how best to say that
00:29 < andytoshi> so, my hunch at this point is that "sort the inputs and outputs somehow then match greedily" will provably give the best plausible join
00:29 < andytoshi> based on, that is how literally every school graph theory problem goes
00:29 < gmaxwell> hahahah
00:30 < gmaxwell> I'm trying to figure out how to refactor this into finding a maximal cut.
00:36 < gmaxwell> I don't think the greedy solution works.
00:37 < gmaxwell> say you have an input of 1.55 which was split into 1.4 and .15 and you greedily assign it a 1.5 output. then you'll be left with a straggler.
00:38 < nsh> greedy doesn't work so well when you have inequalities, i'd guess
00:42 < gmaxwell> andytoshi: hitting set problem
00:56 < andytoshi> oh thx, i'll look that up
01:00 < andytoshi> this is not quite the set hitting problem, that would be if we are trying to cover all the outputs with the least number of inputs
01:00 < andytoshi> here a want a cover by the greatest number of disjoint subsets of inputs
01:01 < gmaxwell> yea.. :-/
01:01 < BlueMatt> who would be interested in getting a -wizards meetup together at some point in the late march/early april timeframe?
01:02 < andytoshi> BlueMatt: i will know in a week or two what my midterm schedule looks like, but i'd be down
01:03 < andytoshi> i also don't think a greedy algorithm works, this problem does not quite have the right structure
01:03 < gmaxwell> andytoshi: amusingly even that little transaction from tonight is intractable if evaluated via a maximally dumb algorithm that selects all solutions.
01:03 < gmaxwell> s/selects/tests/
01:04 < andytoshi> cool, do you know how many tests would need to be done?
01:04 < gmaxwell> e.g. there are 9*13=117 edges in the graph, so 2^117. (9 because I merged the dupe address inputs)
01:04 < warren> BlueMatt: will there be a minimum bar of entry?
01:05 < BlueMatt> warren: well, I'll be there, so the bar is set pretty low
01:05 < BlueMatt> in other words...lurkers welcome
01:05 < andytoshi> i think "no floating outputs" is a reasonable assumption, so 117 is a bit high
01:05 < andytoshi> but not by much
01:05 < warren> BlueMatt: what would goals be there?
01:05 < andytoshi> woah
01:06 < BlueMatt> warren: get together, discuss -wizards concepts in person (with whiteboards...), and personally, I'd like to see discussion of moving more things towards implementation
01:06 < andytoshi> i've noticed how hard this is, for example when i was testing the "display max(unsigned txs, mpo outputs)" code (which didn't work, i forgot to update the copy of coinjoin that the site uses :}), some stranger joined with me
01:06 < andytoshi> i was distracted and i trust my joiner, so i just signed what came out without looking at whose outputs are whose
01:07 < gmaxwell> andytoshi: yea, I was just thinking about the dumb algorithm, because sometimes it obviously yields some kind of recursive structure that turns straight into a dynamic programming solution, but I'm not seeing one here.
01:07 < andytoshi> yeah, i'd like to be able to say "if there is a better solution, we can move toward it somehow", but it's not clear at all how different solutions are related
01:07 < gmaxwell> andytoshi: lol, I was thinking it would be good to have a simple tool where you feed it two raw transactions: your merged one and the original one, and it just checks that one is a proper subset of the other.
01:08 < gmaxwell> andytoshi: I suspect in most cases there are bunch of "forced edges", and then there are bunch of "equivalent edges" which can be assigned in a greedy way.
01:09 < andytoshi> yeah, for example, can we assume every component is a complete bipartite graph?
01:09 < andytoshi> yes: that doesn't affect any of the three plausible join conditions
01:09 < gmaxwell> Yes.
01:10 < andytoshi> awesome, that feels like a big simplification
01:15 < gmaxwell> so, does that reduce the search? it's obvious to me that's enough to make this sufficient: consider all permutations of inputs, all permutations of outputs, all partitionings of inputs, all partitions of outputs. = 9! * 13! * 2^(9-1) * 2^(13-1)
01:16 < gmaxwell> there, I made it 7e13 times faster.
01:17 < andytoshi> yeah, that's about where i am
01:17 < andytoshi> but maybe there is a smarter way to match up partitions of inputs and partitions of outputs (?)
01:19 < andytoshi> is that the right number for 'partitionings of inputs' tho? don't you want http://oeis.org/search?q=partition ?
01:21 < gmaxwell> they're ordered.  So it's just like sticking an edge between each vertex which is either cut or not.
01:21 < andytoshi> oh, yeah, i see
01:21 < andytoshi> right, i definitely don't want integer partitions, those compensate for overcountings which are completely unrelated to this
01:22 < gmaxwell> well the permute/partition is wasteful, since we don't care about orders within the partitions.
01:23 < gmaxwell> which might just be the partition numbers /me thinks
01:23 < andytoshi> yeah, sounds like it, i think that's what set me looking at partition numbers in the first place
01:24 < andytoshi> but i wasn't explicitly thinking about permutations, so when you brought them up i confused myself
01:26 < andytoshi> OK, for each n from 1 up to the number of outputs, consider the partitions of outputs into n subsets, and also the partitions of inputs into n subsets
01:26 < andytoshi> call the number of output partitions O_n, the number of input partitions I_n
01:26 < andytoshi> then the number of plausible joins with n participants is at most O_n*I_n
01:27 < andytoshi> so we can reduce the space to sum_n O_nI_n
01:27 < andytoshi> which is ugly to write, but probably easy to compute, and might even be tractable
01:28 < gmaxwell> numbpart(13)*numbpart(9) = 3030
01:28 < andytoshi> that gives us an upper bound on the sum, right?
01:29 < andytoshi> yeah, it does, write each numbpart() as a sum of O_n's or I_n's, then their product will be the dot-product sum_n I_nO_n plus a bunch of nonnegative cross terms
00:36 < wyager> Bitmessage ping?
00:36 < wyager> Or something?
00:36 < Taek42> each person gets a piece, redundancy is N
00:36 < Taek42> then select a random piece of the file to test
00:36 < Taek42> everybody produces that piece
00:37 < Taek42> and if you can use the LT-Codes to resolve it, you know they have the actual file
00:37 < Taek42> if you are worried about somebody waiting, you have them produce a hash first
00:37 < Taek42> but this solution is still delegatable
00:38 < gmaxwell> yea, (you'll note the thing I linked to isn't... but at a cost of not actually being able to store anything. :P )
00:39 < gmaxwell> hm. I guess encrypting can solve that.
00:39 < Taek42> I'm pretty sure that if you want to store actual data AND have a redundancy, hosts will be able to delegate.
00:39 < Taek42> encryption could solve that?
00:39 < gmaxwell> Taek42: you really want to code it using a locally decidable code.
00:40  * andytoshi-logbot is logging
00:40 < gmaxwell> Taek42: you code your data with a locally decidable code, and then encrypt the codewords. then you issue the codewords to peers.
00:40 < gmaxwell> the peers cannot recover your data because it's encrypted.
00:40 < gmaxwell> you can test small fractions of the data by requesting and decrypting and then using the local codeword test.
00:41 < gmaxwell> (I guess the term is actually "locally testable code")
00:42 < Taek42> so the sacrifice would be that you are the only one who is able to repair the file if nodes go offline
00:42 < Taek42> as opposed to the network self-repairing
00:43 < gmaxwell> Yes. though you could have two levels of redundancy which enabled that.
00:43 < gmaxwell> e.g. for the network self-repair you don't need as much correction because the network will respond fast.
00:45 < Taek42> I think though any time you have a self-repairing network, a large set of collaborating nodes could cheat on the redundancy
00:45 < Taek42> which you would block through penalties for correlated downtime
00:46 < gmaxwell> I still don't see how you hope to achieve that, but I'm not that curious. :)
00:46 < Taek42> hmm
00:48 < Taek42> would you consider it mandatory to a cryptocurrency that when you receive a transaction, you don't need to vest trust in some subset of the network?
00:48 < Taek42> because I've been thinking about building a distributed block chain
00:48 < gmaxwell> you mean trust in Igor and his 999,999 botnet nodes?
00:48 < wyager> lol
00:48 < Taek42> no
00:49 < Taek42> it would be a randomly sampled subset based on how much work they are contributing
00:49 < gmaxwell> 1,111,111 nodes?
00:50 < wyager> If they don't make more money contributing hashing power to the network than they would contributing hashing power against the network, they can't be trusted
00:50 < Taek42> so Igor would need to control a large % of the work on the network (51% is reasonable) as opposed to merely needing a sufficient quantity of nodes
00:50 < wyager> Which is why we pay people who make the blockchain
00:50 < Taek42> wyager I'm pretty sure you could build it such that you always make the most money contributing towards the network as opposed to against it
00:52 < gmaxwell> it's actually pretty easy to break that.
00:53 < gmaxwell> in any case, as I said in bitcoin we trust to trust the absolute minimum possible, and even then we are not sure the system will survive.
00:53 < gmaxwell> many altcoins have been destroyed by attacks by miners.
00:59 < Taek42> hmm
00:59 < Taek42> also, is bytecoin still actively developed?
00:59 < Luke-Jr> scamcoins are almost never actively developed at any point..
01:01 < Taek42> would it be bad form to steal their name?
01:02 < Luke-Jr> it would be bad form to steal ByteCoin-the-person's name again.
01:03 < Luke-Jr> imo
01:03 < Taek42> oh is he a person too?
01:04 < gmaxwell> yea, bytecoin is a cryptographer who was very active in bitcoin's early days.
01:05 < Luke-Jr> note: no relation to the scamcoin
14:51 < fagmuffinz_> justanother
14:52 < fagmuffinz_> What's up
14:52 < justanotheruser> fagmuffinz_: hi
14:53 < justanotheruser> You should change your name. I think it's borderline banning territory
14:54 < fagmuffinz_> I would hope the nature of movements like this would line up with free speech well enough to overlook something trivial enough like a name
14:54 < fagmuffinz_> A name is a handle - nothing more.  You can identify me, and you can identify that I prefer to remain pseudonymous
14:55 < justanotheruser> I wouldn't ban you for it, but free speech doesn't prevent you from getting kicked for having an inflammatory name, it just prevents you from being arrested for having one.
14:55 < fagmuffinz_> Also, who doesn't like muffins?
14:56 < fagmuffinz_> On a more serious note - I meant to get back to you on your decentralized voting scheme, but I've been traveling
14:57 < gmaxwell> (FWIW, a different name would probably be preferable, I had the same initial response... but you were saying thoughtful things, so I didn't bring it up. :) )
14:58 < fagmuffinz_> Have you made any progress on it, or are you still where you were ~2 weeks ago?
14:59 < justanotheruser> fagmuffinz_: I was just asking if the system would work. I think jamming may be able to be prevented by requiring a certain number of transactions per block.
15:00 < justanotheruser> And a "vote/coin" can only go through a certain number of transactions from its creation
15:01 < justanotheruser> enough to do coinswaps and joins to anonymize them
15:02 < justanotheruser> along with that you wouldn't be able to have unequal inputs and outputs meaning you couldn't turn 1 vote/coin into 1000 divisible units to fill up the block transaction requirement
15:03 < gmaxwell> I don't know why y'all are wasting cycles on blockchain things for voting. (1) miners can trivially censor votes, (2) none of the anonymity procedures for transactions work without an underlying anonymity network, and if you've got one of those, you don't really need more than that for the anonymity part.
15:06 < justanotheruser> gmaxwell: (1) eventually once [vote recipient A] has all their votes, the miners would have to start accepting votes for B because blocks have to have a certain number of transactions. (2) You need to associate votes with real people in the first place so you know everyone is getting a vote. What you don't know is who they are voting for. The anonymity network wouldn't do anything unless you mixed the votes before voting.
15:08 < gmaxwell> justanotheruser: if you must have X votes in total, then you don't need the miners at all. Just have some designated party collect the votes.. pick them at random, hell pick 10 of them to each get a copy.
15:08 < nsh> also voting is basically broken by mathematics
15:09 < nsh> there's no right way to do it, and all the wrong ways suck
15:09 < gmaxwell> electronic voting has a ton of research behind it, solving tricky problems you're not even thinking about (e.g. coercion / vote-buying). You're everything-is-a-nailing it with the blockchain as far as I can tell.
15:09 < gmaxwell> There is basically nothing useful bitcoin adds to to this particular problem.
15:10 < justanotheruser> gmaxwell: how do you verify that all in the voting set had their votes counted and that they are real people with "some designated party"
15:10 < justanotheruser> gmaxwell: I don't think coercion or vote buying can be solved in any voting system
15:11 < gmaxwell> justanotheruser: except they do solve these things. (largely)
15:11 < justanotheruser> the only person who can determine if there is coercion is an all knowing state
15:11 < gmaxwell> justanotheruser: Usually voting systems use verifiable reencryption mixes.
15:11 < gmaxwell> justanotheruser: you cannot be reliably coerced if you cannot prove to a third party how you voted.
15:12 < justanotheruser> gmaxwell: yes, but people can bring cellphones to voting booths pretty easily
15:12 < justanotheruser> "Take a picture of you voting for Putin or I will kill you"
15:12 < gmaxwell> justanotheruser: they're prohibited, including by observers. (and even if you had one, it's not hard to take a picture then vote another way)
15:13 < gmaxwell> Seriously, there are hundreds of people working on this domain, and they have good systems proposed. And their solutions do not need and would not benefit from a blockchain. They can make concrete statements about the security.
15:14 < justanotheruser> gmaxwell: I see. What happened in Florida? The government hacking together their own voting system?
15:30 < adam3us> justanotheruser: just another example of real-life-stupidity. dunning-kruger in action etc
15:33 < gmaxwell> certainly had little to do with cryptographic voting systems (none was in use)
15:41 < adam3us> justanotheruser: not directly bitcoin related but if you're interested in voting there are some papers on it, one is damgard-jurik's threshold extension of paillier's crypto system which gives split trust vote validation, user verifiable counting of votes, and summing via homomorphic encryption.  phun stuff if u like crypto-math.  there's a whole load of other papers, that's just one i happened to have read.
15:41 < fagmuffinz_> (Back)
15:45 < fagmuffinz_> Oh, cool, nsh is in here also.  Was wondering if anyone here was working on 3301
15:45 < nsh> s/on/for/
15:53 < maaku> :)
15:55 < justanotheruser> adam3us: link?
15:57 < adam3us> justanotheruser: hmm one sec http://en.wikipedia.org/wiki/Damg%C3%A5rd%E2%80%93Jurik_cryptosystem there's an author home page paper link from there, if that doesn't work try citeseer.
15:57 < justanotheruser> thanks
16:00 < adam3us> justanotheruser: i only read it because i knew what paillier was and it is necessary to use DG extended paillier tricks to get a blind signature out of DSA (it sucks that badly compared to Schnorr, it's horrendous the complexity of blind DSA, blind ECDSA i am not sure is known to be possible).  paillier itself is a nice little RSA related crypto system that
20:34 < phantomcircuit> (i think i should double check)
20:34 < nanotube> does addnode?
20:34 < jrmithdobbs> phantomcircuit: but on the other side the slots might have been taking is what he's saying
20:35 < nanotube> connect iirc says 'connect only to this node and nothing else'
20:35 < nanotube> addnode says 'add this to whatever else is going on'
20:35 < phantomcircuit> nanotube, connect does prevent connecting to anything else
20:35 < nanotube> so obviously connect would reserve.
20:35 < phantomcircuit> nanotube, i dont think what you're trying to do will work
20:35 < jrmithdobbs> sorry i meant addnode and it doesn reserve if i remember the code correctly
20:35 < jrmithdobbs> *does
20:35 < nanotube> ah so if addnode reserves, guess that's fine
20:35 < jrmithdobbs> but only on connecting-from (client) side
20:35 < gmaxwell> Addnode reserves.
20:36 < gmaxwell> yes only on the from side.
20:36 < jrmithdobbs> but if you have a pool of say 20 bridges that all -connect to each other's onions ... problem solved
20:36 < nanotube> ah, so the scenario of 'tor dies, slots fill up' is still a threat to tor bridging?
20:36 < jrmithdobbs> s/-connect/-addnode
20:36 < nanotube> at any rate, in the meantime, throw me your tor node addresses and i'll addnode them. :)
20:37 < jrmithdobbs> took mine down due to lack of interest/connections
20:37 < jrmithdobbs> months ago
20:37 < nanotube> hum.
20:37 < phantomcircuit> i wonder how much effort it would take to add a gui for adding reserved slot peers
20:37 < gmaxwell> jrmithdobbs: huh? mine usually has >30 HS inbounds...
20:37 < phantomcircuit> so normal people could connect to their friends (or at least try to)
20:38 < nanotube> forget gui, a config option would be nice. :)
20:38 < nanotube> iow, if addnode reserved a slot.
20:38 < jrmithdobbs> gmaxwell: mine didn't and "months" is actually almost a year now
20:38 < phantomcircuit> nanotube, if gmaxwell says it does it probably does
20:38 < gmaxwell> well you can't reserve HS inbound for specific HS peers sadly.
20:38 < phantomcircuit> :)
20:38 < phantomcircuit> oh i didn't mean inbound
20:38 < nanotube> he says it doesn't
20:38 < phantomcircuit> reserved inbound slots isn't important
20:39 < gmaxwell> nanotube: addnode outbound always works.
20:39 < nanotube> anyway just a suggestion. it's a bit of an edge case.
20:39 < phantomcircuit> unless you're super popular you're not going to hit the 128 limit
20:39 < gmaxwell> or dos attacked.
20:39 < nanotube> i don't have the ram for 128, i'm running with 16 :)
20:39 < jrmithdobbs> phantomcircuit: the node i turned tor off on had 512 max cons with ~300-380 constant non-tor and 5-10 unconnectable tor nodes
20:39 < nanotube> will see how it behaves and maybe up it a bit
20:39 < phantomcircuit> gmaxwell, shrug
20:39 < jrmithdobbs> (plus sipa and gmaxwell's tor nodes)
20:39 < gmaxwell> nanotube: since 0.8.1+ you shouldn't need a lot of ram for a lot of inbounds.
20:40 < nanotube> so going from 16 to 128, what's the impact?
20:40 < phantomcircuit> gmaxwell, possibly select should be replaced with epoll()
20:40 < gmaxwell> nanotube: dunno, haven't measured lately. if this is a non-wallet node running the disable wallet patches will also save you 50 mb.
20:40 < phantomcircuit> nanotube, select() is slower but only marginally so and you're using up file descriptors
20:40 < nanotube> currently i have 268/585 res/virt ram use with 16
20:41 < phantomcircuit> nanotube, running what version
20:41 < nanotube> latest release .8.4
20:41 < phantomcircuit> also have you synced
20:41 < nanotube> yes
20:41 < phantomcircuit> this have an active wallet attached to it?
20:41 < nanotube> well, not active, it's the empty default wallet
20:41 < gmaxwell> I'm 262mb res, but at the moment I only have 11 peers.
20:41 < phantomcircuit> weird
20:42 < nanotube> well, i'll run at 16 for a day or two and see how it is, then up it to 128 and see what it does.
20:44 < phantomcircuit> blargh debian ftp mirror rate limiting me
20:45 < nanotube> hm, guess the network has plenty of open slots - i'm running at 15 connections heh
20:46 < phantomcircuit> nanotube, it's exceptionally random how many inbound connections you'll get
20:46 < nanotube> or maybe my fresh node hasn't yet been discovered by much of the network.
20:46 < nanotube> mm
20:47 < phantomcircuit> nanotube,     "connections" : 81,
20:47 < phantomcircuit> very long lived node
20:47 < nanotube> nice
20:48 < nanotube> 2013-09-11 00:47:14 Warning: Local node 127.0.0.1:36029 misbehaving (delta: 0)! heh well and there's some indication that i have tor peers. :)
20:50 < gmaxwell> nanotube: what I want to do for inbound is something like this: Once every few minutes: If your inbounds aren't full, do nothing. If your inbound is full select a peer to evict with an algorithm like this:
20:50 < gmaxwell> Remove addnoded peers that we're not also outbound to from consideration.
20:50 < gmaxwell> Protect up to 8 longest connected localhost / local subnet connections.
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by most useful to us (e.g. most times the first inv for a new good block)
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by the lowest ever minimum ping latency, iff they have the useful flag, limited to one peer per netgroup.
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by H(secret IP), iff they have the useful flag, limited to one peer per IP.
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by longest connected
20:50 < gmaxwell> sort the rest by connection time divided by the number of peers on the same ip, select one to kick randomly weighed to pick short connections.
20:51 < nanotube> well according to netstat, i have 4 tor peers. \o/
20:52 < nanotube> ah so the idea is to prevent a node from being too static in the network, ic
20:53 < nanotube> i guess tor nodes would fall under localhost connections
20:53 < phantomcircuit> nanotube, getpeerinfo rpc call
20:54 < phantomcircuit> gmaxwell, instead of doing it when the slots are full, accept 129 connections and then select a peer to evict
20:54 < gmaxwell> nanotube: actually what I'd like to do is split this all by netgroup first, and handle tor peers totally separately. e.g. move tor inbound to another port to distinguish it.
20:54 < phantomcircuit> i actually have a patch that does this which makes the simplest slot filling problems disappear
20:54 < gmaxwell> phantomcircuit: I think that's not right, in fact! because then someone connecting really fast can quickly use up all your probabilistic slots.
20:54 < phantomcircuit> (magic)
20:55 < phantomcircuit> gmaxwell, well of course the disconnected slot could be the newly connected peer
20:55 < gmaxwell> and N in my example should actually be an exponential random variable.
20:55 < phantomcircuit> ie you could give a lot of weight to connections to your probabilistic slots which are new
20:55 < gmaxwell> phantomcircuit: I suppose that would be fine, or adjust the weigh-for-lowest duration to strongly prefer them. Fair enough.
20:56 < gmaxwell> In any case each of my "protect" groups is based on something which is hard for an attacker to fake.
20:56 < phantomcircuit> otoh i was actually considering randomly evicting peers even when you're not full
20:56 < phantomcircuit> just to churn the network and make it harder to do latency based analysis
20:57 < gmaxwell> Being on your local subnet, being net-geographically close is unfakable,  giving useful data (blocks) is not really fakable, having an IP that meets our secret criteria is only fakable with great expense, being connected for a long time is harder to 'fake'.
20:57 < gmaxwell> phantomcircuit: for outbound I think we should churn, for inbound I think not.
20:58 < gmaxwell> for outbound sipa has a proposal that randomly changes peers with a weight that prefers to evict the shortest connection. I suggested augmenting it by always keeping the two most useful peers, so you don't rotate yourself into a useless partition of the network.
21:15 < nanotube> phantomcircuit: getpeerinfo - thanks. :)
21:16 < nanotube> if the shortest connections always get churned, they never get a chance to become long connections.
21:16 < nanotube> so some clients may forever be relegated to the churn pile?
21:19 < nanotube> i don't suppose it is possible to change maxconnections without restarting the client?
21:20 < gmaxwell> nanotube: unless they end up in one of those several protected classes I gave.
21:21 < nanotube> which as you yourself said, is not easy to do intentionally.
21:22 < nanotube> i guess eventually it'll end up somewhere which is relatively close with a low ping...
21:23 < nanotube> but wouldn't that make the bitcoin network more closely mirror physical geography
21:23 < gmaxwell> nanotube: that's also why it would only be a limited number of connections in that class. All those other connections are getting used by someone.
21:24 < nanotube> yea just wanted to make sure that a new node doesn't have trouble getting stable peers.
21:24 < gmaxwell> wrt becoming the longest, that's the idea of it being random though it wouldn't punt the shortest life, it would say have a x% of the shortest a x/1.5% of the next... etc.
21:25 < nanotube> ah so weighted, not absolute, ok
21:26 < gmaxwell> yea, absolute would be broken. Sipa did some simulations for the weights for outbound and got some nice properties.
21:27 < nanotube> cool
21:27 < gmaxwell> but absolutely, the latency bias is dangerous if carried too far: you can get networks that self-partition.
21:27 < nanotube> right
21:27 < gmaxwell> That's one reason I enumerated a class the H(secret+ip) one which is purely random, and not at all uptime or latency sensitive.
21:28 < nanotube> \o/ for randomness. :)
21:32 < nanotube> if nodes are going to be penalized for low uptime, could be a good idea to allow changing conf parameters without restarting the node via rpc. like bitcoind maxconnections X
05:46 < maaku> well the historical analysis, repeated many times is that once you subtract out the risk, the costs, and any other identifiable factor, there's 4-6% left over
05:47 < maaku> it fluctuates a little bit based on global and local economic conditions, but has remained remarkably steady since they started tracking this
05:47 < petertodd> how was the cost of determining credit risk factored out? and for that matter, the way credit risk can often be amortized and so on
05:48 < maaku> unsatisfyingly, i'm going to have to go to bed soon (almost 3am here)
05:48 < maaku> but i believe in these studies they just use the banks own numbers
05:48 < maaku> credit risk is what the bank thought it was
05:48 < petertodd> right, but even the banks might be fooling themselves
05:49 < petertodd> heck, with the last crash, I'll say that's guaranteed in some sense
05:49 < maaku> right, but every banker in the world fooling themselves the same amount?
05:49 < petertodd> they're all human... I hope
05:49 < petertodd> or heck, it's all the same amount because of good competition :P
05:50 < maaku> well that is quite the point
05:50 < maaku> the banks compete and they end up at the same amount
05:50 < maaku> that is, charging extra by the same amount, the most they can get away with
05:51 < petertodd> yup, and they all think they're making out like bandits, and like most people they're discounting all kinds of risks, like black swan events, which leaves them at break-even
05:51 < maaku> competition doesn't drive it to zero, as you might think, because the bank would rather have money under the mattress than a loan with expected 0% return
05:51 < petertodd> well... it drives it to zero in *some* sense
05:51 < maaku> opportunity cost and all that
05:52 < petertodd> hence why rather than "zero" you could wind up at that 5% and wonder why it's not zero - when a broader picture is that rate is 0%
05:53 < petertodd> an interesting analysis comes from civil aviation, where a lot of people have come to the conclusion that in the entire history of it, the industry has lost money
05:54 < petertodd> but equally, aviation is full of dreamers...
14:21 < jtimon> maaku petertodd I thought the demurrage rate would be fixed and PoS only votes on the % to the miners % to something else
14:22 < jtimon> "in the zerocoin application, the entire tree is recoverable from the spend history in the block chain, but nodes don't have to keep it resident in the UTXO set"
14:22 < jtimon> how do you do that?
14:46 < gmaxwell> what are you quoting?
14:46 < gmaxwell> In any case, look at the little MMR writeup I did:
14:47 < gmaxwell> https://bitcointalk.org/index.php?topic=314467.msg3371194#msg3371194
15:34 < maaku> he's quoting me
15:35 < maaku> updating the chaum double-spend database using proofs provided with the transaction
15:35 < maaku> like we talked about a week or so ago
15:36 < maaku> jtimon: this is just to keep a list of which chaum tokens have already been spent
15:36 < maaku> you put them in an ordered tree structure, and to perform a spend you have to provide an insertion-proof showing that the token is not already in the db
15:37 < maaku> the validating nodes only have to keep the root hash around
15:37 < maaku> since each spend references the previous hash, and they update the hash afterwards
15:37 < maaku> update the root hash
15:38 < maaku> you still have to use some sort of ZKP or centralized signing to create the chaum tokens and validate that the token provided is from the original issuance set
16:07 < maaku> i wonder if there is a subset of the SHA-3 and AES contenders which are particularly amenable to small circuits in ZK proofs
16:17 < gmaxwell> 22:36 < gmaxwell> It would be interesting to evaluate all the well studied cryptographic hashes and see which would result in the most efficient quadratic span program proofs.
16:18 < gmaxwell> but I suspect sha2 is not so bad. likewise with aes.
16:22 < maaku> yeah i was thinking rijndael is probably better than all the others
16:23 < maaku> but keccak is probably worse than sha2
16:41 < jtimon> maaku in the context of freimarkets, would there be a "chaumian tree" per asset?
16:44 < maaku> well there'd be a tree per mint series
16:44 < maaku> and a mint series would be presumably limited to a single asset
16:45 < jtimon> I see
16:46 < jtimon> did you read petertodd's proposal for indexing the inputs set instead of the output set?
16:46 < jtimon> I'm not sure I understand it but it looks very interesting
18:30 < jtimon> petertodd I'm re-reading this http://sourceforge.net/mailarchive/forum.php?thread_name=20131119110023.GA24068%40savin&forum_name=bitcoin-development
18:30 < jtimon> I have several questions
18:31 < jtimon> the first is how are tx fees paid?
18:31 < jtimon> maybe you have PoW per transaction to prevent spam DoS?
18:39 < jgarzik> jtimon, TX fees are paid by providing input bitcoins > output bitcoins
18:39 < jgarzik> jtimon, the difference is the fee
18:39 < jgarzik> jtimon, e.g. 2 BTC inputs, 1 BTC outputs == 1 BTC fee
18:40 < jtimon> that's how bitcoin works, but I'm not so sure that is how petertodd's proposal works
18:40 < jtimon> miners see no outputs if I understand correctly
18:47 < jgarzik> ah, apologies
18:47 < jtimon> jgarzik no problem
19:24 < maaku> petertodd: what are the advantages of keeping a spent-txin set instead of an unspent-txo set?
--- Log closed Sat Nov 30 00:00:20 2013
--- Log opened Sat Nov 30 00:00:20 2013
05:12 < gmaxwell> erp. So either someone has a secret ltc asic farm, or LTC mining is consuming .5x - 2.5x the electrical energy of Bitcoin mining.
05:13 < gmaxwell> (range due to the huge spread of bitcoin asic efficiencies and me not knowing what the bulk of the hashrate is)
06:09 < Ryan52> gmaxwell: interesting! I heard from somebody, who is way less technical, that all attempts at ASICs for that, were at laughable hashrates currently.
08:00 < Luke-Jr> gmaxwell: I'd suspect the former
08:51 < Emcy> i still dont know what ltc actual utility is
08:51 < Emcy> it might have had a reasonable one, if it had managed to stay an x86 coin given the momentum of that architecture
08:53 < _ingsoc> People don't want to be locked into a monoculture.
08:54 < Emcy> what does that actually mean
08:54 < _ingsoc> We could argue about the technical justification for something all day. Fact of the matter is, if it can be forked, it will be forked.
08:55 < _ingsoc> If Bitcoin is the only crypto-currency with any swing, we're screwed.
08:55 < wumpus> it's useful for experimentation
08:56 < _ingsoc> If Bitcoin is supposed to be our God, then you might as well just worship the dollar. Push out as many crypto-currencies as technically possible and let the market decide - that's one form of reasoning.
08:56 < _ingsoc> But then markets aren't always "right".
08:56 < Emcy> i dont think ltc does much experimentation, it just seems to be a place to go for people who are asspained about not buying btc when it was $10, and who have gpu farms that are now useless for btc
08:57 < Emcy> do you know how many ltc pump threads are on /g/ these days
08:57 < _ingsoc> Rectal pain is the most powerful force in capitalism.
08:57 < _ingsoc> It literally fuels innovation.
08:57 < wumpus> I mean, if people want to find out for themselves why a block per 10 seconds is a bad idea, let them
08:58 < _ingsoc> Sure.
08:59 < _ingsoc> Dare to experiment!
08:59 < _ingsoc> With real-world data.
08:59 < Emcy> so is 2.5m
08:59 < Emcy> it doesnt really add anything apart from giving people fuzzies when they dont understand how confirmations work
09:00 < _ingsoc> How do you know you know?
09:00 < Emcy> eh?
09:00 < _ingsoc> How do you know you know how it works?
09:01 < Emcy> um
09:01 < Emcy> osmosis from my intellectual superiors?
09:01 < _ingsoc> Well that's a tyranny!
09:02 < Emcy> ive been meaning to ask if a block that took 20 minutes is statistically more secure than one that took 2, actually
09:02 < Emcy> btc block that is, or in the same chain atleast
09:04 < Emcy> _ingsoc i dont believe everything i read, but theres only so much critical thought one is qualified of doing on a subject. There will always be knowledge brokers in this world.
09:05 < Emcy> we all have people we generally trust to be talking sense, the trick is to watch out for the ones trying to feed you bilge for one reason or another
09:07 < _ingsoc> I agree. I just don't want to crap on things all day.
09:07 < _ingsoc> The LTC devs aren't stupid.
09:08 < Emcy> whos crapping on anything?
09:08 < Emcy> i dont begrudge litecoins existence or anything
09:08 < Luke-Jr> _ingsoc: LTC provides nothing beyond Bitcoin
09:08 < Luke-Jr> at all
09:09 < _ingsoc> I completely understand why you feel that way.
09:09 < _ingsoc> Someone obviously thought it was interesting enough to explore to do it.
09:09 < _ingsoc> And I respect that decision.
09:10 < Emcy> Luke-Jr do you think a super secret ltc asic farm is really likely at this point?
09:10 < Luke-Jr> or FPGA at least
09:11 < Emcy> yeah i never understood why it would be so hard to join a couple of gb of dram to an fpga on a board
09:11 < Luke-Jr> LTC scrypt doesn't really even need RAM
09:11 < Emcy> gfx cards are up to like 12gb now
09:12 < Emcy> just for me, it spoke volumes when the first ltc gpu miner came out and the scrypt WASNT tweaked via community consensus to stop it
09:13 < Emcy> i mean if it was billed as something to do with your bitcoin gpus then fine
09:13 < Emcy> makes me wonder if bitcoin could ever break one of its core and fundamental promises and get away with it
09:14 < Luke-Jr> probably by that time people had accepted the fact that CPU-only is a bad thing
09:14 < Emcy> i think the answer would be yes as long as everyone was still getting paper rich
09:14 < Luke-Jr> Emcy: not likely
09:14 < Luke-Jr> Bitcoin isn't Litecoin
09:14 < Luke-Jr> Litecoin is just a get-rich-quick scheme
09:15 < Luke-Jr> while there's no doubt GRQers using Bitcoin, there's a lot more non-GRQ too
15:19 < sipa> TD: i haven't benchmarked, but i doubt it's more than 2* as fast as libsecp256k1
15:20 < TD> right, i haven't benchmarked either
15:20 < sipa> (it's fully constant time though, and has other nice properties)
15:20 < TD> and 2x is not to be sneezed at
15:21 < sipa> the question is: do computers get 2x faster in the time you need to deploy a hardfork + wallet upgrade :p
15:21 < TD> hah
15:22 < sipa> (it may be just 1.5x as well)
15:22 < TD> well, i dunno. every time i think intel can't push things any further, they find a way to squeeze a bit more out
15:22 < petertodd> sipa: depends if you do it now or in fifteen years after moores law's good and dead
15:22 < TD> but 2x is a big improvement
15:22 < sipa> anyway, meaningless discussion without numbers
15:22 < TD> yeah
15:22 < TD> true
15:22 < TD> it might be 11x. then we could take it to 11
15:23 < petertodd> TD: or 1.1x, and we'd need our glasses off to take it to 11
15:23 < sipa> according to the website, it needs (iirc) 260k cycles for a verification
15:23 < TD> for which impl? there is a C one and an asm one, right
15:23 < sipa> asm
15:23 < sipa> the c one is ridiculously slow
15:24 < sipa> as in 10x slower than openssl ecdsa
15:24 < TD> ah
15:24 < TD> ok
15:24 < sipa> i think libsecp256k1 does a verification in 300k cycles on modern hardware
15:25 < sipa> but i'm sure my benchmark is on much more recent hardware than theirs
15:35 < adam3us> sipa: i think your code is probably so close based on what you said & before that for speed alone EdDSA is not worth it
15:36 < TD> petertodd: btw i didn't really grok your comment about double spends - i'm missing something, not sure what it is
15:36 < TD> petertodd: w.r.t. coinjoin
15:36  * TD didn't think about it much though, this is a tv and beer weekend
16:00 < adam3us> TD: for your beer: comparing ECDSA and ECSchnorr:
16:00 < adam3us> ECDSA: R=kG, r=R.x, s=(H(m)+rd)/k, Q=dG verify: sR=?H(m)G+rQ
16:00 < adam3us> ECS:	    R=kG, r=R.x, s=k+H(r,m)d,	  Q=dG verify: sG=?R+H(r,m)Q
16:00 < TD> petertodd: you mean this don't you: https://bitcointalk.org/index.php?topic=300809.msg3227294#msg3227294
16:00 < TD> petertodd: i guess i had not envisioned people making payments directly from a coinjoin. i am not sure that's a great idea
16:00 < adam3us> TD: very similar, except no /k part which is unknown so bollocks everything up in any kind of 2 of 2 or k of n
16:01 < TD> ok
16:01 < TD> thanks
17:03 < adam3us> btw more schnorr fun if you call c=H(r,m) from above, then send sig as c,s instead of r,s the verify is c=?H([sG-cQ].x,m) which is the same, as R=sG-cQ, but then you can use a 128-bit (truncated hash) so the sig is 48byte vs 64byte HOWEVER it's actually a spurious claim by Schnorr (and most people since) because they assume the attacker can't choose R. Well what if the attacker IS the signer.  doh.  academics...
17:10 < maaku> anyone have technical details for this : https://twitter.com/matthew_d_green/status/401798811070107648
17:12 < adam3us> maaku: no seems nothing on the zerocoin.org site
17:13 < gmaxwell> maaku: I know things about it, but I don't know if it would be polite to comment.
17:15 < adam3us> unless i'm missing something ZC is still stupidly expensive even if they got the proof down to 10kB per coin, because for anonymity all the coins are the same denomination imagine paying $1000 in .01c increments
17:19 < gmaxwell> In any case, when the paper is public I'll make sure to update everyone here on it.
17:19 < gmaxwell> for now I refer to my initial ZC comments: "On the plus side approaches can only get better."
17:19 < maaku> adam3us: have multiple mint series, with different denominations
17:20 < adam3us> maaku: indeed, but then the anonymity set drops, and you can trace amounts
17:20 < adam3us> maaku: so then it ends up being maybe no better than bitcoin as is practically
17:21 < maaku> adam3us: with a handful of standard denominations, there's no reason you can't still have a sufficiently large anonymity set
17:22 < maaku> the killer limitation of ZC is the super-long verification times
17:22 < adam3us> maaku: yes it can help, something reasonably pragmatic could be done
17:22 < maaku> i've found pragmatic solutions for everything else
17:22 < maaku> but requiring 1-2s per coin redemption is orders-of-magnitude unacceptable
17:23 < adam3us> maaku: their problem is the cut & choose in their ZKP, if they could find a way to get a direct ZKP it might be a different story
17:24 < adam3us> maaku: you know even to create a coin takes 1sec because it must look like c=g^x*h^s mod p and c must also be prime
17:24 < adam3us> maaku: at least when i tried it myself using openssl (before they had the code out)
17:24 < maaku> adam3us: i don't care if it takes 1hr to create a coin
17:24 < maaku> so long as it takes milliseconds for nodes on the network to validate
17:24 < adam3us> maaku: you might if you had to use it much, but yes that is the least worrying part
17:25 < maaku> well yeah, i do care (ideally it should all be fast)
17:25 < adam3us> maaku: if only there was a way to have the validation work be part of the PoW :)
17:25 < maaku> but if you had to choose..
17:25 < adam3us> maaku: agreed
17:26 < adam3us> maaku: also the trap door in the accumulator is kind of scary
17:26 < adam3us> maaku: if someone keeps that they can print coins at will
17:26 < maaku> adam3us: that is trouble
17:27 < gmaxwell> well you can engineer around that a little bit: e.g. you can make sure that no more comes out than went in.
17:27 < gmaxwell> so at worst an accumulator break is you steal all its coins, not inflation.
17:33 < adam3us> gmaxwell: well if there are a lot of hoarded coins might not be much consolation
17:49 < adam3us> gmaxwell, maaku: the accumulator is fixed size, you cant tell how many coins are left in it, all you see is the spent ones serial numbers and a zkp that they are in the accumulator, so i think the limit is if you saw more coins come out of it than went in
18:55 < warren> gmaxwell: why isn't mastercoin threads moved to the alt forum like other alt coins?
19:14 < sipa> if only it was an altcoin :)
19:16 < warren> wow.  jdillon seems to have been completely pwned.
19:16 < warren> bitcointalk and GPG key cracked.
19:20 < Luke-Jr> sipa: it isn't?
19:48 < adam3us> nasty business eh - hacking people's emails
19:54 < warren> adam3us: seems he was totally pwned, far more than e-mail
19:54 < adam3us> warren: hope he didn't lose bitcoins
19:55 < warren> adam3us: given his GPG key was compromised, only way he wouldn't totally lose bitcoins would be offline wallets.
19:55 < adam3us> yes
19:56 < Luke-Jr> brain hacking?
19:56 < adam3us> warren: if he was a windows user (or even linux) he'd be nuts to keep btc on an online puter
19:56 < Luke-Jr> adam3us: why?
19:57 < Luke-Jr> you don't have a hot wallet?
19:59 < adam3us> Luke-Jr: Armory offline i think is the way to go, it even worries me about the usb bad bios!
20:17 < warren> https://bitcointalk.org/index.php?topic=319465.msg3607494#msg3607494
20:17 < warren> this is a bit concerning
20:19 < Emcy> wuts btc-ethz
20:29 < maaku> Swiss Federal Institute of Technology
20:29 < maaku> http://whois.domaintools.com/129.132.230.0
20:30 < warren> https://bitcointalk.org/index.php?topic=319465.msg3607734#msg3607734   This isn't without problems, but I think this would help to protect the entire network.
20:30 < maaku> maybe sipa can kindly go tell them to stop?
20:30 < petertodd> adam3us: he lost some: https://blockchain.info/address/1BDSZMaUvrbTjWsSgLA4XqYUK4dDzxREEV
20:31 < petertodd> People have tried to use webbugs on bitcointalk and on the foundation forums lately in discussion related to coin taint; obviously some people are taking ugly actions.
20:33 < petertodd> that 5.11BTC was a private key that it looks like he sent to gmaxwell for the CoinJoin bounty :(
20:34 < warren> why did he give a private key instead of sending it the normal way?
20:35 < petertodd> warren: guess he wanted to make sure coin tracking wouldn't help?
20:36 < warren> coin tracking indeed didn't help in this case.
20:37 < maaku> warren: any link to details on how this happened?
20:37 < warren> maaku: no idea.  just everything he has seems to be pwned.
20:37 < petertodd> maaku: we're not going to know unless he tells us, and with his PGP key compromised we're not going to know it's actually him :/
20:38 < warren> petertodd: I at least don't suspect you are jdillon anymore.
20:39 < petertodd> warren: gee, makes me feel so much better...
20:39 < warren> (sorry, bad joke)
20:39 < petertodd> heh, I know
20:40 < petertodd> seriously maybe one good thing to come out of this would be for people to take security more seriously, but, damn...
20:41 < maaku> until there is a trivial to use, secure by default setup that prevents these sorts of things, our work is not done
20:42 < petertodd> maaku: agreed
20:42 < warren> maaku: setup of what?  his entire OS was owned
20:42 < petertodd> though I always got the impression that john was a very careful and clueful guy, which just shows how hard this all is
20:42 < maaku> warren: well, his keys could have been on a TPM or hardware wallet
20:43 < petertodd> maaku: if he was smart, he took gmaxwell's advice and was doing his browsing in an isolated VM
20:46 < warren> petertodd: webbugs, where?
20:50 < petertodd> warren: http://i.imgur.com/EnHNE4k.png
20:52 < warren> petertodd: hmm, I've received localbitcoins phishing e-mail recently
20:52 < warren> they went to (do not click) llocalbitcoins.com/accounts/login
20:53 < petertodd> sheesh
21:00 < Emcy> shame about jdillon
21:01 < Emcy> how do you bootstrap a new identity when you get pwnt that hard
21:02 < petertodd> yeah, I dunno, timestamp a key in advance is the only option. downside of pseudonyms
21:03 < Emcy> no one knows him irl
21:04 < petertodd> yup, early on he offered to meet me at the conference, and my advice to him was don't if he does want to keep his IRL identity separate
15:21 < jgarzik> (the identity version of "scale up Bitcoin to Visa/MC levels RIGHT NOW NOW NOW")
15:21 < jgarzik> "how dare you limit our identity block size"
15:21 < petertodd> absolutely, although at least the scaling limits are about bulk bandwidth, rather than the blockchain's race issue
15:21 < petertodd> and consensus can take longer
15:23 < jgarzik> For most identity users, I imagine the _personal_ volume of changes would be rather low.  You create an identity, maybe have IC Inc. verify your real world id and provide an attestation, then the record sits unchanged for months or years.
15:24 < petertodd> Yeah, the PGP strong set is only 50k, and all the keys on the key servers are just a few GB worth.
15:24 < petertodd> 240 million domain names in total
15:28 < petertodd> re: creating blocks, but not revealing them until later, an interesting trap is that the naive way of doing that means that the worst case PoS is the sum of all unrevealed blocks
15:28 < petertodd> so part of the PoS should include what previous PoS it builds upon
15:29 < petertodd> though that can actually replace the namespace hash, so the in-btc-blockchain data doesn't increase
15:31 < jgarzik> interesting metric, total-PoS
15:31 < jgarzik> I still wish there was an efficient "burn money" standard bitcoin transaction, e.g. zero outputs.
15:32 < petertodd> yeah, because you want to be sure no unrevealed chain could supersede your k-v's
15:33 < petertodd> jgarzik: well, we need to do OP_RETURN <prev-pos-tx:n> <block hash> anyway, so zero outputs doesn't help directly
15:33 < jgarzik> true
15:33 < jgarzik> alas, either are non-standard (if not invalid, like zero output)
15:34 < petertodd> however an output that is guaranteed to be spendable only after n blocks would be perfect, right now all we have is the coinbase
15:34  * jgarzik ponders PoW + PoS
15:34 < petertodd> I'm really inclined to support OP_RETURN {anything you want} to be honest
15:34 < jgarzik> small PoW, mainly PoS
15:34 < petertodd> once pruning is implemented
15:35 < petertodd> I dunno, given that the PoS is denominated in Bitcoins, I'm unconvinced there really is much value, the Bitcoins can just as easily buy mining time
15:35 < jgarzik> petertodd, That's the current IRC rough-consensus proposal for shipping small bits of data, OP_RETURN output, one per transaction.
15:35  * jgarzik should make the requisite patch, just to have it ready
15:35 < petertodd> I know, but notice how we already came up with an example that absolutely needs two hashes to work?
15:35 < jgarzik> :)
15:36 < petertodd> and actually, in this case, what we really need is scriptPubKey <prev-pos-tx:n> <block hash> OP_TRUE, because that saves one useless output - it's a sacrifice anyway
15:36 < petertodd> (optionally, drop the OP_TRUE, but I like making the standard mandate it so it's less likely to be generated by mistake)
15:38 < petertodd> also, in general two hashes basically let you do an alternate UTXO set for your application, subject to different pruning rules, not unlike what we're doing now
15:39 < jgarzik> Choosing the amount of sacrifice is another annoyance.  Starting out, might just pick an arbitrary value like 0.000075 ($0.01)
15:39 < jgarzik> Need to figure out a self-balancing metric
15:40 < jgarzik> Not too big to scare away users, not too small to enable spam
15:41 < petertodd> But, see this is the thing, unlike in Bitcoin provided you are willing to monitor the chain, you *can* do an adaptive sacrifice based on actual attacks.
15:41 < petertodd> Especially if you set a probationary period of n blocks before a given k-v setting (via the consensus) comes into effect
15:42 < petertodd> Basically pick how much time you think your counter-attack will take to implement.
15:43 < jgarzik> indeed
15:47 < petertodd> Oh, and come to think of it the k-v history proof isn't a problem after all: since every block hash is a merkle tree of the k-v set, that hash can simply include the hash of the mmrange accumulator tip, if the k-v isn't changed, just re-use the old value, if it is changed, provide the delta to prove why.
15:47 < petertodd> For the SPV node, provide the full history from the genesis of the key, and one step back to prove the key *didn't* exist prior, along with the appropriate history.
15:48 < petertodd> Now the rules for making a block are always that the delta must make sense, regardless of how small a change you make.
15:49 < petertodd> So finally, how does a SPV client make a change? They ask a full node for the correct merkle paths, and check that their k-v makes sense and leads to a long sacrifice chain.
15:49 < petertodd> *sacrifice dag
15:50 < petertodd> The sacrifice dag will be more bulky than a blockchain, but making that the minimum resource size is acceptable, especially with some manual checkpoints.
15:50 < petertodd> *than blockchain headers
15:50 < jgarzik> just don't want to depend on checkpoints ad infinitum
15:51 < petertodd> Indeed, a full node doesn't have to, and a SPV node that is willing to bootstrap from genesis doesn't have to either: they just need to ask for proof that the keys they are interested in *didn't* exist in the blocks going back to genesis.
15:52 < jgarzik> about to disappear for several hours, saving this chat to a log ;p
15:53 < petertodd> So basically, I know that zero-trust full nodes are possible, and I think zero-trust SPV nodes are also possible, although I have to think some more about motivations.
15:53 < petertodd> Ha, same
15:53  * petertodd archives irclogs forever on amazon glacier...
15:53 < petertodd> lol, I'll timestamp this one for patent priority :P
15:53 < petertodd> dammit, why do I have to have a day job...
15:54 < jgarzik> bah :)
15:54 < jgarzik> evil patents
15:54 < petertodd> right, but see, this is a public forum, so all the priority can do is defend against a patent
15:55  * jgarzik should check out Glacier
15:55 < petertodd> $0.01/GB*month is amazing
15:55 < petertodd> I use it with git annex
15:55 < petertodd> a few hundred GB stored, and git annex can do encryption too
18:14 < gmaxwell> I guess we can all go home now: http://arxiv.org/pdf/1305.5976v1.pdf
18:16 < realazthat> oh I think I saw a video by that guy a while back
18:17 < realazthat> I remember the data structure
18:17 < realazthat> mmm get that onto the pvsnp page
18:20 < realazthat> mmm
18:20 < realazthat> gmaxwell: I actually have a hobby to try and run the algorithms from the pvsnp page
18:20 < realazthat> so wrt hamiltonian cycles, random testing doesn't cut it
18:21 < realazthat> but I have the infrastructure setup to go FACT=>SAT=>HAMCYCLE
18:21 < gmaxwell> somewhere on his blog he says that someone has a reduction from SAT to his MSP thing directly
18:21 < gmaxwell> and there is lots of stuff to reduce $randomthings to SAT.
18:21 < realazthat> yes
18:21 < realazthat> but plain random SAT isn't good either
18:21 < realazthat> it can be solved in polytime by well known algos with very high probability
18:22 < realazthat> FACT=>SAT makes for very useful benchmark
18:22 < realazthat> because if you can solve that ...
18:22 < realazthat> then you break RSA
18:22 < realazthat> mmm I'll look into it
18:22 < realazthat> maybe I'll implement it, and email the guy with a counter example :D
18:23 < realazthat> he seemed very sincere in the vid I watched a long time ago
18:23 < realazthat> so I sorta feel bad
18:24 < gmaxwell> realazthat: if you do happen to find that it solves RSA, I recommend factoring the RSA challenge 4kbit number, then making a gpg key out of it, and then posting to sci-crypt a signed message: "You should stop using RSA" and see if anyone notices. :P
18:25 < realazthat> haha
18:25 < realazthat> that would be the day
18:26 < realazthat> even if it would solve it, it would take forever
18:26 < realazthat> I think I saw O(n^5)s being thrown around
18:26 < realazthat> in that pdf
18:26 < realazthat> from experience, it's hard(er) to find counter examples to algorithms that run so long :D
23:50 < realazthat> omg I want that SCIP
23:50 < realazthat> so many possibilities
--- Log closed Thu May 30 00:00:47 2013
--- Log opened Thu May 30 00:00:47 2013
00:20 < Luke-Jr> if it works
01:05 < midnightmagic> so glorious, thank you for telling me about this place gmaxwell
01:06  * zooko revels in the glory
01:06 < Luke-Jr> lol
01:06 < zooko> Nice meeting you in person at Bitcoin2013, Luke-Jr.
01:06 < midnightmagic> zooko: they linked to http://arxiv.org/pdf/1305.5976v1.pdf in here, which is the first I saw of it.
01:06 < Luke-Jr> zooko: you too, though I have no idea who you were! :P
01:06 < midnightmagic> I'm busy scaring all my friends right now.
01:06 < Luke-Jr> midnightmagic: told you, you should have gone!
01:06 < midnightmagic> heh heh
01:07 < realazthat> midnightmagic: there is a whole list of proofs on the PvsNP page
01:07 < realazthat> (if you weren't aware)
01:07 < zooko> Luke-Jr: we spoke for about 10 seconds. I said I wanted to meet you because my friend amiller said he liked you.
01:07 < midnightmagic> realazthat: I was just about to look that up actually. I wasn't aware.
01:07 < zooko> Luke-Jr: you didn't really make eye contact with me.
01:07  * Luke-Jr wonders if he made eye contact with anyone O.o
01:08 < realazthat> midnightmagic: http://www.win.tue.nl/~gwoegi/P-versus-NP.htm
01:08 < realazthat> they tend not to ... pan out
01:10 < midnightmagic> realazthat: Indeed. My non-keeping-up first sanity check is that magic isn't happening yet.
01:11 < realazthat> mmm
01:11 < realazthat> I didn't read the paper
01:11 < midnightmagic> realazthat: Thanks for a link. I was combing through pvsnp on google.
01:11 < realazthat> but I did watch one of his vids from a long time ago
01:11 < realazthat> midnightmagic: it does leave some out actually
01:11 < realazthat> you can find more if you comb google
01:12 < realazthat> like this one
01:12 < realazthat> anyway I watched the vid from this guy a long time ago
23:36 <@gmaxwell> maaku: because the size of your hashed nodes is always >512 bits, you'll be invoking the compression function twice. There may be some advantage in ordering the data so that the extra data is in the second compression function invocation, in order to use midstate compression.. but I'm not sure, mostly I'm bringing it up to ask if you've already considered this.
--- Log closed Fri Dec 20 00:00:12 2013
--- Log opened Fri Dec 20 00:00:12 2013
00:29 < Emcy> merge avoidance needs a nifty name
00:31 < Emcy> offramp? something that lets you demerge from a general serial stream of traffic......
00:35 < Emcy> lol mergepurge.
00:36 <@gmaxwell> SPUI
00:37 < Emcy> wut
00:37 <@gmaxwell> google it
00:38 < Emcy> oh a spaghetti junction
00:38 < Emcy> i thought of that but didn't know what it was called
00:39 < Emcy> coinspui
00:39 < Emcy> coinspew? lol
00:42 < Emcy> i didn't know peter todd was involved with the darkwallet stuff
00:43 < Emcy> that best practices list seems reasonable so far
00:44 < BlueMatt> petertodd: btw, though bloom filters can be expensive if you're looking at the whole chain, they certainly aren't n^2...
00:46 < BlueMatt> (and though I agree other things are probably better than them, saying that wallets shouldn't rely on bloom filters now just introduces development overhead for something that's largely unnecessary currently)
01:06 < maaku> gmaxwell: whoops, correct extra should go after value
01:06 < maaku> that's why the branches come last - they are most likely to update
01:07 < maaku> so you could cache midstate, at least for the first few levels where it makes sense
01:09 < maaku> gmaxwell: varchar is length-prefixed, i should have defined that
03:08 < petertodd> BlueMatt: they're n^2 work summed over all users and all nodes is my point
03:08 < BlueMatt> no, they're not
03:08 < BlueMatt> as an spv client downloading blocks, you only download blocks from some subset of your peers
03:09 < petertodd> BlueMatt: ok, you have n users, they make 1 transaction each, that results in blocks with n transactions, for each user to scan a block via bloom filters is thus n work per block, or n^2 work total
03:09 < petertodd> BlueMatt: doesn't matter how you divide it up among your peers
03:10 < petertodd> BlueMatt: it's not so bad if they're scanning a new block, because that's just memory IO bandwidth, but what's particularly bad about the design is that we use it for archival history too, and thus get n^2 IO bandwidth load too
03:11 < petertodd> BlueMatt: compare to prefix-filters which is roughly n*log(n) total work
03:11 < petertodd> BlueMatt: (for n users)
03:11 < BlueMatt> your definition of n is...varying. Realistically you have n users, they each download each block from 1 peer, each peer spends O(|tx|) per client, so O(|txn|*|peers|) sure, but calling that n^2 isn't quite right...
03:11 < petertodd> Again, I'm talking about work done by the system as a whole.
03:12 < petertodd> Consider the most efficient case where there's exactly one Bitcoin supernode out there...
03:12 < BlueMatt> yea, I'm not saying they're ideal
03:12 < BlueMatt> just that saying "nodes SHOULD NOT depend on bloom filters" seems very premature
03:13 < BlueMatt> (for non-archival nodes)
03:13 < petertodd> It's not really a "best practices that you should adopt right now", it's a "best practices that you *will* be adopting in the future as all the underlying tech gets developed"
03:13 < petertodd> e.g. practically everything it recommends doesn't exist yet
03:14 < petertodd> The whole point of the document is to guide development efforts so we make exist the most important stuff first; prefix-filters is in there because electrum already implements half of what's needed for them.
03:14 < BlueMatt> well if you're talking 10 years down the road a) don't think we can plan that far ahead, b) probably should say don't use bloom filters at all, not optional
03:15 < BlueMatt> really? nice
03:15 < BlueMatt> if you're talking entirely "down the road" you should probably say you cannot sync from the chain at all
03:15 < petertodd> I'm probably talking about 1 year down the road for everything in there depending on how much man-power proves to be available - note how nothing in there depends on soft-forks although takes the possibilities of them into account.
03:16 < petertodd> Right, which is why I also say that wallets shouldn't depend on the existence of UTXO-set prefix filters because TXO commitments looks to be the front-runner in that space right now.
10:52 < adam3us> petertodd: so how is TXO commitment better than UTXO-set prefix now?  by TXO commitment you mean what? that the TXO is included in a merkle tree the root of which is mined; but a recipient needs to know the unspent state of that, which is what tries are being propose for (which i expect you mean with UTXO-set prefix)
13:37 < maaku> adam3us: TXO commitment, minus the U, is petertodd's scheme for building an append/modify-only list of transaction outputs and spend status from genesis block to present
13:38 < maaku> which has the not insignificant disadvantage that you can't lookup spend status by txid
13:39 < maaku> the onus is on the holder of the coins to keep and maintain an unspentness proof which they *must* prefix to the transaction broadcast to spend
13:40 < maaku> petertodd: elaboration on the evil things that either txid-indexed validation trie, or scriptPubKey-indexed wallet trie makes possible would be appreciated
13:41 <@gmaxwell> maaku: the onus isn't on the holder of the coin exactly.
13:42 <@gmaxwell> Rather it's not necessarily on any _more_ than the holder of the coin.
13:42 <@gmaxwell> maaku: or perhaps I should say "holder of the coin is sufficient"
13:43 <@gmaxwell> I don't think anyone (except maybe pt?) think that all holders would do that themselves, I think they'd go get the utxo from archive nodes that kept the data.
13:54 < phantomcircuit> hmm
13:54 < phantomcircuit> theoretically you should be able to merge the bloomfilters for multiple peers
13:58 < maaku> gmaxwell: yes, which is why I don't really understand the objection. in either case you will be using an archival node (the use and maintenance of which can be paid for with explicit fees)
13:59 <@gmaxwell> maaku: because you're not forced to use an archival node, and every full verifying node isn't forced to be one (in order to verify the utxo updates)
14:01 <@gmaxwell> in any case, I wouldn't have posted PT's no stop message.  Though I do think that some of the more recent thinking has made straight utxo commitments less shiny.
14:01 <@gmaxwell> As far as I'm concerned the verdict is out until someone sits down and really figures out exactly what the overheads would be for the proofs in the model.. or. um.. maybe actually writes some code for it.
14:02 < maaku> "and every full verifying node isn't forced to be one (in order to verify the utxo updates)" <-- this isn't required
14:02 < maaku> with updatable proofs
14:02 < petertodd> gmaxwell: remember that the archival nodes require much less data in my model - older data that's rarely needed can be dropped by everyone but a few specialized services
14:04 <@gmaxwell> maaku: What's the prefix compression part of the spec for then?
14:04 < petertodd> gmaxwell: whereas for utxo indexes that a new utxo can be inserted anywhere requires anyone who wants to keep up with the set and serve requests to store some fraction k of the whole set at best
14:06 < maaku> gmaxwell: to keep the serialization small, and level-compressed hashing variant is for other applications like document timestamping in the coinbase
14:06 < maaku> which don't require "rebasing" proofs
14:07 < petertodd> maaku: again, why does timestamping require anything more than a dumb tree? I mean, I've actually implemented this...
14:07 < maaku> petertodd: what type of tree?
14:07 < maaku> some applications require key uniqueness, which your tree structure has to provide compact proofs of
14:08 < petertodd> maaku: yes, timestamping is definitely not one of those. and strictly speaking, I only say tree for efficiency, opentimestamps handles arbitrary dags for a reason
14:08 < maaku> and the level-compression is a bonus for merged mining, where you don't want 128+ hashes to validate a pow
14:09 < petertodd> maaku: right, but direction-based proofs with randomized keys get you the exact same thing with far less complexity
14:10 < maaku> yuck. so what, every altchain picks a random value? or some central authority assigns them?
14:10 < maaku> that's the kind of thing the current merged mining code does that I want to avoid
14:11 < maaku> re: complexity, we're talking about a few dozen lines of code
14:11 < petertodd> heck, with per-block randomization like I suggested, every altchain could literally use their name and it'd work out fine
14:13 < maaku> to be clear, your path-based tree is the same underlying data structure as this
14:13 < maaku> i just have a fancier serialization
14:13 < maaku> (assuming you don't level compress, which I would suggest doing in this case)
14:15 < petertodd> yup, and with randomized keys there's no need to level compress
14:16 < petertodd> anyway, it'd help if I write up txo commitments properly for once :)
14:16 < petertodd> your BIP is a good model there
14:16 < maaku> yes, i was going to recommend that
14:17 < petertodd> I should raid unicode and draw up some nice looking mountain ranges with all the special characters!
14:17 < maaku> i'd like to reference TXO commitments in the followup BIP that discusses UTXO commitments
14:17 < petertodd> likewise
14:18 < petertodd> and I should also write up a description of how you'd do something like namecoin with utxo commitment indexes
14:19 < maaku> yeah i've got a whole solution for that worked out
14:19 < maaku> on the backburner though
14:19 < maaku> it's also stateless
14:19 < petertodd> you mean, solution to make namecoin work on the btc blockchain or block it? :P
00:43 < petertodd> It could be a week and people would still have an incentive to set nTime + 1 week - 1 second
00:44 < Luke-Jr> if nTime is future, wait until that time before relaying it? <.<
00:44 < gmaxwell> and once people did that, you'd want to start accepting blocks that were nTime + 1 week because god knows you don't want to reject a block if your clock was 2 seconds slow and most hashpower accepted it.
00:44 < petertodd> About the only thing that might change that is if the rule was nLockTime > nTime of last block, and then after that being allowed to include a tx was based on H(txhash, last hash) or similar
00:45 < petertodd> gmaxwell: exactly, the fundamental issue is there is no good incentive to set nTime accurately other than miners rejecting your blocks, and nLockTime sabotages that
00:45 < petertodd> gmaxwell: (timestamping could do, but the cause->effect is less obvious)
00:45 < Luke-Jr> I guess I just incentivized always setting nTime to the minimum then
00:45 < Luke-Jr> [04:32:26] <Luke-Jr> petertodd: will you be rebasing it despite its closed status? (block-uneconomic-utxo-creation)
00:46 < petertodd> Luke-Jr: again, relaying does nothing - consider the case of nLockTime'd fidelity bonds where it's guaranteed 100% of the hashing power know (why I wrote the spec as by-block-height in the first place)
00:46 < petertodd> Luke-Jr: sure
00:46 < Luke-Jr> petertodd: I mean delaying relaying the BLOCK
00:46 < Luke-Jr> ie, increasing the risk of it being stale
00:47 < petertodd> Luke-Jr: then you have your mining pool connect directly to other mining pools playing the same game
00:47 < petertodd> you have to assume perfect information knowledge in this stuff, at least if you're writing worst-case academic papers
00:48 < gmaxwell> petertodd: so ... prior block vs minimum time.
00:48 < petertodd> see, that's why I was talking about timestamping, because it provides a way for all users to set their clocks to what the majority of hashing power thinks nTime is, sidestepping the problem
00:48 < gmaxwell> petertodd: what are your arguments there?
00:48 < petertodd> gmaxwell: minimum time is definitely stronger because it involves more hashing power
00:49 < petertodd> gmaxwell: users would prefer minimum time - easier to understand why the tx isn't getting mined
00:49 < gmaxwell> sidestepping the problem < that doesn't sidestep the problem, it would allow the majority of hashpower to mine difficulty down to 1; also moots nlocktime as _time_ being more reliable than a height.
00:49 < gmaxwell> petertodd: plus, you can just add a constant offset to your nlocktime to adjust for the expected minimum lag.
00:51 < petertodd> gmaxwell: yes, it creates a new problem, but it did sidestep the existing one :P
00:51 < gmaxwell> petertodd: yea, lol, creates an inflation attack. Keep it up and you'll be qualified to create an altcoin. :P
00:52 < gmaxwell> (sorry, hah, I'm not poking fun at you, I'm poking fun at all the altcoins that "solved the Foo problem" where foo is something no one else thinks is a problem and they totally broke security as a side effect)
00:52 < petertodd> gmaxwell: yup, now you see how it only sidesteps the problem truly when there is enough hashing power setting their clocks back, IE 50% honest, which is better
00:53 < petertodd> gmaxwell: without the timestamping, nodes have the consensus failures, which can be attacked, likely it trades off one risk for a more existential risk
00:53 < petertodd> gmaxwell: and it's a good excuse for timestamping, lol
00:54 < gmaxwell> I think the min solves the consensus failure so long as hashpower is well distributed.
00:54 < petertodd> yeah, I'm thinking min is probably the best we can do
00:55 < petertodd> other than disabling nLockTime of course
00:55 < gmaxwell> only time based, height is still safe.
00:55 < petertodd> it'd be good if miners had a "fuzzy" window too, so if they get a block really close to the 2hr window, they'll deliberately try to orphan it, but such stuff can't be more than "it's in the codebase so hopefully people will be slightly economically irrational"
00:56 < petertodd> gmaxwell: of course
00:56 < petertodd> nLockHeight is ok :P
00:56 < gmaxwell> doesn't even have to be in the codebase, natural clock skew accomplishes that.
00:57  * Luke-Jr decides it makes sense to increase the accepted timespan on blocks for Eligius
00:57 < Luke-Jr> :p jk
00:57 < petertodd> hopefully... I suspect pools, and miners in general, are much more likely to be running Linux and thus will have ntp enabled
00:57 < gmaxwell> their time still gets randomized due to the goofy medianing stuff.
00:57 < petertodd> measured skew on my nodes, IE ntp vs GetAdjustedTime() is almost always under a second or two
00:57 < Luke-Jr> doesn't Windows enable NTP by default now?
00:57 < gmaxwell> which, btw we've _still_ never closed that vulnerability.
00:58 < petertodd> gmaxwell: Yeah, all this stuff gets even more interesting if you sybil even part of the network...
00:58 < gmaxwell> petertodd: GetAdjustedTime has been bad in the past but seems to be okay since I reset it like.. two years ago now.
00:59 < gmaxwell> I wonder how it got goofy in the first place... but stays pretty good since it was initially fixed.
00:59 < petertodd> In fact, adding pow-timestamping to the GetAdjustedTime measurement could have value.
00:59 < petertodd> gmaxwell: oh, so previously you were seeing much bigger skews?
01:00 < gmaxwell> petertodd: the vulnerability I was speaking of was that the maximum GetAdjustedTime skew could get a node and a miner producing blocks that the other will reject.
01:00 < gmaxwell> petertodd: yea, IIRC > 30 seconds.
01:00 < gmaxwell> Then I sybiled the network and reset it.
01:00 < gmaxwell> and it seems to have stayed reset.
01:00 < petertodd> wtf
01:01 < gmaxwell> may have just been some initial symmetry breaking when the network formed that made it get stuck offset.
01:01 < petertodd> Maybe we should randomize the GetAdjustedTime() calculation a bit to try to make sure symmetry is broken again naturally?
01:01 < petertodd> ...though I'd rather thoroughly understand how that happened first...
01:02 < gmaxwell> I mean, it's just applying a median operation to the peers median operations. So if there ever was a wrong majority it would take over the network and then stick.
01:02 < petertodd> Makes sense
01:03 < gmaxwell> e.g. if you had a network of three nodes, then you add 4 more who all had times +30 seconds off.. the three would also jump to +30 and then so long as you never introduced a majority all at once again it would stick that way.
01:03 < petertodd> Then don't give our peers out adjustedtime, give them our localtime.
01:03 < gmaxwell> giving adjtime is good for consensus.
01:03 < gmaxwell> but not accuracy. :)
01:04 < gmaxwell> I suppose it could give adjtime +/- error for some small
01:04 < petertodd> Yeah, and calculate what's needed to break the consensus.
01:04 < petertodd> semi-break it
01:04 < petertodd> Heh, my patch to add adjustedtime to getinfo was probably more useful than I thought...
01:05 < gmaxwell> e.g. if adjtime is higher than local, give adjtime-1. if the whole network gets ahead then everyone will be -1... and it will slide to that.
01:05 < petertodd> Ah, that'll work
01:07 < gmaxwell> I think +/-1 is actually sufficient. it doesn't matter if it adjusts slowly... +/-1 is both necessary and sufficient.
01:08 < petertodd> We should also make bitcoind use local time for block creation, not adjusted time.
01:08 < gmaxwell> I dunno about that.
01:09 < petertodd> It's a more true vote about what miners clocks are set too.
01:09 < petertodd> And you can take the min of both in cases where clocks are ahead.
01:09 < petertodd> IE, if my local clock is ahead, don't create a block that the local adjustedtime consensus would reject.
01:10 < gmaxwell> alternatively, I'd offer that it should just stop mining if its too far off.
01:10 < petertodd> That too, but people will be pissed at losing revenue...
01:10 < gmaxwell> yea, well, fix your clock. :P
01:10 < gmaxwell> too far could be
01:11 < petertodd> Using local, but sanity checking it against adjusted, has pretty much all the benefit minus the risk. (modulo adjusted < getmintime, but that can be the "stop mining" condition)
01:11 < gmaxwell> the key point is just making it so that a network attacker can't max-skew two nodes in opposite directions.
01:11  * Luke-Jr ponders if miners would be agreeable to randomizing their nTime within +/-90 minutes just to discourage timestamping abuse <.<
01:12 < gmaxwell> petertodd: I would be willing to bet a minority of hashing power is run on systems with NTP setup and working.
01:12 < petertodd> Sure, but having an accurate vote for time could be useful by letting you see if such max-skew is being attempted. (for non-miners)
01:12 < gmaxwell> I would also be willing to bet that a majority of that which is using ntp can have their time reset by compromising two hosts.
01:13 < petertodd> Luke-Jr: timestamping doesn't give a damn about +-hours - bitcoin is too inaccurate for that
01:13 < gmaxwell> petertodd: a 'vote for time' is worthless unless there is a strong incentive to be honest about it.
01:13 < petertodd> Yeah, ntp compromise is scary...
01:13 < Luke-Jr> :P
01:14 < petertodd> I'm not suggesting this to make timestamping applications more accurate, I'm simply suggesting this as a way for nodes to better know if the miner consensus is different than their local adjusted time.
01:14 < gmaxwell> petertodd: and more recent ntp software no longer does the 128 second stuff anymore, you could move chrony 10 years into the future with a majority of peers, IIRC (unless they've fixed that)
01:15 < petertodd> It's too bad the atmosphere is so thick: we could figure out local time by running memtest and analyzing the rises and falls as the earth blocks the radiation coming from the sun.
01:15 < petertodd> (then set the window to 1 week)
20:29 < gmaxwell> (and checks that it matches the chain)
20:30 < petertodd> Yeah, the checkpoint operator might make more sense, although it is a bit tricky as that means someone else could make the fees of your whole tx not apply unless you're careful. Maybe a non-issue though.
20:30 < gmaxwell> (which may really be the best way to go)
20:30 < petertodd> Though remember we want to encourage people to use checkpoints, so make them mandatory.
20:30 < gmaxwell> I mean, if they added it to your txn without you being able to know, a miner could take it out again.
20:31 < gmaxwell> petertodd: right putting them in the header makes that easier.. it's just part of the structure. Though pushing things onto the signature stack is useful.
20:31 < petertodd> Heh, which actually is ok in the case of someone taking your tx, and adding some inputs to it.
20:32 < petertodd> Heh, one crazy thing about all this, is it suggests maybe the entire block should be nothing more than a single transaction, with signatures signing that they want part of the block to exist basically.
20:32 < gmaxwell> also, I think its moderately important that checkpoints be not prunable or at least separately prunable from the scriptsigs.
20:32 < gmaxwell> because I am imagining a future where the scriptsigs are eventually completely pruned and forgotten by everyone.
20:33 < petertodd> Hmm... though what's special then about the checkpoints vs other parts of the tx?
20:33 < gmaxwell> actually no nevermind, the checkpoint isn't actually useful anymore without the scriptsig. it really could go into it.
20:33 < petertodd> Cool
20:34 < gmaxwell> just as a special operator which checks the checkpoint and if its valid pushes it onto the sigstack (otherwise pushes 0 or something)
20:34 < petertodd> In this world, the checkpoint should be just <block id>, and at the same time we should add a merkle-mountain-range'd version of the block hash index to make proofs small.
20:34 < gmaxwell> if you want to make it mandatory, do so with an isstandard sort of rule.
20:35 < petertodd> Well, but why not just make a CTxIn include it as a hashed field?
20:35 < gmaxwell> petertodd: I actually think there should be a real (partial) block hash there so that you can validate the transaction statelessly.
20:35 < gmaxwell> E.g. "assuming the checkpoint is good,  is this txn valid?"
20:35 < petertodd> Oh, sorry, by <block id> I mean <block hash>
20:35 < gmaxwell> ah okay.
20:36 < petertodd> And yeah, I'd say just put the whole hash in there and be done with it.
20:36 < gmaxwell> well if its useless if you've pruned the signatures, then it should always be pruned with the signature.
20:37 < gmaxwell> likewise, thats how nlocktime should work.
20:37 < petertodd> Yup, hence put it in CTxIn(2)
20:37 < petertodd> Oh, that's an interesting point
20:37 < gmaxwell> 12345 PUSH_CHECKTIME. also some care needs to be required to prevent emulation.
20:37 < petertodd> emulation?
20:38 < gmaxwell> e.g. say I sign a list of only outputs  0xDEADBEEF,0xBEEFBEEF ... and then some wiseass removes the deadbeef output and replaces my signature with 0xDEADBEEF VERIFYPUSH CHECKSIG
20:38 < gmaxwell> e.g. every kind of insertion into the verify list needs a unique prefix that can't be emulated.
20:39 < gmaxwell> TXOUT|0xDEADBEEF,TXOUT|0xBEEFBEEF   vs PUSH|0xDEADBEEF,TXOUT|0xBEEFBEEF
20:39 < petertodd> Ah right, yeah, I was gonna say you need to do HMAC(subtree-digest, magic) at various points in this tree.
20:40 < gmaxwell> I don't actually think there is any tree on the signature parts.
20:40 < petertodd> IE the scriptSig is still just a bunch of bytes?
20:40 < petertodd> Makes sense
20:40 < gmaxwell> Well I mean that the data its signing is just a list of leaf hashes, not trees. If you make it a tree it makes the neighboring parts of the tree (outside of the masking) non-malleable.
20:41 < petertodd> Oh, right, I see what you mean.
20:41 < petertodd> The magics I was referring to were more to make sure proofs of merkle paths in the tree can't be faked.
20:41 < gmaxwell> so the scriptsig  should be  nlocktime PUSH_LOCKTIME blockcheckpoint PUSH_BLOCKCHECKPOINT txoutrlecode PUSH_TXOUT CHECKSIG
20:42 < petertodd> Ah ok, so we're pushing a bunch of validation values to a stack, and then a tree is made of that stack, and the signature is on the digest.
20:42 < gmaxwell> and the data signed is NLOCKTIME|nlocktime,CHECKPOINT|blockcheckpoint,TXOUT|0xDEADBEEF,TXOUT|0xBEEFBEEF
20:42 < petertodd> Right
20:43 < gmaxwell> yea, I don't even think you need to make a tree. I don't think it has any particular value to do anything but hash the stack. But maybe there is a reason.
20:43 < gmaxwell> and in particular if you don't want to hash say, the value of a txout you could choose to separate that stuff out.
20:44 < petertodd> Hmm... could come in handy to make fraud proofs smaller.
20:44 < petertodd> IE find the one part of the tx that was wrong, and prove just that.
20:44 < petertodd> Although I guess that doesn't actually work...
20:45 < gmaxwell> E.g.   <1 btc> <tx_index> PUSH_CAPACITED_TXOUT   which pushes  <TXOUT_MAXBTC|H(scriptpubkey),1,max(1,value)>
20:46 < petertodd> makes sense
20:46 < gmaxwell> (or really, instead of txindex, it would be an RLE code that could match multiple ones)
20:46 < petertodd> Yup
20:46 < gmaxwell> (RLE meaning run-length encoding)
20:46 < gmaxwell> though I don't know how useful value masking is.. not sure what your goal was there.
20:47 < petertodd> One issue is it might be nicer from the point of view of merging tx's if what selects what part of the tx is "visible" to the scriptSig was not actually in the script, and not actually specific to a particular form of script.
20:47 < gmaxwell> well thats why I'm talking about making the entirety of the scriptsig largely separate.
20:48 < gmaxwell> I'd even suggest using as txid the transaction without the scriptsigs. The only problem I have there is that people could reorder the damn outputs still and then fixup the scripts to still validate. Which is something I want but not if its used maliciously. :)
20:49 < petertodd> I guess my point is if I'm spending "weird ass txout", that means the scriptSig that satisfies that txout is also strange, and anyone who wants to merge their tx with my tx now has to understand what my tx is doing.
20:49 < gmaxwell> do they care so long as it passes validation?
20:50 < petertodd> Point is though all these indexes need to be changed in the merge process.
20:50 < petertodd> But what is index, and what is some other data, is specific to the scriptPubKey.
20:54 < petertodd> Oh, and a thought on backwards compatibility, re soft-fork: for every txin:txout, take the hash of the relevant part of the v2 transaction, and put it into the corresponding scriptSig or scriptPubKey. That'll always be spendable from the viewpoint of non-upgraded nodes.
20:55 < petertodd> You should be able to define a 1:1 transformation from new-style blocks to old-style blocks that way.
20:55 < petertodd> (obviously if it's spending a v1 tx, put an actual scriptSig in the right place)
20:56 < petertodd> Though from the point of view of not changing too much code in one go, it may be better to try to keep everything such that it fits in the existing transaction serialization.
21:05 < amiller> so, fuck it, we're going to have arbitrary recursive snarks
21:06 < amiller> the crypto theory for this stuff is so weird but it's plausible enough that no one might care
21:06 < amiller> the approach to theory seems to be like, we wanted a unicorn but unicorns don't exist, so instead we'll ask for a time machine
21:07 < petertodd> amiller: Why not a movie set?
21:07 < petertodd> amiller: Or CGI...
21:08 < amiller> i'm going to add snarks/pinocchio/tinyram to my ads language so that you can compress functions with snarks, in addition to compressing data with hashes
21:08 < amiller> everyone will like it and 'maybe' it's secure who knows/cares
21:10 < amiller> probably even will be practicalish, just would require implementing all the elliptic curve operations from scratch in c
21:32 < gmaxwell> amiller: well and the pairing operations too.
21:32 < gmaxwell> this is using tate pairing right?
21:32 < amiller> yeah
--- Log closed Fri Aug 30 00:00:28 2013
--- Log opened Fri Aug 30 00:00:28 2013
--- Day changed Fri Aug 30 2013
00:00 < gmaxwell> amiller: so what you're doing will break the signature of knowledge proof, right, because you won't know how to build an extractor?
00:02 < amiller> if i only use "standard" knowledge assumptions, then i can build an extractor but it might be exponential sized, which is vacuous
00:03 < gmaxwell> right if the extractor is exponential sized then it just tries all inputs. :P
00:04 < gmaxwell> amiller: having a weak proof of knowledge would kinda suck. well, there are lots of cases where weak security is okay...
00:05 < gmaxwell> I'm still annoyed about 3/4 of MPC papers using this "semi-honest" model, and not even all that obviously from their text.
00:05 < amiller> the thing is, these knowledge assumptions are on really shaky ground anyway
00:05 < amiller> they're "non falsifiable" assumptions
00:05 < amiller> they require "non black box" access to the adversary
00:06 < amiller> they are basically non-constructive reductions about obfuscation being hard
00:06 < gmaxwell> I know, right, if you have a prover who produces a valid proof, and you have full open access to his state, you can extract a witness with realistic work.
00:09 < amiller> so basically i think i should just use the recursive extractor and leave worrying about it to future work
00:09 < amiller> it's sound in any 'oracle' model
00:09 < amiller> it's more plausible that this is a problem with the knowledge definition than a problem with using snarks this way
00:10 < amiller> it's a weird situation
00:10 < amiller> it's not even clear what an "attack" on this knowledge assumption would be
00:10 < amiller> to do something without knowing it
22:02 < nsh> i think you could set up an adaptive cracking challenge via a set of clues running on daemons spread about place such that the Nth clue is published encrypted with a puzzle of difficulty chosen on the basis of how quickly the N-1th puzzle was cracked
22:02 < gmaxwell> e.g. you could do this very simply, with all of us here.. but a year from now many of us may have moved on, gotten hit by buses, become pissed off at the group. And a bunch of new people would have arrived. Maybe N/2 is unfindable a year or two from now. or you just barely have N/2 still standing, and a few people decide to hold the group ransom.
22:03 < nsh> the general principle of "topping up" the multiparty pool seems a pretty useful one
22:04 < gmaxwell> and this isn't just wank, you could use something like this to enable p2pool to hold a balance. e.g. have a private key escrowed to the p2pool hashrate, and keep "topping up".
22:04 < nsh> but perhaps open to sneaky people who (being coerced to) fake absence until a threshold is reached
22:05 < nsh> it might be possible to modulate each share when topping up such that people who have dropped out are no longer able to partake in revealing
22:05 < gmaxwell> sure, well one thing about the SMPC approach to it is that you could totally redo everyone's shares. The original interpolation way I was thinking about this was vulnerable to people "leaving" in order to come back and get someone elses share.
22:05 < nsh> right
22:06 < gmaxwell> yea, you could achieve that at least under the SMPC case... where you have no risk of an incremental break as the shares are just unrelated. (e.g. you have an encrypted secret which is shared, and inside the smpc you reencrypt, so the shares are unrelated)
22:06 < nsh> right
22:07 < gmaxwell> I guess one problem is being at all confident that "there is anything in the box".
22:08 < gmaxwell> e.g. a bunch of jokers begin such a system with an encryption of nothing, but promising it is the key to great riches. And they all gradually leave, selling their share in the pot to other people.
22:08 < nsh> heh, sounds like religion
22:08 < nsh> :)
22:09 < gmaxwell> but I guess that too isn't bad in the SMPC model, since the SMPC could just produce a proof of knowledge (E.g. signature) as a side effect at every remix.
22:09 < gmaxwell> ohhh I found a problem.
22:09 < gmaxwell> A old majority could fork a past state.
22:09 < nsh> (there was a schoolboy prank where you'd get a bunch of people to stand at the corner of a tall problem and all point up and look excited. then wait for more people to arrive until it was sustained enough for the original pranksters to wander off)
22:09 < nsh> fork?
22:10 < nsh> s/problem/building/ # heh..
22:10 < gmaxwell> e.g. people leave the system until none of the original players are left. The one day the original players meet up and go, "oh I wish we still controlled that key" ... "But wait! I saved my old share, if we all did!"
22:11 < nsh> ah, right
22:11 < gmaxwell> so that would bugger the timelock case where you can't usefully rotate the keys as topups happen.
22:11 < nsh> well, there's no way around that i can think of that doesn't require a T3rdP
22:12 < gmaxwell> but it wouldn't hurt the p2pool "keeps a balance" case, since the pool could just keep moving the funds. (e.g. the bitcoin network is the trusted third party)
22:12 < nsh> right
22:12 < nsh> i think ways of using the bitcoin network as a trusted third party will be a pretty big area of research in future
22:12 < gmaxwell> and tada, if we had scalable threshold signatures in bitcoin we wouldn't need anything else for the p2pool case.
22:13 < gmaxwell> you take your N p2pool hashes (selected by their shares in the p2pool sharechain), and you assign funds to them... then later a largely overlapping new N are selected, and they generate a new threshold key, and the old N move the funds to the new threshold key.
22:13 < nsh> (are there any threads/mailpost/notes on scalable threshold signatures?)
22:14 < gmaxwell> nsh: they're straightforward if you use schnorr instead of DSA, or so says adam3us. I've not personally implemented. At least the N of N case is obvious enough.
22:14 < gmaxwell> basically for the N of N you can just directly compose the public keys.. and to sign directly compose the signatures.
22:15 < nsh> mmm, right
22:15 < gmaxwell> The N of M works based on schnorr basically testing a linear relation, but I've not actually worked through how it works.
22:16 < gmaxwell> lack of scalable threshold signatures I think is a major shortcoming in bitcoin, probably the script limitation with the greatest impact on other protocols.
22:16 < nsh> hmmm
22:16 < gmaxwell> esp because other limitations you can generally work around by invoking multisig.
22:17 < gmaxwell> e.g. how coinswap makes any complicated protocol look like a multisig. :P
22:17 < nsh> assuming schnorr sigs allow for M-of-N, could you add the functionality via a new OP without changing out ECDSA completely?
22:17 < gmaxwell> correct.
22:17 < nsh> right
22:17 < nsh> we definitely need to have a script-extension playground
22:17 < gmaxwell> it's a little tricky to make it backwards compatible.  you just can't add a OP_NEWCHECKSIG
22:17 < nsh> that would be very useful
22:18 < gmaxwell> e.g. it would need to be something like a P2SH style change.
22:18 < nsh> what does P2SH style mean?
22:19 < nsh> a generalization of payability?
22:19 < gmaxwell> the reason you can't just take one of the existing NO_OP opcodes and make it into a OP_NEWCHECKSIG is that I could write a transaction that did OP_NEWCHECKSIG OP_NOT OP_VERIFY.
22:19 < gmaxwell> e.g. this transaction is only valid if the newsignature fails.
22:20 < nsh> hmm, and this shoots other places than your (transaction sender's) own foot?
22:20 < gmaxwell> what I mean by p2sh style is that the whole _new syntax_ script is completely hidden from old nodes, they just see a boring hashlocked transaction.
22:21 < nsh> oh, i see
22:21 < gmaxwell> nsh: yea, if OP_NEWCHECKSIG looks like OP_TRUE to old nodes, then I could author a transaction which new nodes would accept but old nodes would reject, and that forks the network.
22:21 < gmaxwell> but no biggie, just hide the whole new script from old nodes completely.
22:21  * nsh nods
22:22 < nsh> so it's as solved as backwards compatible P2SH, at least
22:22 < gmaxwell> though I don't know if any future script extensions are realistic at all. There are now several actually functional full node implementations, who's going to make those people implement any particular change?
22:24 < nsh> hmm
22:25 < nsh> there should be families of end-to-end functionality for which it doesn't matter if there exist nodes that are blind to the internals maybe
22:26 < nsh> it's not a problem for using P2SH if older nodes don't recognize them?
22:26  * nsh needs to read more about the proposals
22:32 < andytoshi> P2SH uses the same set of opcodes that have always been around
22:32 < andytoshi> older nodes might think they're nonstandard, but they'll just not relay them
22:34 < nsh> hmm
22:35 < gmaxwell> andytoshi: older nodes don't even _see_ the interior script opcodes.
22:35 < gmaxwell> They just see some binary data on the stack.
22:36 < nsh> what i meant was, if we can implement p2sh without unduly worrying about old nodes, shouldn't the same logic hold for implementing threshold sigs?
22:37 < gmaxwell> only if it were implemented in the same way.
22:37 < nsh> right, so only people who want the new functionality are required to run nodes implementing it
22:37  * nsh nods
22:37 < gmaxwell> no. ugh
22:37 < nsh> oh
22:37 < gmaxwell> none of these changes are secure unless at least a majority of hashpower enforces them.
22:37 < nsh> ah
22:38 < nsh> right, sorry.
22:38 < nsh> so the concern is that at some point changes to the reference client might not necessarily lead to 50(+whatever)% hashpower realization
22:39 < gmaxwell> the trickiness in deployment is that if its not done carefully you can end up where the new feature creates a fatal forking bug even if 90% of the hashpower deploys. P2SH shows one way to do it safely.
22:39 < nsh> although there was some talk about disentangling validation from mining the other day...
22:39 < gmaxwell> nsh: I don't even know what you mean there, it's already quite disentangled.
22:39 < nsh> neither do i, never mind... :)
22:39 < gmaxwell> Most "miners" have never participated in validation. :(
22:40 < nsh> i can't remember exactly what was said such that i took that away from it. was probably not paying much attention
22:40 < gmaxwell> in any case, it's not just hashpower. lets say 80% of hashpower were to have deployed p2sh, but most full nodes don't.
22:41 < gmaxwell> that means that later some super majority of the miners might go "hey, lol, we could make a lot more if we rob all those suckers using p2sh and assign all their coins to us"
22:41 < gmaxwell> e.g. if ~everyone doesn't eventually deploy the new rule it leaves the mining incentives potentially out of whack.
22:42 < gmaxwell> a majority of hashpower is necessary for the new thing to be safe, but it's not really sufficient.
22:42 < nsh> hmmm
22:42 < nsh> i'd love if some student made pretty diagrams illustrating all these things graphically for a thesis or something
--- Log closed Sun Dec 29 00:00:36 2013
--- Log opened Sun Dec 29 00:00:36 2013
00:45 < BlueMatt> is anyone working on the altcoin builder?
00:46 < BlueMatt> otherwise I'm gonna hack one together and at least provide bitcoind/bitcoin-qt (for a neat price)
00:46 < justanotheruser> BlueMatt: I think I read that some russian guy is
00:48 < andytoshi> hahaha go for it BlueMatt, it'd be awesome if someone on this channel was behind it
00:48 < andytoshi> we could just quietly slip experiments into other peoples' alts ;)
00:49 < BlueMatt> yea, plus I plan on charging for use of a fork based on anything past 0.8
00:08 < gmaxwell> basically, their fix makes a sufficently large pool (e.g. btcguild) _always_ have an incentive to delay, even if they're not doing any fancy stunts with annoncements of their delayed blocks.
00:08 < midnightmagic> gmaxwell: The fact that randomly switching to a second-heard block means half the hashrate switches to the new block and potentially erases the strength of growth of the longest chain?
00:08 < gmaxwell> (because you can announce late and half the honest miners (and yourself) will still mine on your blocks.
00:08 < gmaxwell> )
00:09 < midnightmagic> okay.
00:09 < petertodd> gmaxwell: yeah, interesting that they put that fix in their paper, and then on the list pointed out the other idea they had was a deterministic scheme
00:09 < petertodd> gmaxwell: I'll bet you the former was easier to analyze....
00:13 < midnightmagic> :-(  may I trouble you to tell me which list? I'm on the bitcoin-development mailing list but I don't see any references to neither Sirer nor Eyal.
00:13 < midnightmagic> i guess that's either-or
00:13 < petertodd> midnightmagic: oh, I'll bet you they're stuck in a mod queue :(
00:13 < midnightmagic> doh
00:14 < midnightmagic> k, thanks.
00:14 < petertodd> midnightmagic: I can forward them to you, email?
00:14 < midnightmagic> sure. thetanix@gmail.com
00:16 < petertodd> sent
00:16 < midnightmagic> cool
00:22 < midnightmagic> wouldn't random-switch decrease overall blockchain growth rate the moment anyone began late-broadcasting?
00:23 < midnightmagic> and so.. yeah everyone would instantly switch to late-broadcasting, which kills it further
00:25 < midnightmagic> what happens when 4 or 7 blocks are late-broadcast?
00:25 < gmaxwell> you start getting big reorgs.
00:38 < petertodd> midnightmagic: you don't need to broadcast more than a single block at a time late
00:38 < petertodd> midnightmagic: in fact, you're better off only revealing your lead the minimum amount possible at a time, which will almost always be a single block
00:41 < petertodd> midnightmagic: oh nvm, I missed the "everyone" part of what you're saying...
00:42 < gmaxwell> most departures from earliest best win are hard to analyze for convergence properties when you have multiple parties. :(
01:37 < pigeons> invite artforz, i mean jdillon
04:46 < pigeons> jeesh reporter, did the paper even claim things like "Bitcoin Protocol Vulnerability Could Lead To a Collapse"
04:50 < gmaxwell> pigeons: go look at the authors blog post thing, it made a bunch of over the top claims.
04:59 < pigeons> wow yeah they make good blog authors
05:01 < pigeons> well most people seem to agree mining needs to decentralize more, and yet the trend hasn't reversed yet. maybe scary headlines will work
05:02 < gmaxwell> no, because it's just being understood as "wrong"
05:02 < gmaxwell> It's hard to sell a nuanced message like "not wrong, but also not very urgent or um. doomful, and with limitations"
05:03 < pigeons> yeah
05:03 < sipa> "Some unknown combination of circumstances may be less safe than previously assumed, which may or may not apply to reality."
05:52 < TD> well
05:52 < TD> the good news is that some journalists do use the press center.
05:53 < TD> i was explaining all this to a guy from new scientist last night
10:56 < phantomcircuit> warren, man why are the centos people so annoying
10:56 < phantomcircuit> "hey guys i need python with hashlib and MySQLdb"
10:56 < phantomcircuit> "HAHAH UR GAY NOOB"
12:59 < K1773R> phantomcircuit: because they use centos ;)
13:40 < BlueMatt> amiller: thanks again for the network map/desktop background ( :) ), any luck figuring out what the patterns were?
13:41 < amiller> hah! no, not yet, the kid working on it disappeared
13:41 < amiller> he must have learned too much
14:16 < BlueMatt> amiller: heh, damn grad students
15:31 < gmaxwell> amiller: that connectivity graph looks concerning to me, but perhaps its an artifact of the visualization process.
15:31 < amiller> what about it?
15:32 < gmaxwell> amiller: can you generate some stats like the distribution of path lengths between nodes?
15:32 < amiller> uh... diameter 8
15:32 < amiller> i have a degree distribution chart somewhere
15:32 < amiller> there are any number of ways in which our analysis can have errors/omissions and the clustering is just some default toy that came with our graph program gephiz
15:32 < gmaxwell> Yea, degree distribution and you have connectivity so you should be able to make a chart of shortest path distances.
15:33 < gmaxwell> Yea, I know your analysis has limits.
15:33 < amiller> what trends are concerning?
15:33 < amiller> (those would help us figure out what to ask, which we don't really have the best ideas for)
15:33 < gmaxwell> If there are discrepancies in the degree/pathlength distribution compared to what we'd expect for how we think it should be wired I'd like to figure out if thats just your measurement method or if something is wrong.
15:34 < amiller> mainly we'd like to try to identify by name/purpose the handful of extra high degree nodes, and understand the group of orange slightly-higher-than-average nodes that also seem mostly connected to each other
15:34 < amiller> here's degree distribution, we don't have shortest path length though but we should http://apps01.mywebapps.net/ajp/bc/degree.pdf
15:34 < gmaxwell> amiller: I think the graph seems to be showing a higher amount of sparsely connected clustering than I expected.
15:35 < gmaxwell> also min-cut stats might be interesting.
15:36 < amiller> we have a lot of 1-connected nodes which i think is most likely a problem of us omitting things
15:37 < amiller> it kind of relies on us just connecting to everyone we can, and we can only connect to like half the public nodes because other nodes are saturated already
15:37 < amiller> and we don't particularly try very hard/long
15:46 < adam3us1> so with this selfish-pool attack - did anyone figure out if they are taking into account that the selfish-pool re-actively racing the honest miners, the miner or mining pool they are reacting to will not be convinced
15:49 < phantomcircuit> gmaxwell, the graph is certainly incomplete, indeed i believe it's impossible to come up with a complete network graph without all the remotely connectable peers cooperating
15:51 < gmaxwell> phantomcircuit: sure, since you can't even connect to a lot of nodes.
15:51 < phantomcircuit> gmaxwell, right and you can't know who is connected to peers you can connect to
15:51 < gmaxwell> adam3us1: yea, would be interesting to see their simulation code.. "you can never beat a block in a race to reach the announcer."
15:52 < phantomcircuit> so basically the graph ends up being a graph of connections to your listening nodes
15:52 < gmaxwell> phantomcircuit: you can, that's amiller's magic.
15:52 < phantomcircuit> how?
15:53 < gmaxwell> phantomcircuit: by taking advantage of double spend mutual exclusion. :)
15:53 < phantomcircuit> oh
15:53 < adam3us1> by which I mean say btc guild (30%) http://blockchain.info/pools used the selfish-pool algorithm, it is likely it will compete against ghash.io (20%) eligius (15%) etc as 82% of the network is pooled (possibly more) and so 52% is not controlled by btc guild
15:53 < phantomcircuit> interesting
15:53 < gmaxwell> phantomcircuit: it's a cute idea, one which we should eventually build some countermeasures for. We kinda have some already.
15:54 < gmaxwell> amiller: you know that nodes don't immediately relay to all their peers, right?
15:54 < phantomcircuit> adam3us1, the orphan rate they calculated is lower than it would actually be due to there being large pools
15:54 < gmaxwell> we could probably make that more aggressive.
15:54 < amiller> how don't they gmaxwell ?
15:54 < phantomcircuit> ironically large pools make the economics of their attack worse
15:55 < phantomcircuit> amiller, trickle
15:55 < amiller> trickly in terms of letting the thread wake up
15:55 < amiller> but no substantial delay
15:55 < adam3us1> phantomcircuit: right, that's my point
15:55 < phantomcircuit> adam3us1, they did not even try to take that into account
15:55 < gmaxwell> amiller: the trickle sends some right away, some when the queue fills up.
15:56 < phantomcircuit> amiller, see SendMessages
15:56 < gmaxwell> amiller: I assume to close your probing we'll eventually make that more powerful, I've wanted to do that anyways.
15:57 < amiller> more powerful meaning more trickly or transmit faster?
15:57 < gmaxwell> amiller: more trickly
16:00 < amiller> our technique really doesn't rely on precise timing so i don't think that would help
16:02 < gmaxwell> amiller: it's not about timing, is that you can't tell a link exists if the transaction never traverses it.
16:02 < amiller> ok i thought i understood how trickle worked but i might be getting it wrong
16:03 < amiller> i thought trickle just sends them all out over a short period of time, with 25% probability each time it passes over the queue
16:05 < gmaxwell> amiller: no, it's basically 25% upfront, and then otherwise it only gets sent when a queue fills up, and only if it hasn't learned the transaction from the peer already.  But the effect is that e.g.  if node C is connected to both A and B  you might not be able to observe the B<>C link because B->C trickles and so C shows up via the A exclusion. I think right now it won't stop you, but if made more powerful it might.
16:06 < amiller> interesting.
16:06 < gmaxwell> (the trickle is partially a bandwidth optimization today, it reduces the amount of INVs crossing in flight)
16:07 < gmaxwell> e.g. no point in A->B _and_ B->A
16:07 < amiller> the main observation we have made is that any obvious attempt at keeping node connections hidden leads to some kind of dos compromise
16:08 < gmaxwell> I think that's generally true but may not be meaningful. E.g. I could connect my node only to committers to bitcoin-qt. There is a "dos compromise" (they could all conspire to isolate me) but it's not a meaningful one.
20:21 < petertodd> gmaxwell: and yeah, an inconsistent hardforking glitch is a consideration
20:22 < petertodd> Luke-Jr: correct, and you'd only sanely do that if its place in the chain was very recent
20:23 < gavinandresen> right, I mean relay-all-blocks-at-current-best-block-height-that-I-think-are-valid
20:23 < gavinandresen> Having nodes only relay blocks that they are mining on top if might, indeed, be the best policy
20:24 < gavinandresen> ^on top of^
20:24 < petertodd> gavinandresen: which is the current policy...
20:25 < Luke-Jr> petertodd: if so, only recently?
20:25 < Luke-Jr> IIRC there was a fingerprinting bug that allowed you to fetch old stale blocks
20:25 < gavinandresen> Right, but we could change the "what should I do if I get another block at current best height" policy different-- could be switch to it, and relay it....
20:25 < petertodd> Luke-Jr: if you relay non-recent, at some point it makes some types of DoS attacks possible
20:25 < Luke-Jr> petertodd: no, I mean until recently, we *did* relay old stale blocks
20:26 < gavinandresen> we wouldn't relay them, but we would serve them up
20:26 < petertodd> Luke-Jr: not relay, we'd give the data for them if asked
20:27 < petertodd> gavinandresen: note that from a technical point of view checking that the second one is actually valid kinda sucks - easier to ignore the txin validity and just relay
20:27 < Luke-Jr> hmm, I need to rebuild #bitcoin-watch's bitcoind branch
20:27 < Luke-Jr> it keeps crashing
20:28 < Luke-Jr> I wonder if it would make sense as a block-preference policy, to use "has all the same outputs as the current bestblock, but fewer transactions"------ selfanswer: no, since coinjoin changes txid
20:28 < Luke-Jr> too bad txids/outputs aren't referred to by hash of scriptPubKey
20:28 < petertodd> Luke-Jr: rational miner policy in some cases is to prefer blocks with the fewest transactions
20:29 < petertodd> Luke-Jr: or, to be exact, smallest fees
20:29 < gavinandresen> petertodd: meta-rational policy is to prefer larger blocks
20:29 < Luke-Jr> rational policy IMO is to prefer the first one you saw :p
20:29 < petertodd> gavinandresen: meta-rational policy to hold hands and sing songs about world peace
20:29 < Luke-Jr> because it means whoever broadcast it might have better peering than the later-seen one
20:30 < gavinandresen> and if you discourage blocks that are "too small" then you can FORCE minority assholes to do the right thing
20:30 < Luke-Jr> and you don't want to get in a stale-block-war with him
20:30 < gavinandresen> (well, incentivize....)
20:30 < Luke-Jr> gavinandresen: the smaller blocks are probably better than the bigger ones!
20:30 < petertodd> gavinandresen: there's already that incentive because you don't want 100% propagation
20:30 < gavinandresen> Luke-Jr: better how?
20:30 < petertodd> Luke-Jr: heh, the small blocks are less spam of course :P
20:30 < Luke-Jr> gavinandresen: likely to have better spam filters, and not full of spam
20:31 < petertodd> Luke-Jr: given we somehow are meta-rational about resource use...
20:31 < petertodd> *don't want 100% propagation in the cases where wanting small blocks apply
20:31 < gavinandresen> Luke-Jr: okey dokey.  That's why I say "too small" -- that can be a miner policy preference, too small versus too big. "this one is Just Right."
20:31 < Luke-Jr> gavinandresen: also, if you ever prefer larger blocks, you incentivize the miner to make spam if there isn't any left
20:31 < petertodd> Luke-Jr: indeed
20:31 < gavinandresen> sigh.  okay, fine, "includes the right number of transactions that are/were in the mempool"
20:32 < Luke-Jr> gavinandresen: then you punish miners with superior spam filters than whatever-the-relay-nodes-run
20:32 < Luke-Jr> and/or incentivise spam-filling miners to broadcast the spam
20:32 < gavinandresen> who is "you" ?  This would be general-consensus-of-the-network
20:32 < petertodd> There's also the strategy that if you know another block has been created, only mine much smaller blocks until you verify it - but that's only really applicable if mining has forced verification...
20:33 < Luke-Jr> gavinandresen: if it's hardcoded in mainline code, there is no consensus-of-the-network, just core developer fiat
20:33 < gavinandresen> I would give miners the knobs to decide whatever policy they liked, and have them figure it out based on their best judgement.
20:33 < petertodd> gavinandresen: why does the network matter? pools can and should connect to each other directly in most models
20:33 < Luke-Jr> I like knobs.
20:34 < petertodd> In which case, if we're going to talk about rational strategy for non-mining nodes, we're back to "do good for our clients", and they'd like to know if an orphan exists that might suddenly unconfirm a transaction they thought was confirmed...
20:34 < Luke-Jr> ^ best reason yet to relay stale blocks imo
20:35 < Luke-Jr> in fact, I think it outweighs all the costs
20:35 < gavinandresen> petertodd: sure, pools will directly connect to each other. I assume pools will listen to their users about what their block creation policy should be, and if the policy is way out of whack for what the users want (e.g. their users cannot transfer their payouts to Mt.Gox because transaction fees are too high) then they will lose hash power.....
20:35 < petertodd> Luke-Jr: there's strong incentives to do it too once merchants get sophisticated software
20:35 < Luke-Jr> *maybe* it even makes sense to relay *invalid* blocks that meet the POW requirement, for that reason
20:35 < petertodd> gavinandresen: users of pools != users of bitcoin
20:36 < petertodd> Luke-Jr: yeah, and technically relaying regardless of validity is way easier to implement
20:36 < gmaxwell> who the heck knows anything anymore, see ghash.io/cex.io 0_o
20:36 < Luke-Jr> petertodd: point is, users of pools have the influence here
20:36 < gavinandresen> petertodd: really?  There are still pools that payout using PayPal instead of bitcoin?
20:36 < Luke-Jr> gavinandresen: yes
20:36 < petertodd> Luke-Jr: yes, but how? that's a hard question
20:36 < Luke-Jr> I think Eclipse does still
20:36 < petertodd> gavinandresen: huh? that's what I said
20:38 < gmaxwell> relaying invalid blocks is just irrational though, not only does it use your resources, it helps the network achieve a different consensus from you. At best it's probably not usually harmful. If it were limited to valid that would be less concerning to me, but it's still helping the network achieve a different state than your current node, but at least one your node would find acceptable.
20:38 < petertodd> gmaxwell: look at it from a merchants perspective: relaying invalid blocks tells them something useful: an invalid block was created.
20:39 < petertodd> gmaxwell: That could mean "I should trigger safeguards because something went wrong."
20:39 < Luke-Jr> gmaxwell: but it might help you spend your money easier
20:39 < Luke-Jr> since merchants will know if someone is trying to build a different consensus of almost any sort
20:39 < gmaxwell> petertodd: Other people doing it helps them in that case, but it's not personally rational.
20:40 < Luke-Jr> they can then afford to accept 1 block deep confirmation
20:40 < gavinandresen> Relaying invalid blocks seems like angels-dancing-on-the-head-of-a-pin: there should be approximately zero invalid blocks created
20:40 < gmaxwell> (except in the good for everyone sense, perhaps, but relaying invalid blocks is also not good for everyone, I dunno if on the balance it's helpful. Just relaying competing headers is just as good for knowing bad things are happening, I think)
20:40 < Luke-Jr> gmaxwell: if you're the only one selfishly relaying blocks, it won't matter
20:40 < petertodd> gmaxwell: In the spherical cow model you would relay anything at all and have infinite bandwidth - relaying the fact that someone threw away $12,500 due to a bug is worth knowing.
20:41 < Luke-Jr> gavinandresen: but if there are, we want people to know about it
20:41 < gavinandresen> meh. Throwing away $12K will be a self-correcting problem
20:41 < gavinandresen> (and QUICKLY self-correcting)
20:41 < petertodd> gavinandresen: eventually, in the meantime it means you probably don't want to accept zeroconf at the very least
20:41 < Luke-Jr> gavinandresen: it might not be thrown away in some case
20:41 < gmaxwell> gavinandresen: except when they are. E.g. if not for the fact that two directly connected pools with >>50% hashpower were running 0.8 the <0.8/0.8 fork would have self-cured due to nodes not relaying it.
20:42 < gavinandresen> hmm?  relaying double-spent transactions is a good idea.
20:42 < petertodd> Besides, implementing relaying based on valid PoW and nothing else is way easier to implement and still DoS resistant.
20:42 < gavinandresen> that's completely separate from invalid blocks
20:42 < gmaxwell> and instead we got a rather large reorg out of that.
20:42 < Luke-Jr> gavinandresen: so pull the transactions out of the blocks?
20:42 < Luke-Jr> at least the blocks have a proof-of-work - hard to DoS with that
20:43 < Luke-Jr> mere transaction double-spend notification is riskier IMO
20:43 < petertodd> gmaxwell: pools connecting directly to each other is just going to become more, not less, of a thing in the future
20:43 < Luke-Jr> (although possibly still necessary)
20:43 < petertodd> Luke-Jr: yeah, relaying headers is even easier to defend
20:43 < gavinandresen> Luke-Jr: sure, if they're valid and haven't already been relayed, you could pull them out of the block. There's going to be a very strong incentive not to put non-relayed transactions in your block, though
20:43 < Luke-Jr> petertodd: if both blocks have your transaction, you care a bit less ;)
20:43 < gavinandresen> (because it'll increase your orphan cost by quite a bit)
20:43 < gmaxwell> petertodd: none of this changes the fact that relaying a block you don't personally like is not something that helps you.
14:45 < amiller> bitcoin mining competes directly for the same market as satoshi dice imo, and bitcoin's reward system is suboptimally designed by not having smaller scratchoff contests (but pooled mining makes up for that a bit) or larger prizes for that matter
14:46 < gmaxwell> amiller: with pooling you can get whatever variance tradeoff you want though, up to the pool size.. and it's easy to have smaller variance when someone wants to buy pure variance.
14:46 < gmaxwell> No one wants to buy my eligius shelved shares.
14:46 < jgarzik> heh
14:46 < jgarzik> that would be a neat market
14:46 < gmaxwell> amiller: and yes, I've told people to mine instead of play a gambling game.
14:46 < gmaxwell> amiller: but they don't seem to believe it, I cannot explain why.
14:46 < jgarzik> gmaxwell,  I guarantee you would sell them, if there was an automated interface for trading them
14:46 < amiller> that's interesting, it's straightforward to use pooling to make a smaller variance lotto out of a larger variance one
14:47 < amiller> it's less obvious that you can make a higher variance pool
14:47 < jgarzik> gmaxwell, it's like bad debt resale.  just need the proper mechanism for price discovery -- and I think bitcoin makes that pretty easy.
14:47 < gmaxwell> jgarzik: yea, that's probably the missing piece. Luke and wiz aren't eager to do that because they don't want share reassignment to be a hacking target.
14:47 < jgarzik> selling digital property is, like, ya know, a forte.  :)
14:48 < gmaxwell> amiller: it's really eager to make any sort of tradeoff you want, though some tradeoffs require counterparties willing to take the opposite side of the bet.
14:48 < jgarzik> $idea: offload it.  transfer all shelved shares to an agent, who holds shelved shares or transfers them depending on signed message.  the agent enables trading further, or handles shelved share payouts.
14:49 < gmaxwell> amiller: e.g. you can get ~zero variance mining from me, right now. Send me your hashpower, I'll extract a cut and just pay you for diff 1 shares exactly what their ev is. :P
14:50 < gmaxwell> jgarzik: yep, I think wizkid himself suggested a one time transfer to a market when we discussed this (uh, in the eligius development channel about two months ago)
14:50 < amiller> gmaxwell, it's easy to make an unenforceable contract like that
14:51 < amiller> gmaxwell, essentially you can't absorb all that risk unless you have deep enough pockets
14:51 < amiller> if you go bankrupt i get nothing
14:51 < gmaxwell> amiller: yes, but I pay you frequently.
14:51 < amiller> well again it's easier in the lowering-variance direction
14:51 < gmaxwell> There are _tons_ of PPS pools, and some have fees low enough that they are mathematically sure to go bankrupt eventually. Yet people mine on them in large numbers.
14:51 < amiller> but you could make the same contract with higher variance
14:51 < amiller> that's what satoshidice does basically right
14:52 < amiller> you could have a dozen people win the 64k prize
14:52 < amiller> and obviously they cannot pay out
14:52 < gmaxwell> who knows about SD, after it was "sold" its traffic dropped off ~99%. I don't know that it's too useful to generalize anything from it
14:52 < jgarzik> Just-Dice is freakin' awesome.  Not because they killed spam by off-blockchain betting, but because of an interesting innovation:  insta-investing
14:53 < jgarzik> You can become an investor, or withdraw your investment, at any time. I predict that becomes a trend.
14:53 < amiller> i'm just saying abstractly, unless it has a big amount of money in escrow, you could get 'lucky' but it wouldn't be able to pay out
14:54 < jgarzik> also RE SD:  blockchain.info's TX stream sure does show a lot of BetCoin transactions, sometimes more in a time period than SD
15:03 < gmaxwell> amiller: yes, for a higher variance you'd want the party providing it to be able to show they have the funds to back it.
15:11 < Luke-Jr> jgarzik: nice, but any idea what the US laws about investing in it are?
15:12 < jgarzik> Luke-Jr, if eligius just sells it, responsibility is transferred, I would think
15:12 < Luke-Jr> jgarzik: huh?
15:12 < Luke-Jr> I was talking about the investing in Just-Dice thing
15:12 < jgarzik> Luke-Jr, oh
15:12 < gmaxwell> luke was asking about the gambling site, jeff was answering about selling shelved shares.
15:13 < jgarzik> indeed
15:13 < Luke-Jr> oh
15:13 < jgarzik> Luke-Jr, most securities laws do not seem to punish investors for investing in [possibly illegal or fraudulent] securities, IIUC
15:14 < jgarzik> they mostly aim to punish issuers
15:14 < jgarzik> I would think being an investor is OK
15:14 < jgarzik> but dooglus should have his T's crossed, and I's dotted.
15:14 < maaku> jgarzik: well, ok until your investment goes south
15:14 < jgarzik> maaku, so?
15:14 < jgarzik> maaku, SEC will not prosecute you for that.
15:14 < Luke-Jr> maaku: meh, bad investment is distinct from going to jail for investing
15:16 < jgarzik> Luke-Jr, if you scroll up, some of the earlier discussion was about creating a market for shelved shares.  Enable people to sell them -- which automatically creates a market
15:16 < jgarzik> there is -some- value in there, just like selling bad debt
15:16 < Luke-Jr> jgarzik: possibly - but there's a lot of complexity to it as well :/
15:17 < jgarzik> and people might appreciate an opportunity to get paid $now
15:18 < gmaxwell> it would make eligius a true pps pool (at some price determined by the market)
15:19 < gmaxwell> it would also enable people to "gamble" in a way that is less objectively unfair, basically just making bets on eligius' future luck but at market rates instead of against the house.
15:19 < gmaxwell> it would also encourage people to help improve eligius, since the bigger and better eligius is, the greater the odds of big luck in the future.
15:20 < gmaxwell> but shelved shares are a weird asset. I dunno how you run a market for them.
15:20 < jgarzik> IMO the main complexity is what to do with existing shelved shares, RE property ownership
15:21 < gmaxwell> jgarzik: I think some signmessage thing to assign all your addresses current and future shelved shares to address X (which would be controlled by the exchange in an exchange case) solves that.
15:22 < jgarzik> an interesting case is that each share is more valuable, the closer to the top it is
15:22 < jgarzik> maybe run a Dutch auction weekly, for shelved shares
15:22 < gmaxwell> right, valuing them is tricky, but this means that you need to actually know the index of each of them.
15:23 < jgarzik> need to package them in blocks of X shares, for sanity's sake
15:25 < gmaxwell> I don't know how bad debt is normalized and sold. I assume it would be similar.
15:37 < jgarzik> It's ranked according to various generally agreed factors, which hopefully sum up to a value that predicts how likely the debt will be repaid:  debt lifetime, time since last payment, credit score of holder, ...
15:37 < jgarzik> after rank, debts are grouped together and sold in packages
15:38 < jgarzik> occasionally you will have a company just want to dump everything, and bad debt investors must pick through the garbage themselves, but usually things are a bit sorted
15:38 < jgarzik> for shelved shares, probably sell in blocks of 50,000 shares or whatnot, each indicating an index or timestamp or some other ordering position in eligius payment queue
15:39 < jgarzik> on the eligius side, I guess the main thing would be reassigning shares to new owners
15:42 < gmaxwell> amiller: did you see the link I gave peter todd above for the aggregate signature stuff.  It would have some interesting implications for relay incentives.
15:42 < gmaxwell> amiller: as it would allow relayers to take transaction fees.
16:18 < K1773R> Luke-Jr: did was your pull request "child pays for parent" rejected?
16:18 < K1773R> s/did //
16:22 < gmaxwell> K1773R: you should probably be asking about this in #bitcoin-dev ... sounds like bitcoin development discussion!
16:28 < K1773R> gmaxwell: uh yea, clicked a bit below #bitcoin-dev :P
16:35 < amiller> i like this paper.
16:35 < amiller> hm
16:35 < amiller> it's the first one that treats the ledger/utxo properly imo but that's not a big point
16:36 < amiller> still don't grok the actual idea yet though
16:36 < gmaxwell> the OWAS signatures?
16:37 < gmaxwell> It's really pretty simple.  the signing scheme has a Genkey() Sign() Verify() Aggregate()  Aggregate takes two signatures (or prior aggregates) and does a one way composition.  So at the end you have a set of {public keys} {messages} and one signature and you don't know which key signed for which message.
16:38 < gmaxwell> they propose adding it to bitcoin by having a new output type that pays to an OWAS public key.  When you spend from it you reference it by blockhash : public key    the reason it has to be this way is if a public key gets reused in different blocks you need to know which one you're spending.
16:40 < amiller> i think it's like incremental coinjoin
16:40 < amiller> coinjoin works but all the outputs have to be constructed before anyone signs the tx
16:40 < amiller> here you can make your signature
16:40 < amiller> then give it to someone else in a coinjoin channel and they can add their signature and now it's unlinkable as long as they forget about it
16:41 < gmaxwell> It has a number of consequences.. e.g. you can make the outputs sum to less than the inputs.. and then someone on the relay path can add an output with more value than the inputs to claim that value.
16:42 < gmaxwell> amiller: yea, it's a one-way incremental coinjoin.
16:43 < gmaxwell> It also has an anti-censorship property. If a miner receives an aggregate signature and there are some blacklisted coins, his option is to ignore the whole aggregate (and hope that he gets resent the partials before someone else mines it) or take it anyways.
16:45 < amiller> i don't know, i am not sure this makes any sense
14:15 < petertodd> jtimon: obviously they're not actually doing full validation here, but you can set things up so that all the blockchain data is "covered" by multiple partial validators
14:15 < jtimon> the smaller the prefix, the bigger part of the uxto you have
14:15 < petertodd> jtimon: with fraud proofs if anyone finds a problem, everyone can be informed that the block needs to be rejected
14:15 < petertodd> jtimon: exactly
14:17 < adam3us> petertodd: ok read.  i think i skimmed it a bit before (remember the bloom issues you identified.. i asked TD about it early on and he said yes there are a few bugs)
14:17 < jtimon> ok, I'm trying to compare it with maaku_'s stateless validation proposal...
14:17 < jtimon> in that one, miners only have the root of the utxo
14:18 < petertodd> jtimon: this *is* his proposal
14:18 < petertodd> jtimon: it's something you can do with it basically
14:19 < jtimon> ey, wait
14:19 < petertodd> adam3us: good, now see my point how this stealth structure fits in very well with where blockchain indexes are going? this is something we can actually get implemented, and solve a lot of real problems very quickly
14:20 < adam3us> petertodd: block chain indexes? you mean the above koorde like sharding of data?  (nodes store things near to them in some artificial space)?
14:20 < petertodd> adam3us: yeah exactly
14:21 < petertodd> adam3us: remember, the big issue with bloom is it's not indexable
14:21 < petertodd> adam3us: to query against a bloom filter requires matching against all transactions for every query, which sucks
14:21 < adam3us> petertodd: i don't quite accept that as a valid design rationale though.  'could shard this way' for a speculative what-if => let's do prefixes even though they have self-admitted linkability problems
14:22 < adam3us> petertodd: yeah bloom has its issues.
14:22 < petertodd> adam3us: there's nothing speculative about it, electrum does just that, and will add prefix queries soon
14:22 < adam3us> petertodd: maybe there's a third way
14:22 < adam3us> petertodd: speculative in there being full-nodes that focus on some prefixes only.
14:23 < jtimon> petertodd: with your proposal, how miners validate foreign blocks that contain tx that refer to a part of the utxo they don't have?
14:23 < jtimon> Are miners also supposed to send the full update proofs to each other like with maaku_'s?
14:23 < jtimon> If so, what do miners hold any of the utxo at all (apart from the root)?
14:23 < petertodd> adam3us: electrum servers *are* an example of a full node serving SPV clients
14:23 < petertodd> adam3us: SPV != bloom you know
14:23 < petertodd> jtimon: in the current design of bitcoin that's not really possible
14:23 < adam3us> petertodd: yes i know, and i agree
14:25 < jtimon> petertodd: which of the two things are not possible?
14:25 < petertodd> adam3us: yes, so, the question really is how do you index data such that you can match approximately, with the in-chain data being less approximate than the indexes the SPV-serving nodes have, gmaxwell has a proposal, but again, how would you ever end up with a miner committed index of it?
14:26 < petertodd> jtimon: the validate txins referring to utxo they don't have
14:26 < adam3us> petertodd: well bloom results are not committed
14:27 < petertodd> adam3us: I know, and like I said, stealth addrs could be implemented as "match this bloom filter index with this nTweak"
14:27 < adam3us> petertodd: or are they.  hmm. i mean can you verify the entire result set from the fuzzy bloom query tie into the containing block hash?
14:27 < petertodd> adam3us: but that's not scalable on the index side because of all the possible nTweak's
14:27 < jtimon> petertodd: I think maaku's proposal with updatable trees require clients to send the complete proofs miners need to check validity having only the root of the utxo
14:28 < petertodd> adam3us: obviously miners could commit to bloom filters, but then you'd run into the problem that to use gmaxwell's solution you have to have them commit to n different versions of the filter
14:28 < petertodd> jtimon: ah, sorry, yeah, if you adopt that then miners can do that
14:29 < jtimon> that's stateless validation
14:29 < jtimon> it seems better than sharding for miners
14:30 < adam3us> petertodd: getting sleepy but it seems more like a public key watermarking problem.  ie there are people who thought about and may be even have solutions to this problem.  i am not sure if they are going to be indexable or not.  but we could explore it. if it's expensive also maybe there could be fees.
14:30 < petertodd> jtimon: think about how much bandwidth they're using in that example...
14:30 < jtimon> maybe all the proofs should go hashed in the block
14:30 < petertodd> adam3us: it has to be a solution that isn't expensive or this isn't gonna happen and we'll still have address reuse
14:30 < jtimon> petertodd yes, bandwidth is the bottleneck in this case
14:30 < petertodd> adam3us: hell, this has to be a solution with pretty damn low programmer complexity to have any hope of being adopted
14:31 < jtimon> petertodd but your approach is not secure for miners
14:31 < petertodd> jtimon: wait, the sharding?
14:31 < petertodd> jtimon: forget miners
14:31 < jtimon> yes
14:31 < adam3us> petertodd: yea yeah.  i know the life of a privacy tech crypto guy, people demand the impossible and then turn their nose up when you pull some minor miracle that it's not as easy or as cheap as doing something privacy invasive.  been there. done that. got the t-shirt
14:31 < petertodd> jtimon: sharding for miners is a much harder problem than sharding for full-nodes that want to serve SPV
14:32 < maaku_> jtimon: i got stateless validation from petertodd
14:32 < petertodd> adam3us: exactly, OTOH we've got this stealth addresses proposal that's gotten like three reimplementations in a few days, and we can actually get adopted. Let that process happen and we can *upgrade* it later to be even better.
14:32 < jtimon> petertodd, full nodes too, but miners are spending money hashing....oh, ok, you're not talking sharded miners
14:32 < petertodd> adam3us: I'm specifically trying to design stealth addresses themselves to be backwards compat upgradable you know.
14:32 < maaku_> or it came out of a discussion between petertodd and gmaxwell, iirc
14:33 < maaku_> here on -wizards
14:33 < jtimon> petertodd I thought you needed prefixes in stealth addresses for sharded mining
14:33 < petertodd> adam3us: when we figure out a more clever way of doing prefixes, we can add a field to the stealth addr data that says "Hey! if you know how to handle this, you can also pay me with this fancy index scheme, but otherwise do the old thing."
14:34 < petertodd> jtimon: sharded mining eventually, sharded full nodes soon
14:34 < adam3us> petertodd: so maybe could it reasonably be said that stealth addresses are used only here in the vanity/bizcard kind of use case.  or is this going to turn into another 'yeah address reuse, sorry cant persuade user or wallet maker to stop' scenario
14:35 < adam3us> petertodd: ie they just jam them into their wallet, and reuse them ad nauseum for plenty of non-bizcard scenarios
14:36 < jtimon> petertodd sharded mining is what's hard for me to believe you're near to solve, but sharded full nodes seems a good enough use case to justify prefixes on stealth addresses
14:36 < petertodd> adam3us: hey, at least with an upgrade path we only have to convince the wallets incrementally
14:36 < adam3us> petertodd: btw i have another solution to address reuse.  one-show signatures.  (reuse it at your peril, do that and it leaks your private key via simultaneous equation) the tech is very simple to do it too.  how about i propose that on bitcoin-dev and draw some diagrams about the advantages of a final solution :)
14:36 < petertodd> adam3us: meh, users reuse addrs if you let them
14:36 < petertodd> adam3us: pff, good luck, that's user obnoxious
14:37 < adam3us> petertodd: well the client sw would say "error cant reuse"
14:37 < petertodd> adam3us: that's the kind of thing you build into a new system, not something you do as a *downgrade* to an existing one (from the user's perspective)
14:37 < petertodd> adam3us: we can hardly convince wallet authors to not reuse change addrs, give it up
14:37 < petertodd> adam3us: never mind you're risking user funds
14:38 < Luke-Jr> lolwut, someone emailed me a complaint - they don't like me using proper netiquette on bitcoin-dev
14:38 < adam3us> petertodd: well i guess i was just going with the flow you know... proposing things that are risky, and using first to implement arguments for my being right :P
14:39 < adam3us> petertodd: it has uses too.  double-spending becomes much harder!
14:39 < petertodd> adam3us: no, you're doing almost the exact opposite to what I'm doing: "I got this idea and lets impose it because it's good, fuck users."
14:39 < Luke-Jr> you all coming to Miami? :p
14:39 < petertodd> adam3us: I'm saying "How can I offer something to users that they'll actually accept and make things easier?"
14:39 < petertodd> Luke-Jr: nah
14:40 < adam3us> Luke-Jr: someone paying flights?  kind of far for a weekend...
14:40 < Luke-Jr> far from where :P
14:40 < adam3us> Luke-Jr: malta (europe)
14:41 < Luke-Jr> ah, yeah that's a bit far
14:41 < jtimon> yeah spain's far too
14:41 < maaku_> jtimon (and anyone else) : I'm reaching out to the concatenative language community to see if they have any input for a joyscript. let me know if anything is missing : http://0bin.net/paste/kMkgAK+zO2+mTK0E#Lua4/1g5fGVyv44fpRkftnd37RetgnrDrItXAp9FyvA=
14:43 < petertodd> bbl
14:43 < adam3us> petertodd: i get that they might accept it and find it easier (they already like reusing addresses because its conceptually simpler) but it cant replace one-use addresses, because other than for full node (0-length prefix) its strictly worse on privacy.  i mean the whole thing is about privacy, so you cant say its easy to use or they accept, if it makes
22:38 < Emcy> petertodd snowden walked out with a ton of shit - if they have compartmentalisation theyre not using it properly
22:38 < Emcy> same as the reams of stuff manning got off the SIPRNet
22:38 < petertodd> Emcy: yes, but he was a sysadmin, and he had to use social engineering to get a lot of that data too
22:38 < warren> the media reported that he used authentication of other people to get more data
22:39 < petertodd> Emcy: if you're an average employee playing by the rules you're still compartmentalized
22:39 < Emcy> social engineering definitely counts on your overall security makeup
22:39 < Emcy> so
22:39 < Emcy> id give them a D-
22:39 < phantomcircuit> Emcy, nothing is truly compartmentalized
22:39 < phantomcircuit> anybody can lookup anything
22:39 < phantomcircuit> but everything is audited
22:39 < phantomcircuit> you look up something you shouldn't have
22:39 < phantomcircuit> go to jail
22:39 < phantomcircuit> right?
22:39 < Emcy> well nothing can be, or you dont have a functioning organisation
22:40 < phantomcircuit> except no because he's in russia
22:40 < Emcy> assange was supposed to be a total freak about compartmentalisation
22:40 < phantomcircuit> Emcy, if all the intelligence was actually compartmentalized it would be worthless
22:40 < Emcy> to the point where lots of people left wikileaks...
22:40 < petertodd> phantomcircuit: yeah, and if you don't already know about something, it's hard to know what you are supposed to be searching for... making it even more likely that the auditing will catch you
22:40 < phantomcircuit> petertodd, yup
22:41 < phantomcircuit> im guessing he was basically looking at stuff using other peoples credentials
22:41 < phantomcircuit> and they couldn't figure out what was going on until it was too late
22:41 < phantomcircuit> or maybe he really did just pull it all in at once and left for hong kong
22:41 < petertodd> yup
22:41 < petertodd> he was pretty lucky to pull that off
22:41 < Emcy> he said in that interview he just came across these examples of casual disregard for the constitution in the course of his job
22:41 < Emcy> and that piqued his interest
22:42 < Emcy> thats how it starts, people dont go into these orgs looking to rock the boat
22:42 < phantomcircuit> Emcy, sounds about right
22:42 < Emcy> the ones with ethics change gradually, the ones without keep pulling the levers
22:43 < Emcy> similar story with manning
22:43 < petertodd> yeah, I get the sense that it's easy for people to rationalize their actions. and heck, if you don't see evidence of abuse, it's easy to figure that "well, my organization is behaving responsibly, and we really do have enemies"
22:43 < Emcy> petertodd you dont know how strong diffusion of responsibility is
22:43 < Emcy> it lets people step literally over people dying in the street
22:44 < petertodd> Emcy: indeed
22:44 < Emcy> i have become interested again recently in the inherent cognitive defects of humans
22:45 < Emcy> to which of course i am subject as much as anyone else, if not more of course.
22:46 < phantomcircuit> Emcy, that's less of a cognitive defect and more of an evolutionary advantage
22:46 < phantomcircuit> but yeah still
22:46 < Emcy> the study about how people's mental arithmetic *on an unrelated maths problem* actually gets measurably worse after being shown statistical evidence which contradicts one of their political beliefs
22:46 < Emcy> that fascinated the shit out of me
22:47 < petertodd> phantomcircuit: an advantage in the small-group societies that we evolved in
22:47 < Emcy> phantomcircuit depends whether you think we should be bound to baser behaviours gained from our old evolutionary road, or try and be better
22:48 < phantomcircuit> Emcy, sure but it's not really a defect
22:48 < Emcy> were supposed to be sentient and sapient, we could choose not to be such slaves to instincts. But its harder work.
22:49 < phantomcircuit> it's merely a cold fact of survival that is probably not necessary anymore in relatively wealthy countries
22:49 < phantomcircuit> (im not so sure about developing countries)
22:49 < Emcy> evolutionary advantage becomes disadvantage and vice versa
22:49 < Emcy> we just havent caught up yet
22:50 < Emcy> saying that i dont think "tribes" of tens of millions is doing us much good either
22:56 < Emcy> oh wow i guess they took that 5.1btc too if they got all his pgp keys
22:56 < Emcy> nice political statement asshats, if that was the intention
--- Log closed Sun Nov 17 00:00:01 2013
--- Log opened Sun Nov 17 00:00:01 2013
02:35 < skinnkavaj> are we still going to have centralized security exchanges or do you think coloured coins will help with that? everyone is working on coloured coin decentralized exchanges right now but i don't understand how it will not be centralized in some parts.
02:39 < warren> skinnkavaj: they are all centralized in some way.
02:52 < Guest12085> warren: not true there are fully decentralized colored coin proposals (e.g. freimarkets)
02:52 < Guest12085> skinnkavaj: consensus by block chain will always be expensive, period.
02:53 < maaku> but decentralized exchanges will exist for the rare cases in which they are needed
02:53 < maaku> such as ripple-like settlement
02:54 < maaku> but high volume exchange will always be centralized in some way
03:01 < Luke-Jr> there's already a decentralised bitcoin exchange, for like a year + now..
03:02 < Luke-Jr> coloured coins don't really have a viable use case
03:04 < skinnkavaj> (09:01:35) (Luke-Jr) there's already a decentralised bitcoin exchange, for like a year + now..
03:04 < skinnkavaj> are you talking about Localbitcoins?
03:05 < maaku> Luke-Jr: you see no use for user-issued assets?
03:11 < Luke-Jr> skinnkavaj: #bitcoin-otc
03:11 < Luke-Jr> maaku: I see no need for a decentralised blockchain for centralised assets.
03:13 < Luke-Jr> nor any benefit from it
03:13 < gmaxwell> Any of you feel like buying $800k in coins? that all it'll take to get mtgox usd to $500/btc.
03:14 < Luke-Jr> I don't have that much in MtGox
03:14 < maaku> Luke-Jr: freimarkets allows issuance from a multi-sig address, for example. useful perhaps for settlement at the highest level of a cartel
03:14 < maaku> which wouldn't trust any of its members individually to run the accounting server
03:15 < Luke-Jr> maaku: someone is going to be giving the shares value.
03:15 < gmaxwell> but why does it need a global decentralized blockchain instead of some closed distributed system?
03:15 < gmaxwell> (closed as in predefined members)
03:16 < maaku> gmaxwell: i never said "global" ;)
03:17 < gmaxwell> okay I could buy that, but such a system probably wouldn't be ideally constructed as a POW blockchain.
03:19 < maaku> true, this is probably a good application for (a modified version of) OpenCoin's consensus mechanism
03:20 < maaku> which i shouldn't be giving them credit for since it's basically two-phase-commit
04:58 < warren> anyone know adam3us's bitcointalk name?
05:40 < warren> adam3us: ping
05:40 < adam3us> warren: 'hello
07:35 < adam3us> btw it seems to me the limitation with CoinJoin is that it takes active participation of the participants; hence if CoinValidation virality takes hold people will have an economic incentive to stop using CoinJoin because it is not part of the protocol
07:35 < adam3us> CoinJoin as is, is a fantastic idea and the best we have deployable now.
07:37 < adam3us> my stab towards doing one more is RingCoin.  a ZKP that allows you to mix your coins with other people's coins without their participation, its like CoinJoin but where you can choose other peoples coins to mix with, but without their participation... very cool IMO, the limitation is the mix is like 3kB per mixed value
07:39 < adam3us> if that was part of the protocol, it would be game over; taint tracing ramps up, someone takes it upon themselves to taint the lot, evenly for a modest fee; and repeat - that is in their economic interest because it protects their bitcoin holdings (and everyone else's) from a viral run on bitcoin fungibility increasing transaction costs and maybe crashing bitcoins price as everyone has a race to buy clean coin insurance - no one wants to be l
07:40 < adam3us> i believe there is hope of finding a much better than 3kB per mixed value.. gotta figure out another unpublished Schoenmakers footnote (what is it with the guy- has genius ideas and doesnt bother to publish them!)
07:44 < adam3us> i guess we know a number of other people like that here - its "done" once they've convinced themselves that it works, and finding energy to write in a digestible, never mind peer-reviewable form is like work its hard to find energy for, but schoenmakers is an associate prof at tue.nl and publishes a fair bit of other stuff.
07:45 < adam3us> btw i saw in jdillon's hacked email dump of various private IMs that gmaxwell also thought of the same direction - ring signatures are an interesting direction
12:47 < maaku> adam3us: you don't need complex crypto. just let people create composable components of transactions
12:47 < TD> warren: where's that?
12:56 < TD> i see
15:15 < warren> TD: where's what?
15:15 < TD> the jdillon thing, but i saw the thread
15:15 < warren> what about it?
15:16 < warren> https://twitter.com/matthew_d_green/status/401797786347114496 Zerocoin claims to have reduced the proof size by "98%", is this the "it is still 10KB" thing people were talking about earlier?
15:17 < warren> oh, they claim transactions are down to 240 bytes now, while the first version was 25KB
15:25 < Emcy> didnt say anything about how long it takes to verify the proofs though
15:25 < Emcy> i think gregory mention it was like 2 per second on current hardware
15:25 < gmaxwell> Emcy: no point in speculating about it without their paper out.
15:25 < Emcy> or maybe that was the lamport stuff
15:25 < gmaxwell> Emcy: the new stuff works in an entirely different way.
15:26 < Emcy> so its not zerocoin its something new
18:45 < gmaxwell> From that single TPM environment you could do anything you'd want to have a tpm do.
18:45 < gmaxwell> Seems better than inventing a new TPM program for every usecase.
18:46 < gmaxwell> For reasons of efficiency you'd want various cryptographic operators available as instructions, but they could be generic ones.
18:49 < gmaxwell> Arguably TPM is dumb and should have just invented that in the first place. :P
20:34 < petertodd> gmaxwell: That approach makes a lot of sense to me, and not just technically. If you're creating abstract oracles, you can also safely sell hardware implementing these oracles publicly as they are general purpose and can be used for anything.
20:37 < gmaxwell> ah, so even if some oracle usages are prosecuted .. interesting.
20:38 < gmaxwell> I think the AST stuff adds a lot to the oracle, as it even prevents the oracle from knowing the complete program that it participates in, and also compresses large oracle programs.
20:39 < petertodd> Ah, the preventing full AST knowledge is a good point there too.
20:39 < petertodd> Which in turn means there can be 1 to n oracles actually doing this stuff.
20:40 < petertodd> The crazy thing about this model, is n could actually be really small, and it'd still work, or really large, and it'd still work.
--- Log closed Sun Mar 24 00:00:04 2013
--- Log opened Sun Mar 24 00:00:04 2013
05:20 < warren> sipa:  spring break now.  I'd like to help complete your secp256k1 so I can build bitcoind entirely without openssl.  Do you have a list of tasks that need doing?
05:22 < warren> sipa: I suppose I'm supposed to not look at openssl in order to ensure secp256k1 has a clean, independent copyright?
05:23 < sipa> warren: cool!
05:23 < sipa> what i'm doing now is convert everything to C
05:24 < warren> ah, what's the goal there?
05:24 < sipa> easier to build, mostly
05:24 < sipa> i'm not using much of C++ anyway
05:24 < warren> me too, I've done mainly C and java
05:25 < sipa> apart from that, the largest blocker is import/export of secret keys
05:25 < sipa> which is only done in the wallet
05:25 < sipa> but you probably want to stay compatible with openssl-based builds
05:26 < warren> you mean implement the same interface
05:26 < sipa> no. serialization/deserialization of secret key data structures
05:27 < warren> have you been clean rooming this?
05:27 < sipa> the data structures are quite standard
05:27 < sipa> they are ASN.1 encoded
05:27 < sipa> i don't care about source API compatibility
05:27 < sipa> we can change bitcoin's code to match
05:28 < warren> Our API can be much simpler because it goals are limited?
05:28 < sipa> indeed
05:28 < sipa> right now, i have one public function:
05:28 < sipa> int VerifyECDSA(const unsigned char *msg, int msglen, const unsigned char *sig, int siglen, const unsigned char *pubkey, int pubkeylen);
05:29 < warren> sipa: can you list the current status and future TODO list somewhere?
05:29 < warren> sipa: what do you want the final library name to called?
05:30 < sipa> as long as we don't support anything beyond secp256k1, i think secp256k1 is fine as a name?
05:31  * warren checks to see what bitmessage uses.
05:31 < warren> My primary goal is here of course.
05:31 < sipa> i have personally no interest in bitmessage, but if it happens to be able to use it, no problem of course
05:31 < warren> checking
05:33 < warren> They have "secp256k1" in several parts of their code.
05:33 < warren> anyway, I'll worry about them later
05:33 < warren> so yeah, stick to this name.
05:34 < warren> sipa: you want me to autoconf/automake it?
05:34 < warren> autotoolize
05:34 < sipa> warren: if you have experience with that, sure!
05:34 < warren> haven't done it in 4 years, would need to relearn
05:34 < warren> sipa: what license you want it to be?
05:35 < warren> brb shower
05:35 < sipa> good question
05:43 < sipa> added a TODO file
05:48 < warren> sipa: I assume MIT-style to be compatible with bitcoin?
05:49 < warren> sipa: do you have your existing patches to bitcoind so I can use that as an example of the other interfaces that need replacement?
05:49 < warren> *pushed anywhere
06:03 < sipa> warren: yes, but not a complete one
06:03 < sipa> only for replacing verification
06:03 < sipa> which was probably the easiest change in bitcoin
06:04 < sipa> but the changes in bitcoind are easy, i think i know what has to be done for those
06:05 < warren> sipa: which randomness source do we want to rely upon for key generation?
06:05 < sipa> regarding the secp256k1 library: just take the nonce as a argument for signing
06:06 < sipa> so the caller can still use OPENSSL_rand if necessary, but i'm beginning to like the idea of deterministic nonces
06:06 < warren> I haven't learned what is the typical meaning of "nonce" in bitcoin.
06:06 < warren> I know the general meaning.
06:06 < sipa> oh, sorry
06:07 < sipa> you're talking about key generation, not nonce generation
06:07 < sipa> anyway, same thing
06:07 < sipa> ECDSA signatures need a secret nonce
06:07 < sipa> that is: a value that is not reused and not known to an attacker
06:07 < sipa> typically (and in OpenSSL), it is just randomly generated
06:08 < sipa> but it is in fact possible to just calculate it as Hash(message + pubkey + privkey)
06:08 < warren> and that's just as secure?
06:09 < sipa> well, i'm in an e-mail discussion with Dan Boneh (prof. cryptography at stanford) about BIP32
06:09 < sipa> and he actually suggested that himself, as ECDSA is otherwise very vulnerable to bad PRNG's
06:10 < warren> hm
06:10 < sipa> anyway, i want secp256k1 to just be a fast math library basically
06:11 < sipa> so anything that requires dependencies will likely be pushed to the caller
06:11 < sipa> so any key "generation" function will just take random bytes chosen by the caller
06:13 < warren> ok, so it isn't secp256k1's job to decide where the randomness comes from
06:13 < warren> that's a bitcoin implementation detail
06:13 < sipa> indeed
06:14 < sipa> i'll try to get the C version + some rough ideas for the secp256k1 API done today
06:14 < sipa> that'll make it easier to contribute, i guess
06:15 < warren> cool
06:15 < warren> sipa: does bitcoind internally have more entropy sources?
06:15 < sipa> no, it relies on OpenSSL
06:17 < sipa> ask for an hour
06:17 < sipa> *afk
11:17 < jgarzik> sipa: C version?  w00t
11:28 < gmaxwell> warren: the deterministic nonce is used by Ed25519 and seems fairly obviously secure so long as the hash function meets the other properties we require from it.
11:28 < gmaxwell> though, ed25519's usage does have distinct state for the nonce key, which is nice.
11:31 < gmaxwell> sipa: You could do a hybrid solution where if the provided nonce pointer is null you do H(message||key) if it is non-null you do H(nonce||message||key). The idea being that even if their RNG is bad doing that bounds the badness. And then you can still get deterministic tests.
17:38 < sipa> warren: sorry, been busy working on bitcoind network stuff today
17:38 < sipa> and next week i'll have little time i fear
17:39 < warren> sipa: OK, I have mostly family stuff this week during spring break.  if I don't make progress this week I'll have plenty of time from May to work on this.
--- Log closed Mon Mar 25 00:00:05 2013
--- Log opened Mon Mar 25 00:00:05 2013
17:38 < gmaxwell> 14:36 < randy-waterhouse> http://www.h-online.com/open/news/item/Weak-keys-in-NetBSD-1829336.html
17:38 < gmaxwell> 20:21 < gmaxwell> warren: "trust but verify"
17:38 < gmaxwell> 20:21 < gmaxwell> warren: if the kernel developers are malicious you're in trouble, if they make mistakes well no need for bitcoin to be utterly brittle to weaknesses in the kernel rng.
17:38 < gmaxwell> :P
17:39 < warren> gmaxwell: fun
17:39 < gmaxwell> Seems the author of that article doesn't know about weak nonces.
18:13 < petertodd> Bitcoin really shouldn't be using the system PRNG directly IMO.
18:14 < petertodd> I figure we already have a good RNG pool with the keypool - hash in the last key generated with whatever the OS RNG gives us.
18:54  * gmaxwell sends email to the netbsd security list to point out that its probably somewhat worse than they thought.
--- Log closed Tue Mar 26 00:00:07 2013
--- Log opened Tue Mar 26 00:00:07 2013
00:22 < jrmithdobbs> gmaxwell: ugh
00:47 < warren> I don't know anyone that uses NetBSD.
00:49 < gmaxwell> I have, but only on VAX. :P
00:51 < warren> heh.... "Thanks To ========= Thor Lancelot Simon for causing, finding and fixing the bug and helping with this advisory."
01:07 < gmaxwell> Has anyone given thought to what the Ultimate sighash types would look like?
01:15 < jgarzik> Ultimate?
01:35 < gmaxwell> Is there some simple(?) set of sighash features that actually captures all the sighash types we might wish for?
01:35 < gmaxwell> what we have now is clearly not ultimate since it's easy to come up with cases they miss in practice.
01:45 < jrmithdobbs> warren: lots of random embedded shit you'll never think of do
01:46 < jrmithdobbs> gmaxwell: i think it really needs to be revisited as to whether specifying the hash/curve as part of the address might not be desirable
01:46 < jrmithdobbs> gmaxwell: as it relates to sighash, i'm not sure, i know it does but i'm rusty on the script ops
01:47 < jrmithdobbs> there's been too much random "we know this is good" shit being broken, at least academically, recently =/
01:47 < gmaxwell> jrmithdobbs: you just use different address types for that.
01:48 < gmaxwell> Or really, P2SH and done.
01:48 < gmaxwell> I'm really not expecting much in the way of curve specific ECDSA attacks that don't undermine the whole thing.
01:48 < jrmithdobbs> gmaxwell: ya but might it be worth extending the base ops to include some things besides ripemd and sha2 in the base ops?
01:49 < gmaxwell> yes, well, when SHA3 is really finally specced we'll add that at least, I imagine.
01:49 < jrmithdobbs> that's the only related thing i've spent much time thinking about really
18:42 < petertodd> now systems where miners can mine pairs of blocks, one valid and one invalid, as gmaxwell has suggested, help here
18:42 < petertodd> jtimon: yes, which means we can trust them not to!
18:43 < jtimon> if you don't send me the proofs, I don't hash on top of your chain
18:43 < petertodd> why not? if I'm not hashing, I'm not making money 99% of the time where the block *was* valid
18:43 < jtimon> and because I want everybody to hash on top of my block, I send the proofs to every miner
18:43 < petertodd> I might as well take that risk
18:43 < petertodd> as I say, the incentive isn't as strong as you think
18:43 < jtimon> I prefer to mine block n-1
18:44 < petertodd> why? you'll make more money if you mine block n 99% of the time
18:44 < jtimon> ok, I don't trust your 99 but I get your point
18:45 < petertodd> remember, what the bitcoin sourcecode implements doesn't necessarily match what a rational miner will actually do
18:45 < jtimon> so miners would have the incentive to send fake invalid blocks to distract competition
18:46 < petertodd> right now that costs too much because you can only mine either a valid, or an invalid, block
18:46 < sipa> they have an incentive to send fake invalid blocks to 49% of their competition...
18:46 < petertodd> now, if the system allows you to mine both simultaneously, perfect!
18:46 < jtimon> so that 99 turns into a 1 and everybody is happy again
18:46 < petertodd> yes
18:47 < petertodd> and/or tie your PoW scheme to some subset of blockchain data, and the other miners simply can't mine on your block unless you give them the data, therefore they'll mine on block n-1 and eventually overtake you (unless you have 51%, but we're screwed there...)
18:47 < jtimon> what's the problem then? we only need miners to spam each other so that they don't trust new blocks without the corresponding proofs
18:48 < jtimon> oh, I see, I guess your solution is better
18:49 < petertodd> well, actually I think both solutions are good, and for different reasons: the "firedrill" one helps test fraud proof code and ensure it actually works, which is valuable in of itself
18:49 < jtimon> sorry, I forgot you were trying to explain to me the problem that justified the solution but I forgot you had a solution
18:49 < petertodd> heh
18:50 < petertodd> now here's the next problem: suppose we decide to shard the blockchain, we'll say UTXO's starting with MSB=0 go on one side, MSB=1 go on the other
18:51 < petertodd> so that's basically two parallel chains, and they timestamp each other (really forming a *timestamp* chain over both)
18:51 < jtimon> sorry, what was sharding again?
18:51 < petertodd> jtimon: shard as in how databases are split up
18:52 < jtimon> like partitioning the blockchain?
18:52 < petertodd> now miners only mine one or the other chains contents, but 100% of the hashing power goes to the timestamp
18:52 < petertodd> jtimon: yes
18:53 < jtimon> sorry again, what's MSB=0 ?
18:53 < petertodd> MSB=most significant bit
18:53 < jtimon> ok
18:54 < petertodd> now, suppose somehow one entity controls 95% of the hashing power on chain 0, and they just don't publish block contents, but *do* contribute to the overall timestamping hashing power
18:54 < petertodd> they can't attack the timestamp - they only have 40% of the total hashing power - but they can make it impossible for any transactions to happen on chain 0
18:55 < jtimon> sorry, I got lost here "now miners only mine one or the other chains contents, but %100 of the hashing power goes to the timestamp"
18:55 < petertodd> suppose then they stop their attack - you're left with a bunch of blocks that have been timestamped, but the actual contents of them have vanished, which means you can't modify the state of the chain unless you "roll-back" to whatever data is publicly available, but what's the right rule to handle that?
18:56 < jtimon> the purpose of sharding is to have lighter miners, I guess
18:56 < petertodd> jtimon: suppose a block header for the timestamp contains hashes of the most recent header in the subchains
18:56 < petertodd> jtimon: exactly, specifically spread the bandwidth out so that you don't need to keep up with all tx's to mine
18:56 < jtimon> and who pows the timestamp?
18:57 < jtimon> nobody?
18:57 < petertodd> well, one easy way is to say that the two chains are merge-mined with the timestamp
18:57 < petertodd> and then set the pow difficulty to be exactly half of the timestamp difficulty
18:57 < jtimon> isn't merged mining like the opposite of sharding?
18:58 < petertodd> jtimon: no! in this case it's just a way of having a very strong pow for what orders transactions - the timestamp chain - while allowing for two separate chains
18:59 < petertodd> e.g. a block header in this scheme consists of PrevTimestampHash, MergeMineRoot, Time, etc.
18:59 < petertodd> and the subblock headers are just PrevSubChainHash, MerkleRoot
19:00 < jtimon> mhmm I don't know how something that is not powed can be very strong
19:01 < petertodd> jtimon: how is it not PoW'd?
19:01 < jtimon> oh, I see, each chain mines on top of the previous timestamp, not the previous block of the subchain, no?
19:01 < jtimon> what if one chain goes faster?
19:02 < petertodd> heh, well, interesting question!
19:02 < petertodd> you can probably come up with a scheme where the actual headers, just not the block contents, are known to both miners, and you adjust difficulties appropriately
19:03 < petertodd> but that's far from the most interesting part of this stuff
19:03 < jtimon> the most interesting part is having lighter miners, no?
19:04 < petertodd> jtimon: well, that's why you'd do it, but in the process you've made it susceptible to new attacks that didn't exist before
19:05 < petertodd> like I say, if the data for one chain isn't available for whatever reason, things get ugly, and less than 50% of total hashing power can attack the chain that way
19:08 < petertodd> one thing you can do is have "challenges": pick a nonce in the top timestamp chain, and make the rule be unless the data from that subchain turns up - along with an appropriate proof - the way you decide what is the best block changes such that you *can* reorganize that subchain with <50% hashing power
19:08 < petertodd> (normally you can't due to the timestamp property)
19:09 < petertodd> at least then if subchain data gets accidentally lost, somehow, the state of the system can recover.
19:10 < petertodd> that also somewhat protects you against malicious attackers, essentially because you can temporarily pay higher fees to get the rest of the miners to force some <50% attacker to spit up the data you actually need to make your transaction
19:10 < petertodd> and once you make a robust scheme with two subchains... it trivially extends to a full on tree
19:10 < jtimon> mhmm, I don't know...it seems very complex, maybe we just need to think about another way of sharding
19:10 < petertodd> it is very complex, but my suspicion is that sharding inherently is complex
19:10 < petertodd> just handwaving and assuming global consensus is *way* easier
19:10 < petertodd> pity it doesn't scale though
19:13 < jtimon> yeah, I've been thinking about other sharding-like schemes but for now they were broken (well, the first one actually just needs every node to trust each other, that is, is centralized)
19:13 < petertodd> heh, well doing it with trust is easy :)
19:13 < sipa> jtimon: nah, that's just called ripple
19:14 < jtimon> sipa: no, I don't mean ripple, I mean something scalable
19:14 < petertodd> jtimon: heck, just arbitrarily saying "OK! it's 8 block chains now!" will probably work in practice, even if really the security isn't as good as it could be
19:14 < petertodd> jtimon: ripple is scalable technologically, socially OTOH...
19:14 < jtimon> well, I haven't seen any centralized markets infinitely scalable
19:15 < petertodd> jtimon: ripple the idea isn't centralized
19:15 < sipa> i've mentioned it before, but i'd like to stop confusing the word 'centralized' with 'trust-free'
19:15 < jtimon> can the ripple.com network process 1 billion tx/s ? definitely no
19:16 < sipa> sorry, 'decentralized' with 'trust-free'
19:16 < jtimon> petertodd: 2PC ripple is completely scalable
19:16 < petertodd> jtimon: exactly, ripple.com is an abomination and we shall not mention it again
19:16 < sipa> i shall resist.
19:17 < sipa> anyway, you could have a bitcoin-like system, where instead of script verification, there was just one huge datacenter computing zero-knowledge proofs of the validity of the chains
19:17 < sipa> it would be totally centralized (as in central point of failure), but to an extent trust-free
19:17 < jtimon> well, I think my centralized system is completely scalable, but maaku and I have to actually test that
19:18 < maaku> jtimon: another Joy-derived language that might be useful http://www.cat-language.com
19:18 < petertodd> sipa: which is roughly what my fidelity-bonded foo ideas were about, especially the fidelity-bonded ledgers version
19:18 < sipa> also, a bunch of N nodes all talking to each other that all trust each other is perfectly decentralized, but not trust-free at all
19:18 < jtimon> maaku I read that one has strong typing instead of dynamic
19:18 < maaku> yes, which would be a good thing i think
19:19 < petertodd> sipa: yes, and with some changes to the way blocks are structured you certainly could have groups of miners who trust each other co-operatively create and mine blocks with individually low-bandwidth nodes
19:19 < petertodd> sipa: I think you can even pull that off as a soft-fork
19:20 < sipa> anyway, i'm not making any particular suggestion here
19:20 < sipa> just trying to point out that 'decentralized' is ambiguously used in bitcoin context
19:20 < jtimon> well, I try not to use ZKP or snark/scip when designing, haven't learned black magic yet...
19:20 < petertodd> jtimon: if it can't be done with hashes, it's not really bitcoin
23:14 < sipa> gmaxwell: i don't
23:14 < sipa> mike worked on anti-abuse
23:19 < HM> I'm fairly bitter about Goog giving personal domains with Gmail the brush
23:20 < HM> I don't really see how the loss of "@gmail.com" mindshare is harmful to their brand at this point.
23:21 < HM> Let's hope people hosting their own bitcoin wallet isn't as bizarre as running their own email server, or at least using their own domain for email, in future
23:23 < gmaxwell> we have some say in that future... if the only way to get good wallet software is through a website ... welllllll.
23:27 < HM> I don't use the desktop client anymore. I just use Andreas' droid app
23:27 < HM> there's no real reason either
23:28 < gmaxwell> yea, so what you're telling me is that bitcoin is doomed. :(
23:28 < gmaxwell> oh well.
23:28 < HM> ikr
23:29  * gmaxwell wishes they taught kant's categorical imperative in school.
23:32 < HM> gmaxwell, Wikipedia can't teach it to me now, so I think school kids would struggle.
23:33 < HM> something like only do something according to some rule, if you would like to see that rule become the social norm
23:34 < amiller> do what you want everyone else to do too
23:38 < HM> that's kind of vague
23:40 < sipa> heh, i knew that summary
23:40 < sipa> though not the name or whom it came from
23:45 < gmaxwell> the WP article is confusing.
23:45 < gmaxwell> It's basically suggested as a basis for morality, though you can use it more pragmatically than that.
23:46 < gmaxwell> The idea is that you shouldn't do something that would produce bad outcomes if everyone did it.  Even if you don't buy into it as a basis for morality (I dunno if I do), it has a lot of practical usefulness.
23:47 < gmaxwell> For the case of a SPV wallet: "I'll run both a SPV wallet (on my phone) and a regular one elsewhere" and "I'll run a SPV wallet only, if and only if I honestly don't have the resources to run a full node" both pass the categorical imperative .. in that if everyone follows the same rules things should be okay.
23:48 < gmaxwell> vs, I think "SPV is easier for me, I'll just run that" I think does not, because it suggests a world where basically google (sorry googlers, you get to be the deathstar this week) runs the only full node. :P Once too many people run SPV nodes you're actually at more risk if you run a full node, since you want to be part of the majority of users consensus.
23:48 < gmaxwell> and the whole set of economic incentives around bitcoin start to break down. :(
23:49 < gmaxwell> unless their breakdown triggers people to run full nodes. But I'm not sure that works.. being the one full node against the world isn't a position anyone wants to be in.
23:49 < amiller> depends also on how specific you're willing to make your rule, like "i'll behave altruistically, unless i'm amiller, in which case i'll behave selfishly"
23:50 < gmaxwell> amiller: hahah indeed. well I don't personally really buy CI as a basis for all morality. It only works for that in contrived models, but as you note only ones with finite levels of being contrived. :P   But I think it's a useful way to think about things that have externalized costs/risks.
23:51 < HM> I won't steal this ladies hambag because if everyone stole everyones hambag life would suck
23:51 < HM> oh wait...i don't have a hambag...
23:51 < gmaxwell> HM: even if you don't... a world where handbags were stolen very frequently would suck in a bunch of ways that would harm you.
23:52 < HM> i really did type 'hambags'
23:52 < gmaxwell> twice!
23:52 < gmaxwell> I corrected it in my reading!
23:53 < HM> it's almost 5am
23:54 < sipa> 6am!
23:54 < gmaxwell> for example, people might not carry handbags anymore, and then they couldn't shop at your local businesses. Or they might carry exploding handbags which sometimes exploded accidentally. :P CI is not the golden rule, it's a generalization of it in some sense. It basically proposes a rule that if everyone follows it then as a whole society playing a gigantic prisoner's dilemma game, we all choose to not-defect without any coordination ...
23:54 < HM> if everyone went to sleep at 5am....
23:54 < gmaxwell> ... beyond the CI rule.
23:55 < HM> what if I advocate CI publically, but ignore it in private?
23:55 < gmaxwell> HM: it's fine so long as your rule is something like "I'll stay up to 5 am, but only if doing so doesn't make a mess for other people"
23:56 < HM> publicly* sigh
23:56 < gmaxwell> HM: that fails CI. It's not intended to be some maxim you hold people to (well, maybe Kant thought otherwise).  But it at least gives you a way to think about a consistent moral system, "if you were god", that helps separate some of the subjectivity out of morality.
23:56 < HM> right
23:57 < HM> but it's not clear if everyone using SPVs would be bad. I mean it might force you guys to come up with a better solution that has many of the same advantages :P
23:57 < HM> and that would be good for everyone
23:58 < HM> likewise, handbag theft could spur on great innovation in other fashionable accessories
23:59 < sipa> hard to quantify those evolutions though
23:59 < HM> i don't see how you can apply CI without making a decision about what's better globally
23:59 < sipa> and certainly hard to ascribe them causally to handbag theft
--- Log closed Mon Sep 09 00:00:20 2013
--- Log opened Mon Sep 09 00:00:20 2013
00:01 < gmaxwell> HM: depends on what you mean by SPV.. also you.
00:01 < gmaxwell> keep in mind that I have an easy out here: I can just forget about bitcoin.
00:01 < gmaxwell> (which I will likely do at some point, in fact if I am to make a prediction)
00:02 < HM> Bummer
00:02 < gmaxwell> HM: if you (being the generalized representative of all mankind) are unwilling to take any cost at all to increase the collective security, then I don't think an improvement is possible.
00:03 < gmaxwell> If you're willing to take some small cost, which happens to currently be less than running a full node, then perhaps there are some things that can be done... but it's not clear to me that anyone will do them: too easy to just walk away from bitcoin.
00:03 < gmaxwell> Worse: if someone were to do such a thing they'd be personally better off (failing the CI) to go do it in an altcoin where they could go own a bunch of it upfront.
00:04 < HM> That's the thing though. Individual disregard for security affects the network in Bitcoin.
00:04 < gmaxwell> (plus have a much easier time doing it: to improve anything in bitcoin involves convincing a lot of people: some who are actually opposed to decentralization, many who are just clueless, etc.. vs an altcoin you can just put it in.. Fiat Lux.)
00:05 < sipa> ok, let's start egocoin
00:05 < HM> Really you should be objecting to me using a thin client because it puts *your* security at risk
00:05 < HM> in theory
00:05 < sipa> depends what you're comparing it to
00:06 < gmaxwell> it's complicated, if your alternative is no bitcoin at all I'd rather you use the spv client.
00:06 < sipa> you running a thin client vs you not using bitcoin at all isn't a decrease in security
00:06 < sipa> !hi5
00:06 < HM> lol
00:07 < gmaxwell> Thats why I gave those CI passing examples above "I'll run a SPV wallet only, if and only if I honestly don't have the resources to run a full node" and "I'll run both a SPV wallet (on my phone) and a regular one elsewhere"
00:08 < gmaxwell> (the latter means that full nodes need to be cheap enough to run for many people, but at least thats a pure technical challenge)
00:09 < HM> the problem is, more and more people will likely be introduced to Bitcoin through thin clients or hosted wallets
00:10 < HM> you're then trying to argue for additional work that sees no personal or immediate benefit
00:11 < HM> that's a tougher position to start in than having people run full nodes and then saying "this is why you can have nice things"
00:12 < gmaxwell> maybe, we ultimately don't need _everyone_ to run one. But the problem is that what you're describing to me is basically where ~no one runs one.  Who would have more incentive to than you esp in a world where most people already weren't?
00:12 < gmaxwell> And I dunno about trying to argue: I'm just stating what I think is the logical conclusion. The things I am observing are telling me that bitcoin is doomed.
00:13 < HM> Some people can walk away from Bitcoin, some can't or won't for other reasons.
00:13 < HM> those that can't will run full nodes if it came to a crunch
00:13 < HM> those that can, know this
00:13 < gmaxwell> sure, and something called "bitcoin" might exist forever, but it wouldn't be the thing that I would call bitcoin.
00:13 < gmaxwell> This isn't clear to me.
00:13 < amiller> gmaxwell, thanks for listening to my idea and describing it as hiding the income, i hadn't thought of it that way but that totally helps
00:13 < gmaxwell> "if it came to a crunch" is too late.
00:14 < amiller> i'm going to use it immediately and remember to give you credit :o
00:14 < gmaxwell> amiller: thanks! I hope you're able to come up with something interesting!
00:14 < amiller> mooncoin
00:14  * amiller drifts off into space
00:14 < HM> fyi, i don't think bitcoin is doomed
00:15 < amiller> it's hard not to worry that the whole internet is doomed these days :/
00:15 < gmaxwell> HM: You could say that the users of the USD would reject inflation. Except that they don't. Incrementally everyone happily agrees a little inflation is A OK and good for expedient interests.
00:16 < gmaxwell> HM: I don't know that its doomed, but patterns are suggestive to me that its initial argument for existence is not likely to be upheld. I'd probably just give it 50/50. I would give it less, but I've seen some remarkable arguments from people I normally wouldn't have expected to "get it" that show they really do get the motivations for such a system... and I get a bit of hope from that.
00:17 < HM> I don't think people worry about central banks
00:17 < HM> they see them as benign
15:17 < gmaxwell> I've spent more time looking at the GGPR pairing based zk-SNARK though it's only smoke-and-mirrors publicly verifiable, the linear PCP that eli et al. have written more about is probably a better match to what we need but I haven't seen as much concrete performance numbers for it.
15:18  * nsh nods
15:18 < gmaxwell> nsh: well, sha256 has all those circular rotations, which don't express compactly in tinyram. and every tinyram cycle is ~1000 gates.
15:18 < nsh> hmmm
15:19 < gmaxwell> the tinyram stuff makes a lot of sense when you have control flow though.  In any case, a first prototype should absolutely be done via tinyram.
15:19 < nsh> right
15:20 < nsh> there was also mention of "non-standard assumptions" that were slightly glossed in this talk: http://www.youtube.com/watch?v=nS3smRAfUd8
15:20 < nsh> want to look into those a bit more
15:21 < gmaxwell> the non-standard assumptions is the non-falsifiability problem that all succinct NP argument systems have.
15:22 < nsh> hmm
15:22 < gmaxwell> The problem is that you can't prove it black-box reducible to any simple cryptographic assumption because you can imagine a black box system breaker that only lies in cases where no polytime bounded user could distinguish the lie. It's a kind of wanky argument.
15:23  * nsh muses
15:23 < gmaxwell> nsh: the key thing to watch out for is that the people working on this stuff frequently use a security model we'd consider generally stupid.
15:23 < nsh> which is?
15:24 < gmaxwell> Basically first you can have systems which are only designated verifier; any interactive system is like this.  A single verifier gets convinced of the proof but the proof is not transferable to other parties.  Obviously that's not useful to us. The alternative to designated verifier is publicly verifiable
15:24 < nsh> right
15:24 < nsh> but you still require a trusted generator of prover and verifier keys
15:25 < gmaxwell> well there is a bunch of "publicly verifiable" work where it's assumed that all the verifiers have a common reference string. Some magical data which was securely generated which they trust.
15:25  * nsh nods
15:25 < gmaxwell> right. which is crap for us, generally.
15:25 < nsh> mmmm
15:26 < gmaxwell> There are systems which are publicly verifiable without that assumption, but they are not as popular with the theoretical cryptographers mostly because they depend on fiat shamir, so they are secure only in the random-oracle model.
15:26  * nsh notes to google
15:27 < andytoshi> is there a good paper which explains the random-oracle model and how it relates to real life?
15:27 < gmaxwell> Eli has been working with two different backends: one based on the GGPR work which is CRS-publicly-verifiable and perfect zero knowledge. And apparently one which is based on fiat-shamir transforms of some linear pcp, which should be verifiable without a CRS, though it's not quite perfect zero knowledge.
15:27 < gmaxwell> though the proofs would be larger (tens of kilobytes), though I expect more rapidly verifiable.
15:28 < nsh> hmm
15:28 < nsh> (CRS being common reference string, i presume)
15:28 < gmaxwell> right.
15:29 < gmaxwell> I think for us, especially for blockchain proofs, we'd prefer the latter assumption. We're already slathered with random oracle assumptions. Also, we can do some novel things to boost the security of fiat-shamir-transform proofs that basically no other system can do.
15:29 < nsh> i guess generating and distributing the CRS isn't much different, security-wise than what's being done now with the blockchain torrents?
15:29 < nsh> but it's not ideal
15:29 < gmaxwell> nsh: eek. no. The blockchain torrents are completely untrusted and might as well be maliciously generated. We verify them.
15:29 < nsh> hmm, right
15:30 < gmaxwell> CRS = if you have the secret you can trivially (at least in the case of GGPR) generate fake proofs.
15:30 < nsh> oh, that's an issue
15:31 < nsh> what novel things can we do to boost the fiat-shamir-transform security?
15:31 < gmaxwell> plus, you need a new CRS if you change the circuit. Which is a bit lame.
15:31 < Luke-Jr> someone mailed me ants o.o
15:31  * nsh nods
15:31 < Luke-Jr> http://flickr.com/gp/52549449@N05/54iQ5S
15:31 < gmaxwell> Luke-Jr: antminer?
15:31 < Luke-Jr> gmaxwell: no, real ants
15:31 < nsh> lol
15:31 < Luke-Jr> they crawl around
15:32 < nsh> heh
15:33 < gmaxwell> Fiat-shamir-transform basically amounts to "construct a hashtree over your data, use the hashroot to select which parts of the data to disclose" .. if the data in question is a probabilistically checkable proof, you get a compact proof out of it.  You have to expand the number of points you disclose because an attacker could keep retrying junk proof until he got one that happened to pick points that pass.
15:33 < nsh> hmm
15:34 < gmaxwell> nsh: what we can do in bitcoin is commit to a fiat-shamir hashroot in a block, then use the successful block hash to pick the disclosed points. Because mining a block takes a whole lot of computation, it's now _much_ harder to grind on your proof.. so you can disclose fewer points for equal security.
15:34 < nsh> ah, i think i see
15:34 < nsh> that's neat
15:34 < gmaxwell> though the reduction is probably not that great in practice, maybe you can halve the proof size that way.
15:34  * nsh nods
15:35 < gmaxwell> (also, it makes the proofs weaker against people with extreme hashpower ... but then again bitcoin kinda fails if those parties exist)
15:35 < nsh> right
15:38 < nsh> andytoshi: http://crypto.stackexchange.com/questions/879/what-is-the-random-oracle-model-and-why-is-it-controversial // http://en.wikipedia.org/wiki/Random_oracle // http://cseweb.ucsd.edu/~mihir/papers/ro.pdf
15:39 < nsh> http://blog.cryptographyengineering.com/2011/09/what-is-random-oracle-model-and-why.html // http://blog.cryptographyengineering.com/2011/10/what-is-random-oracle-model-and-why.html
15:42 < gmaxwell> Did andytoshi ask something here? /me doesn't see
15:44 < nsh> <andytoshi> is there a good paper which explains the random-oracle model and how it relates to real life?
15:47 < andytoshi> thx nsh
15:47 < nsh> np
15:47 < andytoshi> gmaxwell: i had just arrived, maybe my arrival did not reach your part of the network?
15:48 < gmaxwell> oh, it was here, I just missed it completely.
17:38 < amiller> Secure Multiparty Computations on BitCoin http://eprint.iacr.org/2013/784
17:38 < amiller> this is a pretty great paper
17:39 < amiller> this is the first time someones given a pretty clear way that bitcoin solves a problem that people in crypto theory would like to have solved
17:39 < amiller> fairness in multiparty computations, basically
17:39 < amiller> we've basically talked about all of these things before
17:39 < gmaxwell> amiller: yea, so it's generalizing the iddo stuff on the forum?
17:39 < amiller> yeah exactly
17:40 < gmaxwell> is it a pure theory paper or did they implement something?
17:40 < amiller> they say they implemented it all and used eligius to get the transactions in
17:40 < amiller> we should be able to track those down!
17:40 < gmaxwell> What MPC system are they using?
17:41 < nsh> "Abstract: itCoin is a decentralized digital currency, introduced in 2008...." bloody scamcoin pushers....
17:41 < amiller> Blum's coin flipping is all
17:41 < amiller> ah they actually give the transactions they use
17:41 < amiller> as blockchain.info indices
17:41 < amiller> https://blockchain.info/tx-index/97079150
17:42 < gmaxwell> ugh.
17:42 < gmaxwell> why would they do that... derp
17:42 < amiller> saves space :p
17:42 < amiller> (i see nothing wrong with that, tbh)
17:42 < gmaxwell> amiller: it'll be lost forever if bc.i reindexes again.
17:43 < amiller> well we should tag the paper with whatever relevant transactions they actually have
17:43 < gmaxwell> those indexes are not deterministic.
17:44 < amiller> ok well besides that
17:45 < amiller> they didn't need to use any generic mpc compilers like garbled circuits or whatever, their example is just the coin flip game like iddo's protocol, so they used a preexisting coin flip mpc protocol
17:45 < amiller> but their general statement is about any MPC
18:19 < hno> nsh, itCoin is only a copy-paste typo in the online abstract and meant to say BitCoin.
18:19  * nsh nods, smiles
18:20 < gmaxwell> amiller: I expect iddo will be unhappy with that paper.
18:20 < gmaxwell> amiller: it doesn't really go too much further than the coinflip stuff other than to note that it could be applied more generally. And I assume iddo was working on a similar paper.
18:21 < nsh> link/ref for iddo's work?
18:25 < nsh> also a discussion on mitmtalk now: https://bitcointalk.org/index.php?topic=355174.0
18:25 < nsh> oh, that was you amiller
18:29 < gmaxwell> amiller: I edited your post to add some hyperlinks. I hope you don't mind.
18:55 < amiller> np gmaxwell
18:55 < amiller> i think i'll email them and suggest they review iddo's forum post
18:55 < amiller> btc community is basically doing a terrific job of publishing and archiving all these ideas where they're trivial to cite and in fact people build on each other's work quite well
18:56 < Luke-Jr> terrific? more like terrible :P
18:56 < nsh> amiller, where's iddo's forum post pls?
18:57 < Luke-Jr> at least on my part
18:57 < gmaxwell> nsh: I added links to amiller's post. Reload.
18:57 < nsh> oh, thanks
18:57 < gmaxwell> Luke-Jr: people post ideas, they're clearly explained, or if not, people ask questions and explanations are forthcoming.
18:57 < gmaxwell> Luke-Jr: people are building off each other's work and cooperating.
18:58 < gmaxwell> The work isn't super rigorous or deep, but it's making a lot of progress.. and it even sometimes has implementations, which is something you can't say for many academic works.
19:01 < Luke-Jr> gmaxwell: a lot of the time it's just IRC chatter; even for forum stuff, it's hard to remember where what was said
04:04 < midnightmagic> nsh: We can't be friends anymore. I'm sorry.
04:04 < nsh> because gaiman? noes...
04:05 < nsh> if it helps, i was working in a call centre at the time and anything that wasn't market research questionnaires got a pretty big attentivity power-up
05:27 < justanotheruser> What are your thoughts on this? Can you route your bank website traffic through a third party safely? https://bitcointalk.org/index.php?topic=173220.0
05:34  * nsh frowns
05:35 < justanotheruser> In post 10 it looks like he proposes just giving the escrow the SSL key
05:36 < nsh> why not just get a receipt from the bank like everyone else does?
05:38 < justanotheruser> nsh: because that could be forged easily
05:44 < nsh> in any system where the bank has a private key, signing a receipt is going to be much simpler and more effective than keeping a log of http traffic
05:44 < nsh> i am probably missing something but this seems pretty absurd
05:44 < gmaxwell> nsh: that requires the bank cooperate.
05:45 < gmaxwell> this can work if the bank doesn't do jack shit beyond having an ssl website.
05:45 < justanotheruser> nsh: Banks don't sign receipts
05:46 < justanotheruser> they just encrypt it and send it to you
05:47 < justanotheruser> gmaxwell: have you seen the post I linked?
05:47 < justanotheruser> You're usually able to tell me some fundamental flaw in a system.
05:48 < gmaxwell> a while back, if it's the thread I think it is.
05:48 < gmaxwell> the proxy on aws that can extract a transcript of your bank session minus login credentials
05:48 < gmaxwell> which has enough remote attest to be relatively confident that it's legit
05:49 < gmaxwell> it's ugly, but what better can you do?  It would be vulnerable to misconduct on the proxy host hardware, or vulnerabilities in the software stack.
05:49 < justanotheruser> gmaxwell: can the transcript be forged?
05:49 < gmaxwell> avoiding leaking things like session cookies might be hard.
05:49 < gmaxwell> by someone with control of the proxy hardware or who has compromised its software stack.
05:50 < gmaxwell> I'd have to review again, I didn't look at it too deeply before.
05:50 < nsh> all seems very messy. i bet there are lots of ways to interact with online banking software that look right but cause a failure, or instantly cancelling it through another channel, etc.
05:50 < gmaxwell> my 30 second conclusion was 'yuck, well I suppose you probably can't do better right now'
05:51 < justanotheruser> gmaxwell: P2P exchanging with fiat is a pretty messy concept when you have banks that don't sign receipts and dollars that don't have proof they were transacted.
05:52 < gmaxwell> plus tons of corner cases.
05:52 < nsh> i wonder what a bank would say if you asked them to cryptographically sign receipts of purchase
05:52 < nsh> doesn't seem hugely onerous
05:52 < justanotheruser> gmaxwell: example of a corner case?
05:52 < gmaxwell> I'm sure there are all sorts of ways to make a ledger entry show up in the bank which means nothing.
05:52 < gmaxwell> I mean the transactions are inherently reversible.
05:52 < justanotheruser> nsh: they wouldn't go through that much work to keep a customer
05:53 < nsh> never ask for yourself. ask for you and your seventeen thousand friends :)
05:53 < gmaxwell> I pay you.. shows up in my bank. I get a transcript and call the bank. "sorry, I was drunk and some fraudster tricked me into it. please reverse."
05:53 < justanotheruser> gmaxwell: how do exchanges deal with that?
05:53 < gmaxwell> nsh: the problem is that we want to use this for applications the bank actually wants to block.
05:53 < nsh> oh, right
05:54 < gmaxwell> justanotheruser: long delays, invasive personal information collection... and profit margins big enough to absorb non-trivial losses.
05:54 < justanotheruser> gmaxwell: but if I wire money to btc-e in russia, it can't be reversed right?
05:55 < gmaxwell> it can be, sometimes.
05:55 < justanotheruser> wouldn't that involve russian banks cooperating?
05:56 < justanotheruser> Perhaps P2P exchanging can be achieved if we only trade with members of countries that aren't super good buddies with us.
06:31 < CodeShar_> gmaxwell: I got rid of that boost_log dependency :)
06:32 < CodeShark> gmaxwell: I got rid of that boost_log dependency :)
09:39 < Emcy> 30c3: To Protect And Infect, Part 2
09:39 < Emcy> is there actually a part one anywhere or is it called part 2 for another reason
10:57 < Emcy> i think appelbaum genuinely thinks he might wind up dead
11:27 < pigeons> it is scary to be messed with and have your family messed with by the people who are apparently messing with him
11:31 < Emcy> just how he joked about it at the end
11:31 < Emcy> just the way it came across
11:31 < Emcy> like he knows he is far past the point of no return so may as well press on
16:59 < andytoshi> a new snark paper from ben-sasson: http://eprint.iacr.org/2013/879
17:03 < andytoshi> 35 pages, has a bunch of tinyram benchmarks, looks really cool
17:53 < nanotube> fwiw, i enjoy both stephenson and doctorow >_> i wonder what that says about me. :)
17:56 < Emcy> doctorow i find a bit hard because the stuff he writes is preaching to the choir for me
18:01 < andytoshi> hey guys, who makes laptops like lenovo?
18:01 < andytoshi> who is not lenovo
18:08 < nanotube> haha good thing you qualified. or i might have said lenovo. >_>
18:09 < Emcy> whats wrong with lenovo
18:09 < nanotube> what particular qualities of 'like lenovo' do you have in mind?
18:09 < nanotube> i've been pretty happy with dells
18:09 < nanotube> they take well to linux
18:13 < andytoshi> well, the 440p no longer has the intel chipset, and rumor has it that the default one does not support linux
18:13 < andytoshi> also they don't have the eraser mouse
18:19 < andytoshi> by 'like lenovo' i mean i want a decent keyboard, and an eraser mouse, and ruggedization
18:55 < gmaxwell> maaku: in your blind signing investigation did you find an implementation for JS ready to go someplace.
18:57 < gmaxwell> ?
18:58 < gmaxwell> I'd like to ask wikimedia to just setup the donation form so that when you donate, for every $10 donated you get a blindsigned token which can be used to make an IP BLOCK exempt account in order to solve this problem: http://lists.wikimedia.org/pipermail/wikitech-l/2013-December/073764.html
19:45 < robert222> Bitmessage 2.0
19:45 < robert222> http://twister.net.co/
19:45 < robert222> "Introducing Twister: a fully decentralized P2P microblogging platform leveraging both the Bitcoin and BitTorrent protocols. "
19:50 < sipa> kthxbye
19:51 < CodeShark> https://github.com/CodeShark/bips/blob/master/bip-n2.mediawiki
19:51 < CodeShark> gmaxwell, sipa: please, tell me why this is a bad idea :)
19:52 < sipa> if a transaction gets included right at the edge, a reorganization could push it over the limit
19:52 < sipa> making it invalid
19:52 < sipa> and making any transaction depending on it invalid
19:52 < CodeShark> same could be said for double-spends, though, no?
19:53 < sipa> those don't happen without malice
19:53 < CodeShark> I gave some examples where they in fact happen without any malice at all
19:53 < sipa> malice or buggyness :)
19:54 < CodeShark> in practice you'd set the expiration sufficiently in the future and set the fee high enough so that this reorg risk is reduced
19:54 < gmaxwell> CodeShark: sipa was faster than me. This creates fungibility problems because now you have transactions dependent on spending recently mined expiring coins, where a perfectly ordinary chance reorg will potentially invalidate enormous amounts of transactions.
19:55 < gmaxwell> CodeShark: the risk is not just to the transaction user, the risk is to all downstream coins... and so you'd have to do blockchain analysis to figure out which coins have what exposure.
19:55 < gmaxwell> (preventing this is part of why the coinbases aren't spendable for 100 blocks)
19:55 < CodeShark> hmm - ok, this is a valid point, trying to think of a way around it
19:56 < sipa> in a world where nobody trusts 0-conf transactions, and everyone waits N (with N>2 or so) confirmations before spending anything, that is likely much less of a problem
19:56 < gmaxwell> There are other script features people have wanted that had similar risks.
19:56 < CodeShark> yeah, what sipa just said: accepting transactions with low confirmation count is already somewhat risky - if some of those coins also happen to be near expiration, it's even more risky
19:56 < gmaxwell> sipa: except if you accept N>2  and someone has a transaction which would get killed by an N=3 reorg, you would really want a N>2+3 wait on that coin.
19:57 < CodeShark> the biggest problem, I think, is not so much the risk; this could be managed. But the potential complications in dependency analysis
19:58 < CodeShark> but nothing that couldn't be solved with some well-written code :p
19:58 < sipa> too tired to reason now, but i'm very wary about changing the (apparently very deliberately chosen) rule that a transaction, once valid, is always valid (modulo its inputs becoming unavailable)
19:58 < CodeShark> doesn't seem to be intractable
19:58 < gmaxwell> as far as expirations go, we already have a way to expire: spend one of the contributing inputs. :P
19:58 < sipa> CodeShark: it's completely impossible for SPV wallets to do such analysis
19:58 < sipa> without a local mempool
19:58 < CodeShark> sipa: true
19:59 < CodeShark> well, there could be other partial validation mechanism
19:59 < CodeShark> but that's perhaps a topic for another time :p
19:59 < sipa> that's perhaps more on topic here in the first place :D
19:59 < CodeShark> I'm running into this problem right now as we speak, though - here's the use scenario:
20:00 < CodeShark> (it's not hypothetical - I'm actually doing it for real)
20:00 < CodeShark> you create a joint account with two other people, 2-of-3 signature policy
20:00 < CodeShark> you want to initiate a payment, need approval from at least one other person
14:11 < petertodd> jgarzik: Well, half the cost is probably a decent number to make it clear that doing the right thing is the way to go.
14:11 < gmaxwell> jgarzik: I do think we should have some way of binding a hash to a transaction under signature, setup so the data is prunable and so the space usage is strictly limited.  Esp if such a tool makes it easier for people to use _hashes_ instead of raw data that just has a lot of additional problems for us.
14:12 < jgarzik> currently patch definitely provides that
14:12 < jgarzik> timestamping an entire transaction is another use case, which obviously requires more data transited
14:13 < jgarzik> cannot have proof of visibility otherwise
14:14 < gmaxwell> proof of txn visibility is an interesting special case, because the list of interested parties is 1:1 with miners, I think it would be really unfortunate to enable random data storage just to enable txn timestamping.
14:14 < petertodd> We already have random data storage and can't do *anything* about it.
14:15 < gmaxwell> petertodd: That isn't the case for the utxo set.
14:15 < gmaxwell> oh but this is op_return.
14:15 < gmaxwell> Hm.
14:15 < petertodd> Lets suppose P2SH^2 was implemented and we even forced P2SH^2 spends to have signatures for every pubkey, you could *still* make special pubkeys by modular addition from a known point and just subtract that known point to recover the data.
14:15 < jgarzik> gmaxwell, "interested parties ≠ 1:1" not really.  Or at least not right now.  The link just given is anyone-can-spend.
14:16 < petertodd> gmaxwell: Sheesh, took you awhile to notice that...
14:16 < gmaxwell> part of the problem is I can't prove an output was @#$@# OP_RETURN to you without actually giving you it. :(
14:16 < petertodd> But you can't prove an output was spent correctly without giving you it either.
14:16 < gmaxwell> jgarzik: well, at least interested in _theory_; not my fault that miners aren't economically rational in any simple sense. :P
14:17 < jgarzik> heh.  Well maintenance costs of carrying a patched bitcoind forever also factor into rational economic decisions
14:17 < petertodd> OP_RETURN isn't special in that regard, and future UTXO proof stuff will allow for pretty good certainty that a given txout was prunable because it never made it to the UTXO set.
14:17 < gmaxwell> this 'simple sense' :P
14:18 < jgarzik> ;p
14:18 < jgarzik> petertodd, sipa's pullreq already does similar
14:18 < gmaxwell> petertodd: ideally it should be possible to sync a chain minus instaprunable data.
14:19 < petertodd> Remember that provided the inner tx of an announce-commit is standard interested *users* can always ensure sacrifices are actual sacrifices to keep whatever service they are using maximally honest.
14:19 < petertodd> gmaxwell: Yup, but that's going to require a soft-fork.
14:19 < petertodd> jgarzik: His prune OP_RETURN one? Yeah, it's not exactly rocket science...
14:20 < jgarzik> petertodd, nod.  proving an inner tx is already a known quantity
14:21 < gmaxwell> So?  For example, I'd rather require the OP_RETURN to only have 32 bytes, and then have a soft forking rule that there is additional out of transaction data required for you to accept the transaction near the tip. The fact that the soft fork would take a while to deploy is moot.. it will take years to deploy the sacrifices, so the fact that their security is weak initially is no big deal.
14:21 < jgarzik> obviously you can only prove unspent at that point in time, but it's still a lot of validation
14:21 < petertodd> gmaxwell: Look, like it or not, all you can do is make data in the blockchain more or less expensive relative to standard transactions. That's *it*
14:22 < gmaxwell> lol. Are you pounding a table? Careful. You might break it!
14:22 < petertodd> gmaxwell: If you want to do something, submit a pull-req to make CHECKMULTISIG's not in a P2SH !IsStandard() for instance - it'll up the cost.
14:22 < jgarzik> gmaxwell, I'm working on the identity stuff now, and certainly won't wait years :)
14:23 < gmaxwell> petertodd: but it simply isn't so, I can many any of it get hidden behind hash preimages... from where it becomes much easier to cut-along-the-dotted-line
14:23 < petertodd> All limiting OP_RETURN does is sends a *social* message.
14:23 < jgarzik> gmaxwell, the alternative is simply yucky but still doable (1-of-X pubkeys is actually valid)
14:23 < gmaxwell> jgarzik: you don't have to wait years for it to be used.
14:23 < adam3us> could there be another store and forward channel for tx data that doesnt need to be in the block chain, so the data doesnt need to be in the block chain can still be sent if the users are not both online at the same time can do so without resorting to email; and then try to minimize the bytes on the block chain via commitments etc
14:23 < gmaxwell> petertodd: no, that really isn't true.
14:23 < petertodd> gmaxwell: "I can many any" <- ?
14:24 < petertodd> adam3us: We're talking about proof-of-visibility here.
14:25 < adam3us> yeah i know, was lurking, but also about bloating the blockchain
14:25 < adam3us> theres a diff between everyone must see (validation) and must be available/pruneable or not
14:26 < petertodd> gmaxwell: Right now I can put 360 bytes of data in a given OP_CHECKMULTISIG txout. Making OP_RETURN limited to 32 bytes when CHECKMULTISIG abuse exists is sending a social message. So if you want to do that, ban OP_CHECKMULTISIG's not in P2SH at the same time.
14:27 < gmaxwell> jgarzik: basically an identity transaction whose visibility proof depends on a soft forking change to not mine it unless you've seen the hash elided data is usable to you today. But less secure until the soft forking change happens.
14:28 < gmaxwell> petertodd: There is no reason that you have to do (B) before (A) when your concern is just that it remains possible to do (B) in the future.
14:28 < petertodd> gmaxwell: Yes, but until you do (B) all you are doing is sending a social message because anyone who actually has a use-case for the 360 bytes will just do (A)
14:28 < gmaxwell> And I do think it's important to not enable more random data storage in a manner which is incompatible with hiding it behind a hash.
14:29 < petertodd> gmaxwell: Be clear: are you talking about UTXO data or blockchain data?
14:29 < jgarzik> gmaxwell, in general I agree, hence the proposal of "80 bytes || standard tx"
14:29 < jgarzik> gmaxwell, because the latter is a special case (PoV)
14:30 < jgarzik> the vast amount of timestamping works just fine with a hash
14:30 < petertodd> jgarzik: and the "standard tx" option for data is just the Bitcoin developers saying "we think *that* use of data is cool, so we'll make it cheaper"
14:30 < jgarzik> petertodd, yes
14:30 < jgarzik> petertodd, which is what all the IsStandard rules are :)
14:31 < gmaxwell> jgarzik: Why quite so much as 80 bytes?   What I'm pointing out is that even the special visibility stuff can work with a hash too: so long as we add a soft-forking rule that says you don't accept a block unless it comes with the preimage of the hash, when the block is near the tip of the chain. After that the data can be forgotten.
14:31 < petertodd> jgarzik: Emphasis on cheaper. It is *not* us saying blockchain data is banned, because we have no way to make that happen.
14:31 < gmaxwell> (if its not clear my last line was two totally distinct things)
14:32 < petertodd> gmaxwell: Forgotten in what context? UTXO or long-term blockchain data?
14:32 < midnightmagic> ;seen gavinandresen
14:32 < midnightmagic> ;;seen gavinandresen
14:32 < gmaxwell> Kinda crappy that we just needed to cut down on the additional message data, as that would have been a ducky channel to relay the preimages. :P
14:32 < gmaxwell> petertodd: forgotten in long term blockchain data.
14:33 < petertodd> gmaxwell: That's only possible by adding a proof-of-possession PoW mechanism and having a separate set of data storage.
14:33 < gmaxwell> Derp what?
14:34 < gmaxwell> You have a transaction with a hash in it. For the txn to be valid you must have the preimage of that hash. But this rule only applies when the block is sufficiently new.
14:34 < gmaxwell> You now have proven visibility once the rule is widely deployed.
14:34 < jgarzik> gmaxwell, Definitely lost me there.  I'll have to ponder/parse :)  I don't see how it solves the proof of visibility, but maybe "hash" is vague
14:34 < gmaxwell> Without adding more than 32 bytes of hash to the long term visible block chain.
14:34 < jgarzik> hrm
14:35 < jgarzik> gmaxwell, in particular for identity, the full tx must be available for anyone to spend
14:35 < petertodd> Right, you've proven visibility in the sense that 1/2 * hashes/second * 10 minutes of hashing power saw it - that's not very good.
14:35 < gmaxwell> jgarzik: Think of it as making the visible data attached to the transaction with a perforation: Rip along the dotted line.  But you're not allowed to rip it until the block is sufficiently old. You can define how sufficiently (maybe even encode that in the txn).
14:35 < petertodd> All I have to do to make invalid sacrifices is temporarily hack into a few big pools for an hour.
14:36 < petertodd> s/sacrifices/proof-of-visibility/
14:36 < gmaxwell> petertodd: No, thats not the case.
14:36 < petertodd> gmaxwell: Why not?
14:37 < gmaxwell> petertodd: You can choose the security parameter to where that isn't an issue. If the rippable sections must be provided for 144 blocks are you speculating that someone will perform a 144 block reorg in order to make bogus sacrifices?  Might as well give up.   You've already accepted some maximum depth by virtue of the nlocktime offset.
14:38 < gmaxwell> I don't know what parameter makes sense. I'd have to think more. But the important thing is that you can make the data possible to rip out, so that _no one_ has to remember it once an adequate announcement window has passed.
17:22 < amiller> i'm pretty opposed to any change in behavior that addresses some particular deviant strategy without any way of showing that it doesn't introduce poor performance against various other possible strategies
17:23 < amiller> i guess the idea is with simulation you can take all conceivable strategies and let them battle it out...
17:24 < adam3us> gmaxwell: yes ntp security is bad, adding dependence on time accuracy also bad; hard to eval anything without simulation - game theory permutations too complex
17:24 < adam3us> gmaxwell: it might not be inherently bad in the sense that if you tried to replace an old block, chances are someone else would extend it in the mean time then you wasted time
17:26 < adam3us> amiller: if nothing else this selfish-miner paper proves this is very complex and hard to exhaustively reason about, so +1 i think its a given, cant make changes eg until litecoin has canaried a well simulated and argued proposal for a year+
17:26 < amiller> lol.
17:27 < adam3us> amiller: (i mean by fact that seemingly other than bytecoin and maybe petertodd, this >33% strategy existed for years without it registering to everyone there could be a problem)
17:28 < gmaxwell> the problem there is that all coins (other alts, litecoin, even bitcoin) have gone huge spans of time with _known_ exploitable vulnerabilities (e.g. to get a edge at mining) and without people exploiting them. live testing is very useful but doesn't really tell us an attack won't start.
17:28 < adam3us> gmaxwell: but i also was suspicious about the concept of relying on coordinated time, it doesnt really exist in a distributed system, and pretending it does is bad
17:28 < amiller> (i'm pissed i didn't think of it too, while thinking about related anomalously-large-txfee and feather-fork incentive-compatibility problems)
17:30 < adam3us> does bitcoin have some built in sanity check protocol for time
17:31 < gavinandresen> adam3us: yes, although there is a longstanding bug-- see discussions of "timejacking"
17:35 < adam3us> i liked the idea of discouraging blind pooled mining, maybe you could do it with a reward address being a chameleon hash, then the pool can be convinced reward is due, but the miners can selfishly withhold the key winning block and assign it to themselves
17:37 < amiller> adam3us, sounds like my non-outsourceable puzzle?
17:37 < amiller> i don't understand the difference if there's one
17:37 < adam3us> amiller: yes that was what elicited the above
17:39 < adam3us> amiller: just suggesting the underlying problem is blind pools, and agreeing with your non-outsource motivation, and suggesting chameleon hash reward address could be a mechanism (i didnt see a simple one in the thread)... in that way you can change the reward addr after the fact
17:41 < adam3us> amiller: (btw i was going to ref the thread which i have open in a tab on other machine, but i couldnt remember if it was you or socrates ah.. you are socrates! that explains)
17:50 < maaku> adam3us: I haven't followed your latest discussions, but I understand it has something to do with alternatives to blind signatures, right?
17:50 < maaku> I'm using 1024+ bit RSA blind signatures for CoinJoin
17:50 < maaku> is there a better primitive I could be using?
17:51 < adam3us> maaku: yes there is a schnorr blind sig which can be EC so thats more similar, in fact it can use the same keys and params as ECDSA
17:52 < adam3us> maaku: and if you need to encode a value to the blind sig, brands has an extended version of it i have code (non EC, but DL with openssl): google credlib brands
17:53 < maaku> adam3us: is there sufficient peer review of these schemes?
17:53 < adam3us> maaku: 1024 is weak you need really 3072 rsa to match 256 ec
17:53 < maaku> well, it's not long-term keys
17:53 < maaku> just need to be secure for the duration of the protocol
17:53 < maaku> hours to days max
17:53 < maaku> typically minutes
17:54 < amiller> adam3us, lol, yeah, i'm socrates1024. sock, for short
17:54 < adam3us> maaku: yeah brands phd supervisor was chaum (inventor of blind sigs & ecash) then when brands fell out with him, rivest & shamir or something
17:55 < amiller> adam3us, anyway the construction for that approach has the advantage of using exactly SHA2 as the underlying hash, no need for chameleon hash, so that's a benefit to miners, although the zero-knowledge puzzle-stealing option relies on generic zk snark
17:56 < adam3us> amiller: yes i saw zk snark and thought... hmm complex, unproven, impractical as a starting point (though i know they compile based on existing zk constructs)
17:56 < amiller> it's not unproven...
17:56 < amiller> "GGPR" is the underlying scheme and proof https://usukita.org/sites/default/files/P3_rgennaro_quatradic_span_programs.pdf
17:56 < adam3us> amiller: i mean as in hasn't survived 20 years of academic prodding, not in sense of not coming with security proofs, many things with proofs got broken
17:56 < amiller> ok well yeah
17:57 < amiller> fair enough
17:57 < adam3us> amiller: whereas a chameleon hash can be very simple, posted one in gmaxwells' thread which is basically like a schnorr sig, ultra simple
17:57 < adam3us> amiller: conventional simple ECDL & hash assumptions
17:58 < amiller> i'm not sure it's suitable for proof of work
17:58 < amiller> i mean, proof of work relies on much more than collision resistance
17:58 < adam3us> maaku: doesnt privacy rely on the blind sig?
17:58 < amiller> you need like n^th unbounded partial preimage resistance
17:59 < adam3us> amiller: i dont mean as the work hash, just the reward address
17:59 < amiller> i don't think that's sufficient to get the strong work-hiding property
17:59 < adam3us> amiller: put in the coinbase, rewardaddr=CH(addr,x)
17:59 < amiller> in other words you could still embed watermarks in the work and therefore the mining pool could enforce it by requiring a bond to participate
18:01 < adam3us> amiller: yes you do need the mechanism to be ZK basically, so in the chameleon case you need there to be no coercion way for the miner to prove he has disabled the hash malleability
18:02 < maaku> adam3us: no, at least with RSA blind sigs, breaking the key means someone else can impersonate the facilitator
18:02 < maaku> ... i think, i would suggest double-checking that
18:02 < maaku> but the blinding factor should make sure that privacy is preserved
18:03 < adam3us> maaku: yes you are right, its info theoretic privacy
18:03 < adam3us> maaku: but if they factor your key, and its long lived, they can take your money
18:03 < maaku> well, the key doesn't outputs in this case
18:04 < adam3us> maaku: but are you wanting a single denomination only?  chaum blind sig ecash has no denomination
18:04 < maaku> for a mixing coinjoin transaction, there's a pool of same-denomination outputs, and the facilitator generates a key specific to that pool
18:05 < maaku> the participants then blind their outputs, the facilitator signs them, then the participants disconnect, unblind, and reconnect anonymously to broadcast
18:05 < maaku> then the key is thrown away
18:07 < adam3us> maaku: ok; yes just to say if you want multi denomination brands can do it, though i suppose that wont be useful as diff denominations tend to correlate the inputs
18:07 < adam3us> maaku: ok; yeah rsa blind is very simple
18:09 < adam3us> maaku: i suppose rsa keygen is a bit entropy hungry and cpu expensive vs ec schnorr long term keys but otherwise it seems not much point switching
18:13 < adam3us> amiller: have to think about the zk coercion free possibility of chameleon hash for nonoutsourceable puzzle, seems like an interestingly simple mechanism if it could be shown secure
18:14 < maaku> adam3us: I'll probably continue to prototype with RSA (other advantage: implementation is dead simple)
18:14 < maaku> but it's nice to keep tabs on more efficient (space and time) solutions
18:14 < adam3us> maaku: yes exactly, simplicity tends to win
18:14 < amiller> adam3us, it seems like a premature optimization to me but i don't disagree really, i guess i'm personally more interested in seeing if i can get any better economic statement just by assuming we have a coalition-free puzzle
18:15 < maaku> i just wasn't aware there was much consensus on an EC blind signature scheme
18:15 < maaku> it's a primitive we need to have anyway for other uses...
18:17 < adam3us> maaku: yep its there i guess despite its brilliance no one really used brands stuff nor even chaum
18:22 < adam3us> maaku: btw p5 & 6 of this: http://www.di.ens.fr/~pointche/Documents/Slides/1996_asiacrypt.pdf talking about blind sigs mentions chaum and schnorr for background
18:22 < adam3us> maaku: (gives the math on one slide)
18:33 < adam3us> amiller: btw in non-outsourceable puzzle thread you described motivation to prevent a hosted miner (by making it so the hosted miner could steal from the user) however i mean something related but different, discouraging pooled miners from not validating their own blocks (blind mining i mentioned it as)
18:35 < adam3us> amiller: you mention miner proving to the paying client that it is working for them, but i guess thats not how people are doing it, presumably they just audit loosely based on knowledge of power and expected return, and that could remain the case with a non-outsourceable puzzle
18:36 < amiller> well it guarantees you'll have no lucky streaks or something like that :/
18:37 < adam3us> amiller: however users blindly using miners is bad, without validating their own blocks so i was interested in ways to make that (not creating your own coinbase from tx you got yourself) unsafe for the pool
18:37 < amiller> i see
18:37 < adam3us> amiller: yes but thats not a big disincentive
18:38 < amiller> you're right it's unfortunately sort of tricky there
18:38 < adam3us> amiller: its kind of the same thing but in the opposite direction
--- Log closed Mon Nov 11 00:00:04 2013
--- Log opened Mon Nov 11 00:00:04 2013
04:20 < gmaxwell> if you mean some function of recent transaction fees the problem is miners padding up transaction fees with payments to themselves to manipulate prices (might as well just let miners set them)
04:20 < justanotheruser> gmaxwell: you could look at how much was paid in tx fee since the last difficulty adjustment (or some other arbitrary period of time)
04:21 < justanotheruser> gmaxwell: yeah, that is a problem
04:22 < justanotheruser> There's not really a way to evaluate how many namecoin users there are...
04:22 < gmaxwell> you can look at the registrations however.
04:23 < gmaxwell> (and also, it's easy to see it not being used anywhere, and even easy to see the lack of people asking how to use it)
04:23 < justanotheruser> gmaxwell: but you can't set the registration rate based on the number of registrations
04:23 < gmaxwell> yea oh sorry I thought you were back to suggesting that namecoin isn't currently a failure. :P
04:23 < justanotheruser> If there were only 500 domains offered per day, people would have to compete in price for registering.
04:24 < justanotheruser> Unfortunately namecoin isn't going to ever be stable, so you can't say "$10 for a registration"
04:24 < gmaxwell> yea, I've got no freaking idea.  yes, one possible way would be to make the database fixed in size or something like that.
04:25 < justanotheruser> if people compete in price it would have to be in mining fees, so the miners would be able to register however many domains they wanted...
04:25 < gmaxwell> well with 2 way-peg you could transfer bitcoins into the namecoin chain to pay for names, thus giving them to miners, who can remove them from the namecoin chain. (I mean, if we're talking about things which decidedly aren't namecoin as it is today) so then the instability of namecoin as a tradable asset can be removed.
04:25 < justanotheruser> but I guess for every domain they buy, they lose one domain sale that day
04:25 < gmaxwell> justanotheruser: unless the system just limits it via a protocol rule.
04:26 < justanotheruser> gmaxwell: is there a way to have a decentralized 2 way peg?
04:26 < gmaxwell> I guess you missed those discussions. I believe it's possible, there are some security limitations.
04:27 < justanotheruser> also I don't think pegging something to bitcoin makes it stable. It makes it more stable relative to all other cryptocurrencies, but relative to almost every other asset/commodity bitcoin is incredibly unstable
04:28 < gmaxwell> basically I suggested a relatively minor softforking addition that would allow you to assign coins to another chain, and then carry a proof back from the other chain to bitcoin to allow you to very slowly teleport coins back and forth.
04:28 < gmaxwell> (slowly meaning like 100 blocks)
04:28 < justanotheruser> gmaxwell: would this allow for offchain transactions if the bitcoin chain was too big making transaction fees high?
04:29 < justanotheruser> well not "if", but for that reason would it be useful
04:29 < gmaxwell> it would. or more interesting it would allow altcoins to experiment with new ideas without also creating new currencies. (at least when the idea is just new payment network ideas)
04:30 < gmaxwell> e.g. you could have namecoin but without having a separate namecoin currency.  or you could have some 10 second blockchain thing (0_o) or something with more powerful script.
04:30 < gmaxwell> (turing complete script, whoppie!)
04:30 < justanotheruser> gmaxwell: is the peg discussion in #bitcoin-dev logs?
04:30 < gmaxwell> it's in the logs here.
04:30 < justanotheruser> any public logs for this channel?
04:31 < gmaxwell> andytoshi-away: makes logs, dunno where they are.
04:31 < michagogo|cloud> (The logs should really be mentioned in the topic...)
04:32 < justanotheruser> I'll make a note to ask him for the logs
04:32 < gmaxwell> it's not a serious proposal at this time... but perhaps it will become one. The belief that it could work two ways is relatively new. (it's not that complicated an idea though, I'm sure I would have said it was obvious in 2011 if it had been suggested to me then)
04:32 < justanotheruser> gmaxwell: so would this pretty much remove the need for Open Transactions?
04:33 < gmaxwell> but in any case the idea is that you make a payment to a special scriptpubkey which basically says "these coins are now controlled by foocoin"   and then it's possible to spend from txouts to that scriptpubkey by showing up with an SPV proof "foocoin says you should give me X of those coins to scriptpubkeys Y and Z", plus some extra details.
04:34 < gmaxwell> justanotheruser: well it would allow the same kind of "binding" that open transactions could do already using multisig ... but allow it for other blockchain cryptocurrencies.
04:34 < justanotheruser> gmaxwell: isn't the only way for that SPV proof to exist by embedding all those block headers in the bitcoin blockchain?
04:35 < justanotheruser> Or is there some way that the miner can be proved that their blockchain says something without actually looking at anything other than the transaction
04:35 < gmaxwell> justanotheruser: sure, but 100 blocks is 8kb. whopptie do.  These transfers would generally be infrequent because they'd be used for bulk liquidity, normally if you want coins on the other chain you find someone who wants bitcoin and you do an atomic coinswap.
04:35 < gmaxwell> But the coinswaps alone cant get you a 2-way peg because they can't provide long term liquidity.
04:37 < gmaxwell> justanotheruser: the proofs could also be structured so that they can be pruned. e.g. perhaps the only thing that gets stored in the blockchain directly is a summary of the proof. After all the proof only has SPV security, once it's thousands of blocks deep in bitcoin why keep it?  (and if that were done the proof wouldn't need to count against the block size limit, or wouldn't need to count against it fully)
04:38 < gmaxwell> (also a single proof could actually be batching dozens of transfers, e.g. foocoin tells bitcoin a whole list of scriptpubkeys to pay, at least you can get batching in the foo->bitcoin direction)
04:39 < justanotheruser> gmaxwell: Seem expensive still. The blockchain could end up storing a dozen other blockchain headers in it
04:39 < gmaxwell> e.g. the foo->bitcoin instructions are generated by foocoin miners, summarizing actions commanded by transactions and validated according to the foocoin rules.
04:40 < gmaxwell> justanotheruser: well snarks can compress that kind of thing down to 384 bytes for 128 bit security, but I'd prefer to show it viable without any cutting edge cryptography.
04:40 < justanotheruser> I wonder if there's some crypto that could be used to do that proof in a size significantly smaller than the actual altchain
04:40 < gmaxwell> justanotheruser: and each of those dozens of other chains could have an infinity of transactions, seems like a good tradeoff to me.
04:41 < justanotheruser> gmaxwell: do you think that's more viable than sharding the blockchain?
04:41 < gmaxwell> justanotheruser: zk-SNARKs can have size only proportional to the security level. The size of the rule being proven or the data it accesses is irrelevant to them.
04:43 < gmaxwell> but the really small ones have some uncomfortable security tradeoffs (CRS assumption) the ROM ones are somewhat larger (eg 20kb, though I did invent a novel compression scheme which may help, so they may not be good for compressing header proofs, but then again they'd allow full security not just spv, potentially.. but this is all really cutting edge and not yet totally practical stuff.)
04:44 < justanotheruser> hmm
04:44 < justanotheruser> gmaxwell: do you have some cryptography PhD or something?
04:45 < gmaxwell> in any case, I don't think an 8kb signature intermittently per bound chain is a bad tradeoff. Especially knowing that application of sufficient magic could make it smaller in the future.
04:45 < gmaxwell> justanotheruser: No. I'm just some guy who enjoys math.
04:45 < justanotheruser> I see
04:45 < justanotheruser> This idea seems to have a lot of potential
04:46 < justanotheruser> Would this not require disabled opcodes to determine whether the transactions belonged to someone else on this other chain?
04:47 < justanotheruser> I guess you said it was a softfork, so my real question is why wouldn't it
04:47 < gmaxwell> I think it does too. well, and it also may solve a problem thats been bothering me which is that its hard to do novel cryptocoin experimentation. We can't mess around with it in bitcoin because its too important. Alt systems generally get little love because they're worthless, unless you make a big thing about pumping their value and then that speculation becomes all encompassing.
04:48 < gmaxwell> justanotheruser: we'd add a new opcode in place of a no-op today "the thing on the stack is a chain binding proof, this transaction is only valid if the proof is valid"
04:48 < gmaxwell> old nodes would just see a no-op transaction and permit it.
04:49 < gmaxwell> It would be safe to use once a super majority of hashpower agreed to enforce it as a rule in the chain same way p2sh was deployed.
04:49 < Taek42> gmaxwell, what's your opinion of XRP?
04:50 < gmaxwell> Taek42: https://bitcointalk.org/index.php?topic=144471.0 the whole thread is informative, I answer my own question and then get into a discussion with one of the ripple developers.
04:50 < Taek42> thanks
04:53 < justanotheruser> Any known weaknesses to the pegging system?
04:53 < gmaxwell> ohh "Crony Consensus"  I'll have to remember that.
04:54 < gmaxwell> justanotheruser: at least as I was describing above it only has SPV-like security. meaning that if you can outpace the second chain you can steal all the bitcoins assigned to it and leave it fractional reserve.
04:55 < gmaxwell> (which would be part of the reason it would need to be fairly slow)
04:55 < gmaxwell> (I mean the teleport operation would need to be slow)
11:19 < adam3us> jgarzik_: sure they do, but what i mean is i want a compact representation for the entirety of a snapshot of an OS (like a merkleroot for the OS at that point in time) so that it is safe to download modules
11:20 < petertodd> adam3us: right, but don't teach your offline wallet about base addrs, because then users will do dumb things like verify the base addr via PGP on a compromised computer - stick to matching the identity of the person they are transacting with and how they established that identity
11:20 < adam3us> jgarzik_: even if the signer does a poor job of managing his rpm signing key
11:20 < adam3us> jgarzik_: like you get an ISO checksum, but then most of these isos wont even install without a network connection!! (nutters if you ask me)
11:20 < jgarzik_> adam3us, interestingly, with some filesystems, that automatically happens at the filesystem level
11:21 < adam3us> petertodd: i am saying lets at least make it work conveniently for the people who are trying to do things securely.  eg an exchange has an airgapped backoffice for enrollment.  users get a trezor in the snail as part of their exchange setup. that prevents misdirecting deposit addresses
11:22 < petertodd> adam3us: right, which is a totally different tech than anything I was thinking about
11:23 < adam3us> jgarzik_: yeah.  you know zach brown? btrfs, zfs have what you said  but thats about file system integrity.  you want that on the base iso and the merkle tree of all point in time snapshot of packages available for it.  then i can write the checksum down and I know for sure even if someone holds a gun to the head of the package signer he cant tamper with code post-hoc or in a targeted way against me
11:23 < K1773R> why does bitcoin use /dev/urandom and not /dev/random?
11:24 < jgarzik_> K1773R, /dev/random takes forever for questionable additional security gain
11:24 < adam3us> K1773R: probably because /dev/random can block and /dev/urandom is good enough.  but there could be an argument for /dev/random for keygen only
11:24 < K1773R> jgarzik_: what about ppls with HWRNG?
11:25  * jgarzik_ isn't familiar with the PPLS method of mining pool payouts
11:25 < adam3us> petertodd: point is even the tech users have no bitcoin internal tools short of calling the sender, per transaction, or scripting some pgp sigs on the offline machine (trezor wont do that as its not part of the protocol at present)
11:26 < K1773R> adam3us: well, i just had to debug something (ie, with strace) and saw it used /dev/urandom . which operations depend on /dev/urandom and how much bits/bytes are needed?
11:28 < petertodd> adam3us: indeed they don't, but lets not encourage tools that turn into extremely specific things...
11:28 < petertodd> adam3us: the fundamental issue is you have to verify against the identity that the other party communicated to you with in the first place - the example of a physically loaded key is an exception
11:29 < adam3us> petertodd: thing is airgap doesnt really fix the problem for people who actually do transactions (biz, customers) it just moves it on to the insecure computer and hoping there's no malware on it - we know thats a lose even for revocable credit card payments
11:30 < adam3us> petertodd: what use is a payment request x509 sig against a malware loaded machine with installed malware fake CA, address replacing code, and at the high end stolen CA private keys (not like that didnt happen before)
11:36 < petertodd> adam3us: yes, but if the CA system is secure, then only thing that really helps is to verify the destination *on the offline wallet* against a payment protocol request
11:36 < petertodd> adam3us: equally, if PGP WoT is secure
11:36 < petertodd> adam3us: anything else means you can do attacks where you trick the user into accepting an identity for the key that had nothing to do with the identity of the person they thought they were transacting with
11:36 < petertodd> adam3us: (modulo entire CA systems meant to track other CA systems... ugh)
11:37 < adam3us> petertodd: right.  but people know how to do fact checking, due diligence and biz people do it all the time for high stakes decisions
11:38 < petertodd> adam3us: so what? there's no better alternative
11:38 < adam3us> petertodd: they'll research the company, call them up, go visit them, look at their paper work.  expect courier documents.   etc this can work for crypto currency exchanges also
11:38 < adam3us> petertodd: yes my assertion is you need the trust to be rooted in the financial identity because its the most critical and most secured part
11:38 < petertodd> adam3us: and yeah, I'm not saying that's a bad thing to do, I'm just saying if you *aren't* doing some fancy physical protocol, we have no other alternative
11:39 < adam3us> petertodd: ok, yes so then i'm saying so we need this signed addresses generated & validated by hw airgapped 'puters and trezor devices as a min bar as part of any bitcoin related transaction
11:39 < petertodd> adam3us: besides, mail has its own set of security risks too... a SSL cert/PGP key + being told to verify a fingerprint isn't crazy (or make it that getting the fingerprint is the only way they can get the key)
11:40 < petertodd> adam3us: indeed, and the payment protocol is meant to solve exactly that!
11:41 < adam3us> petertodd: well except it is probably not the right flow as it needs the recipient key also, plus its so far (right?) tied to X.509 which is a sideways step
11:42 < petertodd> adam3us: no it's not tied to X.509 at all, look at the spec
11:42 < petertodd> adam3us: and what do you mean by flow anyway? you want to just select a recipient in your offline wallet as step one?
11:45 < adam3us> petertodd: i mean you are proving to the world (or giving a transferable proof) that this address belongs to this recipient maybe ok for a merchant, but the user doesn't have an SSL cert to issue a payment request with.  i was meaning you could have a payment request request, where you said this is my public key, i want to buy one of those, and then the payment request sends you an encrypted non-transferable signature (or encrypted signature i
--- Log closed Fri Nov 22 11:59:44 2013
--- Log opened Fri Nov 22 12:00:02 2013
12:07 < petertodd> adam3us: sorry, server crapped out, repeat that?
12:10 < adam3us> petertodd: seems like payment request does 90% of it, except you need the signature on the payment request to come from an airgapped key, or the key to carry its own proof it was originally generated with the airgapped key before upload to the server.  the thing is if the server is handing out keys from a pool, you don't know if someone broke into the server and re-served you with an address associated with their exchange account
12:11 < adam3us> petertodd: i mean having the server hand out signed requests but composed of an unsigned address from a pool in server ram or server disk is just inviting trouble mid-term though a short term improvement
12:12 < petertodd> adam3us: right, but if your website is insecure they can already redirect where the money goes anyway
12:12 < adam3us> petertodd: it's not like people can't break into servers, just that it's not that interesting with credit cards because you the consumer pays the 3-5% fraud cost and the merchant lives with the chargeback
12:12 < petertodd> adam3us: the only way to improve upon that is to create a whole new CA system of bitcoin addresses + identities
12:13 < petertodd> adam3us: yeah, well, get better security for your keys: e.g. put the SSL keys on an HSM
12:13 < petertodd> adam3us: or, if it's with PGP, same idea
12:15 < adam3us> petertodd: yes that's what i'm saying. i think bitcoin should form its own payment security based identification system
12:16 < adam3us> petertodd: preferably without trusted third parties (CAs) being trusted too much, or prominently displaying the static  merchant identity fingerprint (with airgapped private key) so you can check it manually
12:18 < petertodd> adam3us: check it manually how?
12:19 < petertodd> adam3us: I don't think we know what we should be doing in this space yet actually; get the payment protocol out there and start learning about how it works in practice
12:19 < petertodd> adam3us: what you're talking about, especially re: manual checking, really sounds like a job for PGP...
12:19 < adam3us> petertodd: yes.  but it's quite predictable where the next weak point is
12:20 < petertodd> adam3us: and again, what good is that vs. adding *manually checkable* OpenPGP to the payment protocol?
12:20 < adam3us> petertodd: i think it ideally should be something simple, concise and built in.  the authenticity of addresses is a core bitcoin internal critical requirement
12:21 < petertodd> adam3us: and simple and concise just isn't. The closest thing to simple and concise is a friggin address book with manually entered addresses (+HD wallet seeds if you want to get fancy)
12:21 < petertodd> adam3us: we've already got that
12:21 < adam3us> petertodd: and if we promote one-use addresses, which we do for fungibility/privacy, then we have to somehow fix up the user experience and user comprehension and out of the box security of doing it (even if it means all users need to use hw wallets for non toy amounts of spare change)
12:22 < petertodd> adam3us: yeah, and as I say, we've already got the single address thing covered, and adding derivation isn't rocket surgery
12:22 < petertodd> adam3us: anything beyond that and you're talking about identities, which are not simple or concise, (and frankly I doubt the trade-off is worth it - more people will lose coins due to malware than bad CAs)
12:22 < adam3us> petertodd: right.  i proposed another way to get fungibility by using a static address, that can be randomly derived from by senders without your chain code for this kind of reason.
12:23 < adam3us> petertodd: "single address thing covered" you mean one use address as transaction number (but not really address in name)!
18:54 < gmaxwell> right, and you can also have 100 gb of memory which you run 100 instances in parallel, and then you do this over and over again problem after problem amortizing the hardware costs and shifting the costs towards operating costs.
18:55 < tromp__> this imposes a large cost if you want to run 1000s of attempts in 10min, because you need to have many GB now
18:55 < tromp__> ok, now consider the installed base of commodity hardware
18:56 < gmaxwell> sure but its linearish (actually better since manufacturing scales) up to the point at which you start exhausting the earth's resources. :P   In any case, I'm not saying this tradeoff loses, but that you cannot compare it soundly without a model for the total cost, not just the upfront costs.
18:56 < tromp__> there may be 100M PC's that can run cuckoo
18:56 < gmaxwell> tromp__: right and that installed base gives the defenders an advantage, but that advantage may in fact be completely overcome by the operating costs.
18:57 < tromp__> so for someone to match that they'd have to invest in 100M *1GB
18:57 < gmaxwell> You can convert everything in this comparison into dollars (or dollar equivalent joules) if you like.
18:57 < gmaxwell> And hardware costs are one time, so they amortize.
18:57 < tromp__> that's WAY harder than in the bitcoin world, where a modest investment can match the combined gpu hashing power in the world
18:58 < gmaxwell> That's the analysis which I have pointed out several times is flawed.
18:58 < gmaxwell> The operating costs are the supermajority of the costs, not the hardware costs.
18:59  * nsh wonders . o O {is progress-freeness definitely essential for consensus-POW?}
18:59 < tromp__> in any case, what you propose is that an "attacker" can basically buy a shitload of PCs to do cuckoo hashing, and amortize their cost
18:59 < gmaxwell> The advantage you can get in bitcoin comes from the fact that dedicated hardware is enormously more power efficient. (it's also worth noting that the speed of all the current bitcoin parts is predominantly power limited, they could run much faster, but they'd require more expensive packages and/or exotic cooling)
19:00 < gmaxwell> nsh: if you're not progress free (at least on a large scale) you're unfair and you give superlinear rewards to larger participants, which would incentivize centralization.
19:00 < tromp__> the operating cost of latency constrained RAM is pretty low
19:00 < nsh> hmm
19:00 < gmaxwell> yes, ::cries:: and thats bad!
19:00 < gmaxwell> I agree that its low.
19:00 < tromp__> no, that means an attacker is constrained by investment cost
19:00 < tromp__> by cost of buying tons of RAM
19:01 < tromp__> he'll never spend as much on operating cost as the investment in RAM
19:01 < gmaxwell> Sorry, I think we're wasting time now. I suggest we both take a break and consider this again later with fresh eyes. By then I'll also read your paper, as I'm sure it's independently interesting regardless of this meta argument.
19:01 < tromp__> good idea.
19:02 < tromp__> thanks for your interest in my proposal
19:05 < tromp__> to summarize my arguments: cuckoo is sequential latency constrained -> not parallelizable -> miner cost dominated by initial RAM investment rather than operating cost -> cannot match worldwide commodity PCs
19:07 < gmaxwell> Yes, this is also the argument advanced in the scrypt paper (just without the mention of operating costs). I am concerned, but not yet convinced that at least in the scrypt paper the argument is wrong, and I am nearly convinced that at least for some scrypt parameters that its wrong. This may not apply elsewhere, however.
19:08 < tromp__> also note that scrypt cannot increase RAM use much, because verification is already nontrivial
19:08 < tromp__> while cuckoo verification is always trivial
19:10 < gmaxwell> yes, I'm aware of this. It's inapplicable to the KDF case,  as I said before I think the PT was giving the wrong initial argument to you.  Collision like things usually fail to progress-freeness problems or TMTO, but they do achieve asymmetric verification costs.
19:11 < tromp__> right, you cannot make a good KDF out of cuckoo
19:12 < gmaxwell> Why not? take your first solution from a deterministic start and hash it. The result is your key.
19:13 < tromp__> let me check my email correspondence on this
19:16 < tromp__> that does make a KDF, but it doesn't exploit the neat feature that cycles are trivially checkable. and memory hardness has to be taken more on faith than with ROMix based functions
19:17 < tromp__> so it's not an obvious improvement over other schemes
19:17 < tromp__> whereas for PoW it has ideal properties that no other PoW has
19:27 < tromp__> afk to dinner
22:35 < gmaxwell> man, the internet is so screwed up: http://thenextweb.com/socialmedia/2014/01/29/lost-50000-twitter-username/#!tV5FI < this guy got his short twitter account name extorted out of him, and part of his advice is not to use your own domain names for registration because the domain names are so easily hijacked.
22:45 < c0rw1n> that's screwed up yes
22:49 < tromp__> with paypal you need to actively opt-out of being screwable. of course they have plenty other ways to screw you...
22:50 < tromp__> generally, the last 4 digits of cc should be considered public knowledge
22:50 < tromp__> so godaddy was the bigger offender
22:54 < andytoshi> tromp__: agreed, i'd register a domain with realsolid before godaddy..
23:00 < tacotime_> andytoshi: I hear he's offering decent prices for fee shares on his exchange these days too
23:03 < tacotime_> It's a shame for SC2, I feel like if RS/CH hadn't gone so outrageous crazy on trying to manipulate the price it would still hold some value today as a litecoin competitor
23:06 < tacotime_> And I was surprised how long the trust node system stood up for.
23:06 < gmaxwell> it got abused by RS pretty quickly.
23:07 < gmaxwell> I think it was only two months or so before the first time he used it to force a subsidy change on the network.
23:07 < tacotime_> Yeah, that was the problem. I mean, SK more or less does the same thing with checkpointing PPC, but SK doesn't mess with the chain.
23:08 < gmaxwell> yea the ppc mechanism is functionally quite similar though at least RS had an argument about how his thing would eventually be distributed. (though after he decreased the subsidy you could be pretty sure no one would ever have 1M SC)
23:08 < tacotime_> There's nothing super wrong with a temporarily forced centralization of the chain while it takes off and you mess with new features that could break it I think, but when you decide, "Hey, the price isn't high enough!  Let's decrease subsidy 100 fold!"...
23:09 < tacotime_> Yeah
23:10 < gmaxwell> tacotime_: well PPC's thing is not temporary, it was originally that way to bootstrap until POS took off, but most mining is POS now... and the new white paper points out that the checkpoints are needed to create a consistent baseline state for POS.   but yea yea.
23:10 < tacotime_> There's a new version?  I didn't know he'd changed that... that's unfortunate.
23:11 < gmaxwell> if I did an altcoin I'd have multisignature broadcasted checkpoints (e.g. distributed instead of fully centralized) and I'd have the nodes disable them automatically at some high enough difficulty.
23:11 < tacotime_> That makes sense.
23:12 < gmaxwell> yea, the updated one he did after the initial attack on PPC POS where someone was mining all the blocks. (by grinding at block hashes to search for a history where his stake was selected in every block)
23:13 < tacotime_> Right.  I don't think that totally justifies complete centralization though... that's kind of an admission that you're not really confident in what you're doing functioning correctly on an independent basis
23:14 < c0rw1n> (or that you're a wannabe rent-seeking exploiter / future scammer / Ripple)
23:15 < tromp__> could you have checkpoints triggered by the blockhash being particularly far below the difficulty?
23:16 < gmaxwell> tacotime_: yea, well the bigger change that was made at that time was making it so that only pow blocks select POS miners, meaning that a POW majority can pick which stake can mine, and which makes high pow difficulty more or less essential to the security.
23:16 < gmaxwell> tromp__: I can't decode what you're suggesting.
23:16 < tacotime_> Oh, that's what that stake modifier thing was all about?  He refused to explain that to me
23:17 < gmaxwell> fortunately(!) his code is pretty readable.
23:17 < tacotime_> That's also kind of scary though, as it makes the network more open to attack if someone decides to DDoS all pools
23:17 < tacotime_> Also the reward algorithm itself makes that lucrative
23:18 < tacotime_> I wish he would have just said that sentence to me 12 months ago, because that makes total sense.
23:18 < tromp__> if the blockheaderhash has maybe 16+ more zeroes than required by the target difficulty, that could be considered a checkpoint trigger
23:18 < gmaxwell> I just assume he's one of us, I think its generally well executed, it suffers because the overall idea is kinda lame. I like bitching about him because he's probably here twitching that he can't reply without blowing his anonymity. :P
23:18 < tacotime_> Haha
23:19 < tromp__> so checkpoints would happen about every 2^16 blocks
23:19 < gmaxwell> tromp__: you can get some awesome attacks out of that. e.g. mine such a thing and then delay announcing it.
23:19 < gmaxwell> totally pointless, you should probably erase the word checkpoint from your mind, only horrible things result from it.
23:19 < c0rw1n> ooh scary
23:19 < tacotime_> Yeah it's the reason you have to be cautious about using the total work of a chain as the selecting factor too.
23:20 < tacotime_> Because if you hide the block from the network and it represents a huge amount of work, doublespending becomes very easy.
19:07 < Luke-Jr> which tbh is more interesting to me than Freimarkets..
19:11 < maaku> ok so the story there is I've already gotten permission from the two major pools (>90% of the hash power) to add merged mining with the Freimarkets hard-fork
19:30 < Luke-Jr> maaku: hopefully an improved/fixed algo? :D
19:46 < maaku> Luke-Jr: yeah, basically a generic mechanism for committing arbitrary key/value data to the coinbase using Merklized indices
19:47 < maaku> also works for document timestamping, or other applications
20:21 < andytoshi> i'm going to delay the coinjoin another day because i'm close to having a tool which will merge the signed transactions for me
20:21 < andytoshi> so again i'm open to people joining in :)
21:36  * andytoshi-logbot is logging
22:25 < gmaxwell> andytoshi: if you've got a merging tool then you can probably go nag more people to join.
22:26 < gmaxwell> e.g. go post in the cj thread.
22:36 < andytoshi> gmaxwell: not yet
22:36 < andytoshi> i'm almost done the merger, but rust has no json-rpc support, so there'll be some more work
22:36 < andytoshi> it's no problem to just wrap a C lib, but those are hard to come by too :P
22:51 < gmaxwell> json rpc so that it yells if you try to add already spent coins? are you going to make it constrain outputs<inputs per user too?
22:52 < andytoshi> the latter
22:52 < gmaxwell> cool. make sure you shuffle the order.
22:52 < andytoshi> good call
22:53 < andytoshi> in about an hour i'll have something that can merge transactions and checks that they at least are all the same transaction
22:53 < andytoshi> i'd like to figure out RPC so i can check spending and value constraints
22:53 < andytoshi> and i'd also like to figure out CHECKSIG
22:54 < andytoshi> but those can wait for another day
22:54 < gmaxwell> I guess if you're fetching the inputs you can validate the sigs... but thats not super critical...
22:55 < gmaxwell> validating is a pita if you're not constraining the kinds of coins you spend.
22:57 < andytoshi> yeah, i read through the wiki pages and etotheipi's graphic..
23:18 < andytoshi> i think it's working (rust is incredible, first time it compiles it does the right thing)
23:18 < andytoshi> how can i verify that the signed transaction is valid?
23:35 < gmaxwell> andytoshi: there is no 'validatetransaction' rpc call, the best you can do is try it on testnet ... or an isolated node. (e.g. if the txn isn't relevant to your wallet, and you are -noconnect -nolisten ... it'll only ever be in memory on your node)
23:50 < andytoshi> done, will be on github in 5 minutes..
23:51 < gmaxwell> you may have the odd honor of having first publicly posted rust bitcoin code.
23:56 < andytoshi> https://github.com/apoelstra/coinjoin
23:56  * andytoshi blushes
23:56 < jgarzik> gmaxwell, I'm pretty sure signtransaction will validate for you
23:56 < jgarzik> gmaxwell, it's not explicit, but there is a way
23:56 < jgarzik> one of the RPC calls will perform that function
23:59 < gmaxwell> maybe the complete flag there ... but I'm not sure, as I've run into it saying complete:false on a totally valid completed transaction in some case or another.
23:59 < gmaxwell> it won't tell you where it fails if it does, which I think is what andytoshi would want.
--- Log closed Wed Dec 11 00:00:11 2013
--- Log opened Wed Dec 11 00:00:11 2013
--- Day changed Wed Dec 11 2013
00:00 < andytoshi> hmm, running signtransaction on my supposedly-signed transaction changes the signature
00:00 < andytoshi> which is a bad sign i think
00:01 < andytoshi> but otoh running decoderawtransaction, i can see that my code is doing exactly what i would have done, had i merged them by hand
00:02 < andytoshi> it seems like signrawtransaction's signatures depend in a noticeable way on what the other inputs are
00:04 < gmaxwell> andytoshi: first, the signatures have a nonce and every time you sign will be different.
00:04 < andytoshi> oh, that's right
00:04 < gmaxwell> secondly, a normal sighash all signature covers all the input ids and outputs (but not the signatures themselves)
00:05 < andytoshi> yes, i'm aware of that
00:05 < andytoshi> but it zeros out the scriptSigs
00:05 < gmaxwell> right.
00:05 < andytoshi> my feeling is, i should just post this on the cj thread, and if it's creating invalid transactions, that's a safe failure mode
00:06 < BlueMatt> anyone want a google glass invite to work on bitcoin on glass? (or in general, but itd be cool to pay with bitcoin on glass)
00:07 < BlueMatt> (because thats not insecure or anything)
00:07 < andytoshi> yeah, there'd be bullies putting QR codes on peoples' feet then saying "your shoes are untied!"
00:07 < andytoshi> you look down and bam, lunch money stolen
00:08 < BlueMatt> well, someone who has time should think about how to make it secure, but first they need glass :)
00:08 < gmaxwell> the glass interface seems really twitchy
00:08 < BlueMatt> how so?
00:08 < gmaxwell> but there are buttons so you can use those.
00:09 < gmaxwell> BlueMatt: just easy to trigger the wrong thing.
00:09 < BlueMatt> yea, it can be
00:14 < gmaxwell> andytoshi: I don't see any huge risk from it, it's not an automated signer, user-beware that they check the decode before signing what it gives them.
00:14 < BlueMatt> it also doesnt even support passcode locks, so you'd have to do that yourself if you wanted anything like bitcoin
00:14 < BlueMatt> still, someone should do it...I'll throw in an invite if someone wants to
00:16 < andytoshi> grr, i typed up a nice message and bitcointalk deleted it..
00:17 < BlueMatt> why would you type a nice message for bitcointalk anyway?
00:20 < andytoshi> if you guys trust me, i can make linux 64 binaries as well, if you wanna play with this..
00:22 < andytoshi> http://download.wpsoftware.net/bitcoin/coinjoin/
00:56 < BlueMatt> andytoshi: I havent been paying attention, how is the matching process on there?
00:57 < andytoshi> hmm?
00:57 < BlueMatt> some magic p2p network that matches people who want to join, or what?
00:59 < andytoshi> BlueMatt: oh, i didn't solve that problem
00:59 < andytoshi> kjj was talking about it
00:59 < andytoshi> my thing requires you get together and exchange rawtransactions, it just simplifies the merge steps..
01:00 < BlueMatt> ahh, I was hoping for something that could get merged into wallets
01:00 < BlueMatt> :(
01:00 < andytoshi> not yet
06:14 < michagogo|cloud> 06:35:30 <gmaxwell> andytoshi: there is no 'validatetransaction' rpc call, the best you can do is try it on testnet ... or an isolated node. (e.g. if the txn isn't relevant to your wallet, and you are -noconnect -nolisten ... it'll only ever be in memory on your node)
06:14 < michagogo|cloud> Wait, is -noconnect a thing?
06:14 < michagogo|cloud> I knew of -connect=0.0.0.0
06:16 < sipa> -noX is interpreted as -X=0
06:16 < michagogo|cloud> Oh, cool
06:16 < michagogo|cloud> (and can you -connect=0?)
07:03 < wumpus> I don't think -noconnect is a supported option
07:04 < michagogo|cloud> BlueMatt: around?
07:05 < michagogo|cloud> er, wrong channel
12:25 < nsh> http://www.sparecoins.io/ <--- good / bad / ugly / dunno?
12:26 < gmaxwell> nsh: save us from clicking with a one line summary.
12:26 < nsh> browser-extension wallet, storing keys inside browser
12:26 < nsh> --
12:26 < nsh> Every week, another online Bitcoin Wallet gets hacked. SpareCoins, however, does not have a central point for attackers to target. Your private keys are encrypted and stored inside your browser, rather than an unsafe remote server. Your private keys can be backed up at anytime, and clearing your cache won
12:26 < nsh> --
12:27 < nsh> depends on the code quality i guess..
12:27 < nsh> --
12:27 < wumpus> don't bitaddress etc work the same?
12:27 < nsh> Sam Stewart5 hours ago
12:27 < nsh> It sends bitcoins. It's easy. It works. What more do you need?
12:27 < nsh> -- review. (this is the attitude that worries me...)
12:27 < nsh> unsure
12:29 < sipa> I consider every argument of the form "It is secure because ... only inside your browser" to be invalid
12:29 < sipa> which e-wallet did that, hack their JS to steal some coins back?
12:30 < nsh> aye. though this model is without a server, but just as susceptible to untrusted updates
12:33 < wumpus> well the advantage to this is that you can just host the .html files locally
12:34 < wumpus> and maintain them in (for example) a git repository so that changes are trackable
12:35  * nsh nods
12:35 < wumpus> but I'm also a bit wary to trusting my browser with a wallet, I prefer native applications for that
12:37 < wumpus> browsers have a reputation of having all kinds of subtle security bugs which suddenly become fatal if you store high-valued private keys in them
12:38 < nsh> wumpus, this echoes my sentiments
12:39 < nsh> also browsers are an established target for malware/spyware/adware already
12:39 < wumpus> then again, they do accomplish the goal of being more secure than online hosted wallets
12:39 < phantomcircuit> sipa, i actually prefer my implementation, his is using the stdio functions for apparently no reason
12:54 < sipa> phantomcircuit: there was discussion about it on the mailing list
12:54 < sipa> i can't remember why, though
12:54 < phantomcircuit> their google groups is impossible to read online
12:55 < phantomcircuit> every reply ends up with at least 100 citations at the bottom
13:09 < nsh> it works for science...
13:10 < nsh> (fsvo 'works')
13:11 < maaku> nsh: meh, sometimes I wish paper writers would boil it down to the 4-5 actually useful citations
13:11 < nsh> indeed, or at least be able to click through to the relevant findings in the referenced papers highlighted
13:13 < nsh> a lot of it is formality though. you have to prove you're not replicating anyone else's work by laboriously referencing triflingly similar papers
13:13 < andytoshi> it is also considered polite, to improve others' citation rankings
13:13 < andytoshi> <.<
13:13  * nsh nods
16:16 < pigeons> but some say it not requiring capital expense just allowing renting by the hour provides similar weird incentives like cex.io
16:17 < pigeons> some say it allows participation by only people with funds to access such a platform
16:17 < pigeons> there are valid responses though to those concerns sure
16:18 < iddo> maybe AWS is bad for decentralization because amazon itself can redirect their idle CPUs to mine cryptocoins?
16:18 < pigeons> but protoshares original marketing was "cpu so anybody with a home pc can do it" which large server farms ran those people out
16:19 < maaku> iddo: because the premise of a GPU-hard, FPGA-hard, ASIC-hard, CPU-easy proof of work is that the network will be secured by actual users (1 CPU = 1 user)
16:19 < gmaxwell> maaku: except thats a false one too.
16:19 < maaku> when in reality, whoever owns the largest datacenter with idle CPUs (AWS), or largest botnet controls the network
16:20 < gmaxwell> also you can never be "ASIC-hard" you can only reduce the specialization advantage. ... and mining is perfect competition, even if the specialized thing is merely 2:1 it will eventually dominate. .. more realistically you're not getting the specialization gain under 10:1
16:20 < maaku> gmaxwell: yeah I'm definitely not defending memory-hard proof-of-work. SHA-256 is perfect
16:21 < gmaxwell> and most efforts to be asic hard are really just NRE hard, which may lead to monopolies.
16:21 < maaku> unless you figure out a practical way to do your time-lock PoW
16:21 < nsh> you can beat individual (and successive) generations of asics by cycling through PoW schemes like a meany
16:22 < maaku> I was just explaining the (flawed) reasoning behind it...
16:22 < jtimon> maaku I don't think sha256 is perfect but I would only replace it if there's practical use for pow
16:22 < gmaxwell> maaku: I think to really do it beyond a bunch of basic practical considerations, it really needs an asymmetric crypto scheme which doesn't have any attacks better than exponential.
16:22 < jtimon> although I think some people here have problems with that
16:23 < jtimon> I admit I don't understand the problems with a theoretical curecoin
16:23 < gmaxwell> (because attacks better than exponential seem to all result in it not being progress free)
16:24 < jtimon> gmaxwell, what could be the problem with say, SETI@coin?
16:24 < jtimon> assuming it is feasible in practice
16:25 < zooko> I love this channel.
16:27 < gmaxwell> jtimon: the standard litany, most of those are not sufficiently cheap to verify (e.g. hurts spv nodes, zero knowledge proofs of tx data, and initial syncup),  they tend to be inadequately proven to be trapdoor free, high hardware implementation complexity (so may lead to asic monopolies)... if the work is not work you could get paid for, then at least it should be free of some of the incentive concerns.
16:27 < gmaxwell> (though because of merged mining even bitcoin isn't free of POW incentive concerns)
16:28 < gmaxwell> jtimon: those sorts of issues aren't fatal, if there really were some task that was obviously a good enough fit .. it might make sense.
16:28 < jtimon> ok, so if implemented properly and for a task that enables the right incentives, would be ok
16:29 < jtimon> what's wrong with merged mining?
16:30 < jtimon> I'm assuming some ZKP efficient mechanism not to hurt SPV
16:30 < iddo> is there SETI@coin proposal that can work? needs readjustable difficulty, and seeded data so that each block depends on the previous block (so you cannot copy PoW) ?
16:30 < gmaxwell> It's not wrong, but it facilitates a possible bad outcome.  Right now 99% of the incentive in mining comes from getting your work in the best chain. A rational miner doesn't do work which is doomed to not end up in the best chain, like go mine an earlier fork in order to fool an isolated node.
16:30 < gmaxwell> iddo: you don't need adjustable difficulty.
16:31 < iddo> no adjustable difficulty? how come?
16:31 < gmaxwell> iddo: computes H(seti(H(header)))<TARGET. :P
16:31 < gmaxwell> the seti itself doesn't need adjustable difficulty.
16:31 < iddo> hmm
16:31 < jtimon> gmaxwell I don't see how that changes with merged mining
16:31 < iddo> but then it's the usual hash-based PoW, no?
16:32 < iddo> ahh the hash doesn't have nonce
16:32 < gmaxwell> so w/ merged mining, lets imagine that someday 99% of the incentive instead is coming from a really valuable thing that youre merged mining.. the cost of the attack is only the marginal difference.
16:32 < gmaxwell> iddo: yea you have to grind the seti function.
16:33 < gmaxwell> but the problem is that if seti has a trapdoor, or some instances of seti are fast and you can detect them up front, ... uh oh.
16:33 < gmaxwell> or if seti costs $100 million to put into an asic but once you do it's 1000x faster/more power efficient... then perhaps you get a maker monopoly.
16:34 < jtimon> so let's say we have coins A (50%) B (30%) C (15%) and D (5%) being merged mined together
16:35 < jtimon> the percentages mean how much of the total reward for the merged miner comes from each ones in real terms (ie selling all rewards for bananas)
16:35 < maaku> jtimon: this is the same as the attack-a-merged-mine chain scenario
16:35 < gmaxwell> jtimon: the argument generally applies to making pow do something useful,  mining is nearly perfect competition, it adapts until its barely making a profit.. but it adapts on total income. So you can end up with 99% of your income not being from getting into the best chain, but instead being from finding aliens (assuming the aliens pay).
16:35 < gmaxwell> Merged mining potentially presents the same problem.
16:35 < maaku> if you own a big bitcoin mining pool, you can destroy a merged mined alt coin by overpowering it
16:36 < maaku> you can do the same to bitcoin, by offering to pay more (int altcoins) than a miner is receiving (in bitcoins)
16:36 < gmaxwell> it's not a problem so long as getting into the best chain is overwhelming your priority in your mining work. This is optimized by the work being totally useless except for that outcome.
16:36 < jtimon> but all rational miners will be mining currency D, it has almost the same security as currency A has
16:37 < gmaxwell> jtimon: no because you only lose some small amount of your income to switch from honestly mining D to maliciously mining it perhaps unsuccessfully.
16:37 < jtimon> no matter that only 5% of the reward comes from D, all miners are putting 100% of their pow in it, just like they put it in A
16:37 < maaku> jtimon: someone with a lot of C doesn't like D, so he offers 6% (in a trustworthy asset) to those miners which participate in an attack on D
16:38 < jtimon> yes, "you only lose some small amount of your income to switch from honestly mining D to maliciously mining it"
16:38 < jtimon> but that doesn't turn you into a D majority
16:38 < gmaxwell> you don't need to be a majority to attack a cryptocurrency.
16:38 < gmaxwell> even a few percent of hashpower is useful for making bogus sidechains for tricking network isolated nodes, for example.
16:38 < maaku> yes it does if you can convince a majority of the miners to go with you (remember, you're paying more than they're earning in D, in hard cash)
16:39 < jtimon> ok, ok
16:39 < gmaxwell> and yea, slippery slope, if miners are rational you can bribe them to attack.
16:39 < jtimon> but if 100% of miners are mining equally all currencies, D is just as secure as A is
16:39 < gmaxwell> In general none of this stuff is safe in a purely rational model, you need at least some altruists to stabilize the system.
16:39 < gmaxwell> jtimon: it's really not. your 100% definition is weird.
16:40 < maaku> gmaxwell: of course, to be honest the argument is a little weak - it's basically "if bitcoin becomes undervalued, it could be attacked"
16:40 < maaku> to which my response is, "why was bitcoin undervalued?"
16:40 < jtimon> you mean undervalued with respect to mining costs?
16:41 < jtimon> ok, I see the point that the attack to D is cheaper if you bribe other pools
16:41 < gmaxwell> maaku: to some extent. But it's not just about undervalued, it's more like regardless of how valuable bitcoin is, it's not a big consideration to the miner's income, and that _could_ be the case at any value level.
16:41 < maaku> and if the situation was so dire that bitcoin was being replaced with an alt, hence leading to its undervaluation compared with the currency used to pay the attackers, then why care?
16:42 < gmaxwell> maaku: I've never presented this as an argument against merged mining except to point out honestly that when I talk about the downsides of "useful work" that we're already not completely free of it.
16:42 < maaku> ok, i wasn't considering the tragedy of the commons scenario, with btc txfees
16:42 < maaku> still had my freicoin-perpetual-reward thinking cap on
16:42 < maaku> yeah ok
16:42 < jtimon> because scarce monies are always over-valued, they're really a consented bubble, an implicit agreement
16:43 < gmaxwell> And I don't even know that w/ cancercoin if it's a big deal. I just like to point out that "useful work" is not all roses, that there are interesting complications.
16:44 < maaku> of course, *not* merged mining makes the situation worse
16:44 < gmaxwell> when MM was introduced I cheered saying hurray even if people lost interest in bitcoin then maybe bitcoin could still be secure in the future.
16:44 < jtimon> yeah, I know it is a very hard problem, but I believe it is the future
16:44 < gmaxwell> Having seen things play out I was slightly too enthusiastic about it, I think.
16:44 < gmaxwell> But I still think its a good thing.
16:45 < jtimon> and not these "anti-asic" schemes
16:45 < maaku> jtimon: there are desirable properties of a proof-of-work which boinc-like work units don't have
16:46 < jtimon> yeah, I think it's cheaper security for everyone, even if the "bribe attack" makes D less secure than A
14:26 < petertodd> now the non-snark using version of that is easier to understand: fill up some ram with the function D[i] = H(D[i-1]), then do a merkle-tree over the ram and do samples to prove the transitions are honest, but the issue there is basically that the # of samples you pick relates very strongly to how parallelizable you can get away with without a high chance of getting caught out on fraud
14:26 < petertodd> gmaxwell: yeah, faster than scrypt though right?
14:27 < gmaxwell> dunno. scrypt as used in ltc is slow but it might just be comparable.
14:27 < petertodd> gmaxwell: yeah, anyway, the PoW validation slowness isn't a deal-breaker, just annoying
14:27 < petertodd> gmaxwell: bigger issue is that really ASIC-hard PoW's are a lot slower and use a lot more ram than scrypt...
14:28 < adam3us> petertodd: i think the fiat-shamir transform can make the failure from skipping calc steps start to lose fast.  this is what coelho merkle hash PoW introduced and dagger uses even more links to reduce like 3% down to < 1%
14:28 < petertodd> gmaxwell: (well, LTC-style scrypt params)
14:29 < petertodd> adam3us: yup, however what's nasty about it is if you start thinking about how fast actual hash primitives really are - a fair bit slower than main memory bandwidth right now
14:30 < adam3us> petertodd: indeed.  it would help if people used a faster hash or the custom design u mentioned yesterday (hash rounds spread across the tree)
14:31 < petertodd> adam3us: yeah, also re: my "fraud == parallelism" argument, maybe you want the bottom of the tree to be fairly big chunks of memory being hashed anyway, which makes spreading a strong hash out make more sense
14:31 < petertodd> adam3us: like I was saying above about how ram is banked anyway
14:33 < petertodd> adam3us: oh, and here's a consideration: you probably want to minimize the time and space of the merkle tree over the data being hashed, because if you don't you can optimize by making a better merkle hasher
14:33 < gmaxwell> petertodd: sequentiality to some extent prohibits being progress free, so unless the sequential part is very fast you are creating an advantage for faster miners.
14:33 < petertodd> For instance, notice how the # of nodes in a full binary tree is 2x the bottom layer, so you do need the bottom layer work cost to be >> making the tree
14:34 < petertodd> gmaxwell: well how fast is fast enough? I'd argue keep the PoW creation to < 1s or so and it's in line with latency assumptions anyway
14:35 < gmaxwell> I think it has to be a small fraction of latency in order to not matter.
14:35 < gmaxwell> keep in mind wrt the snark idea: snark _creation_ will always be much slower than execution
14:36 < petertodd> gmaxwell: I would have thought a small fraction of block interval - network latency is a similar impact to PoW latency
14:36 < adam3us> watching the dexel/alpha indian peoples video on their coming 28nm scrypt asic.  did anyone figure out if their demo fpga version was a net win already?  this should be fun to watch if they deliver
14:36 < petertodd> gmaxwell: oh, obviously if you do it snark-style you've gotta have the snark proof finish in < 1s - very difficult
14:36 < petertodd> gmaxwell: although maybe ok if the snark is only for the sake of SPV
14:36 < gmaxwell> adam3us: the ltc fpgas were a power usage win.
14:36 < gmaxwell> petertodd: well in particular because you could do proofs of the whole sum rather than a single header.
14:37 < petertodd> gmaxwell: note how with all this stuff I'll bet you having a FPGA attached to some RAM would be a power win
14:37 < petertodd> gmaxwell: good point
14:56 < adam3us> gmaxwell: i believe that is correct.  (progress freedom and ratio of minimum work unit on single core to block interval)
15:00 < adam3us> gmaxwell: it places a limit on how memory hard you can hope to be, which also relates to the fastest crypto hash that can drive the memory
15:00 < Luke-Jr> FPGAs were only a power win for Bitcoin as well
15:01 < andytoshi> petertodd: you don't need to have fast snarks if your block time is something like several hours
15:01 < andytoshi> that may be desirable anyway if you want an anonymous high-latency mechanism for getting txes to miners in the first place
15:01 < petertodd> andytoshi: true, although I suspect several hour block intervals have user-acceptance problems
15:02 < andytoshi> yeah, i really doubt such a system would be good for general use. but there are situations where several-day verification is ok (and it still beats visa :P), eg if there are long shipping or manufacturing times anyway
15:05 < gmaxwell> keep in mind that someday bitcoin might be several hour confirmations, if you can't count on the network to converge in one block anymore e.g. due to implementation inconsistencies, high latencies, bursty mining due to mining for fees, gnarly behavior from miners wrt "rational mining" that is willing to reorg if it's positive expectation
15:05 < gmaxwell> even with 10 minute blocks.
15:13 < adam3us> btw i was thinking part of the anti-litecoin fast confirmation argument maybe partly false.  it can be claimed that well 12 lite coin confirms (30min) is weaker than 6 bitcoin ones (60mins).  but consider  your probability as a selfish miner of winning with p^24 << p^6.  in fact even p^12 << p^6 etc.
15:14 < Luke-Jr> adam3us: consider the attacker doesn't need to worry about stale blocks also
15:14 < Luke-Jr> adam3us: there are a lot of factors involve
15:14 < Luke-Jr> d
15:14 < Luke-Jr> fast blocks = more hashes wasted by the legit miners
15:14 < Luke-Jr> scrypt = slower block propagation
15:14 < adam3us> Luke-Jr: oh yes (i said partly) the short block time is worse for orphans and it gives well connected low latency miners more advantage
15:14 < adam3us> Luke-Jr: that too
15:15 < Luke-Jr> adam3us: right; there's advantages and disadvantages
15:15 < Luke-Jr> IMO they more or less balance out
15:19 < adam3us> i wonder what it does for selfish mining attack though.  the ghost (hash in non-conflicting orphans) approach seemingly allows faster blocks because orphans are not wasted.  so hypothetically ghost + bitcoin/sha256 mining + eg 2.5min intervals.  and still 1hr confirmations.  i wonder if the selfish miner loses in that circumstance
16:54 < jtimon> Luke-Jr I don't see the balance, Scrypt is neither "anti-ASIC" nor anti-GPU
16:55 < jtimon> what's the gain Scrypt has over SHA256 ?
16:55 < phantomcircuit> jtimon, nothing
16:56 < sipa> scrypt is certainly anti-gpu, if it'd use more than 128 KiB of RAM...
16:56 < Luke-Jr> jtimon: there is none, that's my point
16:57 < sipa> despite that, i'm very unconvinced that it has any advantages for bitcoin or similar systems
16:57 < EasyAt> scrypt ASICs will have a giant die size, no?
16:57 < c0rw1n> 128KB ram doesn't take much die space
16:58 < sipa> well the point would be to make the cost of the ASIC be dominated by fast memory
16:58 < jtimon> "<Luke-Jr> IMO they more or less balance out" ok so this is just sarcasm?
16:58 < Luke-Jr> jtimon: no? we're talking about faster block times there, and how it doesn't make transactions any faster really.
17:00 < jtimon> Luke-Jr ok thans
17:00 < jtimon> thanks
17:00 < jtimon> sipa what's the point of "make the cost of the ASIC be dominated by fast memory"
17:00 < jtimon> ?
17:01 < sipa> not saying this is a good idea, just reasoning how you'd make an anti-asic pow
17:01 < gmaxwell> It's an attempt to reduce the gap between commodity hardware and specialized hardware.
17:02 < sipa> if the cost of the asic is dominated by memory, it's unlikely to provide much gain over state-of-the-art cpus connected to as much fast ram as you can find on the market
17:02 < sipa> as the cpu will not be the bottleneck
17:02 < gmaxwell> I think it's generally a poor idea for pow-consensus systems though. My reasoning is that at most you can probably do is get the gap down to 2:1 (or really probably more like 10:1), and even at 2:1 the commodity hardware will probably be completely excluded.
17:02 < gmaxwell> Vs in KDF usage getting the custom hardware advantage down to just 10:1 would be great.
17:02 < sipa> i think it's a great recipe if you want botnets
17:03 < gmaxwell> Well botnets too, if you don't pay for power because you're stealing it you don't mind that you're 10x less efficient than custom hardware.
17:03 < jtimon> I assume it also has to be anti-GPGPU, right?
17:04 < sneak> the nice thing about kdfs is that it's ok to use eleventy bazillion iterations too
17:04 < sneak> because most use-cases don't mind a 500msec wait
17:04 < gmaxwell> well KDFs want fast verification too, but a few hundred ms is okay usually.
17:04 < sipa> jtimon: unless GPUs would happen to have better memory bandwidth :)
17:05 < gmaxwell> They don't want generation / verification asymmetry, which we want for hashcash usage.
17:06 < gmaxwell> sipa: generally GPUs have had much better memory bandwidth than j-random-cpu. (though horrible memory latency relative to their clockrate)
17:07 < jtimon> sipa GPUs will have a better memory bandwidth they're not only for graphics anymore, they're the present/near-future of supercomputing
17:07 < jtimon> and some problems have their bottlenecks in memory
17:08 < gmaxwell> jtimon: graphics work is generally memory throughput limited.
17:11 < jtimon> I'm just saying that GPU designers are not only optimizing for graphics, there's more problems being solved with other demands
17:11 < jtimon> GPUs architectures can change
17:12 < jtimon> maybe you're right and the GPGPU people won't ask for those constraints to be improved
17:12 < gmaxwell> jtimon: that's probably the same processor / coprocessor cycle that has gone on since the start of computing. Presumably GPUs will eventually go away and just be subsumed into cpus (or vice versa)
17:13 < gwern> the wheel of reincarnation
17:14 < gmaxwell> (e.g. how FPUs and stand alone short vector units became standard cpu features)
16:37 < gmaxwell> _ingsoc: thats really not true at all.
16:38 < amiller> andytoshi, :)
16:38 < _ingsoc> gmaxwell: How?
16:38 < gmaxwell> _ingsoc: if thats the kind of garbage nonsense that people repeat when its not true, consider what happens when it is true.
16:38 < _ingsoc> gmaxwell: What incorrect about the statement?
16:38 < _ingsoc> What's*
16:39 < Emcy> are you serious
16:39 < gmaxwell> _ingsoc: Bitcoin was public from the very start and considerable effort was made to make that provable.  (including, for example, reaching out to likely initial users, as adam back can testify)
16:39 < Emcy> he crafted a block then mined one on it to check
16:39 < gmaxwell> _ingsoc: there were multiple people using it from the first day.
16:39 < _ingsoc> gmaxwell: I'm not saying he did it in secret. I'm saying he mined it when nobody care about it.
16:40 < _ingsoc> gmaxwell: What I'm trying to say is that what people like to crap on today is not very different from how Bitcoin came to be.
16:40 < _ingsoc> gmaxwell: I'm talking about the underlying economics.
16:40 < gmaxwell> _ingsoc: I don't even think you can establish that satoshi actually mined it in any non-trivial amounts, in fact.
16:40 < gmaxwell> _ingsoc: and you're factually incorrect.
16:40 < _ingsoc> gmaxwell: You don't know that.
16:41 < _ingsoc> gmaxwell: You believe I'm incorrect, and that's fine, but for a lot of this stuff, we simply don't have the answers.
16:41 < gmaxwell> You're factually incorrect in saying that it was premined or similar to the people who created a ton of coin in the first block. That's a matter of fact, not uncertainty.
16:42 < _ingsoc> gmaxwell: Ofc that's factually incorrect, but that's not what I was trying to say.
16:42 < gmaxwell> You can say these things to try to justify whatever scheme you want, I wish you luck. But as you can see people don't tolerate that stuff. They refuse to use premined coins _generally_ though there are some exceptions.
16:43 < _ingsoc> gmaxwell: That's a bit unfair.
16:44 < _ingsoc> gmaxwell: I'm not trying to go on the offensive.
16:45 < gmaxwell> They don't accuse people of behavior that many consider unethical.
16:45 < gwillen> gmaxwell: I don't know that you're right about people refusing to use premined coins; I think most people just don't care that much.
16:46 < gwillen> gmaxwell: I see a lot of loud noise from Luke about how awful they are, and a little bit of loud noise from people who aren't Luke, but I still see plenty of people using them.
16:46 < gmaxwell> gwillen: Which premined coins are people using now, except for ripple?
16:46 < pigeons> why do people use litecoin and not its direct predecessors. why did btc-e destroy a large number of "novacoins"
16:46 < gwillen> gmaxwell: Well, most of them were pointless for other reasons
16:46 < gmaxwell> gwillen: novacoin had to destroy their premine.
16:46 < gwillen> gmaxwell: I mean, you don't see people using ixcoin, but you also don't see people using i0coin
16:46 < gwillen> they're both just as dead
16:46 < gmaxwell> and the litecoine predecessors were heavily premined and are not used though they're functionally identical.
16:46 < gwillen> hmm.
16:47 < _ingsoc> That wasn't my intention at all. I should probably have used a better explanation of what I meant. What I meant to say was that Satoshi sat there mining it whilst nobody really cared, and that's no different than someone mining it for contributors. Satoshi mined it for the ideas he contributed, or whatever drive to support those ideas.
16:47 < gmaxwell> there is a long history of premined coins failing, and/or being forked into non-premine versions.
16:48 < gmaxwell> _ingsoc: even that much is an assumption that may not be true. and the opportunity to do that, to mine where no one believed in even the _chance_, is probably gone, and never would have been a viable funding model in terms of net-expectation.
16:48 < gmaxwell> E.g. Satoshi wasn't doing an economically rational thing even though it may have turned out quite well for him.
16:49 < _ingsoc> gmaxwell: True, I can accept that. I'd have to add that we have no clue. God, Satoshi could be the CIA for all we know.
16:49 < gmaxwell> Probably a good assumption in terms of setting up the right defensive expectations.
16:49 < _ingsoc> Hah.
16:49 < Emcy> gwillen but premining a coin is such a blatant scheme that i feel the people who still get involved do so because they like the drama or some other weird psychological reasons?
16:50 < _ingsoc> Depends where the premine go to, Emcy.
16:50 < gmaxwell> _ingsoc: I mined bitcoin in 2009 and basically forgot about it, whatever coins I mined (which are probably now confused as being satoshi coins) back then got destroyed... bitcoin was so worthless that it wasn't worth keeping the software running.
16:51 < Emcy> shouldn't matter "where they go to", rationally
16:51 < _ingsoc> But it does.
16:51 < _ingsoc> All of this is in-group, out-group psychology.
16:51 < Emcy> yes, all that crap
16:52 < gmaxwell> I don't think it matters, you can just fork the coin remove the premine and tada, it's more "fair" .. and thats what people do.
16:52 < _ingsoc> Whatever succeeds Bitcoin will rise out of that crap.
16:52 < _ingsoc> It might be pretty good crap, but it's still crap.
16:52 < Emcy> i dont think it can be succeeded
16:52 < gmaxwell> maybe ripple solved it, but only through methods which have offended a lot of people.
16:52 < Emcy> not fairly
16:52 < _ingsoc> gmaxwell: That's success though - the tech propagates.
16:52 < _ingsoc> gmaxwell: Not Ripple, the fork.
16:53 < pigeons> well how do you distribute? you mean adding a mining mechanism to a system that doesnt mine or use PoW?
16:54 < gmaxwell> _ingsoc: yea, well it hasn't answered the question that started this discussion.  .. except "wait for someone to be stupid enough to think they can fund major public development with a premine; watch as the public forks their solution"
16:55 < _ingsoc> gmaxwell: I forgot the question. It's 6am here. :/
16:55 < Emcy> how do you fund anything with a premine. The coins are worthless.
16:55 < gmaxwell> :)
16:55 < _ingsoc> Emcy: The coins are sold for something of value.
16:55 < Emcy> unless you have exchanges ready to roll day 1 and stupid people pumping money in
16:55 < pigeons> mining may not be fair at all to distribute subsidy, but yea we don't know a better way, but any other ways will have loud objections of unfairness because it is the model for now
16:55 < Emcy> day 1 exchanges is another huge klaxon
16:56 < gmaxwell> Emcy: people have tried, the plan is "create premine coin, pump coin, coins gain value" and yes, it fails.
16:56 < _ingsoc> gmaxwell: That's not the plan at all!
16:56 < _ingsoc> gmaxwell: How would pumping something like that create any real value?
16:56 < gmaxwell> 'value'
16:56 < gmaxwell> _ingsoc: it's certainly the plan of some people, and anyone who has a distinctive plan is indistinguishable.
16:56 < Emcy> cos value is an illusion?
16:57 < _ingsoc> Value is better tech. That's the whole point of funding something like that.
16:57 < pigeons> heh new bitcoin forks list existing features as value-add. "Bitcoin fork with IPv6"
16:57 < _ingsoc> If the tech gets forked the tech is good (good enough for someone to fork it at least).
16:57 < _ingsoc> gmaxwell: People will always be full of shit.
16:58 < gmaxwell> _ingsoc: go explain to me the 12 million dollar feathercoin market cap. It's a copy of ltc with the blocktime set to a provably unsustainable value; it was suffering convergence problems, so they paid the PPcoin guy for code to do centralized block signing (like ppcoin uses)
16:58 < Emcy> people have forked coins just for the troll factor
16:58 < gmaxwell> (suffering convergence problems from the blocks being too fast)
16:58 < _ingsoc> gmaxwell: There's no doubt it has technical problems.
16:59 < Emcy> $12m according to whom?
16:59 < pigeons> is that float of mined coins existing?
16:59 < pigeons> assuming no slippage of course
16:59 < _ingsoc> Someone here should just take me up on it, get paid, make better tech, and then we can all go back to arguing.
16:59 < _ingsoc> Seriously.
16:59 < gmaxwell> Emcy: 'market cap', which is a bit airy, but you can still go extract a hundred thousand dollars instantly by emptying the orderbooks.
17:00 < Emcy> feathercoin has orderbooks? jesus wept
17:00 < gmaxwell> and in my opinion that coin should have a value of approximately nothing.
17:00 < pigeons> it even has apparent "true believers"
17:01 < Emcy> stuff like that makes me think even bitcoins "cap" of 4bn or whatever is bollox
17:01 < gmaxwell> Emcy: sure, it's bollox, but the orderbooks at least are real.
17:02 < Emcy> the scheme i see a lot is people mining altcoins and cashing out to btc
17:02 < Emcy> since btc mining became impossible
17:02 < Emcy> thats kinda weird
17:02 < gmaxwell> Emcy: unless there are secret litecoin fpga/asic farms litecoin is probably using more electrical power now than bitcoin.
17:03 < Emcy> yeah thats bonkers
17:03 < Emcy> i prefer to think theres a secret fpga farm
17:04 < Emcy> yet i see threads the gist of which "check out my new 4 7790s for litecoin lol"
17:06 < gmaxwell> I think I pissed off people in #litecoin-dev suggesting otherwise. I find it hard to believe, if true it means there is a substantial multiple of gpus mining litecoin than ever mined bitcoin, surprising to me but not impossible.
17:07 < zooko> Hey gmaxwell are you still working on opus?
17:07 < zooko> I was happy to see the 1.1 release announcement today.
17:08 < gmaxwell> zooko: Yes.
17:08 < Emcy> not impossible. I think word got around of how people funded their new $2000 rigs with GPU mining back in the 2011 excursion.........people seem to think that's happening again with ltc
17:08 < Emcy> at least on /g/
17:08 < zooko> gmaxwell: nice work!
17:09 < Emcy> when is steam gonna pick up opus for voice :(
17:09 < warren> gmaxwell: people are indeed still buying GPU's now.
10:00 < warren> and a flat smushed face
10:01 < gmaxwell> the only unusual thing here is that they warned him a lot of people have just randomly had their accounts closed when their bank notices btc related txn.
10:03 < warren> "they"?
10:13 < gmaxwell> the bank
10:51 < andytoshi> i had wells fargo disable my account because i was connected through tor ... when i called them up the security guy asked "are you using tor?"
10:51 < andytoshi> i said yeah, he said "okay, i'll make a note of it"
10:51 < andytoshi> i was really surprised
10:58 < andytoshi> i stopped using tor anyway, i think the "note" he made was to NSA rather than anything that'd keep my account open..
10:59 < gmaxwell> andytoshi: on your manualcoinjoin you're doing, ... you'd mentioned txindex to me, but you can actually look up any spendable coin with gettxout.
11:00 < andytoshi> even without txindex?
11:00 < gmaxwell> yes.
11:00 < gmaxwell> it uses the utxo set, obviously since the same operation is needed to validate!
11:01 < gmaxwell> that's also what any CJ tool should use for checking the availability of txins.
11:01 < andytoshi> oh, thanks
11:01 < andytoshi> i thought so, but gettransaction wasn't working...i guess i txindex'd for nothing
11:02 < andytoshi> and i guess gettransaction does not work with txouts
11:02 < gmaxwell> gettransaction would never return a non-wallet txn. Getrawtransaction would, depending on if its spent or not, but we've talked about changing that (e.g. by providing a new call) since its surprising to people.
11:03 < gmaxwell> (getrawtransaction has a nice verbose argument to get the verbose details)
11:03 < gmaxwell> You're the sort of person who should have a txindex=1 node anyways. :)
11:04 < gmaxwell> sorry, it was late last night or I would have thought to mention it then.
11:05 < andytoshi> no worries, i was off to bed anyway, i probably would have missed it anyway
11:06 < andytoshi> and i was asleep for the entire reindex, so it didn't bother me
11:06 < andytoshi> (linux bogs down horrifically during reindexing...there was a recent LWN article about fiddling some flush-rate parameters, but i didn't get around to doing that)
11:07 < gmaxwell> andytoshi: hm. never noticed it, but maybe I'm on overpowerful hardware relative to you. if you have a lot of ram you can make it a lot faster if you run with -dbcache=<big value>
11:08 < andytoshi> nope, i'm on a 2008 thinkpad which is maxxed out at 4gb :P
11:09 < gmaxwell> it's annoying that it's hard to get more than 16 gb in a laptop.
11:09 < andytoshi> yeah, i've spent forever on this hardware because i can't upgrade as much as i want
11:10 < andytoshi> i was also promised OLED screens every year since 2010..
11:11 < gmaxwell> yea, display tech stinking kept me on my older thinkpad until it basically fell apart.
12:47 < maaku> gmaxwell: i think the latest workstation lenovos can do 32gb
12:47 < maaku> i would love a thinkpad with 96gb though
12:48 < maaku> petertodd: do you have a link or log of the sacrificial key-value store discussion?
12:48 < maaku> it sounds similar to what we came up with
12:50 < maaku> in our system there's on-chain offers stored in a merklized priority heap
12:50 < maaku> and the owner needs to pay rent equal to a percentage of the largest offer
12:51 < maaku> rent being paid by sacrifice
12:51 < warren> adam3us: blah blah, boring talk
12:52 < maaku> (if rent owed goes negative, the offerer can claim the property from the owner by paying the offer amount, but he doesn't need the owner's permission)
12:53 < maaku> This is basically using georgist land tax to solve the squatting problem
12:53 < maaku> Also, with the system we put together it has the nice advantage of being entirely in merklized structures that the validators don't have to keep
13:20 < helo> is there any writing about the idea of an altcoin that gets its coin only from bitcoin sent to unspendable addresses?
13:22 < maaku> helo: that's what mastercoin is supposed to be, no?
13:22 < maaku> s/unspendable/owned by JR/
13:23 < maaku> helo: in freimarkets we have primitives for issuance and cross-chain transfer
13:23 < maaku> it's meant for gateways, but you could probably use it for unidirectional sacrifice-transfer
13:24 < helo> neat, i'll look into those
16:07 < MoALTz> transaction fees proportional to the block subsidy?
16:14 < MoALTz> *minimum
16:24 < maaku> MoALTz: ?
16:25 < maaku> the block subsidy currently has more to do with initial distribution than an ideal steady state
16:25 < MoALTz> wondering what the effect of setting the minimum transaction fee to be proportional to the block subsidy would be. it would make fees replacing the subsidy take longer, but would it matter?
16:31 < sipa> i doubt any minimum fee policy isn't going to mean much in the future
16:32 < sipa> it exists to protect the network from spammy-looking transactions
16:32 < maaku> 1) what sipa said, and 2) the minimum tx fee and block subsidy are not correlated
16:32 < sipa> but if the actual fee to have your transaction mined in reasonable time exceeds that anti-dos fee policy, it becomes useless
16:32 < helo> it would make the value of bitcoin go down, as future value would be reduced by exorbitant fees
16:33 < helo> but that is very long...
16:39 < MoALTz> the last question i have for now: would new altcoins with new (truly novel, not like all those forks) features be welcomed? or would they only serve as a distraction from bitcoin?
16:40 < sipa> i've been thinking (just thinking... i don't have nearly enough time to do so) to create an altcoin with many of the nice ideas that have been proposed over the years
16:41 < MoALTz> i think many of us have ideas that we'd like to embody into a new coin
16:41 < sipa> i'd consider it an experiment, though - not a currency
16:41 < sipa> like testnet
16:43 < MoALTz> one issue with a truly novel new altcoin being run as an experiment: people WILL try and keep the original experiment running, even if the creator tries to shut it down or change elements of it
16:43 < MoALTz> it's a genie out of the bottle sort of thing
16:43 < MoALTz> at best you'd be able to change its direction gradually
16:59 < gavinandresen> Just build an alt-coin with an expiration date: "There Will Be a New Block One Every January 1."
16:59 < gavinandresen> Call it JubileeCoin maybe
17:00 < sipa> or announce from the start that you've added a vulnerability that allows you to exploit the system in a serious way
17:00 < sipa> remaining vague enough
17:01 < MoALTz> that makes implementing it trickier though
17:01 < MoALTz> unless you mean issuing a fake threat
17:02 < sipa> that's *maybe* what i mean :p
17:02 < MoALTz> :)
17:03 < MoALTz> i overlooked the obvious though: just not releasing the source code
17:03 < sipa> that makes it pretty useless as experiment
17:04 < MoALTz> not at all, since you (the author) can still learn
17:04 < gavinandresen> sipa: the real problem is you don't really know you're secure until you have value. Because people won't spend lots of time attacking (or spend money defending) things unless they're valuable
17:04 < maaku> a lot of the stuff that's talked about here is getting added to freicoin ... eventually
17:04 < sipa> gavinandresen: i know
17:06 < sipa> i don't think you need actual economic value though, before people are interested in studying it
17:06 < sipa> anyway, all hypothetical anyway
18:05 < helo> maaku: so i take it that freicoin is staunchly against increasing the bitcoin block size limit?
18:07 < helo> since presumably freicoin nodes would want to be able to sync the bitcoin blockchain as easily as possible
18:08 < maaku> i'm not sure I follow
18:08 < pigeons> freicoin uses its own blockchain
18:08 < maaku> and no, we're for increasing as quickly and as much as is safely possible to do
18:08 < maaku> without risking decentralization
18:08 < maaku> er, centralization
18:09 < damethos> hey guys. Just thought to share this with u here since u might find some use. Just finished integrating testnet to our blockexplorer. https://www.biteasy.com/testnet/blocks
18:09 < helo> maaku: oh. i haven't had time to read about freicoin yet, but i was thinking it will enable one-way bitcoin-to-otherchaincoin transfers
18:09 < damethos> still fixing bugs etc but we will get there
18:10 < helo> so to know how much coin otherchaincoin has, you'd have to stay current with the bitcoin blockchain
18:10 < helo> and would therefore want bitcoin blockchain to be as small as possible
18:11 < pigeons> ah freimarkets will be yet another chain
18:11 < maaku> freimarkets private accounting servers is what you're thinking of
18:11 < helo> oh -markets
18:11 < maaku> same developers, different project
18:12 < maaku> but freimarkets will be deployed to freicoin
18:12 < maaku> but only the private servers track public chains - bitcoin, or freicoin
18:12 < maaku> freicoin stays independent of bitcoin, except merged mined pow
18:45 < eristisk> maaku: Freicoin does not have a merge minable POW blockchain, or at least they did not create it to be merge minable with Bitcoin's POW chain
18:47 < gmaxwell> eristisk: Freicoin will be changing in the future.
18:47 < gmaxwell> (also maaku is an expert on what Freicoin does and will do. :) )
18:48 < eristisk> Ah, ok, I thought it was commentary on the current state of things.
18:50 < maaku> eristisk: Freicoin will get merged mining with the introduction of Freimarkets, or if that fails to happen then at the end of the initial issuance (2 years from now)
19:00 < Luke-Jr> maaku: why might it fail to happen?
19:03 < maaku> well it's not something we are actively working on at this exact moment, or funded to do, so I wouldn't want to say with 100% certainty that it would happen
19:03 < maaku> but it is a priority in the near term, just not this exact moment (unless someone stepped in to fund us)
19:03 < maaku> i assume you're talking about freimarkets
19:04 < maaku> "if Freimarkets fails to happen"
19:07 < Luke-Jr> I mean merged mining
12:01  * jgarzik helped in the US Senate hearing prep
12:02 < phantomcircuit> jgarzik, sure... but usually you'd at least try to pretend like you wrote it
12:02 < phantomcircuit> it seems like he hasn't even read the statement before
12:04 < phantomcircuit> lol question is lol
12:10 < TD> jgarzik: bitpay question for you. feel free to take it private if answers are sensitive in any way. how do you guys handle exchange rates for thinly traded currencies? it seems like CHF local trading has kind of broken today, because some wallets are showing the bitcoinaverage global cross-rate and others are showing the rate they calculate from actual trading data
12:11 < TD> and the spreads are enormous, mind-bogglingly huge
12:11 < jgarzik> TD, my answer: dunno :)
12:11 < TD> that answer is pretty sensitive :)
12:15 < phantomcircuit> so what im hearing is
12:15 < phantomcircuit> i should start a company that does exotic transaction types
12:28 < phantomcircuit> these guys are silly
12:37 < michagogo|cloud> phantomcircuit: exotic? Like what?
12:37 < phantomcircuit> ahah
12:37 < phantomcircuit> he cant pronounce nascent
12:59 < gmaxwell> is it over yet?
13:05 < jgarzik> gmaxwell, no
13:05 < jgarzik> gmaxwell, and it's fucking fantastic
13:05 < jgarzik> a must-watch
13:05 < TD> it is ?
13:05 < TD> damn. wish i was watching it now :)
13:05 < TD> what makes it so fantastic?
13:05 < gmaxwell> I've captured it.
13:06 < c0rw1n> jgarzik is this one better than the senate hearing?
13:06 < jgarzik> much better
13:06 < gmaxwell> should probably get someone to transcribe.
13:06 < jgarzik> a very, very in-depth, smart discussion
13:06 < jgarzik> ++
13:08 < gmaxwell> As soon as its done I'll upload it so people can transcribe.
13:08 < TD> thanks guys!
13:08 < jgarzik> well, OK, in depth and part an opportunity for these guys to pump their bitcoin stuffs
13:08  * TD has to run
13:09 < nsh> what's being discussed, where?
13:10 < nsh> Department of Financial Services?
13:10  * nsh tunes in
13:10 < jgarzik> it is a loose, free-wheeling discussion
13:11 < jgarzik> IMO the first True Bitcoin Hearing, with people asking tough questions
13:12 < nsh> good
13:16 < andytoshi> is BPP != P open?
13:19 < nsh> the entire hierarchy is up for grabs
13:20 < nsh> (specifically, everything collapses to P if the universe is really silly)
13:20 < gmaxwell> damnit, my battery went dead, and so I missed a bit most likely. :(
13:20 < nsh> :(
13:22 < nsh> i like this line of argument
13:22 < nsh> (not sure it'll be as well received by others listening though)
13:23 < nsh> andytoshi: these talks look interesting http://terrytao.wordpress.com/2008/01/10/distinguished-lecture-series-i-avi-wigderson-the-power-and-weakness-of-randomness-in-computation/
13:23 < nsh> (regarding BPP=?=P)
13:26 < andytoshi> thx nsh. i'm putting together a talk of my own and trying to figure out how to briefly discuss complexity..
13:27 < nsh> oh, cool. for what purpose?
13:28 < nsh> (i'd like to hear that talk if you get a chance to record it. or see the notes at least)
13:28 < andytoshi> it's just a first-year "everyone gives talks to each other" thing at my school. so i want to explain my public-fhe problem..and snarks, because that's the coolest application i can think of
13:29 < andytoshi> but i only have an hour and these people are pure math folks. so i'm having a tough time compressing material :P
13:30 < andytoshi> if i think it'll work out i'll try to record it
13:33  * nsh nods
13:37 < jtimon> later charlee lee? let's see if he says things like "freicoin is like the usd" and "merged mining would destroy your alt because miners would mine it for free" again
13:41 < jtimon> I guess he won't be asked about that, but I'm always eager to hear new "sentences to remember" from him
13:42  * nsh smiles
13:42 < andytoshi> nsh: current plan is to run through complexity, "hard" problems, security models, several examples of cryptosystems which move information in weird ways with respect to the data flows, turing machines and arithmetic circuits, FHE, PCP and verifiable computing, SNARKs, public-FHE
13:42 < jgarzik> Some of the questions and some of the answers were silly or off
13:42 < jgarzik> but overall, pretty good
13:43 < jtimon> I can't see anything, did it finish already?
13:43 < jgarzik> yes. resumes at 2:30pm
13:43 < nsh> andytoshi, sounds good
13:44 < jtimon> jgarzik what time is it for you now?
13:47 < gmaxwell> https://people.xiph.org/~greg/bitcoin_ny_hearing_1.ts https://people.xiph.org/~greg/bitcoin_ny_hearing_2.ts
13:47 < gmaxwell> second file has about :30 left in the upload
13:48 < gmaxwell> maybe it didn't actually miss anything since the streams would start a bit before realtime and I was probably only offline for two minutes, it's possible. I'm not sure.
13:48 < gmaxwell> I missed a bit at the beginning for sure.
13:49 < jgarzik> 1:49pm
13:49 < jgarzik> jtimon, ^
13:49 < jtimon> thank you both
14:01 < andytoshi> nsh: thx much for that terry tao link. it covers a bunch of what i want to talk about, and has a zk proof of graph 3-colorability which (a) is simple and (b) can be fiat-shamir transformed
14:02 < nsh> ah, great
14:03 < nsh> yeah, tao seems to be quite a mathematical legend
14:04 < gmaxwell> andytoshi: is it one where you give the labels or the edges?
14:04 < andytoshi> :P he is indeed.
14:04 < andytoshi> gmaxwell: you give the labels
14:04 < gmaxwell> if you only give the labels how do you know the graph is isomorphic to the query graph?
14:05 < nsh> i watched this talk by tao the other day -- very interesting:
14:05 < nsh> http://www.youtube.com/watch?v=PtsrAw1LR3E
14:05 < andytoshi> gmaxwell: there is no isomorphism involved, the graph and its edges are common knowledge
14:05 < gmaxwell> The classic ZK graph proof is that you commit to a bunch of permuted solutions and then the verifier challenges you to reveal either the labels or the edges.
14:05 < gmaxwell> (but not both, since that would give away the solution)
14:06 < andytoshi> yeah, i'm familiar with that one, that's why i was surprised to see this one
14:06 < andytoshi> i need to think about this, my first impression is that it's OK because the verifier knows the graph under consideration
14:07 < gmaxwell> oh interesting.
14:07 < andytoshi> you don't use an isomorphic graph, you use an 'isomorphic' coloring
14:07 < gmaxwell> you randomly pick an edge and only reveal that the two colors are equal.
14:08 < andytoshi> for proving more structural things, eg the existence of hamilton cycles, you need an isomorphic graph..i'll be glad if i can avoid that because mathematicians never get that "isomorphic" does not mean "obviously the same"
14:10 < gmaxwell> well it's nice because you can just wave your hands and say "3-coloring is NP complete"
14:10 < andytoshi> yep :)
14:11 < justanotheruser> Given a network with topology like bitcoins, is it possible to send a message directly (not broadcasted to everyone else) in a zero-knowledge manner (your message somehow finds a path to him, but no one knows that path).
14:12 < andytoshi> justanotheruser: if you have a view of the network you can do onion routing. though it's a bit hard to do without timing side channels
14:12 < gmaxwell> andytoshi: Why can't you just paint everything blue?
14:12 < andytoshi> by 'a bit' i mean in the limit it's impossible, eg if you're the only one doing it everyone can see that it's you
14:13 < andytoshi> gmaxwell: are you talking about the graph problem?
14:14 < gmaxwell> andytoshi: the 3 coloring zk proof. Why can't I just commit to everything blue (e.g. all the edges at a vertex the same color). As it was described there appears to be no test for this.
14:15 < andytoshi> gmaxwell: you are coloring the vertices
14:16 < andytoshi> ..i'm having trouble in that i don't understand how you can commit to one of three colors that can't be forged with roughly 3 tries
14:16 < gmaxwell> oh derp, right, the test should be that they're not the same not that they are the same.
14:17 < andytoshi> :P. it seems to me that if you are doing SHA256(color + secret) or something, you can easily change your secret so you have no commitment. but if there is no secret then the verifier can see right through the commitment so it is not zk
14:18 < andytoshi> wait, i'm an idiot, never mind
14:20 < andytoshi> somehow i was thinking the colors were the commitment and the hashes were what you were proving you had :P
14:22 < justanotheruser> andytoshi: I had an idea to stop timing side channel attacks. But the real question was how to I get my message to someone without knowing their IP
14:24 < andytoshi> if all messages are broadcast, you can 'identify' people by their public keys. just broadcast a message that only your target can encrypt. but this is probably very easy to sybil.
14:25 < andytoshi> you need to have some information about the nodes you are hopping between to avoid sybils
14:25 < andytoshi> decrypt*
14:27 < justanotheruser> andytoshi: yes, nodes would have to have some PoW or PoS to prevent sybil
14:55 < nsh> gmaxwell, did you and/or andytoshi classify/specify the graph problem you were working out from coinjoin transactions
14:55 < nsh> iirc to give an estimate of the number of participants
14:56 < nsh> there were some brief notes or something, i last remember
15:58 < michagogo|cloud> Hmm, what plays .ts files?
15:59 < michagogo|cloud> (also, Chrome is trying to render those two files as text, rather than downloading them...)
15:59 < nsh> vlc generally plays anything that can be decoded into audio/video
16:00 < michagogo|cloud> Ah, I think I have that installed
16:00 < michagogo|cloud> Thanks
16:00 < nsh> np
16:03 < gmaxwell> michagogo|cloud: VLC, mplayer, ffmpeg
16:05 < andytoshi> nsh: not sure if somebody answered you about the coinjoin graph problem
16:05 < nsh> wb, not yet
16:05 < nsh> was interested because a problem in tahoe-lafs looked quite (superficially) similar
05:34 < adam3us> yeah I was wondering as a trend if FPGAs can get closer to ASIC in density, and reduce the ASIC/FPGA performance gap, and that as seemingly moore's law may top out with current fab around 5nm, then the next stage is more cores, more CISC designs, and reconfigurable - eg if you have some GPU units on the die, why not a slab of FPGA; we already have microcode, why not lower (hw) level reconfigurability as an on die FPGA co-processor
06:03 < wumpus> adam3us: so you're counting on the overhead for (low-level) programmability to go down; any specific reason for that?
06:03 < wumpus> it would be great, agreed though
06:06 < adam3us> adam3us: they're running out of other options, and the intel & amd & arm chips are getting more and more cisc.  gpu, mmu, power regulator, level 4 cache, more simd instructions, special crypto instructions, codec instructions.  seems like the next step. (I am not a hw person tho).  so if there is room, and fpga are maybe not so widely used vs cpu so maybe with more r&d focus that asic/fpga gap could be closed somewhat
06:08 < wumpus> there certainly seems to be a trend toward lower-level many-core parallelism programmability in newer architectures (paralella, xmos), but not entirely at the gate level, it's more GPU-like from what I understood
06:10 < wumpus> one of the (sw) problems with FPGAs in general-purpose computers is sharing them between applications, it's a limited resource users may not easily understand. GPU vendors spend a lot of work on context switching / multitasking, but on a FPGA that may be harder.
06:15 < wumpus> of course, if you have a fast programmable FPGA or one that supports partial reprogramming you could maybe dynamically allocate gates, but from what I've seen up to now  reprogramming a FPGA isn't quite as granular/fast
18:23 < gmaxwell> Interesting: I emailed Colin Percival and expressed my concern that the scrypt cost assumptions may be inaccurate due to a failure to account for energy consumption and asked if he'd performed or was aware of anyone else performing an analysis which included energy consumption.
18:24 < gmaxwell> He responded and said "I'm not aware of any analysis which includes energy consumption.  I don't
18:24 < gmaxwell> know anyone who has looked at this who has the necessary expertise in
18:24 < gmaxwell> microfabrication technologies to accurately predict how energy-efficient
18:24 < gmaxwell> a *custom* circuit could be."
18:26 < phantomcircuit> gmaxwell, hmm?
18:31 < gmaxwell> phantomcircuit: New theory: Scrypt may be less effective as a KDF than the conclusions in the scrypt paper suggest because the analysis there did not include operating costs, just chip making: For number crunching chips the power cost outpaces the fabrication cost quite rapidly... and given a specific commodity hardware time budget scrypt cracker may actually use less power (than say sha256-pbkdf2).
18:33 < phantomcircuit> gmaxwell, that is certainly correct
19:01 < midnightmagic> wow
19:01 < sipa> such theory
19:03 < gmaxwell> maybe I can extract some data from the gridseed folks to allow for a scrypt asic cost model that includes energy.
19:03 < gmaxwell> (what I can't just extract from their data sheets is how the energy usage scales with the memory hardness parameter, not without knowing how much of their power is used by the dram vs the rest.)
19:09 < Luke-Jr> Anyone have any tips on boarding in Miami Beach? :/
19:09 < sipa> don't tell them you have a bomb
19:10 < Luke-Jr> s/boarding/lodging/
19:12 < jps> sipa: the NSA will never let Luke-Jr board the plane now
19:12 < Luke-Jr> NSA has no authority over that :P
19:13 < sipa> TSA...NSA... just 3 bits difference
19:13 < Luke-Jr> lol
19:15 < jps> I'm sure those guys get a shot at the no-fly list
19:24 < petertodd> gmaxwell: I'm thinking of just hiring someone with ASIC design experience to look at this stuff frankly
19:25 < petertodd> gmaxwell: the EE I was talking to yesterday said he had some contacts
19:25 < gmaxwell> petertodd: actually having built a scrypt asic trumps abstract experience. :P
19:27 < petertodd> adam3us: the FPGA overhead might get closer to ASIC overhead, but only in the sense of power limitations - you'll never get similar space limitations unless ASIC tech changes pretty drastically in ways that are rather unpredictable
19:28 < petertodd> gmaxwell: the ASIC was a single performance point - scrypt is tunable after all
19:29 < gmaxwell> petertodd: yes, but my _suspicion_ now that I've thought about it is that the power usage per user-tolerance-unit will go down as memory usage increases.
19:29 < gmaxwell> esp once memory usage is high enough to not fit in cache on commodity hardware.
19:30 < petertodd> gmaxwell: as is mine, but does that make asics more or less attractive? potentially *less* if commodity dram can be tuned the way we want it to be
19:31 < gmaxwell> I don't follow your argument but I suspect it's on an entirely different subject matter than I'm talking about. I'm specifically concerned with scrypt as a KDF here, and I think this thinking invalidates the argument given in the scrypt paper, and that the result might be that scrypt reduces security against a well funded attacker cracking your password.
19:31 < petertodd> gmaxwell: e.g. scrypt with 4GiB might stress random access latency so much that everything but the ram doesn't matter at all
19:32 < petertodd> gmaxwell: no, I'm talking about KDF's - they're an easier problem that ASIC-hard PoW functions
19:34 < gmaxwell> petertodd: right, and if the power costs dominate after N months of operation, and the custom cracker has 10 fold lower power usage than an alternative one that used the same amount of user-tolerance budget but used sha256, then it wouldn't be a win.
19:36 < petertodd> gmaxwell: that's the thing though, your random access related hardware needs to run at full power and high speed, so the rest of the system may not be a big difference in terms of power
19:36 < petertodd> gmaxwell: of course, down the road FRAM tech could blow all these assumptions out of the water too
19:38 < gmaxwell> petertodd: well one way of looking at it once thinking about energy
 given commodity hardware is actually often made using state of the art technology, the task is to make the most use of the hardware the user has
 so how can you make commodity hardware use the most energy possible. Grinding against dram is _not_ the way to do that.
19:39 < gmaxwell> on a desktop PC, sitting in a tight inner loop on the SIMD registers in the cpu is.
19:39 < petertodd> gmaxwell: Are you sure about that? Because I'm not.
19:40 < maaku> what gmaxwell just said is definitely, 100% true
19:40 < maaku> waiting on the ram bus idles the CPU
19:40 < petertodd> gmaxwell: that *might* be true if the SIMD registers were power limited, but that's not at all a given
19:40 < petertodd> maaku: ram uses power to access
19:41 < maaku> very, very little power by comparison
19:41 < gmaxwell> it does but the power distribution is just not comparable. you're talking about 20w vs 100 watts.
19:41 < petertodd> gmaxwell: the problem is if your algorithm ever winds up not being power limited, then someone can go build an ASIC for it
19:41 < gmaxwell> petertodd: yea sure, the assumption I started out with is that the commodity hardware is already an efficient implementation of everything it does, which isn't true... indeed.
19:42 < gmaxwell> But to the extent it's true the KDF problem is just a matter of using all that's available... use the most gates the most power.. etc. make the most use.
19:42 < petertodd> gmaxwell: yeah, and that's an enormous problem. I'm sure you can make a PoW/KDF algorithm that targets *a* cpu family and uses it 100%, but that's not very interesting - you'd just as easily use a KDF with very tunable params to economically stay ahead of attackers with ASIC-dev costs
19:42 < poggy> is it plausible that energy costs would be a limiting factor or is this just a mental exercise?
19:43 < petertodd> poggy: it's plausible, but not certain
19:43 < gmaxwell> And if power costs dominate, you probably don't want to touch the memory at all... because the computer cannot burn 100watts accessing ram. and even if you imagine that its ALU is 4x less efficient than an optimized one, it probably still can burn more efficiency-weighed-power in the ALU.
19:44 < gmaxwell> poggy: it is the case that for computation tasks operating longer than a few months energy is more expensive than fabrication with modern processes.
19:44 < poggy> ah ok
19:44 < gmaxwell> How that balances out exactly is another question.
19:44 < gmaxwell> You have to run for a long time before fabrication is negligible.
19:45 < petertodd> gmaxwell: but look at the system as a whole: quite possible the lower power density of ram per unit area is irrelevant on a system wide level because you can't necessarily remove head from higher density effectively anyway
19:45 < petertodd> s/head/heat/
19:45 < gmaxwell> that works against the user, not against the attacker.
19:46 < petertodd> no, it works against the attacker for PoW for sure: removing low-grade heat cheaply with fans costs very little. For KDFs, that's less certain.
19:47 < petertodd> remember for PoW one argument for decentralization is that the heat can be useful - of course if someone comes out with a ASIC process that can run at hotter temps...
19:47 < gmaxwell> oh I misunderstood what you were saying, I was not arguing in terms of unit area.
19:47 < gmaxwell> I'm arguing in terms of whats actually in a PC.
19:47 < poggy> are there any hybrid functions?
19:47 < gmaxwell> e.g. how much attacker joules can 1 second of a PC possibly require.
19:48 < poggy> requiring both memory and gpu(or whatever)
19:48 < gmaxwell> And I believe that large memory memory hard requires fewer attacker joules simply because the PC only has
17:11 < Emcy> and why didnt they use something better for the xbox. Im sure thier codec was some 64kbs cbr shit right up until last month. Everyone so scared of patents.
17:13 < zooko> patents are scary
17:14 < Emcy> yeah its a shame that a competitive free/libre/nopatents video codec will probably never happen cos of that shit
17:14 < zooko> HEy does anybody have a good list of patents that probably apply to NTRU cryptosystem?
17:15 < zooko> cryptosystems, I meant to type, i.e. PK encrypt and dig sig.
17:15 < gmaxwell> NTRU is such an engineering mess in general.
17:16 < gmaxwell> The history of commercial cryptosystems has been a sad one. No one wants patented crypto, even if it's awesome.
17:16 < Emcy> i dont actually understand how you can patent maths
17:16 < zooko> OCB
17:17 < nsh> where's context-aware acronym-explainer-bot when you need her
17:17 < maaku> Emcy: you can certainly patent applications of math
17:18 < Emcy> but everything is applications of maths
17:18 < gmaxwell> if you can't patent applications of math then with enough layers of handwaving you can't patent anything, after all we could all just be running in a simulation.. and what is a cotton gin but a pattern of information? :P
17:19 < Emcy> thats one zinger of a reductio ad absurdum :P
17:20 < Emcy> but youre right, where does it end
17:20 < gmaxwell> well, so is saying that a practical cryptosystem is "just math", in terms of the stuff the patent system was created to do a cryptosystem is something people work hard at to invent... sooo.  Of course, it doesn't usually work out, because trust in these systems generally requires them to be public infrastructure... and public infrastructure abhors the toll tax.
17:21 < Emcy> only if you want to make money off your system?
17:22 < Emcy> yes, lots of unfortunate opposing imperatives trying to Something Good under capitalism......
17:22 < gmaxwell> well, so long as things cost money doing things with no prospect of making money may be somewhat ill-advised. ::shrugs:: no easy answers.
17:22 < Emcy> also true
17:23 < Emcy> we need crypto-patrons.......
17:23 < gmaxwell> amiller: in any case, I think relatively compact snarks of sum-difficulty could be produced.
17:23 < gmaxwell> amiller: as in circuits that only take minutes to make a difficulty proof for some whole blockchain.
17:24 < amiller> i think so too.
17:24 < gmaxwell> though I think you'd want to be committing to blocks included in a fork that way, instead of just hoping they show up.
17:25 < gmaxwell> did you guys resolve the objection about convergence I started?
17:25 < amiller> i dunno
17:27 < gmaxwell> I think it's resolvable by committing all the blocks used in the calculation. ... but I think it must be solved. otherwise you could have two subgraphs of great additional difficulty each decided by an additional diff1 orphan added early to the fork... so you must relay the darn things
17:28 < sipa> any opinions about that israeli paper yet?
17:28 < gmaxwell> we were just talking about that, I think you weren't included on the email thread, you probably should be.
17:28 < gmaxwell> it has a lot of similarity to amiller's early ideas about orphan rate targeting blockchains instead of block time targeting them
17:29 < gmaxwell> Major unambiguous downside is a six hundred fold increase in SPV base cost (bandwidth/cpu). Though perhaps that could be solved by using snarks to prove difficulties.
17:30 < gmaxwell> there is some discussion over if their specific description is actually convergent or not, I don't think it is though it's easily possible I'm missing something, as I have not read the paper yet, but it could be fixed.
17:33 < nsh> i saw earlier that there's [some kind of] simulator. could that be used to test convergence?
17:34 < maaku> gmaxwell: they're suggesting lowering the interblock time, but i'm more interested in an apples-to-apples comparison: direct drop-in replacement for current fork-selection rules
17:38 < maaku> they seem to have focused on lowering the interblock time, but it's just as applicable to raising the block size
17:44 < amiller> nsh there's a nice simulator by ebfull that simulates mining and block propagation, especially to do the selfish mining simulation, and in your browser with a neat little visualization https://bitcointalk.org/index.php?topic=326559.0
17:45 < gmaxwell> maaku: ignoring the cost to lite nodes, why not increase the block size by lowering the time?
17:45 < amiller> it's basically fast enough with the graphics turned off to do simple monte carlo things
17:45 < gmaxwell> assuming you're willing to tolerate the reduction in goodput.
17:45 < nsh> amiller, ty
17:46 < gmaxwell> Probably the biggest thing to chase here is the goodput implications.
17:47 < maaku> gmaxwell: shorter cycles leading to centralization, mainly
17:47 < maaku> goodput?
17:47 < gmaxwell> The impact on litenodes can be fixed by turning the linked list of the blockchain to a MMR or skiplist and by using snarks to prove difficulty.
17:48 < gmaxwell> maaku: goodput is the actual amount of useful block data you can send, after removing the overheads from sending around orphans.
17:49 < maaku> yes those are my objections to lowering the interblock times: lite client poor performance, decreased goodput, and centralization
17:49 < gmaxwell> maaku: yea, okay, low enough latency has centralization issues, but so does large enough blocksizes. Figuring out how to navigate that is important.
17:49 < maaku> vs. the corresponding increase in block size
17:50 < gmaxwell> Yea, I think I already know how to solve liteclients well enough. The latter two are big open questions for me.
17:51 < maaku> i think we can probably get shorter intervals than 10 minutes. 1 second is ludicrous though
17:52 < andytoshi> fwiw, aviv says they looked at goodput in the paper, had calculated a worst case of 4%
17:52 < andytoshi> and he did some calcs which suggested that was tolerable
17:52 < andytoshi> from a bandwidth perspective
17:52 < gmaxwell> andytoshi: tolerable for what?
17:52 < gmaxwell> tolerable on my DSL?
17:52 < gmaxwell> :P
17:52 < andytoshi> yeah, he was talking 320kbps
17:52 < andytoshi> so, tolerable if you are doing nothing else :P
17:53 < gmaxwell> 1 second is ludicrous just compared to the radius of the world. I am on a ssh right now with a 200ms rtt (to NZ)
17:53 < gmaxwell> but I don't think there is any reason to waste time worrying about the specific number.
17:53 < andytoshi> yeah, 1sec seems crazy, but his goal is to have massive scalability
17:53 < maaku> not to mention it cuts off the Moon from the economic sphere of the Earth ... but I'm probably the only one who cares about that ;)
17:54 < gmaxwell> maaku: it's probably better to do that. We've already excluded mars in any case.
17:54 < gmaxwell> maaku: good fences make good neighbors. :P
17:56 < amiller> ahhh thanks gmaxwell i've been trying to think of what that quote was
17:57 < Emcy> are we really precluding economic warfare with the moon here? Wizards pls.
17:58 < amiller> bitcoins in spaaaaaace
17:58 < sipa> spacoins
17:59  * nsh is definitely in the pro-Moon-inclusion bloc
18:00 < nsh> it's the economic divisions that invariably lead to orbital colonies declaring independence
18:00 < maaku> well 10 minutes is inclusive of cislunar + l4/l5, so that's a pretty expansive area that would be able to participate in the bitcoin network
18:00 < Emcy> heh did you watch elysium too
18:02 < maaku> more seriously I'd love for someone to formalize the bang-for-buck advantages of increasing the block size vs. decreasing the interblock time
18:03 < maaku> my understanding is that we'd get higher tps for the same cost tradeoff by increasing the block size vs. faster blocks
18:04 < Emcy> the block interval is not changing ever
18:05 < maaku> Emcy: we'd be hard forking anyway to increase the block size
18:06 < Emcy> i just dont see it happening.
18:06 < maaku> I don't see the reason to lower the block interval either (unless you can get it to be sub-second, but relativity says that's not possible without centralization)
18:06 < Emcy> and i dont think the block size things is as much of a done deal as people assume either
18:06 < maaku> But that's what people want, and the hypothetical scenario being explored by aviv's paper
18:06 < maaku> So I'd kinda like a formal response
18:07 < Emcy> do it on testnet
18:07 < maaku> Emcy: either bitcoin will increase its transaction throughput, or it will become irrelevant
18:08 < sipa> maaku: how do you see that happening?
18:08 < maaku> The only ways of doing that are decreasing the interblock time, increasing the block size, or moving to off-chain transactions (which eliminate the relevance of bitcoin-as-a-currency)
18:08 < sipa> no, they eliminate the relevance of bitcoin-the-network
18:08 < sipa> not of bitcoin-the-currency
18:08 < sipa> s/eliminate/reduce/
18:08 < nsh> why couldn't a second network be spawned?
18:09 < maaku> bitcoin-the-currency only has value because of bitcoin-the-network
18:09 < nsh> (not that this would be preferential to solving problems; just curious in theory)
18:09 < Emcy> i know which one id rather to fade in relevance
18:09 < sipa> maaku: i would like to agree with that, but i think that's completely untrue today
18:09 < nsh> why couldn't you have bitcoin-network-0 at saturation, and start another bitcoin-network-1 for spillover?
18:09 < sipa> what's the point?
18:10 < maaku> sipa: i think it's still true today. bitcoin-the-currency has speculative value because of the speculative future of bitcoin-the-network
18:10  * nsh shrugs
18:10 < sipa> maaku: i'm very unconvinced about that
18:10 < sipa> i think speculation happens because people see the value go up because of speculation because people see the value go up
18:11 < sipa> i think many, many speculators are actually very uncertain about the long term survival
18:11 < sipa> or maybe i'm just projecting my own opinion :)
20:24 < amiller> each party places down a *security deposit*, in addition to their bet, that is used to patch over the lack of computational ability in case one party doesn't cooperate
20:25 < amiller> so the choice in this paper is to make each deposit equal to N(N-1)
20:25 < amiller> in other words, the deposit is one *whole jackpot for every player*
20:26 < amiller> that's a pretty extreme deposit
20:26 < amiller> but it is giving the pretty much best possible guarantee, which is pretty cool
20:40 < amiller> i think i can do better
20:40 < amiller> i think there's a way to improve on the total amount of liquidity needed in their scheme
20:41 < amiller> suppose you're willing to wait for t rounds
20:42 < amiller> the first party puts in N coins, the second party puts in N-1 coins, the third party puts in N-2 and so on
20:42 < amiller> and you release people from their obligations in rounds :o
20:44 < andytoshi> so if parties do not show up, the number of rounds is reduced?
20:50 < typex> tl;dr
--- Log closed Fri Dec 06 00:00:35 2013
--- Log opened Fri Dec 06 00:00:35 2013
07:00 < typex> sorry about that. was drunk as fuck last night :-)
08:46 < Mike_B> cool paper! https://bitcointalk.org/index.php?topic=359582.20
08:46 < Mike_B> would love to hear gmaxwell's opinion when he gets up
08:46 < Mike_B> and has time to read
08:49 < _ingsoc> Mike_B: Would it have to operate as an alt?
08:49 < Mike_B> well, it seems like he's proposing a different way of considering transactions confirmed - orphaned blocks should also count as confirming tx's
08:49 < Mike_B> so you could adopt that rule in btc i guess
08:50 < Mike_B> but the idea is that once you adopt this rule it supposedly lets you shoot for a much shorter block generation time on average (1 sec he claims) without sacrificing security
08:50 < _ingsoc> Unlikely before getting some real-world data.
08:50 < Mike_B> right, i'm also skeptical
08:50 < Mike_B> i'm also curious if there are holes that can be poked in that... not entirely sure it's impossible to game it
10:20 < andytoshi> typex, probably the least regrettable drunk IRC posting I've seen..
10:23 < andytoshi> every bifurcation in a tree represents a halving of computing power, no?
10:23 < andytoshi> i'll have to read the paper..
10:24 < andytoshi> and having one block per second is going to cause massive network split effects
11:35 < andytoshi> ok, the way this tree block thing works is, when determining which block continues the main chain, rather than looking at which extends to a chain with the largest total difficulty, you look at which one extends to a -tree- with largest total difficulty
11:35 < andytoshi> so you are still thinking in terms of chains, but your "which chain is best" algorithm considers all active forks along the way
11:37 < andytoshi> they prove that each block is eventually accepted or rejected (i.e. this does not cause permanent network splits)
11:38 < andytoshi> they point out that in the current system, if there are a lot of forks happening for some reason, this drops the effective hashrate because tons of work is being thrown away, thus making a 50% attack easier
11:38 < andytoshi> they claim that this does not affect their system as badly
11:39 < andytoshi> these are all proven, but the statements and proofs are technical and i don't have the time for a detailed analysis
11:41 < andytoshi> anyway my impression is that this is worth taking seriously
11:43 < t7> andytoshi what if two inputs are spent differently in two different chains ?
11:45 < andytoshi> eventually one side of the fork will "collapse" as there is a greater subtree weight on that
11:45 < andytoshi> and as blocks are piled on the usual more-time-means-more-confirmation heuristic applies
11:45 < t7> ah
11:46 < andytoshi> because everybody looks at the greatest subtree weight to decide what to mine on, there is an avalanche
11:56 < amiller> hm
11:56 < amiller> are there any risks of using this?
11:57 < amiller> i feel like we had a reason not to want to do it this way but maybe it's fine?
11:59 < amiller> i'm trying to read and understand the security definitions...
11:59 < andytoshi> that was my thought too, but on a cursory review the math holds up
12:00 < andytoshi> so i'm trying to think about practical attacks, potential for DoS, storage/bandwidth usage..
12:00 < gmaxwell> amiller had suggested this before.
12:00 < gmaxwell> (or things substantially similar)
12:00 < amiller> so how did you talk me out of it, i don't remember :p
12:01 < gmaxwell> A couple reasons, one is that it's an enormous cost increase to lite codes (e.g. hundreds fold more bandwidth, potentially)
12:01 < gmaxwell> s/codes/nodes/
12:02 < gmaxwell> andytoshi: are they actually having new blocks commit to all branches of their past subtrees? amiller's idea was to do that. If they don't then I don't see how it's convergent.
12:03 < andytoshi> no, blocks commit only to a single parent
12:03 < andytoshi> i'm not clear how the parent is chosen when there are multiple options with no existing subtree
12:04 < gmaxwell> andytoshi: uh, so why do you and someone who joined the system later than you pick the same solution at all?
12:04 < gmaxwell> e.g. you and I get the same longest tree, but different forests, and so now later we choose different longest trees.
12:04 < andytoshi> after some time, new blocks will be mined on top of one or more of the options
12:04 < andytoshi> hmm, everyone starts from the same genesis..
12:04 < iddo> i think they say that each block does point to its
12:05 < iddo> ancestors
12:05 < iddo> maybe just for lite nodes optimization hmm
12:05 < gmaxwell> it has to be all of the ancestors needed to compute the highest difficulty, if they do that, then it's what amiller proposed before.
12:05 < andytoshi> for a given leaf node, there is only one ancestor (and only one chain back to the genesis)
12:05 < gmaxwell> if they don't I don't see how it can be convergent, because nodes will pick chains based on data that has no strong synchronization method.
12:06 < andytoshi> so, algorithm 1 on page 18 says what i'm saying here, it's like 5 lines and a bit more precise
12:07 < andytoshi> there is an assumption that everybody eventually hears about every block, and synchronization happens because long-term forks are unstable
12:07 < andytoshi> one or the other will have a stronger POW on its subtree, and then everyone will mine on that
12:08 < gmaxwell> But what mechanism makes you know there are blocks in your subtree that you need to have? amiller's orphan-targeting stuff handled it by blocks committing to the orphans their miners knew about.
12:08 < andytoshi> no such mechanism
12:08 < andytoshi> well, none that i saw
12:08 < andytoshi> the assumption is that every block propagates eventually
12:09 < andytoshi> so if you are missing blocks, that will give you a bad view of the network, but when the missing blocks come in your view will be corrected
12:10 < andytoshi> and since miners are incentivized to work on the strongest side of the fork, the likelihood that your view is so badly compromised that you think the wrong fork is correct, is very small
12:10 < gmaxwell> how do you prevent denial of service then? e.g. I constantly feed you difficulty 1 orphans for block 1?
12:10 < gmaxwell> you've got to take them, cause, you never know, all those diff 1 guys might eventually sum up to be greater than the current best.
12:10 < andytoshi> right, exactly
12:11 < andytoshi> i'm not sure
12:11 < andytoshi> hmmm
12:12 < gmaxwell> also, what about problems with goodput? let's imagine this with blocktimes of 1ms (e.g. way below the latency between nodes)
12:12 < andytoshi> not sure, i skipped over the propagation-time analysis
12:13 < gmaxwell> you would eventually converge on sufficiently old history, but you're spending all your bandwidth sending orphans.
12:13 < andytoshi> i think that's correct, my impression is that they did not look at bandwidth usage
12:14 < andytoshi> i wish they had published a shorter version that did not spend so much time discussing common knowledge about bitcoin..
12:14 < gmaxwell> liquidcoin (coin with fixed difficulty) basically melted down because it eventually was using all its bandwidth/cpu just switching between a zillion distinct forks and no longer making much progress.
12:14 < andytoshi> the opposite of solidcoin ;)
12:16 < pigeons> same as geistgeld but geistgeld was sha256 liquidcoin scrypt
12:16 < andytoshi> i expect if you were to ask the authors this, they would try to come up with some heuristic for ignoring spam blocks
12:17 < andytoshi> in the limit, you ignore all but the highest-difficulty chain, and you get bitcoin
12:17 < andytoshi> and it seems like anything weaker than that has the potential to cause forks when people's definition of "spam" diverges
12:17 < andytoshi> so you'd need to just accept everything, which is what this paper proposes
12:18 < iddo> gmaxwell: about DoS by feeding you diff 1 orphans for block 1, i think that they claim that your node can ignore the orphans until someone does enough PoW to send you many orphans together and prove to you that his subtree should win
12:18 < andytoshi> ...and then gmaxwell's "spam a trillion diff-1 blocks" attack would work
12:18 < gmaxwell> andytoshi: yea you could have any amount of difference between two subtrees.
12:19 < andytoshi> iddo: if a node doesn't know everything, he can't prove or disprove that a certain subtree will win
12:19 < andytoshi> and that'd certainly be the case for every node in a high-block-rate network
12:20 < andytoshi> so if you ignored blocks just because the sender couldn't prove they were worthwhile, you'd end up ignoring everything.
12:20 < andytoshi> and again your ignoring heuristic creates potential for a long-term split
12:21 < amiller> maybe this is an important thing to simulate?
12:21 < amiller> they've gone through the trouble of formalizing what the algorithm should be
21:27 < gmaxwell> What I think their design is doing is taking advantage of the fact that the scrypt engine is area limited while the bitcoin work is thermally limited... so they get a part that basically does both for the cost of one. (well, their prices are high, but that's markup)
21:28 < brisque> gmaxwell: oh I totally misread the email from the seller, I thought it was over 10W/gh for the sha256 side.
21:28 < andytoshi> nice interview adam3us1, i wasn't familiar at all with hashcash
21:28 < andytoshi> ..except there was a discover article which mentioned it in passing in 2004 or so
21:38 < gmaxwell> hm... this actually suggests a flaw in the scrypt paper. The argument for scrypt is based on chip area. But it really should be based on total costs including energy.
21:39 < gmaxwell> since a cracking chip ends up being thermally limited, increasing the area required may not actually increase costs much at all.
21:42 < brisque> rather than being thermally limited, couldn't it be that they just couldn't fit a second scrypt scratch pad in and just put a sha256d core there to fill the space?
21:42 < andytoshi> increasing the die size should increase the cost/unit proportionally, no? the wafers are a fixed size
21:51 < gmaxwell> andytoshi: no, not when you need to waste area just to act as heat spreading, and not when your total costs for your cracking infrastructure are dominated by energy.
21:51 < gmaxwell> In fact, it may even be counterproductive (e.g. reducing the energy ratio between attacker and defender enough that the attacker's advantage increases)
21:53 < gmaxwell> it's currently the case that any piece of high performance computing's energy costs surpass manufacturing if it's operated for more than a few months.
21:54 < brisque> is a piece of bitcoin mining gear worthwhile after a few months?
21:54 < brisque> currently it's not.
21:54 < gmaxwell> brisque: sure. lol. careful with those exponential extrapolations.
21:55 < brisque> gmaxwell: oh I'm not predicting based on them, just observing that it's currently fairly vertical.
21:55 < gmaxwell> my b1 avalons still mine 3x their power cost, ... and keep in mind that decrease in returns is exclusively driven by competition from more power efficient devices.
21:55 < gmaxwell> I'm not talking about mining now in any case, I'm talking about KDFs.
21:56 < brisque> any sensible KDF wouldn't have used the settings Litecoin picked though
21:57 < gmaxwell> yes, but the 'sensible' settings would make this discrepancy worse, not better.
21:57 < gmaxwell> e.g. you can choose between two KDFs that take 500ms (user tolerance threshold). It's possible that the memory hard one is actually cheaper to attack once you've factored in power costs because it performed far fewer operations in that time because it was spending time waiting on memory.
21:58 < gmaxwell> the scrypt paper computed costs purely based on area, not power. This is clearly incorrect thinking because on any fixed computing infrastructure the power costs are greater. Though I don't know if it happens to break their conclusions.
21:58 < gmaxwell> The gridseed parts suggest it's a wash at the parameters ltc used.
21:59 < brisque> if not memory hard, what is the ideal KDF?
21:59 < gmaxwell> But I'd expected that more memory usage would not increase power usage, but would make it slower on desktops (e.g. fewer operations within the user tolerance window). But that would be interesting to crunch through and see how the numbers work out.
22:01 < gmaxwell> brisque: well the correct question is given the commodity hardware the users have, the user delay budget, and the most optimal possible attacker hardware, what parameters minimize the attacker's advantage.
22:03 < brisque> 500ms is probably on the low side of what a user could tolerate. it's amazing what spinning indicators and progress bars can do to alter the perception a user has of a slow operation.
22:03 < gmaxwell> The Scrypt paper argues that very memory hard things minimize the attackers advantage because it forces the attacker to spend more mm of silicon. I now think this is suspect because mm of silicon is a minority of a large scale attacker's costs... though that doesn't mean that there isn't some particular non-zero memory hardness level that produces the smallest ratio.
22:04 < gmaxwell> It was a random number, it doesn't actually matter.
22:04 < gmaxwell> and fwiw, 500ms w/ bitcoind to authorize a transaction is actually irritating when it's in the foreground.
22:05 < brisque> I know, but I've always found it fascinating how users perceive different delays. in a shell a few millisecond delay is horrible, yet people wait 20 seconds for microsoft word to start.
22:05 < gmaxwell> (our kdf is 100ms by default which is pretty much imperceptible... there seems to be a somewhat sharp wall on delay between imperceptible and annoying somewhere around .5s.)
22:05 < brisque> if the signing happened in the background and took half a minute it wouldn't matter in the slightest.
22:06 < gmaxwell> brisque: well except that it can't even tell you if you typed the key wrong until after the delay.
22:06 < brisque> well it would if the password was typed incorrectly, but it's the fact that the interface shows the latency rather than hiding it.
22:06 < gmaxwell> the fact that you need to be sure you can get the user's attention again and that you can't report success until after it's done makes it harder to hide.
22:07 < gmaxwell> in any case, as I said it's irrelevant. There is some budget, wherever it is. The question is how do you best use it to increase the attacker's total cost.
22:09 < brisque> probably by avoiding both cases. a very complex algorithm would be a hindrance to hardware implementations, wouldn't it? you avoid the energy saved by waiting around for memory, and you avoid making very simple hashing cores like for sha256d.
22:10 < brisque> that is, you have the best of both worlds. high power cost for the attacker and massive die space.
22:15 < gmaxwell> brisque: no. a very complex algorithm just increases the engineering work, but that's probably small compared to other costs for a large scale attacker.
22:15 < gmaxwell> After all, your own computer runs the complicated algorithm.
22:19 < brisque> gmaxwell: right.
--- Log closed Wed Jan 22 00:00:50 2014
--- Log opened Wed Jan 22 00:00:50 2014
00:50 < petertodd> gmaxwell: nifty chips - vitalik claims they're going to do a PoW (+PoS) competition - I predict it's going to be a horrible failure because they don't even have the skills to properly vet candidate judges...
00:52 < petertodd> gmaxwell: incidentally, I was talking about PoW with an EE unfamiliar with the field, and he independently thought of the area-power re-use thing immediately, which I think indicates how utterly out to lunch 95% of the people here are (scrypt authors included)
00:52 < gmaxwell> petertodd: well and everyone participating has an incentive to play up their advantages. It's also predicated on a goal which is not proven to be objectively worthwhile.
00:53 < gmaxwell> yea, this wasn't obvious to me before. Now it really would be interesting to go analyze scrypt power usage and go compute up the total costs.
00:53 < petertodd> gmaxwell: meh, the other thing the EE immediately saw was how important the goal was - he understood damn well how easily niche technology gets regulated out of existence
00:53 < petertodd> gmaxwell: it *is* an existential threat and figuring out how best to solve it is very important, even if only to make sure the threat doesn't actually happen
00:54 < petertodd> I really suspect there's some interesting games you can play with power gating memory and scrypt - for instance you could probably make a low-power dram implementation that doesn't refresh ram and accepts errors in exchange for low power (another thing that EE immediately thought of)
00:55 < gmaxwell> actually the lifetime of the required memory is so low it probably doesn't need refresh.
00:56 < petertodd> that's the *problem*! DRAM controllers already take that into account, but on top of that optimization you can probably push voltages even lower than standard, and maybe even use some simple, and custom, prediction stuff to shave it even further
00:56 < gmaxwell> scrypt access patterns are somewhat unpredictable so it would be hard to just size the capacitors so that it never failed, but you could still get failure rates as low as you want.
00:57 < petertodd> yeah, and economically optimal is going to be very high failure rates by conventional standards
00:57 < petertodd> probably orders of magnitude higher - so much so that the design will be 100% custom
00:58 < gmaxwell> yea, existing mining hardware runs fine at failure rates around 1%. e.g. stuff ships out of the factory with ~1% of returned nonces being wrong.
00:58 < petertodd> existing computers have failure rates probably... I dunno, twelve orders of magnitude less than that?
00:58 < gmaxwell> you can't run commodity silicon at those error rates because something important will glitch out and it'll wedge.
00:59 < petertodd> well... that's changing though, because designers are being forced into that kind of error territory - we're also lucky that GPU's can tolerate higher error rates than other computing stuff, kinda
00:59 < gmaxwell> (this was actually one of the reasons gpu mining headlessly worked better: most cards could be pushed a lot further when they weren't displaying anything)
01:00 < petertodd> in any case, said EE thought my ideas about FPGA "cottage industry" PoW algorithms were feasible, because FPGA hardware these days can have a surprising amount of power gating and similar tech
01:01 < petertodd> similarly things like DRAM often have a lot of control over how the internals work if you're willing to attach it to a custom controller, and those controllers are FPGA-implementable with good performance
14:24 < gmaxwell> one of the limitations in all this verifiable computing stuff compared to MPC is that you can't keep secrets from yourself. ... but MPC doesn't really get you security in an anonymous model. if you had what you want you could have a publicly verifiable version of everything MPC can do.
14:25 < gmaxwell> For example, you could have a captcha POW coin.
14:27 < andytoshi> yeah, and the mere fact that we could get so much magic out of this suggests its implausibility. but idk, maybe we can get all or partway there. i'd like to spend some time researching this.
14:30 < andytoshi> probably 100% of what we've discussed in the last hour, if you asked me 18 months ago if any of it were possible, i'd have said not a chance. so i'm optimistic.
14:31 < gmaxwell> well, perhaps the existence of one way functions sort of suggests the possibility of it.
14:32 < andytoshi> my money is on their existence being ZFC-undecidable :P
14:33 < andytoshi> halting-complete rather
14:45 < andytoshi> another problem i thought of is that the key-derivation scheme could be malleable. that is, you can tweak the circuit and this changes the key in some predictable way, so you can still steal information about the input this way. so i thought, the KDF should basically evaluate the circuit but attach to each gate a one-way function which is somehow specific to that gate. and then i started to think
14:45 < andytoshi> it'd be very hard to preserve enough information through all this that i could decrypt the information in the end.
14:45 < andytoshi> decrypt the actual output*
14:46 < andytoshi> maybe you take the encryption key, run it through some shadow version of the circuit made of OWFs, then the output of that could be the trapdoor information needed to decrypt the output
15:47 < nsh> hmm
15:49 < nsh> occurs to me that the dynamics of difficulty adjustment are much more complex now you have pools supporting multiple-coins leading to positive feedback from hopping driving instability
15:51 < nsh> there was a significant first-mover advantage with bitcoin in that slushy liquid hashpower was not even a thing until it was relatively mature
15:51 < nsh> to what extent that is balanced by lessons (theoretically) learned is another question
15:56 < maaku_> nsh: fickle hashpower utterly destroys alts with bitcoin's stock difficulty adjustment algorithm
15:56  * nsh nods
15:57 < maaku_> most adjustment algorithms used by alt devs are broken, on the other hand
15:57  * nsh looking at vertcoin, which seems to be an actual effort, at least
15:58 < nsh> 67 pages of trollcointalk thread is quite depressing though. wish there was a way to getting the 5-10 posts that are actually worth reading out
15:58 < maaku_> amiller: do you have contact details for the type theory language person?
15:58 < maaku_> that's someone I'd want to talk to about scripting extensions
16:07 < maaku_> nsh: there's also this, which we spent considerable time crafting : https://github.com/freicoin/freicoin/commit/d82a66e10f413bc81889b48a498625829353d701
16:07 < nsh> looking
16:08 < maaku_> i think gmaxwell would have preferred using bessel functions, but an FIR filter has worked fairly well so far
16:08 < nsh> i recall gmaxwell demurring somewhat. but i guess it's held out pretty well?
16:08 < nsh> right
16:10 < maaku_> it has made the problem go from catastrophic to merely annoying
16:11 < gmaxwell> I watched it for a while and it seemed fairly poorly controlled, but I never looked at it before the change.
16:11 < maaku_> there is still a major hopping pool which regularly hits us when profitability creeps up, but only snags a couple of dozen blocks before the difficulty adjusts back up
16:12 < gmaxwell> I'd worry that if there were two of those it might be unstable. but apparently not in practice.
16:13 < maaku_> I don't think there's anyone else using the same filter, but there are more than two using fast-acting filters
16:13 < maaku_> and that's what the coin hopping pools are doing, jumping back and forth
16:13 < maaku_> i'd be interested in hearing ideas about a better filter
16:14 < maaku_> although I think there are some fundamental problems here that won't go away
16:14 < maaku_> e.g. there's only so much you can do to mitigate the damage
16:15 < gmaxwell> creating strategic behavior isn't so hot though.
16:19 < nsh> a bunch of coins could probably dampen the effects of pools hopping with a profitability peg
16:19 < nsh> perhaps
16:19 < maaku_> nsh: vertcoin looks like stock bitcoin difficulty adjustment (+ time traveller patch)
16:20 < maaku_> nsh: well, you'd think profitability-seeking is, well, profitable. but it is not
16:20 < nsh> (could be. haven't quite figured out what the NFactor scrypt difference is they're pimping)
16:20 < maaku_> due to coinbase maturity & distribution delays, they get the coins *after* dips in prices due to their activities
16:20 < nsh> right
16:21 < nsh> i doubt the pool operators have analyzed it very deeply
16:21 < maaku_> i've seen people model this, and it's almost always 10% or so worse than mining a single coin
16:21  * nsh nods
16:21 < maaku_> although there could be other strategies - e.g., mine the 2nd most profitable coin, in order to stay in front of the bigger pool hopper
16:21 < nsh> you could probably account for hysteresis to some degree but the uncertainty would eat into the profitability
16:22 < nsh> right, but that's not robust with many players
16:24 < maaku_> it does show that you'd have to do some serious game theoretic analysis to figure out what optimal strategies are
16:24  * nsh nods
16:24 < maaku_> and even then, you're battling human psychology, because we know that even the guiding hand of the market has led people to an inefficient strategy in practice
16:25 < nsh> i'm sure there's some law to the effect that people will always find a way to be more irrational than your models
16:25 < maaku_> so, in our case, we actually relied mostly on historical bitcoin data in the creation of our filter
16:25  * nsh nods
16:25 < maaku_> we figured it's better to design something which works well at that scale
16:25 < maaku_> than over-optimise to solve this particular problem, which by nature goes away if you are the chief coin (or MM against it)
16:26 < nsh> right
16:26 < amiller> maaku_, i don't want to say any more about it until i get his permission
16:26 < amiller> maaku_, but i showed him your utxo engineering page
16:26 < gmaxwell> maaku_: I'm not sure that I would have used that data in design other than a validation test. The problem you need to engineer for here is a dynamic system problem so just some static data trace from bitcoin doesn't show you data from miners switching on and off in response to the difficulty.
16:27 < maaku_> amiller: well if you want you can show him this too: http://pastebin.com/5ScNX7vy
16:27 < maaku_> it's what I want his opinion on
16:27 < maaku_> and sounds like it might be related
16:27 < maaku_> gmaxwell: we used bitcoin, litecoin, and freicoin data
16:29 < maaku_> and a success metric of how close the chain would have stayed to 10 minute block times
16:31 < maaku_> interestingly the curves (various parameters vs simulated performance) remained the same for all three coins despite the different problems encountered by each. just noisier in the case of litecoin and freicoin
16:31 < maaku_> so we picked the fastest-acting values which were noise free, which by coincidence were also the best for bitcoin
16:36 < nsh> how was noise-free defined?
16:37 < gmaxwell> maaku_: I'd think that what I'd want to do is use the bitcoin/litecoin blockchain and market data to derive parameters for a model of miner behavior. (e.g. how fast do miners add and remove hashpower when it's (un)profitable.) and then calibrate the control system against the miner model.
16:53 < maaku_> nsh: 1000's of simulations run, results plotted, then eyeballed
16:53 < nsh> right
16:53 < maaku_> so, tight grouping of data points
16:53  * nsh nods
16:53 < maaku_> unfortunately all this work is on another hard drive
16:54 < maaku_> or i'd dig up some of the graphs
16:55 < nsh> no worries
19:30 < jtimon> gmaxwell maaku_ nsh I think it's the chain-hopping algos and not the filters that need to improve most, provided that you have a responsive enough filter
19:31 < jtimon> they are really dumb
19:31  * nsh nods
19:32 < jtimon> they believe anything that's on some websites that calculate profitability simply from spot price without any look at market depth, volume or volatility
19:32 < jtimon> http://www.coinwarz.com/cryptocurrency
19:33 < jtimon> It's very easy to put a small coin on top of that list with little money
19:35 < jtimon> and hop-miners jump into shitcoin just to find out later that they broke the price when dumping their mined coins into the market
19:36 < jtimon> a good algorithm just needs to target a time period, the market should make profitability tend to 0%
19:38 < jtimon> just not yet
19:40 < jtimon> I think the non-merged-mined SHA256 are in the worst position for chain-hopping
19:40 < jtimon> so I'm pretty happy with freicoin's filter, things will only get better when MM
19:42 < jtimon> and other coins that don't use the block height for demurrage care less about not being always 10 min
19:43 < jtimon> even terracoin survives with its random-like filter
19:46 < gmaxwell> jtimon: I'm more worried about things like long term behavior with fees being comparable in magnitude to subsidy and miners mining near breakeven in power cost.
19:47 < gmaxwell> and then things like filter overshoot making huge chunks of hashpower go unprofitable and shut off automatically. such a system could very likely be quite unstable.
19:48 < gmaxwell> e.g. a small overshoot oscillation magnifies until all the hashrate is turning off.
19:48 < jtimon> for the filter it's the same, you need to adjust rapidly when big hashing comes and goes
19:49 < gmaxwell> "it's the same"?
19:22 < arbart> So is there anyone you've heard developing an open bitcoin bank API / system, meant so anyone (the world) can run an off-chain tx thingies to enable micro-transactions, and enabling a distributed nature of such (to allow people in different countries to implement them however works there), thus using something like probabilistic payments or something to settle bitcoin transfers across the 'banks' in a trustless manner? :) all
19:23 < petertodd> arbart: None that I've heard of - doing all that is a tonne of work and tricky to monetize.
19:23 < petertodd> Small-value payments just aren't worth much... and improvements in blockchain tech, or just the community accepting less decentralization, could easily make all our effort in vain.
19:25 < arbart> Yes, well, why I was wondering the state of the art, or I guess opinion on where it is at, in third party ideas, or native bitcoin protocol, or what :)
19:25 < petertodd> arbart: basically state of the art re: what we know can be done is way, way ahead of what people actually do
19:25 < arbart> oh, and they aren't worth much each, but together they are more useful/powerful
19:26 < petertodd> e.g. proving balances are backed by real bitcoins is pretty easy, yet no-one's bothered AFAIK even though there's all kinds of bitcoin funds popping up
19:26 < arbart> Well my mission is to discover all the boundaries right now and then find which one I am best suited to help poke at :)
19:27 < arbart> oh interesting point
19:27 < petertodd> well, try writing one of these prove-a-balance schemes! it's reasonably easy, and would be a nice thing for us to be able to show as an example
19:29 < arbart> I can't argue any of that! That's an awesome idea then, thanks :)
19:31 < petertodd> np
19:32 < arbart> What were you thinking then, a whole system? As simple as an rpc call in bitcoind that is something like signs some proof message with the public key? (is that a good way to do it) Or what level of 'system' were you thinking?
19:34 < arbart> Oh, and thank you for the summary of the state of the art then :) Your tree-chain idea though is quite interesting and will plague my thoughts for some time to come I'm sure.
19:35 < petertodd> haha, mine too!
19:36 < petertodd> arbart: doesn't have to be fancy, just something that has some python or whatever functions that takes a list of balances, commits them to a txout, can spit out short proofs, and finally can verify those proofs is enough
19:36 < petertodd> that'd implement everything a cold-storage bitcoin investment fund would need
19:41 < arbart> I know C (enough ++ boost pain that I grokked the original Satoshi client) and Java.
19:41 < arbart> Should I be learning python?
19:42 < petertodd> arbart: the python bitcoin libraries aren't great, python-bitcoinlib is one I've done some work on, a javascript implementation of this would probably be more useful to a wider audience
19:44 < arbart> In that case, scarily enough I might take a look at the javascript avenue then :)
19:44 < petertodd> arbart: heh!
20:02 < arbart> petertodd: In your list of requirements, I don't understand the 'commits them to a txout'. By that is it suggested the proof is a transaction that is output (just not published to network, but passed by hand / posted on /investors website)?
20:03 < petertodd> arbart: by "commit" I mean the txout is of some form that makes it impossible to make fraudulent proofs for a second merkle tree
20:05 < arbart> Oh I see, to actually transfer the bitcoins as part of the proof process?
20:05 < petertodd> exactly! otherwise it's just a merkle tree
20:10 < arbart> petertodd: Would you vomit, if I used supernode as a library to do this?
20:11 < petertodd> dunno what supernode is
20:12 < arbart> A BSD licensed java implementation, not made by google.
20:12 < petertodd> ah, yeah, I dunno much about java anything
20:12 < BlueMatt> is anyone going to the financial crypto conf in march?
20:12 < petertodd> do what you want :)
20:12 < petertodd> BlueMatt: I am
20:12  * BlueMatt is pondering going...
20:12 < petertodd> BlueMatt: amiller is booked, and adam back said he was thinking of it
20:12 < BlueMatt> shit, now I have to go
20:13 < petertodd> BlueMatt: hehe
20:13 < jtimon> "commits them to a txout" sounds like "hash 'them' including a hash of a txout" I'm glad to hear I'm not the only one who gets confused when I hear that abstract data is "just simply" "committed!?" to other abstract data. I'm definitely not one of the math guys here, but I miss definitions quite often...
20:13  * BlueMatt ponders where to get funding from
20:13 < petertodd> BlueMatt: I'd offer to share a room except I already cheaped out on a single :P
20:13 < BlueMatt> damn
20:13 < BlueMatt> maybe adam3us would
20:13 < arbart> petertodd: Just wondering if that would limit the usefulness to the community much, not sure how people feel on that. I certainly don't like it due to oracle at least.
20:14 < petertodd> BlueMatt: what'd airfare be for you? you can get the student rates for the conf itself right?
20:14 < BlueMatt> yea, I could get student rates I'd think
20:14 < petertodd> arbart: like I said, a javascript implementation is probably most useful because it can go on a website to show people
20:15 < petertodd> arbart: beyond that, python is probably best, although python btc libs suck
20:15 < arbart> what js lib would you recommend, when I searched it looked the only one wanted node. Are there any that will run in a browser and do what I need?
20:16 < petertodd> BlueMatt: well work out the total cost, decent chance someone could make it happen
20:16 < arbart> jtimon: thanks for that btw, helps me understand my lack of understanding :)
20:16 < petertodd> arbart: I assume whatever kyle drake is using for coinpunk would work?
20:17 < petertodd> jtimon: correct, we need a -wizards glossary
20:17 < jtimon> python libs https://github.com/monetizeio/python-bitcoin didn't get my hands on it yet, but it's maaku's fork from jgarzik, maybe too focused on committed utxo's
20:18 < BlueMatt> petertodd: now...where to get $2k
20:18 < jtimon> petertodd a glossary would be definitely a good thing
20:18 < petertodd> jtimon: I prefer my 'pythonize' branch at https://github.com/petertodd/python-bitcoinlib myself, but I am a little biased...
20:18 < petertodd> jtimon: yup, and spellcheck in my irc client...
20:18 < petertodd> BlueMatt: that's what it is for you?
20:19 < arbart> petertodd: Awesome, thanks for the pointer to coinpunk.
20:19 < BlueMatt> petertodd: well, incl the hotel +/- sharing a room...the flight is ~700
20:19 < petertodd> arbart: kyle seems pretty competent, so whatever he uses is probably good :P
20:19 < BlueMatt> oh, sorry, +500 for the conf...dur
20:19 < petertodd> BlueMatt: I managed my hotel for like ~$200, but I really cheaped out
20:20 < Luke-Jr> I wish I could cheap out in miami :/
20:20 < jtimon> well, when I don't understand you it's more often because you use foreign terms like I live in your head than because you misspell
20:20 < petertodd> BlueMatt: of course, if you get desperate, ask, and we can swap bookings :)
20:20 < Luke-Jr> I'll be lucky to get hotel alone for under $1000
20:20 < BlueMatt> petertodd: heh, well I suppose I could look harder at finding a real hotel instead of the conf one.....
20:20 < petertodd> BlueMatt: oh, the conf one is insane, IIRC mine was $40 a night
20:20 < BlueMatt> yea, thought so
20:21 < petertodd> single room, shared kitchen/bath - kinda a hostel
20:21 < petertodd> problem is they seem to be booking out :(
20:21 < BlueMatt> petertodd: yea, I had it on my calendar to figure it out by I forgot until today
20:21 < jgarzik> BlueMatt, RE fin crypto, trying to get core devs there
20:21 < jgarzik> Barbados, March 3-7, IIRC
20:21 < BlueMatt> yep
20:21 < arbart> While I'm a math guy, so I really should learn python, however, one idea I have would actually need javascript in browser able to generate transactions, so I guess coinpunk it is :)
20:22 < petertodd> jgarzik: you're gonna make this conf go from academia to bitcoin-central :P
20:22 < jgarzik> hey, I didn't start it
20:22 < petertodd> arbart: python is the one true language :) but yeah, in-browser is great for demos for people
20:23 < petertodd> jgarzik: of course, the actual bitcoin part is like one day out of seven
20:23 < BlueMatt> the foundation is a big sponsor...
20:23 < jgarzik> indeed
20:23  * jgarzik would probably only come in for the bitcoin part
20:23 < jgarzik> too many confs.  if you go to them all, there's no time for real work.
20:24 < petertodd> BlueMatt: dunno I'd say "big" - they're sponsoring a one-day workshop, dunno what that means in terms of the whole thing
20:24 < Luke-Jr> jgarzik: no kidding, it's getting to the point where it's almost once every week it seems
20:24 < BlueMatt> petertodd: well...they have the largest logo, so that means they have no sponsors, really
20:25 < petertodd> BlueMatt: oh yeah? lol, the location is a bit suspect
20:25 < jtimon> another foundation, small sponsor, but funds free software more than PR, get listed can't lose anything http://foundation.freicoin.org/#/donations, sorry for the spam...
20:25 < Luke-Jr> jtimon: huh?
20:27 < jtimon> Luke-Jr was continuing this "the foundation is a big sponsor..." but yeah, sorry for the offtopic (if you're developing complementary currency-related free software [I think you are] then you should definitely get listed there to get 10% matched donations)
20:29 < petertodd> BlueMatt: you should prove your worthiness by writing up a quick app to do a SIGHASH_ANYONECANPAY fund for you to go :)
20:30 < Luke-Jr> petertodd: that also requires the donors to be "worthy" :P
20:30 < shesek> arbart, look into bitcoinjs-lib, vbuterin's fork is the most maintained one
20:30 < petertodd> Luke-Jr: the better the app is, the less worthy the donors need to be!
20:30 < shesek> and it works well in the browser with browserify
20:30 < Luke-Jr> petertodd: oh app :D
07:44 < petertodd> adam3us: yeah, something with just hashes is probably best - easier to be sure you have an efficient implementation
07:44 < adam3us> petertodd: so c= E_k( msg ), e = E_b( k )  publish c, e, bits b[32-255] and bits b[192-255]=0
07:45 < adam3us> petertodd: now you have to brute force decrypt e to find k by finding the missing 32-bit of b, when you find it it's obvious it's the right key
07:45 < adam3us> because it's much harder to find a collision in the 64-bits of b set to 0 (adjust to 80 or 128 even)
07:46 < petertodd> adam3us: yeah, but starting from random data I still can't prove I did that procedure honestly and came up with nothing
07:46 < adam3us> and so that allows fast verification, and then people can decrypt c and see what the msg looks like, even if its garbage they're pretty sure its the right key and proves work
07:47 < petertodd> oh I see, you're saying that there's only going to be one solution in the space... bit risky there
07:47 < petertodd> you don't want it to be possible at all for people to create false proofs or consensus will break down
07:47 < adam3us> petertodd: well it would be almost impossible to find b!=b' such that D_b(c)=mod 2^192==0 and D_b'(c) mod 2^192==0
07:48 < adam3us> petertodd: if its bits 128-255=0 there is no way they're going to be able to collide that.
07:50 < petertodd> adam3us: but that's not very adjustable re: difficulty - I either make it basically impossible to ever find that distinguished key in the space, or I make it possible to find one such key, and therefore possible to find a second
07:51 < adam3us> petertodd: well the bruteforce space is from the deleted bits 0-31 so that can be tuned
07:52 < adam3us> petertodd: and the strength of the assurance that they didn't cheat and make two solutions is separately tunable as the trailing 0 bits (80 or 128 of those)
07:52 < adam3us> petertodd: so you can choose those strengths independently
07:53 < petertodd> adam3us: ok, but this is the issue: from random data you won't be able to find a distinguished solution at all, therefore have no way of proving you did the work
07:54 < adam3us> petertodd: well it is true that its a known solution proof of work... the person who did the encryption knows the solution so has a work advantage
07:55 < adam3us> petertodd: if someone sends random junk there is very likely no solution yes.
07:55 < petertodd> adam3us: but that's not the point! the point is to prove the case where no-one did any encryption and no solution exists
07:55 < petertodd> adam3us: what you're doing has a zillion easy ways to do it - it's not the hard part
07:55 < adam3us> petertodd: got it you want to prove this actually is random junk
07:55 < petertodd> adam3us: yes!
07:55 < petertodd> adam3us: I need to honestly prove that, so other people don't have to re-do that work!
07:56 < adam3us> petertodd: yeah i was never able to find a symmetric encryption PoW with no trapdoor that was efficiently verifiable... i tried back in 1997
ight, I'm assuming this needs moon-math
07:57 < adam3us> petertodd: and symmetric encryption search space was interesting because it has a maximum work.. ie we know it takes no more than 2^n work so you can not get more unlucky than that
07:57 < petertodd> well it's not about luck in this case: the work required is well-defined
07:58 < adam3us> petertodd: i left it as an open problem for research in the conclusion section in the amortizable hashcash paper
07:58 < adam3us> petertodd: different use case.  but if we had that building block i think it could've been a solution
07:59 < petertodd> anyway bbl
08:01 < adam3us> petertodd: maybe u can get closer to it by defining a verifiable problem instance defined by the ciphertext.  so like coelho merkle hash using the ciphertext as a deterministic seed.  then the fiat shamir gives you possibility to only spot check the work.  still fairly expensive though
08:08 < adam3us> petertodd: you can probably do it reasonably efficiently with the asymmetric PoWs like dwork & naor's eg use the ciphertext as a seed to define a big num, compute the squareroot of it mod p a large fixed prime.  now people can verify the root PoW by squaring, and then try to say hash the number and use it a sym key to decrypt.  there is only one solution. it reasonably efficiently verifiable.  p has to be quite big to create much work  they
08:11 < adam3us> petertodd: the down side of their approach is the asymmetry of work to verification is less extreme than with hashcash.  bigger work tends to require somewhat bigger verification cost.  you are basically using a signature algorithm with weak parameters and breaking them in their other scheme so that maybe is a bit faster verification for reasonable work than square root
08:14 < adam3us> petertodd: unfortunately their non square root scheme has a setup time trapdoor like zerocoin (n=pq with p&q must be deleted and forgotten).  its the fiat shamir signature scheme (that introduced the fiat-shamir transform.)
11:01 < amiller> i was pretty interested to see this RSA UFO paper mentioned in zerocoin http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.4015&rep=rep1&type=pdf
11:01 < amiller> you get a sort-of RSA without any setup trapdoor
11:02 < amiller> would be really thrilling to get this for snarks somehow...
12:23 < maaku> 1A9Px42draCmgcYLC3xcsVZVmQV8YuGxuD
12:23 < maaku> sorry wrong channel
13:09 < adam3us> amiller: yeah but its huge eh 40kbit key or something?  i was thinking you maybe able to shave some bits on it with a big online factorizing effort to see if you can find any feasible ones like any < 512-bit factors with some effort.  its a composite n=p1*..*pk for variable sized and unknown p, with  a statistical argument that at least two of them should be > 512-bit (or whatever the security margin is)
16:21 < petertodd> sigh, I'm going to miss playing the exciting game "Is that dewer full of liquid helium, or liquid oxygen?"
16:21 < petertodd> maybe I can convince mastercoin to fund some QC miner research?
16:22 < petertodd> I technically it'd be ASIC hard...
16:22 < petertodd> *I guess
16:24 < michagogo|cloud> petertodd: Do you mean Dewar?
16:24 < petertodd> michagogo|cloud: lol, yeah
16:25 < sipa> to dewar, that means to make peace?
16:25 < petertodd> sipa: I think you should stick to your day job... :p
16:25  * maaku groans
16:26 < petertodd> Trying to wrap things up at work... First time I've had to do that with non-trivial projects, and it's not proving to be very easy.
16:30 < michagogo|cloud> sipa: ...
16:31 < michagogo|cloud> I'm assuming that was a joke, but if not, http://en.wikipedia.org/wiki/Cryogenic_storage_dewar
16:32 < sipa> yeah, it was a joke :)
16:33 < petertodd> For the peanut gallery full of investors, the dewar I'm talking about is related to the quantum stuff I do for the mining company I was working at.
16:33 < petertodd> I suggest you sell all your Bitcoins right now.
16:54 < phantomcircuit> petertodd, why?
16:55 < phantomcircuit> just have to mine the transactions spending my pubkeyhash bitcoins to my lamport sig bitcoins
16:57 < petertodd> phantomcircuit: well actually in theory a QC computer can do a sqrt(bits) (or was it bits/2?) speedup compared to a conventional computer for even hash functions
16:58 < petertodd> phantomcircuit: though I suspect QC computers will never be developed - they're basically infinite precision analog computers and that doesn't sound very physical to me
17:07 < nsh> petertodd, at least one quantum computer exists.
17:07 < nsh> (unfortunately we're inside it)
17:08 < petertodd> heh
17:10 < maaku> QC works just fine for God, I don't see why you've got a problem with it :P
17:10 < helo> i was happy to read about the revelation that our brains/consciousness relies on quantum tricks
17:10 < maaku> helo: very off topic, but I wouldn't put much credence in that
17:10 < helo> yeah :/
17:11 < maaku> helo: mysterious answer for a mysterious question
17:21 < sipa> petertodd: not sure where i read this quote, but it says that QC is essentially trading NP-hard runtime for NP-hard engineering
17:22 < helo> heh nice
17:23 < petertodd> sipa: that's an excellent description - my coworkers echo that sentiment
20:38 < maaku> is there any reason to change the initialization values when performing truncated hashing, as NIST recommends for its
20:38 < maaku> *for its truncated modes?
23:10 < phantomcircuit> petertodd, it's /2
--- Log closed Tue Jan 21 00:00:48 2014
--- Log opened Tue Jan 21 00:00:48 2014
10:10 < jtimon_> fund Jamaican bobsled, such pump. fund dogemarket, to the moon http://maaku.github.io/dogemarket.org/
10:21 < _ingsoc> Hahaha. Nice.
12:02 < petertodd> jtimon_: the amoral marketer in me thinks maaku's use of dogecoin to pump freidmarkets is very shewed
12:03 < jtimon_> can't find shewed...
12:04 < helo> shrewd
12:04  * petertodd hooked on fonics worked for me
12:04 < jtimon_> we have more stuff in mind "Litemarkets: like gold to colored coin's silver"
12:05 < petertodd> jtimon_: I think you need a cheese analogy, because you can find that kind of thing on the moon
12:06 < jtimon_> apparently people didn't understand what free software means and kept complaining about freicoin's demurrage and foundation when talking freimarkets
12:06 < jtimon_> so maybe people get it this way...
12:07 < petertodd> jtimon_: lol, though speaking of, I noticed that doge's issuing scheme is bugged and results in 5% inflation forever (noticed == saw on reddit)
12:07 < petertodd> jtimon_: hilarious that actually matches almost how I think crypto-currencies should work!
12:07 < jtimon_> and if those dogs are funding the jamaican bobsleigh team...
12:07 < petertodd> heh
12:07 < petertodd> I'll have to buy some
12:08 < jtimon_> maybe the perpetual inflation was on purpose, some other alts have it
12:08 < petertodd> well the github discussion seems to indicate it wasn't, but anyway, happy accident
03:40 < gmaxwell> This all sounds a lot like type-2 derivation, but it doesn't have the unzip problem:  having the session private key doesn't help you derive any other session private keys.
03:41 < gmaxwell> (In IBE (identity based encryption) this is all used a bit differently: the master keys are held by a CA, and the session ID is your email address, and now anyone can make a public key for you but you need the CA's help to get your private key)
03:44 < gmaxwell> In fact, if we use this only to encrypt bait, then we can make it more denyable by leaving authentication out of the cryptosystem.
03:45 < gmaxwell> E.g. the includes an encryption of a random value with the least significant 8 bits set to zero.  Incorrect decryptions will sometimes turn up fake matches.
03:49 < adam3us1> gmaxwell: ah nice.  its absolute worst case failure mode is what peter was proposing... bloom bait/prefix
03:49 < gmaxwell> yea, if you break the cryptosystem you just get bloombait.
03:50 < adam3us1> gmaxwell: yes i was thinking also you could send a few dud keys to confuse things, but this is better and could use your like 8 bloom baits, ie one could tune it
03:51 < gmaxwell> downside vs bloombait is that its not indexable.
03:51 < adam3us1> gmaxwell: i mean you could send the node your block priv key and a few random priv keys. but the extras will never match.  by doing bait  we get that ability
03:51 < gmaxwell> yea, I was thinking about that when I got to the encrypted bait construction... the never matching makes it obvious which ones are real.
03:58 < gmaxwell> one interesting thing about the encrypted bait construction is that its attack resistant.
03:59 < gmaxwell> a normal bait can be attacked by some high transaction volume jerks choosing the same bait as you.
04:10 < gmaxwell> downside is that the it has moderately high overhead, I don't see how to get the overhead under two group elements.
04:10 < gmaxwell> but perhaps when I think some more I'll see a way to get it down to one.
04:18 < adam3us1> gmaxwell: yes i think there maybe scope to go further or to non IBE potentially because the requirements are weaker than what it provides.  lets see - having one stepwise clear improvement often helps unlock thinking about the next optimization
05:37 < jtimon> oh dear, http://bitcoin.stackexchange.com/questions/21036/are-namecoins-obsolete-with-the-upcoming-bitcoin-0-9
05:38 < jtimon> how do we explain this?
05:38 < jtimon> why so many people think "bitcoin 0.9, now with arbitrary data"
05:38 < jtimon> ?
06:00 < wumpus> can doesn't mean will, certainly not on such a short timeframe
06:02 < _ingsoc> That's just what you say to keep people happy.
06:03 < _ingsoc> Innovation can end up hurting value because it's change.
06:04 < _ingsoc> So you naturally tend to avoid what you perceive as dramatic change.
06:05 < _ingsoc> If Ethereum could do what Ethereum wants to do by contributing code here, there wouldn't be Ethereum, would there?
06:05 < _ingsoc> As an example.
11:02 < tt_away_> Oh whoa, Gavin is here. :)
11:02 < tt_away_> Welcome
11:36 < adam3us1> can someone explain to me how the batching of an epoch of blocks works in bloom filtering?
11:37 < adam3us1> TD said it works via query for 500 blocks in a batch to reduce network round trips.
11:41 < gmaxwell> I don't know that it matters, in that since all this would need new network messages you could just also send a list of 500 keys along with the 500 blocks.  Though batching makes sense for another reason: since a txn isn't guaranteed to show up in the next block you need to use past keys too, and the matching has O(N*M) complexity.
11:42 < gmaxwell> so using fewer keys, say one for every 72 blocks, may make sense.
11:43 < adam3us1> gmaxwell: i was wondering re the second problem if the sender could identify the block they were thinking of when they derived it.
11:44 < adam3us1> gmaxwell: then they could be indexed by sender block and that bit could be deterministic and O(N) instead
11:46 < adam3us1> gmaxwell: the other thing is (and i started writing a reply to TD on bct) that i am not sure you gain security by using different keys in a batch because its anyway implicit (*) if all the queries are in the same request that they're yours (or candidates if you smear it a bit with your extended bait idea)
11:46 < adam3us1> gmaxwell: (*) the other possibility being to relay queries via a hop encrypted, then queries could be a mix of yours and other peoples
11:47 < gmaxwell> the batching doesn't hurt except in so far as it reduces your minimum connection granularity.
11:49 < adam3us1> gmaxwell: well if i connect from IP-addr#1 and request query of block 1,2,3 with key k1,k2,k3 chances are those tx are all mine, so the node learns those 3 are probably owned by one person across 3 blocks
11:50 < adam3us1> gmaxwell: whereas if i connect from ip-addr#1 and request query of block 1 with k1, then reconnect from ip#2 later, or connect to a diff node and ask for query of block2 with k2, then even if node 1 and 2 collude they dont know if thats one user... (and optional relaying of queries and responses could blur that together)
11:50 < gmaxwell> yes, right but say you make your batch 1000 blocks.  Then for blocks 0-100 you're connected to one node ... and 200-300 another node .. and so on.  If your batch had been smaller you would have leaked less.
11:52 < adam3us1> gmaxwell: smaller batch = less leakage, a tradeoff, but here the query data is presumably much smaller than a bloom filter, so it would be nice to aggregate multiple users queries into a block via relaying (maybe).
11:53 < adam3us1> gmaxwell: "batching doesn't hurt except in so far as it reduces your minimum connection granularity" i think you mean you optionally ramp it up, but by having epoch size 1 key derivation then you can go down to individual if you want later
11:58 < adam3us1> oh i guess another security argument weil pairing is probably stronger than connecting to random internet nodes and delegating query to them re node-capture sybil attack.  (ie the privacy security relies on avoiding node capture)
12:41 < adam3us1> gmaxwell: you know the weil pairing itself is significantly amenable to multiplicative derivation tricks.  you might be able to have each node multiply by its H(IPaddr#) or such querier known guid, or sent over comm channel on other connect time response, and then be able to make different query keys for the same data on different nodes, making it harder to observe redundant checks without needing to use encryption between nodes
12:45 < gmaxwell> adam3us1: related, if the bait scheme were similar to the one I suggested, you could intentionally make your bait searching radius half sized and connect to two severs and give each of them half your radius. so some of your transactions would learn via one, some via another... though they'd have the same query key. Probably not worth the complexity.
12:49 < adam3us1> gmaxwell: yes.  overall seems quite exciting :) we could improve privacy & anon-set for SPV vs bloom, save bandwidth vs bloom query.  Abandoning one-use addresses seems risky because of the reliance on weil-pairing for privacy otherwise that would be a nice simplifying assumption and mesh with hard to shake user comprehension problem (or UX issues that dont show that well).  Damn pity there's so far no way to do it with ECDL
17:28 < comboy> hey guys, I keep thinking about some p2p web of trust + some pagerank alike algorithm, also I keep wondering if it would be possible to be able to get score for somebody (based on my trust weights), without trust weights being public, maybe you have some random association terms, links or papers to throw at me?
17:29 < c0rw1n> random association term : freenet
17:29 < c0rw1n> they have a web-of-trust, no idea how public it is
17:31 < gmaxwell> comboy: I've thought about this sort of things before, and the best I can come up with is multiparty computation.
17:31 < gmaxwell> one problem is that you have information leak attacks if someone can constantly query the system.
17:32 < comboy> c0rw1n: thx, good hint, but it seems just to fight spam and quite simplified compared to what I'm thinking of
17:32 < gmaxwell> E.g. say I want to know if you trust c0rw1n.  Okay, so I make a new sybil account which only trusts you, and then I query the system and find out the sybs trust of c0rw1n.  The result is that I know that either you trust him or at least that there is a transitive relationship.
17:34 < Alanius> comboy: there is some work being done on reputation in pseudonymous networks
17:34 < gmaxwell> with multiparty computation you could have N folks combine in order to answer queries on the transitive trust without disclosing the graph, and if you imposed some cost on queries (e.g. have to pay a fee to the bitcoin network per query) then you could prevent an attacker from constantly querying it to drag out the information. Downsides: multiparty computation isn't practical today, and the participants would need to be online.
17:34 < Alanius> not sure if it's what you're after, but you might want to take a look: http://freehaven.net/doc/cfp02/cfp02.html
17:35 < comboy> gmaxwell: yeah, that is a problem, but maybe you could send queries only to nodes who trust you for example.. I'm not even sure it would help... but if you would be not getting full info with some random noise..
17:35 < gmaxwell> Personally, I think reputation is nearly worthless in anonymous systems. :P
17:36 < nsh> could the graph not exist publicly (or queryably) in some heavily disjoint form that can be recovered using private correspondences (wallet-like identities)
17:36 < nsh> ?
17:36 < comboy> well it is without this kind of system
17:36 < Alanius> pseudonymous != anonymous :)
17:36 < comboy> yeah identities equivalent to addresses in your wallet would also be some idea
17:36 < Alanius> in anonymous systems reputation is indeed worthless
17:37 < comboy> yes
06:00 < gmaxwell> E.g. if your metric is voting with actual people (which we can't use because people aren't provable computationally) an attacker could use their excessive resources to make more people.
06:00 < Mike_B> oh, right
06:00 < gmaxwell> There is no finite resource, including humans, that you could count to decide a consensus which isn't potentially vulnerable to abuse by an overpowering attacker.
06:01 < Mike_B> i guess you could try some kind of reverse turing test of some sort
06:01 < gmaxwell> (though there are some constant factors: not everyone has a cpu, but everyone is already a people. :) so the honest side might have an initial advantage if we really could count people for the consensus)
06:01 < Mike_B> but yeah, if you have a ton of money you can just spend it on technology to beat that and then sybil your way to the top
06:02 < gmaxwell> right. This is why I roll my eyes on most "51% solution" proposals. they mostly either just shift around some constant factors, or replace one weakness with another.
06:03 < gmaxwell> (another .. usually worse one... like some clique of 10 people who can pick whatever state they want; e.g. in the case of solidcoin2.0)
06:03 < UukGoblin> well, they probably just do it to trick people into thinking their scamchain is "better"
06:03 < gmaxwell> or ripple's thing which is ... hard to analyze.
06:04 < gmaxwell> UukGoblin: I'm sure most of the people doing that stuff believe it. Anyone can invent a consensus system which they don't personally think is flawed. And, hey, if I've got one of those signing keys: it's safe for me!
06:04 < Mike_B> maybe i'm more interested in altcoins than the average person just because i find them to be interesting hotbeds for experimentation
06:05 < Mike_B> like something like litecoin i don't find interesting since it doesn't do much
06:05 < Mike_B> but some of these altcoins are pretty creative
06:05 < UukGoblin> I'm only interested in altchains to solve two issues: faster transaction confirmation and solving of the 7-transaction-per-second scalability limit
06:06 < UukGoblin> I have a feeling a solution with OpenTransactions may solve this stuff, but I don't yet know how
06:06 < gmaxwell> well most of them aren't there are a couple which have done some things, most of it is not so interesting.
06:06 < epscy> i would like to see a mining system that is more decentralized
06:06 < Mike_B> i thought primecoin was really interesting
06:06 < epscy> but so far litecoin and ppcoin have yet to convince
06:06 < UukGoblin> hence I'm looking forward to this thing you mentioned, gmaxwell - about OT people hacking something up
06:06 < Mike_B> i've been consumed with the problem of making POW useful, like coming up with a rePOW like there's a reCAPTCHA or something
06:07 < gmaxwell> Mike_B: yea, I don't think thats a useful thing in fact. If the POW has independent value that may lower the marginal cost of attacking.
06:07 < Mike_B> why?
06:07 < Mike_B> how so?
06:08 < gmaxwell> E.g. if 99% of your mining income comes from people buying cancer cures from you, and 1% from getting your block into the unique best chain... then you'll only lose 1% of your income by participating in attacks that put you on forks and lower your chances of getting in the unique best chain.
06:08 < gmaxwell> (and you can replace income with whatever utility-units power your motivation to mine. :) )
06:09 < Mike_B> that's a good point
06:09 < gmaxwell> Beyond that, cryptographic hashes have pretty good POW properties in general. You want the users to be very confident that the creator doesn't know some trapdoor that lets them mine fast for free.
06:09 < gmaxwell> You can potentially get that from other things but its surprisingly hard.
06:09 < Mike_B> that doesn't destroy the notion that POW could be useful though, it just argues against one system whereby computational time is purchased from you, and where that purchase works to double as POW for mining
06:09 < gmaxwell> You also want mining to have no progress... e.g. so being 2x faster than everyone else only gets you 2x more blocks, not all the blocks.
06:10 < Mike_B> but that's the exact system i had in mind, so, yeah, that's a good point.
06:10 < gmaxwell> Mike_B: yea, it's not a fatal argument. but it's a consideration.
06:11 < gmaxwell> I got past worrying that pow is "useless": it's quite useful, it makes bitcoin secure, and if you consider the cost of securing other currencies (which have enormous anti counterfeiting expenses, armored cars, guards, etc) perhaps its not so bad.
06:11 < Mike_B> well, i did think primecoin was fairly interesting in how it solves one piece of that problem. in a very broad philosophical sense, it treats the block it's working on as "found art" in a sense
06:11 < Mike_B> like any cryptocurrency has an enormous amount of data going through it
06:11 < gmaxwell> Though my alt idea list does have one not well fleshed out useful-pow that I'm kinda fond of.
06:11 < Mike_B> so primecoin is like, "check every single block to see if it divides the start of a cunningham chain"
06:11 < Mike_B> (or hash the block first or whatever it does, i don't remember the details but you get the gist)
06:12 < gmaxwell> ... which is the ticking of timelock encryption. ... which I'm fond of mostly because I don't think there is any other socially viable way to actually have functional trustless timelock encryption.
06:12 < gmaxwell> (Timelock encryption is encrypt data so that it can't be decrypted until ~xx years from now)
06:13 < Mike_B> hm, interesting
06:14 < Mike_B> well i don't think pow is "useless" in that sense
06:14 < gmaxwell> https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas incidentally, if your head isn't yet full enough. Though I admit its not very readable, has a lot of in-group lingo, I mostly made it as personal notes so I'd stop forgetting ideas.
06:14 < Mike_B> i know there's a lot of political tumult over whether hashcash is "useful"
06:14 < BlueMatt> ok smart people, if one has a lgn algorithm that only works on chunks of size power-of-two, and has arbitrary input, how does one go about efficiently breaking said input up into power-of-two chunks and running?
06:14 < Mike_B> i'm just talking from an engineering standpoint
06:15 < UukGoblin> can you use bitcoin for timelock encryption? :-O
06:15 < BlueMatt> UukGoblin: no?
06:15 < gmaxwell> UukGoblin: look at the altideas page.  not bitcoin as it is today, but I think it's possible with an alternative pow.
06:15 < UukGoblin> ah.
06:15 < Mike_B> gmaxwell: i read that page before but didn't understand some of the terms, i'll have to keep checking it as i get filled in on more of this lingo :)
06:16 < gmaxwell> UukGoblin: the idea is basically that you make the pow into "take chunks of pi as an ecc public key, and try to crack it"
06:16 < gmaxwell> UukGoblin: everyone knows pi in advance and thus can encrypt to it.
06:16 < gmaxwell> UukGoblin: and you encrypt your message with all the pi problems between now and when you want it opened.
06:16 < BlueMatt> gmaxwell: heh, literally turn bitcoin into one giant decryption cluster
06:17 < Mike_B> gmaxwell: thinking more about it, doesn't your objection about "useful pow" mining also apply to bitcoin once the block reward goes to 0?
06:17 < gmaxwell> all kinds of problems making it practical.
06:17 < UukGoblin> gmaxwell, ah... but you still don't really know the speed with which the things will get cracked
06:17 < Mike_B> then 0% of income comes from mining (other than tx fees)
06:17  * BlueMatt puts "make april-fools-altcoin which decrypts arbitrary constant data as its pow" on his calendar for march
06:17 < gmaxwell> Mike_B: no, transaction fees. though bitcoin is toast, at least as it is currently designed, if there is no income for miners.
06:18 < gmaxwell> Mike_B: it works for txfees. You only get the txfees if your block successfully makes it into the longest chain.
06:18 < Mike_B> gmaxwell: why, just because miners will run away?
06:18 < gmaxwell> Mike_B: not just run away, but the difficulty will drop, and so it may become viable to buy up a lot of computing and overpower the network for short times to reverse transactions.
06:19 < gmaxwell> (I also propose on the alt coin page a tweak so that fees can only be collected if you are mining a chain the transaction author likes, so some successful reorg attacker can't get all the fees still)
06:19 < gmaxwell> (that's one I think we could perhaps someday do in bitcoin)
06:20 < Mike_B> gmaxwell: you could also have it so total coins asymptotically reaches something but never gets there
06:20  * BlueMatt wonders what would happen if all of #bitcoin-wizards were taken from their current dayjobs and hired to write an altcoin
06:21 < Mike_B> so a) there's always a block reward, and b) still a finite supply
06:21 < gmaxwell> BlueMatt: figuring out how to make an efficient discrete log solver progress free is one of the problems with that idea as I stated it. But the "Learning with errors" cryptosystem being used for fully homomorphic encryption looks like it might be more agreeable... haven't thought about it too deeply though.
06:21 < gmaxwell> Mike_B: that's how bitcoin is already designed! except we eventually run out of precision!
06:22 < Mike_B> oh oh oh, that's why the block reward goes to zero? just because of precision?
06:22 < gmaxwell> Mike_B: it's a geometric series with the limit after infinite time of 21 million, but the values are integers with 1e-8 being the smallest amount.
06:22 < gmaxwell> yea.
06:22 < Mike_B> oh, derp
06:22  * Mike_B pats self on back while saying derp three times
06:22 < gmaxwell> yea, hah, well you're not doing so bad when you're guessing how it already works.
06:23 < BlueMatt> gmaxwell: yes, that problem sounds exactly like something homomorphic encryption would be ideal for
06:23 < Mike_B> you could just have the precision automatically increase as the block reward decreases
15:42 < maaku> mempool gossiping and partial proof-of-work to "pre-validate" transactions of a large block
15:43 < maaku> these can lead to very low propagation times for large, intermittent blocks
15:44 < avivz78> you'll need to explain those :-)
15:45 < avivz78> batch validation for example, how do you get a speedup?
15:47 < maaku> well this is more software engineering, but there's ECDSA batch verification engines that are able to process signatures faster in a large group
15:48 < maaku> i assume batch-validation of entire blocks would be easier to do than multiple blocks at once  (given that these are presumably handled by separate threads, etc.)
15:49 < maaku> mempool gossiping and partial proof-of-work is allowing miners to send blocks which almost meet the threshold
15:50 < maaku> other nodes then fetch and pre-validate the transactions in these partial proof of works so as to reduce the amount of work that needs to be done when a block is actually found (presumably by one of the miners that found a partial pow)
15:50 < maaku> validating the actual proof of work then just becomes a matter of fetching the transaction list, filtering out those already validated, and handling the remaining few
15:54 < avivz78> can't you pre-validate transactions upon reception even if they're not in blocks?
15:55 < maaku> if you have them
15:56 < maaku> the partial proof of work provides a DoS-free way of guessing which ones will make it into the next block (including which ones you need to query the network for because you don't have)
15:57 < avivz78> I thought the fees took care of DOSing in this case. Am I missing something?
16:04 < maaku> fees are collected by miners not nodes
16:05 < avivz78> true, but they are anti-spam because the spammer would lose the fee if a miner includes the transaction
16:11 < maaku> avivz78: i think the work you all have done is very valuable
16:11 < zooko> Okay folks, I was stupefied by gmaxwell's and amiller's assertion that a "dual-use" proof-of-expense, with some beneficial side-effect, might cause instability, or facilitate attacks, etc.
16:11 < zooko> So I've been pondering it. I'm not sure I buy the argument yet.
16:11 < maaku> but what it will do is allow bitcoin to scale to larger block sizes, not smaller interblock times
16:11 < zooko> But I mentioned it to my friend Kiln Ham, and he said "What if the beneficial side-effect were a public good that couldn't be used to remunerate the miner individually."
16:12 < maaku> zooko: do you understand the argument that a merged-mined altcoin can be attacked by bitcoin pools?
16:12 < zooko> I thought that was pretty brilliant, so I decided to throw it out there even though I haven't really grokked the original argument.
16:13  * zooko thinks about maaku's question.
16:14 < avivz78> maaku:  thanks!
16:16 < avivz78> I should say that we gained a lot from reading Meni Rosenfeld's work on the security analysis
16:18 < maaku> zooko: it's the same argument, just with bitcoin placed in the position of a low-value altcoin
16:18 < maaku> and to your friend, i'd say please give an example
16:19 < maaku> (and if it really does provide value, I'd be willing to bet that enterprising miners would find a way to profit from it)
16:22 < avivz78> Well, time to go get some sleep
16:22 < avivz78> thanks for the fruitful discussion
16:22 < avivz78> I've learned a lot!
16:23 < zooko> maaku: yes, that's an interesting question about if a public good can be made excludable.
16:23 < gmaxwell> zooko: 13:27 < gmaxwell> jtimon: the standard litany, most of those are not sufficiently cheap to verify (e.g. hurts spv nodes, zero knowledge proofs of tx data, and initial syncup),  they tend to be inadequately proven to be trapdoor free, high hardware implementation complexity (so may lead to asic monopolies)... if the work is not work you could get paid for, then at least it should be free of some of the incentive concerns.
16:23 < zooko> Normally I'm wishing to figure out ways to make a public good excludable, but for this I would like to know a way to make it impossible to make it excludable.
16:23 < gmaxwell> yes, if it's work you can't get paid for then it probably eliminates that particular concern.
16:23 < zooko> gmaxwell: yes, that quote from you is what I meant about you have already stupefied me.
16:24 < gmaxwell> zooko: did you see my timelock encryption ticking meta idea?
16:24 < zooko> gmaxwell: I did not! Do tell!
16:24 < gmaxwell> zooko: https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas  search for "tick"
16:25 < andytoshi> zooko: the premise is that the POW involves finding private keys...so you encrypt something with a public key, knowing that the network will crack it at some point in the future
16:25 < maaku> gmaxwell: how do you prevent someone from just skipping ahead in the sequence and decrypting what they're interested in?
16:25 < gmaxwell> Discrete log isn't so great though, you really need an asymmetric encryption scheme with no solution path better than the exponential search. It would need a lot of details to be worked out.
16:25 < _ingsoc> I really wish we could get someone who's interested in implementing some of those ideas.
16:25 < _ingsoc> How hard can it be?
16:25 < gmaxwell> maaku: you encrypt with all future solutions.
16:25 < maaku> hrm i see
16:25 < andytoshi> _ingsoc: very hard, you need to understand the math and also the engineering stuff, and you have to be a good programmer, and you need to have the time
16:25 < zooko> gmaxwell: neat!
16:26 < gmaxwell> maaku: I don't claim that the engineering works out neatly. What struck me about the idea is that it enables a public good, which you can't get paid for, and yet we have no other way to provide that public good.
16:26 < andytoshi> and then you have to deal with #bitcoin-wizards ripping your stuff apart
16:26 < _ingsoc> andytoshi: How many people realistically are around competent enough to do it? Assuming money can be arranged for it.
16:26 < maaku> _ingsoc: i see 61 users in this channel
16:26 < gmaxwell> maaku: this was yet another idea I've had while in the middle of lecturing someone that it wasn't possible. :P
16:26 < zooko> _ingsoc: where are you going to get the money?
16:26 < andytoshi> there are probably a dozen or three people on here who are competent enough
16:26 < zooko> gmaxwell: Haha!
16:26 < andytoshi> they are all very busy
16:27 < gmaxwell> zooko: step 1. Start altcoin  step 2. ???  step 3. Profit!
16:27 < gmaxwell> :P
16:27 < _ingsoc> zooko: Tons of people want to see this stuff. It's easy to get it funded.
16:28 < zooko> _ingsoc: somewhat self-referentially, I think implementing a lot of this would be a public good...
16:28 < zooko> gmaxwell: yes, exactly!
16:28 < _ingsoc> Make X amount of coins available for people who are brave enough to fund it ("early adopters"). Whatever is traded for X goes to the developer(s).
16:28 < _ingsoc> Pretty simple really.
16:29 < _ingsoc> Set your boundary so that you have enough for a development fund.
16:29 < gmaxwell> This has long been one of the linchpins of cryptoanarchism: a lot of neat ideas depend on decentralized trustless infrastructure which would be inherently a public good, and by virtue of being decentralized and trustless, impossible to collect rents on, which is the primary way that businesses monetize infrastructure.
16:30 < gmaxwell> the coin pump model has a lot of problems, in part because it's hard to judge competence, so you see things like huge money flowing into coins which have developer signed blocks (feathercoin, ppcoin) and little to no technical innovation (feathercoin, for example but many others too).
16:31 < _ingsoc> gmaxwell: That's why I propose using the model for actual innovations. If you limit the amount of contribution per person, you get a little closer to making it fairer.
16:32 < _ingsoc> Ofc people will game it. Hell, people are gaming Bitcoin as we speak.
16:32 < _ingsoc> If at the end of the day everyone understands the risks and you end up with better tech, that's progress in my eyes.
16:32 < gmaxwell> the other problem you have is that if you do anything innovative in this space alternative coins will just copy it instantly. We even had a bit of problems with that in bitcoin-qt with altcoins being forumed out of draft features.
16:32 < zooko> gmaxwell: if you hit upon a hack to bypass that problem, please let me know.
16:33 < zooko> "that problem": the public good of a decentralized tech
16:33 < _ingsoc> gmaxwell: There's always the option to open source it after a while of maturation.
16:33 < amiller> ah cool aviv came here :)
16:34 < _ingsoc> gmaxwell: But if someone copies an open source coin, that's not bad in my opinion. It's unlikely anyone is disadvantaged by that.
16:34 < gmaxwell> _ingsoc: sure they are, because then they get outmarketed by someone else who has thrown off the "unfair" premine baseload your funding model depended on.
16:35 < gmaxwell> why would I want coinX which had 10k coins premined for its creators when I can have coinY which is the same thing but without the premine?
16:35 < andytoshi> amiller: yeah, he was really cool
16:35 < _ingsoc> How long do you think that'll be sustainable for? Everyone will realise it's the contributors who made the coin happen in the first place.
16:36 < andytoshi> _ingsoc: bitcoin had some really good ideas, and it apparently has no inventor
16:36 < amiller> i am *so* happy that this thread is going on, this is how i was hoping academia and bitcoin devs would interact, and of course the eyal/sirer paper did not go that way
16:36 < andytoshi> so, the ideas hold up on their own
16:37 < zooko> What nym does aviv use for academic publications?
16:37 < amiller> Aviv Zohar?
16:37 < _ingsoc> gmaxwell: Satoshi pretty much premined Bitcoin to high heaven and nobody cared.
16:37 < andytoshi> amiller: aviv said, he was happy to find an audience with so much passion, this does not happen to most papers :P
03:36 < adam3us> maaku: i do not know - the last time i asked about this people told me GBT is the answer, and then after a bit they said however few are using it; if there is a reversal of that situ it's good
03:37 < adam3us> why can't the same be done with leased equipment or user owned but datacenter hosted - user provides coinbase for mining
03:37 < adam3us> maaku: i think getwork is a confused design, the client miner can choose the work - that's the point of hashcash - it's fully decentralized
03:38 < maaku> adam3us: that's how getwork was meant to be used
03:38 < maaku> satoshi did not foresee mining pools
03:39 < maaku> pools just adopted the same interface as the distributed client (getwork)
03:39 < adam3us> maaku: as i understand it getwork is a mechanism for a miner to ask a pool for a section of work, which is a misthink - no one needs to ask a pool for anything other than the pool's current preferred reward address
03:40 < warren> adam3us: does it help at all that my key is here?  https://github.com/bitcoin/bitcoin/blob/master/contrib/gitian-downloader/wtogami-key.pgp
03:40 < adam3us> maaku: the search space is not scarce and does not need to be manually divided up; the client should pick a random starting point
03:40 < wumpus> getwork is confused design, but I thought no one was using it anymore?
03:40 < maaku> adam3us: getwork predates pools
03:41 < wumpus> there have been plans to deprecate it
03:41 < maaku> getwork predates the idea of pools
03:41 < maaku> how does your mining program ask for a block from your locally running full-node bitcoind instance?
03:41 < maaku> getwork was the answer to that
03:41 < adam3us> maaku: what proportion of mining is happening using getwork do we think?
03:41 < maaku> ~zero
03:41 < wumpus> getblocktemplate
03:42 < maaku> at 4GH/s you are making 1 getwork call per second
03:43 < maaku> most of the hash power of the network is in asics orders of magnitude larger than that
03:43 < maaku> meaning 10's, 100's, 1000's of network calls to getwork
03:43 < maaku> doesn't scale
03:43 < adam3us> maaku: that seems silly and an invitation for network induced miner dead time - you need only to make 1 request per successful pool win (if the pool changes its reward address)
03:44 < adam3us> maaku: ok you are saying stall due to asic has pushed people off getwork, which is a good side-effect
03:44 < maaku> adam3us: yes
03:44 < adam3us> maaku: now what about proportion of pooled miners that are building their own blocks?
03:44 < maaku> as soon as asics hit the market, getwork died and getblocktemplate/stratum replaced it
03:45 < maaku> adam3us: 1%
03:45 < maaku> the p2pool miners
03:46 < adam3us> maaku: you think none of the miners are running full nodes, or if they are the full node is not used to construct the block to put in the coinbase?
03:46 < adam3us> maaku: (none of the pooled miners)
03:46 < maaku> adam3us: none of the pools that I am aware of let you construct your own blocks
03:46 < warren> adam3us: very few of the miners run a full node, maybe some do part time when they do wallet tx
03:46 < maaku> maybe Luke-Jr's does, I wouldn't be surprised
03:47 < maaku> the pool gets control over what goes in their blocks - that's part of the agreement
03:47 < maaku> if you want to construct your own blocks, that's what p2pool is for
03:47 < adam3us> warren: (pgp key) a bit maybe - is that some strongly controlled position of the bitcoin github?  (my main point was a gentle reminder - put your full fp on the card:)
03:48 < adam3us> maaku: well people tell me p2pool has scaling issues at present
03:48 < warren> adam3us: recent mining clients have the ability to do local block submission, it helps in block propagation (helps against orphans) and possible fallback to solo mining if the pool is down.  Not sure if any pool supports this yet.
03:49 < adam3us> maaku: and people complain about the centralization risks of pooled mining, where it's not that expensive to maintain your own full node and construct your own block
03:49 < adam3us> maaku: why would the pool care or have a legitimate need to consider what's in the block? that sounds like a dangerous contract
03:49 < warren> adam3us: p2pool's scaling issues are partly psychological, partly dust, partly because it is a single thread.  It isn't THAT bad.  I invested a good deal of money into improving it further since I don't have time to code on it now.  https://bitcointalk.org/index.php?topic=329860.0
03:50 < adam3us> warren: yes i remember that thread
03:50 < warren> adam3us: there's considerable disadvantage to block propagation and losses to orphans for the average home solo miner.
03:51 < adam3us> anyway for whatever reason p2pool is 1% so de facto pools are controlling blocks which is bad
03:51 < warren> I agree.
03:52 < warren> p2pool even has a good solution against orphans with the tx pre-forwarding.
03:52 < adam3us> warren: wouldn't it be possible for the solo to tell the pool what the winning block serialization is, compactly
03:52 < adam3us> p2pool has no fee also
03:52 < warren> adam3us: sure, just few if any pools are doing it that way now, I think.
03:53 < warren> adam3us: the vast majority of pools are run by people who copied code from github and don't understand it.  They get exploited all the time and lose money.
03:53 < adam3us> warren: are there code/apis existing that even support a pooled miner uploading the winning block to the pool (in raw or compressed eg ref to txs + raw missing tx)?
03:54 < adam3us> warren: yeah we need an economy of clues factor (or a dis-economy of scale)
03:56 < adam3us> was talking to justus at the conf, he suggested maybe a not-very-decentralized kind of 'candidate block' and then users can encode an actual block compactly as a patch/diff to that
03:56 < warren> adam3us: looked at how p2pool does it? It's already very good there.
03:57 < warren> it only works for immediate peers
03:57 < adam3us> warren: no i don't know p2pool low level details
03:58 < gmaxwell> So, turning back to my computer for a minute to fill in some details here.
03:58 < gmaxwell> Getwork is mostly not used anymore for the reasons maaku named.
03:58 < adam3us> i just would like to see a way to reduce the centralization even if it's something stupid like advertising p2pool if it can take the load (like why would someone pay 5% to big pool whose operator is doing stupid stuff)
03:59 < gmaxwell> The vast majority of miners use this protocol "stratum" that slush created which is somewhat poorly documented. It gives miners a coinbase transaction and a hashtree path to it. The miners can't see or control the transactions (though there are some not widely supported extensions to show them the transactions)
04:00 < gmaxwell> A few pools support using getblocktemplate directly. (Basically just ones running the pool server software luke wrote)
04:01 < gmaxwell> Though because it doesn't hide transaction data from the hashers it takes more bandwidth.
04:01 < adam3us> gmaxwell: what's the difference or benefit gbt offers over stratum?  it gets them to download the block?
04:02 < gmaxwell> If you're using GBT with bfgminer (luke's miner software) it can do useful stuff like local submission.  The miner software also does some sanity checking of the work, but right now the most material check is just self-consistency, e.g. the hasher can detect (and will refuse to participate) if a pool directs them to fork back a chain they worked on previously.
04:03 < gmaxwell> GBT also allows malleability of the block, with the pool signaling what kinds of modifications the hasher is allowed to make.
04:03 < adam3us> as it stands would most of the network hashrate blindly vote that 1+2=100?  (create fake tx out value fooling spv clients) if a dozen hosts / routers on the internet were hacked
04:03 < gmaxwell> Though even that limited level of sanitization (and mutation) is only done by bfgminer, which is the somewhat less popular miner software.
04:03 < adam3us> gmaxwell: fork reject is good
04:04 < gmaxwell> adam3us: yes, practically all the hash power would let the pool produce a billion bitcoin subsidy, I think. Though anything gbt mining gets enough data to do more.
04:04 < adam3us> gmaxwell: does gbt check values? or i mean does it receive enough info to check values?
04:05 < gmaxwell> A thing luke, myself, and peter todd were talking about a while back was getting software support for "coinbase only pooling", where you do a GBT request to a pool to get a permitted coinbase transaction, then get the rest of the block from a local (or just different) source.
04:05 < maaku> adam3us: i don't know what you mean by check values, but gbt provides enough information to fully reconstruct the block
04:06 < maaku> well, assuming you can fetch/find the relevant transactions
04:06 < gmaxwell> adam3us: it gets enough information to do stateless checks. Though without a trusted bitcoin there isn't enough data to check that much. BFGminer does a couple stateless checks. CGminer does no checks at all.  BFG can also do local submission, e.g. when it finds a block it can send it to a local daemon as well as the pool (or to multiple pools for that matter)
04:06 < gmaxwell> maaku: gbt sends the transactions.
04:06 < maaku> oh i thought it was just the tx hashes
04:06 < adam3us> maaku: i mean mining validates two things: non-double spend and that inputs add to outputs (i am not sure even spv nodes would accept a > 25 coin reward??)
04:07  * maaku goes to read the bip
04:07 < gmaxwell> Nope.
04:07 < gmaxwell> adam3us: they absolutely will accept a >25 coin reward, because the generated coins include _fees_ which are not statelessly verifiable.
04:07 < gmaxwell> As are no-double-spends unless you just mean doublespends within a single block.
04:09 < gmaxwell> (the local submission stuff, if anyone used it would break any pool's attempt to do 'selfish mining' without the hashers being complicit in it)
13:24 < phantomcircuit> the ticket i opened asking apple to clarify msync MS_SYNC behavior has been tagged Rank:No Value
13:24 < phantomcircuit> so i'm just going to assume that msync w/ MS_SYNC does the stupidest thing possible
13:24 < phantomcircuit> which is to flush to the dirty page cache of the filesystem and not to disk
13:25 < phantomcircuit> meaning likely the mmap issues in leveldb could be corrected simply by swapping fdatasync->msync to msync -> fdatasync
13:44 < maaku> andytoshi: which is the problem, as a user of academic research: i'd rather useless citations weren't piled on to boost people's rankings
13:45 < gmaxwell> maaku: piled on to grease reviewers' palms. :)
13:45 < maaku> heh, yeah
13:45 < gmaxwell> "You want me to cite what? ... ugh. fine."
13:47 < andytoshi> maaku: i concur, i think it's going to improve a bit as people tend to read preprints more, rather than published papers
13:47 < andytoshi> and gratuitous citations on preprints don't help anyone
13:47 < andytoshi> so as long as you just ignore all the actual journals... ;)
16:31 < andytoshi> everyone involved in my coinjoin, i'm going to publish it in about 90 minutes (3PM pacific), so if you want to bug me about it, just /msg
16:33 < jgarzik> andytoshi: this seems like #bitcoin-otc material?   bitcoin coin swap meets...
16:33 < andytoshi> hmm, good call
16:33 < andytoshi> it just happened this time that everyone involved (who would identify themselves to me) is a wizard
16:51 < Luke-Jr> andytoshi?
16:52 < Luke-Jr> publish what? :P
16:53 < andytoshi> Luke-Jr: a couple days ago a bunch of us got together on a coinjoin, and i'm just now getting to publishing the combined transaction
16:53 < andytoshi> there were some delays as i had to write tools to do the merger, and people were not always online
16:54 < amiller> oh my, coping with n parties some of which may or may not be online at any given time :3
16:54 < gmaxwell> jgarzik: yea, I'd suggested doing coinjoin tuesdays or whatever. But it sounds like andy might have something better.
16:56 < andytoshi> (i am working on a site which uses my coinjoin merger tool, and flips every N seconds between collecting unsigned transactions and collecting signed ones)
16:56 < Luke-Jr> andytoshi: ah, I thought you meant a paper or program :P
16:57 < andytoshi> nope, nothing so exciting
16:57 < andytoshi> though i do have a program at https://github.com/apoelstra/coinjoin which does the merging
18:24 < nsh> has anyone done an analysis to predict (in some model) when we might be likely to hit the 1mb blocksize limit due to transaction volume?
18:29 < andytoshi> so, the coinjoin transaction has been published, and has drifted past my node at least
18:29 < andytoshi> which believes it is 100% fees
18:32 < andytoshi> ..well, it has all the relevant addresses and the correct 'send' and 'receive' amounts on each, it's just the total that's wrong
18:33 < gmaxwell> andytoshi: actually it believes it has negative fees.
18:33 < gmaxwell> because it has money that came in from nowhere. :)
18:33 < andytoshi> oh :P it's the amount that's displayed as negative.
18:34 < gmaxwell> and yea, what it does for the fees displayed there is braindamaged.
18:34 < andytoshi> ok, and the output of listunspent 0 has all my money listed.. phew
18:34 < andytoshi> i understand how signatures work and it was still scary :)
18:34 < andytoshi> "somehow i lost everyone's money"
18:34 < gmaxwell> andytoshi: it's prudent to be a chicken, but you're still a chicken. :P
18:35 < andytoshi> this is so cool, that basically a bunch of strangers put $35000 into an envelope i held out, saying i'd mail it..
18:37 < gmaxwell> yea, because the envelope was magic and made it impossible (well, if their putting-in was well formed) for you to cheat. Someday all those fairy tales will sound sensible.
18:39  * nsh smiles
18:39 < nsh> fools! it was a moebius envelope...
18:40 < nsh> andytoshi, is your coinjoin thing explained somewhere?
18:40 < andytoshi> well, the bitcointalk thread is at https://bitcointalk.org/index.php?topic=279249.0
18:41 < andytoshi> idk if anyone 'invented' the idea, i figured it out just from the name..
18:42 < andytoshi> to use my tool, the README on https://github.com/apoelstra/coinjoin should be sufficient
18:42 < nsh> ty
18:43 < gmaxwell> Petertodd invented the name at my request. The idea of making private transactions this way has basically been known forever. E.g. I recall some old post of hal's describing a higher level protocol for anonymous loans based basically on coinjoins.
18:43  * nsh nods
18:44 < gmaxwell> I was getting a bit frustrated with people fixating on "zerocoin" as a magical unicorn that was just around the corner(tm) to solve all privacy problems. ... and I decided that part of the problem with people fixating was that the alternatives didn't have _names_.
18:44 < gmaxwell> which sounds kinda weird but I think it's true.
18:44 < gmaxwell> so then armed with a name I wrote up a description and a call to action.
18:44 < nsh> excellent
18:44 < andytoshi> i think it's true, back in 2011 when you had that coinjoining thread with no name, it looked very scary and technical
18:45 < andytoshi> and at the time i didn't look into it at all
18:45 < andytoshi> otoh, this time around i knew how transactions were structured, so maybe i didn't need the name..
18:47 < nsh> names act as conceptual anchors and nucleation points
18:47 < nsh> they can be very effecticious :)
18:48 < andytoshi> yeah, before it was "type some weird commands to get hex codes you are supposed to give to gmaxwell via PM, who totally can't get money out of them, and he'll give you some more hex codes to incant over"
18:48 < nsh> (or efficacious, which is apparently less made-up of a word)
18:48 < andytoshi> and then somehow people smarter than you would no longer be able to watch you so closely :)
18:49 < nsh> i think things where you could illustrate them with a silly simpsons aside cartoon sketch
18:49 < nsh> i picture a load of robed and hooded stone-cutter mason-types all gathering together solemnly in a circle and exchanging things from closed fists while blindfolded
18:50 < nsh> :)
18:50 < gmaxwell> What I observed is that zerocoin is even _more_ technically inaccessible but it had an accessible name and so many people were interested and a few people even learned about some of the details.  I also added the points that they could be done automatically, and that you could potentially use blind signing to even blind the merging party to the mapping, and that you could use sorting networks to boost the anonymity to any size, none ...
18:50 < gmaxwell> ... of which are all that important to the idea.
18:50 < nsh> mmm
18:51 < gmaxwell> https://bitcointalk.org/index.php?topic=5027.msg73733#msg73733
18:53 < nsh> "There needs to be a system of anonymous payments, and a simple trusted machine called the Pot. (In practice, the Pot would be simulated by the participants, using a cryptographic multi-party computation.)"   boy, those parentheses sure make that sound simple...
18:53 < gmaxwell> what gets described there can be accomplished with a coinjoin and an inverse coinjoin coupled with blind signing to prevent DOS of the inverse coinjoin.
18:53 < nsh> hmm
18:54 < nsh> how are legs broken if someone welches?
18:54 < gmaxwell> the output of the coinjoin is not anonymous.
18:54 < gmaxwell> (and thus inputs of the inverse coinjoin are not anonymous)
18:55 < gmaxwell> e.g. it takes random private amounts and makes N uniform public amounts. And then later N uniform public amounts come back (or else!) and random private amounts are dispensed.
18:57  * nsh nods
20:13 < maaku> TD: I think merge avoidance and coinjoin are solving two different (but important) things
20:13 < TD> could be, but can you elaborate?
20:14 < maaku> well, take your coffee shop example. what if alice doesn't want her employer to know how she is spending her salary?
20:15 < maaku> by running a wallet that continuously mixes through coinjoin (until some privacy threshold is achieved), she can mask that information
20:20 < maaku> i think they complement each other nicely
20:30 < TD> do you mean "when" or "how"?
20:30 < TD> because i don't see how the employer could know what she's spending her money on regardless
20:30 < TD> unless she spends to a well known address (solution: don't have well known addresses)
20:31 < TD> i guess they would know what proportion of the salary she had spent
20:33 < andytoshi> my feeling is that hiding from your employer is a special, very difficult case
20:33 < andytoshi> coinjoin alone should thwart data analysts
20:34 < andytoshi> to hide from somebody providing all of your money, you'd need to do an off
20:34 < andytoshi> off-chain mix
20:34 < TD> maaku is referring to an article i wrote that explores some cases where it doesn't
20:34 < TD> https://medium.com/p/7f95a386692f
20:34 < andytoshi> oh, thx
20:37 < TD> maaku: i think i may agree that they complement each other in some cases, for sure. coinjoin type systems give some degree of deniability. however, at significant cost. it would be nice if the same deniability could be obtained without the cost.
20:39 < maaku> TD: the employer knows where he sent payment to
20:40 < maaku> and therefore knows the denominations at the very least of where she sent the coins
20:40 < maaku> and by taint, can deduce who owns the address
20:40 < TD> i don't follow the last part. the employer only sees that alice spent some of her coins.
20:40 < TD> he can't know what she spent them on
20:41 < maaku> yes, but when those coins eventually do get spent by the third party, they link to other outputs, which can be traced backwards
20:41 < TD> traced backwards how? i feel you're assuming something that i'm missing, here
20:42 < TD> employer pays alice. alice pays bob. bob sees $TRANSACTIONS but beyond knowing the last hop (alice) doesn't know more than that
17:37 < gmaxwell> comboy: well, see for example some of the information theoretic PIR stuff that lets you have a database which can be privately queried and which is secret from the servers if some threshold of the servers do not collude. But I don't know how to create the initial database privately except via MPC, and I don't know how to reliably rate limit access. And trusting servers to not collude is pretty lossy.
17:37 < nsh> (reputation only becomes worthless asymptotically as the cost of newnym'ing goes to zero)
17:38 < gmaxwell> Alanius: even in pseudonymous systems. We see lots of cases in bitcoin-otc (one of few examples of a pseudonymous wot system where there is actually something at stake) where scammers farm identities until they are trusted, then rob people blind.
17:38 < nsh> to be fair, that's also a pretty stubborn feature of the non-technological world
17:39 < comboy> I mean as far as my quite dumb crypto mind was thinking it would require some p2p client running, I can't imagine it as just a static db somewhere
17:39 < gmaxwell> I think it's helpful to think about the benefit of 'reputation' systems in terms of "separation" e.g. how powerful are they at separating good participants from bad ones.  And I think a lot of ideas actually turn out to have _negative_ separation: they actually increase the density of bad people because they impose costs and good people just walk away since what they were going to do wasn't that profitable for them, whereas bad ...
17:39 < gmaxwell> ... people don't mind the costs because they're a minor cost of doing business (and because the learning how it works part is amortized against many identities)
17:40 < comboy> gmaxwell: theoretically pagerank + your connections could prevent farming, once somebody goes rogue, ranks of whoever trusted him go down
17:40 < nsh> well, if you consider it as a separation/classification problem then the system has to be negentropic, which means some resource of order must be consumed
17:41 < gmaxwell> comboy: no, it doesn't because obviously your system needs to be welcoming to new people (or it will fail), and so they just simulate new people.
17:41 < Alanius> gmaxwell: that's a fine insight
17:41 < nsh> (external resource)
17:41 < comboy> it could be much more than such kind of separation, because weight could be vectors, this could be coding skills instead of trust, in an instant I know if I want to work on this guy's project or find something else
17:41 < gmaxwell> nsh: except honest participants often trade neutrally e.g. their gains are marginal in competition with others. So any resource costs on honest people are much harder than resource costs on dishonest ones.
17:42 < nsh> mm
17:42 < comboy> gmaxwell: you would have to get trust from somebody in the existing network, it could be partitioned though (but it's quite impossible it would on the large scale), so somebody is risking their trust to accept you
17:43 < gmaxwell> I saw this a long time ago on Wikipedia. Lots of antivandalism measures exclude vandals, sure, but they exclude even more grandmas. ... because grandma is not as eager to contribute as many vandals are. The result is negative separation though the absolute decrease in vandals is more salient.
17:43  * nsh nods
17:44 < gmaxwell> comboy: a while back I tried to float in OTC that we shouldn't be "trusting" each other, we should be insuring each other... that would make it have more meaning.. but I was never able to get traction for that.
17:44 < nsh> that makes sense, but it's got higher overhead and trickier
17:44 < c0rw1n_> oooh what a good idea
17:45 < comboy> yeah, probably insuring is a better term
17:46 < comboy> but I really like to hope it could be done with some crypto magic without revealing your weights... at least not to people above some connection degree level
17:47 < comboy> Alanius: thx for that link, I also need to read more regarding MPC
17:48 < Alanius> I think you could do it with cryptomagic
17:48 < RoboTeddy> could we have a combined proof-of-work proof-of-destruction blockchain? the more coins you prove you destroy in the block you're mining, the lower the required bound for your POW
17:48 < gmaxwell> well I had some success with the insuring thing, in that a couple times when people I knew from elsewhere showed up in otc wanting to trade but I didn't want to trade I publicly offered to personally insure their trade and people rapidly traded with them on good terms too (e.g. not charging them like a risky transaction)
17:49 < gmaxwell> RoboTeddy: probably not, because coins destroyed in a non-successful blockchain are free.
17:49 < Alanius> imagine this: every node has an accumulator; nodes can increase other nodes' accumulators by an amount equal to how much their own was accumulated - which they keep secret in a zero-knowledge fashion
17:49 < nsh> gmaxwell, so could you script a multiparty vouching system using clever transactions?
17:50 < gmaxwell> RoboTeddy: e.g. I can make a fork where I destroy almost all the coins and then it looks very attractive to you, so long as I'm confident it won't be the surviving fork doing this cost me nothing.
17:50 < nsh> (so that the more people vouch for someone before a trade, the lower their share of the insurance is it turns sour)
17:50 < nsh> *if
17:51 < RoboTeddy> gmaxwell: good point, thanks
17:51 < gmaxwell> nsh: well the problem you run into invoking transactions is that most fraud is not trustlessly decidable
17:51 < comboy> Alanius: yes that's the computation part, but this leaking information with checking your score on people depending on whether you trust somebody or not, example that gmaxwell gave at the beginning
17:51 < nsh> right
17:52 < gmaxwell> nsh: e.g. I think most of the cost in insuring another trader isn't the actual insurance, it's the getting pulled into a dispute should one arise.
17:52 < comboy> this insurance thing reminds ripple a bit btw
17:53 < gmaxwell> my personal standard in OTC is that I don't give higher ratings (e.g. greater than +1) unless I'd be willing to help someone collect on a debt that I agreed was real.
17:53 < gmaxwell> but I'm weird.
17:53 < c0rw1n> comboy well the rippling is a great idea
17:53 < nsh> hmm
17:53 < RoboTeddy> if one lengthens their fork significantly by destroying lots of their coins in it, they might not be able to safely assume their fork won't survive -- if it's the longest, people will adopt it
17:54 < gmaxwell> RoboTeddy: yes, but you weaken other security assumptions, e.g. bitcoin is generally pretty robust against short term network isolation attacks, when you can assume that the attacker doesn't have hashpower (or otherwise they'd prefer to just mine honestly)
17:55 < RoboTeddy> gmaxwell: ok, that makes sense, thanks
17:55 < gmaxwell> That kind of idea basically undermines the notion in POW that you're burning a scarce resource so you better darn well burn it on the one true successful consensus.
17:55 < RoboTeddy> gmaxwell: it makes a lot of sense when you think about it from that perspective
17:56 < nsh> hrmm
17:56 < gmaxwell> RoboTeddy: I think you can do things like burn resources in one place and use the evidence of the burn in another, and get something working there. E.g. burn bitcoins to mine teddycoins works so long as your bitcoin burn commits to a single unique teddycoin block.
17:57 < gmaxwell> it just doesn't obviously work internally. e.g. burn teddycoins to mine teddycoins. :)
17:57 < RoboTeddy> interesting; so, you could have a pair of currencies which each burn to prove work on the other
17:58 < RoboTeddy> brb mining genesis block for teddycoins
17:58 < gmaxwell> I think if the relationship was cyclic like that then you could attack them as a group.
17:58 < gmaxwell> e.g. tread it as a single system and attack both.
17:58 < gmaxwell> s/tread/treat/
17:58 < RoboTeddy> also a good point. so you'd need an acyclic DAG
17:59 < RoboTeddy> (along with an "ATM machine" -- I guess all DAGs are acyclic)
17:59 < gmaxwell> I think you can do things like have bitcoins mined by burning power, and teddy coins mined by burning bitcoins, and ninja coins mined by burning teddycoins, and that all works out okay.
18:00 < RoboTeddy> since the whole system is "grounded" by burning power/cycles
18:00 < nsh> as long as the bottom turtle is sitting on a pile of work (hash rounds)
18:00 < comboy> gmaxwell, regarding otc, if this would be insurance network, I wonder if disputes could be automated, I mean higher rank always wins, but I guess possibly taking some hit on its rating (I'm kinda mixing insurance with public WoT here)
18:01 < gmaxwell> It doesn't have to be power but that works really well. The necessary criteria is that it burns something and that the burn can commit to the thing you're mining.   E.g. you could have a coin burned by getting hashes into court filings (if you assume there existed a court which cryptographically signed its document submissions)
18:01 < gmaxwell> You can't have your POW be smashing irreplaceable artwork because there is no way to create a cheaply verifiable proof that you smashed the artwork in the name of confirming a particular consensus state.
18:02 < RoboTeddy> unless you cut the artwork into the shape of particular hashes ;D
18:02 < RoboTeddy> (but could fake paintings, so not cheaply verifiable)
18:03 < gmaxwell> in particular, it's hard to decide if a painting (real or not) was valuable to begin with. :P
18:03 < gmaxwell> power/computation is a bit more objective. :P
18:06 < gmaxwell> I think this subject is interesting mostly not for the reason of building more resource-burning-consensus systems, in part because I'm really unsure of how generally applicable resource burning consensus really is, but because I think resource burning anti-spam/anti-dos is interesting and that since bitcoin is a cryptographically provable resource you could use it in those systems.
16:52 < azariah4> "The twister incentive is: whoever finds the hash collision to validate a new block of transactions will be awarded with the right to send a promoted message. Promoted messages have a certain probability of being displayed by twister client."
16:52 < azariah4> hehe :D
16:52 < azariah4> at first I laughed, but thinking of it, it's not too bad for a microblogging platform
16:52 < azariah4> some company could throw hash power at it to push some ads
16:52 < michagogo|cloud> ...
16:52 < sipa> it's trivial to modify your client to just ignore such promoted messages, though...
16:52 < michagogo|cloud> except that you can just not display th-
16:52 < michagogo|cloud> what sipa said
16:55 < azariah4> well, adblock+ hasn't killed the website ad industry
16:56 < jtimon> why didn't they just use namecoin for the user registration?
16:57 < sipa> reinventing the wheel is more fun, especially when the wheel can be made to look like a hammer
17:14 < adam3us1> azariah4: is twister an alt as well as a p2p microblog?
17:46 < andytoshi> john baez has a neat article about information complexity and bitcoin scarcity: https://johncarlosbaez.wordpress.com/2014/01/27/the-rarest-things-in-the-universe/
17:47 < andytoshi> i mean, bitcoin rarity. scarcity is an econ term that i don't mean to use
17:52 < andytoshi> he suggests a POW with a trapdoor function so that the key possessor (i.e. the government) can print coins. then you get the monetary control of fiat -and- the unforgeability of bitcoin :}
17:53 < gmaxwell> andytoshi: you don't need to use a pow for that, if you want to give someone the power to inflate the currency you can just let them (via a key) spend coins that don't exist just directly in the system.
17:54 < gmaxwell> POW = minting is a weird notion; in bitcoin pow = consensus, minting is just permitted as a rule in the blocks. :)
17:56 < andytoshi> yeah, i get that. baez is very unfamiliar with bitcoin and (i think) he thinks that the small hashes are the actual "coins".
17:56 < andytoshi> though, it is neat to see a complete outsider perspective from somebody as smart as him
17:57 < gmaxwell> yea that's not actually an uncommon belief.
17:58 < gmaxwell> I dunno where it comes from though.
18:06 < midnightmagic> password cracking analogies probably.
18:25 < CampyCoin> Any interest in domains?
18:26 < phantomcircuit> gmaxwell, ^
18:28 < CampyCoin> I'm confused here, let me know if I've done something wrong
18:44 < CampyCoin> anybody want some domains?
18:44 < nsh> that's off-topic here, CampyCoin
19:18 < adam3us3> gmaxwell, andytoshi: i think an interesting rule for fiat coins would be to encode the monetary policy into a smart issuance policy. eg 2%/yr QE cap, things like that.  then they can't exceed it without a super majority vote of clients
19:20 < adam3us3> gmaxwell, andytoshi: cryptographic assurance against moral-hazard :) ie can't panic bend the formal rules because a monetary policy committee can't withstand political pressure even though they know it's a bad idea.
22:32 < Luke-Jr> new proof-of-<foo> system to be announced soon based on the efforts of BlueMatt, myself, and others!
22:37 < petertodd> Luke-Jr: curious
22:39 < Luke-Jr> petertodd: another guy is writing up the announcement post now
22:39 < petertodd> Luke-Jr: oh nice, you guys are serious?
22:39 < brisque> Luke-Jr: a serious POW, not like proof-of-twerk?
22:39 < Luke-Jr> petertodd: <.<
22:39 < brisque> well, proof of something.
22:40 < Luke-Jr> >.>
22:40 < brisque> oh.
22:40 < brisque> still interested.
22:47 < andytoshi> by 'writing up' you mean that if i stay up another hour i'll see it?
22:48 < Luke-Jr> andytoshi: not sure what the schedule is on it
22:49 < Luke-Jr> he said by this weekend :<
22:50 < Luke-Jr> .. but he might have a draft for me to look over in a few mins
23:29 < brisque> has somebody tried poking ghash.io and asking them to change their default block size?
23:30 < Luke-Jr> brisque: they intentionally have it set low because they can't afford a decent internet connection apparently -.-
23:31 < Luke-Jr> (and can't figure out how to run a pool with the block broadcasts colo'd)
23:31 < brisque> that's awful. I've seen them orphan their own blocks quite a few times too.
23:33 < brisque> it would be nice for them to make decent sized blocks though. surely they can manage the small influx of data they need to broadcast them properly.
--- Log closed Tue Jan 28 00:00:05 2014
--- Log opened Tue Jan 28 00:00:05 2014
05:30 < TD> good morning
05:34 < super3> TD, morning
10:11 < andytoshi> here is a cool paper suggesting a category-theoretic view of crypto: http://arxiv.org/pdf/1401.6488v1.pdf
10:11 < andytoshi> maybe nobody here wants that :}
10:16 < gmaxwell> I giggle at the abstract, in that the cryptographic functions whose definitions (rather than proofs) span pages are often the things that get no actual applications. :P
10:58 < jtimon> oh, "maxcoin uses a faster and more secure hashing algorithm for proof of work"
10:58 < optimator> in theory, if you wanted to send 10,000 outputs, would you send it in 1 transaction or split it into multiple transactions?
11:00 < jtimon> optimator: I'm not sure I understand the question, depends on what you want to achieve?
11:02 < optimator> say I want to send to 10,000 different addresses using 10 inputs. Is there an advantage in splitting the send into multiple transactions rather than sending it as 1 large transaction?
11:02 < adam3us3> optimator: there is a practical limit on txouts, 32 is it?
11:03 < optimator> oh
11:04 < optimator> is that limit detailed somewhere? I don't see it here - https://en.bitcoin.it/wiki/Transactions
11:04 < stonecoldpat> anyone body read the mixcoin paper?
11:05 < stonecoldpat> im going to read it this week - just want a heads up on quality
11:05 < gmaxwell> jtimon: faster?
11:07 < gmaxwell> jtimon: they should get on the horn with NIST, NIST wanted something faster and more secure than sha2 for sha3 and basically no one achieved that. They mostly got equally fast and differently secure. :P
11:10 < adam3us3> optimator: maybe ask on #bitcoin-dev someone will know offhand it maybe in terms of isStandard which is a different limit to the msg format
11:11 < jtimon> gmaxwell: yes, it uses Keccak, but he said SHA256 is slower (sorry flash) https://www.youtube.com/watch?v=_Q684UxfDSU#t=907
11:12 < gmaxwell> jtimon: that's not true, SHA256 is faster than Keccak.
11:13 < gmaxwell> well it depends on your hardware, I'm sure on some things Keccak is faster.
11:13 < gmaxwell> They're nearly tied. It depends on how much data you're hashing.
11:14 < jtimon> I imagined it was simply false, "it's a more fair hashing algorithm" isn't true either
11:14 < andytoshi> gmaxwell: i really like the first half of that arxiv paper actually, it has clear explanations of a lot of basic security ideas and their history. probably the category theory is obtuse if you haven't seen it before, but there isn't much of it. there's more in the second half and it goes over my head.
11:15 < gmaxwell> jtimon: lol they claim that too? 0_o
11:15 < andytoshi> as you say the really obtuse definitions that this work helps are not anything that anybody would implement. but having a conceptual framework for this stuff could lead to existence/nonexistence proofs that would be good to have independent of any implementation
11:15 < wumpus> Keccak is supposed to be really fast when implemented directly in hardware
11:15 < gmaxwell> wumpus: yes, though that's also true of sha256.
11:16 < optimator> adam3us3: thanks
11:16 < gavinandresen> optimator: No limit on number of transaction outputs, but transactions larger than 100Kbytes are non-standard, and larger than 1MB cannot get into a block.
11:18 < optimator> gavinandresen: is there any benefit to structuring the transactions smaller? Say in 10K chunks
11:19 < optimator> versus say a 50k transaction
11:19 < adam3us3> optimator: maybe re-ask that prev bit gavinandresen dropped & rejoined either side of it
11:19 < gmaxwell> optimator: I can't think of any benefit to chunking to 10k instead of 50k.
11:19 < gmaxwell> Other than if you're right on the edge of being included in a block some smaller lower fee paying transactions might scoot in where you don't fit.
11:24 < phantomcircuit> i do txs in 500 output chunks
11:24 < phantomcircuit> i doubt it helps much, but it doesn't reduce the overhead much to do larger chunks
11:25 < gmaxwell> yea, arguably once you get above 100 outputs optimizing for change size makes more sense.
11:38 < jgarzik> Did anybody ever work on background wallet defragmentation?  And perhaps changing the priority calculations to somehow reward shrinking UTXO?
11:38 < jgarzik> We are interested in that </vendor hat>
11:39 < gmaxwell> jgarzik: I believed we merged the priority change that made shrinking the utxo better, though we also capped free transactions to 1000 bytes so it probably matters less.
11:39 < jgarzik> oh, hearing time
11:40 < gmaxwell> (the change was to not count the size of scriptsigs in the size used for computing the priority)
11:40 < jgarzik> ah!
11:41 < jgarzik> http://www.totalwebcasting.com/view/?id=nysdfs
11:46 < gmaxwell> would be nice if someone could figure out how to download the file for later playback.
11:54 < jgarzik> indeed.  I also hit "pause".  The video stopped.  When unpaused... jumped forward in time, missing whatever had been said during the pause.  no buffering :/
11:58 < gmaxwell> okay I'm grabbing it now, but i missed the beginning.
11:58 < gmaxwell> and I may get cut off because I'll be too busy to supervise it.
11:58 < phantomcircuit> it should be available in the future
11:58 < phantomcircuit> it'll be expensive though
12:00 < sipa> the winkelvi!
12:00 < phantomcircuit> sipa, dat statement written by their lawyers
12:00 < sipa> of course
12:00 < sipa> i found their talk in san jose very unimpressive too :)
12:01 < jgarzik> you want the statement written by lawyers... it's on the record
20:13 < warren> adam3us: I don't have a p2pool fixing budget, I just made large donations out of pocket to the only person working on the problem to give him more incentive.  I'm not happy that the larger bitcoin community isn't taking the issue seriously, and I'm at my limit of what I'm willing to fund out of pocket.
20:13 < petertodd> warren: and you know, don'
20:13 < warren> adam3us: I paid about $30k out of pocket during 2013 to various people who helped upstream bitcoin or p2pool
20:13 < petertodd> warren: don't get me wrong, that was money well spent, it's just that in the wizards part of the community we should be working on better
20:14 < petertodd> warren: we're supposed to be thinking medium to long term here, fixing p2pool is short to medium
20:14 < jrmithdobbs> petertodd: but the p2pool thing highlights a real problem
20:14 < warren> adam3us: that money came from people who were concerned about litecoin dying entirely due to lack of developers.  I don't expect future revenue potential to be anything like that special case.
20:15 < jrmithdobbs> petertodd: we have functional-enough-for-now technical solution to this, but (practically) no one using it
20:15 < petertodd> jrmithdobbs: yes, that's because it's a tech solution operating in a vacuum, not one that actually takes economics and incentives into account
20:15 < warren> petertodd: p2pool and eligius are attacking the low hanging fruit.  I don't have the cycles or money to attack the long-term issues myself.
20:16 < adam3us> warren: i see.  (re money situ/history).
20:16 < jrmithdobbs> petertodd: but there's no one (very few) willing to pay the people capable of the technical solutions and give them the context
20:16 < petertodd> warren: that's fine, I do for now
20:16 < jrmithdobbs> petertodd: how do we solve that?
20:16 < adam3us> warren: low hanging short term is good too.  people are not even using what they could and yet we are concerned about that as a systemic risk.
20:16 < petertodd> jrmithdobbs: foundations tend to be good at that, but they aren't going to solve that if people don't even accept this stuff is a problem
20:17 < jrmithdobbs> petertodd: or when major players in said foundations deny it's a problem.
20:17 < petertodd> jrmithdobbs: I can hardly even convince people *here* that p2pool isn't a very good solution
20:17 < petertodd> jrmithdobbs: heh, that too
20:17 < jrmithdobbs> petertodd: that's not a solution, that's an admittance of failure, really
20:17 < adam3us> warren, petertodd: which says maybe boring things like user education, nicer UX, more bundling, advertisement are perhaps necessary strange as that seems to a tech mindset
20:18 < warren> adam3us: it's no secret that I've been planning a 501(c)(6) foundation that focuses on development, with issues like centralization as a top priority. A few big players are interested in funding it.  I've been too busy with my own career to create it.
20:18 < petertodd> adam3us: I don't have a tech mindset remember... I know damn well boring stuff works in the short term, but I'm not foolish enough to think we aren't up against genuine economic perverse incentives
20:19 < adam3us> petertodd: agreed.  but sometimes short-term stupid action gains its own momentum and defacto "way-it-works" that leads to development cementing the stupidity.  so it may be worth fixing these short-term what-users-are-doing when they could do better issues
20:20 < jrmithdobbs> kinds are part of the types really
20:20 < jrmithdobbs> err wrong chan
20:20 < petertodd> adam3us: hence why I'm not against people improving p2pool; I'm against people who could use their talents to do even better spending their time on p2pool
20:21 < warren> adam3us: uncontroversial things for the new foundation to tackle: centralization, anti-DoS, anti-sybil, scalability, timestamping tech.  I rather not prioritize regulatory canaries when there are plenty of uncontroversial existential threats.  Others can work other issues.
20:21 < petertodd> adam3us: the people who can do that work can't do consensus system theory (and mostly vice-versa)
20:22 < adam3us> petertodd: yeah maybe it just pains me to sit around watching needless stupidity create short term network scale risks.  like 40% miners (that can and did do double spend attacks) when there is no sane reason to do it.
20:22 < warren> Go ahead and call me chicken, after centralization is fixed.
20:23 < adam3us> warren: canaries are a special breed. seemingly matthew green has what it takes :) he claims he's gonna make an alt out of zerocash.
20:23 < petertodd> adam3us: well like I said, for that issue you've got a hell of an uphill battle... we just to complain about hashers to point their hardware at ghash.io, but the reality is from their point of view there's nothing very stupid about it
20:24 < adam3us> petertodd: actually ghash doesn't charge fees i think. (like eligius and p2pool) otherwise often the big miners are charging like 5% and people are still using them over eligius or p2pool
20:24 < warren> ghash has other ways to make money (trading commissions...)
20:24 < petertodd> adam3us: I know, that's one of the reasons they're so big
20:25 < warren> If p2pool improved substantially, grew bigger and flexed its orphan advantage it might be able to compete.
20:25 < adam3us> petertodd: but i mean wtf why not put it up to 10% and see if they still stay there? do they even care about money?
20:25 < petertodd> adam3us: and 5% isn't much money - remember that when I talk about pools being "profitable" that includes non-monetary "compensation", as well as lower costs, and less perceived risk
20:26 < petertodd> adam3us: business risk is a funny thing - ghash.io has a perception to maintain
20:26 < adam3us> petertodd: u know there's one with 100% fee (aka it stopped paying out) and it still has significant TH
20:26 < petertodd> adam3us: equally, people's perception of value is often that higher cost == better
20:27 < adam3us> petertodd: i suspect it's bigger == better thinking here.
20:27 < petertodd> adam3us: hey, if you look at that and say "WTF?!" rather than "yeah, I can see why" then you don't have the insights to understand this stuff
20:27 < petertodd> adam3us: yeah, well duh
20:27 < adam3us> petertodd: if u have no clue and someone forces you to make a too technical or arbitrary decision, you'll tend to follow what others are doing...
20:27 < petertodd> adam3us: that's why I said above you probably have to create tech where pools aren't just discouraged, but are actively disabled in various ways
20:28 < petertodd> adam3us: yup
20:28 < petertodd> adam3us: having to research the right way to do something is a huge cost
20:28 < petertodd> adam3us: heck, having to make choices at all is a huge cost
20:28 < adam3us> petertodd: but 5% eh. maybe a 50-point font mining pool fee % & profit calculator in the miner sw
20:28 < jrmithdobbs> petertodd: you're trying to say that not only do you need to be able to recognize that "bigger == better" thinking but realize that a) it's not necessarily wrong and b) it's ingrained for a reason and isn't something that can be ignored because "people are dumb"
20:28 < jrmithdobbs> pes?
20:28 < jrmithdobbs> yes?
20:29 < petertodd> jrmithdobbs: yeah, all those points.
20:29 < jrmithdobbs> petertodd: just making sure i was understanding your point (and I agree)
20:29 < petertodd> Now if we're willing to accept that, then how do you force pools completely out of existence? I think it was you adam who was talking about stealable proof-of-work for instance.
20:30 < adam3us> petertodd: yeah that's more interesting (must get off fixating on irritating user stupidity:)
20:30 < petertodd> Similarly, how can blockchains be structured such that p2pool-like variance reduction is a given?
20:30 < amiller> loosen the difficulty restriction
20:30 < amiller> let people choose their own difficulty in some way
20:30 < amiller> that way you can still maintain the overall security invariant
20:30 < petertodd> And, how can we make mining something that you don't need a bunch of setup time and other work to get started in?
20:31 < adam3us> petertodd: i think it was amiller who said it first (stealable PoW) except i think he was talking reverse ... for hosted mining
20:31 < petertodd> amiller: well, is that diff per-block then or what?
20:31 < amiller> i was talking about both equally, i gave an abstraction where both pools and hosted mining are equally a security violation!
20:31 < petertodd> amiller: or can we split blocks up? how does consensus work?
20:31 < adam3us> amiller: actually the whole pool chooses work packet for miner is just wrong thinking
20:32 < petertodd> amiller: yeah, I'm not sure if I have a solution to hosted mining yet
20:32 < adam3us> amiller: the whole point of hashcash is the user chooses their own work packet
20:32 < petertodd> adam3us: yet, just saying that doesn't help :)
20:32 < warren> Lots of the Litecoin users are pushing for a PoW change because they don't want the same thing to happen with ASIC's.
20:32 < petertodd> adam3us: getblocktemplate is the perfect example of just saying that, and look where that's gone
20:32 < jrmithdobbs> petertodd: the only straightforward solutions i can think of require things that don't actually exist
20:32 < amiller> so the block selection function is
20:32 < petertodd> warren: Good!
20:32 < amiller> choose the block with largest sum difficulty
20:32 < warren> They're quite naive, suggesting just increasing the scrypt parameters.
20:32 < amiller> that's invariant to difficulty choice
20:32 < jrmithdobbs> but i've not spent much time thinking about hosted mining, ha
20:32 < amiller> the problem with difficulty choice is one of PoW basically
20:33 < adam3us> petertodd: whats wrong with GBT?
20:33 < amiller> er
20:33 < amiller> Dos
20:33 < petertodd> warren: heh, they willing to put money towards researching ASIC-hardness
20:33 < petertodd> adam3us: there's no incentive for individual hashers to use it
00:54 < gmaxwell> pigeons: did your arb script screw you with tradefortress?
00:55 < pigeons> not at all
00:55 < pigeons> i don't trust tradefortress
00:55 < pigeons> i don't trust anyone who trusts him either
00:55 < pigeons> i don't value anything he issues
00:56 < pigeons> sometimes my paths do go through things i don't value though
00:56 < gwillen> gmaxwell: what happened with tradefortress?
00:57 < pigeons> like the other day i discovered someone issuing MXN i didn't know because the cheapest path to send myself bitstamp USD from a certain issuer's GBP i had was to buy MXN for XRP that i acquired for selling GBP and sell the MXN for BTC
00:57 < pigeons> trades on the order books are treated as a node in the path
00:57 < gmaxwell> gwillen: I'm clueless, something like:  he got lots of people to trust him, issued a bunch of tradefortress btc, lots of trades flowed through him leaving people with tf btc and he said LOL SOL SUCKERS.
00:58 < gwillen> gmaxwell: heh.
00:58 < pigeons> so you can go through a trust line BTC/bob -> btc/alice or you can go BTC/bob -> market BTCbob/XRP -> btc/alice
00:58 < gwillen> gmaxwell: do I understand the ripple system correctly that if you do not manually trust tradefortress, it should not be possible for him to screw you?
00:58 < gwillen> gmaxwell: even if, for example, you trust someone who trusts him?
00:58 < pigeons> he posted in the newbie section offering free btc if you trust him for 100 btc
00:58 < gwillen> sigh
00:58 < gwillen> people are idiots, aren't they
00:58 < gwillen> I guess this is why the ripple people put 'trust' under 'advanced'
00:59 < pigeons> then if the user also had btc assets that actually were redeemable and also trusted TF, or someone with redeemable assets was trusted by the guy who trusted TF, TF or his cohorts would take the BTC they were trusted to be allowed to take
01:00 < pigeons> he claimed he was trying to teach a lesson on the dangers of IOUs, I guess he taught that lesson again with inputs.io and coinlenders
01:00 < gmaxwell> oh did he rip people off on coinlenders?
01:01 < gmaxwell> he should team up with realsolid and zhou... it would be like a cryptocurrency learning experience dream team.
01:01 < gwillen> pigeons: just to be clear, if I trust X and X trusts TF, the ripple system will leave X holding the bag, and not me, right? I will never end up with TF IOUs?
01:01 < gwillen> pigeons: The only way I could get screwed is if X, who is holding worthless TF IOUs, decides to then default on their own IOUs?
01:01 < pigeons> you can never hold or receive an asset you don't explicitly agree to hold
01:01 < gwillen> (which they might well do, having issued those IOUs without understanding how they could get screwed)
01:01 < gmaxwell> pigeons: you could still trade through those assets you haven't agreed to hold, in passing so no risk from them, right?
01:02 < pigeons> you can acquire assets you havent granted a trust line for by making a trade offer
01:02 < pigeons> but making the trade offer implies agreement to accept
01:03 < pigeons> in the case i mentioned with the MXN, the buy and sell was in one transaction
01:03 < gmaxwell> gwillen: yea, of course there is always the systemic risk. You trust A, A trusts B. B bankrupts A and in doing so that bankrupts you, even though you never trusted B, only trusted A too much.
01:03 < gwillen> right
01:03 < gmaxwell> I dunno if there was any systemic risk fallout with TF
01:03 < gwillen> just checking my understanding
01:04 < pigeons> we marked the accounts that were not TF himself but took advantage of the situation in our address books as TF.X1 TF.X@ etc
01:04 < gwillen> took advantage how?
01:05 < gwillen> Did they also default on IOUs?
01:05 < pigeons> took advantage by sending the user TF IOUs that the user naively agreed to accept, in exchange for more trustworthy IOUs like from bitstamp
01:05 < gmaxwell> used tf IOU's to acquire real assets.
01:06 < gwillen> hmm
01:06 < gwillen> is it possible to implicate people for doing that on purpose?
01:06 < gwillen> as opposed to just treating those things as equivalent, and having the system rearrange them as part of some other transaction?
01:06 < pigeons> well the client gives a red warning "YOU ARE TRUSTING MORE THAN ONE ISSUER FOR THE SAME ASSET, THIS ALLOWS THESE ASSETS TO BE EXCHANGED AT PAR WITH EACH OTHER" or something
01:07 < gwillen> oh, that's new since I used it
01:07 < gwillen> interesting
01:07 < pigeons> gwillen: yes there are ways to assign different values to different lines, called "quality settings" but they are not exposed in the default client
01:07 < gmaxwell> hm. really?
01:07 < pigeons> for example one issuer i have to email to get my btc, so i give it a quality in of 0.95
01:07 < gmaxwell> I have two issuers trusted for btc in my ripple wallet, I have no clue who they are. I don't see any warning.
01:07 < pigeons> so if payment ripples through me i receive 5% more than the other issue i give out
01:08 < gmaxwell> I was about to ask if there was a way to program in automatic spreads.
01:08 < pigeons> the warning comes when you assign trust
01:08 < pigeons> try it
01:08 < gmaxwell> pigeons: gimme an address?
01:08 < pigeons> the corollary is 'quality out' which means if liquidity from this line is used, you get more than you give
01:08 < pigeons> i maintain a list of addresses here https://bitcointalk.org/index.php?topic=155236.msg1646402#msg1646402
01:09 < pigeons> dividend rippler is rfYv1TXnwgDDK4WQNbFALykYuEBnrR4pDX
01:09 < pigeons> bitstamp is rvYAfWj5gh67oV6fW32ZzP3Aw4Eubs59B
01:10 < pigeons> so you could set quality out of 1.01 on your trust line with BTC/Bitstamp since bitstamp is very liquid in ripple
01:10 < pigeons> so if you end up with dividend rippler at least you get 1% more
01:10 < gmaxwell> pigeons: hm. so you can turn a profit from acting as a liquidity provider ... interesting.
01:10 < pigeons> although dividend rippler is immediately redeemable
01:10 < gwillen> what is 'dividend rippler'
01:10 < gmaxwell> rQay7bQ3XoZcT6E3c8uDopZdnWaMBxWea2 < any idea what that is?
01:11 < pigeons> one sec
01:11 < pigeons> i have that address as "jorgen"
01:11 < gmaxwell> "By pressing CONFIRM you are extending trust to multiple issuers for the same currency which may result in your account balances changing without your direct action. Make sure you understand these consequences, and that all your issuers are trustworthy." heh indeed.
01:11 < gwillen> is it not true that trusting a single issuer can cause your account balances to change without your direct action?
01:12 < gmaxwell> I have it, but trusted at 0.
01:12 < pigeons> gwillen: it cannot
01:12 < gwillen> hmm
01:12 < pigeons> trusted at 0 removes the trust line
01:12 < gmaxwell> yea, seems you can't label these darn things in the interface.
01:12 < pigeons> go to contacts and enter one and it will show in the trust tab
01:12 < pigeons> but yeah the client pretty much sucks
01:13 < pigeons> gwillen: dividendrippler.com is an automated way to send blockchain assets and get ripple assets issued and vice versa
01:13 < gwillen> hm, interesting
01:13 < gmaxwell> you'd think they'd make the quality stuff exposed, since I bet a lot of people would jump into this trying to make money as liquidity providers.
01:14 < pigeons> yes lots of people on the ripple forums complain that they would like to trust multiple issuers but dont want their balances changing
01:15 < amiller> in other words extend line of credit wihtout implicitly offering any exchange standing offers
01:15 < pigeons> i spoke with David Schwartz at a conference and was talking about my quality settings and he seemed to think that 1:1 acceptance was good for the network
01:16 < pigeons> you can also make explicit order book trades for USD/Foo vs USD/Bar
01:16 < gmaxwell> weird, I'd think that near but not quite 1:1 would be good for the network. Besides, taking a less trusted issuer exposes you to risk you should be compensated for.
01:16 < amiller> 1:1 accepts is basically the "i'm altruistic and trust everyone at my own avoidable loss" setting
01:16 < amiller> so yeah it's good for the network if everyone else does it
01:16 < pigeons> i do try to keep 1:1 if i can cashout easily and immediately with little to no fee and the issuer has a good reputation
01:16 < pigeons> and then i discount from there
01:16 < gmaxwell> amiller: well not quite because if too many people lose their shirts thats bad for the network.
01:17 < pigeons> that's why i try to use quality in so i can charge a premium based on certain issues i receive instead of a quality out on a popular issue, cause that would affect the liquidity i offer to my friends in that issue
01:18 < pigeons> but the opposite is recommended i dont know why
01:18 < gmaxwell> quality in sounds generally more reasonable. you have a cost in taking a non-preferred asset, not so much in giving out a preferred one.
01:19 < gwillen> just call it the "Gresham's Law multiplier" ;-)
01:19 < pigeons> sometimes if all my btc is immediately flowing from bitstamp to say rippleisrael, but even though i know the guys at ripple israel and have an automated interface to get real btc, i set the quality in on R.I. just cause it seems people are willing to pay it
01:19 < amiller> how many transactions go through jeff cliff
01:20 < pigeons> amiller: not as many as in the old ripple system, but he's starting to catch up
01:20 < pigeons> "The Kevin Bacon of Ripple"
01:21 < gmaxwell> so what happens when fincen decides all ripple users are money transmitters? :P
01:21 < pigeons> well then we learn the consequences of the default UNL list issue, when those validators are asked to deny transactions from unlicensed folk
01:22 < gwillen> gmaxwell: http://www.quickmeme.com/Youre-gonna-have-a-bad-time/
01:22 < amiller> just the ones that make profit, rely on public reputations and the appearance of a "legal company", i.e., the only ones that ripple labs is encouraging to do this, aka gateways
13:38 < gmaxwell> (I have a sketch for a revocation solution too... but didn't post it because I felt the protocol was too complicted to bother implementing)
13:51 < maaku> gmaxwell: how do you get by on 30k/year here?
13:51 < gmaxwell> I don't have Kids
13:52 < gmaxwell> (I don't mean this to insult having kids, but its probably the first major factor! :) )
13:53 < maaku> yeah
13:55 < gmaxwell> Otherwise, heck if I know.  A moderate amount of lifestyle hypermiling. I don't drive. (I have an old truck, but I think I only used it a dozenish times last year). I cook. I don't buy gizmos, though partially this is because I already own two lifetimes worth of gizmos from a decade ago before I intentionally started trying to minimize my cost of living.
13:58 < maaku> Yeah our rent alone is $20k/year
13:58 < maaku> If I were single, no kids, and had housemates I guess that'd be plenty doable
14:08 < petertodd> gmaxwell: re: msc/ether I've been arguing quite strongly that msc either be based on ethereum, do it better, or merge the projects
14:09 < gmaxwell> petertodd: sounds reasonable to me.
14:09 < gmaxwell> (whatever reservations I have on the ideas, they're not made worse by merging them, and may well be reduced by them)
14:09 < petertodd> gmaxwell: yup, and msc seems to have a number of people actually focused on gui's, workflows and other usually ignored details
14:13 < phantomcircuit> msc?
14:13 < petertodd> msc==mastercoin
14:13 < phantomcircuit> oh
14:14 < phantomcircuit> gmaxwell, it would be interesting to build a merged mine altcoin which does a bunch of stupid shit like that
14:14 < phantomcircuit> just to see what would happen
14:15 < phantomcircuit> gmaxwell, 2.5k/month in mountainview? im thinking the key is you split rent with your gf
14:16 < gmaxwell> phantomcircuit: no, actually the 30k figure is including all the shared expenses.
14:16 < phantomcircuit> does that include your electric bill? lol
14:16 < petertodd> gmaxwell, adam3us: still need to reply to your IBE ideas; got some paid work to get done first though on a deadline
14:17 < gmaxwell> phantomcircuit: It doesn't include my (e.g. mining) business expenses (which I already account for separately), nor should it, since that stuff is self funding.
14:17 < phantomcircuit> i was kidding
14:18 < gmaxwell> my non-mining electricity usage is like $30/month. :P
14:18 < phantomcircuit> without monthly vehicle costs you can live pretty much anywhere in the us for relatively little
14:18 < phantomcircuit> rent/utilities/internet/food
14:18 < petertodd> phantomcircuit: aside from the problem that in many places in the us you can't live without that vehicle :)
14:19 < gmaxwell> petertodd: you _can_ but it requires careful consideration and effort.
14:19 < gmaxwell> at least any town with a population over 50k or so at least has some place in it that you could reasonably live without a car or at least without frequent use of a car.
14:20 < petertodd> gmaxwell: right, I'm including <50k in that statement
14:20 < gmaxwell> but some kung fu balancing of needs is required.
14:20 < maaku> phantomcircuit: i don't, rent is a big issue in many places (silicon valley, nyc, dc, ...)
14:20 < phantomcircuit> petertodd, i imagine it's fairly complicated to live in mountain view without a car also
14:20 < petertodd> gmaxwell: the US also has places >50k with no public transport what-so-ever
14:20 < maaku> my wife and I are considering a move to montreal just to cut expenses...
14:21 < petertodd> phantomcircuit: heh, when I interviewed at google in mountain view I took the bus to the airport to get a sense of how screwed up the place was...
14:21 < maaku> phantomcircuit: actually mtnview is not that bad. it's well connected by train, lightrail, and bike paths
14:21 < petertodd> maaku: where are you now?
14:22 < maaku> but the rent differential is many factors more than car payments would be
14:22 < maaku> petertodd: san jose
14:22 < maaku> used to live in mountain view
14:22 < petertodd> maaku: didn't realize montreal was an option for you
14:22 < phantomcircuit> maaku, if you're single and dont care about roommates you can get a room in sf for ~800/month
14:23 < gmaxwell> phantomcircuit: nah. not at all, at least without kids. There are three supermarkets within a 10 minute walk of where I live, and the caltrain station (though it's pretty expensive, so it would dent the COL if I had to use it daily and pay for it)
14:24 < maaku> petertodd: well it's not per se, but it's easier for freelance americans to get a visa to canada than many other places
14:24 < tromp__> a car also becomes something of a necessity when you're no longer single...
14:24 < tromp__> and not living in a big city
14:24 < petertodd> maaku: ah. why montreal vs. toronto or something?
14:25 < sipa> tromp__: so you go from 2 single people each having no car, to a couple of two people each having a car? :)
14:25 < gmaxwell> tromp__: I'm not single, I haven't been single for >10 years... and I live in the suburbs.  There certainly are places where a car really is mandatory, but in a lot of places (and not just crazy big cities) it is possible to organize your life so that you need to use a car very infrequently.
14:26 < tromp__> in my case my fiancee relied on a car already
14:27 < tromp__> when she moved here (selling her old car) i went and got my us driver's license and bought a car
14:27 < maaku> petertodd: I have a cousin who is a permanent resident in Montreal & I've stayed with him for some conferences. Love the city, local tech industry, and quebec culture.
14:28 < maaku> From what I hear toronto would probably be a 2nd choice, but I've never visited
14:28 < petertodd> maaku: imo montreal > toronto re: beauty/culture/etc.
14:28 < gmaxwell> e.g. choosing work that is in proximity to reasonably priced places to live and groceries, and then living close to work. Owning a bike with some reasonable cargo accommodations.
14:28 < tromp__> i commute by bike everyday
14:29 < maaku> petertodd: yeah for me now that's the bigger concern ... thanks to bitcoin we can live anywhere
14:30 < petertodd> maaku: you know, rural iran is really beautiful in the mountains
14:30 < maaku> hahahaha
14:33 < maaku> seriously, we considered places like bali and thailand. but having a family means giving priority to things like access to health care and schooling :\
14:33 < petertodd> maaku: heh, had a long discussion with my dad along those lines a few months ago actually - his job is head of regional economic development in the nwt (way north canada) and I was pointing out how in theory all these remote communities could easily have thriving economies with people doing remote telecommuting IT work and hunting... but of course that doesn't happen
14:33 < petertodd> maaku: yeah, I like first world for that...
14:34  * gmaxwell waits for adam3us to suggest malta.
14:36 < sipa> if you like high rent and public transport that actually works, zurich isn't bad :)
14:40 < maaku> petertodd: probably more potential for arctic air-cooled data centers like we see in iceland and sweden
14:40 < petertodd> maaku: potential maybe, but right now the electricity infrastructure sucks and would cost billions to improve
14:41 < maaku> ah
14:41 < petertodd> maaku: not much generation capacity up there
14:43 < petertodd> maaku: it's a serious problem for the mines - a few km from my parents house is the transfer station for diesel, which has a tank farm with the same volume as a large sports stadium, and that's not even a full season worth of fuel
14:44 < petertodd> maaku: I worked it out once and that one farm had capacity for something like 6 hours of the worlds supply of oil
14:45 < petertodd> (all the mines use diesel generators for their electric supply)
14:46 < gmaxwell> petertodd: electricity infrastructure: https://bitcointalk.org/index.php?topic=170332.msg4808083#msg4808083
14:47 < maaku> jeeze, you'd think there'd be wind, or geothermal (near the ring of fire at least)
14:47 < petertodd> gmaxwell: his electrician fucked that up big time...
14:49 < petertodd> gmaxwell: it should never be possible to do damage like that to any part of your electric wiring no matter how badly you abuse it if everything is done to code with proper-sized fuses
14:51 < gmaxwell> petertodd: yep, well apparently the _meter_ caught fire?!
14:52 < petertodd> gmaxwell: I have to wonder if someone modified it before, say to bypass something...
14:53 < petertodd> gmaxwell: I *think* meters are actually protected by a fuse at the pole in many places - haven't looked at the codebooks in years
14:55 < gmaxwell> petertodd: yes, they are protected by a pole fuse, though sometimes the pole fuses get shorted and don't work.
14:56 < gmaxwell> they're also really slow.
14:56 < gmaxwell> (I've blown one once, so I'm speaking first hand.)
14:57 < petertodd> gmaxwell: yup, probably a bad substitute. one of the harder parts of power engineering is that the timeconstants of your fuses matter and have to be matched to the equipment
15:27 < Emcy> impressive
15:28 < Emcy> not quite as impressive as the kid who gave himself brain damage by sleeping in the same room as 20 radeons or something
15:29 < petertodd> Emcy: heat exhaustion?
15:29 < Emcy> yea
15:29 < Emcy> heatstroke
15:29 < nsh> i once gave myself brain damage by inhabiting a space with 20 radians per revolution
15:29 < petertodd> I was worried you were gonna say EMF pollution :P
15:29 < gmaxwell> Emcy: Pretty sure that was BS.
15:30 < petertodd> nsh: non-euclidian geometry kills
15:30 < Emcy> gmaxwell perhaps but its a nice bit of bitcoin folklore
15:30 < nsh> hehe
15:30 < nsh> Riemannian Manifolds: Just Say No
15:31 < petertodd> nsh: I felt the brain damage coming on while trying to add ECDH support to python-bitcoinlib last night... manifolds >> openssl I'm sure
15:31 < nsh> eek. how did it go?
15:32 < Emcy> how many amps/watts can an american household push then
15:32 < Emcy> i think its surprisingly low? due to 120v
19:08 < c0rw1n> do they _have_ to send your message in full? or could you be sending it .3kbps at a time?
19:08 < jron> after a over an hour, the most interesting quote to come out of the hearing has been: "...I think the level of engagement and the positive reception that bitcoin companies are now getting from certain banks has lead us all to believe that we're very very close to the banking industry opening up to bitcoin. I think we're probably 2 or 3 months away from some well known banks coming out with kind of clear procedures on how to work with them as a bitc
19:10 < sipa> with them as a bitc[...]
19:11 < jron> with them as a bitcoin company and they'll position themselves as a bitcoin friendly bank." - Barry Silbert
19:11 < andytoshi> brisque: there is an example of the uncertainty principle for fourier transforms involving water waves, where you can't simultaneously determine the waves' frequency and breadth or something like that. using that idea you can smear out the actual changes in traffic volume
19:11 < andytoshi> i'll see if i can find that..
19:16 < jron> oh, and that someone is trying to remake e-gold\goldmoney.
19:28 < andytoshi> brisque: i can't find it, but i did find a paper by folland called "uncertainty: a mathematical survey" which gave the formulation that i wanted: there exists some number (1/16pi or something) which bounds below the product of your variance and your fourier transform's variance. for waves this means you can measure the water height arbitrarily well, or the wave frequency arbitrarily well, but not
19:28 < andytoshi> both
19:28 < andytoshi> (though ofc you can just do two measurements)
19:29 < andytoshi> so the better you keep your chaff quantity following a sine wave, the worse time an attacker will have determining the actual data level
19:30 < andytoshi> since the attacker can only measure frequency in that case, he can't measure actual bandwidth without knowing what's real and what's not
19:32 < andytoshi> then for example if you can always keep your bandwidth uncertain within +/- 10kb/s, and don't increase the amount of chaff by more than 10kb/s/day, an attacker can only see changes in bandwidth usage with granularity of one day, thus defeating timing analysis
19:33 < brisque> hm. I've never believed that random timings and fake data really help to secure a service. if you're running something like RetroShare you're probably going to need to be attracting a lot of attention to yourself for anybody to bother doing traffic analysis. if they are, you can assume they're probably just going to get a warrant and bust your door down.
19:34 < jrmithdobbs> andytoshi: the shorter way of saying that is "run a bandwidth restricted tor relay on the same link"
19:35 < andytoshi> jrmithdobbs: yeah :} and randomly change the bandwidth cap
19:35 < jrmithdobbs> but i'm with brisque, I'm not so sure I buy shamir/etc's arguments on this topic
19:36 < jrmithdobbs> there's analysis to be done there but it's kind of like plugging the whole in a rowboat with your finger when there's 500million more holes
19:36 < jrmithdobbs> s/whole/hole/
19:37 < super3> my question is what is the minimal amount of fake data you can throw around without just wasting bandwidth
19:37 < super3> i like the idea of just using it in random bursts rather than continual data usage.
19:37 < jrmithdobbs> and I don't think we really have a correct answer yet but i've not specifically read the paper andytoshi mentioned :)
19:38 < brisque> even a kilobyte a second adds up, especially over multiple peers.
19:38 < super3> where is this paper?
19:38 < super3> brisque, also makes you stand out on a network.
19:39 < justanotheruser> andytoshi: yes, every N seconds you broadcast data
19:39 < justanotheruser> to all your peers
19:39 < jrmithdobbs> super3: in fact, i'm not sure anyone's actually looked for *generic* traffic, the only stuff I'm recalling specifically involve using spam/smtp as transport
19:40 < andytoshi> jrmithdobbs: yeah, that's an example of what i'm saying about using periodicity to hide actual volume. so if you burst every second, and increase traffic whenever you need it, your attacker can see your volume changing with 1-second granularity
19:41 < andytoshi> i guess that's way way simpler than trying to shape continuous traffic to have decently periodic features..
19:41 < brisque> super3: like the guy who puts way too many locks on his door.
19:42 < super3> brisque, im that guy
19:42 < super3> brisque, rather too many locks than not enough
19:42 < jrmithdobbs> andytoshi: if anything normalizing like that may obscure the original intent but has the side effect of calling attention to the traffic because NOTHING is that normal
19:43 < brisque> super3: locks seem a little silly when people have glass windows.
19:43 < jrmithdobbs> heh
19:43 < jrmithdobbs> tbqh, having the lock makes the lock do its job
19:43 < jrmithdobbs> don't even have to lock it
19:44 < jron> here is the e-gold like company the lawyer referred to: http://www.coeptis.com/
19:44 < jrmithdobbs> (in fact, i rarely do, lol)
19:46 < jrmithdobbs> super3: it's actually quite a fitting analogy
19:46 < jrmithdobbs> super3: you do realize that 98% of locks on the market can be opened in <15s with basically a week's worth of effort, right?
19:47 < jrmithdobbs> and said effort isn't salted so effort on one core of a similar type equates to effort on another core of the same design with different keying
19:47 < super3> jrmithdobbs, i agree with you
19:48 < brisque> locksport is great fun.
19:48 < jrmithdobbs> great party trick if nothing else
19:49 < jrmithdobbs> (and the "week's worth of effort" was from zero knowledge of how they work, not per core, to be clear ;p)
19:49 < brisque> I enjoyed the opening contests at defcon too, they even had casascius coins (to keep the comment on topic)
19:50 < jrmithdobbs> i like freaking out locksmiths
19:51 < jrmithdobbs> had one try and upsell me on some padlocks towing something recently, "Ya see this, this is so thieves can't get a pick in here" "what? yes you can, look: <opens lock>" ...
19:51 < jrmithdobbs> he almost called the cops, lol
19:51 < jrmithdobbs> (because said tools are illegal in tx unless licensed)
19:52 < brisque> well, be careful. fine line between a party trick and freaking people out.
19:53 < jrmithdobbs> it's more fun not to pick the locks and show people the releases on filing cabinets/etc instead ;p
19:53 < jrmithdobbs> *that* freaks people out .. no one thinks about this stuff, ha
19:55 < maaku> there's a great story about feynman 'picking' the combinations of his colleagues' safes in the manhattan project
19:55 < gmaxwell> where he went and precomputed the combinations and then appeared to be able to do it instantly? :P
19:56 < gmaxwell> or was that where there was some bypass?
19:56 < brisque> combination locks are usually the easiest ones, all you need is a drink can and a pair of scissors.
19:58 < jrmithdobbs> gmaxwell: that sounds like a fun story hadn't heard it
20:00 < gmaxwell> one of the puzzles in this years MIT mystery hunt, part of the runaround at the end, was a pin-tumbler lock in the form of a pool-table sized 'bed'. (you had to manipulate slats on the sides of the bed to pick the lock, after first solving some nested trick with a magnetic trigger)
20:01 < gmaxwell> people in my team were kinda mobbing the bed and preventing effective work on it. someone called out "who here has picked a lock before" and 3/4 of the room, including everyone within 10 feet of the bed raised their hands... so that wasn't a good distinguisher on who should be taking the lead...
20:01 < maaku> gmaxwell: correct, iirc he was able to feel the last two (of three) numbers on an opened safe, and most people kept their safes opened while they were in the office
20:01 < maaku> jrmithdobbs: it's in "surely you're joking?" i think
20:12 < Emcy> anyone ever picked those electronic dongle locks
20:12 < Emcy> the ones where the key sort of looks like a coin cell
20:21 < gmaxwell> Emcy: I believe I've seen those in the form of the 'keys' used for segways.
20:21 < gmaxwell> I'd _assume_ they're cryptographic.
20:22 < brisque> I wouldn't. I expected the one for my car to, but it just uses rolling codes like all the rest.
20:23 < brisque> if you really want to piss somebody off, go out of range of the car and punch the unlock button a few hundred times. once the keyfob rolls past the acceptable window for the car, it's useless.
20:24 < Emcy> they're rfid
20:24 < Emcy> i used to have one for my dorm door.....the lock seemed to have a nifty internal power source
20:24 < brisque> oh wait, there's stock standard RFID tags probably. I saw a store stocking them.
20:25 < gmaxwell> brisque: I know that some of the car ones are actually cryptographic because they've used snakeoil crypto that people have successfully attacked! (doh!)
20:25 < Emcy> and i once read something about those lock systems being able to form their own sneakernet via a writable area of the rfid and keep logs of when and who opens doors etc
20:25 < sipa> gmaxwell: a friend of mine at university did :)
20:25 < sipa> (keeloq)
20:26 < gmaxwell> Emcy: I like the electronic locks that look like dial combination locks where spinning the dial powers it.
20:27 < Emcy> never seen that
20:27 < gmaxwell> They're pretty insanely secure because the only connection between the outside and inside is a couple wires, and all the locking is on the inside.
20:27 < brisque> gmaxwell: wonder how big a mechanical lock that used EC would be. it's presumably possible to make a mechanical computer that could do it, just it would be a little on the large side.
20:27 < gmaxwell> about the best attacks on a well built one are bugging the dial.
20:29 < brisque> bombe style with electromechanical calculation?
20:32 < Emcy> yep locks are pretty interesting
20:32 < brisque> likely impossible, but I'd pay big money to see a purely mechanical computer doing a SHA256 hash.
13:11 < realazthat> Yes, the only way (assuming you cannot break crypto) is to run P, not Q.
13:11 < petertodd> huh, crazy
13:11 < realazthat> so you can turn any useless algorithm into a PoW
13:11 < realazthat> and, you can make the lottery winnings be adjustable
13:11 < realazthat> depending on how you calculate the lottery "numbers"
13:12 < petertodd> oh, that'd be very good for combining multiple PoW's actually
13:12 < gmaxwell> eeh. still, you could optimize the hell out of the scip environment.
13:12 < realazthat> gmaxwell: yes :D
13:12 < realazthat> thats like someone running a GPU
13:12 < realazthat> except this is brains
13:12 < realazthat> and might interestingly lead to improvements in SCIP
13:12 < realazthat> lol
13:13 < petertodd> like if you had a hundred low-value PoW's, present a proof that they have been combined honestly, and, say, all depended on some initial value
13:13 < realazthat> ofc incentive is not to publicize
13:13 < petertodd> could be used to reduce varience
13:13 < realazthat> yeah a bunch of conflicting ideas along those lines
13:13 < petertodd> sure lends itself to a merkle-tree structure...
13:14 < petertodd> it'd be interesting if we could somehow make solo-mining low-variance
13:14 < realazthat> also
13:14 < realazthat> a compute market
13:14 < realazthat> this might be possible within bitcoin itself
13:14 < realazthat> https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
13:14 < realazthat> gmaxwell: doooo that :D
13:15 < realazthat> though I was wondering if it were possible to somehow keep the actual program out of the blockchain
13:15 < realazthat> but thats a side issue
13:15 < gmaxwell> ...
13:15 < gmaxwell> I think you need to read https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked again. The whole point of it is that it makes bitcoin oblivious to your scip dance.
13:15 < gmaxwell> :)
13:16 < petertodd> oh, shit, and I just realized that this same PoW merging thing applies to proof-of-sacrifice, which basically means you don't need to store the zillions of tiny individual sacrifices... damn
13:16 < petertodd> I've been really struggling trying to find a decent way to keep my consensus key-value system unbloated...
13:17 < realazthat> gmaxwell: what am I missing?
13:17 < realazthat> why can't u use that to make a job worth running
13:17 < realazthat> and pay out to the 1st person with an answer
13:18 < gmaxwell> There is no need to have the program in the blockchain.
13:19 < petertodd> realazthat: it's a way of forcing the seller to prove they have the data from the output of a program, and at the same time, force them to reveal the decryption key to that data as part of receiving the payment
13:19 < petertodd> realazthat: (I think I got that right)
13:20 < gmaxwell> right. They prove to you that the encrypted output is X, and that the hash of the decryption key is Y.  And you make a payment that must provide the value that hashes to Y (the key to decrypt the solution)
13:21 < gmaxwell> For NP problems they don't even have to run the computation inside SCIP, only the validator.
13:21 < petertodd> very cool
13:21 < realazthat> mmm yes
13:22 < realazthat> ok this is interesting too, but not as universal I think
13:22 < petertodd> interesting too how it's dependent on the blockchain being reliably public information
13:22 < petertodd> hard to think of an example where that could be done in a non-bitcoin payment system
13:22 < gmaxwell> petertodd: yea... "if they can spend it, you can get the key they disclosed"
13:22 < realazthat> it would be cool if there was a way to post a SCIP program publically, and have an output script that verifies the answer to release payment
13:22 < realazthat> I guess this is a separate idea though
13:23 < gmaxwell> realazthat: requires putting the validator in the network rules, not really realistic at this time.
13:23 < realazthat> yes
13:23 < realazthat> I mean way later perhaps
13:23 < realazthat> or a way to bootstrap it in
13:23 < realazthat> without putting the validator itself in, I dunno
13:24 < realazthat> it can also be very unsuccinct for bitcoin
13:24 < realazthat> the response signature can be relatively big
13:25 < realazthat> something like a MB or something? I don't remember
13:35 < petertodd> so, the recursive bootstrapping SCIP stuff, any sense of how many months/years we're going to have to wait for it?
13:35 < petertodd> I mean, sounds like you have to implement a SCIP proof verifier within the system for one thing...
14:38 < realazthat> yes
14:38 < realazthat> I mean it seems a bit trivial to try to do myself
14:38 < realazthat> but eli said there were more complications
14:38 < realazthat> and I didn't read the paper he named in response
14:38 < realazthat> and I prolly wouldn't understand it if it goes into the math
14:38 < realazthat> blackbox for me
14:39 < realazthat> I dunno what problems arise though; it *seems* like one could just ... do it
14:39 < realazthat> petertodd: I hope that if it is feasible, eli would start working on it as stage 3
14:39 < realazthat> I think stage 2 is supposed to be done at the end of august or something
14:39 < realazthat> or maybe that was stage 1
14:40 < realazthat> but things never get done on time :P
14:40 < realazthat> petertodd: mmm I asked eli if he could join us in IRC
14:40 < realazthat> PS. if you have time to answer more questions, I would love to chat with you and/or other people knowledgeable/interested about the project on IRC. Several interested people hang out on the freenode network in #bitcoin-dev and #bitcoin-wizards.
14:40 < realazthat> eli: I would be happy to hang out some time with some of my collaborators, how does this work?
14:41 < realazthat> but it seems like he wants a one-time thing
14:41 < realazthat> so I am thinking what the best medium for that is
14:41 < realazthat> #bitcoin-dev Q&A time?
14:41 < realazthat> forums?
14:41 < realazthat> ML?
14:41 < realazthat> I am not really involved in the community
14:41 < realazthat> so I don't know ..
14:43 < realazthat> I guess I could mail him asking him to sign up on the ML and introduce himself
14:43 < realazthat> and point him to the channels in the meantime
14:43 < realazthat> and tell him I'd get back to him about a possible set time
14:43 < realazthat> for a Q&A
14:44 < realazthat> if someone is active on the forums, maybe we can collect questions
14:44 < realazthat> or have a question thread
14:44 < realazthat> dunno if they do this type of thing on the forums
14:47 < realazthat> mmm should I point the webchat client to #bitcoin-dev or #bitcoin-wizards
14:49 < gmaxwell> there is a webchat on the bitcoin.org site that points to bitcoin-dev.
14:56 < realazthat> sent
15:19 < petertodd> realazthat: cool
15:24 < petertodd> Thinking about incentives re: proof-of-sacrifice (PoS) blockchains. Seems to me that the incentive for others to extend your view of history is good enough that people will both keep copies of the chain data, as well as calculate accurate k:v set (UTXO equiv) proofs.
15:25 < petertodd> It doesn't quite feel right though... Making a proof-of-sacrifice block is something you only do occasionally - there isn't any capital involved basically.
15:26  * Luke-Jr suggests PoX for proof-of-sacrifice :P
15:26 < Luke-Jr> as in x.x
15:26 < petertodd> Lol, alright, agreed.
15:27 < petertodd> The other nasty issue is that it's really hard to figure out good incentives not to just spam blocks. You can try to make your sacrifice worth less if it's associated with more data, but that leads to nasty edge cases like a big sacrifice for no data at all.
15:30 < petertodd> On the other hand, I'd argue it's a lot more stable than namecoin, which at any point in time could die due to lack of interest, especially given the huge speculation that its currency has attracted.
15:32 < petertodd> Having said that, re: data size one nice thing you can do is for the DHT layer or whatever with the actual data the people volunteering their bandwidth have an easy way to filter spam by looking at sacrifice size.
15:33 < petertodd> (remember that PoX is for determining *what* is the valid value for a given key, it doesn't actually have to be associated with storing that value)
15:34 < realazthat> hmmm
15:34 < realazthat> how would namecoin die
15:34 < realazthat> (side interest)
15:34 < realazthat> does it not have merged mining?
15:35 < petertodd> pools turning off merge mining, and someone being an asshole. Running namecoind isn't free.
15:35 < petertodd> Eligius turned off namecoin merge mining a few months back for instance.
15:35 < realazthat> mm
15:36 < realazthat> I was thinking of what merged mining would mean for my SCIP PoW chain idea
15:36 < realazthat> ie. how to take advantage of merged mining
15:36 < realazthat> or,
15:37 < realazthat> how to merge mine in between two such chains
15:37 < realazthat> I have some ideas ...
15:37 < petertodd> Why would SCIP PoW with merge mining be special anyway?
15:38 < realazthat> well
15:39 < realazthat> by SCIP PoW, I mean that mining itself is any useful/non-useful program that the blockchain would run, and use SCIP to prove that the miners are actually doing the work
15:39 < realazthat> so essentially, miners doing something other than hashing
15:40 < realazthat> thus, you can't use hash-mining from bitcoin chain to this chain
15:40 < realazthat> it is simply not the same
15:40 < petertodd> right, and see, that's the thing, because it's not probabilistic a dead simple rule for the merge-mined chain is just "see this merkle path? notice how it leads to a valid PoW in the master chain?" problem solved
15:41 < realazthat> yeah
15:41 < realazthat> so my idea is to work the other way around
15:41 < realazthat> there are two ways to win the lottery
15:42 < petertodd> oh, mind, yeah, mining does need to stay probabilistic...
15:42 < realazthat> 1. you do the work from this chain, and have chance(s) to win
15:42 < realazthat> 2. or you can win in the traditional way
22:19 < brisque> oh, coinbase have changed their responsible disclosure policy. it's now minimum $1000 rather than 5BTC. guess they got bitten by the exchange rate.
22:19 < gmaxwell> (it was at a time when mtgox was having problems, and I transferred from mtgox to coinbase, .. and mtgox made a conflicting doublespend... so not only did I withdraw unconfirmed coins, I did so at a time when .. if things confirmed in a different order it would have ripped them off)
22:19 < gmaxwell> ... to the tune of something like $30,000.
22:19 < gmaxwell> (I wasn't aware of the second mtgox payment... lol.. or I wouldn't have done something so potentially confusable as an attempt at theft!)
22:20 < brisque> either way, lucky you found it rather than somebody who would have exploited it.
22:20 < gmaxwell> in any case, if you look around you can find horrifying stories about almost every bitcoin service.
22:21 < gmaxwell> brisque: Well, maybe that's what the VC money is for: to cover hemorrhaging money from failures like that. :P
22:21 < gmaxwell> BTC-e has had some really severe money loss events and somehow keeps on trucking.
22:22 < brisque> fractional reserve?
22:22 < gmaxwell> maybe!
22:22 < gmaxwell> e.g. someone figured out how to impersonate the liberty reserve deposit callback and then gave themselves infinite btc-e USD.
22:22 < gmaxwell> and then bought up and withdrew all coins that appeared in the btc-e hotwallet.
22:22 < gmaxwell> ... for something like 12 hours.
22:23 < gmaxwell> btc-e price per bitcoin went to >$100 (when btc had been at like $10 or something) and so lots of idiots deposited more coin.
22:24 < brisque> you'd think a service like that would have some sort of checks and balances that sees someone with unlikely situations and freezes the site until it can be verified. better that than losing out.
22:24 < gmaxwell> mtgox now does some of that, though I think probably not enough.
22:25 < gmaxwell> at least these things should freeze deposits and withdrawals... anything purely internal can at least be made right later.
22:25 < gmaxwell> But I suspect that the pretty good incomes from running the sites coupled with fractional reserve can make up for a lot of mistakes.
22:26 < brisque> until there's a bank run, and then they're completely high and dry
22:27 < gmaxwell> Failure is always an option.
22:28 < gmaxwell> I'm not aware of a _single_ major bitcoin business operator who has faced _civil_, much less criminal, charges for their default.
22:28 < pigeons> i guess calling trendon shavers/pirate@40 a business operator would be a stretch
22:29 < phantomcircuit> gmaxwell, er
22:29  * phantomcircuit raises hand
22:29 < gmaxwell> okay, fair, I'd even include that since a lot of people did think it was real. (::facepalm::)  has he actually suffered any consequences for it?
22:30 < pigeons> he got a default judgement by the sec cause he stopped responding to the court
22:30 < phantomcircuit> oh charges
22:30 < phantomcircuit> didn't see that
22:30 < gmaxwell> phantomcircuit: well I'm not counting bitcoinica because the actual owner and responsible party dropped the bag of shit in someone else's lap!
22:30 < pigeons> and now the fbi is finishing their investigation
22:30 < phantomcircuit> gmaxwell, charges usually refers to government action also
22:30 < phantomcircuit> gov can take civil action which i believe is what they did against shavers
22:31 < phantomcircuit> or however the fuck you spell his name
22:31 < pigeons> these are the shavers docs. http://ia800904.us.archive.org/35/items/gov.uscourts.txed.146063/
22:31 < gmaxwell> thats what they did against him, yea.
22:31 < pigeons> yes and i hear criminal is coming soon against shavers
22:31 < brisque> the point being that even under the most abstract failure, most sites simply disappear when something goes wrong.
22:31 < phantomcircuit> so looks like hashfast isn't going to delivery
22:31 < phantomcircuit> deliver*
22:31 < gmaxwell> phantomcircuit: nope, they're not.
22:31 < pigeons> not only do they disappear, they reopen using the same identity
22:32 < gmaxwell> They've also announced that they aren't planning to honor their original commitments to refunds.
22:32 < pigeons> coinjar.io
22:32 < brisque> I enjoyed the inputs.io thread particularly. by the looks of things all the "security" advertised either didn't work or didn't even exist in the first place.
22:32 < phantomcircuit> i actually knew this like two weeks ago
22:32 < phantomcircuit> but i find it amusing watching people find out they're fucked
22:32 < gmaxwell> I'm trying to figure out what I'm going to do about that, as I have two orders with them, along with email correspondence confirming that their refund commitment was to refund the full amount of BTC paid.
22:32 < gmaxwell> The problem, of course, is that if I sue them they'll just bankrupt themselves defending it, and there will be nothing to recover.
22:33 < brisque> they'll end up delivering something I assume
22:33 < phantomcircuit> gmaxwell, my guess is they dont have the capital to do a full production run and were delaying hoping to get enough new orders to do the run
22:33 < phantomcircuit> they didn't hit the target and are now completely screwed
22:33 < phantomcircuit> this is of course fraud
22:34 < phantomcircuit> gmaxwell, it's likely criminal
22:34 < phantomcircuit> but i doubt it's worth anybody's time to pursue
22:34 < brisque> is a poor lack of judgement criminal?
22:34 < gmaxwell> brisque: yea, but at this point it's so late that anything they deliver will be a massive loss. To entice batch 1 customers they initially claimed target shipment on Oct 20th, and a full refund of the BTC amount paid if they don't make dec 31st.
22:34 < gmaxwell> brisque: It's become pretty hard to believe that they ever thought they could deliver on what they promised.
22:35 < phantomcircuit> gmaxwell, fun fact hashfast was trying to sell chips in bulk recently
22:35 < phantomcircuit> possibly they have the chips but they dont work
22:35 < phantomcircuit> or they cant put them on boards
22:35 < phantomcircuit> or they cant get components
22:35 < phantomcircuit> or ???
22:35 < gmaxwell> they have some demo videos now actually showing a test unit hashing,
22:35 < brisque> gmaxwell: from what I've read it looks like they underestimated the complexity, underestimated the power draw (needing new power supplies), and burnt all their funds trying to rectify it all.
22:35 < gmaxwell> and I believe that its real (esp since one of the people in #eligius went to visit them and saw it)
22:36 < gmaxwell> brisque: nah, their power was on target (you might have been duped by someone's joke post... which was sadly a little too believable)
22:36 < gmaxwell> this is the epic timeline post: https://bitcointalk.org/index.php?topic=391251.0
22:37 < brisque> gmaxwell: I wasn't duped by that post, there's a hashfast comment that they needed to order new PCB designs of a new revision.
22:37 < gmaxwell> brisque: oh that, yea, I assumed it was just a design error.
22:37 < phantomcircuit> gmaxwell, they might have the chips
22:37 < phantomcircuit> which i assume they could sell
22:37 < phantomcircuit> so possibly bankruptcy would actually be useful
22:38 < phantomcircuit> but there is no way they can actually refund people in btc
22:38 < Luke-Jr> phantomcircuit: yes there is
22:38 < brisque> hashfast's design is useless anyway. it's cheaper to just buy other designs at this point.
22:38 < phantomcircuit> Luke-Jr, if they kept the btc?
22:38 < Luke-Jr> phantomcircuit: exactly
22:38 < gmaxwell> phantomcircuit: it actually appears that they did though its hard to be sure.
22:39 < brisque> Luke-Jr: isn't there a comment about them using Bitpay, which would go to USD instantly?
22:39 < gmaxwell> brisque: they took both direct payments and bitpay, and bitpay lets the merchant choose.
22:39 < Luke-Jr> brisque: BitPay offers that *option*, but it isn't required
22:39 < phantomcircuit> gmaxwell, huh interesting
22:39 < brisque> Luke-Jr: I wasn't aware of that, interesting
22:40 < gmaxwell> the other fucked up thing is that they're claiming that you have only 15 days to request a refund, which they'll just refund a tiny fraction of the BTC paid (and a bit less than half of what you could expect to mine if they ship early january), and if you don't elect a refund in that window you can't have one.
22:41 < gmaxwell> so it looks like an optimal (scummy) strategy for them is to just build the boxes and start mining and say fuck you to everyone who doesn't refund until march.
22:41 < gmaxwell> so you either lock in an 86% loss by refunding, or take a risk that they'll do something shitty like that.
22:41 < brisque> I suppose they messed up and they're quite afraid of the consequences. I don't blame them for acting irrationally.
22:43 < gmaxwell> brisque: yea, though part of the issue is that no one has yet proposed a conceivable explanation for their actions which doesn't involve fraud.
22:43 < gmaxwell> e.g. messing up doesn't explain why they were saying they were on time just a few days before they missed their original oct 20 target, and yet it turns out they didn't get anything from the fab until mid dec.
22:44 < gmaxwell> I guess the most charitable explanation I can come up with is the one phantomcircuit mentioned that they didn't raise enough money for the fab run until fairly late... but that still involves them lying about their schedule continually since november.
22:44 < brisque> gmaxwell: I can certainly relate to them from reading that timeline. you mess up a little and tell yourself that it will be alright, you can save face if you just pretend you don't make it clear. things crumble under them and they've just got to keep continuing on so as to not admit they lied in the first place.
22:45 < brisque> it's schoolchildren mentality, but there you go.
23:20 < warren> I trust you will just delete it when you're done? It might be one of my live keys.
23:20 < warren> sipa: where's your GPG keyid?
23:21 < sipa> bitcoin.org/pieterwuille.asc
23:21 < sipa> 1DAAC974
23:21 < sipa> wait
23:22 < sipa> i don't have my private gpg key here
23:22 < sipa> warren: would you trust scp'ing it to my vps?
23:23 < sipa> (bitcoin.sipa.be)
23:23 < warren> do you have the ssh pubkey that you gave me a few days ago?
23:23 < warren> I can put it in the same place you logged in earlier
23:23 < sipa> i have that one, yes
23:24 < warren> ok
23:24 < sipa> and yes, i promise to delete it after use
23:25 < warren> It's been years since ccache screwed up on me.
23:29 < sipa> warren: interesting, i didn't know that was permitted!
23:29 < sipa> i see why it fails
23:29 < warren> sipa: see ~/protocol.patch for the difference in address
23:29 < sipa> the private key starts with a 0x00, which is omitted
23:30 < warren> This has nothing to do with this?
23:30 < warren> -        PUBKEY_ADDRESS = 0,
23:30 < warren> +        PUBKEY_ADDRESS = 48, // Litecoin addresses start with L
23:32 < warren> but yeah, the vast majority of keys work just fine with secp256k1.  we've only found offending keys in old wallets.
23:32 < warren> sipa: are you able to tell which address is associated with that key?
23:33 < sipa> warren: i don't need to
23:33 < warren> I'm just curious.
23:33 < sipa> warren: i've just pushed a (potential) fix to secp256k1 repo
23:34 < warren> ok, i'll try it
23:34 < warren> sipa: just for my own education, I'd like to learn how to decode that dump
23:35 < sipa> http://lapo.it/asn1js/ :p
23:38 < warren> thanks
23:51 < gmaxwell> sipa: how could one of our own private keys end up starting with 0x00?!
23:51 < sipa> gmaxwell: ?
23:51 < gmaxwell> did openssl pad it?
23:51 < sipa> i mean in 32-byte notation it starts with a 0x00
23:52 < gmaxwell> oh. I see. the test was too aggressive and didn't like it when it had less than 32 significant bytes. So about a 1/256 chance of happening.
23:54 < sipa> well, my ASN.1 deserializer is quite hacky and ad-hoc
23:54 < sipa> i somehow assumed it always dumped a 32-byte octet string
23:54 < sipa> but apparently not
23:54 < sipa> indeed, 1/256 chance to fail
23:55 < gmaxwell> you mean you didn't memorize the 500 whatever pages of ASN.1 specification first?!
23:55 < sipa> i actually read the relevant section when implementing it
23:56 < sipa> but that doesn't prevent making an incorrect assumption about how openssl represents things
23:57 < warren> The offending key was in my reserve keys.
23:57 < warren> so I can just delete it
23:57 < warren> sipa: want to add it to a test case?
23:58 < gmaxwell> should just add a privkey of 2 as a test.
23:59 < sipa> warren: but does it work now?
23:59 < sipa> i didn't test the patch before pushing it :p
23:59 < warren> testing now.  I spent all that time learning how to decode and figure out which key it was.
--- Log closed Fri May 24 00:00:19 2013
--- Log opened Fri May 24 00:00:19 2013
00:00 < sipa> (also, you _did_ check that site does the decoding locally before pasting a private key in it, did you?) :p
00:00 < warren> I copied the site to an offline browser
00:01 < warren> but I ended up adding more debug code to just tell me which key it was
00:01 < sipa> hehe
00:01 < warren> the client loaded without any wallet error
00:01 < sipa> \o/
00:01 < warren> that isn't proof of 'working'.  just the error is gone
00:02 < warren> want the entire pubkey and privkey for a test case?  It was a reserve key I can just delete.
00:02 < gmaxwell> sipa: maximum privkey and minimum privkey, would probably be reasonable tests to have.
00:02 < sipa> i always like this blog post (by roconnor!), when i don't really test code before pushing :p
00:02 < sipa> http://r6.ca/blog/20120708T122219Z.html
00:02 < gmaxwell> I wonder if there is any bitcoin assigned to the minimum privkey
00:03 < sipa> you mean 1?
00:04 < warren> ok, I guess not
00:04 < gmaxwell> I wasn't sure if openssl would permit 1.
00:04 < sipa> it should
00:07 < warren> sipa: want me to release the litecoin beta with secp256k1 and see what happens? =)
00:08 < warren> release both openssl and secp256k1.  "Uh... if this faster one blows up, use the other one."
00:09 < sipa> if you don't mind being a guinea pig :)
00:09 < warren> I don't mind.  They're the guinea pigs.  I'm just the guy who likes shiny stuff.
00:10 < sipa> you understand they may come after you with pitchforks? :
00:10 < warren> what's the worse that can happen? =)
00:10 < sipa> you
00:11 < sipa> slowly dying
00:11 < sipa> after being tortured
00:12 < warren> Giant disclaimer: The secp256k1 build is probably faster.  It might do bad things and lose all your money.  We don't know.  Use at your own risk.
00:12 < warren> how else will you find other corner cases?
00:12 < sipa> have it in giant red flashing marquee scroll across the screen, and you're good :p
00:13 < sipa> i'm not really afraid of corner cases hit by regular usage
00:13 < sipa> i'm afraid of a genius hacker that finds a way to trigger edge cases
00:13 < warren> https://github.com/bitcoin/bitcoin/pull/2688  hmm, why didn't this go into rc2?
00:13 < warren> errr, rc3
00:14 < sipa> it was detected right after rc2 was tagged
00:14 < sipa> there is no rc3 yet
00:15 < warren> ok, I'll rebase onto rc2 and see if I can figure out the looping addrman thing.
00:15 < sipa> addrman has nothing to do with it
00:15 < sipa> it's just the only thing that happens to not be affected :
00:17 < warren> sipa: "genius hackr that finds a way to trigger edge cases" what parts are you worried about?  new keys generated by secp256k1?
00:18 < warren> I would imagine most cases of the client crashing are not really to worry about.
00:28 < gmaxwell> http://blockexplorer.com/address/1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh :-/
00:30 < warren> what's the issue?
00:30 < gmaxwell> thats a privkey of 0
00:33 < gmaxwell> 0.32351356 assigned to 1 but gone now,  0.13 assigned to 1 compressed and gone.  0.0000384 to 2 uncompressed but spent. just recently..
00:38 < midnightmagic> lol is it a race to spend it now?
00:40 < gmaxwell> no 0 can't be spent.
00:40 < midnightmagic> Oh. That sucks. Why not?
00:40 < midnightmagic> Because it can't be multiplied.
00:41 < midnightmagic> Nevermind.
00:41 < warren> should bitcoin have a built-in limit that warns users away from small keys?
00:46 < zooko> We can't detect all guessable keys, but we could detect 0.
00:46 < zooko> "Check for 0" is actually a prophylactic practice that some crypto engineers have long used.
00:47 < zooko> Or more generally, check for invalid...
00:47 < gmaxwell> zooko: We do do that.
00:48 < gmaxwell> it's not a valid EC point, it won't be generated. Thats just someone being a clown there.
00:49 < sipa> technicaloty: it is a valid EC point, just not valid as a public key
00:50 < sipa> a technicaloty is a like a technicality, but a lot more pedantic
00:51 < sipa> warren: i'm afraid that some of the field/group code has very unlikely overflows or other edge cases, which won't occur for random keys/messages/nonces, but perhaps do happen for constructable inputs
00:52 < sipa> warren: which would be enough to cause a chain fork in that case
00:52 < sipa> or theft
00:52 < warren> If I understand that correctly, the risk of chain fork is nil if no miners use it?
00:52 < gmaxwell> otoh sipa's code may now be more tested than some of the in production ECC code out there but as we know, consistency matters more than correctness. :)
00:53 < warren> I could rip out getwork and GBT from the secp256k1 builds =)
01:01 < sipa> warren: if everyone but miners use it, there is just as much a problem
01:41 < sipa> gmaxwell: well, there are 8 config combinations possible...
01:42 < gmaxwell> Hm?
01:42 < sipa> 4 field implementations, 2 scalar implementations
01:44 < gmaxwell> oh of your code, indeed.
03:22 < warren> sipa: http://pastebin.com/tw3RgHGj   thread apply all bt full during the shutdown looping
03:22 < warren> sipa: this is litecoin-0.8.2rc2.  Let me know if you insist on me getting this from bitcoin-0.8.2rc2, and if all the debuginfo would be needed.
03:25 < sipa> hmm nothing suspicious
03:25 < warren> crap
03:26 < warren> gmaxwell: I'm still getting the assertion failure at shutdown with gavin's patch
03:26 < warren> I'm trying a gitian build to see if both bugs are present there.
03:29 < warren> hmm, my issue seems to be a different assertion failure
03:31 < gmaxwell> _what_ assertion?
03:33 < gmaxwell> ah, you put it in the bug.
03:33 < gmaxwell> (should have put it on the patch :P )
03:34 < gmaxwell> warren: trigger it in valgrind, may get a more informative result on _which_ place its failing.
03:35 < warren> haven't used valgrind in years.  you need to run entirely within valgrind, you can't attach like gdb?
03:37 < gmaxwell> right. valgrind ./bitcoind -daemon=0  it's slow.. watch the log. ... and ... uh. you really should be familiar with it, it will save your bacon.
03:39 < warren> how do I stop it during the loop to dump the state?
04:33 < warren> gmaxwell: oh, misunderstood you.   I thought you meant valgrind for the shutdown loop forever issue.  I see you mean the assertion.
15:56 < warren> gmaxwell: the shutdown hang seems to be limited to bitcoin-qt, and only my fedora native build, not gitian
15:56 < warren> jgarzik: hey
15:57 < gmaxwell> warren: your bug says the gitian hangs too?
15:57  * jgarzik waves
15:58 < warren> argh
15:58 < warren> gmaxwell: I'm mixing up the bugs again.  just woke up.
15:58 < warren> gmaxwell: the assertion failure is fedora specific.  the hang is both.
15:58  * jgarzik waves at warren.  Thanks for the openssl attention.  Now I need several hours to debug EFI ;p
15:59 < warren> jgarzik: let me know if you want openssl for Fedora 19
16:19 < maaku_> jtimon: iirc his proposal is to have script execution paid for in fees
16:19 < jtimon> is that it is protected through fees
16:19 < jtimon> yes
16:19 < maaku_> but if the script is invalidated by running too long, then how does the miner collect the fees?
16:19 < maaku_> *transaction is invalidated by the script running too long
16:20 < jtimon>  you're paying fees as it is executed, so the execution is somehow "in-chain"
16:20 < jtimon> maybe the scripts are executed in several blocks
16:20 < jtimon> and only a max instructions per block is executed
16:20 < maaku_> then how do you reach consensus on it?
16:21 < jtimon> that was my thought at the time, but doesn't look very scalable
16:21 < maaku_> you bloat the chain with invalid transactions that steal a little bit of fees from its inputs nonetheless?
16:21 < jtimon> because everyone executes the number of transactions that can be paid or the max_per_block (if there's any)
16:22 < jtimon> as said, it doesn't look very scalable at a first glance
16:22 < gmaxwell> maaku_: they move the execution construct out of the transaction and make it free standing.
16:22 < jtimon> I guess he has solved TC by fees in a non-scalable way
16:23 < gmaxwell> e.g. you have an object that has a balance which it can use to pay for execution.
16:23 < gmaxwell> it stops executing when its balance is 0.
16:23 < gmaxwell> to create it at all requires positive fees.
16:23 < maaku_> so it's a distributed-replicated time-share system?
16:23 < gmaxwell> this isn't to say that any of it is good or makes any sense.
16:24 < gmaxwell> the fees are paying the wrong people... unless you convert mining to be a proof of agent execution. :P
16:24 < jtimon> and I hadn't even considered problems related to script-consensus
16:25 < jtimon> exactly miners will get fees, but the rest of validators will be screwed for nothing
16:25 < jtimon> is that what you're saying gmaxwell?
16:25 < gmaxwell> yes.
16:27 < jtimon> so let's go back to compressed scripts
16:28 < jtimon> you could have a list of addresses Lk
16:28 < jtimon> scriptPubKey only contains its hash
16:29 < jtimon> with a byte or a short, you can select the order in which the scripts in Lk will appear
16:30 < jtimon> the Lk is 64 bit per variable
16:31 < jtimon> then you can have a list of lists OR_list
16:32 < jtimon> each of the lists is named AND_list_n
16:33 < jtimon> and you have another byte to select n
16:33 < jtimon> scriptPubKey contains a hash of Or_list + Lk
16:34 < jtimon> the AND list just contains bytes referring to scripts in Lk
16:34 < jtimon> indexing
16:35 < jtimon> so the public keys can be presented in any order selected by order_byte
16:35 < jtimon> of the list Lk
16:36 < jtimon> to sign the AND list selected by logic_byte
16:38 < jtimon> there's plenty of redundancy to optimize here, I'm just using bytes for convenience
16:39 < jtimon> not redundancy, unused bits
16:40 < jtimon> well, I'll think more about this until I can express it in a way that can make sense or that helps me find the deficiency by myself
22:09 < jgarzik> bitcoin's scripts are "written in a programming language called Script"
22:09 < jgarzik> http://theumlaut.com/2014/01/08/bitcoin-internet-of-money/
22:10 < jgarzik> pretty good article though
22:32 < Luke-Jr> jgarzik: I'd concur with that statement.. :P
23:53 < maaku_> jgarzik: if that's the grossest error they made, i'd say that's doing pretty well :)
23:59 < phantomcircuit> lol
--- Log closed Fri Jan 10 00:00:20 2014
--- Log opened Fri Jan 10 00:00:20 2014
00:02 < Luke-Jr> maaku_: what error?
00:03 < Luke-Jr> that statement quoted is essentially correct
00:04 < maaku_> which is why i said it's pretty minor
00:04 < maaku_> more like bytecode than a programming language (which implies compilation)
00:05 < maaku_> and i don't know anyone who calls it Script with a capital S
00:05 < Luke-Jr> meh, we have an assembly-like form :P
00:05 < Luke-Jr> maaku_: it's not that uncommon
00:13 < justanotheruser> What do you guys recommend as a proof of sacrifice? Hashcash is more anonymous, but it doesn't work well (someone with a powerful hashing machine/GPU could make a ton of messages) and OP_RETURN associates the sacrifice with you to some extent and removes anonymity. Is there any way I can get the best of both worlds?
00:16 < gmaxwell> justanotheruser: depends on the application, if you'd really be willing to use hashcash, perhaps mine.
00:18 < justanotheruser> gmaxwell: perhaps mine? What do you mean by that. I wouldn't want to use hashcash if it allowed people with special hardware to spam the network with as much electricity spent as a regular CPU user.
00:18 < justanotheruser> Application is bitmessage fork that isn't vulnerable to the problem I just described
00:20 < gmaxwell> justanotheruser: zero knowledge proof of a bitcoin sacrifice using pinocchio.
00:21 < justanotheruser> gmaxwell: is that bleeding edge crypto?
00:22 < gmaxwell> yea? so. and a flooding messaging system isn't?  the harm of someone breaking it is they can flood your system, whoopiedo.
00:23 < justanotheruser> gmaxwell: I was just curious if there were any other applications in use, or if it was just knowledge from research papers
00:23 < gmaxwell> justanotheruser: I suggested pinocchio because you can go download an implementation.
00:25 < justanotheruser> gmaxwell: where would I find this? Every top google result is research papers and news
00:26 < gmaxwell> https://vc.codeplex.com/
00:26 < justanotheruser> gmaxwell: thanks a lot
00:26 < gmaxwell> They've annoyingly ripped out the pairing library, so one will need to be patched back in.
00:27 < gmaxwell> justanotheruser: in any case, I think bitmessage pow would be a great application for this.
00:30 < justanotheruser> gmaxwell: of course your anonymity is limited to the recent proof of burns
00:30 < justanotheruser> right?
00:32 < gmaxwell> you make a sacrifice that contains X=H(random_value) and then to send a message you prove X is in a sacrifice of value >= Z in bitcoin (by evaluating a SPV proof for the transaction), and random_value is the preimage of X, and that Q=H(random_value||date||hour), and that R=H(random_value||pubkey). And you show the network the proof and Q,R,pubkey and sign your message with the pubkey.
00:32 < gmaxwell> you basically can get a new anonymous identity from each of your sacrifices once an hour, and then send however many messages the network will let you per identity (maybe just 1)
00:33 < gmaxwell> next hour you redo the proof with a new pubkey, and you have a new anonymous identity.
00:33 < gmaxwell> and you don't have to keep redoing sacrifices.
00:34 < gmaxwell> (unless you wanted to require that)
00:34 < justanotheruser> pubkey is separate from the pubkey I used to make the PoB right?
00:35 < gmaxwell> you wouldn't even need an ecdsa pubkey in the PoB, effectively H(random_value) is a pubkey in the proof of burn.
00:35 < justanotheruser> oh
00:35 < gmaxwell> You don't want to run ecdsa inside the zkp because it's @#$@ expensive. Where running a hash inside the proof is more realistic.
00:35 < justanotheruser> what I mean by that is I use a pubkey to spend the output to OP_RETURN
00:36 < gmaxwell> yea, that's irrelevant. you'd put H(random_value) in the OP_RETURN and the only thing the proof would look at is the txout value and H(random_value).
00:36 < justanotheruser> if that is the correct terminology, not sure what else you would call spending a transaction to something that always returns false
00:37 < justanotheruser> gmaxwell: I will be able to write stuff in OP_RETURN in v.9 right?
00:37 < gmaxwell> I'd say that even better than a sacrifice would just be proving that you have possession of a bitcoin, but to do that you'd have to do an ecdsa signature inside the proof, and that would kinda suck.
00:37 < Luke-Jr> justanotheruser: no
00:38 < justanotheruser> gmaxwell: I don't see how proving you have bitcoins would help in the future when everyone might be transacting bitcoins
00:38 < justanotheruser> Luke-Jr: whenever the miners vote on it?
00:38 < Luke-Jr> justanotheruser: hopefully never
00:38 < gmaxwell> wtf. there is no "miners vote on it"
00:38 < Luke-Jr> and there will never be an interface to do it in any sane client
00:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out.
00:39 < gmaxwell> or at least cut it back to 32 bytes.
00:39 < justanotheruser> gmaxwell: I thought miners voted on whether or not they would mine a certain tx type and if a certain amount said yes it would be implemented and the miners would start mining it
00:39 < gmaxwell> justanotheruser: no.
00:39 < gmaxwell> dunno where the heck you got that idea!
00:39 < justanotheruser> gmaxwell: some other fork I remember miners including their votes in their blocks
00:40 < justanotheruser> maybe it's because that was a hardfork?
00:40 < Luke-Jr> there's no fork going on
00:40 < Luke-Jr> at all
00:40 < gmaxwell> why are you talking about forks?
00:40 < justanotheruser> gmaxwell: Well isn't OP_RETURN <data> an invalid tx?
00:40 < Luke-Jr> no
00:40 < gmaxwell> No.
00:40 < Luke-Jr> just a useless, spam tx
00:40 < justanotheruser> oh, well that's where I was getting that idea from
00:40 < gmaxwell> it's just not IsStandard
00:42 < justanotheruser> "So, with some reluctance, I recently merged Relay OP_RETURN data TxOut as standard transaction type.
00:42 < justanotheruser> So will it be standard in .9?
00:42 < Luke-Jr> hopefully not
00:43 < justanotheruser> gmaxwell: also, how is it a sacrifice to prove you possess bitcoins?
00:43 < gmaxwell> 21:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out.
00:43 < justanotheruser> gmaxwell: oh, I missed that
17:43 < sipa> TD: people would not consider key hashes to be "addresses" or things that hold a balance
17:43 < TD> i see
17:44 < TD> well, addresses became dominant for a reason ...
17:44 < sipa> pay-to-IP was obviously broken
17:45 < TD> in lots of ways
17:45 < sipa> but replacing them by static addresses was the easy way out, and i really wish it would have been replaced by a payment-protocol like system back then
17:46 < TD> it was broken because the person you were wanting to send money to would often be offline
17:46 < TD> that's the reason i remember for not using it, when i first used bitcoin 0.1
17:47 < TD> and you wouldn't know their IP anyway. it wasn't a stable identity whereas an address was
17:47 < sipa> yeah, forcing an intermediary for transactions between end-users isn't the best thing either
17:47 < TD> anyway addresses do have a balance. it's the sum of the unspent outputs with scripts that pay to that key  hash :)
17:47 < sipa> of course they do
17:48 < sipa> but thinking about it that way pretty much immediately leads to key reuse
17:48 < TD> key re-use happens for technical reasons. i don't think it's so much a conceptual issue for end users
17:48 < sipa> i think it is
17:48 < sipa> people think about it as "their address"
17:49 < sipa> rather than "some key in their wallet"
17:49 < adam3us> TD: its a complex concept that your address is authorized to move a tx out and not the balance on the address
17:49 < TD> mostly it doesn't matter
17:49 < sipa> i think it does
17:49 < TD> once the payment protocol is more widely implemented we just need a pastebin type site
17:50 < TD> and then people can have "pay.to/sipa" as their ID instead. all the site has to do is pop a payreq off a queue and serve it
17:50 < sipa> right, and it can work with deterministic wallets
17:50 < TD> minimal infra required, should be a competitive marketplace
17:50 < TD> yeah
17:50 < sipa> that's still forcing an intermediary, but indeed, i think it's a nice solution
17:50 < sipa> it's still simple enough to run your own if you want to
17:51 < sipa> the only question is to what extent the payment protocol will take off, now that people are already trained to think of base58 strings as wallets :)
17:51 < adam3us> sipa: it would be nicer if the sender randomized the recipient's address, and encrypted the randomization factor for their public key, as you could do that even from a static web site, email, newspaper qr
17:51 < sipa> adam3us: yup
17:51 < adam3us> sipa: however it's more costly to scan for
17:52 < sipa> it means you need to be told about incoming payments
17:52 < sipa> and imho, that's a good thing, but very different from how things work now
17:52 < adam3us> removes need for chaincode, counter, address pool
17:52 < sipa> it's still a privacy problem: everyone can see your transactions
17:53 < adam3us> maybe there's a way to do a bloom filter on it
17:53 < adam3us> sipa: no cos its encrypted
17:53 < sipa> oh right
17:53 < TD> or the wallet app can just upload a bunch of files
17:53 < TD> simple > complicated
17:53 < adam3us> sipa: i mean a variant of bip 38 where Q'=xG+q and E(x) for recipient
17:53 < sipa> adam3us: yeah, i think ByteCode came up with something like that a long time ago
17:53 < sipa> *ByteCoin
17:53 < sipa> loi
17:54 < adam3us> sipa: yes gmaxwell mentioned that we were talking about it yday
17:54 < gmaxwell> 13:22 < gmaxwell> I know, bytecoin proposed exactly that a long time ago.
17:54 < gmaxwell> 13:28 < gmaxwell> adam3us: also, your scheme requires the receiver have an online decryption key to identify their own transactions. (so did bytecoin's)
17:54 < adam3us> the missing thing is an efficient privacy preserving way to ask a full node to give you transactions
17:54 < gmaxwell> 13:29 < gmaxwell> Bytecoin's suggestion IIRC was that you include an extra random public key in your transaction. And then the key you payto is ECDH between the receiver's private and your public, plus his public. This also gave you a nice identity for the sender of the transaction (the public key)
17:54 < gmaxwell> 13:32 < adam3us> gmaxwell: yes bytecoin's seems similar and similar side effects.
17:55 < adam3us> (right, thanks for putting that backlog in for context!)
17:56 < adam3us> TD: well having to upload etc is complicated, if the crypto could be made to behave it could be very simple, and more convenient at user level & integrator level (no chain code, address pool, counter state to track etc)
17:56 < gmaxwell> (mostly I just continue to be amused by the apparent IRC substitutability of Sipa and I.)
17:56 < adam3us> the missing thing is an efficient privacy preserving way to ask a full node to give you transactions
17:57 < TD> uploading is simple. you already have to calculate a big pile of keys for lookahead with deterministic wallets. uploading to some pastebin service is like, 100 lines of code
17:57 < TD> it's a for loop
17:57 < TD> i mean i love fancy crypto but sometimes, it might be overkill
17:57 < adam3us> sure, but my newspaper article cant do that
17:57 < adam3us> or the qr code in the shop window etc
17:57 < TD> your newspaper article says, visit,    pay.to/adam3us
17:57 < TD> ditto for the qrcode
17:58 < sipa> i think it's nice to have a mechanism that forces you to tell someone about the transaction
17:58 < gmaxwell> TD: and I am pay.to and I haz all the coins. :P
17:58 < sipa> as it means you can attach metadata to the transaction
17:58 < adam3us> TD: hmm boring ;)
17:58 < adam3us> sipa: it would be good to be able to send things to peers p2p
17:58 < adam3us> without full broadcast
17:59 < adam3us> sipa: maybe that couldve been the next step with auth
17:59 < sipa> you're reinventing pay-to-IP :D
17:59 < adam3us> sipa: yes but store and forward i mean with some redundancy, but not full; p2p email delivery
18:01 < adam3us> so can't one attach some bloom bait to the outside of the encrypted/randomized addr to tag it up so you can ask an untrusted full node to give you your not directly linkable encrypted payment?
18:01 < midnightmagic> Sounds like Tor.
18:01 < adam3us> midnightmagic: no just to get a msg if the payer and the recipient are not online simultaneously
18:02 < midnightmagic> Hrm. Freenet then?
18:02 < gmaxwell> adam3us: in any case, another downside of the addition scheme is that it's ecdsa centric. It doesn't work so well if your preferred payment script doesn't fit in a very narrow box, which is unfortunate.
18:02 < midnightmagic> I2PBote is an interesting anonymous mail mechanism in i2p-land.
18:03 < adam3us> midnightmagic: though bitcoin could do with some minimal tor like multi-hop tunneled link encryption - it can be dangerous to accept big bitcoins to geolocatable ip, people are logging ips looking out for this stuff
18:04 < adam3us> gmaxwell: yes it's quite DL centric
18:04 < adam3us> gmaxwell: and actually you need the public key, which you do not currently have, just H(Q)
18:05 < midnightmagic> adam3us: I've taken to sendraw'ing all my txn through a tor-only node. b.i is blocked from my nodes, but dark many-connect siblings obviously aren't.
18:05 < gmaxwell> adam3us: yes, it requires another kind of address. but it would anyways, to indicate willingness.
18:05 < gmaxwell> adam3us: and perhaps key lifetime (do not use after x)
18:05 < gmaxwell> midnightmagic: it would be nice to get a list of those things.
18:05 < midnightmagic> gmaxwell: I agree!
18:06 < gmaxwell> midnightmagic: I've moved away from having ipv4 listeners or I'd offer to correlate with you.
18:06 < adam3us> midnightmagic: that was what i was referring to the dark-many connectors
18:06 < midnightmagic> hrm. IPv6 listeners. I'd forgotten about that as an option.
18:07 < gmaxwell> midnightmagic: my nodes are all either onion only or v4 outbound only + onion now.
18:08 < gmaxwell> I guess I need to fix that... annoying, I don't have stable v4 connectivity except at home and really don't want a public node running on that address.
18:08 < adam3us> oh BlueMatt mentioned that TD and/or gmaxwell had discussed a possibility for a multi-user extended variant of microtransaction channels
18:08 < adam3us> TD, gmaxwell: do tell - i thought that a potentially useful construct towards offchain
18:10 < TD> just making it work for the two party case is complicated enough, really
18:11 < gmaxwell> adam3us: there was a response on these lines in the coinswap thread. Coinswap and the micropayment stuff are highly related protocols.
18:11 < adam3us> gmaxwell: yes that occurred to me also (that they seem very related)
18:12 < adam3us> ok so you or someone commented on this topic on that thread... i'll look
18:13 < gmaxwell> In general once you go beyond two parties in one of these interlocked protocols it becomes really tricky to implement, just from a pure software engineering perspective.
18:14 < adam3us> (still very irritated by the wanton destructiveness of the forbes article "coin validation" company - sabotaging the hard won bitcoin fungibility which is a large and core part of its value)
18:18 < gmaxwell> adam3us: so, I did have another idea related to the bloombait.
18:19 < gmaxwell> adam3us: you make the bloombait small. So that when your lite client fetches a block it can just get a map of bait to index for all transactions with acceptable cost.
18:21 < adam3us> gmaxwell: yes that makes sense
18:22 < gmaxwell> adam3us: then you define an error correcting code that every node can code the block with, this logically expands the blocks. Now your client knows which indexes it needs for its transactions, and it can query N unrelated nodes for fractions of the block to retrieve the txn it's interested in. With appropriate scheme the servers learn nothing about which transactions you're fetching if non-colluding.
18:22 < gmaxwell> (I guess thats "information theoretic private information retrieval")
13:15 < petertodd> jtimon: that's a market with very little depth to it
13:16 < jtimon> that depends on the issuers, aaa and bbb
13:16 < petertodd> jtimon: if the issuers are big, then you've got something that looks suspiciously like standard systems and the cancellation advantages of ripple don't apply, if the issuers are small, then you've got the network effect problems and it doesn't work
13:17 < jtimon> maaku why a miner should accept seq = 5 over seq = 3 if seq = 3 has a higher fee ?
13:17 < petertodd> jtimon: because TD and Gavin asked nicely
13:18 < jtimon> petertodd: if I'm the issuer of both aaa and bbb I can make that volume infinite no matter how small I am
13:18 < petertodd> jtimon: if you issued both, then there weren't two separate things
13:18 < jtimon> "jtimon: because TD and Gavin asked nicely" what did they ask?
13:19 < petertodd> the difference between aaaBTC and bbbBTC is that the issuer is different, and thus the default risk is different
13:19 < petertodd> jtimon: to not do "selfish" replace-by-fee of course
13:19 < maaku> jtimon: what if they have the same fee?
13:19 < jtimon> whatever system you had in mind to make "1 aaaBTC == 1 bbbBTC", it can be simulated with a market
13:19 < maaku> agreed that nseq is dangerous, but just pointing out the (only) application I know of which nseq handles but nothing else does
13:20 < petertodd> maaku: then you want to accept whatever has the lowest orphan risk, which is whatever you think everyone else accepted, modulo the fact that accepting updates uses precious bandwidth so why encourage that?
13:20 < jtimon> killerstorm said you can do that use case with multisig
13:20 < maaku> petertodd: true. then is there any other valid use for nseq?
13:20 < maaku> (still catching up to scrollback)
13:20 < petertodd> maaku: to fork alt implementations :P
13:21 < petertodd> maaku: nSeq is also the *only* user-settable field in a txin that is signed by the signature - an unfortunate limitation
13:21 < petertodd> maaku: useful for colored coins, as an example, as nSeq can be the mapping of colored input to output
13:21 < jtimon> killerstorm wants to use the unused nseq to put CC metadata instead of using OP
13:21 < jtimon> OP_RETURN
13:22 < petertodd> jtimon: yeah, I suggested that to him
13:22 < jtimon> but some people are telling them that the field will be re-enabled later
13:22 < jtimon> petertodd: yes, he said so in bitcoinX
13:22 < petertodd> so what? using it that way is compatible with transaction replacement in fact
13:23 < jtimon> he came here to ask about that
13:23 < jtimon> arguing against the security and the use case of nseq
13:23 < petertodd> well, just think about it: if nLockTime=0 and nSeq != max, the tx is final and nSeq irrelevant
13:23 < jtimon> so I concluded we could just remove it in freimarkets
13:23 < petertodd> (to the replacement code)
13:24 < jtimon> I see, so there's no contra at all for using them for CCs
13:25 < petertodd> yup
13:25 < adam3us> jtimon, petertodd: are we all done with the sales/system competition-level arguments about freimarket/real-ripple/ripple.com/banking system? so many more interesting things to talk about... ;)
13:26 < petertodd> the real risk is nSeq will be defined to be something else entirely, and there's some possibilities there, but worst comes to worst you can just upgrade the CC software in a "hard-fork" - not a big deal
13:26 < petertodd> adam3us: lol, distracting me from stealth addresses as it is
13:27 < adam3us> here's one for you... how do you bootstrap mergemine security in a side chain (or an alt in general). find miners to merge mine as a favor before there is fee incentive?
13:28 < adam3us> petertodd: some stealth discussion on bitcoin-dev.. also did u see gmaxwell idea for a better fuzzy bloom-bait/prefix?
13:29 < jtimon> still, I see no reason to keep them in FM
13:29 < jtimon> adam3us I don't think we were advancing much
13:29 < petertodd> adam3us: remind me again?
13:29 < adam3us> petertodd: he posted it also on bitcoin-dev
13:29 < petertodd> jtimon: it's 4 bytes per txin, meh
13:29 < petertodd> adam3us: one sec
13:31 < jtimon> adam3us: our approach to MM start without it until we have our own miners, then hardfork for MM and convince Luke-Jr to MM it
13:31 < jtimon> I think we could do it already, but maybe we won't be able to hardfork once again for freimarkets then
13:31 < jtimon> petertodd 4 bytes we won't use. we're hardforking, why not?
13:34 < jtimon> well, when we start MM I think we will approach all big pools
13:34 < petertodd> adam3us: Gregory's idea doesn't scale as well
13:35 < petertodd> adam3us: the big advantage of the prefix thing is it's trivially compatible with sharding ideas and so on - note how I talked about putting the ephm pubkey in the txout too
13:35 < adam3us> petertodd: nearly. it's also indexable just more indexes, and it allows some parameterizable fuzziness. but it also has stat analysis problems nearly as bad as bare prefix
13:35 < petertodd> adam3us: to be efficient, you're going to need 16 lookup table versions for instance
13:36 < petertodd> adam3us: exactly, and at the same time, how bad is the analysis problem anyway? it's *not* an issue for coinjoin the way people seem to think it is, given the version where the bait goes in the txout
13:36 < adam3us> petertodd: yes it's not cost free, but it's still indexable and the privacy is slightly less bad.
13:36 < petertodd> jtimon: just make sure that a signature can sign stuff in the scriptSig then
13:36 < petertodd> jtimon: there really needs to be a mechanism to do that
13:37 < petertodd> adam3us: meh, that's not exciting me very much - highly unlikely that version of it will wind up being made into miner committed indexes for instance
13:37 < jtimon> petertodd I don't understand, why is nseq necessary for the signature?
13:38 < petertodd> jtimon: the point of it in the CC example is that you want to sign something in the txin itself because you have some additional data that needs to be signed, but that data isn't known until the tx is created
13:38 < adam3us> petertodd: for example with 1 byte prefix, it cuts your anon-set by 256x. mix in a bit of time correlation, change glomming on input, and any non-trivial use of reusable addr and it's a lot worse i think
13:38 < petertodd> jtimon: the OP_RETURN txout solution to that is worse, because it doesn't play well with coinjoin
13:39 < petertodd> adam3us: remember that prefixes are denominated in bits...
13:39 < maaku_> petertodd: we support colored coins explicitly. is there some other reason you'd need data attached to the txin?
13:39 < petertodd> maaku_: upgrading CHECKSIG in a soft-fork is an excellent example
13:39 < maaku_> can you explain?
13:40 < adam3us> petertodd: either bits is enuf to create an anon-set problem, or bits is so small that it doesnt scale
13:40 < petertodd> adam3us: what makes you think it doesn't scale? I mean, shit, without prefixes the idea works reasonably well with 1MB blocks - there isn't that much data to manage
13:41 < petertodd> maaku_: suppose I want to add a signature over the fees paid to CHECKSIG, if I could just make a merkle tree of the txin values, and put that merkle root in the scriptSig, then I could soft-fork that feature in by defining SIGHHASH_CHECKFEE_MERKLE_ROOT
13:41 < petertodd> maaku_: I can't do that right now because any additional data in the scriptSig is unsigned
13:42 < petertodd> adam3us: fundamentally the problem is what's the chance of all these extra indexes getting adopted? I'd say nero-zero
13:42 < adam3us> petertodd: i mean doesnt scale to non-full-nodes
13:42 < petertodd> adam3us: near-zero
13:43 < petertodd> adam3us: no, it's just a bandwidth trade-off, a desktop SPV client isn't gonna care about downloading even all blocks frankly, and 1/8th (say) gets to be more and more reasonable
13:43 < adam3us> petertodd: well if u wanna take the 'we cant change shit' stance i guess we have to take solutions that cause big privacy problems because of that. hmm.
13:44 < jtimon> petertodd I don't understand the use case, probably it can be made without a new op
13:44 < adam3us> petertodd: your smart phone might care
13:44 < petertodd> adam3us: well hey, this is a much smaller privacy problem then what we have right now
13:44 < adam3us> petertodd: i disagree, it's a worse privacy problem. that's my point.
13:44 < petertodd> jtimon: think about it more, it can't
13:45 < petertodd> adam3us: reality is people are going to connect to untrusted SPV nodes, and it's *very* likely that attackers will start (or already do) run them for data collection
13:45 < adam3us> petertodd: gmaxwell went over this yday and i wrote about it in detail in one of my bitcoin-dev posts.  the privacy issues
13:45 < petertodd> adam3us: additionally we *need* to solve SPV scalability, and prefix indexes are a big part of that (electrum works that way for a reason)
13:45 < adam3us> petertodd: yes. but. as gmaxwell said that's different to putting the privacy leak in the indelible global record
13:46 < petertodd> adam3us: well for instance his analysis re: coinjoin is just wrong
13:46 < adam3us> petertodd: yeah but lets at least try do it in a privacy preserving way eh.  we can scale things also by doing other scary things.
13:47 < petertodd> adam3us: that's what I'm trying to do you know...
13:47 < adam3us> petertodd: i think my analysis on bitcoin-dev about the anon-set overlaid on network analysis is correct.
13:48 < petertodd> adam3us: my point is, remember what he said about it reducing the anonymity set in CJ? that's just wrong - it doesn't help you distinguish change and non-change for instance
13:48 < adam3us> petertodd: ok fair enuf. i am just saying, it's worse, not better; depending on your threat model, and i think targeted attack is less dangerous than after the fact global analysis attack
15:42 < petertodd> unless you can some PoX-style DAG structure
15:42 < petertodd> ah, that's just dual PoW functions basically
15:43 < realazthat> yep
15:43 < realazthat> I didn't understand what you were just saying now though
15:44 < realazthat> what is PoX
15:44 < petertodd> proof-of-sacrifice directed-acyclic-graph - point being because it's a graph the mining function *doesn't* need to be probabilistic provided you have a way of merging nodes together
15:44 < petertodd> with a key-value consensus system merging is easy
15:46 < realazthat> mmm
15:46 < realazthat> I have yet to fully understand PoS hehe
15:47 < petertodd> It's really pretty simple, you throw away some Bitcoins in a way that's provable, like spending to an unspendable output.
15:47 < realazthat> right
15:48 < petertodd> Because you are doing something that's costly, you can use it to come to global consensus, exactly like Bitcoin.
15:48 < realazthat> and that gives you a chance to win
15:48 < realazthat> yeah I grasped that
15:48 < realazthat> but I don't see how such a thing ... can begin
15:48 < petertodd> No, there's no chance involved, at least in the key-value maps I'm thinking about.
15:48 < petertodd> Remember we're not talking about coins here, more like a namecoin-type system.
15:49 < realazthat> I am not 100% familiar with the structure of nmc
15:49 < realazthat> I wrote my own bitcoin blockchain parser to learn bitcoin lol
15:49 < petertodd> Namecoin is basically Bitcoin, except with a rule where you can do specially marked transactions that are considered to be associated keys with values, in the case of namecoin, DNS settings.
15:50 < petertodd> (although namecoin can do more than just DNS)
15:50 < realazthat> right, thats what I figured
15:50 < realazthat> and there are rules for what is allowed etc.
15:50 < realazthat> ie. you can't reserve someone else's name
15:50 < realazthat> domain transfer rules etc.
15:51 < petertodd> Yup. I'm saying, ditch the mining and currency part, and do key-value consensus purely by what version of history has the biggest total sacrifice associated with it.
15:51 < realazthat> so who actually mints a block
15:52 < petertodd> A "block" is just one or more key:value settings, potentially just one.
15:52 < petertodd> Specifically Hash(key):Hash(value) probably makes sense.
15:53 < petertodd> And you probably want some rules where once a k:v is set initially, it's associated with a pubkey(s) that must sign for subsequent settings. (like namecoin does)
15:53 < realazthat> ok isn't that a TX
15:53 < realazthat> a block is a bunch of TXs
15:54 < petertodd> Exactly, there's no TX's because there's no currency.
15:54 < realazthat> ok
15:54 < realazthat> so I am just struggling to compare it to bitcoin
15:55 < realazthat> in bitcoin there is a centralization for each block minted
15:55 < realazthat> are you saying there is none here?
15:56 < petertodd> Yeah, anyone with some Bitcoins to sacrifice can trivially make a block in this system.
15:57 < petertodd> Each block includes one or two pointers to previous blocks that they consider canonical history.
15:57 < realazthat> wow
15:57 < realazthat> but thats a lot of different conflicting chains
15:57 < realazthat> oh so you combine it somehow?
15:58 < petertodd> Yeah, just merge them and discard conflicts.
15:59 < petertodd> And people should build on the tip of the highest sacrifice part of the graph they have validated.
15:59 < realazthat> mmm
15:59 < petertodd> The incentive is to do that too, because it makes it harder for an attacker to rewrite what you want history to be.
16:00 < realazthat> so what stops someone really rich from double spending
16:00 < realazthat> mmm
16:00 < realazthat> I guess that would just merge in
16:01 < realazthat> no wait, he can put in a conflict, then weigh his tree down
16:01 < realazthat> with a sacrafice
16:01 < realazthat> sacrifice*
16:01 < petertodd> Well of course you can be 51% attacked.
16:01 < petertodd> But that's always true.
16:01 < realazthat> why is it 51%?
16:02 < realazthat> wait
16:02 < realazthat> in order to get your key/value in,
16:02 < realazthat> you put sacrifice some coins, and store this special key/value transaction
16:02 < realazthat> mmm
16:02 < realazthat> right?
16:03 < realazthat> so if you later redo this, on another chain you own, and spend *more* coins, wouldn't this other chain weigh more?
16:03 < realazthat> ie. have more sacrifice/
16:03 < realazthat> ?
16:03 < realazthat> I know I am misunderstanding something
16:05 < petertodd> Basically whatever part of the DAG you want to rewrite, you have to spend more than the sum of the sacrifices of that part of the DAG.
16:06 < realazthat> mmm
16:06 < realazthat> I think I am beginning to understand
16:07 < realazthat> a nice illustration would help :P
16:07 < realazthat> so what is the source of new coin?
16:07 < realazthat> how does one get coin in this chain
16:08 < realazthat> or would it work tother with the main chain?
16:08 < realazthat> together*
16:08 < petertodd> Yup, it works only with Bitcoin.
16:08 < petertodd> Remember, there are no coins in this chain.
16:08 < realazthat> right ok
16:08 < realazthat> mm
16:08 < realazthat> destruction of bitcoins ... I don't like it :P
16:09 < realazthat> but i guess it's good for everyone else :D
16:09 < realazthat> mmm
16:10 < petertodd> Future stuff can send them to mining fees with a soft-fork.
16:10 < realazthat> ah yeah ok
16:10 < realazthat> or
16:10 < realazthat> oh wait
16:10 < realazthat> what is proof of stake
16:10 < realazthat> sounds like what I was about to propose
16:11 < realazthat> essentially, you give it something temporarily
16:11 < realazthat> and eventually get it back
16:13 < petertodd> yeah, key-value could be done with proof-of-stake too actually
16:13 < petertodd> but proof-of-stake has problems... first of all, usually it turns out nothing is at stake
16:15 < realazthat> howso
16:15 < petertodd> You can often mine both sides of a proof-of-stake fork.
16:16 < realazthat> oh
16:16 < realazthat> and sacrifice?
16:16 < petertodd> sacrifices can't be undone...
16:16 < realazthat> right
16:17 < realazthat> wow these things are hard to contemplate automatically like side-channels
16:17 < petertodd> ?
16:17 < realazthat> I wouldn't have thought of that difference easily
16:18 < petertodd> ah, yeah it's a big difference
--- Log closed Tue Jun 04 00:00:04 2013
--- Log opened Tue Jun 04 00:00:04 2013
17:08 < petertodd> gmaxwell: At the conference you were talking about creating a SCIP proof of the UTXO set, and how it'd take a crazy amount of EC2.
17:08 < petertodd> gmaxwell: Was that because it would create the proof in one go?
17:09 < petertodd> gmaxwell: My understanding is that you can create a proof that a proof evaluation program was run, which to me says you should be able to create these proofs on a per-block basis...
17:09 < petertodd> gmaxwell: ...leading to a UTXO set + total PoW proof that is self-checking - IE you don't need the blockchain history at all to trustit.
17:09 < petertodd> *trust it
17:11 < gmaxwell> petertodd: I think that even with the log2 decomposition what we want to do is at the upper edge of the scalability of the software so far. But since the scaling problems there are mostly on the prover side I was throwing out 'big computation can be obtained'
17:12 < petertodd> gmaxwell: log2 decomposition?
17:13 < gmaxwell> petertodd: do stepwise proofs of every block. Then do pairs of validations of validations.
17:13 < petertodd> gmaxwell: Ah, as in what you were talking about previously was exactly what I'm proposing now.
17:13 < gmaxwell> Yes.
17:14 < petertodd> Ah, and hence the ideas for using the SCIP proofs themselves as your PoW function.
17:15 < petertodd> Speaking of, I was thinking SCIP proofs would be a way you could combine multiple proof-of-sacrifices together into one short proof.
17:17 < petertodd> Another idea I had was you could combine multiple proof-of-sacrifices together into a short proof with a probabilistic proof using a commitment.
17:19 < petertodd> So you have some set of PoX proofs, created successively. Each step you get to drop one of the proofs from the set, but for the proof to be valid the one you drop must match a random nonce in the future, such as the txid of whomever spends the anyone-can-spend txout in your coinbase tx.
17:20 < petertodd> Like how non-interactive zero-knowledge proofs use one-way functions and a pre-selected nonce.
17:49 < petertodd> Ok, so this works: Let's say I make fixed sacrifices of 1BTC. Each sacrifice encodes the txids of two prior 1BTC sacrifices. I want to be able to prove 3BTC in total have been sacrificed, but I don't want to provide three transactions.
17:50 < petertodd> So instead I call the two prior ones left and right, and the rule is if the last bit of the block hash subsequent to my transaction is a 1, I have to provide the left tx proof, if it's a zero, I provide the right one.
17:51 < realazthat> eli got back to me
17:51 < petertodd> I can of course make a fake sacrifice, but because I can't control the next block hash I have an equal probability that I'll waste my sacrifice.
17:51 < petertodd> Oh yeah?
17:52 < realazthat> I asked him very politely about Q&A and joining in irc
17:52 < realazthat> i made sure to say only if he had time
17:52 < realazthat> so his response was that they're hitting a deadline this week
17:52 < realazthat> and I should contact him later next week
17:52 < petertodd> Promising!
17:53 < petertodd> Contact him in two weeks then.
17:53 < realazthat> and they're working on a website
17:53 < realazthat> so he wants it to coincide, perhaps
17:53 < realazthat> + he will release early specs of tinyram
17:53 < realazthat> so I can start working on LLVM backend
17:53 < petertodd> Oh, a website would be good. I was having a heck of a time trying to find info on SCIP earlier today.
01:15 < gmaxwell> petertodd: plus there are huge lags on mining. You'd do better to put an ecdsa public key in blocks and have miners announce announcement timestamps for the blocks they made.
01:15 < gmaxwell> I happen to like being alive and not irradiated.
01:16 < petertodd> gmaxwell: If you want to reduce the lag, just broadcast sub-target difficulties.
01:16 < Luke-Jr> lol
01:16 < petertodd> gmaxwell: Ok, how about we require bitcoin to run on computers with shittier memory then?
01:16 < gmaxwell> petertodd: I mean there is huge lag in just issuing out work to miners, scanning it, submitting results.
01:17 < petertodd> gmaxwell: That's seconds, I'm thinking tens of minutes is what matters here.
01:17 < petertodd> gmaxwell: Again, this *isn't* for timestamping data!
01:22 < Luke-Jr> gmaxwell: well, who is to say what step the timestamp is meant to be for? :P
01:23 < gmaxwell> any field is defined by its validity rule.
01:30 < petertodd> except for nonce which is defined by the easiest implementation on an ASIC...
01:32 < petertodd> between nonce, version, and timestamp you could commit to 64-bits of data directly in the blockheader, but that's ASIC incompatible
01:33 < petertodd> (efficient mining in general incompatible really)
13:43 < jgarzik> amiller, can you expand("Amiller's high hash highway stuff")
13:43 < jgarzik> ?
13:44 < amiller> jgarzik, i can try
13:45 < amiller> the scenario is, you have a large number of proof of work solutions, and you want to check that their total-work is at least W in total.
13:46 < amiller> lets say they're all at the same difficulty
13:49 < amiller> if it's inefficient to check all of them individually, then the goal is to check just a sample such that it's unlikely the sample could be made in shorter time than W.
13:51 < amiller> (i'm going slow to try not to make mistakes here)
13:53 < amiller> i'm starting to feel like i made a bunch of mistakes or at least unnecessary steps in the solution i had previously
13:53 < amiller> but the basic requirement is that you need to be able to prove that an earlier block is committed to in a previous block
13:54 < amiller> and right now the only way to do that is to traverse backwards along the chain
13:54 < amiller> but you can do this faster if you commit to a skip list (or probably even just a merkle tree to be simpler) that has pointers further back than just the previous block.
13:55 < amiller> you know how the blocklocator works right? it's supposed to make it easy to find the intersection point between two blocks, and it does so by letting you jump back an exponential number of blocks?
13:56 < amiller> basically if you commit to a structure like that in the block header then you can do a secure diff between blockchains.
13:57 < amiller> the main application of this is faster SPV bootstrapping because you can quickly/securely estimate which chain is "longer", making it harder for someone malicious to lead you on a DoS goose chase
14:04 < gmaxwell> Personally, I think reverse header fetching is better. It's not better in the asymptotic complexity case, but under the assumption that the current difficulty is only a small factor away from the sum of the far past (exponential growth), it achieves the same security with only p2p behavior changes.
14:06 < gmaxwell> (the idea there that the difficulty of the most recent blocks is enough to make creating a goose chase very expensive)
--- Log closed Thu Jul 18 00:00:59 2013
--- Log opened Thu Jul 18 00:00:59 2013
08:46 < amiller> petertodd, the thing you described could just be a memory-bound proof-of-work function
08:47 < amiller> see https://research.microsoft.com/pubs/65154/crypto03.pdf
08:48 < amiller> also the H' you described is just a digital signature but a memory-hard pow would work just as well too
10:46 < petertodd> amiller: It's more subtle than that; I want to force my peers to consume memory, not do work
10:46 < amiller> well the point is that the work requires memory
10:46 < petertodd> I don't want a POW because I don't want it to be expensive for your usual client with some spare memory to connect, only expensive to make lots of parallel connections at once.
10:46 < amiller> hm.
10:47 < amiller> in that case i think you want the Hourglass scheme from RSA
10:47 < amiller> http://www.tablusqa.com/rsalabs/presentations/hourglass.pdf
10:48 < petertodd> Nah, this has nothing to do with having data or not.
10:48 < amiller> the simplest variation is based on signatures so it's pretty much what you describe... you sign a bunch of pieces of data (that's using the trapdoor) then require them to give it back to you
10:48 < amiller> so the only way they can give it back to you is to store it
10:48 < petertodd> But that requires bandwidth to give them the data.
10:48 < petertodd> I want something that only forces my peer to keep data in ram, ideally it is data then can generate from a seed.
10:49 < amiller> so you want to give them a concise seed, and force them to fill up a lot of their memory with it, then give you a concise digest at the end somehow
10:49 < petertodd> Yes, in a sense the "trapdoor" is that it's a function that's cheap to compute, but only if you have a big table in memory.
10:51 < amiller> hm.
10:55 < amiller> so the exponential memory bound proof of work function from fabian coelho is sort of like that too.
10:55 < amiller> http://193.55.130.53/~nitaj/AFrica08Slides/kyushu-pres_Coelho.pdf
10:56 < amiller> i think normally they pick whatever they want for the leaves.
10:56 < amiller> i think there's a way for that to work
10:56 < amiller> basically you construct the leaves from a seed
10:56 < amiller> then you find the root digest, then you use the root digest to help you sample the leaves...
10:57 < amiller> but the unique challenge here is that you want to make sure there's no storage shortcuts e.g. by having identical leaves
10:57 < petertodd> sounds pretty similar to what I'm proposing, done as a NI proof
10:57 < petertodd> well, in my case the proof can be done interactively
10:58 < amiller> either way you use the merkle root as a commitment then choose interactively if you like
10:59 < amiller> so you could give them a seed but then if you only sample a couple leaves it would be hard to show they were computed correctly from the seed without checking the whole chain.
11:01 < amiller> i don't know how to solve that, hm.
11:03 < petertodd> for the SPV anti-dos you don't have to prove they've done anything, you only have to make it such that using up RAM allows the SPV client to return the correct result much faster than not doing so, and then prioritize based on that response time
11:04 < petertodd> The problem is that you'll need this table to be fairly large, because network latency is high and disks are fast.
11:08 < amiller> well you need them to fill up their memory with data
11:08 < amiller> and then query this data
11:09 < amiller> and you don't want them to be able to do computing on the fly
11:15 < amiller> so that requires putting full-entropy data in each spot
11:15 < amiller> otherwise you could cheat by compressing
11:25 < petertodd> yup
11:26 < petertodd> It's just a matter of how big is reasonable - a 100MB table makes life hard for phones for instance, yet disks are fast enough that we probably want something that size.
11:27 < petertodd> (it's also a trade-off of how often we query peers for the data, a disk can seek and grab 100MB quickly, but it can't serve 100x such requests at once)
11:28 < petertodd> 10MB isn't bad - that's 80MB of data for your standard 8 outgoing peers.
11:29 < petertodd> But it doesn't give that much protection either... 10k peers is just 10GB of ram, pretty cheap.
11:29 < petertodd> er, 1K peers
11:57 < realzies> yay guys
11:57 < realzies> SCIP
11:57 < realzies> got an email from eli ben-sasson today
11:58 < realzies> Dear Azriel,
11:58 < realzies> Some time ago you mentioned that you're interested in trying to write an LLVM backend for our TinyRAM spec. If you're still up to the task, we'll be happy to help out. I'm cc'ing the rest of the research team - Prof. Eran Tromer from Tel-Aviv U., my co-PI, Alessandro Chiesa (grad student @ MIT), Daniel Genkin (grad student @ Technion) and Madars Virza (grad student @ MIT).
11:58 < realzies> Our first paper using TinyRAM has been accepted for publication at the CRYPTO'13 conference this August. A draft is attached, and the full version will be posted in the next few weeks (we need to finish writing down some full-system performance numbers). We think this will make much more concrete our motivation in this project, and also the design choices for TinyRAM (see Section 2.1).
11:58 < realzies> Also attached is a draft of the tinyRAM spec, and the only reason it's just "0.99" is in case we get suggestions for improvements before we publish it.
11:58 < realzies> All in all, we're very close to a time where everything about TinyRAM is public and ready for open-source development.
11:59 < realzies> Are you still interested in developing a TinyRAM LLVM backend? If so, we'd love to support your effort in any way.
11:59 < realzies> Best,
11:59 < realzies> Eli
11:59 < realzies> (2 attachments)
11:59 < realzies> gmaxwell: ping
11:59 < gmaxwell> petertodd: ISTM you really want a trapdoor function that one party can compute in parallel, the other party must compute sequentially.
12:00 < gmaxwell> petertodd: then you query the sequential party for the Nth output and a bunch of 0-N. Memorization is the cheapest way to compute the answers.
12:01 < realzies> shall I upload the pdfs somewhere
12:03 < gmaxwell> realzies: tinyram looked super simple.
12:04 < realzies> exactly why I'm eager to make an LLVM backend
12:04 < realzies> it should be simple
12:05 < realzies> https://docs.google.com/file/d/0Bx3Ty2UX6yDLSnM3aU04YUFSNU0/
23:16 < petertodd> andytoshi: were they smoking pot at the same time?
23:16 < andytoshi> petertodd: haha, that's the worst part
23:16 < andytoshi> petertodd: in one case, yes, he was the guitarist of a band at the bar near the math dept
23:16 < andytoshi> he kept getting ahead of me tho, and it turned out later that he had a tech startup 30 years ago and walked away with millions to play guitar..
23:17 < andytoshi> so i think he might've secretly known it all
23:17 < petertodd> andytoshi: it's so much easier in analog electronics... oh wait, I took MIT's second year course on that... :P
23:18 < petertodd> andytoshi: damn!
23:19 < petertodd> andytoshi: you know, it's interesting how many former comp-sci/physics/math/etc students you find in art school - I met easily two dozen, including ones that had pretty substantial degrees.
23:20 < andytoshi> interesting - in math departments, almost all the really good students are musicians, and some are even art school dropouts!
23:20 < petertodd> andytoshi: oh! I never met anyone with an art background at uoft
23:21 < petertodd> andytoshi: well, there was one cute girl who had been reluctantly pushed into biology by her parents in a physics class :P
23:21 < andytoshi> petertodd: nice :P
23:21 < petertodd> andytoshi: every day she dressed like she was going to some kind of anime con
23:22 < gmaxwell> to be fair, music may be far too practical for some mathematicians I've met
23:22 < petertodd> andytoshi: although what was more sad I thought was the sheer number of med students in that class trying desperately to impress admissions to residency or whatever it is exactly :(
23:23 < andytoshi> petertodd: ugh, we had those at SFU too, it was so competitive and so sad
23:23 < andytoshi> but i like this talk of anime con girls, my gf took me to a con once and there were a lot of them there :)
23:23 < petertodd> andytoshi: did you ever take any summer classes? this was in the summer...
23:24 < andytoshi> petertodd: yeah, one summer i took a variational calc class -- and joined the physics soccer team -- i met a few med students then
23:25 < petertodd> andytoshi: heh, what's funny about it is she was in first year, and I'll bet you had she gone to ocad like she wanted she would have quit that by second year in favor of being a hipster
23:25 < petertodd> andytoshi: exactly
23:26 < andytoshi> petertodd: yeah, in general i found the students at university should not have been there
23:27 < andytoshi> they'd really drag down the classes in later years, hence my retreat to graduate classes -- fortunately i was friends with enough faculty by then that there was no trouble with that
23:27 < petertodd> ah that sucks
23:28 < andytoshi> so my feeling is that uni in general is not a great decision if you want to learn things, better to meet the right people and work with them
23:28 < petertodd> yeah, I've never had any experience with the non-art university environment
23:28 < andytoshi> e.g. #bitcoin-wizards
23:28 < petertodd> yup, which is actually pretty much how my art school went - although the flip side of that is they've got a huge failure rate
23:29 < petertodd> but what's interesting, is the post-graduation outcomes, like employment, are surprisingly good, even compared to stuff you think is a good bet like engineering and medicine
23:30 < andytoshi> yeah, i've heard that -- and the art students i've met tend to be more open-minded and intelligent-seeming than a lot of math/science folks
23:30 < andytoshi> why the failure rate tho? do people give up or is it really difficult?
23:30 < justanotheruser> petertodd: are you an art major?
23:30 < petertodd> yup, and people skills go a long, long way in our economy
23:30 < petertodd> justanotheruser: yup
23:31 < justanotheruser> petertodd: what do you do that is artistic
23:31 < petertodd> andytoshi: people find it hard to deal with the lack of structure is a part of it I think - art school has this weird existential dread to it where you know you have to keep on coming up with new art to succeed, but there's no magic solution to doing that
23:32 < petertodd> andytoshi: and you've got a very unforgiving social environment that's incredibly elitist, as it should be (though that's not necessarily typical - my school had a reputation for that)
23:32 < gmaxwell> in 1970 college enrollment was ~50% of highschool grads in the US, it's ~70% now.
23:33 < andytoshi> petertodd: that does sound scary, though i can see why the same sorts of people end up in math departments
23:33 < midnightmagic> i would be curious to know whether those include the new vocational colleges that have started calling themselves colleges..
23:33 < petertodd> gmaxwell: sounds like a bubble
23:34 < gmaxwell> midnightmagic: no.
23:34 < petertodd> andytoshi: well, to what extent are those departments like that as research becomes more of a focus?
23:35 < andytoshi> petertodd: it's directly correlated to research, the people doing plug-and-chug degrees weren't artsy at all
23:35 < petertodd> andytoshi: I mean, research can easily have that same kind of treadmill to it
23:35 < andytoshi> yeah, that's absolutely the way it seems to me
23:35 < gmaxwell> petertodd: well I believe that it was in the early 70s that the US government privatized sallie mae and made it so you couldn't discharge student loan debt in a bankruptcy.
23:35 < petertodd> andytoshi: ah, yeah, plug-and-chug has its own kind of pain I think
23:35 < petertodd> gmaxwell: good point, and they're pretty good at recovering the money, eventually...
23:36 < andytoshi> gmaxwell, petertodd: the student debt situation is a bubble i think, but i've read the first few chapters of the bell curve (1994) which has some scary stats about school enrollment and IQ stratification which suggest that high enrollment rates are not all bubble..
23:37 < gmaxwell> petertodd: they only have to recover a small portion of it if they inflate tuitions, made possible by tsunamis of money enabled by the lender favoring law...
23:37 < midnightmagic> yay flynn effect
23:38 < petertodd> midnightmagic: people who complain about "all those dumb poor people" mating with each other forget that if you're at the other end of the spectrum, having a smart partner is strongly selected for
23:38 < gmaxwell> I'm sure there are plenty of papers on largely debt based economies and the relative rates of bubbles in them.
23:39 < midnightmagic> petertodd: mm.. not so sure about that. engineers mating with engineers appears to select for autism. additionally, genetic issues with ashkenazi
23:39 < petertodd> andytoshi: well, it could be both true that the high enrollment rates are perfectly justified, and it's a bubble, not to mention that the whole industry could change rather drastically with these efficient online courses (that MIT EE class was great, and free...)
23:40 < andytoshi> midnightmagic: the bell curve talks about this, there is a real selection effect which appears to be increasing IQs amongst part of the population almost as fast as it is decreasing amongst other parts
23:40 < petertodd> midnightmagic: yeah, sounds like very strong evidence for selective mating to me...
23:40 < petertodd> midnightmagic: note that autism is a spectrum...
23:41 < andytoshi> s/almost as fast/faster, but amongst fewer people/
23:41 < midnightmagic> andytoshi: If the research I read is correct, they're destroying their own genetic viability longterm.
23:41 < andytoshi> midnightmagic: let's hope not, they're doing all the crypto research :P
23:41 < petertodd> midnightmagic: and speaking of, when I was a kid my mom had a tutoring/babysitting business that specialized in autistic kids - I ended up hanging around with a heck of a lot of them, and their parents, and it's remarkable how many were comp-sci/engineering
23:42 < andytoshi> midnightmagic: there has been a general theme amongst human development of "intelligence overriding medical problems", so personally i am not too worried about such things
23:43 < midnightmagic> mm.. fairly confident that environment nutrition and opportunity are stronger than plain genetics in success. but i'm on my ipad so i can't build a cite from my zotero library
23:43 < petertodd> andytoshi: that modern culture rejects racism so strongly also gives a chance for genes to be spread across large chunks of the population limiting the worst effects of all this stuff
23:44 < gmaxwell> midnightmagic: I've seen papers on that subject, environment/nutrition/opportunity are so correlated with the parents they're almost completely collinear, any paper that claims to control for that is basically just reporting on the outliers by definition.
23:44 < midnightmagic> (absent actual genetic problems anyway)
23:45 < gmaxwell> unless they plan on doing a controlled study, which has ethical problems.
23:45 < gmaxwell> (it's not like we have enough twins data, especially environmentally distinct twins data, to really say a ton about nature vs nurture)
23:46 < petertodd> midnightmagic: I'm pretty skeptical of anyone who tries to claim modern societies are all that bad at providing everyone with opportunities
23:46 < midnightmagic> gmaxwell: the last study i read from u of.. illinois? compared like to like re: private and public schools and came up with the remarkable conclusion that public schools on the whole educated better, while private schools benefitted significantly from the rich person advantages.
23:47 < midnightmagic> petertodd: I have a sociology department or two who would disagree with that :-)
23:47 < petertodd> midnightmagic: define "educated better"
23:47 < andytoshi> midnightmagic: right, and they're sitting comfortably in sociology departments instead of on the street, despite having no skills ;)
23:47 < petertodd> midnightmagic: and remember, I spent enough time at arts school to know sociology is often full of shit :P
09:33 < adam3us> jtimon: given the centralized pressures that exist in the world for control i think adding covenants would likely end in the loss of decentralization and effective user policy choice. ie the destruction of bitcoin as a decentralized currency.
09:35 < jtimon> maybe I'm too optimistic or I expect people to be too smart
09:35 < adam3us> jtimon: see our visacoin example, it gives a new outcome other than banning exchanges: ban non AML covenanted coins. that means u can not transfer a coin to an address that is also not AMLed. easy thereafter for governments to mandate that policy. ergo do not build the mechanism for your own demise
09:35 < jtimon> or maybe you're too pessimistic and expect people to be too stupid
09:35 < adam3us> jtimon: seemingly if bitcoin taught us anything it's that people are too stupid :)
09:35 < jtimon> and don't distinguish between visacoins and bitcoins
09:37 < jtimon> adam3us: maaku had the same concern when we were discussing freimarkets authorizers
09:37 < jtimon> my belief is that people will tend to prefer non-authorized assets when they can
09:38 < adam3us> jtimon: see there is a hypothetical bootstrap stage where bitcoin density reaches a point where it can continue without exchanges (for some p2p uses). covenants only make that worse, because each time you interact with someone who is stupid or doesn't care or needs the money in an aml form to do something, it removes free coins, let it run for a year and there will be none left.
09:38 < adam3us> jtimon: i agree, but the virality and incremental leaking effect means you have no remaining effective say in the matter.
09:38 < pigeons> yes, it's more than just the technical issue of unaware mixing of covenanted coins and unencumbered coins. As the large, "convenient" options force covenanted coins, some of their partners, customers, and suppliers do too, etc
09:38 < jtimon> and at the same time, there's local communities who want to impose strict rules for their local currencies, and authorizers were the most generic way of allowing them to do so
09:40 < jtimon> if btc are destroyed logarithmically, there will always be some of them left
09:41 < adam3us> jtimon: yes but the remaining free coins are not going up in value (much) so if there are 100btc left for those that care it's too few, and bitcoin is dead.
09:41 < jtimon> please, don't say value, say price
09:42 < jtimon> you're making a lot of assumptions
09:42 < jtimon> why would the value of btc be correlated to the value of visacoin?
09:42 < adam3us> jtimon: (ok price) overall this is one of the reasons why tinkering with expanding script language power has far reaching implications, even for the very continued meaningful existence of bitcoin with decentralized policy features, and must be approached with extreme caution.
09:42 < jtimon> if there's 1% btc and 99% visa, btc are much more scarce
09:43 < pigeons> it's similar to coinvalidate. you would think no one would want to use a whitelist, but once "everyone else" does
09:43 < pigeons> there become less options to use bitcoin and the only options are to use covenantcoin/visacoin/etc
09:43 < jtimon> why would I use whitelisted bitcoins? that's not a p2p currency
09:44 < adam3us> pigeons: right. it's as likely that the price of free coins would plummet because the people who think about technical freedom are in an economic minority
09:45 < jtimon> technical freedom is what bitcoin is about
09:45 < adam3us> jtimon: scarce as in about to become dodo i think, due to incremental virality
09:45 < jtimon> if people think that bitcoin will go higher in price after they turn into visacoins they are blind
09:46 < adam3us> jtimon: i think it is more that the economic majority neither thinks, nor cares, they just want to buy a burger, etc.
09:46 < adam3us> jtimon: so why would they care when they spend the last freecoin for a burger, so long as the visa covenant shop accepts it at parity
09:46 < pigeons> well price isnt the concern, its usability and perhaps fungibility, if network effects help increase visacoin usage as the way to go
09:47 < jtimon> please, stop using the "people are dumb" fallacy
09:47 < jtimon> because the burger costs 1 visacoin (1000 usd approx) and 1 bitcoin costs 100,000 usd, for example
09:48 < adam3us> jtimon: ok, say the bitcoin wizard guy gets very hungry, and he wants to eat the burger and he has no visa coins in his wallet. he thinks, well it's only 10mBTC. repeat virally by the velocity of money and even people who are smart and care, can end up with no free coins left after a bit
09:48 < pigeons> so i like tools that have lots of options too, but also i've seen the "people are dumb" argument supported too well in bitcoin.
09:48 < pigeons> not really dumb, just acting naturally for conditions
09:49 < jtimon> people are dumb, but if you need that fact to make a point there's something wrong with your reasoning
09:49 < pigeons> so for these matters i like if the features are supported better, but after there are more options to support the underlying p2p bitcoin and keep it viable in spite of other choices
09:49 < adam3us> jtimon: there you assume the exchange rate for freecoin/amlcoin diverges. aml exchanges and shops will accept freecoin at parity i would think (and convert them into amlcoins)
09:49 < jtimon> I'm just saying that's a fallacy, not that it is false
09:50 < pigeons> when bitcoin is more "entrenched" these outcomes are less of a concern
09:50 < jtimon> why would shops ask you for 1 btc for the burger if they can sell 0.01 btc for 1 visacoin?
09:51 < adam3us> jtimon: i think covenants just hand a viral weapon of control to policy risk points.  bitcoin has policy risk points: exchanges, regulated businesses and the market success of payment processor policy (say bitpay adopted aml coin, jgarzik resigns in protest, but it has market adoption)
09:52 < jtimon> I could even be fine with assuming most consumers and some merchants are dumb
09:52 < jtimon> but certainly not assuming that most shops and producers will be dumb: because they go bankrupt when they're dumb
09:53 < jtimon> ok
09:53 < jtimon> what could happen...
09:53 < pigeons> policy risk points are not about business savvy, they are about external force imposed by regulators
09:53 < adam3us> jtimon: ok agree, no more dunning-krugeresque smugness. lets focus on the virality issue
09:54 < jtimon> no matter the law, if your business sucks you go bankrupt
09:54 < jtimon> no matter how happy the nsa is with say, coinbase
09:54 < adam3us> pigeons: as we've seen with NSA they'll use / abuse what they can get. we thought we were secure because of CAs. in reality government can demand keys, and cooperation from CAs, do MITM and so we are not secure. i called this risk in 1992 or something. took 22 years but here we are.
09:55 < jtimon> if they keep on doing stupid things like using databases without consistency they will go bankrupt
09:55 < pigeons> there is much moral hazard about that i'm not so sure that's true
09:55 < jtimon> but CAs are centralized
09:55 < jtimon> no?
09:56 < adam3us> jtimon: not fully, there are 100s of them in dozens of countries, operated by a variety of types of organizations.
09:56 < pigeons> yes CAs are centralized, but bitcoin also has "policy risk points" as adam3us says. exchanges, mining pools, etc that have aspects of centralization
09:58 < adam3us> anyway bitcoin/altcoin focus i think covenant language extensions are dangerous and we should not introduce them.  or we should do language extension with language level provable virality/centralization resisting limits
09:58 < jtimon> I don't know, apparently I wasn't able to make my point that, bitcoins != amlcoins
09:59 < jtimon> back to your "bitpay ports to amlcoin" example
09:59 < adam3us> jtimon: i think i get what you are saying. that by imposing amlcoins, the "attacker" has created an alt-coin. you are supposing its value will float to the extent that people will not willingly exchange them or will think hard about it
09:59 < jtimon> there will still be people that have eyes to see they are different currencies
09:59 < adam3us> jtimon: however the value of the freecoin is heavily hampered by not having access to exchanges. that may de facto make its price quite close to the amlcoin floor
10:00 < jtimon> so the prices will (at first slightly) differ
10:00 < jtimon> people paying with bitcoins don't want to have their btc valued as if they were amlcoins
10:01 < jtimon> and suddenly the impossible happens: bitpay2 appears
10:01 < jtimon> wait wait
10:01 < pigeons> and there are now more things you can buy with amlcoins than with bitcoins
10:01 < adam3us> jtimon: your argument is analogous to the "attacker creates" alt in committed tx, yes i do get the argument. but i am not sure the economics work for it in this case. because the choice is severely limited, and the fungibility reduced which in turn affects the value. the outcome depends on the balance between preference for freecoin (price up) and loss of fungibility/virality (price down towards amlcoin) my guestimate is freecoins lose an
10:01 < jtimon> you're now saying that all exchanges in the world will abandon bitcoin in favor of nsacoin at the same hour?
10:02 < pigeons> and yes you lose the advantage of bitcoins, but here is where you have faith that people will see that and reject the amlcoins, but this i would bet against
10:03 < adam3us> jtimon: well it's a given that the main risk to bitcoin is regulation. exchanges already impose AML due to regulation. if we give them a way to make aml viral, i predict governments will seize and make that mandatory
10:03 < jtimon> ok, we found where we disagree
10:04 < jtimon> you think people are too dumb to distinguish between bitcoin and amlcoin and the people who understand it won't be able to explain it to the world
22:29 < amiller> i learned today about the "covert security" model which actually matches exactly what we'd like in terms of auditability
22:29 < gmaxwell> (IOW: a fucking useless model, what is wrong with these people?!)
22:30 < amiller> an adversary might change the outcome, but it will do so in a publicly-detectable way
22:30 < amiller> active*
22:31 < amiller> anyway that's beside the point i'm talking about rational analysis mainly here
22:33 < petertodd> gmaxwell: ...so we're talking security against dumb five year olds?
23:32 < amiller> there's still no way of doing a fair 50-50 bet in bitcoin
23:32 < amiller> there would be if we had even the most basic bitwise arithmetic ops
23:51 < gmaxwell> amiller: hm? you don't like iddo's protocol?
23:53 < amiller> gmaxwell, https://bitcointalk.org/index.php?topic=277048.0 this one?
23:54 < amiller> how do you take the LSB of something you can hash?
23:54 < gmaxwell> ah I thought you said "even if we had [...] arithmetic ops" misread.
23:55 < amiller> so having a bet like that is one of the things you just can't analyze in EU
23:56 < amiller> i think that's one of the reasons why simple games like that have been skipped over by cryptofolk who assume that anything that isn't EU is just irrational and not worth modeling
23:57 < amiller> but it seems appealing to me, if enough people are each willing to pay a small amount of money for a marginally-negative EV but a high variance, then they should be able to get together and do a lottery like this
23:57 < amiller> incurring only transaction costs
--- Log closed Tue Nov 12 00:00:14 2013
--- Log opened Tue Nov 12 00:00:14 2013
04:00 < adam3us> amiller_: lsb no, < n/2 mod n, yes? or is < also on small ints
04:51 < adam3us> i guess size limits would get in the way, but the lack of bigint operations in the script lang, invites people to write a sha256 in the script lang USING small ints (if there are enough small int ops or turing completeness to even do that)
06:46 < adam3us> btw i hope someone has a real-time archive of bitcointalk - didnt seem to be that reliably maintained and managed from the repeated hacks & downtime - be an actual problem if that archive was lost
06:53 < adam3us> btw about "not as described" yesterday ... the fact that bitcoins fungibility is imperfect (and improvements worked on) can not be logically used as a rationale for building non fungible p2p bearer bond
06:55 < adam3us> the 1995 era digital bearer bond had perfect fungibility because of the simplicity of chaum blinding, but limited durability as the combined issuer/transaction server housing the double spend db could (and often did) disappear, like digicash betabucks server eg
06:57 < adam3us> it seems like chris odom's OT model with receipts and multiple competing redundant but not decentralized servers, and users could collaboratively, p2p, detect servers that issue conflicting transactions (each user audits his own view, posts conflict to other users) -and react by switching to another server
06:59 < adam3us> i dont know if the p2p part is implemented - seems more like a dissatisfaction word of mouth, loss of business for tx server argument afaik.  but at least the receipts provide some durability, however you may need all users in the tx chain to be around, online, to not lose their own records, to reassemble a server state  which sounds fragile
07:26 < jtimon> adam3us maaku wanted to add in-chain chaumian cash to freimarket, but I still don't see much value on it
07:26 < jtimon> chaumian cash is not atomically tradeable by anything else, not even in the same chain/server
07:27 < jtimon> I don't see the problem with non-perfectly-fungible in-chain assets
07:27 < adam3us> jtimon: i think it provides two features: optional privacy, and fungibility arising from the privacy.  just because the payment is fungible (due to anonymity) doesnt have to imply you need to use the anonymity: eg you can be fully identified, kyc certified, or pseudonymous or anonymous as you choose
07:28 < jtimon> you do have optional privacy with traceable pseudonyms
07:28 < adam3us> jtimon: if something is not fungible it adds to risk and transaction cost.  credit cards being the canonical example - many internet businesses cant take credit cards for this reason
07:29 < jtimon> no, the transactions are still irreversible
07:29 < adam3us> jtimon: if you mean bitcoin current, then yes and the implication is  you then get moderate fungibility which many think is a risk that needs fixing
07:30 < adam3us> jtimon: bitcoin transactions? or freimarket transactions?
07:30 < jtimon> both are irreversible
07:30 < adam3us> jtimon: defacto yes, cryptographically no, courts will disabuse people of the difference in due course
07:32 < jtimon> you mean at redemption time, but I don't think that's legally feasible nor how "full p2p fungibility" (whatever that means and if it's possible at all) helps in any way
07:32 < jtimon> let's go back to yesterday's example
07:33 < adam3us> jtimon: say mining was very centralized, and consensus based (ripple), and claimed defacto irreversibility, or freimarkets similarly and FBI found DPR coin, they could trace it but not grind the password - they would then apply an NSL or order or pressure on the few central servers to block the transaction, or to forcibly change the owner without signature
07:34 < jtimon> well, that's a problem with ripple consensus, not with bitcoin pow
07:34 < adam3us> jtimon: consider DPR doesnt want to redeem it, he wants to sell his IBM shares for bitcoin to hire a good lawyer
07:34 < adam3us> jtimon: yes and maybe with freimarkets also?
07:34 < sipa> jtimon: it's only not a problem for bitcoin if mining anonymously is possible
07:34 < jtimon> no, freimarkets is supposed to be deployed in a pow chain like bitcoin or freicoin
07:35 < adam3us> sipa, jtimon: its a problem in bitcoin also, as sipa said, because if there are few, central miners, they can block transactions (unless committed tx is implemented and used)
07:36 < adam3us> jtimon: ok.  still bitcoin has the issue and freicoin worse unless merged mined due to lower hashrate
07:37 < adam3us> in my opinion something is not a p2p bearer share unless it has full fungibility; the strength of its claim is how close it gets to ZC/chaum like assurances
07:37 < jtimon> what if I mine outside the judge's jurisdiction?
07:37 < jtimon> unless we're assuming a global state or something...
07:37 < adam3us> jtimon: yes but do you have 51% of power
07:38 < adam3us> the coerced miners may be forced to orphan your transactions
07:38 < jtimon> I don't see a judge ordering a mining pool to undo all their mined blocks
07:38 < jtimon> doesn't make any legal sense to me
07:39 < sipa> doesn't need to
07:39 < adam3us> jtimon: see most of the mining power is in the us, which is the closest we have to a global state (they think they can apply their laws abroad, and have the gall to put pressure to try emulate that)
07:39 < jtimon> miners are not responsible for Bob stealing from alice, nor selling to Carol, who's not responsible either
07:40 < jtimon> they can only expropriate from Bob to compensate Alice
07:40 < adam3us> jtimon: true, you may have trouble getting 6-blocks confirmation
07:40 < jtimon> if Bob, sold the stolen share, then they will force him to compensate with other assets he owns
07:40 < jtimon> you == bob ?
07:41 < adam3us> jtimon: yes bob the thief
07:41 < jtimon> so you say miners will be forced not to accept the tx where bob sells to carol, mhumm
07:42 < jtimon> if the sell is already in the chain, I think there's no way back they can ask from miners
07:42 < adam3us> jtimon: yep or worse, eg an exchange has alice's money she sues the exchange for its return, as there is taint list and the exchange did not follow best practices in rejecting bob's attempts to cash it out
07:43 < jtimon> wait wait
07:43 < sipa> i think we want a system that works correctly because of technical reasons, and doesn't need to assume reasonable laws or judges around it
07:43 < adam3us> jtimon: yes that is defacto harder as its a 51% attack.
07:43 < adam3us> sipa: bingo
07:43 < sipa> that's not always possible, but if your argument starts with "judges are reasonable", i don't think you're still arguing about the quality of the system itself
07:43 < sipa> even if for practical purposes, you still make that assumption
07:44 < jtimon> no, I'm not assuming that judges are reasonable but you're assuming that they're completely stupid and crazy
07:44 < sipa> i prefer not making any assumption at all, if possible
07:44 < adam3us> jtimon: its a stronger assurance to rely on cryptography
07:45 < sipa> i also prefer not assuming reasonable miners
07:45 < sipa> but for the time being, we have to
07:45 < jtimon> yes, completely agree, but I don't think the law can make a pow chain reversible
07:45 < adam3us> sipa: potentially committed tx addresses both judge issues and miner issues
07:45 < adam3us> jtimon: no but it can block and freeze funds
07:46 < jtimon> I like the idea of blind committing, but your p2p deployment doesn't convince me
07:46 < adam3us> jtimon: and they love to do that, if anything semi-technical gets in their path they will become irrationally unreasonable so fast it will make your head spin, cognitive dissonance means nothing to them
07:46 < jtimon> well, not completely
07:46 < jtimon> the judge could order US miners not to validate the transaction where bob sells
07:47 < jtimon> but an iran miner could mine it
07:47 < adam3us> jtimon: yes and there is some argument that courts are slow, it'll be a few weeks of confirms by the time they react
07:47 < jtimon> would US miners be forced to leave that block orphan risking a fork?
07:48 < adam3us> jtimon: its a reasonableness argument so its slippery
07:48 < jtimon> I think they will just attack the redemption side
07:48 < jtimon> if anything
18:09 < adam3us> petertodd: yes but even selfishly there is interest to succeed.  making bitcoin fail and going down with it is not useful to either the meta-coin nor bitcoin
18:09 < jtimon> and I don't think "MM is better than independent mining" is the message that people perceive from bitcoin devs
18:10 < petertodd> adam3us: meh, if you were right then people would never pollute, but they do
18:10 < andytoshi> petertodd: it might be interesting to think about an alt with a fixed 1-coin reward, and which capped miner fees at, say, 0.05 coins (and the rest would be destroyed)
18:10 < petertodd> adam3us: remember, we've got anonymous systems here where social pressure doesn't work very well
18:10 < jtimon> people somehow perceive that "all experts prefer scrypt and quark, it's just that bitcoin is not going to hardfork on that now"
18:10 < andytoshi> capped total fees per block*
18:11 < petertodd> jtimon: depends on what bitcoin devs you're talking about - gavin regularly writes about how alts are stupid and harmful
18:11 < jtimon> andytoshi what for?
18:12 < jtimon> petertodd: I know there's not one voice
18:12 < adam3us> maaku_: SPV proofs and pegged sidechain.  yes.  the issue is that you dont really want to rely on as part of the protocol expecting bitcoin validators to follow the side-chain traffic or vice versa
18:12 < andytoshi> jtimon: to change the miner incentives to accept crap in exchange for high fees
18:13 < adam3us> petertodd: yes but it hasnt failed yet.
18:13 < petertodd> bbl
18:14 < andytoshi> jtimon: this would also reduce the potential for fee extortion, since with fees capped at 5% of income there'd be lots of people who simply don't care
18:14 < andytoshi> (this is a far future problem for bitcoin ofc since fees are not even 0.05%)
18:14 < jtimon> 0.05% of total reward to miner?
18:14 < adam3us> killerstorm: your super-rational miner strategy seems plausible
18:15 < andytoshi> jtimon: yeah. (am i wrong?)
18:15 < jtimon> andytoshi I don't know I'm not sure I understand
18:16 < jtimon> if you hash more than 0.05 in fees in a block you only get 0.05 in fees
18:16 < jtimon> but 0.5 will be less and less as inflation increases
18:16 < andytoshi> jtimon: that's right, and any other fees that transactions had included would simply get burnt
18:16 < adam3us> petertodd: you realize he just made the $25k per block fraud shrink a lot?
18:16 < andytoshi> jtimon: right, as will 1.0 (the block reward)
18:16 < jtimon> I think the reward will be eventually too small
18:17 < jtimon> 1.05 will eventually be 0.0000000000000001% of the total supply
18:17 < andytoshi> jtimon: no, currency loss will stop it getting that far i'm sure
18:17 < andytoshi> but i haven't done any detailed analysis to think about how far it will get
18:18 < andytoshi> maybe it will go too low and kill security, i don't know
18:18 < jtimon> oh, I guess you're right, is there any analysis on currency lost? how you do that?
18:19 < andytoshi> jtimon: it's hard to say, numbers exist for physical currency destruction, but that's obviously possible to measure, while cryptocurrency numbers are not
18:19 < adam3us> maaku_:  however there are some factors.  a) bitcoin is still security firewalled (it wont accept coins that didnt come from its chain), b) individual users/miners may choose to full validate; c) atomic swap is the much more frequently used method and that can be full validated; d) spv proven transfer back is liquidity event for imbalanced in demand, and a little bloated.
18:19 < andytoshi> so perhaps you can import the physical numbers as "percent carelessness" and get a swag
18:20 < adam3us> maaku_: e) 100 block confirmation on spv liquidity transfer on merge mine is still quite secure
18:21 < jtimon> adam3us how is any pegging scheme more secure than non-pegged MM ?
18:21 < andytoshi> jtimon: in the absence of demurrage, i don't think it's possible since people can store physical keying material, and that's identical to the network to a lost coin
18:21 < adam3us> jtimon: its not
18:21 < andytoshi> no matter how much magic crypto (eg OWAS) you throw at it
18:22 < andytoshi> but otoh with demurrage, measuring the velocity (which is easy) would give you an estimate of supply
18:22 < jtimon> adam3us and how pegging encourages or facilitates innovation?
18:23 < adam3us> warren: u know re mem hard complexity limits, dan larimer/bitshare/invictus momentum hash (birthday) does actually kind of work and is very fast to verify (modulo a non-catastrophic TMTO) would be interesting to see if the TMTO could be fixed.  see also google for cuckoo hash proof of work
18:23 < adam3us> jtimon: it allows people who are attached to doing things with btc scarcity rather than new scarcity to do so on a different chain and make changes and features that suit their use case.
18:24 < adam3us> jtimon: (rather than for example arguing that bitcoin main should incorporate their changes which imposes dev cost and security risk for btc main and so would tend to be rejected or progress slowly and conservatively)
18:25 < jtimon> I don't quite understand this part "people who are attached to doing things with btc scarcity rather than new scarcity"
18:25 < jtimon> the second sentence seems to apply for both pegged and non-pegged MM
18:26 < adam3us> jtimon: well if they dont care about using btc currency they can do a MM alt-chain with its own distribution params or auxiliary distribution PoW already
18:27 < warren> adam3us: how bad is the TMTO?
18:27 < adam3us> jtimon: i quite like btc scarcity, virtual gold property, capped supply, the supply curve, human policy inflation proof etc.
18:28 < jtimon> what if they do care, and want to experiment but just don't want pegged-MM's inferior security? say they're zerocoin
18:28 < jtimon> btc is still scarce no matter how many altcoins you create
18:28 < jtimon> 21 M at most
18:28 < adam3us> warren: bad enough that some guy claimed $5000 "break the PoW" bounty for demonstrating it would run on a GPU when they thought it would take 750MB per instance.
18:29 < maaku_> adam3us: 100 block wait is not secure. all you need is one global consensus bug and people can start printing money before it is resolved
18:29 < maaku_> it's a non-starter as far as I'm concerned
18:29 < petertodd> adam3us: how did I make what shrink?
18:29 < adam3us> petertodd: what?
18:30 < adam3us> maaku_: they cant print money from btc main perspective, because the SPV proofs have to track back to specific previously moved coins, and that will be allowed only once per moved coin.
18:31 < petertodd> adam3us: momentum (birthday) hashes may work from a theoretical point of view, but like I've said before, from a practical asic hard point of view they don't because they can be implemented with highly specialized content addressable memory techniques
18:31 < petertodd> adam3us: < adam3us> petertodd: you realize he just made the $25k per block fraud shrink a lot?
18:32 < adam3us> petertodd: yeah.  i agree with you.  came to same conclusion - i guess we talked about that a while back. (asic vs memhard).  just curious about the design of them to be memory low verify
18:32 < petertodd> adam3us: as for cuckhoo hashes as far as I can tell where they fail is they are parallelizable, and an optimal implementation would be some crazy distributed routing layer ontop of some ram
18:33 < petertodd> adam3us: ah
18:33 < adam3us> petertodd: ah yes.  killerstorm was talking about a super-pragmatic or such miner greed where they could be bribed by paying $25k+10c if game theoretically they knew most of the other miners might do the same thing
18:33 < petertodd> adam3us: yeah, the low memory verify aspect is pretty neat, same with cuckhoo hashes
18:33 < sipa> cuckoo...
18:34 < petertodd> adam3us: right, and I'm saying that game theoretic makes too many assumptions about what information each miner knows each miner knows
18:34 < petertodd> sipa: rarely do you correct my engrish :P
18:34 < maaku_> adam3us: ok /print/steal/
18:35 < maaku_> i really don't think pegging adds much at all
18:35 < petertodd> adam3us: see, what *is* interesting about cuckoo hashes is that the memory *latency* hard part of them looks pretty solid, so in situations where you need a pow and it's not parallelizable, they work great
18:35 < maaku_> most of the interesting alt applications have to do with issuing new assets
18:35 < adam3us> jtimon: "what if they do care, and want to experiment but just don't want pegged-MM's inferior security? say they're zerocoin" well its a good example, but it kind of illustrates my point.  green et al seemed to think bitcoin would adopt their protocol.  when it turned out people didnt like the bloat, they were disappointed.  with pegged side chain they could've gone and done it themselves
18:35 < petertodd> adam3us: timelock crypto could be one such example
18:36 < petertodd> maaku_: those new assets are more useful though if you can make contracts exchanging them for bitcoins
18:36 < jtimon> maaku_ apparently it solves a philoshophical problem related to non-scarce scarcity...
18:37 < maaku_> mmm marginally more useful
18:37 < jtimon> adam3us what's wrong with zerocoin not being pegged to btc ?
18:37 < maaku_> not everyone is convinced bitcoin has the right economics to play that role
18:37 < adam3us> jtimon: again with the zerocoin example now with zerocash, they took that lesson and they're talking about making a zerocash alt coin.  so that's a net loss, probably some bitcoin users would like to be able to get zerocash anonymity for their bitcoin, but with a floating rate and an alt the zerocash might not be much fun to use, nor very secure.  merge mine would be a good step either way
18:38 < jtimon> + 1 for MM zerocash, I don'
18:38 < jtimon> t see how non-pegging is a net loss
18:39 < jtimon> I hope they MM, maybe they prefer to be "anti-specialized-hardware"
13:44 < adam3us> petertodd: (since you last synced your smart phone)
13:44 <@gmaxwell> petertodd: yea but not a shared secret unless you digitize twice.
13:45 < petertodd> adam3us: that's still just over half a mb per day, not bad
13:45 < petertodd> gmaxwell: I know, I'm not solving that problem with that idea
13:46 < adam3us> gmaxwell: yes the shuffle and split is super nice in simplicity.  the other ones have complexity, failure etc.  the only limitation is 52bits.  kinda weak.  hence blue sky about flaky alternatives like permutations; double pack is probably better
13:46 <@gmaxwell> if you just want to be subtle, with prp... a boring business card with data stuffed into it .. a "random slogan" that is cryptographic works fine.
13:47 <@gmaxwell> adam3us: yea, double pack fixes the entropy problem well enough.
13:47 < adam3us> petertodd: so the main thing is how does that compare to SPV
13:47 < petertodd> adam3us: thing is, I'm expecting SPV to work like that anyway with prefix filters
13:47 < petertodd> adam3us: so the cost is only in the ECC computations, not extra bandwidth
13:47 < adam3us> petertodd: if 1byte is SPV compatible in overhead, i think we are closer to an spv killer.
13:48 < adam3us> petertodd: spv doesnt have prefix filters, it does fuzzy bloom fetches for requester address set
13:48 < petertodd> adam3us: if anything stealth addresses can be *more* plausible for SPV than stuff like handing out chain codes because the # of addresses you might have to scan for is actually more limited
13:48 < petertodd> adam3us: SPV will be with prefix filters in the future; bloom has shit scalability
13:49 < petertodd> adam3us: also electrum implements them, it's just that the prefix has to be the a full 20 bytes :P
13:49 < petertodd> adam3us: electrum will have proper variable-length prefixes sooner or later
13:49 <@gmaxwell> petertodd: ugh. I don't agree. requiring all uses to grind addresses is kinda crazy.
13:49 < adam3us> petertodd: there maybe a small win lurking in there (stealth more plausible for spv more limited scan)
13:50 < adam3us> gmaxwell: maybe better to put the prefix somewhere else, a new field, or a harmless unused/overloadable field
13:50 < petertodd> gmaxwell: depends on how fast it works out to be. Also I think the idea works well in a model where you assume that usually the tx data is just given to the recipient directly; the stealth part is just as a backup
13:50 < adam3us> petertodd: yes but the stealth part has to be ground to setup the backup
13:51 <@gmaxwell> petertodd: no, because it screws up wallet determinism or loading random keys from a deterministic wallet.
13:51 <@gmaxwell> petertodd: if you give the data directly, then you can just use a bip32 wallet.
13:51 < petertodd> gmaxwell: no it doesn't, the data required to recover the wallet is still fully deterministic
13:52 <@gmaxwell> petertodd: yes but only with a non-trivial computational cost per address.
13:52 < petertodd> gmaxwell: based on a seed I can regenerate my master pubkey and from that scan the blockchain to find my transactions
13:52 <@gmaxwell> With a _lot_ of computation, which will encourage address reuse.
13:52 < adam3us> gmaxwell: i think the issue is assuming a reliable 2pc to send the data from user to server is brittle.  risk of money loss.  so you need a network channel bound to the rest of the payment
13:52 < petertodd> gmaxwell: the computational cost isn't per address you use, it's per address in the blockchain
13:52 < petertodd> gmaxwell: if you don't use your wallet at all the cost is the exact same based on whatever prefix length you chose
13:53 <@gmaxwell> petertodd: you have to do the computation to even know what to look for.
13:53 < petertodd> gmaxwell: what do you mean? you have to do computation to check if every address matching your prefix is one you own
13:53 <@gmaxwell> and the privacy of that is very poor.  1/256 is fine for donation addresses. but you really don't want it for general usage.
13:54 <@gmaxwell> petertodd: no you have to do computation for every index you possibly used to figure out if its your own.
13:54 < adam3us> gmaxwell: i think he is assuming the prefix target is static eg communicated as part of the base address encoding
13:54 < petertodd> gmaxwell: suppose bitcoin has 1,000,000 users, 1/256 is ~4000 users
13:54 < petertodd> gmaxwell: you only have a single master pubkey in the most simple case
13:55 <@gmaxwell> yes which is very small, and thats a large amount of initial users when you consider other factors like time of day or correlation of values transacted and joint spends.
13:55 <@gmaxwell> adam3us: no he's talking about using this not just for donation addresses, and I think thats horrific.
13:56 < petertodd> gmaxwell: yeah, then if you're unhappy about that make your prefix match more people, worst case is you're doing computation roughly similar to syncing a full node
13:56 < petertodd> gmaxwell: best case is you use a payment protocol like this so normally you don't scan the blockchain at all
13:56 <@gmaxwell> I'm no longer talking about the scanning case, I'm talking about 10:50 < petertodd> gmaxwell: depends on how fast it works out to be. Also I think the idea works well in a model where you assume that usually the tx data is just  given to the recipient directly; the stealth part is just as a backup
13:57 <@gmaxwell> this is bullshit garbage rubbish
13:57  * gmaxwell spits in the general direction of the idea
13:57 < petertodd> gmaxwell: how? the tx data says "hey! here's this tx I sent you, add it to your list of funds (as though you had to scan the whole damn blockchain to find it)"
13:57 < adam3us> gmaxwell: he he.. dont mince your words there greg :)
13:58 < adam3us> gmaxwell: LOL
13:58 < adam3us> gmaxwell: but yes i think the network transport has to be considered the primary transport that is hit all the time, because thats how it works
13:58 <@gmaxwell> petertodd: great, now your online system fails and you have to do this very expensive computation to enumerate your deterministic keys.
13:58 < petertodd> gmaxwell: if you fuck up and have to restore from backups, well, then you scan the whole damn blockchain (or some subset)
13:58 <@gmaxwell> or you could just use BIP32.
13:59 < petertodd> gmaxwell: the point is you don't have deterministic keys! the computation is O(1) per tx, or O(n) for the blockchain
14:00 < petertodd> gmaxwell: vs BIP32 where your match filter will match some subset of the chain, and you're telling the nodes you connect to essentially what subset of all addresses you have funds in... if you're conservative you probably have already made it match about 1/256th of that whole set
14:00 < petertodd> gmaxwell: (remember I tend to assume full nodes are out to break my anonymity and figure out what's in my wallet)
14:01 <@gmaxwell> petertodd: if you wanted to give up your privacy then you could generically have bloom bait in _any_ transaction.
14:01 < petertodd> gmaxwell: huh?
14:02 <@gmaxwell> But your 1/256 thing really is risky IMO as you're making a highly public record of this flag, instead of something only your scanning node (Which may be trusted and operated by you!) sees, and you don't know how small the anonymity set you get is, you only know that you added _8 bits_ of distinguisher.  I imagine that in a lot of cases now 8 bits is completely identifying.
14:03 <@gmaxwell> imagine a coinjoin where the input owners are the same as outputs. 8 bits is completely deanonymizing.
14:03 < petertodd> gmaxwell: first of all I never said that the 1/256 is set in stone
14:03 < petertodd> gmaxwell: secondly for your change addresses you can easily deterministically derive them in a way that is not subject to the 1/256th business
14:03 <@gmaxwell> also you keep saying that its similar to full node syncing, but doing an arbitrary point scalar multiply for every transaction is quite a bit slower.
14:03 < petertodd> gmaxwell: (per transaction)
14:04 <@gmaxwell> petertodd: yea sure you can use a smaller distinguisher, I agree. but then you lose the filtering advantage.
14:04 < petertodd> gmaxwell: yes, but computers are fast and bandwidth isn't... needs some proper numbers, but the difference isn't huge
14:04 <@gmaxwell> yea, I generally agree the speed isn't a huge issue, as I said before I think for donations this is workable without the bloom bait at all.
14:05 <@gmaxwell> just for the sake of correctness, I'm pretty sure it will be worse than 2x full sync cpu. :)
14:05 <@gmaxwell> esp if you have more than one of the keys for privacy among the people you asked to pay you too.
14:05 <@gmaxwell> since then it grows like n*m.
14:06 < petertodd> gmaxwell: why would you have more than one? every payment using this thing is completely independent
14:06 < petertodd> gmaxwell: you only need more than one if you want to maintain multiple *identities*
14:06 <@gmaxwell> petertodd: no, its not independent to the people you asked to pay you.
14:07 <@gmaxwell> and they can even transfer that evidence.
14:07 <@gmaxwell> e.g. they disclose that transaction X is a payment to Y and can do so in a way that everyone else can see too.  And then someone crops up and shows "hey I paid Z and its the same pubkey!!"
14:08 < petertodd> gmaxwell: which they can do with bip32
14:08 <@gmaxwell> petertodd: only if you actually give them extended public keys.
14:08 < petertodd> gmaxwell: and if you don't, then the user experience for recurring payments sucks
14:08 <@gmaxwell> which you don't need to if your website (the thing receiving a payment protocol receipt) is issuing them one use regular addresses.
14:08 < petertodd> gmaxwell: yeah, and that's a whole bunch of overhead
14:09 < petertodd> gmaxwell: for instance I just can't do that on freenet...
14:09 <@gmaxwell> not just that BIP32 lets you give each separate user a sub-chain. and those are not linkable.
19:49 < gmaxwell> maaku: I was just saying in the abstract.
19:50 < gmaxwell> The decision problem still exists even in the simplest case.
19:50 < maaku> the real issue with republicoin is that there isn't to my knowledge an adequate proof-of-stake voting system
19:51 < maaku> all the current ones suck big time...
19:51 < gmaxwell> I don't think one is possible.
19:51 < gmaxwell> :(
19:51 < gmaxwell> (This bums me out greatly)
19:51 < gmaxwell> (because in general POS is a great idea, but it seems like you need a consensus system on top of it to make it actually work)
19:51 < gmaxwell> If you give me timelock encryption then I think I can make POS work.
19:52 < gmaxwell> Or at least almost work enough.
19:52  * amiller gives gmaxwell some timelock encryption??
19:53 < gmaxwell> amiller: e.g. I think you can do a POS consensus with timelock encrypted votes to prevent censorship. By the time anyone knows what the old state is, it's hopelessly buried.
19:53 < gmaxwell> (you use proofs that the hidden states are valid)
19:54 < gmaxwell> and timelock encryption means someone can't wedge the system by failing to ultimately disclose.
19:54 < maaku> gmaxwell: i'm fine with a side-chain. i'm even fine with public votes, although obviously something homomorphic would be better
19:54 < maaku> but yeah it would be a lot easier (trivial, almost) with time-lock encryption...
19:54 < gmaxwell> maaku: the problem with public votes is not that they're public, is that it allows whomever controls the consensus system that gathers them to censor the votes so the outcome is as they choose.
19:55 < maaku> ah, so proof-of-stake would essentially become proof-of-work once 50% of miners are corrupted
19:56 < gmaxwell> right. "I don't like this vote very much, bye bye"
19:56 < maaku> amiller: this is probably the best post : http://freicoin.freeforums.org/demurrage-should-it-all-go-to-miners-t20-40.html#p354
19:56 < maaku> but google 'republicoin site:http://freicoin.freeforums.org' to find some others
19:57 < maaku> it's an idea i would like to pursue, but the technical issues need to get worked out first...
19:57 < amiller> "I have an answer, albeit not a strong one: their own economic self-interest in the future of Freicoin."
19:57 < amiller> i'd love to understand that better but it's hard to reason about
19:58 < amiller> it's not totally wrong but it's tricky
19:58 < amiller> people are like, systematically myopic
20:00 < gmaxwell> maaku: another way to make POS votes work is to require _every_ coin to vote. But then your system dies the first time a key is lost. :(
20:00 < maaku> amiller: i have a crushing rejoinder which will squash any doubts
20:00 < maaku> you're right
20:00 < maaku> like i said, it's not a strong argument
20:01 < maaku> but it is basically the analogous situation to real life politics - what stops the big guys from buying the politicians' votes?
20:01 < amiller> nothing, that's exactly what happens
20:01 < maaku> well, nothing really. that is what happens. but within limits
20:01 < gmaxwell> s/stops/tames/
20:01 < amiller> the limits aren't reliable
20:02 < gmaxwell> sure but it's not unbounded. It's actually pretty tricky to achieve any constraint at all.
20:02 < amiller> Okay so i'm writing up (for a lovely forum post) the idea of doing this soft blacklist
20:02 < amiller> i'm stuck on something
20:02 < amiller> besides getting two consecutive blocks
20:02 < maaku> as I said, not a strong argument, but there is enough room that a middleground might exist.. or at least hope for one
20:02 < amiller> there might be a way to just do one block, and incentivize people to take my block
20:02 < amiller> suppose there are two blocks at roughly the same time
20:02 < amiller> it's undefined which one people will choose right?
20:02 < amiller> whichever one they get first?
20:02 < amiller> there's no prioritization about blocks right now
20:03 < amiller> but suppose one block contains an anyone-can-pay transaction or something that is only valid if that block gets accepted
20:03 < amiller> you could then either mine on block A and get nothing, or mine on block B and get a bonus!
20:03 < sipa> the best pick (for consensus) is the one that you have most confidence in others will also pick
20:03 < amiller> the problem is you can't spend the coinbase immediately and you can't make a transaction pegged to one block
20:04 < amiller> you can in freimarkets where there's an OP_HEIGHT code
20:04 < amiller> is there any way to do that? to give a fee to the miner of the next block for building on the current block?
20:05 < maaku> amiller: give them the fee in the output of the coinbase
20:05 < amiller> no because you can't spend coinbase for 100 blocks
20:05 < maaku> they can't spend it immediately, but they know it's there
20:05 < maaku> or am i missing something?
20:05 < amiller> they don't get it, the 100th block miner gets it
20:05 < maaku> oh i c
20:05 < gmaxwell> which they have hashrate/total_hashrate probability of earning.
20:06 < gmaxwell> You can also lower the variation by 'announcing' a not yet valid spend cascade that spreads it out over many blocks.
20:07 < gmaxwell> e.g. at height 100 that miner gets half, at 101, that miner gets 1/4, at 102 that miner gets 1/8... and so on.
20:11 < gmaxwell> amiller: specifically preventing this is why I'd said in the OWAS thread that the OWAS payments had to be maturity gated.
20:11 < gmaxwell> otherwise you get stupid random effects that screw up consensus.
20:11 < amiller> i'm going to call this a "feather-fork"
20:11 < amiller> because it's like a softer soft fork that only lasts for a couple blocks and only might work
20:12 < amiller> but may still have an influence
20:18 < maaku> i assume you would do that using time locked transactions?
20:19 < gmaxwell> maaku: yea, to space them out.
20:19 < gmaxwell> e.g. one locked at +100, +101, etc.
20:43 < petertodd> BlueMatt: Well frankly I think that's a dumb rule. For instance, would you object to SPV nodes relaying block headers to each other to be sure they had the best chain? I can't see why. Then if you don't object to that, why not relaying blocks too? Relaying transactions of course can have DoS issues, but if you solve those with a PoW or something, again, why not? Knowing more information will never harm you.
20:44 < BlueMatt> petertodd: spv nodes shouldn't relay headers to each other that they can't verify, no
20:44 < BlueMatt> petertodd: spv nodes shouldn't connect to each other to begin with, really
20:45 < gmaxwell> BlueMatt: why not? if both parties connected are consensual participants?
20:45 < gmaxwell> E.g. "I didn't verify this, you still want it?"
20:45 < gmaxwell> "You know I'm stupid, but if you want me to tell you what I hear, I will."
20:45 < BlueMatt> gmaxwell: consensual in this case means policy defined by developer of spv nodes...
20:46 < gmaxwell> BlueMatt: or whatever they've negotiated.
20:46 < gmaxwell> (the nodes I mean)
20:46 < BlueMatt> and developers shouldn't make their policy of spv nodes to peer with other nodes
20:46 < BlueMatt> if someone wants to do that, they sure can
20:46 < BlueMatt> but that's up to their implementation
20:47 < gmaxwell> BlueMatt: right now SPV nodes are pretty vulnerable to a multitude of attacks, increasingly so as the number of accessible full nodes continues to drop.  One strategy to combat this might be for higher resource SPV nodes to connect to each other too.
20:52 < BlueMatt> gmaxwell: problem: full nodes aren't available as much as they should be, solution: work around the problem by coding lots of logic for spv nodes to rumor between each other
20:52 < BlueMatt> seems wrong to me
20:52 < BlueMatt> could just code some logic to make full nodes more appealing to run...
20:52 < gmaxwell> BlueMatt: Maybe. Depends on how fundamental the lack of full nodes problem is.
20:52 < gmaxwell> These aren't mutually exclusive. We may eventually need _both_.
20:52 < BlueMatt> true, but I've seen no data to indicate the issue is really unsolvable with reasonable work?
20:53 < gmaxwell> I don't think we fully understand the reduction in reliable full nodes.
20:53 < BlueMatt> maybe, but I see no reason to code the spv rumoring for some time to come unless we've come a long way
20:54 < gmaxwell> yea, I missed the beginning of you and PT's conversation.  This is #bitcoin-wizards after all, and I was just chiming in that I don't think it would be unreasonable in the long term to have SPV nodes who are willing and able play a bigger role in the network.
20:55 < petertodd> BlueMatt: why?
20:55 < petertodd> BlueMatt: heck, blockheaders over twitter is genuinely useful
20:55 < BlueMatt> petertodd: blockheaders over twitter comes from a full node...
20:55 < gmaxwell> BlueMatt: bitcoin-qt's performance has improved _tremendously_ as has its reliability (except on OSX).
20:55 < BlueMatt> gmaxwell: I don't really like that idea, but yes it's an option...
20:56 < BlueMatt> gmaxwell: better: partially-verifying nodes playing a bigger role
20:56 < petertodd> BlueMatt: that's irrelevant
20:57 < petertodd> BlueMatt: blockheaders over twitter is validatable by the fact it's the longest valid set of headers you know of, *nothing* else
20:57 < petertodd> Let alone once we start talking about partial probabilistic validation schemes w/ fraud proofs...
20:57 < gmaxwell> BlueMatt: ultimately the shift in node type may just be that people do not see any reason to run anything but spv nodes anymore.
20:58 < BlueMatt> petertodd: my point is that, in the current network, there is NO reason for an spv node to take information from a node it knows is not doing any verification
20:58 < BlueMatt> in the future, maybe it will be necessary
20:58 < BlueMatt> but not now
20:58 < petertodd> BlueMatt: how does the SPV node know the node it's talking to is doing verification?
20:58 < BlueMatt> gmaxwell: yes, which is why nodes should upgrade
01:50 < jrmithdobbs> :P
01:51 < jrmithdobbs> funny, seeing as i distinctly remember lamenting how i didn't think it was necessary at a point in the not-so-distant past
01:52 < gmaxwell> jrmithdobbs: the sighash types are pretty much entirely about which parts of the transaction get masked out when you sign.
01:55 < jrmithdobbs> oh those, just re looked over the contracts stuff
01:56 < jrmithdobbs> all/none/single are the current ones?
01:58 < gmaxwell> and the anyone can pay modifier.
01:58 < jrmithdobbs> that covers everything I can think of / care about (contracts and escrow)
01:58 < jrmithdobbs> right right
02:00 < warren> jrmithdobbs: does that random embedded shit have any entropy source at all?
02:00 < gmaxwell> jrmithdobbs: oh no way.. say for example that you and 10 friends want to collaborate to raise a 50 BTC bounty. For that what you want is a txn with an ANYONECANPAY and an output that pays 50 BTC that everyone signs, but then also a bunch of change outputs signed only by the person providing their inputs.
02:00 < jrmithdobbs> warren: some of it, yes
02:00 < jrmithdobbs> gmaxwell: i always forget change
02:01 < gmaxwell> there are a bunch of examples where change gets in the way.
02:01 < jrmithdobbs> gmaxwell: i thought it was enough to cover multi-party escrow, but ya, you're right=/
02:02 < jrmithdobbs> to be perfectly blunt, though
02:02 < jrmithdobbs> would it really be such an imposition to have to pre-prep those inputs?
02:02 < gmaxwell> well you go from 1txn to 21 txn in that case.
02:02 < jrmithdobbs> they're uncommon enough specialized txns that you're going to have an hour or so notice before hand usually
02:02 < gmaxwell> er 11 (I said 10 friends)
02:03 < jrmithdobbs> ya but 20 of those txns are very simple and easy to verify and already pass isStandard()
02:03 < warren> If one of those 10 gets hit by a bus, all that money is gone?
02:03 < gmaxwell> huh. no. 0_o why would you think that?
02:03 < jrmithdobbs> warren: huh? no the final couldn't be created until the first 20 were done
02:04 < gmaxwell> s/20/10/ for consistency. :)
02:04 < jrmithdobbs> right ;p
02:05 < warren> ugh
02:05 < jrmithdobbs> gmaxwell: the complexity of handling the change and the infrequency of the use of that type of mechanism ... is it worth handling the change? the minor txn spam argument seems pretty flimsy framed in this way
02:07 < jrmithdobbs> i could be convinced it's worth it if you could maybe postulate on some reasons why the use of multi party escrow or extremely complex contracts would become the *norm* vs current simple addr txns
02:07 < gmaxwell> jrmithdobbs: Perhaps not. This is -wizards, I'm not talking about a practical short term change to the system.
02:08 < jrmithdobbs> and i can maybe come up with some with some devil's advocate ones ;)
02:08 < gmaxwell> Handling the change isn't the only gap in sighash types. They're just the one I was thinking about tonight.
02:08 < jrmithdobbs> oh i know i know
02:08 < jrmithdobbs> just talkin
02:09 < gmaxwell> Now I'm trying to remember what other cases were missing.
02:09 < jrmithdobbs> well it almost needs a _multi
02:09 < jrmithdobbs> so that one can sign more than just one part of nothing
02:10 < jrmithdobbs> but that gets hairy
02:10 < jrmithdobbs> err more than one part OR nothing
02:12 < gmaxwell> then there are things like partial constraints. sign output X but first normalize the value by min(value,1000000).  "Output X must be at least 1 BTC".
02:13 < gmaxwell> arguably you can do many of the applications by just SIGHASH_ALL but you can't do anyone can pay in that case.
02:13 < gmaxwell> one possibility would be to have the scriptpubkey specify a masking script.
02:14 < gmaxwell> basically the only thing you sign is a script. And the script gets the whole txn pushed onto the stack and the signature is valid if the script returns true.
02:19 < jrmithdobbs> i dunno, i've been driving or flying for like 5 days straight now, i'm going to go sleep in my own damned bed finally ;p
02:21 < jrmithdobbs> actually
02:21 < jrmithdobbs> i think we're overthinking that
02:21 < jrmithdobbs> (not the sleep part, that's def happening in a bit, ha)
02:22 < jrmithdobbs> gmaxwell: i think all/one/none + anyone can pay *is* enough
02:22 < jrmithdobbs> gmaxwell: we're falling into that whole "one person/party == one key" mindset
02:22 < jrmithdobbs> if any party needs to sign multiple parts they use multiple keys
02:22 < jrmithdobbs> if proof someone is in control of said group of keys, that's trivial
02:23 < jrmithdobbs> if proof is desired*
02:23 < jrmithdobbs> but maybe i've been paying too much attention to zooko lately, ha ;p
02:24 < gmaxwell> uh. I think you should sleep, 'cause nothing I've said is at all one person = one key material. :P
02:24 < jrmithdobbs> no it's not
02:24 < gmaxwell> jrmithdobbs: he doesn't have you freebasing bacon grease does he? :P
02:24 < jrmithdobbs> but i'm saying the cases where being able to sign multiple but not all/none parts can be solved with multiple keys per party
02:25 < jrmithdobbs> but ya, i'm incoherent ;p
02:26 < gmaxwell> jrmithdobbs: that doesn't work so well if you want to have everyone sign output zero, and then each person sighash single the rest.
02:26 < jrmithdobbs> why not?
02:26 < jrmithdobbs> that just means you need to know how many keys per party and whether you want to bind their associations at the start
02:26 < jrmithdobbs> doesn't seem entirely out of the question
02:27 < gmaxwell> You're not making any sense to me.
02:28 < gmaxwell> Me and my N friends want to pay bob 50 BTC, and take our change. I don't even know N in advance. But I know I want bob paid, and I want my darn change back. Maybe I want to use N inputs too. in which case each of my N inputs wants bob and my change output to get paid.
02:29 < jrmithdobbs> i'll reread that in the morning/tomorrow and try and translate, i'm sure i'm saying what i think i am, just poorly :)
--- Log closed Wed Mar 27 00:00:08 2013
--- Log opened Wed Mar 27 00:00:08 2013
16:58 < sipa> converting C++ to C is boooooring
17:00 < jgarzik> hehehe
17:00 < sipa> and changing a += b; into secp256k1_ge_add(&a, &a, &b); does hurt...
17:01 < warren> sipa: resulting code won't be any slower though, right?
17:01 < sipa> no
17:02 < sipa> btw, a friend of mine contributed x86_64 assembly for a few low-level routines: 20% speedup!
17:02 < warren> nice =)
17:20 < petertodd> sipa: Are you planning on eventually getting rid of the libgmp dep in your secp implementation?
17:20 < sipa> perhaps, yes
17:20 < warren> petertodd: I'm hoping he gets rid of openssl
17:21 < sipa> petertodd: that does mean writing our own mini bigint code, though
17:22 < sipa> which is somewhat stupid if very well optimized alternatives exist
17:22 < petertodd> What are the dependencies like for those well optimized alternatives?
17:22 < sipa> gmp :)
17:22 < petertodd> Ha
17:23 < sipa> and gmp doesn't have dependencies of its own
17:23 < petertodd> I'm working on a really preliminary design for a "merkleized forth"; it should have its core written in C I'm thinking with no dependencies for easy auditing/running on microprocessors.
17:26 < sipa> eh, relevance?
17:27 < petertodd> I'll need a fast secp256k1 implementation eventually, and probably a bigint implementation too, ideally ones that don't depend on malloc.
18:12 < warren> gmaxwell: regarding p2pool and your idea of share fork merging.  There is a potential flaw in the share fork merging idea that I can't think of a solution to.  Say you allow a share to have up to 4 parents.  If colluding buddy nodes own one of those parallel shares, what incentive do they have to relay competing parallel shares if any block solution they come up with is valid?  They're better off excluding competing parallel shares as much as possible.  It would be difficult for the network to detect.
18:15 < warren> Hmm, I suppose it might work if the post-merge shares can be orphaned by another post-merge share that has more parents.
18:16 < warren> But are we then back with the original problem...
18:16 < gmaxwell> warren: as was already said before: the chain with the most difficulty wins.
18:17 < gmaxwell> and yea, you do end up with a circular issue there, I wasn't sure how to solve that.
18:18 < warren> gmaxwell: wouldn't this also exacerbate the frequency of new work?  Every time your p2pool node receives a parallel share, you would have to restart mining?
18:19 < warren> If so we didn't really solve any problem here.
18:19 < gmaxwell> No. You use it if you have it.
18:19 < gmaxwell> The other work is late; you usually have it from the prior cycle.
18:20 < warren> I'm not following.  Whenever you receive a new latest share, work restarts at that moment no?
18:21 < gmaxwell> warren: I'm concerned that you're using the word 'restart'
18:22 < gmaxwell> You switch to work based on that, sure.
18:23 < warren> And isn't that switch where we currently have the work return latency issue?
18:23 < warren> Your local node switches work after you receive a new tip share.
18:23 < warren> "Late" shares come in, parallel to your tip share.
18:24 < gmaxwell> Yes, but prior to that happening you've received some straggling shares from other peers.
18:24 < gmaxwell> Late shares came in during the prior interval.
18:25 < warren> I might be missing something crucial in understanding this.
18:26 < gmaxwell> The late is merging not shares that were competitors for the current head but shares which were competitors for the prior one.
18:28 < warren> How does that avoid switching work more often than 10 seconds?
18:30 < gmaxwell> What would you switch to?     Height-100 comes in, you compute work based on H100 that merges H99 competition. If you get any H99 work after you receive H100, you reject it.
18:31 < warren> So H101 merges the parallel H99's.
20:36 < maaku> Then you can use it to say "I encrypt this until the network expends X computational cycles"
20:37 < gmaxwell> maaku: no, that gives you no control of the time at all. And you _do_ guarantee that all keys are moved through for all levels under the difficulty.
20:37 < maaku> lack of control over time is precisely my point...
20:37 < gmaxwell> you can achieve that in the multilevel scheme by threshold encrypting.
20:38 < gmaxwell> basically the multilevel scheme allows you freedom between choosing absolute work, and absolute time (but with race ahead risk)
20:39 < gmaxwell> e.g. you can encrypt the problem to X=0 * 1000  or X=0*500 + X=1*500 or X=0*250 + X=1*250 + X=2*250 + X=3*250  ...  to achieve absolute work (to whatever degree you wish to approximate it)
20:40 < andytoshi> [unrelated] new optimization of koblitz curve optimization: http://eprint.iacr.org/2012/519
20:41 < maaku> gmaxwell: but presumably you reveal which ones you encrypt against right? (to avoid combinatorial explosion in decrypting)
20:42 < maaku> so someone need only "work ahead" those keys to decrypt
20:42 < gmaxwell> or you can encrypt to X=0 only, and have absolute time but perhaps a race-ahead risk if the difficulty goes way up.  Or you can have some guess at future difficulty (e.g. if the system is already on asics, then projecting Moore's law or whatever).. or you can use all of these at once.
20:42 < maaku> (and if they're a miner they can later reuse that work for the subsidy)
20:42 < gmaxwell> No, the work can't be reused.
20:42 < gmaxwell> The attempts you make in the cracking are based on the hashes of the prior blocks, or you don't have a consensus.
20:43 < gmaxwell> maaku: But what I described there achieves absolute work ("X=0 * 1000  or X=0*500 + X=1*500 or X=0*250 +"), regardless of the difficulty. You can "race ahead" sure, but there is no faster way than doing a certain absolute amount of work.
20:44 < maaku> gmaxwell: I'm not sure I follow. the public keys are known in advance right? and the problem is to find the private keys right?
20:45 < gmaxwell> maaku: correct. The hash of your header tells you what part of the solution space to check. Finding a block requires proving you checked the right part of the space and found a distinguished point.
20:45 < gmaxwell> (a distinguished point is either the solution to the current problem, or some 'near miss' based on some arbitrary criteria)
20:47 < gmaxwell> Wrt the absolute stuff, I was only pointing out that my hierarchical scheme allows you to get any mixture of "absolute work" or "absolute time with race ahead risk (diff overshoot risk)" or "absolute time with failure to decrypt (diff undershot risk)" that you like. It's not perfect, by any means, but I think it could be reasonably successful.
20:49 < gmaxwell> maaku: e.g. forget that there is a faster way of solving ECDLP than just testing secret keys.  To mine this you take your header hash and multiply it by the base point and then measure the current solution's hamming distance to the current digits of pi or whatever is the current x=0 target problem. If it's below a threshold you have a x=0 solution.
20:50 < gmaxwell> if you raced ahead previously, that work isn't useful to you because the secret keys you checked weren't derived from hashing a valid header.
20:50 < gmaxwell> (at least not useful for mining)
20:53 < gmaxwell> andytoshi: that paper is about classical koblitz which is for characteristic 2 fields. I can't believe people are still doing stuff with characteristic 2 in 2012.
20:54 < andytoshi> oh, damn
20:54 < andytoshi> also it's 2014 :P
20:57 < nsh> let's split the difference for another couple of days eh? :)
21:12 < nsh> *sigh*
21:12 < nsh> https://www.openssl.org/ <-- compromised
21:13  * gmaxwell not going to load a compromised site.
21:13 < nsh> just says "TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _"
21:13 < nsh> no html. but good policy :)
21:17 < justanotheruser> In blockchain time It's already April 2014
21:32 < gmaxwell> So I think I have a goofy convoluted protocol for centralized timelocking, between alice and a clock though it requires having some substr opcode we don't have.
21:33 < nsh> what's at the centre?
21:33 < gmaxwell> The idea is that alice and the clock can make a (complicated) series of transactions which sets things up so that alice learns a public key for which the clock knows the secret. Alice and the clock both put up funds, if the clock releases the secret on time it gets both its funds back and alice's funds.
21:34 < gmaxwell> If the clock releases the secret early, then it doesn't get its funds back. If it doesn't release it alice gets its funds.
21:35 < gmaxwell> the basic idea is that if you give me a signature with a key of yours,  and if we had the right opcodes, I could write a scriptpubkey which allowed you to redeem it if and only if you reuse the same k value, thus disclosing the private key.
21:35 < nsh> hmmm
21:36 < gmaxwell> so then you setup a complicated sequence of timelocked n of m fiddly transactions so that there are three ways the thing can be released... early and the funds can only go to fee or alice.. ontime the funds go to the clock, or late and the funds go to alice.
21:40 < gmaxwell> I dunno if it would be useful though, esp I don't know how to prevent people from freeloading. E.g. alice publishes the initial signature and now any number of people can use that timelock
21:42 < nsh> i'm not sure that's too much of a problem, necessarily
21:45 < gmaxwell> well, if the bitcoin incentives are to have any point at all they should be fairly large... and it's not reasonable to ask clock to lock up funds for a long time without a considerable return. the more people who use it without paying the more incentive for clock to make a deal with someone and never disclose or disclose early.
21:47 < gmaxwell> how about a different one,  how about a semi-anonymous quorum timelock.
21:48 < gmaxwell> N players have a distributed public private key. The private key is split into polynomial shares such that 50% of them are required to recover the private key.
21:49 < nsh> right
21:49 < gmaxwell> over time, some M of the N players drop out they vanish without any of the other players hearing from them for a while, and so they do some quorum consensus and decide those M players are defunct.
21:50 < gmaxwell> They invite M new players, and do some protocol needing 50% of the original N to help the new M players recover the shares of the M that left.
21:51 < gmaxwell> ignoring how you'd go about doing that how would this break down?
21:52 < nsh> i think i'm lost
21:53 < warren> http://www.openssl.org/  <--- sigh
21:53 < gmaxwell> nsh: well you get how you can have a key shared among many people such that you need a majority?  You can do this in ec groups such that there doesn't need to be any trusted dealer.
21:53 < nsh> sure
21:53 < maaku> if you love openssl you wouldn't do that...
21:54 < gmaxwell> nsh: just information theoretically, if M of the N leave, but M<N/2 the N-M could still recover the key. So the remaining N-M should be able to help a new M users recover the missing shares of the missing M that left.
21:54 < nsh> (maybe they love openssl, but not as much as fleeting notoriety in dubious social circles)
21:55 < nsh> gmaxwell, can they repopulate without revealing the secret itself though?
21:55 < nsh> that seems less obvious
21:55 < gmaxwell> (after all, they could just recover the whole key and then split it up again)
21:55 < nsh> depends on the sharing scheme i guess
21:56 < gmaxwell> nsh: Yea, I haven't figured out how to do it, I'm pretty sure it can be done though. Just assume they can for the moment it's pointless if the scheme isn't useful regardless of doing that.
21:56 < nsh> okay
21:56 < maaku> nsh: probably helps them get their next job. i've heard that some major art thefts are only to enable the thieves to get "in" to an organization
21:56 < gmaxwell> nsh: or actually I'm completely sure it can be done, I don't know how easy it is to do it.
21:56  * nsh nods
21:57 < gmaxwell> nsh: I'm completely sure because the remaining N-M plus new M could use secure multiparty computation to secretly regenerate the whole key and then split it back up and give it to the new N users.
21:57 < nsh> yes, that makes sense
21:57 < gmaxwell> Though I also think it's likely that there is a less horrific way than invoking SMPC.
21:57 < nsh> modulo some computational/bandwidth costs
21:57  * nsh nods
21:58 < gmaxwell> seems to me that you could get a pretty darn robust timelock this way.
21:58 < gmaxwell> you just need some sybil resistant way to select players.
21:59 < nsh> i'm missing bits still. how do you go from N of M secrets (with dropouts and repopulation) to timelock?
21:59 < gmaxwell> And then you can do {magic} to continually redistribute the key so that people coming and going don't break you.
21:59 < gmaxwell> oh just as the "rules of the system" the N parties agree that once the time passes they'll all publish their keys.
21:59 < nsh> backed by fidelity bonds?
22:00 < gmaxwell> So it's secure so long as the majority follows the rule.  But systems like that often aren't practical because they don't handle the members changing over time.
22:00 < nsh> hmmm. i don't know how easy it would be to find N people who would reliably publish on schedule
22:01 < gmaxwell> nsh: maybe? or love for their community. It's not like this is an expensive operation.  Generally the reason I think majority of N systems are not practical isn't that you can't trust the majority for most things you'd want, but because of membership complications.
22:01 < gmaxwell> nsh: well it's not people, of course, it's people's software. :P
22:01 < nsh> sure :)
23:34 < jrmithdobbs> it's packaged for ubuntu and debian but not in their repos
23:34 < warren> sounds like something that uses ec
23:35 < jrmithdobbs> nah, ruby software
23:35 < jrmithdobbs> no one bothers packaging it because it's impossible to package gems in anything but gems
23:44 < warren> jrmithdobbs: hm, fedora seems to have a 100+ "rubygem-*" packages
23:44 < warren> Fedora takes years to come up with a packaging standard before something like this is allowed.
23:44 < jrmithdobbs> ya it's not packaged, i'm 100% sure of that
--- Log closed Thu Apr 11 00:00:07 2013
--- Log opened Thu Apr 11 00:00:07 2013
00:12 < warren> My surgery is a few days before the conference, so sadly I'm not going.
03:11 < warren> gmaxwell: I just had a scary thought.  Could p2pool's purported "bad luck" be attributable to a slightly higher chance of orphans because many of those nodes take longer to upload the new block than an ordinary high-bandwidth pool server?
03:14 < petertodd> Absolutely
03:14 < petertodd> >1MB blocks will without a doubt kill p2pool for that exact reason
03:15 < petertodd> Similarly p2pool has the inherent problem that it has no way to get participants to include transactions in the shares they solve.
03:15 < warren> well, that's a benefit, if you believe in decentralization
03:15 < warren> I'm more concerned about the orphan risk
03:16 < warren> When a mining client like cgminer finds a block, what exactly does it upload to the pool server?  (I never looked yet)
03:17 < petertodd> "Mining" clients, IE hashing clients, don't need to know what transactions are in a block and just upload headers.
03:17 < warren> ok, so that's fast and tiny
03:17 < warren> petertodd: even with GBT?
03:17 < petertodd> Yup, regardless of what size blocks are.
03:17 < petertodd> GBT is only from pool to client.
03:17 < petertodd> Oh, sorry, that's a bad way to describe it...
03:18 < warren> sure, but the client can change the tx set that it chooses to hash, so I assume it has to upload a lot more to the pool server
03:18 < warren> upon finding a block
03:18 < petertodd> Yes, the client with a true GBT setup needs to tell the pool what TX's they used, which is why GBT in that use scenario won't be allowed by pools.
03:19 < warren> Ah, so Luke-Jr's argument that "Eligius is decentralized mining" is not very accurate.
03:20 < petertodd> Yup, it's at best accurate with small blocks, and doesn't scale.
03:20 < warren> So it's fine for Litecoin, which has no tx's!
03:20 < warren> =)
03:21 < petertodd> GBT doesn't solve the competition problem either, that is, the expense of starting a new pool because the old one is dishonest. In addition, pool ops can divert hashing power to other pools, while witholding block solutions, as a way to attack those pools.
03:21 < warren> So ... p2pool can only truly compete with "normal" pools if the nodes are run with high bandwidth.
03:21 < petertodd> Exactly
03:22 < petertodd> Even worse, there is a free-rider problem where naturally people with low bandwidth can connect to p2pool and screw it up for everyone.
03:22 < warren> p2pool currently makes no attempt of optimizing peer selection, among other problems.
03:22 < petertodd> If it did though it'd run into the same problems bitcoin would by optimizing peer selection.
03:22 < warren> forrestv made an excellent proof of concept, but it never went beyond that.
03:23 < petertodd> Yeah, I'm not convinced the proof of concept can be turned into something truly robust though due to inherent issues with Bitcoin. Issues that will be made truly insolvable with large blocks.
03:24 < warren> Perhaps if the nodes were encouraged to be hosted on high-bandwidth, and peer selection scoring measured peer quality in various ways.
03:25 < warren> This will matter if we want multi-ASIC owners to decentralize (not on the big pools).
03:25 < petertodd> Impossible not to game those things though - you can't prove to someone else that a third party possessed bandwidth.
03:26 < warren> You can score things like "who sent me the new share first" and "who responds with incredible lag"
03:26 < petertodd> Yes, but only locally. As I say, you can't prove to someone else that, other than by saying "I have a lot of hashing power and say so", which means your attacker just starts off with more hashing power, and votes for themselves.
03:27 < warren> It isn't really a vote, and the scoring is used primarily to figure out which of your peers is worst and to kick them out eventually.
03:28 < warren> By these measures a high-bandwidth node without hashers could be scored high.
03:29 < petertodd> Ah, yeah, locally that can work, on the other hand, it means you can attack P2Pool by running some high-bandwidth P2Pool nodes and doing stupid crap like splitting the network.
03:30 < petertodd> Hmm.... actually I may be wrong about that, if P2Pool merges splits together by including the work on both sides, which it should.
03:30 < warren> you'd need a large number, and you would need the actual hashers to never be connected directly to each other.  Big hashers explicitly connect to each other by IP.
03:30 < petertodd> Getting large numbers of IP's is really easy for attackers.
03:30 < warren> still, hashers will link directly to each other
03:31 < warren> forrestv is considering parallel chain merging as means to get rid of the current annoying 10 second work intervals
03:31 < warren> it's all talk now though, there are some design issues
03:31 < petertodd> Oh good, so he's not doing that right now, but recognizes it.
03:32 < petertodd> P2Pool also needs multi-levels eventually, to keep variance down. IE a p2pool that mines p2pool shares collaboratively.
03:32 < warren> forrestv's priorities are clearly elsewhere.  He's wholly unprepared for ASICs and seems uninterested in working on someone else's Avalon.  Folks are waiting for him to get his own Avalon.
03:33 < warren> People thought of that. How do you prevent dust from getting too small?
03:33 < petertodd> he's a young kid in a hard university program, so I can't blame him.
03:33 < petertodd> The sub-p2pool shares don't have to communicate with each other, though yes, I'm sure there will be plenty of tricky design issues.
03:34 < petertodd> sub-p2pool chains I mean
03:34 < warren> right.  the hard part there is just the dust gets too small.
03:34 < warren> p2pool LTC payouts are *already* too small for LTC's super high fees.  Lots of complaints from CPU miners.  (haha)
03:35 < petertodd> Oh, you mean the dust payments, that's what off-chain transactions are for.
03:35 < warren> off-chain transactions would be entirely outside of p2pool's design goals.  If the code is implemented right (it currently isn't), you don't really have to trust the other nodes.
03:36 < petertodd> IE at some point there is someone paying sub-p2pool miners with off-chain tx's, possibly fidelity-bonded banking where you can take humans out of the equation in terms of trust.
03:36 < petertodd> Implemented properly fidelity-bonded banking relies on incentives, not trust. You are trusting the person actually holding the funds to be economically rational, because any fraud has huge costs to you.
03:36 < petertodd> But that's a long way off.
03:36 < warren> what is "fidelity-bond" in a nutshell?
03:37 < warren> the sub-p2pool would be centralized and easy to take down with a DoS attack?
03:37 < petertodd> Long story short, it's a way of proving you threw away value.
03:39 < petertodd> Doesn't have to be. You can have people's bigger nodes make promises to submit winning shares to the main p2pool sharechain, and make those promises dynamically. The actual messages can be passed around by p2pool itself, so you don't need to have any idea who is making the payout or what their ip addr is.
03:40 < warren> p2pool sends the new block to the other nodes *and* to bitcoind.  That's promoted as a benefit as other nodes can propagate the block faster.  gmaxwell explained this to me before but I don't remember the detail of exactly how much it needs to upload between nodes ... it could be far less than a full block because the block contents were already sent earlier.
03:40 < warren> So I suppose this could counter-balance the bitcoind upload being slower.
03:41 < petertodd> The same methods can be used with bitcoin itself, so p2pool stays at a disadvantage.
03:41 < warren> can?  but would it?
03:42 < petertodd> Hard to say, worst case is the blocksize gets lifted without any of the optimizations getting implemented. Although that particular one, sending tx hashes rather than full tx's, is a really dangerous one because an attacker can use it to fork the network.
03:42 < warren> I don't know how that can be true though, given that each p2pool has its own bitcoind choose its own tx's to include.
03:43 < petertodd> p2pool would be making the assumption that tx's have propagated to the whole network
03:44 < warren> So if you patched your bitcoind to exclude SD spam, the sharechain block header upload won't succeed to reconstruct the block elsewhere?
03:44 < warren> OH!
03:44 < warren> the p2pool log shows BLOCK FOUND and sometimes INCOMPLETE BLOCK FOUND
03:44 < warren> That must be it.
03:44 < petertodd> Interesting, that may be exactly the case. I don't actually know the full details.
03:45  * petertodd has a BFL and can't use p2pool.
03:45 < warren> BFL FPGA with the 5 second work return latency?
03:45 < petertodd> yup
03:46 < warren> what kind of hash rate and power usage does that have?  just curious.
03:46 < petertodd> I forget exactly, but I remember it was exactly as advertised.
03:46 < petertodd> ~830 and 60W or something
03:47 < warren> nice. especially due to the ASIC delays that must have been good for you.
03:47 < petertodd> Slightly insane that my one unit was bringing in a theoretical $500/month at the very peak of the BTC price...
23:25 < gmaxwell> at least would dampen curious operators somewhat.
23:28 < gmaxwell> amiller: for the green address case where you actually do trust the proximal sender, they should just be giving you a signmessage "I promise I won't doublespend txid 12345 with something not paying output 1abcde"--well_known_key out of band. :(
23:28 < gmaxwell> mtgox wouldn't implement that for near incomprehensibly stupid reasons.
23:28 < amiller> well you'd also need to have set the prior transaction old enough
23:28 < gmaxwell> yep. Sure.
23:28 < amiller> like you have to arm the proximal spender with a lot of time in advance, even if you don't know its destination
23:29 < gmaxwell> but thats why this is better than the version where the payee is the 'oracle': the spender could reasonably do this in advance if it were a common practice.
23:30 < gmaxwell> (Magicaltux got it in his mind that recovering the y coord from the x in ecc was patented. Nevermind that this was disclosed in the original ecc paper, that the patents related to it are specific to specific performance optimizations on binary fields, and that you can't validate the bitcoin blockchain without doing recovery because of compressed keys... but because of this he won't implement signmessage)
23:31 < gmaxwell> (and he's uninterested in most other green-address type approaches because they require something like the payment protocol where the proximal payee communicates with the paid, and his real motivation for "green" addresses was silk road whom he doesn't want to connect to)
--- Log closed Mon Sep 02 00:00:00 2013
--- Log opened Mon Sep 02 00:00:00 2013
02:25 < gmaxwell> 23:05 < jorash> gmax: cheers, research is done  < I have upgraded my personal assessment of this guy to scammer.
08:38 < Luke-Jr> heh
08:38 < Luke-Jr> if it really was done, I could have BFGMiner doing it in a few hours :p
08:43 < sipa> doing what?
09:02 < Luke-Jr> sipa: efficient quantum simulation to find the solution to a block ~instantly
09:02 < Luke-Jr> ie, break SHA-2
09:05 < sipa> lol
09:27 < Luke-Jr> yeah, pretty much XD
09:39 < HM> oh bollocks
09:41 < gmaxwell> he's surprisingly resistant to the argument "okay, fine, lets say your faster than QC computation on a desktop thing is true ... why do you want to mine bitcoin with it?  it would make bitcoin worthless"
09:42 < gmaxwell> presumably because that argument gets in the way of asking for funding. :P
09:42 < gmaxwell> man we should hook him up with the people funding this gonzo altcoin things that work by spamming the blockchain.
09:42 < gmaxwell> at least the funding would go someplace less harmful. :)
10:16 < Luke-Jr> heh
10:16 < Luke-Jr> I've been careful what I say to him, in fear that he might manage to scam people using my ideas <.<
10:41 < Luke-Jr> also strikes me as odd that he can't wait months for funding
--- Log closed Tue Sep 03 00:00:03 2013
--- Log opened Tue Sep 03 00:00:03 2013
15:49 < gmaxwell> amusing: people here have been chasing a bug for some users where the workaround has been to just recompile the browser and push an update.. and something non-deterministic in the build makes reported crashes go down.
15:51 < gmaxwell> Turns out there are some revisions of some AMD SOC where when the processor is in some state, and there is a branch misprediction, and then within four instructions from the mispredicted branch there is another branch.. then sometimes it resumes execution 15 bytes later than where it should have. And the build non-determinism seemed to be influencing if that 15 byte offset was a valid instruction or not.
16:00 < jgarzik> gmaxwell, makes one want to distcc each built file to N machines, and verify results match
16:52 < Luke-Jr> [20:52:22] <jorash> So, are we absolutely certain that GPUs are slower than ASIC --- ie. that devs are not missing something in the GPU miner code?
16:52 < Luke-Jr> gmaxwell: ^ lolwut
16:58 < gmaxwell> Luke-Jr: why are you talking to that guy still?
16:58 < Luke-Jr> gmaxwell: I wasn't, he just randomly spit that out :p
17:40 < midnightmagic> lol
17:42 < gmaxwell> For those not in #eligius, he continued on to demand citations for proof that GPUs could not efficiently simulate mining asics, and for proof that mining asics are not turing complete. (and then I gave up and pushed him into a volcano)
17:45 < gmaxwell> ... PM from him:
17:45 < gmaxwell> 14:42 <jorash> you just turned Skywalker into Vader.
17:45 < gmaxwell> just for the record in case my volcano dunking makes him actually go out and prove BQP is in P, so I can collect my credit for this contribution to the effort.
20:15 < midnightmagic> VA-DER va-DER! va-DERRRRR!!!
--- Log closed Wed Sep 04 00:00:06 2013
--- Log opened Wed Sep 04 00:00:06 2013
--- Log closed Thu Sep 05 00:00:09 2013
--- Log opened Thu Sep 05 00:00:09 2013
04:14 < gmaxwell> a pigeonhole principle violator looking for funds: https://bitcointalk.org/index.php?topic=288152.msg1958077;boardseen#new
04:15 < gmaxwell> next week we're going to have zeropoint energy people.
14:31 < midnightmagic> hah, awesome.
14:31 < midnightmagic> uber-compression to the rescue
14:33 < midnightmagic> comp.compression.research FAQ needs to be resurrected I guess
14:34 < midnightmagic> "and yes, this game idea would itself be worth millions if you knew everything it entailed"
14:34 < midnightmagic> i love it
15:34 < amiller> now i'm working on a paper about a proof-of-storage puzzle
15:35 < amiller> a couple of high profile professional researchers are surprisingly interested in this and so i get to collaborate with them
15:35 < amiller> it's basically the use-knowledge-of-blockchain-as-mining idea
15:36 < amiller> only they're less interested in it being the blockchain data itself, they think of it as storing arbitrarily useful unrelated data like library of congress, or maybe random user data if a user is willing to put up a bounty for storing their favorite data
15:36 < amiller> it doesn't really matter because the construction is the same
15:37 < amiller> i'm focusing on basically what the optimal mining strategy is for a puzzle like this
15:37 < amiller> especially if you have an ssd or a hard disk, and if you try to outsource it to a centralized storage depot somewhere
15:37 < gmaxwell> amiller: I was trying to come up with a way where the payment in the block would be paid to the author of a proof of storage proof in order to frustrate outsourcing the proof but didn't come up with anything great.
15:38 < amiller> well we have two ideas
15:38 < amiller> one is just to rely on latency making it hard
15:38 < amiller> like outsourcing generally means having round trip latency
15:38 < amiller> and the more latency you have from selecting a nonce to learning the result, the more likely someone else will find an answer in that time, so it's bad for you
15:39 < amiller> especially if the number of iterations is set really high... but that's also bad for proof size
15:39 < gmaxwell> yea, well the latency potentially has other negative implications... like strongly favoring consolidation.
15:39 < amiller> i don't think i like that approach over all
15:39 < amiller> it also means that an SSD is really ineffective
15:39 < amiller> er an HDD
15:39 < amiller> the other idea is to make the operation at each step actually be a signature
15:40 < amiller> therefore you either need to securely outsource / obfuscate the signing operation with your key
15:40 < amiller> or you need to give the outsourcer your key
15:41 < amiller> i like this approach better, but in any case it's interesting to experiment with the parameters and performance tradeoffs
15:41 < amiller> the main thing i'm interested in is
15:41 < amiller> since the random seek time is somewhat expensive in either case
15:42 < amiller> how much more efficient (in throughput) can you make it by having lots of puzzle attempts pipelined / in a batch
15:42 < amiller> so you can read one block of a file
15:42 < amiller> and service all the threads that are waiting on that block, basically
15:43 < amiller> i think it depends on the ratio of the inner state (one hash, basically) and the effective block size for the disk
16:06 < gmaxwell> amiller: yea, I've thought of making the pseudorandom permutation in the search a trap door, but I think that makes the proofs much bigger.
--- Log closed Fri Sep 06 00:00:11 2013
--- Log opened Fri Sep 06 00:00:11 2013
11:07 < HM> the crypto debates with the latest SNowden revelations are so fascinating
11:07 < HM> *Snowden
11:08 < HM> It's kind of shocking to see Schneier outright saying he doesn't trust ECs like NIST P-521
11:15 < gmaxwell> HM: I don't think he was saying that.
11:15 < sipa> because of nist, or because of ec, or because of the p?
11:15 < gmaxwell> also IIRC P-521's parameters are the result of a nothing-up-my-sleeve procedure.
11:15 < sipa> indeed
11:15 < sipa> secp256k1 is much more "constructed" afaik
11:16 < gmaxwell> This isn't to say that they didn't have enough design control to steer it into something that they could optimize for.
11:16 < gmaxwell> But its not obvious how.
11:18 < HM> hmm, well maybe Schneier is misinformed
11:18 < HM> he said on his blog in response to a comment that he doesn't trust the constants out of NIST
11:18 < HM> specifically with regard to P-521
11:18 < jgarzik> are secp256k1 constants out of NIST?
11:18  * jgarzik never researched the "construction"
11:18 < gmaxwell> Yes.
11:19 < gmaxwell> hm actually they may be out of certicom ultimately.
11:20 < gmaxwell> so CSE instead of NSA. :P
11:20 < HM> lol
11:20 < gmaxwell> In any case, there isn't any known way that the public parameter choices could be backdooring these systems.
11:20 < sipa> yes, nist didn't standardize secp256k1 afaik
11:20 < gmaxwell> So I would be concerned that any _other_ random choice would be just as bad.
11:21 < sipa> only secp256r1, which they call p-256
14:29 < gmaxwell> Most of the examples I see are trivially exo-coin-able. The colored coin itself actually serves almost no purpose, there is some other system that assigns meaning to the coin, so you can usually do your transaction there. There are arguments to be made that the other thing might try to censor transactions, but it could just as well refuse to honor transactions... and bitcoin itself is pretty censorable. Maybe it isn't a wash, but I ...
14:29 < gmaxwell> ... think it's far less obvious a gain than it looks at first blush.
14:31 < gmaxwell> worse, since bitcoin is colorblind, it doesn't usefully compute artifacts that help make looking up your colored coins computationally efficient. .. and if you try to make it, via things like inefficient tag addresses and address indexes, you make the colored coins much easier to censor. :(
14:31 < adam3us> gmaxwell: i think the irrevocability surprisingly transfers to even issuer backed items (eg colored usdcoins, goldcoins etc) as well as shares, in a way that ripple can not
14:32 < adam3us> gmaxwell: the issuer may not let you redeem, but you can trade for bitcoin or other exchange tradeable cryptocurrency, and get out
14:33 < adam3us> gmaxwell: though i have reservations about literally coloring bitcoins due to the tx volume of nominal value coins (eg mtgox has internal transaction per second peaks over bitcoins max tps with 1MB block)
14:33 < maaku> gmaxwell: that's why we developed freimarkets, because colored coins were too limited in functionality and had huge scalability red flags
14:34 < maaku> it's our answer to the question "if you were to hard-fork, what changes would net you the most bang for the buck in the most general way possible"
14:35 < BlueMatt> gmaxwell: yea, thats a bit washy...in many cases that is true, but putting the colored coins directly in the bitcoin txn disconnects the exchanging from the issuer having to deal with it. and given that in some cases the exchange is a different part from the issuer, that may be a desirable property
14:35 < adam3us> gmaxwell: yes i thought of the definitional anti-mastercoin-dust (msc=literal coloring based) possibility :) if they disrupt the bitcoin network to the point of seriously affecting normal bitcoin, the necessary openness and detection of coloring implies they can be blocked
14:35 < maaku> adam3us: well, anyone who thinks a decentralized exchange is going to surpass mtgox volume is fooling themselves
14:35 < BlueMatt> ofc there are plenty of cases where colored coins could easily just be handled directly by the issuer in a non-colored-coins way with the same security model (+/-)
14:36 < maaku> although you can take the idea rather far - if, like freimarkets you only ask for consensus on matched trades, not the order book, then you could probably reach mtgox circa-2012 levels
14:36 < adam3us> gmaxwell: actually let me retract that - the way msc does it most likely (and i didn't look at it beyond the initial paper) it could be blocked, but that may not be inherent, eg like my committed tx proposal demonstrates you can hide the nature of your tx even from all hostile miners
14:36 < gmaxwell> BlueMatt: a bit, but there are big advantages to not dealing with bitcoin. like... there is no promise that your colored coins will actually be transferable in bitcoin in the future. So even if the company is honest, the reality of bitcoin might make life hard for you.
14:37 < gmaxwell> adam3us: the schemes that hide though make the data even less public... and of course, if you can hide successfully, you could also use that with the trusted creator-of-value.
14:38 < adam3us> gmaxwell: i mean the committed tx feature that you can use bitcoin network validation for double-spend, without revealing addresses and tx details to the miners (or anyone not involved in the tx) due to commitments (hash tx details including value, inputs, addresses) other than a one use recipient address to assure no double spending
14:38 < gmaxwell> Basically, whenever I've talked to people they've used examples where you can achieve it without bitcoin. maybe with some somewhat different tradeoffs. But since bitcoin is a _global_ broadcast medium, I generally default to "if you can achieve what you need without bitcoin transactions, you should"
14:39 < adam3us> gmaxwell: strongly agreed.  however i wanted to say that you can do irrevocable digital bearer certificates on a block chain, even if they are not mined, just issued; the issuer can refuse to redeem, but you dont need him to
14:40 < gmaxwell> adam3us: yea, now the annoying thing there is that all the users of those systems have to forever be personally tracking every coin in their system, because bitcoin can't do the work for them. And, of course, if the private data needed to do the tracking gets released people can censor the commitments.
14:41 < adam3us> adam3us: because you can trade them, atomically p2p for other cryptocurrency, and if necessary via other exchange if you want fiat
14:41 < adam3us> gmaxwell: actually bitcoin can do the storage for them, what the user has to store in committed tx in that variant is tiny, fixed size
14:41 < maaku> adam3us: if the issuer stops redeeming, I doubt there will be much liquidity to do that
14:42 < adam3us> maaku: no i mean about irrevocable DBC status, ecash like status; in my lexicon something is not a DBC or not ecash if it has fungibility issues arising from selective non-tradeability
14:42 < gmaxwell> yea, if you imagine a money like asset whose value is pure scarcity ... there is an argument, but of course a money like asset is competitive with bitcoin and miners have all the more reason to .. uh not look kindly on it.
14:42 < maaku> but anyway i think it's rather rare that you need global consensus when there is a trusted issuer involved
14:43 < maaku> let an exchange or the issuer themselves run an accounting server
14:43 < adam3us> maaku: i think you are over-estimating the issuers involvement
14:43 < gmaxwell> I think you're talking about different cases.
14:43 < adam3us> maaku:  the point is once there are usd colored coins on the network , people won't need to use fiat wire xfer to get into and out of gox etc
14:44 < gmaxwell> One of the things people talk about are shares in companies. (e.g. like bitcoin businesses) there have been a lot of bitcoin stock markets .. and everyone worries that the next one will vanish and swallow up everything.. and so they ask for something p2p.
14:44 < adam3us> maaku: they can load exchanges with usdcoin, or type3 exchanges that just order match and green sign confirm a p2p atomic swap btc for usdcoin
14:44 < gmaxwell> adam3us: LOLOLOLOLOL
14:44 < adam3us> gmaxwell: ?? LOL ref?
14:45 < maaku> adam3us: what happens if the person acting as the gateway for usdcoin up and disappears?
14:45 < gmaxwell> adam3us: because everyone is totally going to be trusting that their adam3-usd is redeemable. That idea is a farce. Especially because creating notes for USD is generally believed to be regulatory unlawful... which is problematic if for nothing else than because you need the USD to actually be transferrable at some point.
14:46 < BlueMatt> adam3us: ehh, it still requires a similar level of trust on issuers...
14:46 < adam3us> maaku: sure, no diff to now what happens if gox goes under and you lose your goxusd (which btw are only worth 90c on the dollar)
14:47 < gmaxwell> adam3us: yea sure, but gox acts as a central clearing house. So goxusd is (in theory) liquid.
14:47 < adam3us> gmaxwell: "adam3-usd" tee hee pun.  in my way of thinking some innovator sticks their neck out forms a company in a digital currency conducive jurisdiction and issues them with auditors, banking regulation and everything else that goes into it
14:48 < gmaxwell> We could call it DigiCash, if the name isn't already taken.
14:48 < adam3us> gmaxwell: its not liquid there are extreme backlogs getting the money out, daily limits, per tx limits, multiple month delays thats why its worth 90c on the dollar
14:48 < maaku> adam3us: hence our decision to domicile in St Vincent...
14:48 < gmaxwell> adam3us: that was the "in theory" part. Still, people consider it better than random-scammer-usd.
14:48 < adam3us> maaku: again, go maaku
14:49 < gmaxwell> adam3us: and in these cases you don't need colored coins for any of this. Have random-scammer run an open transactions server. The RSUSD is useless if RS goes kaput in any case.
14:49 < maaku> but the earlier point, that goxusd has any value is because you trust mtgox ltd. to redeem them (or you slightly trust them, and have 0.9 valuation)
14:49 < adam3us> gmaxwell: clearly its better if its a person people know, using their real name, with a real company in a credible, well regulated banking jurisdiction, with transparency, credible investors and backers
14:50 < maaku> you're trusting them to be honest anyway, so what is gained from public, global consensus of goxusd transactions?
14:50 < adam3us> gmaxwell: i dont think thats true; yes if it goes under you're in as much trouble as if gox goes under; but gox lived for some years so far, an presumably a few more yet
14:50 < gmaxwell> adam3us: sure, and if it is they can maintain their own ledger ... even using chaum tokens.
14:50 < adam3us> maaku, gmaxwell: again DBC have to be irrevocable or they are not DBC
14:50 < maaku> DBC?
14:50 < adam3us> digital bearer certificate
14:50 < maaku> ok
14:50 < gmaxwell> adam3us: if gox goes under all goxusd is worthless.. if RS goes under all RSUSD is worthless. Why not make RS run the ledger for them?
14:51 < adam3us> back in like 1995-2005 there were people running around ranting about DBCs, smart-contracts, chaum ecash etc
14:51 < adam3us> gmaxwell: there is a difference
14:51 < adam3us> gmaxwell: the ledger is central it can be hacked
17:24 < jtimon> of course we agree that most of the volume will be off-chain
17:24 < maaku> hopefully the law will change to be more bearer-instrument friendly, but until then...
17:25 < jtimon> until then maybe there's companies smaller than IBM and in other jurisdictions that can just issue shares without KYC
17:26 < maaku> yeah maybe we can start a movement for bitcoin startups in St Vincent and the Grenadines, as they have favorable laws towards bearer assets
17:26 < jtimon> but still IBM can be KYC compliant, I just don't think it will be the most common case for in-chain assets
17:27 < maaku> but definately common for private servers, especially where convertible currencies are involved
17:28 < jtimon> what I still don't understand are adam3us and gmaxwell worries on "pseudonimously held" in-chain assets
17:29 < jtimon> I don't see the need for full anonymity in bitcoin itself, "user-defined anonymity" seems ideal to me
17:30 < maaku> jtimon: the issue is certain coins being marked as 'dirty' and black listed
17:31 < maaku> if you allow this to happen, it's a very slippery slope to full centralized, KYC control over bitcoin
17:32 < jtimon> but that doesn't make much sense
17:32 < jtimon> who's going to maintain the centralized list of dirty coins?
17:32 < maaku> Financial regulators
17:33 < jtimon> and what happens to me if I spend those dirty coins?
17:33 < adam3us> jtimon: you need in my view the transaction layer to offer final settlement otherwise legal disputes increase costs and we're back to status quo
17:34 < adam3us> jtimon: but that doesnt mean anonymous, you can attach KYC info outside the fungible bearer certificate
17:34 < maaku> jtimon: good for you if you can actually get rid of them. but the point is that *everyone* will be checking this list of dirty coins to make sure they're not receiving anything tainted
17:34 < jtimon> if the bearer contract says that a chain transfer is final after 3 blocks, then is final after 3 blocks
17:34 < adam3us> jtimon: only if its block chain hardened
17:35 < adam3us> jtimon: otherwise a judge can come in and say that malware share hack, all those have to be undone
17:35 < adam3us> jtimon: and any consensus system will have to obey the judges in their jurisdiction
17:35 < jtimon> that's impossible
17:35 < adam3us> jtimon: i view it as the analog of why credit cards have high fees and why banks have high wire fees etc
17:35 < maaku> adam3us: well, widely deployed coinjoin would be sufficient too, right?
17:36 < adam3us> maaku: sure, the main point is it is defacto impossible to undo because you cant tell you are punishing the right person
17:36 < jtimon> the judge can't just say, "hey, Bob, undo the last 1400 bitcoin blocks where you stole the IBM shares from alice"
17:37 < adam3us> maaku, jtimon: but it is orthogonal to identity, pseudonymity, privacy (say everyone knows everyone they interact with and can prove it but the block chain doesn't see it) etc
17:37 < adam3us> jtimon: right thats good, the bad part is when they got to the OT server and undo the share
17:37 < jtimon> if privacy is possible, full traceability is not
17:38 < adam3us> jtimon: maybe not enough assurance.. courts are very fuzzy, if there is a common sense argument as it being obvious who it was, they'll do it anyway
17:38 < adam3us> jtimon: i think privacy has to be near uniform ideally
17:38 < adam3us> jtimon: with identity added back on top as needed
17:39 < adam3us> jtimon: so you can prove who ripped you off, take them to court, and get a decision requiring them to reimburse you; but not get the court to find the actual share and give it back
17:39 < jtimon> but the thief is the one responsible for the crime, not the person currently holding the coin
17:39 < jtimon> exactly
17:40 < jtimon> how that's not possible with the current input/output system?
17:40 < gmaxwell> Luke-Jr: I don't know that it matters, traceable = censorable. They can refuse to acknowledge any share that hasn't had its whole history through KYC.
17:40 < adam3us> jtimon: yes, but we are not sure courts will care about that distinction, logical though it is, hence eg bitcoin fungibility worries from taint tracing, maybe a thief victim sues someone with deep pockets (gox) to get back their stolen "digital stamp collectible" from gox under handling stolen property rules
17:40 < adam3us> gmaxwell: yes and that could happen
17:40 < Luke-Jr> maaku: whenever it doesn't matter between public/shared or private, private is always the better option
17:41 < adam3us> gmaxwell: so i think give them the kyc, have opacity (privacy, but kyc inside provable by user), but have fungibility level anonymity of the bearer asset people are attaching the required KYC to
17:42 < jtimon> but with private the accountant (the server) has full control
17:42 < jtimon> with in-chain assets they only have control over issuance and redemption
17:43 < adam3us> jtimon: well one argument gmaxwell made above is that there were a few bitcoin related share issuing/trading companies over the few years that were shutdown or disappeared leaving customers with claims on a non-existent server
17:44 < adam3us> so it seems minimally necessary for the bearer asset/share to survive a transaction server shutdown
17:44 < jtimon> yes, scams will be possible under any system
17:44 < jtimon> I'm just talking about cheaper auditing
17:44 < adam3us> jtimon: i dont really mean scams, just that if the server shuts down for some reason
17:45 < adam3us> jtimon: you want your shares in the companies that were trading on it to persist and be tradeable and accountable afterwards
17:45 < maaku> jtimon: GLBSE being the example
17:46 < jtimon> that's a reason to better use colored coins for it, no?
17:46 < jtimon> there's no "accountant", the chain is the accountant
17:46 < gmaxwell> jtimon: dude, a chain is _far_ from free.
17:46 < adam3us> yes i guess though we should separate the term colored coins because its a mechanism (and maybe not the best one) to achieve bearer assets
17:46 < jtimon> with GLBSE you had to trust both issuer and accountant
17:46 < gmaxwell> It's basically the most expensive account system to ever be imagined, it actually sounds like a joke until you reason out that it can work at least at some scales.
17:47 < jtimon> ok, p2p bearer assets
17:47 < adam3us> i think you probably can use a side chain or something to spare bitcoin the volume of nominal value transactions which it badly does not need
17:47 < adam3us> jtimon: yes good name
17:47 < jtimon> or just in-chain assets
17:48 < adam3us> jtimon: so maaku was discussing above about using OT servers
17:48 < adam3us> jtimon: however while there are receipts and users can switch to another server, its still quite centralized
17:48 < maaku> adam3us: well really I advocate for Freimarkets' private accounting servers, but OT is better understood to this crowd
17:48 < jtimon> gmaxwell, in-chain assets can be far more scalable than current colored coins
17:48 < adam3us> jtimon: and the threat is basically if the system degrades the users migrate to a chain i suppose instatiated with the receipt history
17:49 < jtimon> I don't like OT much
17:49 < adam3us> maaku: (yes i have some reading to catch up on, i dont mean to focus on OT, just i did not yet read the paper you published some time back)
17:50 < jtimon> OT assets are not atomically tradeable for in-chain assets, or even assets in other OT servers, for that matter
17:50 < adam3us> jtimon: in chain do u mean an altcoin with p2p assets on it? like a bitcoin extension that includes the asset issuer signature rather than mining evidence
17:50 < jtimon> yes, basically that
17:51 < jtimon> no
17:51 < jtimon> I mean, yes, the asset issuer signature is only required at issuance
17:51 < adam3us> jtimon: but that meets gmaxwell point that chains so far dont scale that far
17:51 < adam3us> jtimon: (yes)
17:52 < gmaxwell> jtimon: almost anything with script as powerful as bitcoin can be near atomically traded with bitcoin.
17:52 < jtimon> we could have bigger blocks
17:52 < adam3us> jtimon: at least while retaining their p2p nature (bandwidth too high if 1GB block eg)
17:52 < gmaxwell> jtimon: https://bitcointalk.org/index.php?topic=321228.0
17:52 < gmaxwell> (this works just as well when the endpoints are on different cryptocurrencies)
17:52 < adam3us> that's 23mbit symmetric i have nice internet in malta 100mbit/4mbit up but even i cant do that
17:52 < jtimon> yes, you cannot run NASDAQ on a p2p chain, I know
17:53 < maaku> adam3us: it's the consensus algorithm that doesn't scale, not the block chain data structure itself
17:53 < adam3us> maaku: ok
17:54 < gmaxwell> jtimon: we could have bigger blocks  < this isn't a free choice. There is a direct tradeoff with decentralization.  Since the chain has grown from 2GB to 14GB we've gone from around 40k reachable nodes to closer to 4000 reliable reachable nodes (actually there was an uptick in the last week, presumably due to the market activity, but we'll see how it settles)
17:54 < jtimon> we have problems to solve that we won't have in the future
17:54 < maaku> just pushing transactions through a beefy central server could easily handle 1000's of transactions per second, even with checkpoints and secondary replication, etc.
17:54 < adam3us> i think actually (in exploring what could change about bitcoin validation) some of the design decisions arise from supporting SPV
17:54 < gmaxwell> So yea sure, we could have bigger blocks but beyond some point it comes at a _direct_ expense of decentralization. If the goal to not use something like OT was because of better decentralization .. then that's counterproductive.
17:54 < jtimon> we don't need to download the whole chain
17:55 < adam3us> gmaxwell: agree, if that happens we have swift 2.0, and the miners will be public companies, they'd just as well sign paper contracts and stop mining
12:58 < andytoshi> as for the weird miner incentives, i'd really have to think about that
13:50 < Emcy> "BitTorrent Sync was designed with privacy and security in mind. The system uses SRP for mutual authentication and for generating session keys that ensure Perfect Forward Secrecy. All traffic between devices is encrypted with AES-128 in counter mode, using a unique session key. Modification requests are all verified using Ed25519 signatures and only systems with full access keys can generate valid modification requests."
13:51 < Emcy> that seems ok right. apart from the closed source ofc
14:02 < gmaxwell> lol
14:02 < gmaxwell> "Hmm. Low fat. Low Sodium. That seems ok right. apart from the gives you cancer part ofc"
14:07 < Emcy> but bt sync is so usable.....
14:09 < maaku> jtimon: having transactions expire is a requirement of the system we are building. no way around that
14:11 < Emcy> i did notice in the android client sync gives you the option to email somewhere that nifty shared secret string you just generated
14:11 < Emcy> derp derp
14:11 < maaku> Emcy: that email is PGP encrypted, of course? :P
14:12 < Emcy> of course not, just uses whatever email handler you have in android. Likely gmail
14:13 < Emcy> they should take that out and add the QR reader to the desktop app instead. The android client can already scan a QR produced by the desktop program, don't know why it's not both ways
14:13 < Emcy> i guess that's why its still beta
14:18 < phantomcircuit> Emcy, i don't see any really good reason why you couldn't implement bittorrent sync with nothing more than a private tracker and a shared key
14:18 < phantomcircuit> it shouldn't even be that difficult
14:19 < Emcy> i think that's essentially what they've done
14:20 < Emcy> they've just automated the hashing and .torrent publishing parts, and have some sort of metadata files hanging around so the nodes don't get confused about timestamps and such
14:21 < Emcy> it seems to be really quite usable though so far
14:21 < phantomcircuit> Emcy, depending on whether you trust the filesystem's modification timestamp you can do all of this very very efficiently
14:21 < Emcy> its not quite dropbox level of brain absentia though
14:21 < phantomcircuit> I'm surprised it took them this long to do it actually
14:22 < Emcy> yeah well no one wanted to do anything with torrent tech because muh piracy
14:22 < phantomcircuit> if they wanted to make it really fast they could share the block hashes for all the files
14:23 < phantomcircuit> so you have 2 files that are 90% identical you only transfer the diff blocks
14:23 < phantomcircuit> but i bet they didn't do that and have each file setup as basically a torrent with private peering
14:23 < Emcy> i think there was actually a BEP for that for normal bittorrent
14:24 < Emcy> a thing which could maybe bring avail. <1 torrents back from the dead by matching data blocks from seeders of other torrents
14:26 < jtimon> maaku I thought gmaxwell was proposing an alternative with multisig, but probably not the same use case
14:27 < jtimon> andytoshi, I'm not sure what you mean by "the whole transaction sub-DAG is risky", but I don't see how the 100 block wait is necessary
14:30 < jtimon> I'm not very informed on the bittorrent sync topic, but wouldn't a tahoe-LAFS GUI be better?
14:31 < andytoshi> jtimon: if a tx gets expired as a consequence of some reorg, the receiver of the btc loses out -- and so does everyone he spent to, and everyone they spent to, and so on
14:31 < andytoshi> the whole transaction chain is invalidated, so the risk model is the same as that for coinbase transactions
14:31 < andytoshi> hence the 100 block wait
14:31 < jtimon> that's the receiver problem, why didn't he wait for reorgs to be unlikely?
14:32 < maaku> jtimon: they like the fact that any non-coinbase tx that hits the chain can only be made invalid by malicious/buggy clients
14:32 < jtimon> or by a later double-spend
14:32 < andytoshi> jtimon: because he's an spv node and he didn't know that there was an nExpiresTime tx 2 layers back in the blockchain
14:32 < maaku> jtimon: that falls under the malicious category
14:33 < jtimon> can SPV wait less confirmation than rational people just because they have less information about the global state?
14:33 < maaku> as you say, it is trivially solved by having the receiver wait 100 blocks, then you have the same security as other transactions
14:33 < andytoshi> jtimon: and actually, if people are doing this sort of analysis when considering whether to receive coins, then the coins are non-fungible
14:33 < andytoshi> (at least temporarily)
14:33 < jtimon> why 100? where that number comes from?
14:33 < maaku> or, alternatively, tracing inputs back 100 blocks to show that they are not expiring soon
14:33 < maaku> coinbase maturity
14:34 < andytoshi> jtimon: 100 is arbitrary, just to be consistent with coinbases
14:34 < maaku> i'm just saying that would get you to the same level - right now any bitcoin transaction could get reversed in a reorg of >100 blocks
14:34 < jtimon> if you wait 50 blocks you are probably pretty secure despite previous coinbases or expiries
14:34 < maaku> well not *any* txn, but as a SPV node you don't know which ones
14:35 < adam3us> jtimon: thanks for the url btw i was unable to find "original ripple" before archive.ripple-project.org! all other urls and history redirects to ripple.com which maybe moderately different
14:36 < maaku> adam3us: significantly different
14:37 < jtimon> adam3us that link was to the 2PC distributed Ripple protocol, which is radically different from ripple.com
14:38 < maaku> jtimon: you know i think this is a non-issue, but it falls in a similar category as refheights
14:38 < maaku> you have to change your behavior slightly, and maybe adjust how clients/wallets work
14:38 < jtimon> everything is "off-chain" and you can actually trade 2PC assets for bitcoins (not btc denominated IOUs) atomically
14:38 < jtimon> if there wasn't expiries
14:39 < jtimon> all clients should probably determine the "secure number of confirmations" from the value of the transaction received
14:40 < jtimon> my point is that with expiries, transaction value is still the more important criterion
14:40 < jtimon> for both SPV and non-SPV clients
14:41 < maaku> jtimon: the ~100 blocks of security becomes a concern during network-wide problems like the March fork
14:41 < maaku> where opportunistic people can build chains off of expiring transactions on the bad fork, and cause merchants to lose money
14:41 < jtimon> maybe some miners
14:41 < jtimon> sorry
14:41 < maaku> but there are solutions that could be put in place on the merchant and wallet side to fix that
14:42 < maaku> by estimating nethash you'd be able to see the drop in hash power that would signal a fork, and delay/postpone any irreversible actions
14:43 < jtimon> march fork was exceptional, it was an unexpected hardfork
14:43 < jtimon> what are the chances of that happening again?
14:44 < maaku> pretty high, just not on a regular basis
14:44 < maaku> or you can make 100 confirms, or something as absurdly high the norm for high-value transactions
14:45 < maaku> and let clients/wallets use old coins with short proofs showing that they can't be reversed in less than N blocks
14:45 < jtimon> "high-value" doesn't exist in chain
14:45 < maaku> it's not something you have to reach consensus over
14:45 < jtimon> value is only in our heads, thus outside the chain
14:46 < jtimon> oh, I see
14:46 < jtimon> client policies
14:46 < maaku> i'm just saying the merchant waits until processing your gateway withdrawal or shipping your order or whatever
14:46 < maaku> yeah
14:46 < jtimon> yeah, I'm with client policies as well
14:46 < maaku> unless your client used old coins and provided proof, which could even be made the default behavior with little more than a UI checkbox for "expedited transaction"
14:47 < jtimon> in certain way I'm with miners policies too I don't like "non-standard fees" for the long run
14:48 < maaku> so my position is that like refheights this is a developer education problem
14:48 < maaku> but what we get out of it is absolutely worth it
14:48 < maaku> what do you mean?
14:48 < jtimon> I still don't see how unexpected hardforks can be common anyway
14:49 < gmaxwell> who cares if its common, if you play your cards right its world ending.
14:49 < jtimon> and although I think the devs did the right thing, they could have chosen the other solution
14:49 < gmaxwell> As in .. some event happens and it can never be recovered.
14:50 < jtimon> it was the ref implementation which wasn't following the protocol specification
14:51 < jtimon> we could have had much lower hashrates until the ref implementation was fixed
14:51 < gmaxwell> ... thats what we did.
14:51 < gmaxwell> we fixed the ref implementation to match the old.
14:51 < jtimon> that's the opposite of what I'm saying
14:52 < gmaxwell> uh.
14:52 < maaku> gmaxwell: you get just as much gloom and doom from a >100 block reorg now, and merchant policies can limit their exposure to be the same
14:52 < jtimon> we said "the rules aren't the specification, the rules were the old implementation"
14:52 < gmaxwell> jtimon: something like 80% of nodes were on the other fork including every major merchant, it would have been a non-issue except for the fact that 3 upgraded miners constituted >60% of the hashpower.
14:52 < jtimon> we could have as well said "the rules are the specification, fuck the old implementation for not following it"
14:52 < gmaxwell> maaku: yes, >100. But the events we've had have been <20.
14:53 < maaku> "merchant policies can limit their exposure to be the same"
14:53 < maaku> the only guys who got screwed are the ones who weren't doing adequate coin safety
14:53 < gmaxwell> jtimon: gee thats nice, except for the 80% of nodes including all major merchants who were actively being defrauded.
09:15 < Emcy> if they accepted the loss of cpu mining then why the fuck are they even there? I feel the same way about some of what people want to do to bitcoin too
09:16 < Emcy> grq?
09:17 < Luke-Jr> get-rich-quick
09:18 < Luke-Jr> Bitcoin has value to non-miners
09:18 < Emcy> like i said, so many ltc pump threads on /g/ now that OPs are actually starting to get banned
09:18 < Emcy> ive even seen feathercoin and peercoin (whatever that is) threads
09:20 < Emcy> damn you know you're poor when you have to learn to mouse left handed cos that's the side the heat vent is on your laptop and you can't really afford as much heating as you need anymore......
09:20 < Luke-Jr> sure, my point is there's nothing left once the pump goes away
09:21 < Emcy> i gather ltc bubbled and popped this week. Again gathering from various butthurt on /g/ from people who just did what /g/ told them to.
10:47 < skinnkavaj> Dear wizards, how can I protect my site from being ddosed to death without giving up all control to a company to Cloudflare? It's impossible right? Would it work better if everyone used namecoin instead of the current dns system?
10:48 < Luke-Jr> namecoin does not improve the situation at all
10:48 < pigeons> namecoin wouldn't stop idiots from saturating the pipes to your ipv4 endpoints or the servers using those addresses
10:49 < skinnkavaj> So it's not possible to do what cloudflare does in a p2p decentralized way?
10:50 < Luke-Jr> p2p does not help against DDoS
10:51 < skinnkavaj> Right now it's not good that so many big exchanges use cloudflare. Really serious problem I think.
10:51 < Luke-Jr> they're just exchanges *shrug*
10:51 < Luke-Jr> it's not like Cloudflare controls the bitcoins or fiat
10:52 < skinnkavaj> But hack Cloudflare and people LOSE millions.. Of course it's not like everyone would stop using bitcoin. But it could lower the confidence in bitcoin for a longer period.
10:57 < Emcy> cloudflare is just caching or something
11:04 < Emcy> "I know you devs are busy selling coins, but you owe the community solving this problem at least, before buying your ferrari."
11:04 < Emcy> check out this fucker
11:04 < Emcy> this will kill bitcoin. Ignorance = entropy
12:48 < nOg4nOo> Good morning, bears.
16:00 < MoALTz> question: does it really matter what the PoW function is (as long as it's a valid PoW one)? counter-point to answering "no": the ASICs already invested in and running on the network
16:05 < HM2> I think it should be calculating pi to 5000 trillion decimal places
16:06 < HM2> where's sipa? I need his wisdom on serialising public keys
16:14 < maaku> MoALTz: yes, proof-of-work needs to be fast to compute
16:15 < Luke-Jr> s/fast/easy/
16:15 < Luke-Jr> where "easy" can be defined multiple ways
16:16 < Luke-Jr> eg, a memory-hard PoW would need to use less memory to verify
16:18 < phantomcircuit> Luke-Jr, it would be at least vaguely interesting to use a variable memory scrypt
16:18 < Luke-Jr> phantomcircuit: AFAIK scrypt always requires the same memory to verify as to find
16:18 < Luke-Jr> which is why it doesn't work as a proof-of-work
16:19 < phantomcircuit> Luke-Jr, iirc there is a "hardness" factor which can be changed
16:19 < phantomcircuit> it changes the number of prng's used
16:19 < phantomcircuit> maybe that's bcrypt
16:20 < maaku> phantomcircuit: yes, but that's symmetrical
16:20 < phantomcircuit> right but it would make developing ASICS for it very expensive
16:21 < maaku> i think Luke-Jr is talking about a hypothetical situation where a miner uses GBs of RAM in the search, but only kilobytes are required to verify
16:21 < phantomcircuit> yeah i know im talking about something different
16:21 < phantomcircuit> you would have to build them with extra prng pipelines that would go unused right up until the chip became useless
16:25 < jtimon> phantomcircuit to justify anything different from merge-mineable SHA-256 first you have to explain why ASICs are bad for "you" as a network
16:26 < phantomcircuit> jtimon, ASICs necessarily lead to semi centralized mining efforts
16:26 < jtimon> defining ASIC as an artifact specifically created to be only able to serve you as a security provider
16:26 < maaku> phantomcircuit: not in practice...
16:26 < phantomcircuit> capital costs and non recurring engineering costs dominate
16:27 < maaku> we've gone from very centralized botnets to very distributed asics
16:27 < phantomcircuit> electricity is basically just a foot note
16:27 < jtimon> it is now, let's wait until asics are really optimized
16:28 < jtimon> profits tend to zero no matter the pow
16:28 < Luke-Jr> [21:25:26] <nwoolls> https://github.com/nwoolls/bfgminer/blob/feature/updating-windows-build/windows-build.txt
16:28 < Luke-Jr> [21:26:51] <Anixs> my Avast said that was a malicious text file
16:28 < Luke-Jr> lol
16:28 < jtimon> and in the end electricity is what makes the difference
16:28 < jtimon> paradoxically, taxes/subsidies on energy
16:30 < jtimon> Anixs stop using malware and you won't need to install avast or update it
16:31 < jtimon> that's my generic answer when my relatives ask me about viruses "I'm sorry, I don't use viruses so I don't know much about antiviruses"
16:32 < Luke-Jr> :D
16:32 < jtimon> then people ask "what do you mean you don't use viruses"
16:32 < jtimon> -you know, malware is software that does things you don't want it to do
16:33 < jtimon> do you have Windows installed?
16:33 < jtimon> -yes
16:33 < jtimon> -that's what I mean, I don't use viruses
16:34 < jtimon> I guess you could adapt it to mac in the us ;)
16:35 < jtimon> as said, the best thing an asic can do is serve you as a network, GPUs can do many things and leave you in the dark
16:36 < jtimon> if litecoin dropped to 1 usd cent tomorrow
16:37 < jtimon> miners would go to a more profitable scryptcoin fairly soon
16:38 < jtimon> how long would it take for the next "faster than bitcoin confirmation"?
16:39 < jtimon> on the other hand, asics that are not mining namecoin are just rejecting cheap income
16:40 < jtimon> namecoin is far more secure than litecoin
16:41 < jtimon> people often forget the limitations of the attack 51
16:42 < jtimon> you cannot change the rules no matter how much hashing power you have
16:42 < jtimon> your orphan invalid chain contains more pow? good for you, you can eat it
16:43 < jtimon> we users are looking to the blocks that follow the rules, period
16:44 < jtimon> you can do bad things with 90% of the pow, sure
16:45 < jtimon> but the machines (capital) want to yield as much as they possibly can
16:46 < jtimon> and that's mining
16:47 < MoALTz> good heating if you live somewhere cold
16:47 < jtimon> not reorging
16:48 < jtimon> yeah but you will get the heat either properly mining or trying to disturb the network
16:50 < jtimon> so if all asics end up in iceland and alaska
16:50 < jtimon> and two meteorites hit those places at the same time
16:50 < jgarzik> iceland is ideal, for energy as well as cooling
16:50 < jtimon> it's not such a big deal
16:51 < gmaxwell> MoALTz: there are certain requirements which are met by secure cryptographic hashes and are maybe met by other things. In general it's useful that the work have no value outside of getting into the longest chain, though even for PoW merged mining breaks this a bit.
16:51 < jtimon> you just need to make a hard fork reducing diff deus ex machina and take the opportunity to change to maaku's diff filter ;)
16:53 < jtimon> gmaxwell what do you think about a snark-based pow in which you do "voluntary" (it would start to be paid) computing instead of sha-256?
16:54 < jtimon> that would be GPU friendly so "less secure" in that respect
16:55 < jtimon> I heard that "specialized is better" argument first from jgarzik, and it really convinced me
16:55 < gmaxwell> the only space and validation compact snarks I'm aware of let the chooser of the validation key (e.g. the circuit) bypass the proving time.
16:56 < gmaxwell> jtimon: also, it would sort of be dishonest, e.g. snark prover time is a huge multiple of program execution time. so this wouldn't usefully be a way of getting work computed for you in the real world, regardless of the fact that theoreticians like to talk about outsourced computation as though it were a real application of their work. :P
16:58 < jtimon> yeah, wouldn't it be magical? trust-less boinc?
16:58 < gmaxwell> also, as a side effect of their zero knowledgeness, all the compact snarks I'm aware of are trivially rerandomizable. E.g. you do execution once and then you can trivially generate an infinite number of distinct proofs from your first proof.
16:58 < jtimon> yeah, but with snark you don't need repetitions anymore do you?
16:59 < jtimon> boinc send the same work unit to many clients to prevent them from lying
16:59 < gmaxwell> oh sure, but if its 1000x slower... the repetitions are cheaper.
17:00 < maaku> jtimon: yes, but the cost of making the snark proof probably dwarfs the inefficiency by orders of magnitude -- what gmaxwell said
17:00 < gmaxwell> (and actually I think 1000x is really small as things are today, but perhaps with specialized hardware you could start to get it down to numbers like 1000x slower)
17:00 < jtimon> I understand, I just don't want to believe I guess
17:01 < gmaxwell> It's magic in any case, but all real magic has limits. :)
17:01 < gmaxwell> I think it's silly to promote this stuff with general delegated computation, but I think thats just what some of the research groups have found that gets them funded.
17:01 < gmaxwell> since if that actually was efficient, e.g. overhead < 2x it would be commercially interesting.
17:02 < jtimon> I don't know how many repetitions boinc does, but 2000 is still "insecure" the way they do it, so maybe they use the 1000x thing
17:03 < jtimon> mhumm, I'm just speculating but I would say boinc does 100 repetitions or so
20:43 <@gmaxwell> petertodd: ah. point, right I knew this before.
20:44 < petertodd> gmaxwell: damned if you do, damned if you don't, unless everyone just uses the same nTweak, but then you have DoS attacks
20:44 < petertodd> gmaxwell: I mean, prefix-filtering has those DoS attacks too of course, but at least we know they're expensive
20:44 < BlueMatt> petertodd: this is why you don't use the same nodes multiple times (but mitm?: no, at that point you already know your target, whats the point?)
20:44 < petertodd> BlueMatt: your target can easily run a high % of the nodes on the network
20:44 <@gmaxwell> [OT] http://www.gwern.net/Blackmail	I'm amused by this both because of gwern whining about people thinking he's satoshi while he's been super aggressively trying to deanonymize satoshi elsewhere, and also accusing random people of being satoshi.  Also amused by the moron he's talking to who _can't_ get pgp right.
20:45 < petertodd> BlueMatt: s/target/attacker/
20:45 < petertodd> BlueMatt: less relevant given that bitcoinj doesn't do Tor yet, but one day...
20:45 < BlueMatt> petertodd: yes, at this point you're fucked anyway...
20:46 < BlueMatt> petertodd: (note the model here is a phone whose ip changes every 10 minutes)
20:46 < BlueMatt> petertodd: bitcoinj /does/ do tor now
20:46 < BlueMatt> (on master, no support for hidden services)
20:47 < BlueMatt> sure, with enough nodes you can AND everything together and find results which have large intersections, but that should be very expensive
20:47 < petertodd> BlueMatt: no, I don't think you necessarily are. e.g. many scalability schemes spread the work out over multiple shards, which means a client can just subscribe to some subset
20:47 < petertodd> BlueMatt: why? running nodes is cheap - all you need is ip addresses
20:47 < petertodd> BlueMatt: they don't actually need to even be unique nodes...
20:47  * gmaxwell waits for one of you guys to find http://percy.sourceforge.net/
20:48 < petertodd> gmaxwell: meh, that's the kind of thing only a wizard would understand, oh wait...
20:48 < andytoshi> gmaxwell: wpsoftware.net/coinjoin/chime.wav
20:49 < andytoshi> it is actually a MIDI of a c chord run through the fluid soundfont that came from fedra
20:49 < andytoshi> fedora*
20:49 < petertodd> BlueMatt: with payment protocols you're doing especially well, because fixed filters (prefix or bloom) mean it's basically like a well-designed bitmessage: all the adversary knows is you keep on getting some consistent % of the transaction space
20:49 < petertodd> BlueMatt: they can't do any better than that to deanonymize you
20:50 < petertodd> BlueMatt: (ie, you never actually send a transaction) Handling sends can be done via special-purpose mixnets and what not too
20:50 <@gmaxwell> petertodd: except you suggest making the data visible to everybody instead of a finite number of possibly evil servers.
20:50 < BlueMatt> petertodd: I didn't say it wasn't possible, I know its very possible to become some large % of network nodes
20:51 < petertodd> gmaxwell: not necessarily: remember the version where all you leak is the fact that *a* payment was made, not the details of what txout in the transaction was involved, which is doubly hidden via coinjoin
20:51 < BlueMatt> petertodd: I was saying that if you're a client whose ip changes regularly (ie you can't identify one client from one session to the next), then the AND attack is difficult due to the large cost of ANDing together all combinations of filters you've ever seen....
20:52 < BlueMatt> s/large/impossibly large/
20:52 < BlueMatt> generally the "ip changes regularly" part is quite ugly, but its realistic on many networks, especially mobile ones
20:52 < petertodd> BlueMatt: problem is IP's don't necessarily change like that - NAT maps things to the same IP, and the clients leak a bunch of info because they give version strings
20:53 < BlueMatt> on android the upgrades happen at ~the same time, so version string doesn't leak much there
20:53 < petertodd> BlueMatt: sure in a perfect world the ANDs are hard, but that's a perfect world...
20:54 < nsh> 1. make perfect world
20:54 < nsh> 2. build cryptosystems
20:54 < BlueMatt> petertodd: agreed, there are certainly cases where its not good...my point is just that coming up with a realistic threat model where these things break down and where the attack is still realistic is pretty hard
20:54 < petertodd> BlueMatt: heh, that's in some ways worse: you probably can use update lags to start tracking down your target, although at least that's a NSA adversary
20:54 < BlueMatt> (if you already know who it is, just go hit them with a wrench instead...)
20:55 < BlueMatt> easier for an nsa adversary to just hack your baseband :p
20:55 < BlueMatt> and, again, anyone who's concerned about an nsa adversary probably wants an anonymity set of the whole network, not any subset thereof
20:55 < petertodd> BlueMatt: maybe... they don't like using their sophisticated exploits if they can help it
20:56 < petertodd> BlueMatt: anyway, my main point is there's a shitload of tradeoffs involved here, and there probably are good designs that we haven't considered carefully enough
20:56 < BlueMatt> yes, certainly
20:56 < BlueMatt> my point is that there are more pressing issues as what we have is ~workable
20:56 < petertodd> BlueMatt: that there isn't a master tradeoffs document outlining the thought process isn't a good sign...
20:56 < BlueMatt> maybe with some small tweaks
20:57 < BlueMatt> petertodd: lol, what in bitcoin has such a doc?
20:57  * nsh imagines compropedia -- the definitive interactive animated guide to trade-offs in security models
20:57 < nsh> with sliders
20:57 < nsh> mmmm, sliders
20:57 < petertodd> BlueMatt: well, remember that it looks like electrum will be implementing prefix filtering because of how it fits their model well, so I'd like to understand that well, and this stealth address stuff involves a similar set of considerations
20:58 < petertodd> BlueMatt: gee, I dunno: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03508.html
20:59 < BlueMatt> petertodd: ok, what before very recent stuff in bitcoin has master tradeoff docs like that?
20:59 < petertodd> BlueMatt: heh, fuck all
21:00 < BlueMatt> petertodd: :)
21:00 < petertodd> BlueMatt: I also gotta do one up for, dare I say it, mastercoin...
21:00 < BlueMatt> ewwwwww
21:01 < petertodd> BlueMatt: so much disgust as blank canvases, just waiting to be filled with beautiful consensus systems...
21:01 < petertodd> BlueMatt: s/as/about/
21:01 < BlueMatt> petertodd: anyway, the analysis for bloom filters was largely started on an original version that looked up input scriptPubKeys (which was a bit disk expensive, surprise, surprise...) and the privacy provided vs efficiency tradeoff on the client side was really quite good
21:02 < BlueMatt> petertodd: yes, I would like it if it were 1:1 pegged to bitcoin and on its own merged-mined chain
21:02 < BlueMatt> until then, ewwwwwww
21:03 < BlueMatt> petertodd: if you can come up with a script type that is easily matched by one element in both the scriptPubKey of an output and the scriptSig spending that output, the bloom filter model would go back to that
21:03 < petertodd> BlueMatt: it's not going to be merge-mined unless some major advances in crypto-coin theory are made
21:03 < BlueMatt> and the anonymity set could be ramped up with tiny thin clients being able to handle it fine
21:03 < BlueMatt> (eg, push the hash160(pubkey) to the back of the scriptSig after the pubkey/sig)
21:04 < BlueMatt> well, ok, if you can come up with a way to do it so that you don't risk missing txn if a key is imported to a different client (or block that?) and a good upgrade path
21:04 < BlueMatt> petertodd: why not?
21:06  * BlueMatt hurtles at a runway a few hundred mph and decides to get off irc
21:07 < petertodd> BlueMatt: isn't just defining bloom v2 that matches H(element) and element simultaneously enough?
21:07 < petertodd> BlueMatt: merge-mining is insecure
21:07 < petertodd> BlueMatt: ha, have fun
21:08 < BlueMatt> petertodd: too expensive for servers, I think
21:08 < BlueMatt> needs further testing, I suppose
21:08 < petertodd> BlueMatt: why? it's just one extra hash and comparison per element
21:08 < BlueMatt> petertodd: yes, a 1:1 pegged merged-mined coin can be more secure
21:08 < BlueMatt> there are currently 0 cryptographic hashes per element right now
21:08 < petertodd> BlueMatt: no it can't - merge-mining means the cost to attack is near zero
21:08 < BlueMatt> youre now making it 2
21:08 < petertodd> BlueMatt: hashes are fast...
21:09 < petertodd> BlueMatt: guarantee you disk io is a bigger problem
21:09 < petertodd> BlueMatt: also, those hashes can be cached easily and re-used for multiple clients
21:11 < BlueMatt> petertodd: yes, disk io is currently the problem, I'm not entirely convinced that the hashes aren't also expensive if you assume nodes are only serving some small section of the chain (ie the past 1k blocks served out of memory)
21:11 < BlueMatt> petertodd: if you're gonna cache them on disk, you should just match both scriptSig and the scriptPubKey it's spending
21:11 < BlueMatt> that's more general and as easily cached
21:11 < BlueMatt> anyway, actually landing
21:11 < petertodd> BlueMatt: heh, have fun
21:12 < petertodd> BlueMatt: That is a good point: any per block index of scriptPubKeys should have a per-block index of scriptPubKey's spent.
21:12 < petertodd> *of scriptPubKeys created
22:10 <@gmaxwell> andytoshi: can you setup a simple http page that gives a one line coinjoin status? e.g. something we could ask nanotube to have gribble query?
22:11 <@gmaxwell> andytoshi: e.g. the number of txn in the queue, popular output(s), time remaining.
22:12 < andytoshi> sure, one moment
22:14 < andytoshi> plain text?
22:16 <@gmaxwell> nanotube: what would be useful for gribble?
02:32 < petertodd> Yes, or more to the point, adapt the pow function to what they have no choice *but* to build. Fortunately memory is incredibly simple.
02:32 < adam3us> at present it seems the oligopoly is existing below that barrier
02:33 < adam3us> ie a non-profit could do what i said for now i think
02:33 < petertodd> It is, only because Intel doesn't make Bitcoin mining gear. When they decide they want to be in that market we'll have a monopoly controlled by Intel.
02:33 < adam3us> come up with the money for some big runs
02:33 < petertodd> Big runs that Intel can deny if they want to.
02:33 < adam3us> TSMC also can compete
02:34 < petertodd> For now they can compete, in the future either they or Intel will lose the race and there will be only one.
02:34 < adam3us> yes that is the limit, but we are far from that limit at the moment
02:34 < adam3us> limit that hw manufacturers will themselves hoard, premine, or refuse to fab or sell competing mining hw
02:34 < petertodd> We're not "far", we're just a few years away. The point is to have a viable pow scheme that can be useful when Bitcoin mining equipment itself becomes regulated.
02:36 < petertodd> ...and really, that's why I'm inclined to make the "work value" be proof-of-work*proof-of-stake, where the former acts as a random beacon for the latter.
02:36 < adam3us> then its what you said: someone really does have to find a way to make a gpu pow
02:36 < petertodd> Why would you want it to be a GPU? They aren't simple. Memory is simple.
02:37 < adam3us> yeah: proof of something they're building anyway for general use
02:37 < adam3us> that doesnt have a big hw/sw advantage
02:37 < petertodd> SRAM, DRAM, DDRAM whatever all consists of one or more banks, where each bank is an xy array of bits. It'll never get simpler than that.
02:37 < adam3us> my worry about ram is ram architecture may not be optimized for pow
02:37 < petertodd> Sure those banks get surrounded by reams of routing logic these days, but the routing logic area is always less than the area of the memory itself.
02:38 < adam3us> such that there may be some hw advantage in novel ram architecture that they are not going to make for you
02:38 < petertodd> But that's it, ram architecture can't be optimized for a "fill it up with random junk, access randomly" PoW.
02:39 < petertodd> In fact, what you can do, is use hierarchy: your PoW consists of a *mandatory* selection of powers of two bank sizes over a wide range, so whatever is the bank size of the memory actually out there you meet it. (thus preventing power down tricks)
02:39 < adam3us> well there's a big diff in ram latency l1, l2, l3, main; and most of these memory bound have time-memory tradeoffs too (eg scrypt)
02:40 < petertodd> Yes, which is why you need to target multiple bank sizes to ensure that you force latency into the domain of commodity hardware.
02:45 < petertodd> BTW, so a modern SDRAM chip is basically a set of multiple banks, where each bank is an xy array; SDRAM stands for synchronous DRAM, and the synchronous just refers to how there is a synchronously clocked command/data bus as the interface.
02:47 < petertodd> So what happens on a random access? Well, the memory controller tells the chip "make bank n active", wait, "set row address to x", wait, "set column addr to y", wait, "read", wait, etc. Subsequent changes of row and col are quite a bit faster than the initial activate.
02:48 < petertodd> Why have the banking stuff? That's just because there's a size-speed tradeoff to bank size, make the banks larger and it takes too long for the row select signals to propagate across the surface of the chip due to the higher capacitance.
02:49 < petertodd> More to the point, what that means is the moment your pool of memory exceeds the size of the largest bank, every work-cycle includes some chance of having to turn the bank on - at a higher level as your working data set gets larger the latency increases.
02:50 < petertodd> The other trick is that if you don't access a given bank of ram the same can *somewhat* power down, but only somewhat. (DRAM still needs to be refreshed)
02:51 < petertodd> Either way, the optimal implementation "band" is very wide and what you're really doing is forcing the memory to exist, even though other than the bus interface it isn't actually getting used all that hard. But that's good, because the optimal bus interface is also a wide band of optimal solutions.
02:53 < petertodd> The power thing is important, because proof-of-work really comes down to proof-of-energy in the end, and we want to ensure that the memory access patterns are such that the data must be in DRAM so that the optimal minimal power design looks like commodity hardware.
02:53 < petertodd> Fortunately for all this stuff, conventional applications also have hideous access profiles where access jumps all over main memory due to how much programmers rely on things like linked lists, so engineers have optimized random access to death already for us.
02:55 < petertodd> Litecoin's scrypt implementation of course screwed all this up simply because the working set was designed to fit into L1 or L2 cache where the optimal implementation is very far from how conventional computers are made. But you know that...
02:57 < petertodd> ...and finally, so for future proofing, have multiple working sets of different sizes each consuming a small portion of total work. Sure you can have a stupidly optimized implementation for a 64KiB working set, but so what if that's just 5% of the work? UTXO storage proofs are nice here, because as amiller pointed out, the working set size is the data you should be good at verifying anyway.
12:16 < amiller_> "<adam3us> [02:31:44] u say: adapt the proof-of-work function to what they are building - maybe yes"
12:16 < amiller_> i say the alternative is to make them do r&d on whatever functionality you want, i.e. whatever helps the network scale
12:16 < amiller_> i think the idea of commodity hardware is unsupportable
12:17 < amiller_> people don't mine because they have spare commodity hardware
12:17 < amiller_> they mine deliberately
12:18 < jgarzik> petertodd, still prefer miner's fee to anyone-can-spend or burn-money.  it's a public good, and the mechanism to sweep donated funds already exists, and is already automated.
12:21 < petertodd> jgarzik: anyone-can-spend *is* a miners fee
12:23 < jgarzik> petertodd, in theory only
12:24 < jgarzik> petertodd, in practice, miners will not update their software just for an experimental project.  a true miner's fee is already supported by the system.
12:25 < petertodd> jgarzik: miners already need to update their software to attempt to redeem the announce-commit sacrifice, the step to collect anyone-can-spend is trivial
12:26 < jgarzik> petertodd, making miners unlikely to adopt either immediately, putting it in the user realm for the first many months
12:27 < petertodd> so what? just add anyone-can-spend to IsStandard() at the same time as adding prunably unspendable
17:21 < amiller_> so if i'm a miner i can generate identities for free, right
17:21 < amiller_> petertodd,
17:22 < amiller_> just pay my own money to myself?
17:22 < petertodd> Of course not: announce-commit means every miner has an equal opportunity to mine the fee.
17:24 < amiller_> i see so i announce it and then it's only the #100th block next that wins it
17:24 < petertodd> Exactly
17:24 < petertodd> Using nLockTime
17:26 < amiller_> i guess it would be pretty impractical to try to reduce the cost of identities by just trying really hard to be the one that mints that 100th block
17:27 < petertodd> Doesn't even have to be 100th block; mining is a random process so the next block is fine. (unless the sacrificed value >> block reward)
--- Log closed Sat Jun 29 00:00:46 2013
--- Log opened Sat Jun 29 00:00:46 2013
--- Log closed Sun Jun 30 00:00:56 2013
--- Log opened Sun Jun 30 00:00:56 2013
--- Log closed Mon Jul 01 00:00:01 2013
--- Log opened Mon Jul 01 00:00:01 2013
--- Log closed Tue Jul 02 00:00:04 2013
--- Log opened Tue Jul 02 00:00:04 2013
12:29 < jgarzik> petertodd, RE announce/commit, sorry missed that
12:31 < petertodd> Basically because we allow "pubkeys" to be up to 120 bytes in size in the standard transaction code fitting a whole tx in a tx is actually pretty easy.
12:32 < jgarzik> petertodd, FWIW I'm currently thinking about how an alt-blockchain for this identity data could be timestamped into the blockchain in a normal transaction
12:32 < petertodd> Did you see my write-up in -dev for a 1s resolution timestamp chain? Not dissimilar...
12:33 < jgarzik> petertodd, what, do a 1-of-20 (picking absurd example) multisig, and stuff the whole tx in there?
12:34 < jgarzik> petertodd, I was pondering a rule that permits an OP_TRUE w/ a standard transaction inside, to be made standard
12:34 < jgarzik> petertodd, validate the inner tx according to IsStandard and spendable rules
12:34 < petertodd> Nope, a 1-of-3 just fits: 2d201879608ed2d14c362dff713a6d17d680cb42d5175dfe42e960e94736be04
12:35 < jgarzik> I dislike multisig hackery ;p
12:35 < petertodd> I was thinking of that too - weirdly like P2SH...
12:35 < jgarzik> petertodd, precisely!
12:35 < jgarzik> better than stuffing unvalidated data in odd places, IMO
12:36 < petertodd> I can see the anti-spam argument, although myself I'd lean more towards just allowing OP_RETURN <data> to have a decently sized payload.
12:37 < jgarzik> <= 80 bytes OR standard, spendable TX
12:38 < petertodd> As always unless we go to the extreme of gmaxwell's P2SH^2 people will always stuff data in the system.
12:38 < jgarzik> indeed
12:39 < jgarzik> IMO you strike a zen balance.  Make it easy but not too easy
12:39 < Luke-Jr> petertodd: extreme? seems perfectly reasonable to me
12:39 < petertodd> The tx validation machinery could easily have its own bugs...
09:53 < BlueMatt> compete on regulation and refuse dumb things that america tries to push
09:53 < TD> EU governments can't/won't push back strongly against FATCA even though it means the end of their sovereignty, because they've all been on the war-path against "tax avoiders" so can't afford to look soft on tax now. especially as there are so many people who are being kept alive only through taxation
09:53 < BlueMatt> compete on regulatory burden and figure out what regulation should be instead of just taking what is forced on them from washington
09:53 < adam3us> they paid some lip service to that after snowden's haul revealed spying on the politicians themselves (Merkel etc)
09:53 < phantomcircuit> BlueMatt, americans largely hate politicians
09:54 < TD> then it only takes a few to crack and what little unity existed is gone. divide and conquer. easy.
09:54 < phantomcircuit> but the reality is by and large we're wealthy enough that doing something about it is risky
09:55 < BlueMatt> phantomcircuit: for good reason
09:55 < adam3us> TD: well i hope the swiss vote against it, in their citizen led referendum; they managed to keep out of EU through the same process, the problem is the man in the street may not understand the issues well enough
09:55 < phantomcircuit> BlueMatt, dat welfare, placating the masses
09:55 < TD> the problem is if the  swiss reject it, they will be completely wrecked
09:56 < TD> it's not just the USA that will impose massive sanctions. every other country that agrees to FATCA has to as well
09:56 < BlueMatt> phantomcircuit: lol
09:56 < TD> that's why it's viral and like an empire - countries that are theoretically "allied" will be forced to fight the swiss, or become enemies of the empire themselves
09:56 < TD> i don't think switzerland can survive a sudden, overnight 30% loss of trade and foreign assets
09:57 < TD> ultimately the swiss will have to agree that they are no longer a free, independent people, and relinquish that, or risk becoming the next iran
09:57 < TD> and that will be incredibly painful. i am not sure what they will do.
09:57 < TD> no other government is ever going to put this to referendum for exactly the same fear - that the people will reject this takeover, fight it and get killed in the process
09:58 < phantomcircuit> BlueMatt, sadly that isn't really a joke, my personal experience has been fairly strongly that people on welfare strongly support the governments power to tax and give them more money
09:58 < phantomcircuit> ironically they get all mad when some cop shows up and shoots someone
09:58 < TD> of course they do. you would too, if you were on welfare
09:59 < phantomcircuit> i've literally never met anybody on welfare who could see the irony
09:59 < phantomcircuit> TD, i honestly cant say i'll likely ever know
09:59 < TD> i wouldn't be too sharp there. times change. i've met out of work programmers who couldn't get a job for whatever reason.
10:00 < TD> but if you really can't imagine this, imagine it's your girlfriend/wife/son/daughter/best friend/whatever
10:00 < adam3us> so does FATCA extend to other countries than US?
10:00 < phantomcircuit> TD, i went to high school with a ton of people whose parents were on welfare
10:00 < TD> the problem is not taxation. the problem is this idea that every government has to know everything about every country in order to implement it
10:00 < adam3us> i mean does it have implications for non americans?
10:01 < phantomcircuit> TD, (like nearly the entire school was on some sort of assistance)
10:01 < TD> adam3us: green card holders, ex citizens too. otherwise no. but the issue is - now america went ahead and did it, suddenly that strategy is legitimised. other parts of the world are talking about the same thing, which would have been unthinkable a few years ago
10:01 < TD> which is stupid because they can't possibly collect any significant amount of tax that way
10:01 < TD> even FATCA is seriously net-negative when you add up the costs and expected extra revenue
10:02 < TD> and the US has citizenship-based taxation which nowhere else does
10:02 < adam3us> TD: well there is also the EUSTD but realistically the UK is dragging its feet because its a bigger tax haven than switzerland (with its offshore dependencies)
10:02 < TD> so if the USA can't make it work, financially, nobody else can even get close.
10:02 < adam3us> TD: and austria is also pushing back
10:03 < TD> yeah but these places all have no chance.
10:03 < adam3us> TD: they are working on EUSTD2 at present
10:03 < TD> basically, the future is automatic data exchange between all countries.
10:03 < phantomcircuit> TD, and the vast majority of us citizens living outside the us dont end up paying much tax anyways
10:03 < phantomcircuit> (if any)
10:04 < TD> ah well, just wait until the people who were supposed to file lots of paperwork and didn't (because they didn't know/would have paid no tax) start getting their savings confiscated to pay the fines
10:04 < phantomcircuit> since the first 90k is exempt entirely and then you can deduct taxes paid to the local authorities
10:04 < adam3us> TD: UK might they have some veto power in europe and vested interest to keep their financial center status, and while they cant say it, they also like their offshore dependent's tax haven status
10:04 < TD> no, no, no they don't: http://www.caribjournal.com/2013/11/05/cayman-islands-united-kingdom-sign-fatca-type-agreement/
10:04 < TD> the UK is busy imposing its own fatca-lite on the caymans
10:05 < TD> anyway, i'm actually all for the idea that if you live in a country you should pay taxes there
10:05 < adam3us> TD: I think views on it are mixed, as i recall the guy who was reviewing one of these things for the uk govt, some lord or something, was himself the beneficiary of a like $100m offshore trust
10:06 < TD> FATCA is evil because for poor old americans there's no easy way to escape.
10:06 < TD> you can't just leave the country and say goodbye to the IRS
10:06 < TD> (and because of how it's being implemented)
10:06 < adam3us> TD: yes i agree - you have to vote with your feet, not dodge local taxes, that way lies legal risk
10:07 < phantomcircuit> TD, it's also fairly difficult to renounce your citizenship
10:07 < phantomcircuit> there's a comical number of people who think they have but infact haven't
10:07 < adam3us> TD: the americans are screwed already.  my wife and brother in law are american dual nationals.  have to avoid joint accounts
10:07 < TD> oh dear. they should try and fix that ASAP
10:08 < TD> my brothers girlfriend is a dual british/us national
10:08 < TD> she can barely pay her british taxes, which are trivial. i bet she's never heard of an FBAR
10:08 < TD> i really worry one day her savings (or whatever she has of them) are just going to vanish
10:08 < TD> sent to the IRS to pay fines for not filing paperwork she never even heard of
10:08 < adam3us> phantomcircuit: correct.  i do not believe you can renounce us citizenship.  my sister in law did it, but i doubt it would make a difference if there is tax involved, they can reject the renunciation on tax grounds as invalid
10:09 < phantomcircuit> adam3us, no they cant
10:09 < adam3us> TD: yes my brother in law who lives in canada is avoiding flying to the us until his accountants work through the retroactive legislation
10:09 < jgarzik> TD, That's modern life in modern society.  There are enough laws that (a) no one can credibly know them all, and (b) everybody is a criminal, because everybody is likely violating /some/ law like these.
10:09 < TD> they claim they can actually
10:10 < phantomcircuit> adam3us, you have to go into a us embassy on foreign grounds and renounce your citizenship to the ambassador
10:10 < TD> i've read this too. if the embassy suspects you're giving up citizenship for tax reasons, they can deny it
10:10 < jgarzik> Thus you exist at the whim of prosecutors not focusing their attention on you.
10:10 < phantomcircuit> TD, they can try but that would never fly in court
10:10 < TD> jgarzik: well, she hasn't broken any local laws. she was born into dual nationality, she never lived in the USA
10:10 < TD> phantomcircuit: which court? "citizenship" just means "the US considers you to be an owned asset". they can enforce whatever they like if they get brutal enough
10:10 < TD> courts or no courts
10:10 < adam3us> phantomcircuit: yes, it doesnt work.  my sister in law got irish citizenship first, then renounced us; but if there was tax involved it is explicitly within their rule  book that they can reject it or look past it for tax purposes
10:11 < TD> FATCA just bypasses the whole civic infrastructure of laws and courts. the banks will fine you for them
10:11 < phantomcircuit> TD, you'd end up having to sue the IRS
10:11 < TD> and you'd fail. you're technically a criminal, right?
10:11 < TD> (in their eyes)
10:11 < phantomcircuit> TD, im pretty sure you would succeed
10:11 < phantomcircuit> there's a reason that this has never gone to court
10:12 < phantomcircuit> they dont fight battles they will lose if they can bullshit people instead
10:12 < TD> i'm pretty sure you would fail. what ground would you have to sue them? they're just implementing laws congress wrote
10:12 < adam3us> phantomcircuit: courts dont work because they make the rules, and they interpret the rules, and they can interpret them very loosely and they have infinite money.  you lose.
10:13 < TD> now this is all well and good, but the *real* fun will begin once the US starts to tax people and things that don't have any US connection at all
10:13 < TD> the current definition of "us person" is already so expansive that it bears little relation to the intuitive definition
10:14 < adam3us> TD: being the world currency reserve is a form of global hidden tax via USD inflation.  it's a relatively significant bonus to the us
12:24 < petertodd> Just signed up for the Financial Cryptography and Data Security 2014 conference.
12:24 < petertodd> Who else is going?
12:26 < justanotheruser> I wish I could take a vacation to Barbados
12:27 < petertodd> justanotheruser: heh
12:28 < petertodd> justanotheruser: kinda eye-opening the overall cost - I'm gonna have to bring a tent :P
12:29 < justanotheruser> petertodd: Is Financial Cryptography conference a fancy way of saying bitcoin conference?
12:29 < petertodd> justanotheruser: yup, btc workshop on one of the days
12:30 < petertodd> justanotheruser: http://fc14.ifca.ai/bitcoin/index.html
12:30 < petertodd> justanotheruser: or more interestingly: http://fc14.ifca.ai/bitcoin/accepted.html
12:31 < justanotheruser> petertodd: what, interesting that RS are there?
12:31 < justanotheruser> Or just S
12:32 < petertodd> justanotheruser: ?
12:32 < justanotheruser> nevermind
12:32 < justanotheruser> Interesting that I don't see any familiar names on that list
12:33 < justanotheruser> Seems like a bunch of PhDs are going to explain bitcoin to the bitcoin devs
12:35 < petertodd> Ha, yeah pretty much from the looks of it, will make for an interesting workshop...
12:35 < petertodd> I think amiller said he was going, so maybe it won't be all people totally removed from the dev community.
12:35 < petertodd> (not that him and I write much code...)
13:11 < Emcy> petertodd sleep on the beach
13:16 < Emcy> did anyone figure out how TPB is planning to use bitcoin for its little thing
13:16 < Emcy> or have you been talking about it and its way over my head
13:17 < Emcy> they best not be spamming the chain......why don't they use namecoin instead
13:31 < maaku> Emcy: have they stated any details?
13:31 < maaku> all they've done is name-drop bitcoin, as far as I can tell
13:32 < maaku> their plan is, apparantly, "BITCOIN!!"
13:33 < Emcy> sounds about right
13:35 < skinnkavaj> gmaxwell: https://litecointalk.org/index.php?topic=12404
13:36 < maaku> skinnkavaj: sure, google "geistgeld"
13:36 < Emcy> maaku isn't there a data field in a TX that can be used for arbitrary data without really bloating it
13:37 < Emcy> or something like that
13:37 < maaku> Emcy: sure, any OP_RETURN output
13:37 < Emcy> and that was specifically done to give people a place to dump their crap, if they must?
13:38 < maaku> yes
13:39 < Emcy> wait is that a new field or something repurposed? If its new isn't that just appeasement
13:39 < maaku> and by putting the hash instead of the data itself (or better, the Merkle root of a structure that can hold lots of data), you can keep the wire size small
13:39 < maaku> i think most people here are ok with committing data by hash to the chain
13:39 < maaku> it's an integral part of many of the protocols we design
13:40 < maaku> it's just that putting raw data straight on the chain is wasteful, inefficient, and (if it's not provably unspendable) freeloads off of full nodes
13:41 < maaku> it's part of the scripting language not a specific field, and it's always been there
13:42 < maaku> it's just being made standard so it can be relayed in 0.9
13:42 < Emcy> so TX will get slightly bigger, albeit by something that was already in the protocol but disabled until now?
13:43 < maaku> not disabled, you could always use it
13:43 < maaku> just not relayed by default just like other non-standard scripts
13:44 < michagogo|cloud> maaku: It freeloads off of full nodes even when it's provably unspendable
13:44 < michagogo|cloud> It's still in the blockchain
13:44 < maaku> michagogo|cloud: no, full node != archival node
13:44 < maaku> it's not in the utxo set
13:44 < michagogo|cloud> It just isn't in the utx-
13:44 < michagogo|cloud> oh
13:45 < michagogo|cloud> Erm, do non-archival full nodes exist atm?
13:45 < Emcy> that archival node thing isnt really gonna happen is it? 6tb helium disks soon
13:45 < michagogo|cloud> Emcy: It's safe to assume that at some point in the future there will be non-archival full nodes
13:51 < Emcy> michagogo|cloud i hope not out of strict necessity, but to try and poke people into running a node at all
13:53 < Emcy> hmm asking on TPB irc and no one seems to know shit......
16:19 < maaku> at some point in the near future
16:20 < maaku> i know both petertodd and myself have separately gotten some money to work on a pruned bitcoind
16:21 < maaku> we just have the good sense to make sure that some other fixes make it in first
16:21 < maaku> like headers-first syncing, and being able to advertise which blocks you hold
16:38 < gmaxwell> the latter I think is most of the actual work in pruned bitcoind.
16:39 < gmaxwell> I mean, right now you can just delete the old block files and it works until you run a rpc that would access an old block or a peer tries to sync from you.. it's probably just a few lines of code to make those failures tidy.
16:39 < gmaxwell> and a few lines of code to just automatically delete old files.
16:49 < Emcy> id say it was probably a tradeoff worth making if the alternative is full verifiers dwindling to the hundreds because no one wants to run one
16:49 < Emcy> then again im not sure it will help, because even a pruned node is the same mental distance away from "just works instantly" as a proper node
16:50 < gmaxwell> Emcy: it's just a good thing to have even without that concern.
16:50 < gmaxwell> I now only run one full node at home and one on my laptop, because I just don't have the space for N copies of the blockchain.
16:50 < Emcy> SSDs?
17:31 < Guest22406> Anyone bought from iMine.org.uk?
17:32 < Guest22406> http://iminecryptos.webs.com seems to be their temp. page
19:19 < michagogo|cloud> Hmm, another benefit of pruning is that it means that a full node can be bootstrapped from another trusted full node very easily
19:22 < gmaxwell> michagogo|cloud: I don't see why you think thats a benefit of pruning.
19:26 < sipa> the only advantage is less data that needs to be copied in that case
19:26 < sipa> but making it easy to run in a way that requires absolute trust in another node is not really a priority
19:37 < michagogo|cloud> gmaxwell: because you don't need to copy 12+ GB
20:13 < Luke-Jr> combined with SCIP it could be trustless perhaps :p
20:13 < gmaxwell> Luke-Jr: yea sure, but we're currently a long way from authoring proofs of state for bitcoin.
20:15 < gmaxwell> e.g. see the benchmarks in 13:59 < andytoshi> a new snark paper from ben-sasson: http://eprint.iacr.org/2013/879
20:16 < adam3us> gmaxwell: just have to use it recursively as the pow :)  (self-evident) proof of making snark proof as the pow
20:17 < andytoshi> adam3us: i was about to say that .. you'd have to tie the reward to the number of transactions considered, otherwise including transactions is costly
20:17 < gmaxwell> less crazy than it might seem.
20:17 < andytoshi> but can you do that in zero knowledge? i'd have to think about it
20:17 < gmaxwell> andytoshi: nah, just pretextually.
20:18 < gmaxwell> andytoshi: e.g. make your POW   SHA256(SNARK_PROVE(SHA256(header)))<target  ... (ignoring the fact that the pairing snarks are like.. perfectly malleable).
20:19 < andytoshi> just MAC them ;)
20:19 < gmaxwell> and of course you use a nice universal circuit inside the snark_prove in order to hopefully cutoff sha-256 specific optimizations.
20:20 < andytoshi> gmaxwell: so the idea is, changing the nonce is just as hard as adding transactions?
20:22 < gmaxwell> andytoshi: well thats true but its not the idea, the point there is that it creates an incentive for people to optimize the SNARK_PROVE() function. :P
20:24 < andytoshi> gmaxwell: well, if transactions are hard to add that kills the idea immediately because there'd be only empty blocks
20:25 < andytoshi> as it is, an alt could be written today which does this
20:25 < andytoshi> (and nobody would be able to mine it :P)
20:26 < gmaxwell> Luke-Jr: in the vnTinyram paper (I think their vnTinyram is slightly slower than regular tinyram), they're showing that their prover basically runs at 25 Hz ... can you imagine verifying the blockchain on a 25Hz cpu? :P  ... a dedicated blockchain checking circuit could be maybe 1000x faster, but it would still be very slow to generate the proofs.
20:26 < gmaxwell> andytoshi: Is it late where you are? :P
20:26 < gmaxwell> andytoshi: transactions are no harder to add than incrementing the nonce.
20:26 < gmaxwell> so there is no incentive to not add them.
20:27 < andytoshi> gmaxwell: no, i think i've just got a cold :P
20:27 < gmaxwell> :P
20:27 < andytoshi> when adam3us first said "use a snark as a POW" i thought, SHA256(SNARK_PROVE(transaction updates) + nonce)
20:27 < gmaxwell> yea, don't do that.
20:28 < gmaxwell> there might be some interesting way to do a reward for producing proofs of prior states though.
20:29 < gmaxwell> two ways to mine the coin: producing blocks or producing proofs for the state in prior blocks.
20:30 < andytoshi> that'd be excellent because you're also paying people to be archival nodes
20:31 < gmaxwell> in any case, I think we're still a ways off. E.g. you can't even download and screw around with any of this stuff.
20:31 < gmaxwell> and I'm sure what exists is Academic Quality code.
20:31 < andytoshi> i concur
20:31 < andytoshi> i'm about halfway through the first snark paper, the impression i get is that i can't reimplement this just based on the paper
20:31 < gmaxwell> (meaning it's probably crashy garbage and half of it runs in matlab and the other half works by manually pasting things from matlab into mathmatica and back)
20:31 < andytoshi> (though maybe the tinyram paper is more detailed)
20:32 < andytoshi> gmaxwell: i've never worked with cryptography people, but that's standard MO for the rest of math
20:32 < gmaxwell> a lot of the theoretical crypto people just don't implement at all.
20:33 < gmaxwell> actually the verifyable computing stuff is unusual in that people publishing papers have implemented something.
14:54 < jtimon> exactly, the decision was taken (sanely) counting miners and merchants, instead of being strict with the defined rules
14:54 < gmaxwell> jtimon: not to mention the utterly insane risk of rapidly forcing everyone onto bleeding edge software... including god knows how many people who had highly customized code who are _still_ on 0.7.x with patches.
14:54 < adam3us> the 2pc ripple seems a bit like OpenTransactions security model also... get signed/timestamped receipts from servers, users audit servers, if they detect malicious server, they have proof, and can rebuild server state with the receipts (in theory though maybe the rebuild part may not be automated yet)
14:55 < gmaxwell> jtimon: the decision was simply "the deployed software is the spec"
14:55 < jtimon> I'm not saying the decision was wrong
14:55 < jtimon> but I hate that justification
14:56 < jtimon> I prefer to justify it as "following the specs instead of the ref code would have had worse consequences"
14:56 < gmaxwell> jtimon: You can point at a stack of paper and say "but the rules!" all day... but the paper doesn't do shit. The behavior of the participants is what defines the rules in a consensus system.
14:57 < gmaxwell> jtimon: well of course, it's not like we say "the deployed software is the spec" because God gave that to us on a tablet; rather, it's the necessary thing to achieve good outcomes in 99.99% of cases.
14:57 < jtimon> agreed, of ALL the participants, not just miners
14:57 < jtimon> as some seemed to imply at the time
14:57 < gmaxwell> absolutely not just miners, and double absolutely not hashpower.
14:57 < jtimon> let me put it another way
14:57 < gmaxwell> Those implying that are not competent.
14:58 < jtimon> if 90% of the hash power was in the old code and 90% of merchants and users are on the specs (I know that wasn't the case), what's the right chain?
14:58 < gmaxwell> (And as you may note, in that hardfork the majority of hashpower was the new behavior... due to the fact that hashpower is controlled by basically 3-4 people, and they'd upgraded faster than the rest of the network due to the competitive incentive of orphaning reduction)
14:59 < jtimon> yeah, ok, good point
14:59 < gmaxwell> Merchants and users would be the right chain generally.
14:59 < adam3us> i suppose this is another reason pooled mining can be a problem
14:59 < jtimon> the majority of hash was on the specs back then and we went with users
15:00 < adam3us> and economies of scale in mining
15:00 < jtimon> I agree, merchants and users are the right chain
15:00 < gmaxwell> (90% hashpower might just be 50 people that need to fix themselves)
15:00 < gmaxwell> (but even ignoring that, I think its reasonable and prudent that mining basically takes more of the risk, and practically every miner who's thought about any of this would agree)
15:01 < adam3us> gmaxwell: how do u think that fork would've played out if there was no pooled mining and mostly decentralized mining power?  better or worse?  (more distributed consensus on sw upgrade, maybe slower reaction time)
15:01 < jtimon> adam3us, 2PC is similar to OT in some senses, but simpler (not so many instruments) and...in OT all atomic stuff occurs in a single server, with 2PC, there's atomic trades involving an arbitrary number of independent servers that don't necessarily trust each other
15:01 < gmaxwell> adam3us: I don't think the fork would have happened, in fact.
15:02 < gmaxwell> (well, it would have self resolved)
15:02 < adam3us> gmaxwell: well wasnt the fork the result of the level db bug? how would it have self-resolved... a few people early would've noticed problems
15:02 < adam3us> gmaxwell: and been outvoted anyway, and then the bug backed-out?
15:02 < maaku> adam3us: It would have been much harder to side with the users
15:02 < gmaxwell> adam3us: it would have been hashpower overtaken
15:02 < maaku> if there weren't any big miners you could get to switch chains
15:03 < gmaxwell> maaku: there wouldn't have been an artificial miner/user split there.
15:03 < adam3us> jtimon: i think OT also has a concept called voting pools like k of n pools have to agree for a tx to complete
15:03 < gmaxwell> most _miners_ were also on old code at the time too.
15:03 < maaku> gmaxwell: yes there would. miners-set doesn't overlap well with user-set
15:03 < gmaxwell> it's just that most hashpower was on the new stuff.
15:03 < adam3us> gmaxwell: we could really do with direct mining protocol for that reason also.  difficult to make that work though.
15:04 < adam3us> gmaxwell: a lesson therefore without decentralization, is the centralized parties need to use intelligence and gradual phase in
15:04 < gmaxwell> maaku: at the time most of p2pool's hashpower stayed on the 0.7 side.. though it was complicated by the fact that 0.7 didn't reliably reject the new chain.
15:04 < adam3us> gmaxwell: however i think from views expressed here that most of the mining power has very limited "intelligence" applied to it at all
15:04 < gmaxwell> (it wasn't a real hard fork, it was a softboiled fork. :P )
15:05 < maaku> adam3us: iirc Luke does a good job of this. he runs blocks past multiple node versions
15:05 < gmaxwell> yes, it would be easier for more to do that if we'd merged luke's patches for that.. but they were pretty invasive.
15:07 < jtimon> adam3us, but that's not more scalable, that's like a "shared server" much like ripple.com's consensus mechanism
15:09 < adam3us> maaku: yes Luke-Jr is a rare example of pool intelligence
17:15  * andytoshi-logbot is logging
17:17 < andytoshi> hey, it came back on its own :)
18:42 < gmaxwell> but ... now it seems to have a droopy leg and a strange interest in brains.
19:44 < justanotheruser> Is there any trustless way to pay someone in BTC to mine an altchain that is inherently worthless? (specifically I was wondering if you could subsidize merged mining of a votecoin))
19:49 < Emcy> i suppose you could make some shitty system that bloats the fuck out of bitcoin because they wont merge mine a specialised votecoin
19:50 < Emcy> but i dont think we really know how reluctant the poolops are to merge mine something decent because no ones ever tried
19:51 < justanotheruser> Emcy: I don't really want to use the bitcoin blockchain. A new blockchain could be created cheaply and be disposable.
19:51 < Emcy> well thats a refreshing attitude
19:53 < justanotheruser> Emcy: anonymous voting would require many coinjoins and coinswaps. If there were millions of voters, the election could cost millions of dollars in bitcoins
19:54 < justanotheruser> with all the transaction costs. Not much of a point.
19:54 < Emcy> i wonder how much those shitty diebold contracts cost
19:54 < Emcy> did you work out how to issue votes anonymously
19:55 < Emcy> *issue ballots
19:56 < justanotheruser> Emcy: everyone gets a vote, everyone has a public bitcoin address associated with their name.
19:56 < justanotheruser> Coinswaps and coinjoins are used to anonymize the votes
19:56 < justanotheruser> then when everyone has sufficient anonymity, they to 1ALGORE or 1GEORGEBUSH
19:56 < justanotheruser> *they pay to
19:57 < justanotheruser> I just wish I could pay someone automatically in bitcoins for finding a block without a central authority
20:00 < Emcy> what about vote selling
20:00 < gmaxwell> justanotheruser: thats really dumb. sorry, it's often repeated enough you should have seen other people calling it out.
20:00 < gmaxwell> Bitcoin is not a jamming resistant network. Congrats you just let the miners decide the election outcomes.
20:01 < justanotheruser> gmaxwell: What do you mean by jamming resistant
20:01 < justanotheruser> Emcy: That is possible without decentralized voting (but I agree, this makes it easier)
20:02 < Emcy> oh yeah hes right
20:02 < petertodd> gmaxwell: timelock crypto can be used to circumvent miner censorship of votes in some conditions
20:02 < Emcy> i think when i first brought up some sort of votecoin was years ago back when i still thought every responsible citizen could have a miner in the cupboard
20:02 < justanotheruser> Blocks could be rejected if they didn't include a certain number of transactions
20:04 < Emcy> justanotheruser when youre talking about elections there are incentives which easily override money concerns
20:04 < petertodd> justanotheruser: now you've turned pow mining into a weird pow/proof-of-stake/proof-of-sacrifice combo, doesn't necessarily help re: elections
20:04 < Emcy> in the money/power chicken and egg game, power always came first
20:05 < justanotheruser> petertodd: What? How is there any proof of stake/sacrifice?
20:05 < petertodd> justanotheruser: the transactions - how do you distinguish a "legit" tx from one the miner made?
20:06 < justanotheruser> petertodd: network rule that only allows a coin to be transacted a certain number of times
20:07 < petertodd> justanotheruser: right, so by including a transaction you have sacrificed someone, hence, it's proof-of-sacrifice
20:08 < justanotheruser> petertodd: how have I sacrificed someone?
20:08 < petertodd> justanotheruser: you sacrificed something, coinage, or coins, or whatever scheme you decide to use
20:09 < justanotheruser> petertodd: to get a block you have to have done a PoW with a certain number of transactions. The miners have no sacrifice
20:10 < petertodd> justanotheruser: something was sacrificed, or miners can stuff the block full of their own transactions at zero cost
20:10 < petertodd> justanotheruser: anyway, this works for voting: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03524.html
20:10 < justanotheruser> petertodd: The miners can only have a limited number of transactions
20:11 < petertodd> justanotheruser: limited how?
20:11 < justanotheruser> petertodd: because everyone only gets one votecoin and they only can be transacted 100 times from the coinbase
19:00 < adam3us> maaku_: "3 people to donate <$1000" i am not sure what this says about the crypto currency market.  seems like so far its telling us that scamcoins and crazy but high PR things get the most money.  if the market keeps voting that way and the money is used accordingly (ie nothing good morphs out of bad money) ... hmm depressing
19:00 < jtimon> maaku_ adam3us re not the end of the world: specially if litecoin was MM
19:00 < adam3us> jtimon: but its different PoW
19:01 < maaku_> adam3us: yeah, depressing :(
19:01 < jtimon> yeah, I mean assuming it was a SHA256 improvement instead of a scrypt one
19:01 < adam3us> petertodd: do something good with msc money to restore our faith in humanity :) please!
19:01 < killerstorm> people regularly ask me how to buy colored coins, I have a hard time telling them that it's impossible :). they do this much research before "investing"...
19:01 < petertodd> adam3us: don't worry, going to vegas with my first paycheck to find some strippers
19:02 < maaku_> pics or it didn't happen
19:02 < petertodd> killerstorm: lol
19:02 < jtimon> re: 1M usd destruction it would be funny if the guy said "it was a joke"
19:02 < petertodd> jtimon: the guy is anonymous
19:02 < maaku_> killerstorm: that sounds like every investor conversation Jorge and I have had (save one, maybe something will come of that)
19:02 < jtimon> petertodd does it make it less funny?
19:03 < petertodd> jtimon: it makes it more plausible
19:03 < petertodd> jtimon: well, more likely
19:03 < maaku_> he sure as hell is going to stay anonymous now
19:03 < adam3us> petertodd: did someone look at the code of xcp? it claims to actually have stuff working?
19:03 < maaku_> adam3us: honestly the crypto currency investment market reminds me of Lemmings
19:04 < petertodd> adam3us: I did, not much to it
19:04 < killerstorm> BTW is anybody interested in reviewing design/implementation of colored coin client (NGCCC aka ChromaWallet)? We don't have people who are familiar with bitcoin clients in our team, I just want to confirm we aren't doing something stupid...
19:04 < adam3us> maaku_: i think there is a lot of dumb money.  people who got lucky with various mining/buying things and are not considering it real money
19:05 < warren> adam3us: maaku_: I'm open to diverging more from bitcoin.  it just isn't clear what are the good ideas at the moment.
19:05 < killerstorm> We can probably allocate some bounty for it (review).
19:05 < warren> adam3us: maaku_: meanwhile litecoin has mainly been useful in discovering bugs that are in bitcoin
19:06 < adam3us> warren: could try zerocash but integrated in the way zerocoin was planned if you like being a canary
19:06 < warren> adam3us: the original zerocoin?
19:06 < maaku_> adam3us: unfortunately that pool of dumb money will eventually empty itself on mostly useless projects :(
19:06 < maaku_> there's some other interesting ones out there
19:06 < adam3us> warren: well u recall that it was a trustless mix attached to the block chain
19:06 < maaku_> but quality of the project seems to be inversely proportional with funds received
19:06 < jrmithdobbs> maaku_: nah that's not the sad part
19:07 < warren> adam3us: I'm actually very interested in P2SH^2 and something like p2pool in the standard client
19:07 < warren> adam3us: I don't like data storage in the blockchain and mining centralization is a long-term existential threat.
19:07 < killerstorm> Oh, BTW, is anybody working on cryptocurrency which uses something other than ECDSA?
19:07 < adam3us> warren: whereas now that bitcoin said "nah too heavy" with zerocash which is actually light enuf to be sensible, they've taken the msg that they will create an alt instead.
19:07 < maaku_> warren: be careful the trapdoor in zerocash though... not ready for prime time imho
19:07 < jrmithdobbs> maaku_: the sad part is that it's self fulfilling and there doesn't seem to be a way to break the chain, it's like people actually actively attempt to invest in the worst ideas in the space because they think they have intuition for the system they're buying into when they really have no fucking clue what's going on
19:07 < warren> maaku_: I'm aware
19:08 < maaku_> killerstorm: we're eventually going to add schnorr and lamport signatures
19:08 < jrmithdobbs> maaku_: but maybe i'm just jaded :)
19:08 < adam3us> killerstorm: gmaxwell investigated using EdDSA as a bitcoin
19:09 < adam3us> killerstorm: new sigtype which is schnorr and so has some nice features (compact k of n sig, blind sig)
19:09 < jtimon> maaku_ lol lemmings
19:09 < warren> Is the latest thoughts on P2SH^2 written anywhere?
19:09 < warren> I lost my IRC logs.
19:09 < adam3us> maaku_ warren: yes the setup time trapdoor is a problem someone has to be trusted to delete it
19:09 < justanotheruser> maaku_: I think it's already been implemented, it's just not public
19:10 < killerstorm> maaku_: I think it would be interesting to implement optional upgrade-to-lamport. I.e. script references both ECDSA pubkey and Lamport pubkey, normally only ECDSA pubkey is used, but optionally if ECDSA is broken :), one can use Lamport pubkey without revealing ECDSA pubkey
19:10 < adam3us> warren: if you dislike centralization and have not much SPV clients? you could consider committed-tx experiments
19:10 < petertodd> warren: I can send you my logs
19:11 < maaku_> killerstorm: that would be perfectly doable using multisig
19:11 < warren> adam3us: regarding zerocash, even if it is efficient in terms of blockchain bloat, I am concerned about the regulatory implications.  The current situation with bitcoin less-private-than-case-even-with-coinjoin might strike a good balance of needed transactional privacy with the need to prevent unfettered criminal uses.
19:11 < adam3us> warren: i agree mining centralization is bad.  committed-tx is an attempt to have user policy choice even with quite high centralization by denying miners information with which to make policy on
19:12 < warren> less-private-than-cash
19:12 < adam3us> warren: yeah the risk is not lost on me.  hence "if you want to be a (regulatory) canary"
19:12 < maaku_> you'd accomplish this by sighash extension, so the signature itself specifies which scheme is used (of course it would have to match the pubkey)
19:12 < petertodd> adam3us, warren: committed txin may be even more interesting along those lines
19:12 < warren> adam3us: mastercoin is asking to be a regulatory canary
19:13 < warren> adam3us: I think centralization should be a top priority, it is an existential threat.
19:13 < maaku_> killerstorm: lamport sigs are big ... even in a post-quantum world i think we'd still use elliptic curves
19:14 < warren> centralization is *THE* existential threat
19:14 < petertodd> warren: +1
19:14 < adam3us> warren: btw i think its not as clear cut as all that.  you can make different privacy tradeoffs by choice.   zerocash is a building block as much as ecdsa.  you could have fungible coins with new "wallet addresses" that have a similar payment level linking as today.
19:15 < adam3us> warren: sign me up on that call too "centralization = existential threat"
19:15 < warren> petertodd: I'd like logs covering all the recent P2SH^2 discussion
19:15 < adam3us> warren: which i think is a quite interesting tradeoff.  no more private than current, but fully fungible.  (coinvalidation falls on its face)
19:16 < warren> is zerocash's design published?
19:16 < maaku_> warren: no
19:16 < adam3us> warren: ie current privacy at payment level, but fungible/anonymous at coin level.  so if you trade a bad actor you ask them to reimburse you but you cant freeze the coin
19:16 < petertodd> warren: sent
19:17 < adam3us> warren: gmaxwell knows more about it (zerocash)
19:18 < adam3us> warren: also there was a podcast recording of matthew green talk on it at real world crypto conf, can google for
19:18 < killerstorm> maaku_: I think the idea is to have something as a backup IF shit hits the fan. E.g. if ECDSA vulnerability is discovered, people can use Lamport signatures temporarily, and then hard-fork upgrades cryptocurrency to something small and safe.
19:19 < adam3us> warren: you could always build holes to plug it into, then wait for zerocash to release their code & link in the library
19:19 < warren> IMHO, I rather focus entirely on the centralization existential threat.
19:19 < warren> That's uncontroversial.
19:19 < adam3us> warren: ok.  see if u can do something with committed tx.
19:20 < adam3us> warren: are you willing to complicate SPV model to do it?
19:20 < petertodd> killerstorm: you realize that lamport sigs are implementable easily in even bitcoin's original scripting system right?
19:20 < petertodd> killerstorm: not possible now that op_cat is disabled, but it doesn't take much
19:21 < killerstorm> Well, how do you hide ECDSA pubkey?
19:21 < Luke-Jr> meh, "disabled" really means "removed" in this context :/
19:21 < warren> adam3us: it depends, need to read all the current thinking on committed tx.  is this written down anywhere?
19:21 < petertodd> Luke-Jr: yup
19:21 < warren> adam3us: I really dislike the current way SPV is done.
19:21 < jrmithdobbs> petertodd: ya well the disabled ops have enough to implement salsa/chacha too (inefficiently and insecurely)
19:21 < jrmithdobbs> heh
19:22 < petertodd> jrmithdobbs: well, scripts are limited to 10,000 opcodes so... probably not, lamport however is practical within the limits (modulo disabled ops)
19:22 < petertodd> warren: what do you want changed re: SPV?
19:22 < adam3us> warren: sort of but not really cleanly  bct thread https://bitcointalk.org/index.php?topic=206303.0 ask if it doesnt make sense
19:22 < jrmithdobbs> petertodd: i think that's still true for at *least* chacha with the real limits
19:22 < killerstorm> Ok I guess it isn't hard to hide it...
19:22 < jrmithdobbs> petertodd: not that anyone should do so, ever
12:04 < jtimon> sipa: yeah, I guess that's the word we were looking for: p2pool and eligious are both trustless pools
12:05 < sipa> yup
12:05 < Luke-Jr> sipa: that might be better terminology, but it's not the common terminology already in use
12:05 < adam3us> Luke-Jr: does eligius reject/not support non-GBT shares?
12:05 < Luke-Jr> adam3us: Eligius supports all protocols at the moment
12:05 < sipa> Luke-Jr: i don't think anyone but you considered eligius decentralized (i know it satisfied some definition of decentralized that's common, though, but not all)
12:06 < adam3us> Luke-Jr: so its trustless to the extent users use GBT then
12:06 < brisque> Luke-Jr: what sort of percentage of users use GBT over stratum?
12:06 < Luke-Jr> brisque: probably near zero :/
12:06 < sipa> trust-free doesn't mean you cannot trust anyone - it just means you don't need to
12:06 < Luke-Jr> the solution is to make decentralised mining just as easy/painless as centralised mining
12:07 < Luke-Jr> sipa: trust-free implies more than decentralisation IMO
12:07 < adam3us> Luke-Jr, sipa: so it seems to me there is some pain. the bw consumption.
12:07 < brisque> Luke-Jr: imagine i'm a miner, is there an incentive for me to use GBT on eligius over Stratum?
12:07 < Luke-Jr> brisque: only for the good of Bitcoin
12:07 < jtimon> Luke-Jr open transaction is trustless but centralized
12:08 < brisque> Luke-Jr: mm, there's the reason why lots of people don't use it.
12:08 < sipa> Luke-Jr: they overlap, but neither implies the other
12:08 < sipa> jtimon: trust-free to an extent - you still need to trust the issuer
12:08 < Luke-Jr> sipa: p2p != decentralisation
12:09 < jtimon> sipa : for non-p2p currencies you always need to trust the issuer anyway
12:10 < jtimon> if you issue usdCoins using colored coins is no different
12:11 < adam3us> jtimon: i think there are two aspects to trust for issued units.  1. the issuer to redeem, maintain 1:1 backing, 2. the network to secure ownership transfer.  so it can still make sense to use decentralized ownership tracking (blockchain) for an issued asset.
12:12 < adam3us> jtimon: (you probably would personally redeem by selling to the unit for another crypto currency or on an exchange, not via redemption with the issuer)
12:12 < jtimon> adam3us: my point is that, despite being centralized, you don't need to trust the OT server
12:13 < adam3us> jtimon: agree.  i just mean with open transactions you need to trust it for some things but not others  i think in their terminology an issuer is a different entity from a tx server.
12:14 < jtimon> yes, the same issuer can operate in different OT servers at the same time
12:15 < jtimon> the main problem with OT is you can't trade assets that are in different servers atomically, you have to move them all to the same server first
12:15 < stonecoldpat> adam3us: it would certainly add extra-security (if thats a phrase), but the way im thinking about it ... SPV clients arent really part of the hashing power (as they are not mining). As you said - they are just observers. So you would still need to trick over 50% of miners for the attack to work. my comment is probs a bit old now (got distracted at work)
12:15 < adam3us> anyway on the decentralization from pools.  its good that eligius supports GBT and more users should use it.  Luke-Jr is also right that hosted mining is likely even worse.  but an even better outcome would be if there was a way to not need pools.  ie to solo mine with reasonably frequent and predictable payout.
12:16 < jcrubino> does there need to be any protocol level changes for stealth addresses?
12:16 < Luke-Jr> adam3us: I don't think that's very practical on a wide scale.
12:16 < adam3us> stonecoldpat: heaven forbid to let work distract from btc :)  yes i recall the context.  this is true.  but there could be a large payout  you could mint millions and millions of $ of tx that didnt even exist and an SPV client would temporarily accept it
12:16 < Luke-Jr> adam3us: for the low variance many miners want, you *need* to keep a running balance somewhere
12:17 < jtimon> jcrubino: I don't think so, just the payment protocol
12:17 < adam3us> jcrubino: i do not think so.  just client work.
12:18 < jcrubino> and does anyone in here  have bitcoin-dev mailing list archived from the beginning?
12:18 < adam3us> Luke-Jr: yes i am talking spherical cows territory  like changing the minimum reward.  having 100s of mini-rewards per block, such things
12:18 < Luke-Jr> jcrubino: I think SF has an official archive
12:18 < jcrubino> Luke-Jr: can I download it all at once?
12:18 < Luke-Jr> no idea
12:21 < jcrubino> hmm
12:21 < jcrubino> I want to try to do a topic mapping of the messages
12:22 < adam3us> jcrubino: maybe wget -r from the right base url might do the trick
12:24 < jcrubino> adam3us: It looks like the actual messages are id with every other message on SF
13:27 < michagogo|cloud> ;;seen andytoshi
13:27 < gribble> andytoshi was last seen in #bitcoin-wizards 12 hours, 30 minutes, and 7 seconds ago: <andytoshi> i assume jon matonis was involved in that list ..
13:28 < michagogo|cloud> ;;later tell andytoshi Did you make any more progress on the cj client? Let me know if/when it's ready for more testing.
13:28 < gribble> The operation succeeded.
13:32 < wallet42> so stealth addresses are base58_check encoded compressed pubkeys? whats the version byte?
14:25 < justanotheruser> Is it possible to make an easy to confirm hashing function that involves all the previous confirmed tx?
14:26 < justanotheruser> *easy to validate
14:33 < gmaxwell> justanotheruser1: you mean what we're already using in Bitcoin?
14:34 < justanotheruser1> gmaxwell: no I mean your idea that would require miners to have the blockchain
14:35 < gmaxwell> justanotheruser1: I assume you mean easy to validate you mean fully validatable by someone who doesn't have that data?
14:37 < justanotheruser1> gmaxwell: no. I mean easy to validate in general. I thought of two methods, one where the hash you generate would require you to look up a tx based on that hash and include that in a new hash, but I think miners would just end up trying to find hashes of the tx in their cache to circumvent that. The other method I thought of involved having each tx be at the leaf of a merkle tree and the nonce be an adjacent leaf, but that would be hard
14:38 < gmaxwell> justanotheruser1: I thought I described such an approach in the post about that?
14:38 < justanotheruser1> gmaxwell: I haven't seen your post, just the wiki page. Could you link me it?
14:39 < gmaxwell> you can use the block header to force you to do N lookups and make a hash tree. And then you use the hash of the solved block to select which M of those N lookups to publish.
14:39 < gmaxwell> This way you can publish a relatively small number of values, but grinding the preselection isn't too effective because it's picking N.
14:41 < gmaxwell> e.g. 32 random lookups is not going to do well with a small cache. And then you find a block and you're forced to prove one of them.
14:41 < justanotheruser1> gmaxwell: So N is generated based on the block header?
14:43 < gmaxwell> e.g. H(prev header) tells you to pick N transactions at random. you include a hashtree over them in your block. H(your header) tells you which of the N to include with your solution.  (this can be pooled, to prevent pooling for it, you'd need to put it in the inner loop which makes the pow utxo throughput hard)
14:44 < gmaxwell> I'd also suggested a simplified version where you just do queries on the inputs consumed in the prior block. The rationale was that we really just wanted you to prove you had the required data to do the validation.
14:45 < justanotheruser1> Why not make H(Prev head) also tell you which N to include? Couldn't miners modify the header to make it so they only have to look at the 1mb of tx they have?
14:45 < justanotheruser1> (in a hypothetical situation where miners only store 1mb of tx to save space)
14:47 < gmaxwell> previous header. as in the prior block.
14:49 < justanotheruser1> gmaxwell: yes, but you are using "your header" to find the block. Couldn't a malicious mining pool make it so their header tells them that they have to include only tx in the set of tx the miners own?
14:49 < justanotheruser1> s/to find the block/to find the tx for the block
14:50 < gmaxwell> only by doing N fold the work of finding a block.
14:52 < justanotheruser1> gmaxwell: well the work of finding a block is memory hard, but finding an easy header isn't.
14:53 < justanotheruser1> unless there's something I'm missing
14:53 < gmaxwell> I have no freeking clue what you're talking about there.
14:54 < gmaxwell> The only point of the proposals of preventing people from mining without the blocks was to stop botnets that just mined using the headers and processed no txns.
14:54 < gmaxwell> The explicit goal of that was not to make the POW memory hard.
14:57 < justanotheruser1> gmaxwell: I thought the purpose was to keep centralized pools that don't require blockchain ownership infeasible
15:00 < maaku> adam3us: there would need to be some infrastructure for recognizing and handling covenants at the user interface level.
15:00 < maaku> users will probably have to whitelist which covenants are accepted under which circumstances... there are some nontrivial problems here.
15:00 < gmaxwell> No. If you want to do that then you need a utxo query throughput pow where the hardness comes entirely from random queries.
15:00 < maaku> but they are solvable. certainly the default should be that added covenants are non-fungible. this is part of why a strongly-typed, simple, theorem-provable language should be preferred. that way a wallet could ignore / cordon off incoming coins which can't be proved to be covenant-free
15:00 < maaku> and that should certainly be the default behavior
15:51 < adam3us> michagogo|cloud: it was a month ago, i tried 10, 12 as main advertised iso on ubuntu.co and i think 10 server at suggestion of a hacker friend of mine that server maybe less chatty
15:51 < adam3us> .04
16:50 < andytoshi-away> gmaxwell: cool, glad to see (a) that the list is active and (b) we're not crazy to think we can be throwing hash circuits everywhere
16:51 < andytoshi> i have another concern, which i haven't mentioned since i haven't read the whole paper, about verifying input..
16:51 < andytoshi> presumably to make a snark-based blockchain we would want VERIFY (old chain state, new chain state, transactions)
16:51 < gmaxwell> someone needs to find a bored grad student to go generate circuits for sha256 and all the sha3 finalists and see which results in the fastest proofs.
16:51 < andytoshi> and we'd want the old and new chainstate to be public, but the transactions to be zero knowledge
16:52 < andytoshi> the impression i get from the paper is that if we want inputs to be public and provably there, we'd need them to appear in the preprocessing stage
16:52 < andytoshi> is this right?
16:54 < gmaxwell> andytoshi: no, the preprocessing stage just takes in the description of vntinyram itself, the time limit bound, and the _number_ of public inputs.
16:54 < andytoshi> are the public inputs what they call 'auxiliary inputs'?
16:55 < gmaxwell> no, public inputs are "program inputs", while "auxiliary inputs" are the ZK inputs.
16:55 < andytoshi> ok, thanks, great
16:55 < gmaxwell> (also non-determinism used to simplify the tinyram circuit, e.g. like magical answers that tinyram divide by only having a circuit to check the answer)
16:56 < andytoshi> yeah, i noticed that, that was really clever
16:57 < gmaxwell> andytoshi: also, in your description above there is an extra thing that needs to be provided.. full nodes would also demand a set of updates to change from the old state to the new state.
16:58 < andytoshi> the proof would not be enough for them?
16:58 < gmaxwell> E.g. the transactions are ZK but you do actually need to know the final state (not intermediate states) in order to make the next proof yourself.
16:58 < andytoshi> right, that's what i mean by 'new chain state', they can just use that as 'old chain state' in their next proof
16:58 < gmaxwell> oh okay, I read what you were saying as a commitment to the state.
17:00 < gmaxwell> A non-miner in that model doesn't actually need to pay attention to the state much of the time... so commitments are good enough.. then they could just get fragments of the state from filtering nodes to prove they were paid.
17:01 < andytoshi> right
17:02 < andytoshi> and full/filtering nodes would have to figure out some way to efficiently store the series of chainstates
17:03 < andytoshi> perhaps snark-proving chainstate diffs would be more efficient, i dunno, these are just details at this point :)
17:03 < gmaxwell> its useful to commit to the diff as well, since then you can get it from someplace else.
17:03 < andytoshi> oh, good point, doing both gives the best of both worlds
17:05 < andytoshi> full nodes would use the diffs, non-full user nodes would use the full state to verify what the full nodes are telling them
17:08 < gmaxwell> if you want to be really snazzy,  you have a hierarchy of backpointers to old blocks, and at each backpointer level you keep a state snapshot and periodically commit big gap proofs.
17:09 < gmaxwell> then hotstarting a full node just involves evaluating log2(blocks)+ proofs, and pulling down a full state.
17:09 < gmaxwell> but since the proofs are so fast, I guess O(N) proofs isn't so bad.
17:10 < andytoshi> we'll see what hardware looks like wherever this becomes feasible :P
17:10 < andytoshi> though my money's on "before 2020", and then things will look pretty-much the same
17:14 < andytoshi> justanotheruser: the 1-1 peg discussion starts (i think) at http://download.wpsoftware.net/bitcoin/wizards/2013-12-18.txt
17:14 < andytoshi> (for some reason my logs from 12-17 to 12-27 were not on the website, that's why i couldn't find them earlier)
17:16 < michagogo|cloud> 2014-01-08 22:11:18 REORGANIZE: Disconnect 7880 blocks; 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f..
17:16  * michagogo|cloud 2014-01-08 22:11:18 REORGANIZE: Connect 31489 blocks; ..00000000ce13e2d877387db6a418974481fdcd946bcc72c3a52f1ed7ad34f2a5
17:17 < gmaxwell> michagogo|cloud: is that testnet?
17:17 < michagogo|cloud> It's Jesuscoin
17:17 < andytoshi> phew
17:17 < gmaxwell> ... Jesus coin?!
17:17 < gmaxwell> (I did a reorg on testnet that big)
17:17 < michagogo|cloud> gmaxwell: coingen
17:18 < michagogo|cloud> second coin on http://coingen.io/status.html
17:18 < gmaxwell> ohhh you blew up a coingen coin?!
17:18 < gmaxwell> hah
17:18 < michagogo|cloud> Well, my script is breaking
17:18 < michagogo|cloud> since the reorg lags jesuscoin-qt
17:19 < gmaxwell> hah
17:19  * gmaxwell titters at "jesuscoin-qt"
17:19 < gmaxwell> does it have an icon where a coin outline forms a halo around jesus?
17:21 < helo> it proclaims to _be_ the second coming
17:21 < michagogo|cloud> gmaxwell: http://imgur.com/Wldyc7t
17:22 < gmaxwell> aww
17:23 < michagogo|cloud> Okay, added begin,rescue,retry,end lines
17:23 < phantomcircuit> opportunity missed
17:23 < michagogo|cloud> that should make it stop crashing
17:24 < michagogo|cloud> If you're interested, here's my script: http://0bin.net/paste/OFWqJ7Lj0k0GO0o4#Rd6uP8VFxwv3SEO4HQAwtF+Vy5M3ZtaUrrKC9m3qI+w=
17:25 < michagogo|cloud> Anyone happen to know when Bitcoin's first difficulty increase was?
17:25 < gmaxwell> block 80k?
17:26 < michagogo|cloud> thanks
17:26 < michagogo|cloud> Heh, looks like the real chain is fighting with my replay of the bitcoin chain
17:27 < michagogo|cloud> Reorging back and forth
17:27 < andytoshi> ah, this is from before BlueMatt fixed the 'same genesis' 'bug'
17:27 < shesek> oh, it was fixed eventually? when?
17:28 < shesek> we were talking about it just yesterday
17:28 < gmaxwell> michagogo|cloud: oh I'm wrong about the height
17:28 < BlueMatt> no, it was fixed a long time ago
17:28 < gmaxwell> michagogo|cloud: 32256
17:28 < michagogo|cloud> Hmm, what did it rise to?
17:29 < gmaxwell> 1.18289953
17:29 < shesek> oh, I was under the impression it was still like that yesterday... someone said it was
17:30 < michagogo|cloud> If anyone feels like watching jesuscoin get killed, https://secure.join.me/671-648-265
17:30 < michagogo|cloud> (tailf of jesuscoin's debug.log)
17:32 < michagogo|cloud> Hey, I think I might have just pulled ahead
17:33 < michagogo|cloud> BlueMatt: How many coingen coins used Bitcoin's genesis block?
17:33 < gmaxwell> michagogo|cloud: too bad there aren't any huge tx fees until fairly late.
17:34 < michagogo|cloud> gmaxwell: Why?
17:34 < gmaxwell> otherwise I'd say it would be fun top play it up to right before the point where there was a block with huge tx fees. Then mine that txn yourself.
17:34 < BlueMatt> michagogo|cloud: no idea
17:34 < gmaxwell> Then continue on.. and you get the huge tx fees.
17:34 < michagogo|cloud> gmaxwell: heh
17:37 < helo> where's the boom?
17:37 < michagogo|cloud> helo: https://secure.join.me/671-648-265
17:39 < michagogo|cloud> shh, nobody tell Luke-Jr that I killed Jesus(coin)
17:39 < helo> interesting date
17:39 < michagogo|cloud> helo: hmm?
17:40 < helo> jesuscoin has blocks as far back as 2010?
17:40 < michagogo|cloud> helo: It's the Bitcoin blockchain
17:41 < michagogo|cloud> I'm just using http://0bin.net/paste/OFWqJ7Lj0k0GO0o4#Rd6uP8VFxwv3SEO4HQAwtF+Vy5M3ZtaUrrKC9m3qI+w= to replay the bitcoin blockchain onto Jesuscoin
17:42 < helo> wouldn't the hard coded genesis block make that not work?
17:42 < shesek> they share the same genesis block
17:42 < helo> bad move :/
17:42 < shesek> coingen used to give the altcoins it created the same genesis block as bitcoin's
18:20 < gmaxwell> andytoshi: the proving process for QAP snarks is ludicrously parallel, I wonder if it would make sense to have distributed generation of the proofs? ... I think the problem is that they need communication similar to the prover key in size.
18:23 < maaku> adam3us: I've done multiple ubuntu installs without network connection ... i know it works for 12.04
18:26 < andytoshi> gmaxwell: hmm, a high communication requirement is going to incentivize centralization
18:26 < andytoshi> and in general, if you break the proof up it is hard to decide what part any individual miner should work on
18:27 < andytoshi> which i think also encourages centralization since it is easy to organize a single mining farm to not step on its own toes
18:30 < andytoshi> i think "ludicrously parallel" will just mean that we don't have a gpu-hard mining algorithm here
18:30  * maaku downloads jesuscoin-qt and goes to make some popcorn
18:32 < michagogo|cloud> maaku: not much to see
18:32 < sipa> i expect jesuscoin to be able to fork, and keep both instances alive...
18:32 < michagogo|cloud> It'll just look like Bitcoin-Qt syncing
18:32 < maaku> is it off of git-head, or 0.8?
18:33 < michagogo|cloud> 0.8.6
18:33 < sipa> 0.8.6 iirc
18:33 < maaku> oh :\
18:33 < michagogo|cloud> Why?
18:33 < michagogo|cloud> Which git feature were you hoping to use?
18:33 < maaku> i was hoping for some fine grained timestamps on the log messages to get a good idea of how the reorg was spreading through the network
18:33 < maaku> vs. the "honest" miners
18:34 < michagogo|cloud> maaku: you can roll your own
18:34 < michagogo|cloud> Just build git head and change the pchMessageStart
18:34 < maaku> yeah true. i suppose I just need the port & msg bytes
18:34 < michagogo|cloud> port 9336
18:34 < michagogo|cloud> Don't know the magic, though
18:34 < michagogo|cloud> Sorry
18:35 < maaku> np. thanks
18:35 < maaku> i'll read the first 4 bytes of blk*.dat
18:35 < michagogo|cloud> (Not at my computer anymore, I'm writing this from my bedroom)
19:55 <@gmaxwell> CodeShark: I suppose that it just reduces to the storage throughput stuff on the altcoin page as one way of showing you have it at all times.
19:55 < Luke-Jr> CodeShark: not sure I agree
19:55 < petertodd> Luke-Jr: well, for me it's about the pay-per-hour-of-studying-cryptocurrencies, and mastercoin's offering full-time crypto-coin studying :)
19:55 <@gmaxwell> e.g. instead of paying you just make storage a byproduct of mining.
19:55 < Luke-Jr> petertodd: is that really all they expect of you?
19:55 < CodeShark> Luke-Jr: or at least, we wouldn't need currencies that are deliberately scarce
19:56 < petertodd> Luke-Jr: mastercoin is roughly speaking a blank slate, so roughly speaking yes
19:56 < maaku> BlueMatt: "merged mining isn't very good" -- because of the security risk of diluting the reward function?
19:56 < BlueMatt> petertodd: well, instead of working on fun cryptocurrencies problems like scaling, you've ended up working on how to best hide data in coins not designed for it...
19:56 < BlueMatt> instead of designing for it
19:56 < petertodd> BlueMatt: yes, but once you accept that as your model... then obviously you should work on scaling
19:57 < BlueMatt> maaku: because if you make a new researchcoin today, getting it merged-mined by enough mining power isn't a trivial problem, mostly
19:57 < petertodd> BlueMatt: see, if mastercoin is merge-mined, there's no reason to work on making bitcoin scale better, but if mastercoin isn't merge-mined and is embedded in the blockchain, then there's every reason to make bitcoin scale better
19:57 < nsh> scaling is a solved problem. we just all have to trust random people we've never spoken to in strange countries with unknown interests. cf. BGP
19:58 < nsh> , GRX, &c.
19:58 < CodeShark> I do not agree with the notion that the bitcoin protocol is a general low-level protocol - if we really want to build a network like that, we should design a low-level blockchain-based protocol (for, say, timestamping)
19:58 < CodeShark> without attaching anything else to it
19:59 < CodeShark> it should be completely agnostic as to the contents of data packets
19:59 < petertodd> CodeShark: I suspect we're going to end up with that, and specifically, the magic word is "proof-of-publication"
20:00 < maaku> CodeShark: and that's a problem?
20:00 < CodeShark> furthermore, proof-of-publication doesn't require all the data contents to be stored on the blockchain itself
20:00 < BlueMatt> petertodd: my view: ignore all non-btc-denominated cryptocurrencies: they all need to die and should be treated as shit anyway. after you do that, you have to somehow make the total throughput of btc-denominated transactions scale, that can come in the form of alts that are on their own btc-denominated chain or however you want, the whole system has to scale
20:00 < CodeShark> hashes would be sufficient
20:01 < CodeShark> we could completely separate the data storage/query mechanisms from the timestamping mechanism
20:01 < petertodd> CodeShark: no it does: if it's not in the blockchain there's no proof anything was in fact published. that said, the existing bitcoin system is kinda weak in that respect...
20:01 < nsh> petertodd, there are different (but overlapping) use-case sets for proof-of-existence and proof-of-publication
20:01 < petertodd> CodeShark: the ideal might be some pow function that forces you to prove you have access to some data set, but that's not what we have
20:02 < BlueMatt> petertodd: if it were easier to get mastercoin merged-mined (eg to the scale of namecoin), and you can do 1:1 exchange to a secondary chain, do you not agree mastercoin /should/ be on a separate chain at that point?
20:02 < CodeShark> ok, yes, I get the distinction now between proof-of-existence and proof-of-publication
20:02 < nsh> also publication might have gradations, as not everything is published to *
20:02 < petertodd> BlueMatt: if you can wave a magic wand and get it to reasonable hashing power, lovely, but there is no such magic wand so I can't advise them to do that
20:02 < petertodd> BlueMatt: more likely I'd get there by designing a good merge-mined proof-of-publication scheme
20:03 < BlueMatt> ok, so our disagreement is how hard it is to get merged-mined a new coin
20:03 < CodeShark> besides the fact that mastercoin represents extra blockchain bloat, I'm also concerned about the unpredictable nature of block intervals and the average length of that interval
20:04 < petertodd> BlueMatt: pretty much, and there's lots of ways forward: IE if I managed to find a way to make bitcoin itself scale in some unspecified way, then mastercoin dumping data on the blockchain wouldn't matter
20:04 < CodeShark> 10 minutes on average doesn't seem like sufficient granularity for a lot of things
20:04 < sipa> petertodd: better != infinitely
20:04 < petertodd> CodeShark: given the selfish mining stuff I think we're going to find that 10 minutes was optimistic...
20:05 < petertodd> sipa: my suspicion is there is a fundamental security and scalability tradeoff with proof-of-publication, so you'll wind up with some scheme that lets you make choices about that tradeoff - pay more for more secure coins
20:05 < petertodd> sipa: txout storage fees based on value are nice there, but they change economics...
20:05 < sipa> very much so
20:06 < CodeShark> shouldn't the storage fee be based on size, not value?
20:07 < petertodd> CodeShark: NO, based on value because more value needs more security needs wider spread holders who actually have the data
20:07 < CodeShark> ah, ok
20:07 < andytoshi> if we used a base-1 encoding, we could make size and value be the same
20:07 < andytoshi> am i a wizard yet?
20:07 < petertodd> CodeShark: e.g. Suppose I want to destroy all (public) copies of some blockchain data, in the Bitcoin system that's going to be extremely hard, roughly a 51% attack, but if bitcoin mining was sharded such that you could mine with 1/8th of the blockchain data, you'd wind up with a system where you may be able to do a 51% * 1/8th attack instead
20:08  * petertodd gives andytoshi a robe and pointy hat
20:08 < maaku> why not put mastercoin on namecoin?
20:08 < maaku> or hey, devcoin or ixcoin
20:08 < CodeShark> right, I get it now, petertodd
20:08 < petertodd> maaku: why bother? it's not mastercoin's problem that it crowds out other uses of the blockchain
20:09 < CodeShark> the fundamental problem here, IMO, is the misplaced incentives
20:09 < petertodd> CodeShark: agreed
20:09 < CodeShark> there are no rewards in the bitcoin network for providing storage nor for relay
20:09 < maaku> petertodd: just pointing out that there are other merged mine chains with high hash rates
20:09 < petertodd> CodeShark: especially with regard to the UTXO set...
20:09 < maaku> i actually think that it is perfectly fine to put whatever you want on the block chain
20:10 < BlueMatt> petertodd: well, I find the difficulty of getting a real research coin merged-mined to be a problem that needs solving, so I'd argue that you (as someone paid to work on this) should work on fixing that problem instead of working on hiding shit in the chain so that people can't block it
20:10 < maaku> and if anyone has a problem with that ... it's your own damn fault for not coming up with and implementing a better fee system
20:11 < petertodd> BlueMatt: meh, I think I've basically solved the "hide shit in the blockchain" problem very thoroughly, something we need *someone* to have done if only to understand the risks
20:11 < sipa> without fees going to those providing the storage that is wasted, the incentives can't align
20:11 < petertodd> BlueMatt: note I also have a half-decent solution to UTXO bloat, so it's not like it's the only thing I've been working on
20:12 < maaku> sipa: and fees can't go to those providing the storage because ... ?
20:12 < andytoshi> i think there is always an incentive for people to put stuff on the blockchain, it's not their problem ... so it's up to bitcoin to figure out pruning strategies
20:12 < maaku> not saying it's easy, but also no one's shown it impossible
20:12 < CodeShark> petertodd: I'd love to see some of those implemented :)
20:12 < sipa> maaku: well, i wouldn't call it bitcoin anymore in any case
20:12 < petertodd> maaku: modulo utxo bloat, the existing fee system works just fine: really we've got people whining that they aren't getting cheap transactions because something else can afford a higher fee/byte
20:13 < petertodd> CodeShark: heh, well actually I've got an unreleased upload-files-to-the-blockchain tool that makes them into a shared consensus namespace... add timelock crypto to it and you'd have a rather frightening system
20:14 < petertodd> CodeShark: fortunately $0.1/KB is kinda pricey, and it's even higher if you want to hide in normal-looking transactions
20:15 < CodeShark> petertodd: I also wrote a tool once to upload arbitrary text (base58 encoded) to the blockchain :)
20:15 < CodeShark> I'm only guilty of using it a few times :)
20:15 < andytoshi> there is a rickroll somewhere in testnet (i have the command to play it, but not on me right now)
20:15 < petertodd> CodeShark: heh, it's not rocket surgery... although I think the trick is the retrieval side of things so people find it useful - hence my shared consensus namespace thing
20:15 < andytoshi> i think one of you guys did that
20:16  * petertodd looks guilty
20:16 < andytoshi> i thought it was petertodd, didn't want to accuse since i wasn't sure :P
20:16 < CodeShark> lol
20:18 < nsh> j'accuse!
20:18 < nsh> (best chess move)
20:19 < petertodd> andytoshi: heh
20:19 < petertodd> andytoshi: every time someone claims bitcoin scales I edge a little closer to releasing the upload tool :P
20:19 < CodeShark> haha
20:19 < CodeShark> petertodd: someone uploaded the source code for a python tool to upload arbitrary data
20:19 < CodeShark> it's still somewhere in the block chain
21:12 < gmaxwell> petertodd: meh, that doesn't worry me _that_ much. The verifier is just a couple dozen lines of code given a suitable pairing library. (which they don't provide, but there are several suitable liberally licensed ones available)
21:14 < gmaxwell> the interesting code they provide is the circuit generator and the prover which are non-normative so long as you don't make something which is married to a single validation key.
21:16 < adam3us> about coloring in the context of zerocash, i think they could include another value in the hash, being the color
21:17 < adam3us> gmaxwell: that kind of sucks about the EdDSA high bit.. i was looking forward to compact k of n sigs, blind sigs & such :(
21:19 < gmaxwell> adam3us: I mean, it would only be a couple of lines of code to add schnorr signatures to sipa's library.  compact k of n is kind of a killer feature.
21:20 < adam3us> gmaxwell: kind of annoyed at DJB now that is an unclean hack disguised as a feature.  it fails composability
21:23 < gmaxwell> adam3us: well, I was made kind of annoyed by the "Safe or Not" summary table most recently added to safercurves
21:24 < gmaxwell> which has now three times caused me to get questions with urgent concerns that bitcoin's curve is not safe.
21:25 < adam3us> gmaxwell: the guys on IRTF/CFRG are making an RFC for safe curves.. can be a good place to ask questions or complain if u see problems.  they seem to have a good collection of people who understand ECC & coding
21:26 < adam3us> gmaxwell: as there is a guy moving pretty fast on getting an RFC through standardizing the safe curves
21:26 < gmaxwell> It's my opinion that the addition of the binary safe or not table debased an otherwise thoughtful site to marketing tripe... since it happily fails bitcoin's curve because the endomorphism shaves off 1.5 bits of security, while meanwhile his curves' cofactor of 8 shaves off at least three bits of his already smaller curve, and then his implementation throws away another bit for that optimization.
21:30 < CodeShark> "safe or not" is pretty stupid when it comes to proclamations of security completely devoid of context
21:31 < maaku> if someone wants to advocate for schnorr and bip-32 compatibility with the RFC safe curves, that'd be a noble thing to do
21:35 < sipa> what is considered unsafe about secp256k1?
21:35 < gmaxwell> http://safecurves.cr.yp.to/
21:35 < gmaxwell> scroll down
21:35 < gmaxwell> it's "not safe" if it doesn't meet all of DJB's criteria.
21:36 < gmaxwell> the criteria are all interesting. Few of them would justify not-safe for failing them
21:37 < gmaxwell> esp since the criteria omit other no less reasonable considerations like "cofactor == 1", presumably since his own curves fail it.
21:37 < maaku> chiefly, the fact that it doesn't have "25519" in its name
21:41 < gmaxwell> I gave a somewhat irritated response here: https://bitcointalk.org/index.php?topic=380482.0  (being that it was the second time that day I'd been asked about it)
22:28 < andytoshi> wizards, i am enrolled in a "numerical iterative methods" class which is very open ended
22:28 < andytoshi> can you think of any interesting (or useful to bitcoin) numerical analysis projects?
22:35 < gmaxwell> andytoshi: network simulations can fall in that bucket.
22:36 < gmaxwell> andytoshi: if you wanted to fool with an altcoiny thing, control loops for difficulty adjustment.  What else? Hm. anti-spam/dos attack heuristics perhaps.
--- Log closed Tue Jan 14 00:00:09 2014
--- Log opened Tue Jan 14 00:00:09 2014
00:22 < phantomcircuit> gmaxwell, just take your entire hardfork list and implement them
01:12 < justanotheruser1> Is there an alternative to pandora that has a GP or BSD license?
01:12 < justanotheruser1> *
04:12 < adam3us> andytoshi: numerical iterative analysis? perfect one for you: selfish attack?
04:51 < adam3us> is there an EdDSA mailing list? or should i just email DJB?  want to figure out this highbit/constant time 'hack' limitation on composability, that's kind of broken.
07:18 < andytoshi> adam3us: the 'hack' is pretty simple, the second answer here explains it: http://crypto.stackexchange.com/questions/11810/when-using-curve25519-why-does-the-private-key-always-have-a-fixed-bit-at-2254/11818
07:19 < andytoshi> and it's also easy to avoid, even if you want to run in constant time -- but then we'd have a nonstandard implementation
07:21 < andytoshi> it might be worthwhile to bug him and ask what he was thinking, because it really is ugly and you're a name he ought to recognize..
08:28 < adam3us> andytoshi: hmm so neves is saying it doesn't matter, if the code does the defense as the reference does, it is still constant time.  what about the other bits?  a[255]=0,a[254]=1, a[2]=a[1]=a[0]=0
08:28 < adam3us> adam3us: none of those will necessarily be the case after public HD derivation
08:29 < adam3us> adam3us: andytoshi: a[255]=0 maybe ok, as |n| < 255 (the order) i presume from the h=8 (cofactor)
08:36 < andytoshi> adam3us: a[255] it appears is always zero, yeah, we'd be fine there (though why are we "using 255-bit strings" with only 254 actual bits??)
08:36 < andytoshi> and as you say (and gmaxwell has been whining for weeks), bit 254 might not be set after public HD derivation, or multisig with additive signatures
08:37 < andytoshi> this seems weird, i dunno why the reference implementation didn't just hardcode the 254 in there
08:38 < andytoshi> maybe add a big comment saying not to change that if you are reimplementing, but i think it's pretty obvious that if you make your loop bounds depend on the input you are asking for timing attacks
08:38 < adam3us> andytoshi: 256-bits (0..255) probably just for power 2 & word size divisibility.  not necessary  he says you can reuse the bit in bit-stealing if u want.
08:39 < andytoshi> oh, good to know
08:42 < adam3us> andytoshi: so the thing with the co-factor is there is i think a small subgroup also as n=h*l (l subgroup size, h cofactor, no points on curve), so trailing 000 is actually computing d=rand(0,l), Q=dG, Q'=8Q i think to avoid the small subgroup,
08:44 < adam3us> andytoshi: (ie the useful private key is 251 bits, and presumably |l|=251) but still u stay in the subgroup once u start there, so Q"=Q'+MAC(chain,ctr)G is still in the subgroup (hopefully!)
08:45 < adam3us> andytoshi: actually i guess |l|=252, the top-bit is not "useful" as its fixed but its still part of the private key
08:47 < andytoshi> adam3us: understood, though i suppose i don't understand why this subgroup is so bad that we actually need to zero it out
08:47 < andytoshi> i guess fixing a representative of the coset is needed for determinism
08:48 < adam3us> andytoshi: actually take that back |l|=253, paper:  l is the prime 2^252+2...
08:50 < adam3us> andytoshi: maybe it's fixable. it's just an obtuse way of saying d=rand(0,l-1) Q=8dG right?
08:50 < adam3us> andytoshi: so do the *8 part after HD derivation
08:51 < andytoshi> that's my understanding, and also i think it's just obtuse so that he can hold bit 254 fixed
08:54 < andytoshi> adam3us: at first glance, doing *8 after derivation would make HD work, i don't think the cofactor is a problem for us (though it weakens security by those 3 bits, and gmaxwell is pissed that djb considers this "better" than the ~1.5 bits our curve loses by fast parameter choices)
08:54 < andytoshi> but i don't see how we can hold bit 254 on
08:54 < andytoshi> though i guess we could grind through HD keys until we get one with bit 254 set :}
08:56 < andytoshi> (kidding!) anyway i've gotta run, good talking to you
08:58 < adam3us> andytoshi: Bernstein et al's style is obtuse in general :(  clearly if you do Q=dG (d chosen rand(0,l-1)) then you do HD derivation Q"=Q+M(c,i)G, and finally Q"=8Q' then there is no guarantee that top bit is 1 as its mod l, but we dont care about that anyway
08:59 < adam3us> andytoshi: well with public derivation u have no way to know what the top bit of the private key is.
12:39 < maaku> farewell net neutrality, we hardly knew ye
12:41 < nsh> :/
13:05 < gmaxwell> maaku: you don't have any great ideas on how to prevent incentive buggery with expensive validation do you?
13:10 < gmaxwell> andytoshi: you called it correctly on my complaints. WRT cofactor there are two complaints, one is that there is the direct rho security reduction from the decrease in the order, comparable in magnitude to the rho reduction he dings secp256k1 on.  The other is that having a non-trivial cofactor is a necessary precondition for index calculus, though just a single extra distinct prime factor is probably no concern, all things equal we ...
13:10 < gmaxwell> ... should prefer thing with a cofactor of 1.
13:26 < adam3us> gmaxwell: so do u know does the trailing 000 bits of d matter?  that also will be lost by HD derivation
13:28 < pigeons> andytoshi: is there an irc channel or bitmessage broadcast address or something announcing pending coinjoin sessions?
13:32 < gmaxwell> adam3us: so long as you compute the derivation the right way you can preserve it.  Basically the scalar you compute in it has to also be a multiple of 8.
13:33 < gmaxwell> adam3us: because the order is prime*8 the sum of any two numbers which are themselves a multiple of 8 will still be a multiple of 8, that's what results in it being a subgroup.
13:33 < andytoshi> pigeons: no, not yet, i have just released a client and having trouble finding testers during my free moments
13:34 < andytoshi> i'll check out bitmessage tho, that'd be fun to set up
13:35 < adam3us> gmaxwell: but if you are working in the subgroup, the scalars are then mod l not mod n=8l?  or is B a generator of the full group?
13:36 < gmaxwell> oh darn. hm. I think you're right. obviously the basepoint isn't going to generate the full group.
13:37 < gmaxwell> then I don't understand anymore why the private key is constrained.
12:30 < andytoshi> is the s/2 characteristic random now? istm if i'm publishing coinjoins with inconsistent signatures
12:30 < andytoshi> that screams "this is a coinjoin"
12:30 <@gmaxwell> yes its random now.
12:31 <@gmaxwell> bitcoin git produces signatures where S is always in the lower half. <=0.8.6 S is randomly in the upper or lower half.
12:31 < andytoshi> ok, thanks
12:32 <@gmaxwell> sadly the compressed vs uncompressed is a distinguisher but there isn't anything you can do about that.
12:33 <@gmaxwell> normal users also end up with a mix, so you having a mix doesn't distinguish it as a CJ, but it may hurt users privacy.
12:34 < andytoshi> ok, thanks
12:34 < andytoshi> maybe when i get time to do this 0.9 will be out .. it'll be 3-4 weeks
12:35 < andytoshi> i have been learning crypto 12 hours a day for the last week or two, but i have schoolwork to get on :}
12:36 <@gmaxwell> Certainly not a priority.
13:25 < maaku> very appropriate response to telegram : http://thoughtcrime.org/blog/telegram-crypto-challenge/
13:29 <@gmaxwell> that's really quite brilliant.
13:30 <@gmaxwell> I've suggested a thought experiment of the same ilk in the past: imagine bitcoin with the hashes replaced with md5 and the crypto replaced with 512 bit RSA. .. what is the security like? as a metric in how robust the overall system is to weak crypto.  Neat to use that as a test of a test.
14:06 < phantomcircuit> maaku, i love that
14:07 < phantomcircuit> gmaxwell, as long as people didn't reuse addresses? still pretty secure
14:07 < phantomcircuit> neat
14:07 < phantomcircuit> i think the biggest issue there would be someone generating collisions with block hashes/transactions
14:07 <@gmaxwell> So cryptocurrencies which "fail inflationary"... which is a property that things like USD has, if you print really good fake USD .. well everyone takes the cost. Not the person that accepted the fake USD, at least not if its sufficiently good.
14:08 <@gmaxwell> phantomcircuit: yea, but that would mostly be a DOS vulnerability and it would result in invalid data, so you could just ban peers that give it to you.
14:08 < phantomcircuit> right
14:08 < phantomcircuit> except now you need to have the full set of txids
14:08 < phantomcircuit> or actually you dont
14:08 <@gmaxwell> It would be totally plausible to make it so that if you get tricked by a recent valid-looking bitcoin fork, that both parties get paid. Thus moving the cost of such an attack to everyone holding bitcoin and not just the guy accepting it.
14:09 < phantomcircuit> as long as it's not in the utxo right now reusing a txid wouldn't break things
14:09 < phantomcircuit> theoretically
14:09 < phantomcircuit> gmaxwell, heh incentivize miners to intentionally build forks though
14:09 < phantomcircuit> incentive
14:09 < phantomcircuit> word*
14:10 <@gmaxwell> phantomcircuit: maybe. setting it up right might be tricky.
14:10 < phantomcircuit> heh understatement of the year goes tooooo
16:15 < nsh> ;;title http://thoughtcrime.org/blog/telegram-crypto-challenge/
16:15 < gribble> Error: This url is not on the whitelist.
16:16 < nsh> nu
16:16 < nsh> "So Telegram developers, by way of a response, I have my own crypto cracking contest for you. Below is a horrifically bad protocol that wouldn't last a second in a real world environment, but becomes when presented in the exact same framework as the Telegram challenge."
16:16 < nsh> +1
17:20 < adam3us> phantomcircuit: what requires a lot of private key ops?
17:21 < brisque> adam3us: importing a deterministic wallet maybe?
17:22 < HM2> Moxie is grand
17:25 < brisque> Moxie has an incredibly awesome name.
17:26 < phantomcircuit> adam3us, signing
17:26 < HM2> Diffie said at an RSA conference, not sure if last or this year, that he thought Moxies name was a joke when they first met
17:27 < HM2> (they were talking about Convergence)
17:29 < HM2> I'm guessing Moxies challenge is actually pretty hard because 896bit RSA is reasonably outside computable for average readers
17:30 <@gmaxwell> HM2: his point was to make it clearly unacceptably insecure in several ways but still almost certain to not be broken in the context of the challenge.
17:30 <@gmaxwell> In reality such a system would be broken if it were used for a long time on something high value.
17:31 < HM2> right, if there's a time limit you can get away with weak crypto
17:31 < HM2> but i'm not sure how it's a fair comparison
17:32 <@gmaxwell> http://crypto.stackexchange.com/questions/12425/why-are-the-lower-3-bits-of-curve25519-ed25519-secret-keys-cleared-during-creati
17:32 <@gmaxwell> wtf are with the responses there?
17:32 < HM2> ah
17:33 < HM2> RSA is still more secure than I thought
17:33 < HM2> you can claim $75,000 for factoring 896 bit
17:33 < HM2> 768 bit was factored in Dec 2012, so Moxie has chosen that deliberately
17:34 <@gmaxwell> HM2: hm? the challenges were withdrawn.
17:34 < brisque> HM2: did he use the factored key in his challenge?
17:34 <@gmaxwell> HM2: sure he did. but at the same time we know that 896 is clearly achievable.
17:35 < HM2> sorry, you're right. 2010
17:35 < HM2> why did they retract the challenges? :S
17:35 < HM2> it seems people have been factoring the keys published under the challenge without the financial incentive
17:35 <@gmaxwell> Yes, they have been.
17:38 < HM2> I wonder if he really did dig up an instance of Dual_EC_DRBG to compute the super_secret
17:38 < HM2> I'd wager he didn't
17:38 < brisque> lots of things support EC_DRBG
17:38 < phantomcircuit> HM2, cat /dev/random on a recent but not too recent freebsd box isn't too hard
17:38 < brisque> he probably did, given the way the "contest" is presented
17:40 < brisque> this is something I thought of when helping somebody with their botched job of making a d dropped the end off and I had to remake the hash portion for them to be able to import it.
17:40 < brisque> most of the problems people encounter seem to be with private keys, spending from them and screwing up the keys, not writing them down with capital letters, all very preventable errors. it seems to be proposed in the mailing list that the will be removed and replaced with which seems to fix many of these issues.
17:40 < brisque> could we go further, and make a paper wallet system. the user selects an amount, and an address is created and the funds sent to them. the token is then presented for writing/printing/saving and not saved to the wallet. the token is armoured with a large amount of parity, enough to save the user if there is user created damage. it can only be spent from by destroying it by importing it, and the UI mak
17:40 < brisque> it removes a lot of the danger, and gives the users something useful at the end of it. is this madness, stupid, fantastic? I can
17:41 < HM2> you should just send the keys to moonpig.com and have them sent to them on festive cards
17:41 < HM2> i'm sure they have an API
17:42 < brisque> HM2: a snowman with a carrot phallus, charming.
17:43 < HM2> you obviously made snowmans differently when you were younger to how I made mine
17:44 < brisque> it's one of the cards on the page you linked to
17:46 < HM2> you know, it occurs to me that you could bruteforce moxie's challenge
17:46 < HM2> feasibly
17:48 < brisque> you can brute force lots of things, that doesn't mean it's worth the money to
17:48 < HM2> he's not offering any money hah
17:49 < brisque>  I meant it's not worth spending my money on EC2 instances
17:50 < phantomcircuit> HM2, bruteforce which part
17:52 < HM2> well i was thinking his message is only 16 bytes
17:52 < HM2> and it's probably something fun
17:52 < HM2> or seasonal
17:52 < brisque> could just as well be /dev/random though
17:52 < HM2> it might even contain words from his post
17:52 < HM2> sure, but this is Moxie
17:53 < HM2> it doesn't help anyway
17:53 < HM2> he makes a good point
17:57 < phantomcircuit> HM2, come up with a message
17:57 < phantomcircuit> xor it against the cipher text
17:57 < phantomcircuit> present as key
17:58 < phantomcircuit> laugh as people who don't understand xor go wild
17:58 < HM2> heh
22:41 < Emcy> http://engineering.bittorrent.com/2013/12/19/update-on-bittorrent-chat/ anyone think this will be much cop?
22:41 < Emcy> seems like theyve just said "moar dht" again
22:42 <@gmaxwell> I wish them luck.
22:43 <@gmaxwell> I would certainly be happy if DHTs were the magical tools people often assume they are. The more systems that get built which fail obviously when the DHT doesn't work the more likely people will work out the issues.
22:44 <@gmaxwell> and even if it only hardly works, we can still abuse it for carrying bitcoin traffic. :P
22:44 < Emcy> haha
22:45 <@gmaxwell> (after all, when we have multiple transports no single one needs to be perfectly reliable)
22:45 < Emcy> their existing sync product uses dht too. They claim it's secure and everything, but there's no way to really tell
22:47 < Emcy> i don't think bram cohen likes just throwing the complete spec out there anymore, after what happened with bittorrent
22:52 < nsh> what happened? people made clients?
22:53 < Emcy> basically
22:54 < Emcy> bittorrent has been trying to 'go legit' quite hard recently though
22:56 < nsh> hmm
23:02 < Emcy> http://engineering.bittorrent.com/2013/12/19/dht-bootstrap-update/ hmm thats more technical detail, theyre trying to harden dht against sybil
23:03 < Emcy> also open sourced the bootstrap server which is nice
23:11 <@gmaxwell> I think I'd mentioned before, but the businesses that screw with bittorrent for the recording companies and movie studios already pay ISPs for huge amounts of address space spread across as many /8s and /16s as possible.
23:24 < Emcy> hmm
23:33 <@gmaxwell> maaku: wtf is a "varchar()" is it a null terminated string?
09:25 < adam3us> TD: "TD: (too hard to build secure software systems)" i worry about this.  baseband hacking smart phones, targeted sophisticated malware, code base targeted tampering, human error over time.
09:25 < sipa> /ignore WOODMAN
09:25 < TD> adam3us: best "solution" such that it is, is to avoid large pileups of value in one place
09:25 < adam3us> TD: it doesn't seem like security has even warmed up yet.  even the trezor & armory wallet are not safe from address substitution and payment protocol still leaves a gap in the merchant server
09:25 < TD> however, wealth inequality will not go away anytime soon. so .... not sure how far that takes you
09:26 < adam3us> TD: i think u could operate quite a bit of bitcoin ecosystem with airgap security protecting funds and airgap level of assurance of ownership of addresses
09:26 < adam3us> TD: even an exchange.
09:28 < adam3us> TD: (using color coin or better labelled /tagged coins on a pegged side chain and an offline issuer key issuing USD against a client funds issuer account. with a high reputation issuer)
09:31 < adam3us> TD: i think the airgap could save it as the exchange then has no btc funds or usdcoin funds at stake.  all cash funds are held in offline airgapped wallets at all times.  physical security for a merchant is like any supermarket... an armored truck deals with emptying.  but even better, they can sweep electronically to a vault with armed guards at company HQ.
09:31  * TD -> away
09:35 < adam3us> hmm so maybe a solution is a different property coins circulating though. optionally intentionally (time-limited) revocable coins for large tx by companies to derisk their storage from physical assault.  and you can convert from revocable to irrevocable simply by waiting for the escrow smart-contract clause to expire
09:37 < adam3us> and similarly irrevocable become revocable by adding the escrow agent smart-contract.  actually for storage the revocability needs to be permanent.  the way you remove it is to spend it to an irrevocable address with the cooperation of the escrow agent.
10:40 < adam3us> TD: btw something else on the topic of software security and not daring to make changes to btc anymore, it seems to me there may be scope to simplify high value storage & tx and perhaps layer the assurance.  eg full node only model requires less validation, less code, less assumptions, and high value can afford full node reliance.  not sure how to layer that upwards to SPV separately, but it seems like a desirable property
10:41 < CodeShark> adam3us: what about high values formed by aggregating lots of small ones?
10:41 < adam3us> TD: also apropos of the new discovery of a 23-year-old remote root in all intervening? versions of X11.  how would that look for btc as a world currency.
10:42 < adam3us> CodeShark: doesnt change the picture, we're talking systemic risk of value bug
10:47 < michagogo|cloud> ;;later tell shesek Looks like the magic bytes appear 250,010 times in the first 250,000 blocks on disk (bootstrap.dat)
10:47 < gribble> The operation succeeded.
10:54 < sipa> michagogo|cloud: they could be occurring a few times just randomly as part of other data
10:54 < sipa> though 10 times is a lot
10:54 < michagogo|cloud> sipa: Yeah, I know that
10:54 < michagogo|cloud> (we had this discussion earlier (today or last night))
10:55 < jgarzik> adam3us, RE X11... url?
11:36 < adam3us> jgarzik: http://lists.x.org/archives/xorg-announce/2014-January/002389.html
11:38 < adam3us> jgarzik: "checked in on 1991/05/10, and is thus believed to be present in every X11 release starting with X11R5 up to the current libXfont 1.4.6"
11:39 < andytoshi_> adam3us: that bug is older than i am!
11:39 < sipa> andytoshi_: wow :o
11:39  * sipa suddenly feels old
11:39 < andytoshi_> well, only by 3 months :)
11:39 < sipa> well, I was in my first year at school in 1991...
11:42  * adam3us *is* old :) was starting CS PhD degree then
11:42 < sipa> haha
11:42  * sipa feels young
12:00 < WOODMAN> sipa take it somewhere else
12:00 < WOODMAN> sipa now
12:00 < WOODMAN> take it to lethargic IRC chat
12:00 < WOODMAN> now
12:00 < WOODMAN> go
12:00 < WOODMAN> run
12:01 < helo> :/
12:07 < WOODMAN> you kids are funny
12:07 < WOODMAN> B)
12:39 < justanotheruser> andytoshi_
12:40 < justanotheruser> do you have logs from the 2 way pegging discussion?
12:41 < nsh> justanotheruser, it's still in my buffer. can pastebin it
12:41 < nsh> (was meaning to give it another read later anyway)
12:43 < justanotheruser> nsh: please do
12:43 < nsh> moment
12:44 < justanotheruser> nsh: you mean the discussing I wasn't involved in right?
12:44 < nsh> oh, i meant from earlier today. i missed the discussion when gmaxwell mooted it
12:44 < andytoshi_> justanotheruser: one sec, i'm pretty sure i do..
12:45  * nsh defers to andytoshi
12:45 < nsh> (here's today, in any case (unlisted on pastebin): http://pastebin.com/Aefaxfew )
12:47 < justanotheruser> thanks nsh
12:48 < nsh> np
12:54 < andytoshi_> justanotheruser: sorry, i can't find it on my server's logs, will check my laptop's logs when i get home
12:55 < andytoshi_> there are memories in my brain of it, so i'm pretty sure i was present
12:55 < justanotheruser> andytoshi_: ok please PM me them, thank
12:55 < justanotheruser> s
13:53 < gmaxwell> andytoshi_: I made a kind of boring comment about the vntinyram paper: https://groups.google.com/forum/#!topic/scipr-discuss/1psbALDMkAI  (mostly I just wanted an excuse to post to the list and see if anyone was reading it, since there were no posts ever)
14:46 < nsh> gmaxwell, is that what you were referring to in this: "but the really small ones have some uncomfortable security tradeoffs (CRS assumption) the ROM ones are somewhat larger (eg 20kb, though I did invent a novel compression scheme which may help, so they may not be good for compressing header proofs" from earlier?
14:49 < gmaxwell> nsh: no.
14:49 < nsh> k
15:08 < jgarzik> adam3us, sounds like the root hole is in BDF font installation
15:09 < jgarzik> adam3us, thankfully, not really an actively used or triggered area
15:10 < adam3us> jgarzik: yes.  i was well is the code in the bdf or the code is in a malicious font no? the latter is bad as someone can send u a font file.  did u know fedora 18 dvd won't install without network and downloads amongst other things fonts? (they are crazy)
15:10 < adam3us> jgarzik: or is bdf font an optional font system? so no risk if u havent installed that component?
15:11 < jgarzik> adam3us, well, (1) F18 installs fine without network and (2) any download exists inside a GPG-signed universe
15:12 < adam3us> jgarzik: hmm it depends which image u download, i tried 3 of them until i found one that installs without network cable.  their new installer is a bit of a mess, but i was pretty determined to get an all offline install and tried 7 isos from ubuntu and fedora over pretty much 2 days
15:13 < jgarzik> adam3us, at which step did you get stuck?  I might have had to do some magic to get my F18 going in its network-free VM
15:14 < jgarzik> adam3us, I keep several network-free VMs as virtual condoms for various things
15:16 < adam3us> jgarzik: about the gpg-sig.  the problem is 2-fold: one the WoT is sparse, secondly it doesn't define a merkle tree, so the content can be tailored to u and there is no rpm sig equivalent of certificate transparency
15:18 < adam3us> jgarzik: i finally gave up as i recall and used ethernet briefly i was very annoyed by that point, 2 days burnt on fedora & ubuntu i was astounded that it would fail for network on a DVD iso.  4GB and they want to fetch a font on the network or the install aborts.  actually it was probably fc 19.  i even tried ubuntu server install.
15:18 < jgarzik> adam3us, well each package comes from signed metadata package repo summary
15:18 < jgarzik> adam3us, I agree this does not solve 'tailored to u' problem
15:18 < adam3us> jgarzik: yes my point is say NSA has a copy ... ok right u get it
15:19 < adam3us> jgarzik: there is a solution.. merkle tree of snapshot of packages at iso release time, then your entire install is hardwired to the merkle root.
15:19 < jgarzik> adam3us, nobody wants packages of an era circa iso release time ;p
15:20 < jgarzik> adam3us, familiar problem as with routers:  the moment you open the box and turn on the computer, it is out of date and missing security and other critical bug fixes
15:21 < adam3us> jgarzik: actually i would happily take an out of the box for this app, which is admittedly completely atypical (i was testing armory prebuilt stuff and source stuff.)  that the DVD wouldn't install therefore was just the opposite.
15:24 < helo> hmmm... ubuntu without network has worked fine for me (via iso-on-usb)
15:27 < adam3us> jgarzik: also i guess we're going to need sooner or later the SSL / cert transparency, for rpm signatures, or something.  its pretty much spelled out in like schneier and applebaum research in the docs and articles from that that NSA has well placed TCP hi-jack infrastructure with selective payload delivery.  u could imagine they might have hacked some important signing keys via physical intrusion, black bag, NSL etc.
15:29 < adam3us> helo: i am not in a hurry to repeat that experiment it was the least fun i've had with a computer in quite a while.  this was ubuntu 10 and ubuntu 12 (whatever armory claimed to be prebuilt for, or latest stable for source) and fedora 18.  tried lots of isos.  i don't think i was dreaming.  been using linux since slackware 0.9 so i am not unusually fat fingered about linux installs
15:30 < helo> yeah, sounds pretty terrible
15:31 < gmaxwell> the fedora stuff kinda shuffles users towards the crappy live image based installers, which I think do have to be online.
15:50 < michagogo|cloud> adam3us: 10 and 12?
15:50 < michagogo|cloud> Which ones?
15:50 < michagogo|cloud> (.04 or .10?)
17:48 < petertodd> Luke-Jr: you realize I've proposed basically the same thing with my zookeyv proposal, and I even took advantage of that by ensuring that proof-of-sacrifice "blocks" in the scheme were always visible in the bitcoin blockchain, so you could know if a 51% attacker was waiting to reveal their attack to the world and outspend them
17:48 < petertodd> Luke-Jr: tl;dr: I'm way ahead of you :P
17:50 < petertodd> sipa: the problem is that if you tie things as tightly to the bitcoin chain as luke is suggesting, the moment someone mines an alt-coin block but *doesn't* publish it you're screwed because all alt-coin clients can see the block header commitment, but don't have the data to go along with it
17:50 < petertodd> sipa: OTOH if your system doesn't have that vulnerability, it's still longest chain wins and you're 51% attack vulnerable
17:50 < Luke-Jr> .. unless we softfork bitcoin
17:50 < petertodd> Luke-Jr: sure, but then it's not a merge-mined chain anymore
17:50 < Luke-Jr> petertodd: sure it is
17:50 < petertodd> Luke-Jr: No, you've just made the blocks bigger with a fancy hash commitment.
17:51 < Luke-Jr> bitcoin miners can enforce disclosure of the merged data to some degree
17:51 < petertodd> Luke-Jr: the whole point of merge-mining is that it's *voluntary*
17:51 < Luke-Jr> petertodd: hence the degree limit
17:51 < petertodd> Luke-Jr: yes, and if disclosure is enforced you've just made the blocks bigger and contain extra data
17:51 < sipa> yup, i see the problem
17:52 < Luke-Jr> only bigger for miners
17:52 < petertodd> Luke-Jr: so what? that's the problem we keep trying to solve
17:52 < killerstorm> OK, let's formulate in a different way: is there a game-theoretic research of Bitcoin? Particularly, double-spend-via-a-bribe attack: somebody wants to double-spend a large amount of money and will pay miners a bribe to help him to do that.
17:53 < sipa> killerstorm: yup, will work for large amounts; you just need to have enough confirmations that reverting it costs more than what one might pay a miner to revert it :)
17:53 < petertodd> killerstorm: yeah, and the results are ugly, don't accept 1 conf payments for $1million and do irreversible things based on them
17:54 < petertodd> killerstorm: notably it's why tx fees being the only thing paying miners leads to really ugly consequences
17:54 < jtimon> killerstorm exactly, the bigger the transaction the more you have to wait, it's not 6 blocks
17:54 < sipa> the 6 blocks number is based on statistics that assumed a much less centralizing mining landscape in any case
17:54 < petertodd> FWIW peter from the bitcoin foundation asked me last summer if I or someone else would be willing to do some research to make up a whitepaper and similar tools to advise merchants on exactly that issue.
17:55 < petertodd> dunno if that project ever went anywhere, but it's an important one
17:55 < killerstorm> I'm afraid it's much worse than you think...
17:56 < Luke-Jr> personally, I don't think merchants want to have to read a paper..
17:56 < petertodd> killerstorm: lots of people forget an attacker might be ripping off multiple people at once for instance
17:56 < petertodd> Luke-Jr: indeed, which is why peter vessenes' idea was to eventually create some calculators for said merchants to do the thinking for them
17:56 < petertodd> Luke-Jr: Like, input in the value of the tx and spit out how long they needed to wait. (subject to certain assumptions about the attacker)
17:58 < Luke-Jr> petertodd: re MM, the problem we need to solve is not forcing people to store data against their will, but also enable innovation beyond Bitcoin taking advantage of the same securing hashpower
17:58 < petertodd> Luke-Jr: yeah, well, MM isn't necessarily that innovation
17:58 < adam3us> Luke-Jr: that seems like an interesting idea.  (merge mine where the bitcoin blocks are valid alt-chain blocks)
17:58 < Luke-Jr> present-day MM style does that just fine, really. the 51% risks aren't really a real concern.
17:59 < petertodd> Luke-Jr: you realize that one of the reasons mastercoin hired me was because they realized they needed someone to study that
17:59 < Luke-Jr> petertodd: MM is what is needed to *enable* that innovation
17:59 < petertodd> Luke-Jr: again, MM fails in a hell of a lot of scenarios
17:59 < adam3us> Luke-Jr: I agree
17:59 < adam3us> petertodd: so lets see if we can improve it
18:00 < petertodd> adam3us: heh, what do you think I'm working on?
18:00 < adam3us> petertodd: judging from the above stego encoding msc into btc? :P
18:00 < killerstorm> Well, here's what I'm thinking about: Suppose we have 100 independent miners each having an equally powerful mining rig (thus one of them solves the next block with equal opportunity). Block reward is 25 BTC, normal tx fees are negligible. Somebody sends a transaction with Y BTC in it. Gets 6 confirmations. Then publishes a transaction which pays X BTC to fees. What happens next, super-rational miners realize that all super-rational miners will try to do a reorganization. Only 6 miners are NOT interested in reorganization, thus we'll have 94 miners working on a fork.
18:00 < killerstorm> Note that X is not used in equation: it can be very low. Like 1 BTC.
18:00 < petertodd> adam3us: in the mean time, my advice *without* those theoretical - and maybe impossible - improvements is that stego encoding has a hell of a lot of advantages
18:00 < adam3us> petertodd: fair enuf.
18:01 < killerstorm> You can get 25 BTC of a normal reward, or 25.1 BTC of reward + bribe, what do you do?
18:01 < petertodd> adam3us: and remember, knowing that stego encoding is useful, and damn near impossible to stop, is very valuable knowledge for bitcoin too
18:01 < adam3us> petertodd: yes i think however that its a bit of a dead end.  it much more attractive to have secure pegged side-chains or unpegged alt-chains for innovation
18:01 < killerstorm> All super-rational miners will decide to take bribe. So one only needs, say, 0.6 BTC to buy them all.
18:02 < maaku_> adam3us: I don't think you can call pegging "secure" until you get rid of the SPV trust
18:02 < killerstorm> Which basically means that if miners are super-rational and there are many of them, we should just pack and go, it doesn't work.
18:02 < killerstorm> What am I missing
18:02 < maaku_> and incidentally, i have an ignore bit to the topic until that is done :P
18:03 < petertodd> adam3us: it's a "dead end" only because I've shown that you don't need to go any further with the theory; I solved the problem modulo invasive censorship like whitelists, or P2SH^2 v2.0 - and that isn't very likely to get implemented
18:03 < petertodd> killerstorm: 0.6BTC isn't enough because the work done to get all that reward is done and there's a valuable return
18:03 < adam3us> petertodd: yeah i already figured out the stego and kept it to myself :)
18:04 < petertodd> adam3us: heh, did you figure out the timelock crypto version of it?
18:04 < petertodd> killerstorm: for the miners if they don't reorg and keep trucking they get to keep the block rewards that are already there
18:04 < jtimon> petertodd parasitism is more secure and unstoppable, fine, who cares? it doesn't scale, MSC can't do the things willet wants at scale with parasitism, at some point you will have to tell him that
18:05 < killerstorm> Well, first miners to win a block will pay 0.5 BTC to OP_TRUE, script, second will pay 0.4 BTC and so on. Each one will collect only 0.1 extra BTC, but it is nice and shiny.
18:05 < petertodd> jtimon: which is why my job there is more aimed at making *bitcoin* scale
18:05 < killerstorm> All super-rational miners think in the same way, so they will find a strategy which rewards everybody who are working on the fork.
18:05 < petertodd> jtimon: (we're all lucky they have enough cash around and pr to consider to do things that may not be strictly economically rational)
18:05 < adam3us> petertodd: no, but better.  just publish the key.  i think you do not need consensus on the key because consensus is reached on the ciphertext and its non-malleable.  same argument as committed-tx
18:06 < petertodd> adam3us: publishing the key doesn't guarantee consensus though - the idea being the timelock crypto is to be able to guarantee that
18:06 < petertodd> adam3us: e.g. if the key doesn't get published, and is uncrackable, you'll never know for sure if one isn't waiting to be published
18:07 < jtimon> ok, then I guess I would just ask you to encourage parasitism over altcoinism more openly, not just over MM
18:07 < killerstorm> petertodd: I think you're missing that 6 miners will get rewards through chain which appeared earlier, and 94 miners will get reward through a fork. Basically, 94% of hashpower will work on forking chain in these conditions.
18:07 < petertodd> killerstorm: ok, I see your point, but the problem is there's no way for those super-rational selfish miners to know they're all working on the same fork, and if they aren't, then defection makes sense
18:07 < jtimon> as always, my claim is that MM is better than independent mining
18:07 < adam3us> petertodd: no i mean dead end like focusing all energy on top of bitcoin may saturate bitcoin tx throughput and hit its scaling limits, and damage crypto currencies generally.  i think there is better scope for innovation if we can focus on uncoupling innovation (btc denominated with pegged side-chain and other with mm alt-chain)
18:08 < petertodd> adam3us: that's a nice concern, but for the individual alt-coin thing their incentive is still to defect and do what's best for them individually
18:09 < petertodd> adam3us: simple example: I want to timestamp a document. Why do I care about the "bitcoin environment" when I just want to easily timestamp something and my desire not to lose the timestamp is worth more than the tx fee to bloat the UTXO set?
08:22 < adam3us> petertodd: say with committed tx; the miner sees which tx arrived first from his point of view, but he has no idea what the tx is about, it's an opaque crypto blob to him, so if he sees also a double-spend of it, it doesn't actually matter which he chooses
08:22 < petertodd> Ah, yeah, the only order that matters is the order in the blockchain.
08:22 < adam3us> petertodd: he doesn't have to be honest to what he received over the network first
08:23 < adam3us> petertodd: so then the other thing is the miner and a given user could be in collusion (so called 51%)
08:24 < petertodd> yeah
08:24 < adam3us> petertodd: you could imagine multiple network hop encryption of the tx before ordering so that the miner and his cheating buddy cant even recognize which tx is which at that stage
08:24 < petertodd> right, but anyway, the fundamental thing is that consensus on order has to be based on what's in the blockchain, end of story!
08:25 < petertodd> don't worry about in flight transactions and other stuff
08:25 < adam3us> petertodd: yes... so its not really arbitration of what comes first, its just pick a random tx and enforce it ... coin toss if you like
08:26 < adam3us> petertodd: which is weaker than an auditable first come first served namespace
08:26 < adam3us> petertodd: or publication as you put it
08:27 < adam3us> petertodd: so can you securely define a globally consistent transaction order after the fact without the timestamper having any input involving your transaction?
08:27 < adam3us> petertodd: i think... maybe
08:27 < adam3us> petertodd: the timestamper timestamps random numbers
08:28 < adam3us> petertodd: you later apply some arbitration logic using the 6-block old timestamp output as a beacon to drive that decision deterministically
08:28 < petertodd> So here's the other thing: with this "proof-of-publication" sharded blockchain, what a transaction should look like is you would have a merkle-sum-tree of transaction inputs, that is a reference to the previous output, and a scriptSig, and then a corresponding inverse merkle-sum tree of *outputs*. Now from any output, you can audit back to any input, and because it's summed in both directions you're guaranteed for the amounts to add up. IE: an output is considered valid if you can prove a path back to a sufficient number of valid inputs.
08:29 < adam3us> petertodd: truncated at IE: an outpu
08:30 < petertodd> IE: an output is considered valid if you can prove a path back to a sufficient number of valid inputs.
08:34 < petertodd> So, now lets look at the proof-of-publication side of things: what's the absolute minimum thing you need to prove has been published? So we can define transaction outputs uniquely as H(txout)=txoutid. That txoutid commits to the scriptPubKey associated with the txout. Thus what you want to know, is has there ever been a valid scriptSig for that scriptPubKey ever published? This means we can take the entire space of all possible txouts, turn it into a radix tree, and at the base of the tree either have NULL or a "never been published" txout, or H(txin) if the transaction output has been spent.
08:35 < petertodd> (did that get cut off?)
08:35 < adam3us> petertodd: after turn it int
08:35 < petertodd> turn it into a radix tree, and at the base of the tree either have NULL or a "never been published" txout, or H(txin) if the transaction output has been spent.
08:35  * petertodd googles irssi split messages
08:37 < sipa> petertodd: http://scripts.irssi.org/scripts/splitlong.pl
08:37 < petertodd> sipa: what's the magic thing to actually load that?
08:37 < sipa> put it in ~/.irssi/scripts/autorun :)
08:38 < sipa> or use /scriptload <filename>
08:38 < sipa> /script load, sorry
08:38 < petertodd> ha, cool, thanks
08:39 < adam3us> petertodd: catching up "valid if sufficient number of valid inputs" but i think the miners dont care whats in the block i think you have to go back to genesis
08:39 < adam3us> petertodd: not that thats a problem
08:39 < petertodd> anyway, so mining is now a matter of making new versions of that radix tree, and mining fraud is confirming a transaction output as spent when no valid scriptSig existed
08:40 < petertodd> you still need blocks, but blocks are just proof that you manipulated the radix tree in the right way, and how much of that tree you choose to store is up to you.
08:40 < adam3us> petertodd: well there are two possible levels of validation i think you are still validating sigs at mining level, with committed tx i didn't even do that
08:41 < adam3us> petertodd: so maybe you are heading back towards increasing validation again in a diff design towards an alternate spv model with this input/output trie
08:42 < petertodd> Right, see, if miners didn't validate sigs, this system would work only slightly differently: the bottom of the radix tree would be a list of data items. Generally the data items would represent spends of the transaction that could be validated, but they wouldn't have to.
08:42 < petertodd> Again, the fact that there can only be one data item stored in the chain per txout is an optimization.
08:42 < adam3us> petertodd: yes
08:44 < petertodd> So now ask, as a Bitcoin 2.0 user, how do I know a transaction was valid? Well, this is where it gets a bit ugly: for every input required by that transaction output, you need to prove to yourself that the part of the radix tree that committed to the fact that your txout was unspent, has always been unspent.
08:44 < adam3us> petertodd: problem encountered at detail level when trying to do this with committed tx is that you have to be able to prove to your recipient that a forged spend is bogus and you can't do that with hashes (not easily ... i didn't see a way) so i had to use a MAC so you can prove ok if you see the mac & sym encrypt so you can give the recipient the enc key and they can see it matches the mac but decrypts to junk
08:45 < petertodd> IE, by doing that, you've proven that miners have been honest, with respect to that particular transaction output.
08:47 < petertodd> Ah, ok, so this is an interesting point: lets suppose a miner changes the state of the TXO set they commit to from, say, unspent to spent, but you've never actually spent the transaction? What then?
08:48 < petertodd> This is really ugly, because you can't prove a negative: the bottom of the tree is a hash, and you can't show that the hash is invalid!
08:48 < adam3us> petertodd: yes that sounds probably analogous - what i found was i need to be able to demonstrate to my recipient that the spend is fake
08:49 < petertodd> All you can do is show that every block ever mined *didn't* have a transaction in it spending that txout.
08:49 < adam3us> petertodd: precisely
08:49 < petertodd> Which gets to the other issue: this radix tree shouldn't be all TXO's ever, it should only be the TXO's in some time period! Now you *can* show this, by providing proof on a block-by-block basis.
08:49 < adam3us> petertodd: i had two possible solutions: require that it be signed, and you reveal your pub key only to the recipient and then they can see this is garbage
08:50 < petertodd> um, retype that?
08:51 < adam3us> petertodd: so eg what goes in the tree is ecdsa r, s value rather than hash output, so no-one has a clue what it means (except tweaked in some way so they can't compute Q from r,s via ecdsa recovery)
08:52 < petertodd> So maybe to keep this proof small, what we want is to "merge" old history: first commit to the transactions that were in the past block, then all in the past two blocks, then four blocks and so on. The proof is now "I prove a valid spend didn't exist in the past 1 block, or the two blocks, prior, or the 4 blocks prior to that etc."
08:52 < petertodd> You can prove fraud, simply by showing that a spend did exist at layer 2^n, and layer 2^n+1 didn't include it.
08:53 < petertodd> adam3us: hmm... I'll have to read up on that again... I'm not familiar enough with the details.
08:55 < adam3us> petertodd: basically (i forgot also details) but you want to ensure that you can prove forgeries are garbage via encryption, or signature so that while someone can forge "spends" you can prove they are garbage, using the advantage that you have the signature private key of the undisclosed public key hashed in the address
08:55 < petertodd> Basically what this 2^n scheme is doing is making miners make commitments to what txouts were spent over increasingly larger fractions of the blockchain. The *point* of it, is to be able to recover from the case where an invalid tree is committed, and no-one catches it: you give the person you're sending the coins to the proof of miner incompetence, and they take that into account. (or conversely, a miner distributes that along with their block)
08:55 < adam3us> petertodd: so then its not proving no spends, its proving no spends or all spends are forgeries
08:55 < petertodd> Ah I see.
08:56 < adam3us> petertodd: not in a clever way... you just give the recipient a key to decrypt all of the forgeries and then test them as if they were dsa sigs.. if they are not the recipient throws them away
08:56 < petertodd> yeah
08:58 < adam3us> petertodd: so it circles back to your comment that suppressing doublespends being stored is just a storage optimization; if you give the miner some way to verify the sig, he can throw them away himself
08:58 < petertodd> adam3us: Yes... and no. Someone's gotta have this !@#$ data at some level.
09:00 < petertodd> As clever as all of the above is, without the data it's just commitments. Even worse, without the data you can't change what is being committed to.
09:00 < adam3us> petertodd: the objective with committed tx is to keep the miner in the absolute dark so he knows nothing, as that robs him of policy based decision making and so the amount, sender, and recipient are all hidden
15:25 < jrmithdobbs> i think test-driven-development (besides making me want to kill people) actually *PROVES* (like, possibly mathematically, with a bit of fiddling) that SSL/TLS is broken by design
15:25 < jrmithdobbs> think about this for a second
15:25 < jrmithdobbs> so, I'm trying to add proper cert validation to some code acting as a tls client
15:25 < jrmithdobbs> let's assume i can get the code correct, i move on to writing the test cases for it
15:26 < jrmithdobbs> let's even assume we get past that part
15:26 < jrmithdobbs> now the test suite needs to act as a tls server in order to use the certs in the test cases
15:26 < jrmithdobbs> which means the code now needs functionality completely irrelevant to its actual purpose
15:26 < jrmithdobbs> which means you have a new set of functionality to test
15:27 < jrmithdobbs> problem: a valid tls server implementation requires valid x509 validation
15:27 < jrmithdobbs> so we can't test the tls server code without solving the original problem the tls server code is meant to solve
15:27  * jrmithdobbs MIND BLOWN
15:27 < jgarzik> hmmm
15:27  * jgarzik scrolls back, after putting down wife and 2 kids for naps
15:28 < jrmithdobbs> if it can't be proven to "broken by design" it can at least be proven that there is no such thing as a tls *client* only servers acting as clients
15:28 < jrmithdobbs> (which to me really, is the same level of brokenness due to complexity in this context, really ;p
15:28 < jrmithdobbs> )
15:29 < HM> jrmithdobbs: i just give up
15:29 < HM> throw stunnel up in front of your server, firewall things properly
15:32 < jrmithdobbs> that doesn't fix the fact that this shit isn't validating certs properly on outbound connections and the fix to make it so wont get merged without test cases ;p
15:32 < HM> what 'shit' is this?
15:33 < jrmithdobbs> (all of the above came from a real scenario, not imagined PKI/x509 whining, jfyi https://github.com/gitlabhq/gitlabhq/issues/3445 )
15:33 < HM> yeah
15:34 < jrmithdobbs> this shit is unimplementable in a deterministic fashion =/
15:34 < jrmithdobbs> what a clusterfuck
15:35 < jrmithdobbs> can't even blame ruby (let alone rails, this is the non-rails part of the app, though the rails part uses https for git cloning without verifying too! ugh!)
15:35 < jrmithdobbs> this is a problem with the standards not the language =/
15:35 < HM> how can CN verification be off?
15:35 < jrmithdobbs> because it was never on
15:36 < HM> actually stunnel does this as well
15:36 < jrmithdobbs> openssl doesn't do that for you, it just verifies the chain
15:36 < HM> " Specifically for level 2 every non-revoked certificate is accepted regardless of its Common Name"
15:36 < HM> default is level 0
15:36 < HM> stunnel is a proxy frontend for OpenSSL basically
15:36 < jrmithdobbs> binding it to an identity (the fqdn in the case of https) is outside the scope of openssl's implementation
15:36 < jrmithdobbs> believe it or not
15:36 < HM> wouldn't surprise me if those levels were part of the openssl api
15:36 < jrmithdobbs> people don't seem to realize this
15:37 < jrmithdobbs> so nothing but browsers validates properly, basically
15:37 < HM> hmmm
15:37 < jrmithdobbs> gmaxwell linked a paper that backs up that statement a while back
15:37 < HM> what about SNI?
15:37 < HM> that moves the requested hostname up to the SSL/TLS protocol level
15:37 < jrmithdobbs> doesn't matter if you don't check the identity after performing the sni operation
15:38 < jrmithdobbs> sni solves a different problem
15:38 < HM> sure
15:38 < jrmithdobbs> the problem is nothing verifies the identity, not in requesting the right identity (though that is a problem too, and i'm not sure how well sni addresses it because i've not looked at it much because nothing supports it)
15:38 < amiller> gmaxwell, tpm and split key are so *boring* i wish you would toss along "or another blockchain" as another kind of delegation
15:39 < jrmithdobbs> amiller: imagine the tpm is controlled by an agent, not so boring now, eh?
15:39 < jrmithdobbs> ;p
15:39 < amiller> that's just a tpm
15:39 < amiller> agent is a non-word there
15:39 < HM> i think SNI would solve it
15:39 < jrmithdobbs> HM: it doesn't.
15:40 < jrmithdobbs> HM: sni doesn't have anything to do with the fqdn -> subject/subjectAltName binding/verification step
15:40 < HM> for http?
15:40 < HM> i don't know what gitlabhq is
15:40 < jrmithdobbs> HM: it's a method for requesting the identity you intended, if you don't verify it afterwards sni doesn't force you to verify it afterwards any more than plain https
15:40 < amiller> the options are a) use a magic tpm remote attestation device, b) use an M-of-N split of designated trust identities, or c) an anonymous public competitive process like bitcoin
15:40 < jgarzik> amiller: boring but useful, in the stated use case (spend to address -> trustworthy, automated split of spent funds to N independently controlled addresses)
15:41 < jrmithdobbs> HM: think github / gitolite / gitorious
15:41 < HM> perhaps you're right
15:41 < jrmithdobbs> sni is kind of stupid too
15:42 < jrmithdobbs> because http just needs a real starttls command ;p
15:42 < amiller> jgarzik, fair enough, in order of usefulness i'd say the order goes (most useful) an anonymous public competition, (second most useful) m-of-n trusted designees, (last most useful) tpms
15:42 < jrmithdobbs> sni already requires agreement on protocol level changes, if you're conceding that just add starttls to http damn it
15:43 < HM> jrmithdobbs: https://www.ietf.org/rfc/rfc2817.txt this isn't good?
15:43  * amiller reads up and finally sees jgarzik's original question though
15:43 < amiller> that would be really easy to encode with more powerful scripts and wouldn't require any of the three *fancy* solutions...
15:44 < jrmithdobbs> i should write a paper about this experience
15:44 < jrmithdobbs> and title it "An indictment of x509, tls, and the security community at large."
15:44 < jrmithdobbs> ;p
15:44 < amiller> so any bitcoin value sent to this address is automatically split three ways
15:45 < amiller> that's cool
15:46 < jgarzik> amiller: ?
15:46 < jrmithdobbs> HM: you mean the 13 year old document that has no chance of ever being implemented? no there's nothing wrong with it per se, it's just never getting implemented ;p
15:47 < HM> i thought Google's SPDY was going to require TLS by default
15:47 < HM> the HTTP 2.0 scene seems to have gone quiet though
15:47 < amiller> jgarzik, that application is really cool, i haven't seen anyone talk about it before, and it's a great example of something that shouldn't require 'fancy' trust splitting techniques and would be a good justification for slightly more powerful scripts that can constrain txouts in subsequent txes
15:49 < jrmithdobbs> HM: but actually, yes, in glancing over it i can come up with a few problems with that too =/
15:49 < jrmithdobbs> HM: implementing that requires concession of http proxies, big ones
15:50 < HM> Websockets upgrade is also broken in the face of shitty proxies
15:50 < jrmithdobbs> HM: it basically MUST be possible to CONNECT through an http proxy to port 80 and 443, for starters, which if you're somewhere trying to use said http proxy for egress filtering in a non-evil-mitm way it makes things difficult without conceding to evil and mitm'ing the traffic
15:51 < gmaxwell> amiller: I don't even know how you'd really usefully express those limits... and they wouldn't be compact at all... kinda sucks to have to carry around a bunch of data in the distributed consensus for a one time operation.
15:51 < jrmithdobbs> (assuming you have access to the client, which in these scenarios you usually do)
15:51 < gmaxwell> (obviously I know how it can be expressed at all)
15:51 < jrmithdobbs> HM: also i see about 10 different ways implementations could shoot themselves in the foot with that (it's too complex)
15:52 < amiller> gmaxwell, the limits for jgarzik's split-three-ways txouts?
15:52 < HM> This is why I don't like implementing SSL/TLS
15:52 < jrmithdobbs> HM: but then, so are the range/etc operators introduced in http/1.1 that are related to that connection upgrading stuff (outside of that tls extension) is guilty of the same, so in this case it's an http and tls problem for once at least ;p
15:53 < jrmithdobbs> http with or without tls is a security nightmare to implement correctly, adding tls in any way makes it that much more convoluted =/
15:53 < amiller> i don't know why i never thought of it before but it might be exactly the simple killer app i've been hoping for...
15:53 < gmaxwell> amiller: Yes, well he didn't say /three/ ways...
15:53 < jgarzik> amiller: arbitrary split, not 3-way
15:53 < HM> jrmithdobbs: let's leave http now :P
15:54 < amiller> the basic thing that this would need to work is a way for a txout to validate txouts in subsequent txes
15:54 < jgarzik> amiller: Example: lead dev gets 50% of funds, remaining devs split remainder of funds.
15:54 < gmaxwell> amiller: hm? I thought you'd talked before about constraining following txouts? but it becomes messy fast. e.g. what happens when you want to spend two coins in the following txout with conflicting constraints?
15:54 < amiller> the representation would be like a remaining balance for each of the parties, rather than one total btc amount
15:54 < jgarzik> a "fund broadcast" almost
15:55 < amiller> so each 'change' tx would have to put back the correct amounts for the other parties
15:55 < amiller> oh or the simplest thing
15:56 < amiller> maybe make it so anyone can spend it
15:56 < amiller> but... the only 'valid' way to spend it is to split it into however many txouts
16:03 < amiller> so yeah i have talked before about constraining following txouts but i've never had any example where that was necessary or the easiest way to implement, but this is a good candidate
07:15 < adam3us> petertodd: it is a deterministic signature however, if you spend to the same recipient, same amount you release the same sig, so no leak
07:16 < petertodd> yup
07:16 < petertodd> but anyway, I gotta go
07:16 < adam3us> petertodd: so you need like database transactional behavior
07:16 < adam3us> petertodd: 'night!
07:16 < petertodd> later
07:16 < petertodd> read through that txin post if you could btw
07:16 < petertodd> thanks
07:16 < adam3us> petertodd: i am
07:26 < jtimon> petertodd I'm still reading your proposal, looks very promising
07:38 < jtimon> I have some questions when you get back
07:45 < warren> The obscure exploit in Litecoin's code for the clones with non-Litecoin parameters might not actually work.  They're failing to make a copy of our code work at all.
08:16 < Emcy_> it seems like you really want to see that logic bomb go off
08:21 < Emcy_> did i just hear right that the foundation is involved in some sort of child protection "task force"
08:23 < Emcy_> that pretty much precludes any endorsement of measures to counter things like CV, or even indifference since there's no way to magically separate out 'good' uses of privacy from bad ones
08:23 < Emcy_> however desirable that may be especially in this case
08:25 < warren> The logic bomb may or may not exist.  They lack the ability to figure out if it exists.
08:25 < warren> They can't even get the code to run.
08:27 < Emcy_> also i find it interesting that the first panel consisted of the reps from the very serious and scary agencies and depts of government, and the second panel they threw a child protection guy in with the actual 3 reps from the bitcoin community.
08:27 < Emcy_> an attempt to steer the commentary or am i just cynical
08:30 < Emcy_> god did he really have to namedrop some of those onion sites........
08:32 < Emcy_> now he just basically said we need to break privacy for everyone because actual police work is expensive and difficult
11:52 < petertodd> jtimon: thanks!
11:53 < petertodd> warren: lol
11:53 < TD> wow
11:54 < TD> tony actually submitted my smart property auto loan protocol as an example to the US Senate
11:57 < petertodd> TD: congrats!
11:57 < TD> thanks!   a little bit of #bitcoin-wizards has gone to washington :)
14:43 < BlueMatt> TD: nice!
14:43 < sipa> it's in 45 minutes, right?
14:43 < sipa> *47
14:43 < BlueMatt> yea
14:51 < TD> BlueMatt: wanna see a video of micropayments based file download app?
14:52 < BlueMatt> TD: really? yes!
14:52 < TD> http://www.youtube.com/watch?v=r0BXnWlnIi4
14:52 < TD> i made this for a journalist who is writing a story about cool stuff you can do with bitcoin, contracts and so on
14:52 < TD> he wanted to see it
14:53 < TD> it's not _quite_ ready to ship yet but a guy has turned up to help and is serious, he's been submitting patches. so i think it should launch by EOY
14:53 < BlueMatt> TD: wow, that is beautiful
14:53 < BlueMatt> is the code public?
14:53 < TD> https://github.com/mikehearn/PayFile
14:54 < TD> there's a CLI and a server as well, of course
14:54 < BlueMatt> awesome
14:54 < BlueMatt> out of curiosity, how long did it take you to bootstrap that?
14:55 < BlueMatt> ok, this seems unreasonably high, sending a block from new york -> sydney -> new york is taking multiple seconds???
14:55 < BlueMatt> is that a shitty network stack or is that shitty tcp?
14:56 < TD> the actual amount of code is small, but i developed the wallet template app and fixed a bunch of micropayments issues along the way so hard to say
14:56 < TD> but if you look at the code it's not very complicated
14:56 < TD> switching it to use a properly abstracted protobuf rpc layer like p2proto would reduce the code size even further
14:56 < TD> also it's java 8 so i get to use lots of lambdas and CompletableFuture
14:56 < TD> which is sort of like ListenableFuture but on steroids
14:57 < TD> but payfile was an evenings and a few weeks jobby
14:57 < BlueMatt> ahh, well, still...thats awesome
14:58 < TD> when it's done i was thinking of making some video tutorials where i actually code it up, on the video
14:58 < TD> i reckon we can make the code required small enough that a code sprint from start to finish could be just a few hours
15:00 < BlueMatt> yea, in theory it shouldnt be hard, but yea, thats pretty awesome
15:00 < BlueMatt> a tutorial would be pretty cool, get people using micropayments
15:01 < TD> right
15:06 < TD> anyway glad you like it. and yeah i put in some effort to make it look nice and be usable, like with the qrcode button
15:07 < TD> i'm looking forward to seeing what people make of it. we found a really nice java installer creator as well - you can even create windows installers from mac/linux without needing windows (signed!)
15:07 < BlueMatt> damn
15:08 < BlueMatt> yea, Im not sure about the use it will get, but its a perfect example for micropayments and it should drum up some interest for other related projects
15:09 < TD> well downloading files isn't terribly important.
15:09 < TD> but simon, i think, is ambitious. he wants to evolve it towards gmaxwell's StorJ vision. like after v1, he wants to do uploads, and from there ....
15:11 < BlueMatt> ooo
15:11 < BlueMatt> yea, ok, thats very useful
15:36 < coryfields> Luke-Jr: around?
15:37 < cfields> Luke-Jr: just in case i was invisible just now, re-ping
15:44 < phantomcircuit> hmm
15:45 < phantomcircuit> im running master on a server with zfs
15:45 < phantomcircuit> a client is reporting that the time of a block it's sending is too far in the future
15:45 < phantomcircuit> given it's zfs im not thinking disk corruption is likely
15:59 < Luke-Jr> cfields: ?
16:12 < petertodd> TD: in addition to data streaming, here's another application for your micropayments: http://www.reddit.com/r/Bitcoin/comments/1qzr3n/when_escorts_start_accepting_payment_in_bitcoin/cdi450c
16:13 < TD> like pay-per-minute sex? i think that establishes the wrong incentives ....
16:13 < petertodd> TD: hehe
16:13 < TD> i guess camgirls could use it though
16:13 < warren> cfields: you still going to do the qt dep upgrade?
16:14 < TD> if there was a generic pay-per-second stopwatch
16:14 < TD> petertodd: btw, economist writes up fidelity bonds/sacrifices on the babbage blog: http://www.economist.com/blogs/babbage/2013/11/internet-security
16:14 < petertodd> TD: actually that'd be a nifty thing... generic payment-protocol-using pay-to-time-money
16:15 < TD> (unfortunately the journalist called it "Mr Hearn's protocol" at one point, I wrote him to correct that, dunno if he'll update the blog)
16:15 < petertodd> TD: thanks, that's awesome
16:15 < petertodd> TD: do mention the computational financial side of it too - they're both distinct use-cases
16:16 < TD> there's a larger article coming out at the end of the month in the print edition that covers more topics, not sure what it'll contain exactly
16:17 < petertodd> TD: interesting; the economist tends to have good insight
16:17 < TD> well after spending ~1 hour talking to one of their journalists, i am not really surprised by that, they do their homework
16:18 < TD> after he heard about the anonymous ID protocol he got really excited by it and obviously wanted to write about it ASAP
16:18 < TD> so that's pretty cool
16:18 < petertodd> Yeah, I think in the short term the anonymous ID stuff is much more interesting - financial uses for sacrifices are much more abstract and theoretical.
16:19 < TD> yeah
16:19 < petertodd> I mean, it's cool and all you can make fidelity bonded banks with all those nice incentives, but that doesn't mean they're useful.
16:21 < cfields> warren: osx dmg built in linux, up and running on osx :)
16:22 < cfields> Luke-Jr: deterministic dmg's would be a major headache, if even possible
16:22 < warren> cfields: can the toolchain itself be deterministic and unpacked in one of the existing VM's?
16:23 < cfields> warren: yea. going to take a while to clean it up, but that will be the end result
16:23 < warren> cfields: awesome
16:23 < petertodd> http://www.reddit.com/r/Bitcoin/comments/1qz6hn/dont_believe_the_numbers_in_blockchain_scam_alert/ <- cryptographic proof, you don't grok it
16:24 < warren> cfields: what is the minimum macosx version that it will run on?
16:24 < warren> cfields: I think we can drop 10.5.x
16:24 < cfields> warren: should be 10.5
16:24 < cfields> it's currently running on my 10.6 box
16:25 < warren> cfields: following gavin's instructions our binaries don't work on 10.5
16:25 < warren> 10.6 works
16:25 < warren> in any case are there really 10.5 users?
16:26 < cfields> warren: that discussion is tangential.
16:27 < warren> cfields: how much more work would it be to make it 32/64bit in the same binary?
16:28 < cfields> not too bad, you'd basically just do the whole things twice
16:29 < warren> cfields: can users crypto verify the .app without executing anything in the .dmg?
16:30 < warren> since the .dmg can't be deterministic
16:31 < cfields> not saying it can't be, just saying it may be an unreasonable amount of effort. .app is a much more reasonable (first) goal
16:31 < cfields> and yes
16:32 < cfields> there's still a long way to go.. it's big, it's not pretty, it was built by hand, etc
16:33 < cfields> just figured i'd mention that it's up and running
16:36 < warren> cfields: are you still doing the planned qt dep upgrade?  we've held off from touching that stuff because you requested.
16:36 < cfields> hmm, forgot about that
16:36 < cfields> yea, i'll dig it up and PR it
16:37 < warren> cool
16:37 < Luke-Jr> cfields: DMGs are just disc images, why would that be a headache? O.o
16:38 < cfields> Luke-Jr: hehe, they're far from 'just disc images' :)
16:38 < Luke-Jr> they *can be* at least
16:38 < cfields> Luke-Jr: yea. seems there's all kinds of randomness baked into the spec
16:39 < cfields> i can get to the bottom of most of it.. but to go further means really nasty hacks
20:51 < gmaxwell> This leaked information about the distribution of balances, ... with the right tree construction the leak could be reduced, but it still leaked.. and this is perhaps commercially interesting data.
20:52 < gmaxwell> So instead: You make a sum-tree over the funds you can spend, which commits to all your spendable coins and their sum value... and you commit to this in a super public way so that all customers get the same value.
20:53 < gmaxwell> oh @#$#@ I forgot it now darnit.
20:54 < phantomcircuit> gmaxwell, :)
20:55 < phantomcircuit> gmaxwell, is there already a branch which doesn't keep archived blocks?
20:56 < phantomcircuit> (or rather doesn't ever save the info at all)
20:56 < phantomcircuit> i'd like to see how well it works on my raspberry pi with it's terribly slow sd card
20:56 < gmaxwell> phantomcircuit: no. Needs fairly minor p2p changes to be correct.  (also, you will need to keep the recent blocks for reorgs, since there is no promise that you can fetch them again once the network has reorged... so not saving at all isn't really an option)
20:57 < phantomcircuit> gmaxwell, yeah the idea here is more of a poc than a production ready example
20:58 < phantomcircuit> it would be connecting directly to a node i control such that it can guarantee having 100% of the previous blocks for a reorg
20:59 < phantomcircuit> dont worry i wont be going around telling people they should all switch to my brilliant code
20:59 < phantomcircuit> :)
20:59 < gmaxwell> ohohoh right. so you sort all of your spendable outputs... and then assign contiguous ranges of spendable outputs to each customer equal to their balances. You build a tree which commits to the output<->customer correspondence. Make it highly public. And then when customers connect you give them proof that they have coin assigned to them in this proof.
21:00 < gmaxwell> phantomcircuit: we've been talking about completely inhibiting serving blocks which aren't on the main chain. though it works now.. I mean for POC.. just go delete the files ... if nothing requests them it works (if something does it'll crash. :P )
21:01 < gmaxwell> phantomcircuit: so the service has committed to one set of coins and one set of user<>coin mappings the actual mapping is irrelevant, so long as there only exists one at a time and you're not giving a custom one to each user.
21:01 < gmaxwell> This way people do not learn how much funds the service has (except very roughly by the size of the tree), and they do not learn anything about the balances of other users, except a tiny amount where a single coin owned by the service has to be split between two users.
21:02 < gmaxwell> and users only learn the identity of coins owned by the service ~proportional to their own balances.
21:03 < gmaxwell> you could prefer mappings to use coins that were deposited to the user in question too, so in the case where it isn't behaving as a shared wallet (where you really don't need the proof) the proof teaches you ~nothing you don't know from the blockchain.
21:47 < amiller> i have a really good idea, it uses a lot of fancy generic zero knowledge though
21:47 < amiller> i've been trying to make an anti-outsourcing proof of work puzzle
21:47 < amiller> one that would make something like gpumax totally implausible
21:48 < gmaxwell> amiller: one problem I had thinking about that space is that I wasn't sure that I could really define outsourcing.
21:48 < amiller> the idea is that doing the mining necessarily requires knowledge of a secret key, such that that knowledge acts like a trap door that can be used to steal the reward somehow
21:48 < gmaxwell> yea, thats the best idea I've seen here. where you do signing in the innerloop of the POW.  But how does one then make the proof small?
21:49 < amiller> maybe if we're already doing lamport signatures then that's okay
21:49 < amiller> well yeah that's the best idea so far but it's also not enough
21:49 < gmaxwell> if there are few signatures then the communication overhead will not be great enough to prevent outsourcing?
21:49 < amiller> the problem is that just having that secret key doesn't make the trapdoor necessarily easy to use
21:49 < amiller> gmaxwell, imagine you need to do a signature to scratch off a single attempt
21:49 < amiller> mining requires lots of attempts and therefore it's hard to outsource that without leaking the key
21:50 < amiller> either way give me a pass for that part, it's the relatively easy part
21:50 < amiller> the thing is even without outsourcing and leaking that key, in any ordinary scheme that looks like hash cash but with signatures, it's not obvious that the centralized service provider can't just promise not to use the trapdoor
21:51 < amiller> if the service provider could steal from one client but then would be found out, then it would be easy to believe it's not in the service provider's best interest to do so
21:51 < gmaxwell> interesting: so don't pool the payments and then this is outsourcable. :(
21:51 < gmaxwell> actually I kinda have a solution for that.
21:51 < amiller> so what i really need is a kind of silent trapdoor that can be used to steal the reward and money if it's known, but that doesn't leave any trace whether it was used or not
21:52 < amiller> something like this would create the perfect environment of distrust, which is exactly what's needed for bitcoin mining resources to be decentralized
21:53 < amiller> i have a scheme in mind to do this but it sounds a bit ridiculous, i'm going to explain it anyway and maybe it can be simplified
21:53 < gmaxwell> OKAY
21:55 < amiller> the way it works is that a successfully mined block doesn't result in a bonus immediately, instead the bonus is learned later, and it's drawn from some lottery probability distribution
21:55 < amiller> the drawing depends on information in future blocks
21:55 < amiller> in particular the drawing is influenced by statements in some future block that looks like:
21:58 < amiller> "the block reward bonus from several blocks ago is X, which is drawn from probability distribution p, and either: a) the probability is p0, or b) I know the trapdoor private key, Y, in which case the probability is only p0/3, and with separately probability p/3 if it wins then some of that sneaks out a secret channel to pubkey Z"
21:58 < gmaxwell> This may be a sign I've read too many papers, but why not use a signature scheme specifically constructed to have this vulnerability: http://link.springer.com/content/pdf/10.1007/s10207-005-0071-2.pdf#page-1
21:59 < gmaxwell> The idea is that you would have the work definition. like H(header) and then the payee would sign the header. Then the miner would UTXO hard work on it.. and if it's a winner the miner could use the weakness to change himself to be the payee.
22:00 < gmaxwell> E.g. UTXO hard mining and making it so the miner can steal the work... but they could still pass back unstolen shares to get credited.  The trick is making it so no one else can steal the block. :P
22:00 < amiller> i don't see how that prevents the service provider from basically promising that won't happen and preventing the client from detecting it
22:00 < gmaxwell> amiller:  no no UTXO hard work, and you make the client the thief not the provider.
22:01 < gmaxwell> amiller: you can solve your problem by making so that either side can cheat.
22:01 < amiller> i don't think that's enough because the client doesn't necessarily have to be paid out directly to his own key
22:01 < phantomcircuit> gmaxwell, pst pm
22:01 < gmaxwell> A lot of people spaz out thinking "omg what if the miner keeps the block for himself!" when talking about pooling. ... so make that possible.
22:04 < amiller> hm.
22:04 < amiller> well one problem with the key substitution vulnerable signatures is that the signature has to be deterministic, in order for it to be suitable for use as part of a PoW puzzle
22:05 < amiller> well maybe that's not exactly true
22:05 < amiller> hm
22:05 < gmaxwell> if the signature is before the POW hard part (E.g. it isn't the hard part itself) it doesn't have to be.
22:05 < amiller> yeah but if it's not part of the PoW hard part then it's really easy to outsource the rest
22:05 < amiller> to outsource the hard part i mean
22:06 < amiller> but anyway that's not a problem
22:06 < amiller> with this substitutable signature i mean
22:06 < gmaxwell> Right but the idea is that you make it so the solver of the hard part can retrospectively replace the address that it's paying to.  But I'm not quite sure if it's possible to make it so that he and only he can do it while at the same time make it impossible for him to tie his hands.
22:06 < gmaxwell> (e.g. and prove that he's arranged it so that he can't do it)
22:07 < amiller> so one key about my scheme is that the trapdoor holder is able to reduce the probability distribution arbitrarily
22:07 < amiller> that means he can choose any small amount that avoids detection
22:07 < amiller> or for example, only skim from the 'rare' events
22:08 < amiller> which are less likely to be detected given a lot of samples
22:08 < gmaxwell> one way to do it would be with some kind of commitment scheme to decide who a block pays to. E.g. instead of the block specifying who it pays to, you instead announce to the network the ID of a winning block and who it should pay to. And once that's propagated enough you announce the block. but then we need a blockchain to secure our blockchain, yo dawg.
22:09 < amiller> none of that prevents the mining service provider from promising to commit the winnings to the client
22:09 < amiller> it doesn't prevent the mining service provider from being detected doing that
22:09 < gmaxwell> Yep but its the user you have to worry about doing that.
22:10 < amiller> the mining provider doesn't have to share the mining key with the user
22:10 < gmaxwell> What mining key?
14:52 < maaku> adam3us: Jorge and my proposal (in the Freimarkets PDF) is to have "private accounting servers" -- private servers that speak bitcoin p2p, but with the consensus algorithm surgically removed
14:52 < adam3us> gmaxwell: the ledger is central there can be a court order to modify it
14:52 < adam3us> gmaxwell: if there is no mining there is no security against modification
14:52 < maaku> digitally sign blocks instead of proof-of-work
14:52 < maaku> but you could use open-transactions too
14:52 < gmaxwell> adam3us: the value behind the ledger is central regardless. Some court orders RS to pay cert 12345 to 23456 instead. "What now, bitches?"
14:52 < maaku> either way, you get the same security properties and don't force everyone to track your ledger
14:53 < adam3us> maaku: i dont think consensus like ripple can actually make a DBC nor a smart-contract because the transaction layer does not finally and (fairly) instantly settle
14:53 < gmaxwell> as maaku says.. what OT supposedly does is let you distribute that stuff (but not decentralize it) and it also produces receipts that can show when the ledger operators cheat.
14:53 < adam3us> gmaxwell: as i said the thing is the issuer for adam3-usd :0 is not online
14:53 < adam3us> gmaxwell: it doesnt get involved in exchange, just in changing the money supply, with an airgapped key
14:54 < gmaxwell> adam3us: there is no reason for the consensus and issuing to be the same keys... It's not like bitcoin instantly clears.
14:54 < adam3us> gmaxwell: yes sure but OT is still centralized just slightly redundant
14:54 < maaku> so if random OT server just disappears, the people using it have all the information necessary to reconstruct their accounts in their receipts, without trusting each other
14:54 < adam3us> gmaxwell: ok let me make a ripple example of why consensus fails
14:54 < maaku> adam3us: our point is that adam3-usd, goxusd, or any X-issued coin is centralized anyway, so why demand decentralization?
14:55 < adam3us> (finding email)
14:55 < adam3us> maaku: there is a reason... one sec find the email
14:55 < maaku> ok
14:55 < maaku> adam3us: are you talking about OpenCoin/Ripple.com consensus algorithm, or Ryan Fugger ripplepay accounting?
14:55 < gmaxwell> maaku: an argument is, for example the central party could be online only rarely. But I think this is a pretty thin advantage vs the tradeoff e.g. losing instant transactions and running into the global scaling and possible censorship problems with bitcoin.
14:55 < adam3us> it distinguishes ripple from bitcoin-like and makes bitcoin (mining based) inherently superior in irrevocable final settlement which keeps dispute costs out of the transaction level
14:56 < adam3us> screw it my filing system is stupid, i'll explain
14:56 < adam3us> gmaxwell: thats not it either
14:57 < adam3us> gmaxwell, maaku: lets say we're talking about ripple when they implement the ripple script
14:57 < adam3us> (they also have aspirations to do smart contracts, you can consider their gateway ious as a kind of issue)
14:57 < adam3us> except its consensus based
14:57 < adam3us> ok now imagine someone gets scammed, eg malware causes them to sign something they did not intend (their computer lied to them and they bought shares for 10 the advertised price)
14:57 < maaku> gmaxwell: very true, which is why we want to deploy Freimarkets to Freicoin, not just private servers although we expect most traffic to be private...
14:58 < adam3us> they take the evidence to a court, the court decides in their favor, slaps > 50% of ripple gw with court order to undo that
14:58 < maaku> also I imagine reconciliation at the highest level will happen on the public chain (e.g. gox and bitstamp paying each other)
14:58 < adam3us> unlike bitcoin mining-hardened block chain, there is no 50 day mining equiv param so they comply
14:59 < adam3us> with bitcoin like block chain, the court cant make that order, because its basically mathematically impossible at current compute rates, by the time a court has issued an expedited decision, the block chain will be months in at 5ph/s
15:00 < gmaxwell> adam3us: except they can just slap the stock issuer with the same order, and damn the consensus. Of course that doesn't reverse the bitcoins, but it still wouldn't reverse the bitcoins if bitcoins were transacted in bitcoins and the stock ledger was run by the company.
15:00 < adam3us> so a ripple smart contract is actually a dumb contract, and a ripple xrp is not ecash, its a revocable IOU, and a ripple usd is not ecash, and a ripple share is not a DBC etc
15:00 < adam3us> gmaxwell: yes but it doesnt matter to you
15:00 < adam3us> gmaxwell: as long as the transaction layer is fungible who cares if the court puts a random number somewhere
15:01 < gmaxwell> because it's not fungible, you just trace the colored coins and don't honor them.
15:01 < gmaxwell> "it's only fungible if you're not looking"
15:02 < adam3us> gmaxwell: yes well thats a bitcoin fungibility flaw too eh... thats why i proposed committed tx
15:02 < gmaxwell> Lets imagine that share ownership is run by the company, and people can exchange them for bitcoin by doing an atomic transaction.  court orders a reversal. You still can't make the bitcoin network reverse the bitcoins, and you still can make the company not honor them.
15:02 < adam3us> gmaxwell: bitcoin also not quite ecash until this fungibility issue is addressed somehow
15:02 < gmaxwell> adam3us: but committed tx doesn't help, because eventually the company needs to see the history to honor the shares, and in doing so they can distinguish ownership.
15:02 < BlueMatt> a court cant force the chain to change algorithms because they only have jurisdiction in some area, and they would literally fork the system if they tried to
15:03 < gmaxwell> and even if you make bitcoin fungible, you do so at the expense of making colored coins impossible.
15:03 < gmaxwell> Colored coins are achieved by breaking fungibility!
15:03 < adam3us> gmaxwell: think of the DBC share as like a chaum signature, they cant selectively dishonor them
15:03 < BlueMatt> whereas they can force a given issuer to not honour certain coins
15:03 < gmaxwell> BlueMatt: yes, what are you disagreeing with?
15:03 < BlueMatt> nothing, i was agreeing and restating
15:03 < adam3us> gmaxwell: i dont think fungibility and purpose / currency field are incompatible eg brands ecash has attributes and blinding unlinkability
15:04 < BlueMatt> youd have to have decentralized issuance/redeeming, but that becomes an issue of trust...
15:04 < BlueMatt> how do you trust all the issuers if anyone can be an issuer?
15:04 < adam3us> gmaxwell: also when you have a share in IBM, you dont turn up at IBM and demand they have an emergency stock holder meeting to do a 10 share buyback, you atomically trade them
15:04 < gmaxwell> BlueMatt: well decentralized redeeming doesn't generally make sense. :)
15:04 < BlueMatt> yep
15:05 < adam3us> gmaxwell: yes not decentralised redemption, decentralized trading
15:05 < gmaxwell> adam3us: because there is no way to distribute a classical stock market because we're not using ecash for usd. :P
15:05 < adam3us> gmaxwell: thats circular man
15:05 < adam3us> gmaxwell: so we need to issue usdcoins
15:06 < gmaxwell> adam3us: and I'm arguing that for most things decentralized trading has very little marginal value (but not zero) when issuing and redemption are centralized.
15:06 < adam3us> gmaxwell: but also once you have shares, it doesnt actually matter what they are redeemed or listed in... could be bitcoin
15:06 < gmaxwell> adam3us: if we had USD coins then I'd expect every major corporation to just run its own stock servers (or at least contract to people to do it for them)
15:07 < adam3us> gmaxwell: irrevocability and the above story about ripple implications of court case
15:07 < adam3us> gmaxwell: if a server has a database (the double spend db) it can get shutdown
15:08 < adam3us> OT receipts help but i am not sure its as robust as a block chain, and also it can be undone
15:08 < gmaxwell> adam3us: consider colored coin vs external ledger and cross chain trades.   In either case you can order IBM to not honor certain shares, or to redeem for a different party than the keys imply.
15:08 < gmaxwell> In either case the bitcoin side is irreversible.
15:08 < adam3us> eg basically what makes OT secure is that the users have receipts so if a court made all OT servers do something unpopular they could form a p2p network filled with the receipts and resume
15:09 < gmaxwell> adam3us: but doing that is worthless for shares of IBM if IBM isn't going to honor or pay dividends to those share holders.
15:09 < gmaxwell> Empty victory.
15:09 < adam3us> gmaxwell: if they are properly fungible i do not think they can order IBM to do anything
15:09 < BlueMatt> adam3us: yes they can...
15:09 < gmaxwell> adam3us: so explain how colored coins can be properly fungible in a way that IBM can't cut through?
15:10 < adam3us> gmaxwell: because they do not know who the owner of the share is
15:10 < BlueMatt> you can jump up and down all day in front of a judge and say "but...but...thats not possible"
15:10 < BlueMatt> and they will just say, "ok, make it possible"
15:10 < adam3us> BlueMatt: yes thats why central servers are bad and block chains are good
15:10 < gmaxwell> ...
15:10 < gmaxwell> again, please, tell me how its possible to do this with colored coins?
15:10 < adam3us> gmaxwell: say zerocoin
15:11 < maaku> adam3us: the problem isn't the chain/server, it's the issuer
15:11 < adam3us> gmaxwell: i'm not even saying coloring coins (literally) is a good idea, i'm just saying that a transaction layer anonymous (fully fungible) system can not discriminate at the issuer redemption point
15:11 < gmaxwell> adam3us: great and if zc were implemented as described the coin color wouldn't traverse the zc.
19:15 < gmaxwell> deciding a winner with multiparty computation is easy, and I can point you to software which you should just be able to run to do that.. but getting a transaction out of it is hard.
19:15 < maaku> nanotube: no, expected proceeds are lower for a first price auction
19:15 < gmaxwell> I don't know how to do that except by computing the signature under MPC and ... uh. hope you've got a while.
19:16 < maaku> yeah, if you figure out a truly efficient way to do that, let me know so I can co-author ;)
19:16 < maaku> the link i posted is the best i've found so far, but it's still hours or days of computation for the signature
19:17 < nanotube> http://en.wikipedia.org/wiki/Vickrey_auction#Revenue_equivalence_of_the_Vickrey_auction_and_sealed_first_price_auction
19:17 < maaku> (at least verification is fast though)
19:17 < gmaxwell> Someone on BCT recently linked to a paper claiming massive MPC speedups and also security against active attackers with only one participant required to be honest...  but it was all moonmath not something I could run so.. :P
19:18 < gmaxwell> (computing the winner is easy, you just do a sort and only output the first guy and the second price but doing a bunch of EC group operations under MPC sounds pretty painful)
19:19 < maaku> nanotube: the equivalence only holds if all bidders are using the same strategy
19:19 < maaku> with 2nd price they would be, if they are acting rationally
19:20 < maaku> with 1st price there are many pareto optimal solutions
19:20 < maaku> if their strategies are mismatched, then the result is worse off
19:24 < nanotube> mmm
19:40  * jgarzik reads scrollback
19:41  * sipa doesn't
19:41 < jgarzik> I'll probably just do sealed bid because it's easy and clearly works with bitcoin tech
19:41 < jgarzik> should be able to do a design where the HTTP server and bitcoind are both free of private keys
19:44 < jgarzik> one of the more difficult parts isn't writing the server, but getting some usable client thingamajigger
19:45 < jgarzik> command line bitcoind is decidedly sub-optimal (as TD noted earlier, on another channel and subject)
19:45 < jgarzik> need to:  add an unsigned input, add a signed input, add an output to the auction, and add one or more other outputs (change or whatever the user needs)
19:46 < gmaxwell> jgarzik: it would be really not so hard to have an advanced send tab that let you pick your outputs, then calculate/pick inputs, then sign.. and at the bottom its displaying the in-progress raw transaction.
19:46 < jgarzik> certainly I can write a JS or python tool to do that, but it's still ugly CLI and Linux-only
19:46 < gmaxwell> So you'd just use this and not hit send, but instead copy out the transaction.
19:48 < jgarzik> yep
19:48 < jgarzik> the familiar problem of building and passing around an advanced transaction
19:49  * jgarzik had once pondered a PyQt tool, that could be a companion to bitcoind, for this
19:57 < maaku> jgarzik: i'd rather have that in Bitcoin-Qt
19:58 < gmaxwell> maaku: some advanced things really want a python interpreter.
19:58 < jgarzik> maaku, it would be nice in Bitcoin-Qt but there is not necessarily a requirement to tie it tightly to the ref client
19:58 < jgarzik> having an external tool to sign transactions is nice
19:59 < jgarzik> (as I've seen with the command line txtool)
19:59 < gmaxwell> the one challenge with having an external tool is that you need to fetch the inputs to sign for them.
20:00 < gmaxwell> and so this basically requires something to have access to the utxo set.
20:43 < petertodd> jgarzik: how do you intend for the timestamping to work?
21:09 < jgarzik> petertodd, to satisfy the SIN protocol, you may provide your MPK (hash of public key) to a third party provider, who timestamps the MPK into the chain in the specified manner
21:09 < jgarzik> petertodd, or do it yourself
21:09 < petertodd> jgarzik: what's the specified manner?
21:10 < jgarzik> petertodd, https://en.bitcoin.it/wiki/Identity_protocol_v1
21:10 < jgarzik> petertodd, announce/commit sacrifice
21:10 < petertodd> jgarzik: ah, so not just a timestamp then
21:11 < jgarzik> petertodd, "timestamp" was shorthand, sorry
21:12 < petertodd> jgarzik: so basically, what you really need is just a little script that creates a new address, and when sufficient funds are deposited makes the sacrifice, and has some mechanism to give you back the sacrifice data (email even?)
21:13 < jgarzik> txtool will handle the DIY part
21:13 < jgarzik> a website will work for the lazy
21:14 < petertodd> yup
21:24 < jgarzik> gmaxwell, I suppose a best-practice would be for bids to set nlocktime to auction expiration time
21:25 < jgarzik> and the tool should create a refund transaction (double-spend) at the same time it creates the bid transaction
21:25 < jgarzik> perhaps setting nlocktime=$expiration+30 minutes
21:25 < gmaxwell> jgarzik: I wondered about that but I actually think it doesn't matter. If you bid and the seller wants to accept a bid and close the auction early, the winning bidder surely doesn't mind
21:26 < jgarzik> true
21:26 < jgarzik> seems like an option people might want, for added fairness
21:38 < gmaxwell> sipa: I'm mildly excited about this pairing crypto aggregate signature idea. Not because of the anonymity stuff, but because it makes scalable relay fees viable. and can also reduce transaction sizes in the non-anonymous case.
21:45 < gmaxwell> (or even in the anonymous case when there are more inputs than outputs:  basically this thing requires one pubkey per input (duh), one pubkey per anonymous (or added by a relayer) output, and one shared signature for the whole block. (and each of these is just one field element each, e.g. 256 bits))
21:45 < gavinandresen> gmaxwell: link?
21:46 < sipa> gmaxwell: i don't know anything about pairing crypto or what you're talking about
21:46 < gmaxwell> gavinandresen: They propose it as an anonymity thing, https://bitcointalk.org/index.php?topic=290971.0
21:48 < gmaxwell> sipa: signature algorithm that allows one way aggregation of signatures.  e.g. {message1,key1,sig1} + {message2,key2,sig2} -> {{message1,key1},{message2,key2},agg sig}  and they show how to use it to unlink inputs and outputs for privacy.
21:48 < gavinandresen> I'll always be interested in ways of making transactions smaller.
21:48 < gmaxwell> I say: the privacy use is not as exciting (coinjoin is sufficient): but this thing also gives you the ability to pay relayers, the ability to make blocks smaller, and a bit of anti-censorship.
21:49 < gmaxwell> (Anti-censorship because if someone has combined some transactions and gives them to you combined you can't uncombine them to only mine one)
21:53 < gmaxwell> But yea, I dunno much about pairing crypto.
22:25 < jgarzik> OK
22:26 < jgarzik> Decentralized auction protocol (json-rpc): https://gist.github.com/jgarzik/6546194
22:26 < jgarzik> Well, the protocol itself is not decentralized; it is decentralized in the sense that anyone may set up a server
22:28 < jgarzik> each bidder provides a common, unsigned input, guaranteeing that only one transaction in the auction will be valid
22:28 < jgarzik> inside their bid
22:28 < jgarzik> protocol users must be able to grok hex-encoded bitcoin transactions and txout's
22:30 < jgarzik> bitcoin addresses are used for identity
22:30 < jgarzik> (hopefully that gets migrated to SIN)
--- Log closed Fri Sep 13 00:00:32 2013
--- Log opened Fri Sep 13 00:00:32 2013
00:31 < midnightmagic> uh.. there was an old scientist, old when black and white film could be shot of him, a famous man, who for all the world looked like the early Dr. Who, and there's a video of him on youtube somewhere talking about god and how he's an atheist. i don't remember his name. can someone give me a clue?
02:15 < gmaxwell> petertodd: http://sourceforge.net/p/bitcoin/mailman/message/31397880/  < this needs a blog post with some pretty "illustrations" of the scripts.
02:58 < petertodd> yes it does!
02:58  * petertodd needs to get petertodd.org running again
02:58 < gmaxwell> maybe an animation of the stack
02:59 < petertodd> yeah, that'd be good
02:59 < petertodd> webbtc.com actually can give you step-by-step stack traces, although being bitcoin-ruby it's buggy...
03:22 < amiller> that's cool :)
07:54 < jgarzik> Got "auctionpunk" server skeleton going last night.  It creates auctions for a fee, accepts bids and checks the bids, and reports progress on the auction.  Next step: handle auction ending (which might be off-server, since it requires private keys, and I am trying to create a setup that does not require private keys on the server itself)
07:55 < jgarzik> just got first-price-sealed-bid for now
07:55 < jgarzik> *does
13:09 < nanotube> 112 connections, 749/329 M mem usage. and that's with a 2329 tx pool.
13:12 < gmaxwell> Cool.
13:13 < jgarzik> no-wallet will make that mem usage even smaller :)
13:13 < gmaxwell> http://www.reddit.com/r/Bitcoin/comments/1mavh9/trustless_bitcoin_bounty_for_sha1_sha256_etc/ < responses to the collision bounties has been pretty good.
13:14 < jgarzik> gmaxwell, I forwarded it to Bruce S, though (a) he is probably mega-busy and (b) it requires a lot of bootstrapping introduction, even for knowledgeable tech folks
13:15 < jgarzik> gmaxwell, I see you had to do similar bootstrapping on the reddit post, in fact
13:16 < gmaxwell> jgarzik: yep.
13:51 < nanotube> jgarzik: 50mb doesn't make that much difference to me atm. i recall you said the difference was roughly 50mb?
13:52 < jgarzik> nanotube, 40mb for me.  warren reported upwards of 200mb on some Fedora installs.
13:54 < nanotube> hm, how come such a big difference?
13:54 < nanotube> (also, i'm on debian)
13:55 < jgarzik> nanotube, no one knows but The Shadow
13:55 < gmaxwell> jgarzik: it's only when you run the gitian builds on fedora.
13:55 < gmaxwell> presumably something to do with bdb static linking and The Shadow
13:57 < nanotube> heh
18:23 < adam3us> gmaxwell: yes.  there are also some computational versions with lower overhead, and even single db pir (though that one is not cheap)
18:23 < gmaxwell> lower communications overhead.
18:23 < gmaxwell> But not computational overhead.
18:24 < adam3us> gmaxwell: in fact yes
18:24 < adam3us> gmaxwell: (i mean i agree)
18:25 < gmaxwell> the computational ones use things like homomorphic encryption and they're very slow on the server, which I think takes them out of the realm of viability. Vs the information theoretical constructions can just be done with xor, and can be stupidly fast. Though they'd have overhead on the order of the number of servers you need to be secure against colluding.
18:26 < gmaxwell> in other words, I think the information theoretic one is actually at least theoretically deployable in bitcoinland... which I think the single server ones not so much, at least not unless we can figure out how to pay a server to filter for you. If only we had digital cash. :P
18:30 < adam3us> gmaxwell: its not really clear what the bloombait could be as its sent by the spender in the clear, must produce something from a predictable set or offloadably encrypted searchable; any one can see the address and compute the bloombait set and infer who it is to
18:31 < gmaxwell> adam3us: well the point of the bait is that there would be lots of collisions but few enough to reduce the data sent to an acceptable amount.
18:31 < adam3us> friend of mine thought up a homomorphic equality test based on weil pairing years ago, but that only incurs n^2 overhead vs O(n) for scan for someone fishing for info which is not a convincing security argument
18:31 < gmaxwell> You don't have to have encrypted matching for the bait.
18:31 < gmaxwell> If the bait is small you just send the whole bait to index map.
18:32 < gmaxwell> Then the user does PIR queries to get the indexes they want.
18:32 < adam3us> yeah
18:32 < gmaxwell> Other fun thing: you put the SPV proofs for the transaction in with the transactions, which will thus prove the query results were of the right database. :)
18:33 < adam3us> that makes sense eg hash public key 8 times with counter 1.. 10 pick 8 lsb, pick one of those at random
18:35 < gmaxwell> adam3us: though its interesting that the PIR could be done block at a time... might actually be feasible to do single server PIR for a wallet... at least as a commercial offering. Dunno if it would get any customers though.
18:37 < adam3us> bandwidth is high for the client also, but yes thats probably efficient enough with some GPUs
18:39 < adam3us> gmaxwell: hmm yeah not working out too well so far, so TD's pragmatic view is winning still (i am not overly prone to pragmatism - getting the right communication matters in architecture even if you have to work hard to achieve it)
18:41 < gmaxwell> well single server can be low bandwidth, there are computational pir which have just small constant overhead (wtf?!), but they aren't fast. .. uh .. though there be dragons: I've never seen an implementation of any of these leading edge schemes, and sometimes the theoreticians are misleading. ... in any case, it would perhaps be interesting in the mobile context, where communication is costly and the server has a lot of computation ...
18:41 < gmaxwell> ... potentially.
18:43 < petertodd> gmaxwell: replace-by-fee scorched earth doesn't necessarily work unless the sending tx is of minimum size anyway unfortunately
22:50 < amiller> i broke and subsequently fixed my non-outsourceable puzzle.
22:50 < amiller> the solution, remarkably, involves hash-based signatures :)
22:55 < gmaxwell> amiller: does it result from your choice of two things to sign? if so, I came up with that too and it doesn't work because you can be forced to make the other one gibberish. :P
22:56 < amiller> nope
22:56 < amiller> the problem is just that i need a deterministic public key signature and those are expensive in pinocchio
22:56 < amiller> i could make the pow signatures under RSA for example
22:57 < amiller> or BLS if you want to use elliptic curves
22:57 < amiller> basically i want to have a default-option where an ordinary non-outsourcing user can just prove that work is valid without having to do a zk trick
22:57 < amiller> but it does have to avoid revealing the actual secret
22:57 < amiller> any public key signature would suffice here
23:01 < amiller> the problem with my scheme before is that i said the cheap option is the user just actually reveals the secret, but then anyone that sees that can do the zero-knowledge trick later so that's bad
23:01 < amiller> a race condition at best
23:02 < amiller> so any public key is sufficient, but then for the zero knowledge option the outsource server has to be able to relatively efficiently do a zk proof and that's a bitch with any actual publickey primitive
23:02 < amiller> but you can build a merkle tree just out of pretty simple hashes (ajtai lattice hashes in particular, would be efficient)
23:03 < gmaxwell> amiller: I suggest you go post someplace right now about your method for doing a deterministic signature that would be cheap under pinocchio. :P and which one you'd propose.
23:04 < amiller> you mean besides right here
23:07 < gmaxwell> so with your anti outsourcing.. say some miner manages a run of 6 consecutive blocks... can he not produce infinite variations on them and only later commit to them with more blocks? ... so really should we be counting zk blocks the same in security?
23:08 < amiller> you should add 1+ of security to the zk blocks
23:08 < amiller> they don't stack
23:08 < amiller> in other words suppose a miner connects to every single node
23:08 < amiller> finds a winning solution
23:09 < amiller> and gives each node a distinct winning block
23:09 < amiller> now every miner is working on n different forks of length 1, but as soon as one of them wins it, they are committing to a *single* one of those forks
23:09 < amiller> and everyone that builds on it is picking one
23:09 < gmaxwell> unless they zk that one too.
23:09 < amiller> the zk block does *not* hide the previous block it attaches to
23:10 < amiller> that's committed and can't be changed
23:11 < gmaxwell> gotcha. yea, hm. have to be careful that there are no free bits that can be used as marking.
23:13 < amiller> the previous blockhash is literally the only thing not hidden in the zk
23:16 < gmaxwell> being able to retime your blocks is interesting... :P
23:16 < gmaxwell> like ... my block is always 2 hours in the future. oh its a minute later? I've got a new block for you.
23:20 < amiller> i guess :p
23:20 < gmaxwell> I hate that all these ideas have so many angles you have to reason about to be sure you haven't created @#$@#ed up incentives.
--- Log closed Thu Nov 14 00:00:35 2013
--- Log opened Thu Nov 14 00:00:35 2013
00:26 < nanotube> wonder if anyone has seen the protoshares pow scheme. https://bitcointalk.org/index.php?topic=325261.0
00:27 < gmaxwell> nanotube: this is the 3rd (or 4th) POW scheme from those same people whose pow I eviscerated before.
00:28 < gmaxwell> Sadly they didn't get the memo I was trying to give them which was: stop coming up with novel cryptographic things out of your rear end where you don't really need them.
00:29 < gmaxwell> I think PT cut down their 3rd generation one.
00:30 < nanotube> hehe ic
00:30 < gmaxwell> I regret telling them about the first, would have been more fun to just exploit it in production. oh well.
00:31 < gmaxwell> I'd hoped that they'd actually believe me that it's hard to get this stuff right.
00:31 < nanotube> hah well, now you know better, and can do that with their fourth.
00:32 < gmaxwell> well, the first was ... basically riddle grade. Just hard enough to be enjoyable to break but not actually hard.
00:33 < gmaxwell> with enough iterations it would actually be work to break.
00:33 < gmaxwell> but its just goofy, they haven't gained any useful properties over scrypt, and scrypt has security proofs that have been reasonably well reviewed.
00:44 < warren> where's the URL for petertodd's MMR proposal?
00:56 < Luke-Jr> gmaxwell: isn't theirs actually a POW algo?
01:48 < gmaxwell> https://bitcointalk.org/index.php?topic=333487.0
01:48 < gmaxwell> couple thousand btc will pay for a lot of transaction fees.
03:42 < petertodd> gmaxwell: oh, and I misunderstood what you said re: scorched earth: it's actually not an issue for the other parties to the coinjoin, because the scorched earth spend just means the original tx is even more likely to be mined - only the funds going to the merchant can be turned into fees. The real issues are more complex than that
03:43 < petertodd> gmaxwell: for instance, suppose the coinjoin is the double-spend...
03:43 < gmaxwell> petertodd: no consider
03:43 < gmaxwell> you are a merchant.
03:43 < gmaxwell> I want to pay you. I am honest.  I coinjoin with alice. Alice is paying someone else.
03:44 < gmaxwell> Alice is not honest.
03:44 < gmaxwell> Alice double spends her coin, paying to another party. The double spend does not pay you.
03:44 < gmaxwell> You do scorched earth. Sending my payment to you to the miners.
03:44 < gmaxwell> Now everyone is unhappy except the person alice was trying to rip off.
03:45 < gmaxwell> this happens because you didn't know that my contribution to you wasn't being double spent, only alices input to the join which was irrelevant to you was.
03:45 < Luke-Jr> oh crap
03:46 < Luke-Jr> gmaxwell: payment protocol beats it?
03:46 < Luke-Jr> then the merchant has an isolated transaction to refer to
03:47 < gmaxwell> yea, if you can tell the merchant whats up even give him a non-cj'ed spend of that input to sit on.. things are happy.
03:47 < Luke-Jr> "ok, my original transaction is still valid with this double-spend; I'll hold off"
03:47 < Luke-Jr> (and broadcast the isolated tx obviously)
09:04 < adam3us> sipa: ok but bitcoin hashrate as a ballpark is well known to be in the petahash range
09:04 < sipa> yes, 4 PH/s
09:04 < sipa> that's 2**52 H/s
09:05 < adam3us> log(2,4*1000^6*600)
09:05 < adam3us> 71.02352439846840313959
09:05 < sipa> you must still be off; i get 2**61 per 10 minutes
09:06 < sipa> 1:kilo, 2:mega, 3:giga, 4:tera, 5:peta
09:06 < adam3us> sipa: well i did before, but KH=1000, MH=1000.. etc
09:06 < sipa> so it's ^5, not ^6
09:06 < sipa> ^6 is exa
09:06 < adam3us> sipa: oh doh
09:07 < adam3us> sipa: damn i was right the first time, undo wiki edit! (confusing exa and peta order)
09:07 < sipa> adam3us: the reference client outputs the total amount of work done in a chain when it updates the tip
09:07 < sipa> SetBestChain: new best=0000000000000000bd36abfbfaf30511e69d9747b1b4c9238739b20d7a92e760  height=267715  log2_work=73.502314  tx=26423141	date=2013-11-03 13:58:03
09:07 < adam3us> sipa: gotcha, thats nice
09:07 < sipa> i trust that computation very much, as it is consensus-critical
09:08 < sipa> (it's used to determine the longest chain)
09:08 < sipa> adam3us: http://bitcoin.sipa.be/powdays-50k.png
09:09 < sipa> that's how long, at max-hashrate-ever-seen-until-point-X, it would take to redo all the computational work in the best chain known at point X
09:09 < adam3us> sipa: a quite relevant metric :)
09:09 < sipa> it's painfully low these days
09:10 < sipa> we came up with it, when trying to reason like "how many days of PoW-equivalent work would it take, to safely reduce verification"
09:10 < adam3us> sipa: indeed it is - i think it should be temporary perhaps as asic catchup with moore's law
09:10 < sipa> so for example, one idea was to only do signature checking in the last month worth of PoW
09:10 < adam3us> sipa: however the other metric is the market availability
09:10 < sipa> but as you can see, that would mean everything now :)
09:12 < sipa> hmm, i wonder, is this coincidence?
09:12 < sipa> tera ~ quatro (1000^4)
09:12 < sipa> peta ~ penta (1000^5)
09:12 < sipa> exa ~ hexa (1000^6)
09:13 < sipa> at least for peta and exa it is not coincidence
09:13 < sipa> tera ~ tetra works even better
09:14 < adam3us> yeah, you see it in greek naming for geometric shapes also
09:14 < sipa> and above: zetta ~ hepta
09:14 < sipa> yotta ~ octo
09:16 < adam3us> sipa: i think i just illustrated even to myself that k=61 O(2^k) security notation is better - it gets confusing to work with metric units you dont normally use
09:17 < sipa> yup
09:19 < sipa> knowing that an exabyte addresses is close to what you can represent in a 64-bit integer, also helps :)
09:22 < adam3us> sipa: probably proof of stake contribution to voting is a defense though that also is imperfect
13:21 < warren> more leveldb corruption "Getting same error on 8.5.1 OS/X 10.9 Mavericks out of the blue, my system never sleeps and Litecoin was shut down properly, but received this error on re-opening wallet."
13:21 < warren> clean shutdown
14:43 < adam3us> sipa: re pow-equiv days - you might consider also the days to redo all work since last checkpoint, an even lower number
15:20 < gmaxwell> adam3us: we hope to remove checkpoints or at least significantly reduce their role. They're creating serious problems for people understanding the consensus model, to the extent where people are producing altcoins where the developers just constantly announce checkpoints via an alert like mechanism to control the consensus and this is judged to be the same kind of thing as bitcoin.
15:26 < jrmithdobbs> you know, haskell really is the most fun i've had with CS stuff since initial dive into bitcoin stuff
15:26 < jrmithdobbs> why doesn't everyone use this language?
17:27 < sipa> jrmithdobbs: haskell is cool :)
17:28 < sipa> adam3us: right, as gmaxwell says: this idea of using PoW-equivalent time as a criterion is mostly intended as a replacement for checkpoints
17:29 < adam3us> sipa: i see i didnt get that before; so you propose to eg pick a number of days, and say a new client only starts that far back with its validation?
17:30 < adam3us> sipa: or validate back to current pow-equivalent
17:30 < sipa> adam3us: you always start from the genesis, there is no way to retrieve the UTXO set at any other point in a trust-free way
17:31 < adam3us> sipa: wonder if there's a way to batch process DSA sig verify
17:31 < sipa> adam3us: but some parts of the validation, in particular script validation, can be skipped without impacting
17:31 < sipa> adam3us: there is, but it requires the full R point, instead of just R.x mod n
17:33 < sipa> without impacting later state
17:33 < adam3us> sipa: so (the proposal would be) you just validate inputs add to outputs and the hashing, but not the sigs before pow-equiv? reasoning being the whole network could've forged history to that depth?
17:33 < sipa> i had to finish that sentence
17:33 < sipa> indeed
17:34 < sipa> or some compromise, like only checking a random N%
17:34 < sipa> when buried deep enough
17:34 < gmaxwell> adam3us: right, or move to probabilistic validation of deep history. So you still can be reasonably confident that if there is treachery and a good number of honest users it will be discovered... but removing 99.9% of the computational cost for the far history.
17:35 < sipa> then again, saying "more than a month of PoW" won't work anytime soon :)
17:36 < gmaxwell> sipa: I dunno if I ever mentioned it, but I was thinking that it actually should be validation of the history where it is uniquely dominated by POW-days work. E.g. if there are two competing forks with less than powdays-thresh between them, you still check both completely in case the signatures are a cause for the fork.
17:36 < sipa> you have mentioned that before, i believe
17:37 < gmaxwell> okay. Wasn't sure.
17:39 < adam3us> sipa, gmaxwell: i wonder if you only need 50% PoW-equiv, because isn't saying full hashrate PoW days assuming 100% hashrate hostility?
17:40 < sipa> it's a scaling factor anyway
17:40 < sipa> something to judge what a potential attacker could amass
17:40 < gmaxwell> adam3us: bitcoin, in the original vision, promises to not allow some attacks even in the face of full hashrate hostility. This is important because it's part of what makes greedy-optimal miners behave honestly (in the fictitious world where miners are optimal self-interested agents, hah).
17:42 < gmaxwell> So it's not really quite good enough to say "we're going to make things maximally brittle against >50%" because part of the argument that an attacker won't amass 50% is the limitations on what they can do with it. For example: if it were sufficient for 50% of miners to peg the subsidy at 25 btc forever then the argument that it wouldn't happen is pretty soft.
17:42 < gmaxwell> (since even if the miners are independent they have a common interest in continuing to receive subsidy)
17:43 < adam3us> gmaxwell: yes there are some things eg also committed coins seemingly you can continue to transact in the face of 99% hostile (maybe 100%) their attack degrades to random DoS if they can't tell what's happening
17:44 < adam3us> gmaxwell: (committed tx not coins) and also 50% is a probability argument only: you can double spend with various probabilities with 25% or 75% hashrate it's not binary
17:45 < gmaxwell> adam3us: yea, well at >50% you can exclude other blocks and if you can attack for infinite time you'll eventually get ahead. (infinite becoming smaller the more over 50% you are).
18:16 < adam3us> sipa: (about batch ECDSA verification) "sipa: adam3us: there is, but it requires the full R point, instead of just R.x mod n" - you could arrange that in a format compatible way analogous to the s vs -s issue; just only use R=(r,f(r)) with positive f(r).
18:17 < gmaxwell> you still have to then 'uncompress' the r there then, which would remove some (much?) of the batch speedup.
18:33 < sipa> i believe it would still be a speedup
18:34 < sipa> but it's pointless: it would mean an incompatible change of the script language, or at least an op_eval like structure with a new address structure
18:34 < sipa> and if we do that, there are far better changes to make
18:35 < sipa> hmm, i didn't read what you said entirely
18:36 < sipa> putting an extra requirement on r is always possible of course, and only a soft fork
18:59 < adam3us> sipa: maybe could restrict f(r) >= 0 while fixing (r,s) vs (r,-s) sig malleability (and the serialization ones) .. just towards enabling batch sig vrfy later?
18:59 < adam3us> sipa: mean R.y>=0
19:00 < sipa> the '>' operator doesn't have much meaning in a Z_p set
19:00 < gmaxwell> gonna make life hard for deterministic dsa signers. Also makes life harder for people to make txn slightly smaller by choosing smaller rs.
19:01 < sipa> i'm not sure batch verification is worth it
19:01 < sipa> iirc the speedup wasn't very impressive
19:01 < gmaxwell> in any case the speedup from batch verification is pretty small.
19:01 < adam3us> sipa, gmaxwell: seems like forget that then :)
19:24 < amiller> hm, i wonder if there's an accelerated utxo check
19:24 < amiller> well nvm it probably wouldn't make much difference
19:26 < amiller> but you don't have to use a *random access* data structure just for checking a utxo, since you can have some untrusted hints about after how many blocks an element will have to be removed at all
19:30 < sipa> amiller: anything that adds performance increases for the common case, means a potential DoS attack by someone not following the common case :)
19:35 < amiller> i guess... can't stop anyone from just downloading a "trusted" utxo and skipping validation anyway though, so it seems like reducing the cost of actually checking it (if that's even possible) would be good to know how to do
--- Log closed Mon Nov 04 00:00:16 2013
--- Log opened Mon Nov 04 00:00:16 2013
17:11 < amiller> uh.. does anyone have a rough figure for the gate count of an asic/fpga mining unit
17:47 < sipa> if the sstables corresponding to that state have been deleted, there is a problem
17:47 < sipa> warren: then they have a hardware problem, i guess
17:48 < gavinandresen> sipa: right -reindex. I'm actually copying known-good copies of the chain to a second drive, and restore from there if I get corruption.
17:49 < gavinandresen> sipa: and right, truncating manifest should just get to a previous state, which is why I thought truncating it might be a quick-and-dirty way of mitigating the problem
17:50 < gavinandresen> I haven't looked to see if any other leveldb files were corrupted
17:51 < sipa> if you ever get a snapshot of a corrupted state, that would certainly be something useful to try
17:51 < sipa> increasingly truncating more off the manifest, and seeing whether you end up with something valid
17:51 < gavinandresen> I've got a couple of snapshots of corrupted state, will try at some point if the problem doesn't get fixed before it percolates up to the top of my TODO....
18:27 < Luke-Jr> warren: I was referring to bitcoin-next; that is only ACK'd things.
18:27 < Luke-Jr> warren: next-test tests everything
18:29 < warren> ok
18:29 < warren> Luke-Jr: I notice that you didn't try to merge watchonly
18:29 < warren> it goes kaboom
18:29 < Luke-Jr> warren: it didn't exist at the time either
18:30 < Luke-Jr> when autotools have stabilised I'll probably make a new next-test
18:30 < Luke-Jr> still a bit too buggy imo
18:39 < phantomcircuit> gavinandresen, i have actually regularly told people not to use os x for servers, but for security not integrity reasons
18:40 < BlueMatt> who uses osx as a server?
18:43 < warren> jgarzik: hmm, disablewallet=1 needs a GUI error message if someone tries it with bitcoin-qt
18:49 < phantomcircuit> BlueMatt, silly people
18:50 < BlueMatt> then again, I suppose some use windows as a server too, which is far worse...
18:58 < phantomcircuit> BlueMatt, prior to last year it was actually much better
18:58 < phantomcircuit> (the joke is apple discontinued x servers like last year or something)
20:02 < warren> gmaxwell: jgarzik: updated fedora 19 openssl http://wtogami.blogspot.com/2013/05/openssl-with-ecdsa-for-fedora-18.html
20:15 < warren> gmaxwell: shoot, I lost the IRC log about the desired forum features, could you please copy that for me?
--- Log closed Sat Nov 02 00:00:49 2013
--- Log opened Sat Nov 02 00:00:49 2013
07:17 < adam3us> can you do the opposite of timelock >= time ie timelock < time for an offline time-limited offer?
07:18 < adam3us> (other than using online update to retract the offer by sweeping the funds off the contract txout at the expiry time)
08:17 < sipa> adam3us: bitcoin transactions are pretty intentionally designed to be non-retractable
08:17 < sipa> once valid, always valid
08:17 < sipa> so they can enter a mempool, and later a block, without breaking dependencies afterwards
08:24 < adam3us> sipa: but they are sometimes updateable, and first-spend invalidates later spends (even if the later spends were constructed earlier just not sent to the network)
08:27 < adam3us> sipa: (when sequence is not UINT_MAX), so I guess you could implement a time-limited cheque by giving someone the cheque and yourself spending the txout it relies on if they do not before the time-limit; however the bitcoin network doesn't help you
08:29 < adam3us> sipa: eg think of an option as a smart-contract (the right but not the obligation to exercise), it has a time-limit
08:32 < adam3us> sipa: maybe one can use timelock on the non-exercise address, and sequence to allow update; the update is to take the funds, and its the option seller (writers) job to reclaim the funds after expiry, but the timelock prevents him reclaiming the funds early (undermining the buyers right to exercise during the validity period)
08:34 < adam3us> (unrelated) in script hash addresses if someone can find two scripts that hash to the same string, that's a problem right?
08:35 < adam3us> eg I could find addr1=RIPE160(SHA256(SIG(a) and y=H(x))) and addr2=RIPEMD160(SHA256(SIG(b)))) where addr1=addr2 is a full birthday collision then I can cheat all those protocols that rely on inter-locked necessary revealing of x to claim
08:37 < adam3us> and I think I can do that for cost O(2^80) which is significantly below the normal bitcoin target of O(2^128), though still above the hashrate - each mine hashcash-sha256^2 is about O(2^62) per 10mins but a big bet in a few years with O(2^70) hashrate and faster miners O(2^80) is the weak point
08:51 < gmaxwell> "Based on this reasoning, we are planning to go forward with a draft SHA3 FIPS with all the n-bit fixed hashes having capacity = 2n, thus providing n-bit preimage resistance"
09:03 < sipa> adam3us: is a collision enough?
09:03 < sipa> you want at least one of the scripts to be spendable, and the other is not under your control
09:03 < sipa> sounds more like a constrained preimage to me
09:04 < sipa> just having two scripts, and sending to one and spending by the other doesn't gain you anything
09:24 < adam3us> gmaxwell: spectacular. that makes SHA3 usable without tweaks for bitcoin hashcash-SHA3 if needed in the future
09:25 < adam3us> sipa: the thing is many of the interlocked protocols like atomic swap, coinswap, iddo/my fair-coin toss rely on this property
09:27 < adam3us> gmaxwell: I hope I did my bit in disabusing Kelsey of the idea, of gaining a tiny % perf for introduction of sqrt(n) attack on preimage on the crypto list :) but i think the feedback was loud and wide
09:27 < sipa> ah
09:28 < gmaxwell> adam3us: I don't think they do require that property. Like sipa said, having a collision that can't be spent is harmless, since it can never show up in the chain, and thus can't prevent the one that can be spent.
09:28 < adam3us> https://bitcointalk.org/index.php?topic=323443.msg3463719#msg3463719
09:29 < adam3us> gmaxwell: i am talking about two spendable inputs, one bypassing the y=H(x) preimage interlock
09:29 < gmaxwell> adam3us: yes, sure, but thats not a free collision. The collision must be constrained to be spendable. This means it's harder than 2^80. I'd hard to say exactly how much harder.
09:29 < adam3us> gmaxwell: well two script versions basically with the same p2sh output, which you as a participant in an interlocked protocol have incentive and opportunity to create
09:30 < gmaxwell> er s/I'd/It's/
09:30 < adam3us> gmaxwell: there are lots of candidate inputs > 2^80, and they are no harder to create than random ones
09:31 < gmaxwell> adam3us: Random scripts are overwhelmingly invalid.
09:31 < adam3us> gmaxwell: its a pure brute force play
09:31 < adam3us> gmaxwell: yeah who said random: just create H(s_i) for i from 1 to a trillion, generate s'_j for j from 1 to a trillion, store in efficient hash table, repeat
09:32 < gmaxwell> adam3us: sure, I understand. It's a multi-collision with 1:{huge number of targets} so it's closer to 2^80 than 2^160, agreed.
09:32 < adam3us> gmaxwell: where s'_i can spend s_j without needing to know y=H(x), the interlock falls apart if that can be setup before the bet
09:33 < adam3us> gmaxwell: yes, the main thing that makes it more than 2^80 is probably its sqrt(pi/2)*2*2^80 = 1.25*2^81; but realistically the TMTO need makes it > O(2^80) cos you don't have an efficient way to store that even with bloom filters nor skip tables (as there is no sequence you can use)
09:34 < gmaxwell> In any case, I'd expressed sadness before that we'd specialized P2SH too far, and made it not able to use the 256 bit hashes we have in script.
09:34 < gmaxwell> For coinswap your attack doesn't quite work, because the preimage interlock never needs to be in P2SH.
09:35 < adam3us> gmaxwell: i think p2sh addresses are different serialization than pub key addresses right? otherwise you could bypass it and make AH(Q_i) == AH(s'_j)
09:36 < adam3us> gmaxwell: (where AH=addr-hash(z) = RIPEMD160(SHA256(z))...)
09:36 < gmaxwell> adam3us: you couldn't possibly confuse them, no.
09:37 < gmaxwell> Cute attack: http://7habitsofhighlyeffectivehackers.blogspot.ca/2013/11/can-someone-be-targeted-using-adobe.html
09:39 < adam3us> gmaxwell: what no salt? ;)
09:40 < adam3us> gmaxwell, sipa: but also for my understanding, it's optional to use P2SH, you can instead serialize the script in the transaction right? that's another generic work-around (if you care about O(2^80) + TMTO yet)
09:40 < gmaxwell> adam3us: a lot of places "salt" their passwords by adding the name of their site to the hash. :P (because they misunderstand the purpose of salt)
09:40 < sipa> adam3us: P2SH is optional indeed
09:40 < sipa> adam3us: but using it has some advantages regarding size of the UTXO set
09:41 < gmaxwell> adam3us: One of the malleability workarounds I gave requires using p2sh, alas.
09:41 < gmaxwell> (It uses p2sh to make the transaction the attacker would need to mutate indistinguishable, so they'd have to try to mutate all transactions)
09:42 < gmaxwell> But e.g. for coinswap you'd only need to do that for the initial escrows, and the 2^80 attack is irrelevant there.
09:43 < gmaxwell> the hashlock releases don't need to be p2sh.
09:43 < adam3us> gmaxwell: well one defense is if you have 2^80 you have more profitable things to do with it: mine
09:44 < adam3us> gmaxwell: but maybe as a component of high stakes poker, if done like the fair-coin-toss with a multi-million pot, maybe if you can precompute something
09:45 < adam3us> gmaxwell: of course the other players should choose their interlock signature keys 1hr before the game
09:47 < adam3us> sipa, gmaxwell: i was wondering about a generic p2sh kind of defence, like in hashcash version 0 it was to find a 2nd preimage to a fairly chosen image, ie find h=H(s,x) and h'=H(s,x,c) where h'/2^(n-k)=h/2^(n-k) ie k leading bits of h and h' match the target 0 string came later as a suggestion from Hal Finney and another guy
19:20 < gmaxwell> Really the best thing to do now is publish publish publish. You can't use defensive patents to negotiate with patent assertion entities in any case, since they only assert, not practice. Defensive patents are only really useful for a licensing negotiation between parties with remotely equal standing. ... though I know VCs often pressure startups to build patent portfolios ... but I dunno how they'd feel about them being put into a ... general disarming pool.
19:23 < adam3us> gmaxwell: well to my way of thinking they are benefiting from satoshi's work and lots of volunteer effort in developing and innovating bitcoin, which they use for free, and most of the bitcoin startups have no innovation, just deploying things (which is useful, necessary) but it's an insult if they then grab biz process patents or patents on permutations of others' work
19:24 < gmaxwell> Indeed, but that won't stop people. Most patents are very very incremental.
19:24 < adam3us> gmaxwell: so the community would be easily in its rights to have the foundation frown on them etc
19:25 < midnightmagic> There are also groups of people who agree, collectively, that jointly-developed technologies or jointly-developed standards can be shared by all members, they disclose their patents, and then sign agreements that the disclosures are full and that they all agree that *if* any of the patents apply to the jointly-developed technology, they won't bring them to bear on any agreement-signers..
19:25 < adam3us> gmaxwell: yes been in enough startups to see the vc, ex-big-co patent hungry people at work, they either dont care, or just want to make money fast, long term consequences be damned
19:26 < gmaxwell> (I actually went as far as writing a provisional patent application for the use of the EC additive homomorphism for publicly derivable wallets, but didn't go through with it because there were no other bitcoin relevant applications being filed and didn't consider it worth the risk that it would inspire more bitcoin patenting, etc.)
19:27 < adam3us> gmaxwell: yes.  i expect there are some patents in the dozens of bitcoin related companies already or pending now
19:28 < gmaxwell> At some point someone probably needs to get a patent application on something bitcoin related with a relatively complete description of the system just so it shows up in examiner prior art searches. (they sometimes search the internet ... but uh, it seems pretty rare!)
19:28 < midnightmagic> it would be amusing somehow if some company were awarded some patents on bitcoin core technologies and then they asserted them..
19:29 < gmaxwell> midnightmagic: it's possible, they wouldn't be valid of course... but examiner prior art searches are lame, and the applicant is required to disclose, but often don't (for obvious reasons...)
19:30 < midnightmagic> "clean room" defense.
19:30 < adam3us> midnightmagic: not in a good way though, courts and patents are largely hamfisted idiots, viz the apple/samsung to and fro and product freezes $1b awards, on xor-cursor level patent pool stuff; retardation^n
19:30 < gmaxwell> I suspect if they called it bitcoin in the patent they'd be likely caught. But if they didn't they'd likely get it through.
19:31 < gmaxwell> At least on the core stuff the age of it is unequivocal and digital cash was kind of a dead field in 200x.
19:31 < gmaxwell> There are some patents I'm aware of that probably read on _all_ DSA but are also new enough that they're necessarily invalid if they do.
19:31 < midnightmagic> adam3us: Maybe in a good (but absurd) way because patents have territories and people typically forget Canada exists.
19:32 < midnightmagic> "America's hat"
19:32 < adam3us> ok my turn to sleep
19:32 < midnightmagic> night adam
19:32 < gmaxwell> in any case, this is a much bigger risk for any better-than-bitcoins. .... as they might run afoul of new patents that bitcoin is old enough to be prior art for.
19:34 < midnightmagic> Say, did djb ever reveal the list of patents that NaCL was written to specifically avoid somewhere?
19:34 < midnightmagic> .. can't believe I even feel like I should know that. software patents. urg.
19:34 < gmaxwell> "We are now aware of this issue and we will perform an internal investigation to find out who is responsible for this.
19:34 < gmaxwell> Thank you for pointing out. "
19:35 < gmaxwell> https://bitcointalk.org/index.php?topic=327767.msg3552672#msg3552672
19:35 < gmaxwell> I guess I need to send these guys a christmas card for making me victor of the internet in all those arguments where people told me if a pool was evil miners would notice right away and switch.
19:37 < maaku> gmaxwell: 501c6 only goes bankrupt if its members let it
19:37 < midnightmagic> lazy/crazy?
19:37 < gmaxwell> maaku: it can become bankrupt as a result of litigation, e.g. if it's found to have some nigh unbounded liability.
19:37 < midnightmagic> lol
19:38 < maaku> not that it isn't a risk - plaintiff could use the risk of bankruptcy as blackmail to raise settlements
19:39 < gmaxwell> maaku: at least thats less bad, a settlement can't free one from a perpetual patent grant.
19:40 < maaku> i guess my point is if the 506c3 is about to go bankrupt due to litigation, the members have the option to donate to cover the settlement & preserve the pool
19:41 < maaku> er, c6
19:41 < gmaxwell> midnightmagic: so it looks like a 25% hashpower pool doublespent the shit out of a service almost a month ago, even using the proceeds of the activity to pay out miners. people only noticed about a week ago. It's known on the mining subforum now, but no one is leaving the pool.
19:41 < midnightmagic> gmaxwell: That's pretty funny.
19:41 < maaku> so if they let it go bankrupt, then presumably it's because the members made that cost-benefit analysis and decided  the patent pool wasn't worth it...
19:41 < gmaxwell> maaku: yea, but that could be very expensive. Either way the bitcoin community could have to pay a lot of funds due to patents stuffed there.
19:41 < maaku> yeah
19:41 < gmaxwell> (compared to the patents not existing or being handled some other way)
19:42 < maaku> better to publish and prevent a patent in the first place ;)
19:42 < midnightmagic> gmaxwell: This is one of those "people should insist on coinbase payouts" things that miners just automatically avoid getting entangled in.
19:42 < kill\switch> ^
19:42 < midnightmagic> still have no idea why I was never asked to return that 2x payouts on that mining pool a while back.
19:43 < gmaxwell> what pool did that?!
19:43 < Luke-Jr> midnightmagic: NaCL doesn't even avoid *copyright* problems, let alone patents
19:43 < gmaxwell> and why were you mining on it?
19:43 < gmaxwell> Luke-Jr: he means djb nacl not google nacl.
19:43 < midnightmagic> gmaxwell: I was invited after my Avalons came online but the database was for a while recording like 2x my hashrate than I was actually putting into it. And went through the payouts. And I notified the pool operator. And got paid out anyway.
19:44 < gmaxwell> midnightmagic: you see 50btc's letter?
19:44 < midnightmagic> Most of it was originally from coinbase, but a couple hops out but..
19:45 < midnightmagic> no, were they laundering for shadowy Tor people?
19:45 < gmaxwell> https://50btc.com/news/status_28_10_en
19:45 < gmaxwell> Conman thinks 50btc is mostly a cover for a botnet, they're certainly weird.
19:46 < midnightmagic> I hate it when people don't date their PR.
19:46 < gmaxwell> well the URL says 28_10 but I think its (or at least the en version) is newer than that.
19:49 < midnightmagic> What's the pool that keeps getting stolen from? Is that 50btc? Like over and over..
19:50 < gmaxwell> a few weeks back 50btc had all their user balances set to crazy amounts and people withdrew until their wallet ran out of coin.
19:50 < gmaxwell> ...and it sat like that for weeks. may even still be like that now.
19:50 < gmaxwell> and more coin was going in and people were pulling it out.
19:51 < gmaxwell> ozcoin got robbed a bunch of times. :(
20:02 < Luke-Jr> what is djb nacl? O.o
20:03 < Luke-Jr> hm
20:05 < maaku> Luke-Jr: super cool crypto
20:05 < maaku> http://nacl.cr.yp.to/
20:06 < gmaxwell> petertodd: can you please generate a new dust-b-gone txn? I'm sure you've had more submission since.. I want to take another pass at getting it mined.
21:05 < petertodd> gmaxwell: there's four txins for a few satoshi's, submitted it, but it's not likely to get mined
21:07 < gmaxwell> petertodd: hm? I don't think the first one got mined and didn't it have more than that?
21:07 < petertodd> gmaxwell: also: cbebc4da731e8995fe97f6fadcd731b36ad40e5ecb31e38e904f6e5982fa09f7 WTF!
21:07 < gmaxwell> I've gotta stop assuming you made all the weird txn.
21:08 < petertodd> gmaxwell: some of them eventually got mined - I'm talking about the total
21:08 < gmaxwell> I've seen it.
21:08 < gmaxwell> it forked some alt implementations
21:08 < petertodd> gmaxwell: might have been me - I am a crack addict
21:08 < petertodd> heh, figures...
21:08 < gmaxwell> and confused some of their implementors.
21:08 < petertodd> not good...
21:09 < gmaxwell> (confused because the 0 in the scriptsig position made them think it was like the checkmultisig behavior)
21:10 < midnightmagic> Luke-Jr: NaCL from dan bernstein, the NaCL paper he wrote on it sold me pretty good..
21:11 < gmaxwell> petertodd: care to give me the hex of the submitted txn so when it doesn't get mined I can nag luke and wizkid about it?
21:11 < petertodd> gmaxwell: http://0bin.net/paste/qel7hbPIRFtSLRGc#Lwd7vxfMuyQPwhunBDq1SmWVvysX99wKozKgEYnkY24=
21:13 < gmaxwell> petertodd: weird, I know I sent you a388195b8c39caf20c7774045287ebc370b57db59909fe97668b7872b3396514:0 value "amount" : 0.00040000,
21:14 < midnightmagic> Luke-Jr: http://cr.yp.to/highspeed/coolnacl-20120725.pdf
21:14 < gmaxwell> a while back, but its not been mined nor is it in that one.
07:58 < adam3us> sipa: yep, everyone thinks about it, i thought about it also
07:58 < brisque> I take the primecoin comment back, it seems to be semi-sane but the "work" it's producing is just as useless as anything else.
07:58 < sipa> yeah
07:58 < adam3us> brisque: no there is something wrong with primecoin, algorithmically; it's not exactly progress free and the probability distribution is slightly wrong i think
07:58 < sipa> adam3us: i'd probably implement most of it from scratch, though
07:59 < brisque> adam3us: on my first read I thought the work was based on a 32bit hash, but it's not. I haven't looked any further than that.
08:00 < brisque> sipa: why wouldn't you? there's lots of little niggles in Bitcoin that could be fixed with a complete rewrite.
08:00 < adam3us> sipa: yes that is actually what got me to thinking about 1-way pegged side-chain and i presume BlueMatt/gmaxwell about 2-way peg was that it makes more sense to respect the initial bootstrap as a one-off event, then it becomes possible to do significant innovation, overhauls, re-writes without having the barrier to actual adoption of a new digital scarcity
08:01 < sipa> brisque: not following, i'm saying i prefer a total rewrite over patching
08:01 < brisque> sipa: I'm agreeing with you.
08:01 < sipa> ok
08:02 < adam3us> the only other people i saw who even tried to tone down the "make money fast" motivation (which is actually a smart thing to tone down for adoption)  were jtimon & maaku, there was like a charitable donation, and a temporary but modest (i think?) development fund, plus the new economic bit about demurrage
08:03 < sipa> maybe ironically, i just don't care about economics much
08:03 < adam3us> sipa: yeah the thing that i find awesome about 1-way or 2-way pegged side-chain (if we can figure out the details) is that it fully allows major feature experiments, securely
08:03 < sipa> adam3us: link?
08:04 < adam3us> ohh i am not sure there was a 1-way peg write up on bitcoin-dev, one sec for link; 2-way was a thread on here, been meaning to update the email thread with that discussion
08:04 < sipa> one way pegging through burning bitcoins to create coins in another system seems simple enough
08:04 < sipa> being able to go back... i don't see how
08:05 < adam3us> https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02945.html
08:05 < adam3us> thats the 1-way
08:06 < adam3us> sipa: so the 2-way works if you make changes to bitcoin 0.9x to honor transfers back. but only once for previous transfers out. in that way the security is limited to damage ONLY the current holders of transferred out bitcoins (if security issues appear on bitcoin 1a.x)
08:07 < brisque> adam3us: so you would have coinbase TXs without a block, sorta?
08:08 < sipa> i don't understand
08:08 < sipa> you send a coin to a dead address to instantiate it in betacoin
08:09 < sipa> how do you turn it back into a bitcoin coin?
08:14 < adam3us> sipa: sorry about that, free airport wifi expired. onto the next laptop
08:15 < adam3us> sipa: the reason i thought 1-way peg is interesting is i was frustrated about adoption rate of simple (but soft/hard-forking) clear improvements to bitcoin (of which i think there are many)
08:15 < adam3us> sipa: so i thought 1-way peg serves as a security insulator and doesn't require bitcoin 0.9x changes (which was the bottleneck i was trying to think of a way to unblock)
08:16 < sipa> i'm not following what you're talking about now
08:17 < adam3us> brisque: "coinbase tx without a block" no the pegged side-chain would have no reward mining (that would be done via transfer/destruction on bitcoin main) but it would have tx reward (denominated in btc)
08:18 < adam3us> sipa: did u skim the url about bitcoin-staging?  which bit of the above?
08:18 < sipa> adam3us: sorry, your mails are too long :)
08:18 < adam3us> sipa: yeah i tend to write tldr stuff oops.
08:19 < adam3us> sipa: so i guess we agree that there are a number of things that could be simply fixed, but arent worth the security/value risk of soft/hard forks, and interesting features to enable
08:20 < sipa> it depends whether it's about things that could reasonably once be enabled in bitcoin itself
08:20 < adam3us> sipa: (eg enable some more scripting, or change it so the value is signed - which bites trezor & offline armory)
08:20 < sipa> yeah
08:20 < sipa> that stuff is fine
08:21 < sipa> but things like utxo-walking pow, or transactions committing to a particular chain, or tx fees that are spread over multiple blocks
08:21 < sipa> i doubt those can be considered "bitcoin"
08:21 < adam3us> sipa: so it's not exclusive right, there can be a bitcoin 1a.x bitcoin 1b.x etc which are competing pegged side-chains. if maaku & jtimon want to go implement the freimarket script extensions on one that's cool. another one can focus on shorter term fixes like the above. maybe bitcoin might merge some of them later or switch over bitcoin to 1c.x if users demand it and move everything to 2.x
08:23 < adam3us> sipa: well i think the interesting thing to preserve if people are genuine about wanting to move the tech forward is the digital scarcity definition. eg one can preserve bitcoin 0.9x as the only reward miner, that way it respects the 21 mil coin limit, and people can innovate on an existing currency base (which i do not think it's reasonable to attempt to restart)
08:23 < sipa> i don't want 1-way pegging, as it means you have to burn (valuable) bitcoin to obtain a potentially worthless successor coin
08:24 < sipa> if you know a way to do actual two way pegging, i like to hear it
08:24 < adam3us> sipa: so whether it's a rewrite or just enabling queued simple/nice things or some script/market experiment, that can all be done on competing pegged side-chains. they can interoperate if you can move coins back (via main)
08:25 < sipa> (in a way that doesn't force the side chain to be very compatible with bitcoin, as that would limit the degree of innovation there)
08:25 < adam3us> sipa: i think the main limitation is you have to enforce security so that security/value bugs in the side-chains can not leak back into bitcoin main. for more adventurous things (utxo walking pow) you'd probably have to make do with a 1-way peg
08:25 < sipa> right, of course
08:26 < adam3us> sipa: yes. 2-way peg is far nicer as nothing is destroyed, just moved. just pointing out the limits with 2-way tying back to the more adventurous changes that can't easily say preserve a security/value firewall because the value definition is too redefined
08:26 < sipa> right
08:27 < sipa> there is of course the centralized approach using an exodus address which has an actual private key known to some people
08:27 < sipa> but that already smells way too scammy
08:28 < brisque> smells like mastercoin to me.
08:28 < adam3us> sipa: so gmaxwell & BlueMatt were exploring using SPV security from the merge mined 1:1 pegged side-chain (with a long conf time like 100blocks) .  even that is pretty complex.  i guess we'd have to explore that first before figuring out if you can go further and two-way peg something with quite different value semantics
08:30 < adam3us> sipa: maybe you can do something, the main point being that nothing must be possible to move back from the side-chain twice.  ie it must be tied back to the demonstrable ownership (in SPV model say) of a previous bitcoin that was destroyed, and then allowed (once) to be recreated (though the cycle could repeat, it must be allowed once in each cycle)
08:31 < gmaxwell> the key observation in that discussion that I came to was that it doesn't really matter if the value transfer mechanism is very slow (e.g. taking many blocks), because you could just do regular atomic coinswaps so long as the liquidity on each side was reasonably balanced, you only need the direct chain moves to move funds without a counterparty.
08:32 < adam3us> gmaxwell: yes i agree with that.  its the expectation of later fairly certain settlement, market can do the rest (pay day loan for the impatient)
08:33 < adam3us> gmaxwell: sipa was wondering if more esoteric/bigger value definition/ownership changes could be two-way pegged "sipa: if you kbow a way to do actual two way pegging, i like to hear it
08:33 < adam3us> (in a way that doesn't force the side chain to be very compatible with bitcoin, as that would limit the degree of innovation there)"
08:34 < adam3us> sipa: even if it were not (significantly) possible, just a two-way peg could allow quite a lot of new parallel development flexibility and innovation on existing value base. that alone is a big project.
08:35 < brisque> if a two way peg were possible namecoin would be a lot more interesting.
08:36 < gmaxwell> brisque: no thats not possible.
08:36 < sipa> sounds like that requires every utxo in the beta currency to be backed by a bitcoin utxo
08:36 < gmaxwell> namecoin already exist.
08:36 < adam3us> sipa: (another change would be like the tagging of additional meanings directly on the side chain rather than coloring; freimarkets proposes tagging, and it's better than coloring as coloring is i think inherently SPV incompatible, and tends to spam the bitcoin network)
08:37 < gmaxwell> sipa: not quite, perhaps someone should go extract that conversation from logs.
08:37 < brisque> gmaxwell: well yes, unfortunately.
08:38 < brisque> gmaxwell: not sure anybody would argue that the project isn't stale though.
08:38 < sipa> well if you can create a bitcoin output script that requires a proof of transfer through betacoin and back... ok
08:38 < gmaxwell> sipa: in any case, basically you add a softforking change to bitcoin that lets you write txouts which can be spent according to terms that come with SPV-like proofs from the other chain.
08:38 < gmaxwell> right.
08:38 < sipa> but SPV proofs cannot prevent double spending
17:24 < petertodd> maaku: it'd be done 100% publicly
17:25 < jtimon> butthey can only paralize the network, never change the rules
17:25 < petertodd> maaku: you may work for government, but I work in a field where I have to have an ITAR security clearance - I know how hard it is to buy custom equipment that the government has decided shall be regulated
17:26 < maaku> it's a lot easier to buy that equipment in china. or singapore. or south africa
17:26 < petertodd> maaku: no it's not, the manufacturing capacity simply doesn't exist for a lot of this stuff. As I say, only a tiny number of companies in the world can make top-of-the-line ASICs.
17:27 < petertodd> maaku: in fact, only a tiny number can make even low-performance digital ASICs...
17:27 < petertodd> fab plants are fucking expensive
17:29 <@gmaxwell> maaku: WRT sha512 speed, the compression function is slower, but it handles twice the data, and it's not twice slower.
17:30 < jtimon> will anybody be prohibited from building another asic when asic's yield is 0% and is clearly stupid to build another one?
17:30 < petertodd> jtimon: huh?
17:30 < jtimon> who's going to be the champion who thinks that can control the users by controlling the pow?
17:31 < petertodd> jtimon: still huh?
17:31 < jtimon> the hashing alg is something you can change whenever you want
17:31 < petertodd> in a hard-fork yes
17:32 < petertodd> which is why I'm *not* suggesting bitcoin change the pow right now, I'm suggesting that asic-hard pow's be researched so we'll have them ready if we need them
17:32 < petertodd> after all, governments may very well play nice and we'll be just fine, great!
17:32 < jtimon> if users are screwed up and just need a hard-fork to be where they were, they will download the next version
17:32 <@gmaxwell> I did make a Modest Proposal to LTC to change their POW.  When people started attacking my character I departed the thread, I dunno how that discussion has gone since.
17:32 < petertodd> and they're more likely to play nice if they know the community has alternatives
17:33 < petertodd> gmaxwell: try again when LTC is 51% attacked by an ASIC vendor :P
17:33 < jtimon> of course you would need "social consensus" whatever that is
17:34 < jtimon> probably not something to look for in a cuLTC
17:34 < jtimon> sorry
17:35 < maaku> helo: btw, one system we (jtimon and I) came up with for the namecoin 2.0 system is squatting resistance by having a market-set cost associated with the domain
17:35 < jtimon> that's pretty economic actually
17:36 < maaku> heh, i hadn't seen cuLTC
17:36 < jtimon> sorry again
17:37  * petertodd didn't realize he wasn't the only Canadian in the room
17:37  * maaku is a canadian whenever he travels
17:37 <@gmaxwell> midnightmagic: is here
17:42 < jtimon> hey wizards, if it had an application, how would you define the pow ADDition operation?
17:42 < jtimon> like if tx could have pow fees or something
17:46 < nsh> i would define it constructively if possible, otherwise existentially
17:46 < petertodd> jtimon: just add the work together is one way
17:46 < petertodd> anyway, bbl
17:49 < maaku> jtimon: not sure what you mean
17:50 < helo> maaku: you create a limited supply of domains that can be created in each block so fees compete?
17:50 < maaku> helo: no, domains are unlimited in supply
17:51 < maaku> but domains are not a fungible commodity
17:51 < helo> how do you create a market of price competition without scarcity?
17:52 < maaku> helo: there is scarcity. domains are like land
17:52 < maaku> only one person/scriptPubKey can own google.bit
17:53 < maaku> so you have a mechanism for registering committed bids to buy domains from the current owner
17:53 < jtimon> maaku I've been thinking lately about incorporating petertodd's input-only txs to freimarkets with per-tx pow, with which you can build "pow chains": you can hash your transaction on top of some others that already have pow, adding it all for the txs that haven't appeared "lately"
17:54 < helo> so initial squatting is cheap, but you construct a bidding market to allow people to purchase the domains from the initial squatters?
17:54 < maaku> so long as there is an outstanding valid bid, the current owner has to pay (by destroying coins) a small percentage of the highest bid
17:54 < jtimon> you could also have hash-only transactions
17:55 < helo> interesting...
17:55 < maaku> yeah, and if the owner doesn't pay upkeep then the highest bid can claim the domain (but in doing so, they have to pay the owner the amount they offered)
17:56 <@gmaxwell> maaku: certainly not socially optimal. How would nike-exploits-children.bit exist in that world?
17:56 < maaku> jtimon: i'd have to see a more thorough description / example to understand it
17:56 < helo> i think it would be uneconomical for me to keep my namesake's domain as i have for 15 years in such a system :/
17:57 < jtimon> so you cannot bid up a domain for free, google could actually accept your million
17:57 < maaku> gmaxwell: in what way are you thinking?
17:57 <@gmaxwell> helo: you have hello.something?
17:57 <@gmaxwell> maaku: I mean that powerful voices could silence people just by outbidding them.
17:57  * helo dot org :)
17:57 < maaku> gmaxwell: that gets expensive, fast
17:57 < maaku> (the upkeep is destroyed, but the payment goes to the previous owner)
17:58 <@gmaxwell> When you're nike and your opponent is some broke activists?
17:58 < maaku> helo: that's two sides of the same coin. can't get rid of squatting or achieve ultimate utilization without annoying some early adopters
17:59 < helo> yeah...
17:59 < maaku> fwiw this is actually an application of georgian land tax theory
18:00 < jtimon> helo: if nobody else like the domain, you would pay a percentage of your "reserve" until somebody offers more, but you can always stop paying and leave the domain available
18:00 < maaku> which seeks to show that tax on the basic value of land (what I'm calling upkeep fees here) is the only known tax to *increase* economic production, and thereby (a georgist would claim) a moral tax
18:01 <@gmaxwell> maaku: making money is not the only valid use of a domain name.
18:01 < maaku> gmaxwell: i think it's more likely to work in the reverse direction
18:01 < maaku> re: nike
18:01 <@gmaxwell> nike-exploits-children.bit doesn't make any money, its good cannot easily be monetized.
18:02 <@gmaxwell> so yes, letting people outbid popular names may well increase economic production, it may not improve human welfare (at least in all cases)
18:02 < maaku> so the activists pay their own upkeep fees as nike keeps upping the bid, then finally they run out of money and give in
18:02 < maaku> and get paid by nike, 20x what their annual upkeep fee was
18:03 < maaku> and then they register nike-enslaves-children.bit
18:03 <@gmaxwell> The most valuable economic production of wikiipedia.org (note typo) is, no doubt, a malware installer or other scam. I'm glad that it's owned by wikimedia instead. :)
18:04 < maaku> i'm more worried about solving the ideal distribution problem
18:04 < maaku> i'm not a crypto-anarchist, so I'm comfortable with some legal fallback for libel and such
18:05 < nsh> that's exactly what a crypto-crypto-anarchist would say, to throw us off the scent
18:05 < nsh> i'll be watching you...
18:05 < maaku> heh
18:05 < jtimon> but he has a point, how do you prevent people from getting sick when they get into wikipedia.bit ?
18:05 < nsh> :)
18:05 <@gmaxwell> I'm not uncomfortable about fallbacks for libel, but I don't think creating default economic incentives which fixate everything on money is a great way to achieve social justice.
18:05 < jtimon> into fake-wikipedia.bit, I mean
18:06 <@gmaxwell> (e.g. I am not a capitalism-is-everything-ist)
18:06 <@gmaxwell> There is merit to first come first serve.
18:07 <@gmaxwell> maybe something like com should be pay to park, and .org should be first come first serve.
18:07 < helo> i definitely like the idea of in-band domain bidding. the adversarial anti-bid fee is kind of spooky though.
18:07 < maaku> gmaxwell: that's a solution i'd be comfortable with
18:08 < maaku> for context, this was originally designed for registering locations in a virtual world
18:08 < Luke-Jr> in other news, I am now officially a home owner <.<
18:08 < maaku> but there's going to be an alternate system for registering locations in the real world
18:08 < jtimon> but there has to be some cost, even for .org or you would bloat the "domain-UTXO"
18:08 <@gmaxwell> The idea that some names have more productive use than others is ... somewhat true but limited, thats probably only true for relatively few names, and we're faced with the problem that almost always the most 'productive' use of a name is a bad one (like scams) since good uses don't depend on their _name_ in order to be productive. Naming is not like land. Land has properties beyond location. :)
18:08 < maaku> for the purpose of augmented reality
18:08 < maaku> which is similar
18:08 < maaku> Luke-Jr: congrats :)
18:09 <@gmaxwell> Luke-Jr: congrats.
18:09 < Luke-Jr> now I need to hack this silly Nest thermostat so I can put some free software on it <.<
18:09 <@gmaxwell> you bought a place swank enough to have a nest thermostat .. in florida? really? :P
18:09 < Luke-Jr> .. or just wait and see if they give in to my legal demands :P
18:09 < Luke-Jr> gmaxwell: nah, bought the Nest separately
18:09 <@gmaxwell> hehe
18:09 < Luke-Jr> couldn't find a cheap IP humidity sensor
18:10 < nsh> what happens if your nest gets too warm/cold?
18:10 < nsh> are you running a hatchery on the side or something?
18:10 <@gmaxwell> mining should have been called incubating.
18:10 < Luke-Jr> heh
18:10 < nsh> hehe
18:10 < nsh> just hatched a block!
18:10 < Luke-Jr> Nest should put a miner in their tstat!
18:10 < warren> not digging? =P
18:11 < Luke-Jr> then it'd always report a higher-than-reality temperature <.<
00:21 < andytoshi> well, i'm going to move to #bitcoin..
00:21 < warren> andytoshi: that update was to stop a massive dust attack.  they had a mintxfee of 0.0001 when coins were very plentiful ... much hilarity
00:22 < gmaxwell> andytoshi: yea, it'll keep creating more forks if the non-acceptable-to-all-nodes chain has a majority hashpower.
00:22 < andytoshi> oh man, such wow
00:22 < gmaxwell> er "acceptable-to-all-nodes"
00:22 < gmaxwell> not non-.
00:22 < gmaxwell> if the non-acceptable has a majority then you'll get exactly two.
00:23 < warren> how do I format a mocking doge message to post in litecoin dev news
00:23 < petertodd> warren: heh, I wish I had the time to add really easy multi-currency support to python-bitcoinlib to make writing attacks for non-btc crypto-coins easier...
00:23 < grau> gmaxwell: there could be a lesson for us in this. Let's see how the worst case unwinds.
00:23 < gmaxwell> if the acceptable to a majority has a majority you'll get constant reorgs and more forks but most will be short.
00:23 < Luke-Jr> gmaxwell: I thought you left? :P
00:23 < warren> petertodd: you're sitting on a lot of unearned funding...
00:23 < gmaxwell> grau: things like this have happened with smaller alts before, they just release another version and tell everyone to hurry up and upgrade. And because there is no major economic activity no one cares and its forgotten.
00:24 < brisque> presumably they aren't using the alerts system to notify clients because they didn't change the key from Litecoins.
00:24 < petertodd> warren: one of the reasons I'm not working on python-bitcoinlib...
00:25 < petertodd> warren: and for that matter, why I quit the day job (mastercoin was just good luck)
00:25 < andytoshi> i like how this happened less than a hour after i decided to write an alt faq
00:25 < andytoshi> brisque: classic
00:25 < warren> I need a doge speak primer to format the mocking message properly.
00:26 < grau> I regularly write doge, without intent :)
00:27 < petertodd> warren: verb noun, verb noun, verb noun etc. (all lowercase) make the layout alternate sides, but not symmetrical.
00:27 < brisque> https://github.com/dogecoin/dogecoin/commit/2ee5cb3396df66c10fef34480a183d00e3bec635
00:27 < brisque> ^ that's the forking change, if anybody was curious
00:27 < petertodd> specifically the change to the definition of MAX_MONEY
00:28 < brisque> https://github.com/dogecoin/dogecoin/blob/94b99f5cc7d997d9c656b9d08ce5f74caa6a3ec3/release/dogecoin.conf
00:28 < gmaxwell> wtf they totally did just change max_money, hilarious.
00:28 < brisque> what's with the hardcoded RPC password?
00:28 < warren> prior to making that change they e-mailed me asking for help
00:28 < brisque> default rather, not hardcoded.
00:28 < gmaxwell> worse than I guessed, initially I thought perhaps not all instances of max money were made into the define and they only got one right.
00:28 < gmaxwell> "Fix dust issue" misleading commit message too
00:28 < warren> I didn't intentionally not respond, I was sleeping the entire time including that commit.
00:29 < petertodd> lol "
00:29 < petertodd> wallet_bgcoin.png should not be modified on every release, as it would increase the size of the repository time by time...
00:29 < gmaxwell> and the commit was by " dogecoin " no actual attribution.
00:30 < warren> I didn't verify this, I was told one of the dogecoin devs is an engineer at IBM.
00:30 < brisque> oh, so Dogecoin is a fork of "Linkcoin" rather than Litecoin?
00:30 < petertodd> ha, and dogecoin doesn't sign their commits
00:30 < petertodd> or even tags
00:31 < petertodd> warren: they do have an android client on the front page though
00:32 < brisque> petertodd: and a web wallet.
00:32 < warren> brisque: not all that different from most coins.  people mine directly into an exchange wallet.
00:32 < petertodd> brisque: with twitter bootstrap like the big boys!
00:35 < grau> Alt holdings could wash to BTC now en masse.
00:37 < warren> https://plus.google.com/+LitecoinOrg/posts/3iVBu7bC1h6 <--- this is the best I could do
00:37 < petertodd> warren: lol
00:37 < grau> :)
00:41 < brisque> there's a comment in that reddit thread asking the developer to use the alerts system to notify people, the response is "in good time"- they definitely can't because they don't have litecoin's alert private key.
00:42 < warren> they actually copied our alert key?
00:43 < andytoshi> i bet "in good time" means "when a litecoin dev names his price to sign an alert for us"
00:43 < brisque> warren: https://github.com/dogecoin/dogecoin/blob/2ee5cb3396df66c10fef34480a183d00e3bec635/src/main.h#L1589
00:43 < warren> andytoshi: can't do that.  that alert would be on our network too.
00:43 < brisque> andytoshi: http://www.reddit.com/r/dogecoin/comments/1ufl1e/much_concern_dogecoin_block_chain_has_split/cehkh91?context=1 (I misremembered, that quote wasn't verbatim)
00:44 < warren> andytoshi: litecoin's alerts already jumped onto 20+ clone networks
00:44 < petertodd> warren: isn't dogecoin on 0.6? could limit display to just 0.6
00:44 < andytoshi> warren: oh, i thought because the nodes won't talk to each other litecoin would be isolated
00:44 < brisque> andytoshi: they would be isolated until someone just manually transported the alert to litecoin and made a mess.
00:45 < andytoshi> brisque: yeah, i realized that as soon as i typed that
00:45 < brisque> andytoshi: if I've read right, some people on bitcointalk have designed their systems to go into a safe mode when they see an alert on the network too
00:46 < warren> litecoin does regular alerts for color changes, so they shouldn't be surprised.
00:46  * warren is exaggerating, a little.
00:48 < petertodd> I like how in the reddit thread about the dogecoin split, specifically warning people not to send dogecoin during the split, people are tipping each other like crazy...
00:50 < brisque> petertodd: it's fairly obvious that the community has no clue what they're doing. the "co-founder" is saying everything is fine and they had 10 days to update (not realising that as soon as they made the commit the network could have been split {if anybody actually builds from master and runs it behind something})
00:51 < petertodd> brisque: and with their fast block rate and fast diff adjustment we can see first-hand what forks look like when coinbase payouts are destroyed!
00:51 < andytoshi> brisque: where are these claims being made?
00:52 < brisque> andytoshi: http://www.reddit.com/r/dogecoin/comments/1ufl1e/much_concern_dogecoin_block_chain_has_split/cehkbm8 and there's other bits scattered about the thread
00:53 < andytoshi> i love the talk in that thread about the "real chain" and "bad chains"
00:53 < andytoshi> apparently they have a reddit-based consensus system now..
00:54 < petertodd> BlueMatt: ^ there's an option for the coingen!
00:54 < petertodd> "So, now what do we do? Is there someone who is in charge of maintaining the blockchain?" <- lol
00:55 < brisque> petertodd: I would absolutely love to have a real time visualisation. connect to multiple nodes on different forks and watch them race. the short block time would make for an incredibly interesting display.
00:56 < petertodd> brisque: it'd be extra fun if someone decided to DoS attack the network right now
00:58 < warren> petertodd: coingen.io is for sale
00:58 < brisque> petertodd: I doubt they need it really. the network is so fragmented and so little actually relies on Dogecoin that the entire system will likely just collapse.
00:59 < petertodd> brisque: I sure hope so, but good luck on that...
00:59 < petertodd> brisque: communities of people around a technology that doesn't actually need to work for the community to exist can be surprisingly durable
01:01 < brisque> petertodd: I suppose, if they don't understand as a whole how bad this situation is then it won't collapse. strange situation. it's a bit like NXT supporters still being optimistic when their closed source currency posted its source.
01:02 < petertodd> brisque: well remember the "situation" is they have a fun meme and a community built around that meme. if anything the problem is just as likely to get *more* people interested in dogecoin
01:04 < andytoshi> well, as fun as this is to watch, i've got an early flight tomorrow
01:04 < andytoshi> have a good night guys
01:05 < brisque> petertodd: like all "memes" the velocity will die off (if it isn't already).
01:05 < andytoshi> petertodd: i'm going back to austin, vancouver is freezing !!
01:05 < petertodd> brisque: sure, but that die-off may have little to do with tech
01:05 < petertodd> andytoshi: ha
01:05 < petertodd> andytoshi: pretty though :)
01:06 < andytoshi> that's true, i'll miss it
01:06 < brisque> petertodd: the meme is already losing staying power, it could just be that massive incompetence and forks is enough to destroy the coin as well. http://www.google.com/trends/explore#q=doge%2Cdogecoin
01:07 < brisque> http://www.google.com/trends/explore#q=doge%2C%20dogecoin&date=today%2012-m&cmpt=q
01:08 < brisque> that's a much better graph.
01:16 < warren> this fork didn't seem to affect its exchange rate
01:17 < brisque> logically exchanges would have closed their doors temporarily when they saw the network wide alert about the chain fork (haha). they risk double spends if they don't.
01:18 < warren> I'm just pointing out that networks being reliable has nothing to do with alt value.
01:19 < brisque> alright, I agree.
01:27 < nessence> it is near ~midnight throughout most of US on a saturday
03:06 < warren> petertodd: ooh... with the dust spam attack, I wonder if their massive reorg triggered the BIP50
05:08 < brisque> looks like dogecoin released another update that adds check pointing to try and get around their hardforks issue.
05:08 < brisque> confusingly in two commits "checkpoint" and "checkpoints".
05:09 < gmaxwell> brisque: oh boy, did they back out the change?
05:10 < brisque> they did not.
15:25 < gmaxwell> adam3us: I know it does, thats why I'm crying to you.
15:25 < adam3us> gmaxwell: so couldn't we add a new signature scheme?
15:25 < gmaxwell> adam3us: we can, it's non-trivial though.
15:27 < gmaxwell> worse, there is no suitable prefab EC schnorr sitting ready to use. The Ed25519 formulation, for example, breaks this stuff.
15:27 < adam3us> gmaxwell: maybe you could joint validate multiple input keys. add up the public keys from the input addresses and provide one signature with it
15:28 < adam3us> gmaxwell: why do you say ed25519 breaks ec schnorr?
15:28 < gmaxwell> adam3us: meh, never been a fan of that kind of layering violation, as it binds script too tightly to the choice of underlying crypto.
15:28 < adam3us> gmaxwell: :) more compact though.  cisc vs risc argument
15:29 < gmaxwell> adam3us: I mean, if bitcoin worked that way now talking about adding schnorr would be much harder. :)
15:30 < gmaxwell> adam3us: IIRC Ed25519 modifies schnorr by adding an extra hash input. I am not sure if it breaks these things, but I had a vague recollection that it did.
15:31 < adam3us> gmaxwell: yes - i understand. its not that serious of a suggestion. what you could say is its an optional op only available with some sig types eg opcombosig or whatever.  as you say layer violation, agreed.  you'd have to decide if it was worth the bandwidth saving
15:31 < gmaxwell> If it doesn't ... then my evaluation of the usefulness of Ed25519 has gone up a lot.
15:32 < adam3us> gmaxwell: i dont know the answer... anyone else on here read djb stuff in enough detail to know?
15:32 < gmaxwell> I mean, both sipa and I have, but I know I don't currently remember. :)
15:33 < gmaxwell> At the time, while I knew there were schnorr things to do threshold crypto I was totally not thinking about that.
15:33 < gmaxwell> For some reason DJB himself never points out that Ed25519 is applicable to that stuff.
15:34 < adam3us> gmaxwell: i think sooner or later we should add/move over to schnorr it is just better in so many directions that its a design/efficiency win
15:34 < adam3us> gmaxwell: mainly the flexibility enables new things, that are not possible without it
15:35 < gmaxwell> I think the notion that it enables new things which are externally indistinguishable from old things is one I hadn't considered before and is also pretty compelling.
15:42 < adam3us> gmaxwell: trying to decipher EdDSA - has he done something funky to the H (aka sha256) etc output?  seems like he went slightly too far in optimization, maybe use his curve but not the most extreme of the optimizations
15:43 < gmaxwell> I think the optimization was to try to eliminate some precomputation attacks.
15:52 < adam3us> gmaxwell: djb can be one crazy dude at times. i think this is more like a speed hacked, mangled, curve specific, bigger hash schnorr!  (i thought it was dsa like from the name)
15:54 < adam3us> gmaxwell: he might've broken the algebraic properties with the speed hacking for n of n etc
15:55 < adam3us> gmaxwell: i reckon this djb edDSA has its own protocol violation layers; i reckon use sipa's ECDSA, and if/when switching use ECSchnorr with your favorite EC curve
15:57 < gmaxwell> yea, but then you've taken the whole setup out of the realm of something well known, which is unfortunate.
16:00 < adam3us> gmaxwell: btw there are even arguments schnorr is more secure than dsa see p10 of bernstein paper.  there's another paper just on that topic by someone else. i dont think edDSA is something that specific - its just a speed hacked tweaked schnorr.  but the signature size is bigger as he doesnt want to count the cost of uncompressing
16:01 < adam3us> gmaxwell: i do like his idea to include Q the schnorr hash (he labels it A)  alternatively someone figures out if it doesnt break the desired features n of n, brands, blinding etc and if it can be optionally used in compressed form
16:13 < adam3us> gmaxwell: btw herein lies the problem (of why we are even having this conversation) "Practical use of Schnorr's system was hampered by a patent (which expired in 2008),"
16:13 < adam3us> gmaxwell: hence the introduction of the inferior DSA (slower, less flexible, less secure to some attacks)
16:14 < adam3us> gmaxwell: and less security proofs, and more complex... something like a quintuple fail as the standardized algorithm because prof schnorr decided to get himself a patent - i bet he never got much money from it
16:17 < gmaxwell> adam3us: yea, I know. (I thought I previously defended bitcoin's use of ecdsa instead of it on that basis, but maybe I didn't because the patent expired in 2008 ...)
16:17 < gmaxwell> And 12:16 < gmaxwell> If they do, it'll be sad because the history of crypto says that patented crypto is dead on arrival.
16:17 < gmaxwell> (on a seperate subject)
16:18 < adam3us> gmaxwell: and dsa was also designed by NSA, and has fragility due to extreme reliance on unbiased randomness (without the deterministic change) and the original dsa spec had a suspicious bias only rectified as an advisory after bleichenbacher spotted it.  something like 8 negative points
16:19 < gmaxwell> i was unaware of issues in the original dsa spec!
16:20 < adam3us> gmaxwell: the algo for generating k had a bias... given the other attacks on computing d given even a few bits from a few hundred sigs, thats suspicious to me in hindsight
16:21 < jrmithdobbs> adam3us: i hadn't thought about it before, but that is indeed very suspicious in light of recent events
16:21 < jrmithdobbs> but as used/specified now it just has the randomness reliance so is 'safe enough' if implemented well afaict
16:22 < adam3us> http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1002_reportDSA.pdf by vaudenay section 5. i think bleichenbacher is another one of those people who doesnt bother to write papers...
16:22 < gmaxwell> yea, requiring good randomness is a neat trick, you can be sure your own stuff is secure just by doing better engineering, and then trust everyone else will get it wrong.
16:23 < jrmithdobbs> ya, i've always wondered why dsa did that, i didn't realize it came out of the nsa (was aware of that paper you just linked though)
16:23 < adam3us> 4 million signature key recovery attack (say a busy web server)... i dont think he tried very hard to optimize it either
16:24 < adam3us> gmaxwell: there was a greenwald article that said explicitly that they did that intentionally as a form of soft sabotage, complexity and fragilize standards and use their influence with nist to get it through
16:24 < jrmithdobbs> adam3us: papers over a decade old, might not have seemed feasible/worthwhile to try at the time
16:25 < adam3us> jrmithdobbs: bear in mind you do not get FIPS certification beyond a certain level if you do not follow their method.  even certification rams through their defective designs, because some sectors wont buy non fips certified sw
16:26 < jrmithdobbs> adam3us: ya, i worked in compliance "industry" for a while, i know.
16:27 < jrmithdobbs> what I want to know is what's non-obviously wrong with keccak that they chose it over blake or is this the one nist crypto standard nsa failed to get in on?
16:27 < jrmithdobbs> and the fact that i think thoughts like this constantly these days without feeling paranoid/delusional hurts my head in itself :(
16:28 < Luke-Jr> in other news, some Linux kernel devs are "complaining" to me (simply because they recognised my name on the forum thread) that tips4bitcoin is "spamming" them XD
16:28 < adam3us> its probably hard for them to damage the primitives... they attack the key management - its a more valuable target then you can mitm and decrypt despite strong primitives
16:28 < gmaxwell> Luke-Jr: lol
16:29 < Luke-Jr> .. along with a complaint that Linus shouldn't get so much for mere merge commits
16:29 < jrmithdobbs> adam3us: didn't stop them with md*/sha*
16:29 < adam3us> jrmithdobbs: (i mean because these days its an international design competition and a lot of expert participation, open etc)
16:30 < maaku> jrmithdobbs: you could say the same about AES
16:30 < maaku> NSA doesn't seem to be targetting the core algorithms, but rather the constructions on top of them
16:30 < maaku> (Snowden said that in an interview somewhere)
16:31 < BlueMatt> d-ec-drbg...
16:31 < adam3us> sha0 was a mistake, sha1 also later, i think it just shows the nsa doesnt have a lead anymore for some time now.  they just sabotage.  md4, md5 blame rivest
16:31 < jrmithdobbs> except you could say that they may have influenced the decision that chose rijndael as aes in favor of its weaker key schedule to exacerbate those issues
16:31 < jrmithdobbs> they claimed "performance" re: the key schedule thing, but looking back, every time they claim performance they seem to mean "nsa backdoor of some form"
16:32 < jrmithdobbs> (note: I do not believe rijndael was influenced directly by nefarious parties, just that its shortcomings may have been intentionally overlooked due to influence from same parties)
16:32 < adam3us> maaku: yes i think i saw that article.  also sabotaging standards, including complicating crypto standards and open protocols to make them prone to impl mistakes, and also pressuring us companies to modify system architecture to create central choke points for interception/attack
16:33 < TD> the IPsec thing was interesting
16:33 < gmaxwell> jrmithdobbs: nah, I mean, look at DUAL-EC ... no one could claim "performance" for that. And atm I believe that is the only absolutely known for sure backdoored thing.
16:34 < jrmithdobbs> did someone finally own up to intentionally convoluting ipsec so that it's impossible (except on openbsd, basically, and with a very knowledgeable admin) to actually construct a secure ipsec tunnel that provides encryption and authentication in a way that isn't recoverable (pfs) given keys
16:34 < jrmithdobbs> because ipsec is one fucked spec
17:45 < gmaxwell> Though the power consumption of their stuff is better than the 65nm asics today.  Well, the 55nm bitfurry stuff, which was a careful hand layout is more power efficient than knc.
17:45 < MC1984> its like where there is a huge breakthrough in hashrate security actually decreases for a while
17:46 < gmaxwell> MC1984: you've noticed sipa pointing out that we're down to ~1 month work to replace the chain.
17:46  * jgarzik returns
17:46 < MC1984> yeah a while ago
17:47 < MC1984> do you still keep very close tabs on the asic manufacturers gmaxwell
17:49 < gmaxwell> There is a new chinese company claiming to have parts that are 1.47GH/j on 55nm, parts in hand near release, pretty close to what hashfast and cointerra are claiming to have targeted at 28nm.
17:49 < gmaxwell> ( https://bitcointalk.org/index.php?topic=330665.0 )
17:49 < gmaxwell> MC1984: somewhat.
17:49 < midnightmagic> adam3us: Based on my experience with p2pool, if I pretend everyone is smart, I ask myself the same thing. Why the heck doesn't everyone p2pool. I'd bet if it were included with mainline and "just worked" if people pointed their miners at their bitcoind(-qt) it would probably dominate.
17:50 < MC1984> midnightmagic, true
17:50 < MC1984> i called for that a while ago
17:51 < MC1984> the power of default seems to override even rational economic interest a lot of the time
17:51 < midnightmagic> gavin has mentioned (don't know if it's still true these days) that if p2pool were c++'ized he would want to include it in mainline
17:51 < adam3us> do it!
17:51 < MC1984> whats it written in
17:51 < gmaxwell> midnightmagic: there are two things that increased p2pool rate a lot in my experience: google ads (no kidding), and people paying random bonuses to p2pool users.  And there were two things that decreased its usage, it not working right with the latest miner of the month, and people posting FUD about it.
17:52 < MC1984> the FUD really pisses me off
17:52 < MC1984> like people are content to post total shit as long as it makes them look like they know something everyone else doesn't
17:52 < midnightmagic> most of it was corrected with the most-recent versions of p2pool which now operate with the major miners just fine, along with the major devices.
17:53 < midnightmagic> actually, I don't know about jupiters.
17:56 < maaku> MC1984: Python (twisted)
17:57 < gmaxwell> midnightmagic: so far the people complaining about jupiters have turned out to be people with hosted ones, who also complain about stale rates on other pools. I don't know if people with regular jupiters are all happy or if none have tried.
17:57 < gmaxwell> The firmware and mining software for the jupiters has apparently turned out to be a bug fest.
17:57 < maaku> forrestv (or someone) should apply for money from the foundation to C++'ify it for mainline
17:57 < MC1984> i bet you could do a successful bounty to port it to c++
17:58 < MC1984> i have zero idea how hard that would be mind
17:58 < gmaxwell> it's a decentralized consensus algorithm... not exactly the easiest stuff to work on.
17:58 < gmaxwell> It also goes further than strictly needed for just decentralization purposes.
17:58 < maaku> MC1984: it would be a rather large undertaking.. and not necessarily worthwhile. it actually benefits a lot from the Python ecosystem
17:58 < gmaxwell> As I've been promoting, coinbase-only mining lets people keep something closer to the existing model.
17:59 < gmaxwell> And it avoids the need for a decentralized consensus.
17:59 < midnightmagic> If I were to do it, it would end up as pure C. I'm not sure whether people would appreciate that..
17:59 < midnightmagic> Python is sooooo fast for prototyping.
18:00 < maaku> and for writing concurrent servers
18:00 < midnightmagic> the GIL is pretty annoying to get around tho
18:00 < maaku> eventlet, not multi-threaded is what i generally do
18:04 < maaku> gevent, actually
18:04 < midnightmagic> maaku: Is gevent friendly?
18:04 < maaku> it's pretty much a drop in for threading
18:04 < maaku> monkey patches all the APIs
18:06 < midnightmagic> cool
18:18 < gavinandresen> midnightmagic: I'd love to see a "start mining" button in bitcoin core that did the p2pool thing and knew how to find / talk to asics....
18:19 < gavinandresen> midnightmagic: or, actually, any other within-an-order-of-magnitude technology for mining (still wondering how power-efficient the SHA256 Intel CPU instructions will be)
18:20 < gavinandresen> (order of magnitude power-efficient, I mean)
18:25 < MC1984> sha256 acceleration wont be viable because the function is actually sha256^2 right
18:25 < maaku> MC1984: it isn't sha256 either
18:25 < maaku> it's a primitive you can use to build efficient sha256
18:25 < maaku> or sha256^2
18:52 < phantomcircuit> maaku, which actually might be better
18:52 < phantomcircuit> although i suspect it'll be the same thing as the AES-IN which are effectively a set and an update function
18:56 < gmaxwell> in intel the SHA256 stuff is just a function that implements two rounds of SHA256.
18:58 < gmaxwell> I think I figured a 3GH/s cpu would be a 50MH/s miner or something, with a guess at the throughput of the round function instruction.  So I don't think this will bring cpus back in the running for mining, though it may make other things we do faster...
18:59 < warren> block propagation?
19:00 < gmaxwell> I don't think hashing is the real barrier in performance there by far... but if everything else gets optimized it may be, so that would help then.
20:40 < midnightmagic> gavinandresen: ah cool
21:17 < amiller> i really like this tweet from matt green https://twitter.com/matthew_d_green/status/399236330581786624
21:17 < amiller> "Every new idea has already been discovered, inaccurately discussed & totally forgotten about on the Bitcoin forums."
21:24 < gmaxwell> amiller: Emin's character attacks on people expressing doubt about their work is exactly as I predicted.
21:33 < MC1984> @matthew_d_green Every random noise channel will eventually transmit every transmissible message.
21:33 < MC1984> #iceburn
21:47 < amiller> actually, what do you mean by predicted
21:48 < amiller> predicted like based on this guy is, or predicted after first seeing the paper, or predicted about computer science academics looking at bitcoin generally
21:54 < gmaxwell> predicted after seeing his initial comments, and his sell pumping on twitter.
21:55 < amiller> yeah, he's such a douche bag and a bad example
21:57 < amiller> everything about it pisses me off, even the random noise comment
21:57 < amiller> there are at least a non-negligible polynomial number of ideas
21:57 < amiller> like 1/n of the user's have at least 1/k of their posts are good ideas
21:58 < amiller> the result is fine and i don't even care so much about the press whoring because frankly it's part of the process and if pr people suck up to university professors they've at least earned it or something, bitcoin companies etc do it too,
21:59 < amiller> i think what i hate most about the paper itself is that the proposed fixes are so dumb and introduce more problems and there's a specific section that's like "they should implement exactly these suggested patches immediately or else face imminent collapse" which is total crap
22:00 < gmaxwell> yea, the proposed fix is obviously pretty dumb.
22:00 < gmaxwell> And bytecoin's analysis was not random noise. He performed a simulation, posted figures. He considered a somewhat different model, indeed and it wasn't developed in the same direction or to the same extent as their work, and their work was interesting beyond it... but this isn't a complete surprise.  Amusingly, the most interesting proposed improvement in response I've seen is from bytecoin.
22:00 < amiller> it would be really sad if this causes other legit researchers just to steer away from the topic, i don't actually think it will have that effect
22:00 < amiller> yeah definitely
22:02 < gmaxwell> also the fact that there is no acknowledgment that they have an implicit incentives model which doesn't appear to be supported by reality is irritating.
22:04 < gmaxwell> e.g. assuming that miners are frictionless spherical objectivists in simple harmonic motion.
22:06 < amiller> "the obviously desired and hinted-at theory is unsound under some circumstances" is a whole lot different than "this is about to collapse, panic immediately"
22:07 < gmaxwell> claims like "it shows that, even under the best of circumstances (i.e. the attacker has terrible network connectivity, no Sybils, no control over information propagation and loses to the honest miners every single time), defending against the attacker requires at least 2/3rds of the network to be honest"
22:07 < gmaxwell> are just outright untruths.
22:08 < gmaxwell> It's adding an additional assumption that an "honest" miner will behave adversely to bitcoin's long term interest if its more profitable to do so.
22:08 < gmaxwell> Thats not a very good definition of "honest"
22:09 < amiller> no one is "honest", or else honest miners mine and donate the reward to p2pool
22:10 < amiller> it's a significant result to show that beyond 33% gets disproportionate reward, because other miners would want to join that pool so there's a slope toward larger and larger up to 50
22:10 < amiller> it's not an "attack" its just a lapse in the ideal incentives-keep-everything-okay argument
22:11 < gmaxwell> amiller: Sure but it isn't accurate, not even in the slightest or smallest way, to say that their 2/3rd number is a replacement for the majority number.
22:11 < amiller> well yeah
22:11 < amiller> the 51% number we're used to is 51% honest
22:12 < amiller> hypothetically we can imagine that people also believed that 51% is also the threshold for rational
22:12 < amiller> in that if no coalition controls more than 50%, then there is no way to profit by deviating from the protocol
13:49 < petertodd> adam3us: as a thought experiment, consider how it'd work if you made the grinding bloom filter compat: that's basically what gmaxwell is proposing
13:49 < petertodd> adam3us: (specifically with a random nTweak value)
13:49 < adam3us> petertodd: well actually it might  if non-change is a prefixed reusable addr and change is a one-use addr
13:49 < maaku_> jtimon petertodd: well i think this particular application could be better done with etotheipi's WITHINPUTVALUE sighash mode
13:49 < petertodd> adam3us: the whole point is that you can't distinguish a prefixed reusable *output* and a change output
13:50 < petertodd> maaku_: yes, but where in the scriptSig do you sign the input value?
13:50 < petertodd> maaku_: again, if the signature covers some of the scriptSig, that's easy
13:50 < adam3us> petertodd: i know.  but prefixes are unchanging.  their lack of presence eliminates some tx from the network analysis.  that effect can be cumulative.  it might leak more bits of entropy per edge than a coin join with random (possibly malicious join to self parties) adds
13:51 < jtimon> petertodd maaku_ I can't think about it because I don't know what is trying to be done
13:52 < maaku_> jtimon: he's trying to have his signature cover the fee, by signing both the input values and the output values
13:52 < adam3us> petertodd: ( i mean if i know because its public your prefix is FF and i see a coinjoin that doesnt have FF in the output then i know you're not in it with that addr.  maybe there's another CJ feeding into the previous and it does have FF in it.)
13:52 < petertodd> adam3us: again, you're totally missing my point here. you can't distinguish the output in the prefix-tx, so all you've managed to do is narrow down who the tx might pay in terms of probabilities (and even worse, you can't rule out stealth addresses with longer, or no, prefixes)
13:53 < jtimon> ok, first solution: using joyscript and a load_utxo-family opcode (I know, this is another opcode)
13:54 < maaku_> jtimon: and doesn't work for hostcoin
13:54 < petertodd> jtimon: anyway, just look up what I've written on bitcointalk about OP_CODESEPARATOR
13:54 < maaku_> hrm, well this is actually an interesting question about a more expressive script - sighash will have to be implemented differently
13:54 < adam3us> petertodd: ok look at it from a black box perspective.  there's 1000 tx going into a cluster of CJ, two inputs have FF on them, two outputs have FF on them.  there are two users we've noticed who use CJ who have FF, anon-set reduction by factor of 1000
13:54 < jtimon> maaku_ to disable covenants you just need to disable load_tx
13:54 < jrmithdobbs> petertodd: OP_CODESEP is just bottom really isn't it?
13:54 < petertodd> jrmithdobbs: ?
13:55 < maaku_> jtimon: ah, reading failure
13:55 < jtimon> maaku_ how so?
13:55 < maaku_> jtimon: you're fine i misread what you said
13:56 < petertodd> adam3us: again, you can't distinguish outputs using stealth and ones that aren't
13:56 < jrmithdobbs> petertodd: give me a few and i'll restate ;p
13:56 < adam3us> petertodd: i think you said it yourself even "all you've managed to do is narrow down who the tx might pay in terms of probabilities" right exactly :) it weakens the already fragile anon-set coming from CJ with random parties.  there are flood attacks on mixers near and dear to people who analysed Mixmaster remailers which apply
13:56 < maaku_> but about sighash, the issue is that how it determines what script to put in the serialization only really makes sense for a linear language
13:56 < adam3us> petertodd: correct. but that doesnt stop you ruling out a given stealth address.
13:57 < adam3us> petertodd: full node stealth addresses are of course immune as they can have zero prefix.
13:58 < petertodd> adam3us: look at it this way, I agree with you that there is an info leak, is it enough to say "wait stop! lets not implement this and delay!" no
13:58 < adam3us> petertodd: so either you are saying they arent used, or if they are used they decrease anonymity.  less than address reuse, but more than one-use address.
13:59 < petertodd> adam3us: what gmaxwell proposes is a linear increase in anonymity set size, with a linear increase in peer work because of extra indexes. will that be implemented? I'm not seeing it
13:59 < adam3us> petertodd: well it was for me.  i figured out the same stuff on bct and thought, hmm no thats not good for privacy, put in bucket of fun but not quite safe things.  (other than for full-node use case)
13:59 < gmaxwell> ditto, fwiw.
13:59 < gmaxwell> (That this idea wasn't new to me, I knew it from bytecoin's thread, but I simply thought it wasn't good enough)
13:59 < petertodd> adam3us: tough, it's a hell of a lot safer than the *actual* alternative people are going to be using
14:00 < adam3us> petertodd: what are they going to be using
14:00 < petertodd> adam3us: don't live in a dream world of users doing what's absolutely optimal vs. "Hey, this works!"
14:00 < adam3us> petertodd: TD is working on HD wallet for bitcoinj.
14:00 < petertodd> adam3us: they're going to re-use addresses left right and center
14:00 < jtimon> maaku_ is there any reason not to make withinput value the default?
14:00 < petertodd> adam3us: that's got nothing to do with it
14:01 < petertodd> adam3us: HD is orthogonal to the problem stealth addrs try to solve
14:01 < gmaxwell> having your security depend on unknown factors esp including the attacker's statistical prowess... kinda lame and sometimes less secure than no privacy at all.  In any case, it's worth at least doing the thought to get the best design within that space we can.
14:01 < adam3us> petertodd: i think it has a lot to do with it.  most addr reuse is on bitcoinj dependent smart phone wallets i hazard
14:01 < maaku_> jtimon: yes, that's been my thinking. just have to be careful about compatibility
14:01 < maaku_> petertodd: so you'd want some sort of code-separator like device for the scriptSig?
14:02 < petertodd> gmaxwell: I forget if I got around to proposing it, but the wider blockchain data thing can be made more private in exactly the same way as you're proposing by having full-nodes maintain redundant indexes
14:02 < petertodd> adam3us: that's change addr reuse, not payment related
14:02 < petertodd> adam3us: I'm solving the user-payment side of things, and that's a hard problem without bi-directional comms
14:02 < adam3us> petertodd: also while you and jeremy spilman are in implementation mode why not focus on full node case?
14:02 < jtimon> valitationScript may serve too, but again I'm missing the practical use case of the problem, small memory nodes?
14:03 < petertodd> adam3us: because that's stupidly limiting
14:03 < petertodd> adam3us: anyway, long-term this prefixing stuff will either end up being common for scalability in general, or bitcoin doesn't scale...
14:04 < petertodd> adam3us: equally, in the near future we're going to see prefix lookups being used for wallet synchronization, so that part of the infrastructure is getting implemented
14:04 < petertodd> adam3us: did you read my blockchain privacy paper btw?
14:05 < jtimon> I'm not following the stealth addresses discussion in detail, but petertodd are the prefixes needed for sharding?
14:05 < petertodd> jtimon: exactly
14:05 < adam3us> petertodd: thats just admitting defeat.  i dont think we've necessarily hit a tech wall yet. eg gmaxwell cooked up the fuzzy bloombait in a few mins yesterday.
14:05 < maaku_> jtimon: it's an avenue for future expansion of capability, by being able to include stuff in the scriptSig which is covered by a signature
14:06 < adam3us> jtimon: no he's just trying to make addresses recognizable but with some privacy in a bloom subset like sense
14:06 < adam3us> petertodd: blockchain privacy? where was this?
14:06 < petertodd> adam3us: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03612.html
14:06 < jtimon> petertodd then I guess you need to convince people sharding is feasible to make it count as an argument in the stealth address discussion
14:07 < petertodd> jtimon: sharding isn't just related to blockchain structure, it also works even in the "big-block" scenario because it lets nodes handle a subset of the blockchain bandwidth
14:07 < jtimon> adam3us: I think he uses it for two purposes I don't understand the one you mentioned, but don't bother I still have too much to read from stealth addresses
14:08 < adam3us> jtimon: yes like views it as somehow inevitable for sharding maybe.. i dont get that bit either ;) (talking about you third person there petertodd)
14:09 < petertodd> adam3us: read that paper first...
14:09 < petertodd> adam3us: there is logic to it :P
14:09 < jtimon> petertodd: so it could work even without changing anything, miners could just do it to be able to manage a partition
14:10 < jtimon> petertodd I am understanding what you're saying?
14:10 < jtimon> ma I
14:10 < jtimon> am I
14:10 < jtimon> ug
14:10 < petertodd> jtimon: miners can't mine without the whole blockchain right now, but full-nodes passing around archival data and serving SPV can easily shard and process bandwidth subsets
14:11 < petertodd> jtimon: they can do so securely with the committed (U)TXO stuff that's been floating around
14:11 < jtimon> assuming we already have commited utxo
14:11 < jtimon> what's the next step for sharding?
14:12 < petertodd> jtimon: very simple: advertise what prefix of the UTXO space some full node has, and SPV clients connect to full nodes with the data they need
14:13 < petertodd> jtimon: well, and make "full" nodes themselves only get tx's from their peers matching the prefixes
14:13 < jtimon> I see, thanks
14:13 < jtimon> wait
14:14 < jtimon> full nodes also select a part of the UXTO, where do the prefixes come in?
14:14 < jtimon> oh, sorry
14:14 < petertodd> jtimon: the prefix is what part they select
16:31 < gavinandresen> sipa:  double-spends are weird, though:  they're not really "invalid", just "I saw this one first"
16:32 < gavinandresen> (0-conf double spends)
16:32 < petertodd> Yeah, and it's hard to say which one was first anyway; what matters is that two exist.
16:33 < gavinandresen> sipa: Also: only double-spends of another 0-conf transaction will get sent; once a transaction is mined and the TxOut isn't in the UTXO, a double-spend will just get dropped.
16:33 < sipa> it's not even detectable as a double spend at that point
16:33 < gavinandresen> sipa: right
16:34 < phantomcircuit> warren, has anybody tried disabling the write cache on their hdd and seeing if that fixes it?
16:34 < warren> phantomcircuit: I personally got my first mac yesterday.
16:34 < petertodd> gavinandresen: this will make it easier to get tx's into people's wallets where a different double spend was actually mined; what's your thinking on fixing the 'never-will-confirm' tx's that'll show up in people's wallets?
16:34 < warren> I don't know how to do that.
16:34 < gavinandresen> phantomcircuit: reproducing it is the problem
16:34 < phantomcircuit> i can definitely see drives sold with apple hardware lying about the write cache being flushed
16:34 < phantomcircuit> gavinandresen, yeah it's a several month experiment
16:35 < gavinandresen> petertodd: that's just a bug that should be fixed.
16:35 < BlueMatt> petertodd: let other wallets that are smarter fix it :)
16:35 < warren> gavinandresen: is the foundation willing to pledge funds to this?
16:35 < BlueMatt> let bitcoind's wallet die
16:35 < phantomcircuit> my first guess is that the hdds apple uses are tuned to lie their asses off
16:35 < petertodd> BlueMatt: ha, some of them have IIRC
16:35 < warren> we've wasted a great deal of time failing to figure this out
16:35 < BlueMatt> yes, bitcoinj handles it very well
16:35 < gavinandresen> warren: foundation isn't, but I still have donated bitcoins for testing I'd be willing to pledge.  Say 5 BTC ?
16:35 < petertodd> BlueMatt: oh good! replacement for fees would trigger that one a lot
16:36 < BlueMatt> petertodd: well if replacement for fees ever gets enabled...
16:36 < warren> gavinandresen: that's a start, I'll try to find someone else to administrate the money holding
16:36 < petertodd> BlueMatt: heh, only needs epsilon hashing power for some value of epsilon to become an issue :P
16:37 < petertodd> BlueMatt: I mean, it annoyed me when I originally wrote the code...
16:38 < gavinandresen> warren: getting money from the foundation means going through the grant process, I don't want there to be a special "Bitcoin-Qt gets whatever it likes, other wallet/implementations have to jump through hoops"
16:38 < BlueMatt> petertodd: if replace by fee gets enabled, bitcoinj would get lots of transactions marked DEAD, I think, but it would be smart about it
16:38 < gavinandresen> too much confusion about relationship between the Foundation and the reference implementation already
16:38 < BlueMatt> unlike bitcoind's wallet...
16:39 < gavinandresen> "patches welcome"  :  as long as they come with a good test plan.
16:40 < petertodd> BlueMatt: that's plenty good enough for now - tx replacement is mainly useful because fee estimates will never be perfect after all. (modulo complex scorched earth game theory stuff)
16:48 < petertodd> gavinandresen: min standard tx size is ~134 bytes, 100,000/134=746 times cheaper to bandwidth DoS the network.
16:50 < petertodd> though $4/MiB is probably something we can live with...
16:51 < petertodd> wait, doh, no that's $0.04/MiB
16:51 < gavinandresen> petertodd: I'm still not following you.  Today, I can send 134 bytes to a peer and get 746 times leverage in terms of DoS bandwidth amplification.  Right?
16:51 < gavinandresen> petertodd: today, I can do that once for each UTXO I own in the UTXO set (assuming I'm willing to pay fees)
16:52 < petertodd> gavinandresen: My point is it's 746 times cheaper to do that, because you only pay the fees for the 134 bytes, rather than 100KB
16:52 < gavinandresen> petertodd: if first-double-spend is pulled, I can do that two times for each UTXO I own.  So the delta increase is 2, not 746.
16:52 < gavinandresen> cheaper to do it than what?  Than a world in which I cannot transmit any transactions?
16:53 < petertodd> gavinandresen: It's really simple: if I want to DoS the network now, I have to pay fees to do so, and I pay 0.1mBTC/KB or expensive priority.
16:53 < petertodd> gavinandresen: But with first-double-spend, I broadcast that 136 bytes tx first, then broadcast a 100KB double-spending tx, yet it's the first one that is getting mined.
16:54 < petertodd> gavinandresen: Hence I'm paying ~750 times less for that bandwidth.
16:54 < gavinandresen> petertodd: 100KB won't be sent if it doesn't have enough fees-- MUST PASS ISSTANDARD CHECK
16:54 < petertodd> gavinandresen: But if the 100KB isn't mined, I didn't pay the fees!
16:55 < petertodd> gavinandresen: But if it is mined, then we've somehow enabled replace-by-fee basically...
16:55 < gavinandresen> Meh.  Might could be mined, depends on miner policies....
16:55 < petertodd> I mean, first-double-spend is totally safe re: DoS attacks so long as replace-by-fee is enabled!
16:55 < gavinandresen> and your luck on when miners enter/leave network...
16:56 < petertodd> Yeah, so real world, maybe with bad luck I'm down to 500x, which is still a big improvement.
16:56 < sipa> ideally, you'd have a small proof of double spend
16:56 < sipa> rather than broadcasting the whole transaction
16:57 < petertodd> sipa: which you can do, you just prove the signature, but that's a fair bit of code
16:57 < gavinandresen> ideally we have a generic active queue management for managing bandwidth
16:57 < sipa> gavinandresen: true, but that's a different problem
16:57 < gavinandresen> so that 100K double-spend is simply de-prioritized.
16:57 < petertodd> gavinandresen: right, but then that means double-spend detection isn't reliable
16:58 < petertodd> gavinandresen: I just have to simultaneously flood that channel while I do my attack
16:58 < gavinandresen> petertodd: if the detection isn't reliable, then the mining isn't reliable, either, and that is just fine
16:58 < petertodd> gavinandresen: no, you're saying it's deproritized, while tx's go through, so mining is reliable
16:58 < petertodd> gavinandresen: if it isn't reliable, then my DoS attack *is* effective
16:58 < gavinandresen> if it is deprioritized in relaying then it won't get to miners
16:59 < gavinandresen> I am ignoring Finney attacks, they are not solved by first-double-spend-relay
16:59 < petertodd> gavinandresen: right, but the that still doesn't solve the "broadcast simultaneously at two points" problem
17:00 < gavinandresen> petertodd: ???
17:00 < gavinandresen> petertodd: attacker does what-- broadcast a 150 byte txn at one point, and a 100K txn at another?
17:00 < petertodd> gavinandresen: you're solving the problem where a merchant doesn't know if you've broadcast simultaneous double-spending transactions.
17:00 < petertodd> gavinandresen: No, attacker disables double-spend detection by flooding it, then in totally unrelated transactions does a double spend.
17:01 < gavinandresen> flooding what?
17:01 < petertodd> gavinandresen: flooding the channel for double-spend detection - you said you'd de-prioritize that information channel
17:01 < gavinandresen> no, I would de-prioritize large transactions in that channel
17:01 < petertodd> gavinandresen: yes, and that doesn't help, because my double-spend can be large
17:02 < gavinandresen> okey dokey.  If both spends are large, they will both (likely) not make it to merchants or miners.
17:02 < petertodd> but anyway, I don't get why I'm arguing because for my purposes I'd rather see the patch happen...
17:02 < gavinandresen> If one is large and one is small, the smaller is likely to be mined/seen by merchants.
17:37 < warren> gavinandresen: did 0.7 or earlier have any mac corruption like this?
17:37 < warren> or it started with leveldb?
17:37 < sipa> bdb had different corruption patterns
17:37 < warren> (I wasn't around back then.)
17:37 < warren> linux and windows corrupted equally?
17:38 < sipa> unsure
17:38 < gavinandresen> I don't remember OSX having more issues with bdb
17:39 < sipa> this may actually be a leveldb-on-osx problem
17:39 < warren> does any other software use leveldb on osx?
17:39 < gavinandresen> I haven't seen "OSX sucks for running a database server", either, which makes me suspect the issue is leveldb specific
17:40 < gavinandresen> Chrome uses leveldb on OSX, but with a very different usage pattern and I think they don't use the same os-specific code we're using
17:40 < sipa> indeed
17:40 < sipa> chrome has its own environment layer
17:41 < warren> I have a hunch, but I need to be able to reproduce the corruption to confirm it...
17:42 < gavinandresen> sipa: could we mitigate the problem by truncating the leveldb MANIFEST file up to a known-good point?  Or would that screw up the integrity of the UTXO set....
17:42 < sipa> gavinandresen: my guess it it's something with interaction between mmap'ed files and writing, or some synchronization barriers
17:43 < sipa> i doubt that us trying to "fix" it outside of leveldb is the right way
17:43 < gavinandresen> sipa: I agree, not the right way, but if it prevents "re-download-the-entire-blockchain" 50% of the time it might be worth doing.
17:45 < warren> making the problem happen less often will increase the chance of never fixing it
17:47 < sipa> i hope you're not downloading the entire blockchain every time, but just use -reindex
17:47 < sipa> anyway, truncating the manifest will just reset you to a former state, right?
17:47 < warren> sipa: some mac users are reporting that -reindex doesn't fix their mac problem.  it's difficult to confirm because these people don't respond to follow up questions.
14:54 < adam3us> amiller: yeah; only justification i can see really
14:56 < amiller> i think incentive-compati-bullshit should trump honest-reorg friendliness, but who's to say :p
14:57 < gmaxwell> amiller: because even without dishonesty on the part of the transacting parties locking in the other direction can screw people.
14:57 < gmaxwell> amiller: they should be, they're not the same as non-fresh coins.
14:58 < adam3us> amiller: well someone (satoshi, someone else) must've put 100 confirms on coinbase tx for some rationale, maybe its even mentioned in the code
14:58 < gmaxwell> They have an additional risk. If the chain reorgs too far they are forever gone no matter how much people wish it were otherwise.
14:59 < gmaxwell> vs if the chain reorgs that far they merely _could_ be forever gone, in the presence of an attack involving a grandparent transaction.
15:01 < adam3us> gmaxwell: this is true, but if chain reorgs much > 6 occurred with any frequency someone may try repeatedly double spending (simultaneously to about 50% of hash rate) sooner or later he'll get lucky
15:01 < amiller> past a small distance, the difference of freshness is a negligible matter
15:01 < amiller> if you're really concerned about forks that far back, then you shouldn't consider fungibility anyway
15:01 < gmaxwell> adam3us: Right, but the criteria of "there must be an attack at all" is a major one.
15:02 < gmaxwell> adam3us: I agree, debate can be had what the small difference was.
15:02 < amiller> i guess you're saying that a major fork is more likely to occur due to honest things that will largely preserve transactions rather than a fork that introduces some magnificent double spend in the past
15:02 < adam3us> gmaxwell: say once per month average this happened (i imagine its never happened ignoring the db bug) people would do it as it would pay off
15:04 < adam3us> gmaxwell: (because double spending to something fungible can have nearly zero cost either you pay yourself (and say oops and pay again) or you pay the seller; sell it back and repeat)
15:05 < gmaxwell> Satoshi picked 100 blocks. I like that figure, you may not. it's hard to argue for any specific value.
15:07 < adam3us> gmaxwell: yes, anyway it's nice and conservative and not causing a problem; i do find the script language limitations require extra interlocked transactions, to avoid abort/extort attacks etc but i also appreciate that changing script is very what-if and would have to be very carefully validated for implications
15:08 < gmaxwell> 100 blocks fits well in the timescale of large scale (national level) internet partitionings we've had in the past 15 years.
15:08 < adam3us> gmaxwell: eg opentransactions allows eg javascript or other script langs, ripple draft script lang is not very constrained (to the point of probably security risk)
15:09 < adam3us> gmaxwell: eg imagine halting problem in jscript, or vm escape - all hell could break loose
15:09 < gmaxwell> yea, plus its at the center of a consensus protocol... all implementations must agree.
15:09 < gmaxwell> (in bitcoin)
15:09 < gmaxwell> Javascript!@#!
15:09 < gmaxwell> :P
15:10 < adam3us> gmaxwell: (even apart from the cryptographic security of the script language - its hard to prove that the script language changes do not introduce crypto attacks)
15:10 < gmaxwell> OP_RETURN
15:10 < gmaxwell> (facepalm)
15:11 < adam3us> gmaxwell: didnt get the return ref
15:11 < adam3us> gmaxwell: like anyone can cash? sure you can write dumb scripts, but more the worry is the script lang itself introduces a risk for other people's payments
15:11 < gmaxwell> adam3us: in the original bitcoin source code you could push 1 then OP_RETURN in a _ScriptSig_ and spend any coin you wanted without it ever executing the ScriptPubkey.
15:11 < adam3us> gmaxwell: oh ha ha ha :)
15:12 < adam3us> gmaxwell: that's like being able to write your own script, and then satisfying it tautologically
15:12 < gmaxwell> this was fixed by turning OP_RETURN into a RETURN(FALSE) effectively. :)
15:13 < adam3us> gmaxwell: well wait shouldnt the satisfying inputs be constants not script keywords generically?
15:13 < gmaxwell> (which was a safe but somewhat kludgey fix... ideally it would have just been prohibited in scriptsigs or.. that)
15:14 < gmaxwell> adam3us: there are slightly useful things you can do with scripts in scriptsigs to make txn slightly smaller, but not worth the problems it creates.
15:15 < gmaxwell> e.g. instead of PUSH_Hash(1) you could PUSH_1 OP_HASH...
15:15 < adam3us> gmaxwell: that seems like a robust fix now i need to go see if i can confuse someone else's script with more script code in front of it (excluding return) is that generically safe even?
15:15 < amiller> it doesn't matter whether 100 blocks is a good value, any number of blocks is bad if you buy my argument about incentive compatibiltiy and stray transactions
15:15 < amiller> i think the question should be whether or not incentive compatibility is a first-class design goal and if so how to cope with it and what to trade off for it
15:16 < maaku> amiller: is that even a question? why would you not want incentive compatibility?
15:16 < adam3us> amiller: well i reckon in an ideal world you should be incentive immune - you participate all day long with the devil himself
15:17 < adam3us> amiller: you only fall back to incentive when you cant cryptographically enforce
15:17 < amiller> maaku, i wrote an argument why the coinbase maturity  actually leads to an incentive compatibility glitch
15:17 < gmaxwell> amiller: Transaction independence from the consensus mechanism is a first order design goal of bitcoin.
15:18 < gmaxwell> (in one direction)
15:18 < midnightmagic> incentives are the reason why when people see bitcoin's floodfill and declare it useless because it's O(mn) they're missing the point
15:18 < amiller> maaku, https://gist.github.com/amiller/cf9af3fbc23a629d3084
15:19 < adam3us> amiller: eg re enforcement up to 99%  hostile network with committed transactions thats fun, that the best the attacker can do is random DoS that costs him money, its like a DoS counter measure where the victim can cost the culprit a massive multiplier
15:20 < amiller> i don't understand
15:20 < maaku> amiller: but we can't really change that rule, except by adding it to the someday, maybe hard-fork wishlist...
15:20 < gmaxwell> amiller: I think any argument for incentive-compatible at least for short-term-self-interested is pretty insanely hard to achieve.
15:20 < adam3us> amiller: about committed tx? or other thread
15:21 < gmaxwell> amiller: e.g. incentive arguments fail to things like miners can just perform a double spend attack of far greater value for the subsidy, enough to pay off a bunch of miners.
15:23 < midnightmagic> amiller: hah, great gist. :) i love it
15:24 < amiller> i think that's fine for my model of attacker
15:25 < amiller> which is a) it's an individual's decision how long to wait, which depends in part on how long *other* individuals wait
15:25 < amiller> b) any attacker that makes a profit has to target some maximum length of attack, so it doesn't harm eventual consensus
15:25 < amiller> thanks midnightmagic :)
16:11 < BlueMatt> gmaxwell: though I agree it is unlikely that analysis is correct and any miners are delaying blocks, does anyone actually have monitoring in place that would tell them if they were?
16:11 < gmaxwell> BlueMatt: I watch for orphans.
16:12 < gmaxwell> I assume other people do to.
16:12 < gmaxwell> (I also get a phone call for reorgs >2 blocks, though that hasn't fired for a while, I ought to set up some test so I know if it stops working)
16:13 < BlueMatt> hmm, fair enough
16:13 < sipa> how often does >2 happen?
16:15 < gmaxwell> sipa: basically never (but not never)
16:16 < gmaxwell> looking at my logs, I see a reorg of 2 once in the last three months.
16:16 < gmaxwell> I don't have logs going back to the last time I saw 3.
16:16 < gmaxwell> but that was the point. At 3 I can reasonably drop whatever I'm doing and go worry about bitcoin... it should be rare enough that its not a terrible disruption.
16:18 < phantomcircuit> gmaxwell, that file is the blocks folder
16:20 < ielo> oh hi there
16:24 < phantomcircuit> nope actually it's an entire .bitcoin folder
16:24 < phantomcircuit> that's bad
16:29 < gmaxwell> phantomcircuit: with wallet too? :P
16:33 < phantomcircuit> sadly no
16:42 < amiller> justaskingplz is the only person working on a bitcoin p2p and mining simulator
16:42 < justaskingplz> hi
16:44 < sipa> cool
16:48 < ebfull> so this is where the cool kids hang out
16:48 < amiller> http://ebfull.github.io/ this is a selfish mining simulation
16:48 < ebfull> a very naive one
16:49 < ebfull> it does appear to work though, shows a sybil+selfish attack together will significantly increase revenue under this topology
16:49 < ebfull> for certain percentages
16:49 < ebfull> of network hashrate
16:53 < adam3us> ebfull: does it take into account that the non-selfish winner will not be convinced by the raced announce?  (and that 80% of the network is pooled, in pool sizes of 30%, 20%, 15%, 7% etc stats from blockchain.info)?
16:54 < adam3us> ebfull: i hacked up a simulator a few days ago but was unsatisfied with its inability to model latency (i did start coding the above though)
16:55 < ebfull> it doesn't take into account pools and other large miners, but it can if i change the way nodes are created
16:55 < adam3us> ebfull: also do you have correct parameters to create the approximate correct ratio of accidental orphans
16:55 < ebfull> originally it did
16:55 < ebfull> i adjusted the natural orphan rate to mimic bitcoin's
16:55 < ebfull> everything else is completely different, latency between nodes etc.
16:56 < ebfull> arbitrary that is
16:56 < ebfull> i can adjust the orphan rate, if i make it higher the attacker will get a better lead and earn more revenue
16:56 < ebfull> (as you'd expect)
13:56 < petertodd> Yeah, for for domain names, a perpetual auction may be acceptable, or an auction that goes into effect every n blocks.
13:56 < petertodd> I doubt people would like that domain name system, but it's an option...
13:57 < petertodd> For PGP->email CA's, full email addresses don't get reused all that often really.
14:02 < petertodd> Oh, mind, for a PGP CA, you do need to handle key updates. So immutable still isn't great.
14:03 < jgarzik> yeah
14:04 < jgarzik> Trying to think through balancing the value of immutable (cannot be attacked via change) versus the real world need to expire master keys
14:04 < jgarzik> If there is a lesson to be learned from security in the past 10 years, it's that keys (and the passphrases protecting them) are inevitably vulnerable via human/human attacks like social engineering, poor passwords, ...
14:04 < petertodd> Well, the mutability rule can be just "there must exist an unbroken chain of keys signing keys"
14:05 < jgarzik> humans suck at password and key management
14:05 < jgarzik> agree
14:05 < petertodd> Proof size should be reasonable in the real world.
14:06 < petertodd> One issue here, is what's the equivalent of a UTXO proof? Maybe a merkle mountain range of every value ever associated with a given key?
14:08 < jgarzik> heh, merkle mountain range
14:08 < petertodd> The merkle-mountain range is prunable, and the incentive to get it right is that others will see you screwed it up, and won't build upon your sacrifices.
14:08 < petertodd> jgarzik: do you know the explanation for the name?
14:08 < jgarzik> no, but I can guess
14:08 < amiller> in the most general setting it's called a verification object (VO)
14:08 < jgarzik> tree of trees?
14:09 < petertodd> jgarzik: https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
14:09 < petertodd> Pretty similar to a merkle-skip-list, but it has an unusually simple visual image to explain it.
14:10 < petertodd> ...and my dad thought the name was hilarious.
14:12 < jgarzik> hmmmm.  Can the identity chain be purely PoS-based, ditching PoW completely?  Not sure.
14:12 < jgarzik> PoS ties you to the bitcoin chain, but loosely
14:13 < petertodd> Well, PoS does always make it possible for a wealthy attacker to attack your chain, but on the other hand, that's really true of PoW too.
14:13 < petertodd> At least PoW makes figuring out how much money they'll have to spend really easy.
14:14 < petertodd> The real problem is what's the incentive to pay enough for the PoS chain, other than "shit, an attacker attacked us, lets go outspend them and put the chain back!"
14:14 < jgarzik> yeah
14:15  * sipa somehow always reads PoS as 'piece of shit', instead of the (slightly) more common interpretations in the Bitcoin world (including point of sale)
14:15 < jgarzik> PoSa
14:15 < jgarzik> distinguishes between proof of stake and proof of sacrifice
14:15 < petertodd> For low interest chains, your PoS for a block would converge to the fees required to get the root bit of data into the bitcoin blockchain.
14:15 < jgarzik> and point of sale
14:16 < jgarzik> petertodd, true
14:16 < sipa> PrOSt, PrOSa, PoOS
14:16 < petertodd> we should call proof-of-stake PoT in reference to what the creators of proof-of-stake systems usually seem to be smoking
14:16 < jgarzik> hah
14:17 < petertodd> also, keep in mind that not unlike Bitcoin, with any k-v system where updates are signed, the attacker has to rewrite the whole chain all the way back to the initial insertion
14:18 < petertodd> and there's nothing stopping you from using manual checkpoints, as ugly as that is
14:18 < jgarzik> most chains bootstrap into existence using this ugly solution
14:18 < jgarzik> including bitcoin ;p
14:18 < petertodd> indeed
14:20 < petertodd> also with signatures on updates, the chain *can* be a dag structure, with conflict resolution being done via highest total PoS
14:20 < petertodd> it's totally ok to "mine" a block with some secret k/v setting, and reveal it much later provided that there aren't conflicts
14:22 < petertodd> re: namespaces, note how the tradeoffs are kinda weird here, bigger blocks are definitely better up to the decentralization limit, because they allow as many parties as possible to share one PoS
14:22 < jgarzik> nod.  Some k-v will definitely be private, to be revealed only to chosen parties
14:23 < jgarzik> e.g. you might not publish your real name and government attestation, but you would give permission to give out that info to certain parties.
14:24 < jgarzik> Get to a point where you, A, reveals info to party B.  party B keeps that info private, but publicly attests to fact F
14:24 < jgarzik> then another party C can see F from B
14:24 < petertodd> yup, and it works at both the value level, and the block level
14:27 < petertodd> brb
14:27 < jgarzik> In the KYC context, you can remain private, but have a trusted firm digitally attest to your lack of criminality:  Alice receives a signature from Identity Checking Inc., after undergoing full identity exam including rectal check.  Alice only needs the sig, to prove she went through KYC.
14:28 < jgarzik> The KYC check is as valuable (or useless) as Identity Checking Inc.'s services and reputation, and private details need never be revealed.
14:28 < jgarzik> This certainly exists today, but in a centralized fashion, with massive redundancy (everybody checks government ID etc., everybody runs background checks, etc.)
14:48 < petertodd> The debugging tools for analog electronics have such terrible UI's...
14:49 < petertodd> Hmm... so with KYC though, exactly how does the k-v consensus actually help us?
14:49 < petertodd> There's no zooko's triangle involved, well, there is, but you have trusted Identity Checking Inc.
14:54 < jgarzik> petertodd, That's all an attestation really is. Bob trusts Identity Checking Inc.'s attestation of Alice (or not).
14:57 < jgarzik> petertodd, in theory you don't strictly _need_ a unified view of this global database; it's more for convenience.  Two parties just need sufficient amounts of data from each other, just like PGP WoT today.  The idea with decentralized identity is to generalize that and make it easier (+ attaching a cost)
14:57 < jgarzik> a chain would be very helpful in solving several problems though
14:57 < petertodd> Exactly, this whole system is rather complex... although it'd be useful for so much stuff.
14:58 < petertodd> A chain is required to be sure you have a recent copy of, say, revocation certs.
14:58 < jgarzik> yes
14:58 < petertodd> Not unlike the fidelity-bonded-banks problem actually...
15:01 < petertodd> Here's another thought: what's we've created here is more general than k-v store, it's basically a general purpose PoS-mined alt-chain system.
15:02 < petertodd> However, the problem is the PoS algorithm I've described isn't all that useful for alt-chains representing monetary value.
15:04 < jgarzik> as discussed, data chains are quite useful for several things
15:04 < petertodd> Yeah, see, what I'm curious about is are there cases where they are useful for "transactional" data, IE not the k-v model?
15:05 < petertodd> (although, I guess you could say a transaction *is* a k-v pair with a height)
15:05 < petertodd> (and k=H(v))
15:05 < jgarzik> either way, with zero trust you gotta prove history from genesis to present, transactional or not
15:05 < petertodd> yup, at best you namespace it
15:06 < petertodd> ok, so with a merkle mountain range k-v history proof for every k-v pair, you don't actually need to validate anything *about* the k-v pairs, you are just proving that they existed
15:07 < petertodd> so that the "SPV" client equivalent can know if they've seen full history since the genesis block
15:07 < petertodd> *maybe* add a really general purpose signature for subsequent updates mechanism, where the pubkey is uncensorable
15:08 < petertodd> for any given k, first occurrence is that k's "genesis block" so to speak, and subsequent are validated by the sigs
15:08 < petertodd> no sig == junk, and not in the mmrange k-v history
15:09 < jgarzik> hmmmmm
15:09 < petertodd> (add in expiry etc. as required to keep proof size reasonable)
15:10 < petertodd> Oh, actually... so the signature just has to sign the mmrange of the key!
15:12 < petertodd> So you can prune everything but the first occurrence... still need to figure out expiry though, because after the fact it looks like the key never existed if pruning is used... maybe some kind of interval thing.
15:13 < petertodd> Bigger issue: what exactly are the incentives for doing k-v history proofs anyway? How do full-nodes and SPV nodes interrelate? why would you run a full-node anyway?
15:13 < petertodd> If there aren't any notion of SPV, the whole thing becomes way easier.
15:13 < petertodd> s/aren't/isn't/
15:15 < petertodd> semi-related: amiller's concept that losing PoS markers contribute to total PoS doesn't work, because how exactly do you decide who lost?
15:16 < jgarzik> Indeed.  The incentives for running a node are possibly lower, residing mainly at identity attestation firms, auction market providers, and other businesses that need identity
15:16 < jgarzik> *possibly lower for the average user, I mean
15:17 < petertodd> also, PoS sum should somehow take block size into account, so if my data is large I lose out to a small block with the same sacrifice amount
15:17 < jgarzik> agreed
15:17 < petertodd> Yeah, like Bitcoin, if running nodes is cheap, people will do it anyway, but resources are limited and demand is infinite.
15:17 < jgarzik> provides incentive for efficiency
15:19 < petertodd> value/size is probably fine... but just like Bitcoin, consensus and decentralization demands limits on size
15:21 < jgarzik> As soon as v0.1 of this identity system exists, people will complain that it does not immediately support all ~7 billion people on Earth
12:46 < jgarzik> Troll patches are famously employed by Linus Torvalds' #2 in Linux, Andrew Morton.  A mild-mannered, Gavin-like guy for the most part.  But if an issue is sticking, he'll post a patch that solves the issue in an ugly way, "encouraging" people to do a better job than he.
12:47 < sipa> haha
12:47 < jgarzik> (it works because he merges tons of patches, has plenty of merge power)
12:47 < jgarzik> ultimately all changes are pulled by Linus, so no ACK/NAK consensus system in Linux.  It's either pulled by Linus, or not.
12:48 < petertodd> jgarzik: potentially bad incentives there re: busses
12:48 < petertodd> 12:47 < jgarzik> ultimately all changes are pulled by Linus, so no ACK/NAK consensus system in Linux.  It's either
12:48  * sipa wonders what a 'SYN' comment on a patch would mean
12:48 < BlueMatt> wait...we have a consensus system?
12:48 < petertodd> jgarzik: though I suspect Linux isn't *quite* as political as Bitcoin...
12:48 < BlueMatt> hah
12:48 < jgarzik> petertodd, You would be surprised!
12:48 < petertodd> sipa: It means the patch is ECN capable.
12:48 < jgarzik> petertodd, billion-dollar companies competing for your attention, where a patch merged might greatly benefit one business over another
12:49 < petertodd> jgarzik: I hear DRM has been an exception...
12:49 < jgarzik> petertodd, here in bitcoin, we "merely" have a handful of million dollar startups
12:49 < petertodd> jgarzik: True, lots of sunk engineering costs that managers don't want to change.
12:49 < sipa> BlueMatt: yes, it is "make someone with merge rights feel comfortable enough he won't be drowned in alpaca piss by the other devs for merging something"
12:50 < jgarzik> pretty much
12:50 < BlueMatt> sipa: ok....I /guess/ that counts
12:50 < jgarzik> RE DRM: never a real problem for Linux.  Being open source, it's kinda pointless to create software that locks down data
12:50 < petertodd> jgarzik: So how often does a proposed patch lead to a 3 minute animated video done by some guy with an arts degree? :P
12:50 < jgarzik> The DRM problems were always with hardware gadgets, that need upper level Linux drivers
12:51 < petertodd> jgarzik: Well, I could see more remote attestation stuff being practical, if antithetical to open source.
12:51 < jgarzik> never with Linux kernel itself _serving_ / providing DRM protection
12:51 < jgarzik> petertodd, with a benevolent dictator, crowd pressure is less effective
12:52 < jgarzik> petertodd, that's sorta where the linux/bitcoin analogy breaks down
12:52 < petertodd> jgarzik: indeed, and Linux is not a global consensus system. Bitcoin isn't just a piece of software.
12:52 < sipa> so we need a benevolent dictator!
12:52 < sipa> yay decentralization!
12:52 < petertodd> sipa: sounds like an AI problem...
12:53 < jgarzik> we need The Daemon
12:53 < sipa> i propose a blockchain mechanism to achieve consensus about what decisions to take wrt project management
12:53 < petertodd> sipa: <shudder>
12:53 < sipa> perhaps a controversial opinion, but i'm not convinced that is necessarily contradictory
12:54 < sipa> i like to see bitcoin more as an experiment in building a decentralized system, rather than a (fully) decentralized system itself
12:54 < petertodd> The problem is any pure blockchain mechanism is really a miner vote.
12:54 < sipa> (of course, that part was a joke)
12:55 < petertodd> sipa: Reminds me, for keepbitcoinfree I've already proposed a -talk email list with whitelisting done by fidelity bonds.
12:55 < petertodd> sipa: good, but best that people reading IRC logs understand the problem
12:57 < petertodd> You see, the fidelity bonds thing sounds good, but the real advantage is you implement it with PGP, which means people are forced to use PGP to post, which inherently filters out so many crazies...
12:58 < sipa> it also filters out so many
12:58 < jgarzik> indeed :/
12:58 < petertodd> Yeah, it's a trade-off.
12:58 < sipa> (though the filtering percentage for crazies is likely higher)
12:58 < jgarzik> PGP key signing is geek wanking :)
12:58 < petertodd> jdillon and I are the only guys who regularly use PGP on the -dev email list.
12:58 < jgarzik> (though that means admitting I'm a wanker?)
12:59 < petertodd> jgarzik: but it feels so good!
12:59 < jgarzik> A real life fingerprint (mannerisms, coding style, coding smarts) is always more useful, more natural than PGP WoT
12:59  * sipa wonders if anyone will sign his keys based on his presentation slides
12:59  * jgarzik wonders if anybody validates the PGP signatures on bitcoin downloads
13:00  * sipa also wonders whether he should trust such a person to do good identity verification
13:00 < petertodd> jgarzik: Yes, but using PGP lets you establish a link to that link history of mannerisms and coding style.
13:00 < jgarzik> or if anybody checked my PGP sig, in my exmulti->bitpay PGP signed message to the -development ML
13:00 < sipa> jgarzik: i haven't
13:00 < petertodd> jgarzik: See, I would have, had I had a reason to trust your first PGP key... (other than the fact I timestamped it months ago)
13:01 < jgarzik> hehehe
13:01  * jgarzik needs to backup the BitPay keyring, speaking of
13:02 < petertodd> sipa: you haven't even signed my key, and I gave it to you personally :P
13:02 < petertodd> jgarzik: you're not using a hardware key?
13:03 < jgarzik> I like the idea (Adam's?) of having little pull-off paper strips, with the pgp fingerprint on it
13:03 < jgarzik> petertodd, hah, no
13:03 < sipa> petertodd: i haven't had access to my private key yet
13:03 < jgarzik> petertodd, my PGP usage merely gains me entrance into the technological priesthood
13:03 < sipa> petertodd: but i can't actually remember verifying your identity :)
13:04 < jgarzik> other than that it's a circle jerk ;p
13:04 < petertodd> jgarzik: I've got two types of hardware PGP keys, but in all honesty, gnupg smartcard support is a buggy pain in the ass.
13:04 < jgarzik> gnupg is a PITA
13:04 < petertodd> sipa: Do you think I'm Peter the crazy off-chain guy? Or was I too sane in person?
13:04 < sipa> petertodd: pretty sure you're the same guy, but what i think isn't relevant
13:04 < jgarzik> where is the easy-to-use PGP library?  Every single program that wants to use PGP must exec(2), it seems
13:04 < jgarzik> that's part of the problem
13:05 < sipa> jgarzik: you know why, right?
13:05 < petertodd> sipa: heh, see, I disagree with the government-issue ID business in that respect
13:05 < jgarzik> ditto Tor.  no "link this lib", but "run this proxy"
13:05 < jgarzik> sipa, there is an official reason?
13:05 < sipa> jgarzik: yes, mlock
13:05 < jgarzik> besides "RMS blessed this code" or NIH?
13:05 < petertodd> jgarzik: yes, all total BS. The python gpgme library is particularly embarrassing.
13:05 < sipa> jgarzik: they mlock the entire process, because anything else isn't guaranteed afaik
13:06 < jgarzik> sipa, understandable, but mostly pointless IMO
13:06 < petertodd> sipa: yes, but that could be done far more sanely with fork followed by brk to reduce the memory footprint, and some pipes
13:07 < sipa> there are libraries that do that
13:07 < petertodd> sipa: instead you get libraries that literally run the gpg exec, and do crazy text grabbing
13:07 < petertodd> sipa: oh good, hopefully I just missed the saner ones, although last I needed it I was only looking at Python stuff
13:08 < jgarzik> yeah, it's awful
13:08 < sipa> petertodd: anyway, about identity checking: yes and no: imho, gpg identities should list (perhaps just in the form of a free-form text field) what authority the identity claims to provide the identity (not sure about terminology)
13:08 < petertodd> and it just gets worse if you try to integrate with a PGP hardware thingy (I briefly looked into it for timestamping, and gave up screaming)
13:09 < petertodd> sipa: Indeed. Where authority can be "Internet Reputation"
13:09 < sipa> petertodd: for example, i could have an identity that says "Bitcoin developer 'sipa'", without claiming anything about my real name
13:09 < petertodd> sipa: Heck, I signed jdillon's PGP key solely on the basis that I was one of the first people to talk to him in Bitcoin. (AFAIK)
13:09  * petertodd needs a keysigning policy, no wait, a life...
13:10 < sipa> or, the other extreme, i could have an identity that claims corresponding to the Belgian citizen registry entry named "Pieter A. S. Wuille"
13:11 < sipa> so you also know what to ask for to verify an identity
13:11 < petertodd> There's on and off discussion in gnupg-devel and openpgp mailing lists about that stuff actually - seems semi-consensus is it's just too complex for people to understand.
13:12 < sipa> it probably is
13:12 < jgarzik> That's what I want to do with a decentralized identity system.  Take a UUID and a database, and attach various signatures (your own, PGP, ECDSA, etc.) and various endorsements (signatures from third parties, be it personal ("sipa is a great guy") or identity-based ("sipa == Pieter Wuille, national ID number 1234-5678") or reputation based ("sipa is a 5-star trader on MyEbayClone")
13:12 < jgarzik> Just need a protocol/data definition, and your decentralized identity can be as private or public as you like.
13:13 < sipa> but the problem is, many of the people who signed my GPG key (most was at a FOSDEM keysigning party with 100-200 people), did check my identity based on government-issued paper (and i'm sure they wouldn't have if i couldn't provide such paper)
13:13 < sipa> so they likely expect me to do the same sort of checking when signing other keys
13:13 < petertodd> sipa: indeed, I don't want to be mean, but jgarzik here is an excellent example: having a separate signing key in addition to your master signing key is a good thing, because it lets you limit the damage from a compromise. But seriously, understanding that crap is just not worth it.
13:14 < sipa> well, nobody understands GPG in the first place :p
22:16 <@gmaxwell> I assume plaintext is fine, since thats what the old blockexplorer api was.
22:17 < andytoshi> https://www.wpsoftware.net/coinjoin/status.php
22:18 < andytoshi> when there is a transaction in there, it is pretty verbose..
22:18 < andytoshi>     echo 'The current session is open for ', Session::time_to_switch(), ' more minutes. There ',
22:18 < andytoshi>	    'are currently ', Bitcoin::unsigned_tx_count(), 'transactions in the pot. The most ',
22:18 < andytoshi>	    'popular output value is ', Bitcoin::most_popular_output(), '.';
22:19 <@gmaxwell> does the way it works now have a session 'close' and open for signing?  e.g. is there also a need for a status.php?id=deadbeef  to find out if a past session is still in need of signatures?
22:19 < andytoshi> yeah, there is a flag in the database which sets the "active" session
22:20 < andytoshi> one moment..
22:21 <@gmaxwell> (might be useful in harassing people to finish signing in an IRC join)
22:25 < andytoshi> see eg https://www.wpsoftware.net/coinjoin/status.php?session=fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
22:26 <@gmaxwell> andytoshi: maybe a lark you'll think is stupid. But I think it should display a "round name" from the session ID, which is converted to english using a spookwords list (e.g. http://attrition.org/misc/keywords.html ) so it tells you that "session fissionable Indigo speedbump is live in three signatures."
22:27 <@gmaxwell> I have no idea where a good name generator is though, the link there was a random google result.
22:27 < andytoshi> :P i think that'd be awesome
22:27 < andytoshi> i'll look into it
22:27 < Luke-Jr> Is there a reason alex_fun hasn't had at least a kick or warning in #bitcoin-dev yet? He seems to intentionally flaunt being off-topic :/
22:28 < andytoshi> my brainwallet uses six random words from Great Expectations, and they always come out as stories
22:28 < andytoshi> in fact, i never use it as a brainwallet, just for making passwords
22:28 <@gmaxwell> Luke-Jr: I prodded him in PM which prompted
22:28 <@gmaxwell> 19:07 < alex_fun> guys and girls whatever really , u feel rigid its u choise
22:28 < andytoshi> nanotube: the source for status.php is here: http://pastebin.com/ra8NTFxA
22:29 < andytoshi> nanotube: i'm happy to change the formatting however you see fit
22:30 <@gmaxwell> andytoshi: there doesn't seem to be any good "topsecret codeword" generators though there are lots of lists of suitable words.
22:33 < maaku> CodeShark: the joiner I'm working on 100% p2p
22:33 < maaku> but it's not something I'm spending a lot of time working on ...
22:34 <@gmaxwell> I think of andy's thing as something fun that people can use right now. It's obviously not what we need long term, and (at least right now) doesn't really overlap or compete with better ways of doing it.
22:35 < andytoshi> to Luke-Jr's point, alex_fun has been around for many months (years?)
22:35 < andytoshi> i thought luke was yelling at ghosts, and it turned out that there was in fact some alex_fun in my /ignore list, which i'd put there so long ago i'd forgotten
22:36 < maaku> yeah he's a troll that's been around a while
22:36 <@gmaxwell> I think he's just another yibbering idiot.
22:36 < maaku> gmaxwell: i don't mean to imply anything negative. CodeShark just asked earlier if anyone is working on a server-less joiner
22:36 <@gmaxwell> ah!
22:38 < andytoshi> maaku, gmaxwell: i agree with gmaxwell's opinion of my joiner, i'm glad it's usable but it's mostly a way for me to learn rust
22:46 < maaku> it's good work andytoshi, and better to have something working than the perfect unimplemented whiteboard design
22:46 < maaku> my weakness is that I spend too much time on the latter (see: freimarkets)
23:23 < nanotube> ;;alias add cjs web fetch https://www.wpsoftware.net/coinjoin/status.php
23:23 < gribble> The operation succeeded.
23:23 < nanotube> ;;cjs
23:23 < gribble> Error: This url is not on the whitelist.
23:23 < nanotube> >_>
23:23 < nanotube> just a sec lol
23:23 < Luke-Jr> lol
23:24 < nanotube> ;;cjs
23:24 < gribble> There is no currently open session.
23:24 < nanotube> there :P
23:24 < nanotube> ;;alias add coinjoinstatus cjs
23:24 < gribble> The operation succeeded.
23:24 < nanotube> for those who prefer a more verbose command. :)
23:24 <@gmaxwell> nanotube: hurrah
23:25 < andytoshi> nanotube: can we make ;;cjs fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63 go to status.php?session=fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
23:25 < andytoshi> ?
23:26 < andytoshi> also, thanks! :)
23:26 < nanotube> yes, technically speaking. :) question is, if session id is blank, will it still work?
23:26 < nanotube> ;; web fetch https://www.wpsoftware.net/coinjoin/status.php?session=
23:26 < gribble> There is no such session.
23:26 < andytoshi> nope, one moment..
23:26 < nanotube> ;; web fetch https://www.wpsoftware.net/coinjoin/status.php?session=fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
23:26 < gribble> This session is complete. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
23:27 < andytoshi> ;; web fetch https://www.wpsoftware.net/coinjoin/status.php?session=
23:27 < gribble> There is no currently open session.
23:27 < andytoshi> there we go
23:27 < nanotube> nice. :) i could do it either way, but it would be more trivially easy if empty sessionid defaulted to general query.
23:28 < andytoshi> yeah, this is probably the better behavior for when users put a blank session= anyway
23:28 <@gmaxwell> ;;cjs Halcon Capricorn
23:28 < gribble> Coinjoin Status: There is no such session.
23:28 <@gmaxwell> aww
23:28 < andytoshi> i've got a python script which converts to codewords, but not the other direction
23:29 < nanotube> ;;cjs fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
23:29 < gribble> Coinjoin Status: This session is complete. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
23:29 < nanotube> ;;cjs
23:29 < gribble> Coinjoin Status: There is no currently open session.
23:29 < andytoshi> :D
23:29 < nanotube> there we go. :)
23:29 < nanotube> ;;help cjs
23:29 < gribble> (cjs <an alias, 0 arguments>) -- Alias for "echo Coinjoin Status: [web fetch https://www.wpsoftware.net/coinjoin/status.php?session=@1]".
23:29 < nanotube> ;;cjs Halcon Capricorn
23:29 < gribble> Coinjoin Status: There is no such session.
23:29 < nanotube> heh
23:30 < nanotube> ;;sl halcon capricorn
23:30 < gribble> http://www.youtube.com/watch?v=DITktReXJpI | 4 Dic 2011 ... Horoscopo Maya 2012 KosmosErika HALCON, para los nacidos del 7 de ... CAPRICORN Horoscope for JANUARY 2014 - Karen Lustrupby
23:30 < nanotube> >_>
23:30 < andytoshi> right now this fd1d19 guy turns into "DIA sorot van 1071 JSOFC3IP Cornflower Electron PBX Ionosphere CSC EG&G MKNAOMI PBX Iris WWSP RSO MD5 USACIL JCE NSWC IACIS LEASAT Yukon GGL NAIA"
23:30 < andytoshi> so it should be a bit shorter :P
23:30 < nanotube> heh yea... but it is a pretty long string....
23:31 < andytoshi> so, the sessid is actually only 32 bits from /dev/urandom right now
23:31 < andytoshi> i just run it through sha256 :P
23:31 < andytoshi> it has lots of room to go shorter
23:31 < nanotube> ah good old sha2
23:34 <@gmaxwell> making the small big and the big small since 2001.
23:35 < andytoshi> ok, future sessions will use 8 bytes of randomness and output the first 16 chars of the hash
23:35 < andytoshi> that translates to 7-8 words, which looks good
23:35 < andytoshi> [username@titanic spookwords]$ ./main.py fd1d19c88eaa675d
23:35 < andytoshi> FID DDP Embassy Bluebird GEO Canine 1911
--- Log closed Mon Dec 23 00:00:19 2013
--- Log opened Mon Dec 23 00:00:19 2013
02:16 < andytoshi> ;;cjs fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
02:16 < gribble> Coinjoin Status: Session Delta USAFA SAMU SIGS DCSS spook RRF LASINT CFC spookwords NSDM Uziel NRO PLO MSNBC JPL plutonium FINCEN JANET Fortezza ESN SATKA toffee eavesdropping fissionable : completed. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
02:17 < andytoshi> ;;cjs Delta USAFA SAMU SIGS DCSS spook RRF LASINT CFC spookwords NSDM Uziel NRO PLO MSNBC JPL plutonium FINCEN JANET Fortezza ESN SATKA toffee eavesdropping fissionable
02:17 < gribble> Coinjoin Status: Session Delta USAFA SAMU SIGS DCSS spook RRF LASINT CFC spookwords NSDM Uziel NRO PLO MSNBC JPL plutonium FINCEN JANET Fortezza ESN SATKA toffee eavesdropping fissionable : completed. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
03:14 <@gmaxwell> hahahah
03:16 <@gmaxwell> ;;cjs
03:16 < gribble> Coinjoin Status: There is no currently open session.
03:42 < maaku> why is JPL a scary word? :P
03:47 <@gmaxwell> maaku: the spookwords lists have a whole bunch of generic military-industrial-complex keywords. ... someone's idea of unusual words that in the early 90s might have triggered some government keyword filter, at least in the busy imagination of some cryptoanarchist.
03:48 <@gmaxwell> (and, well, probably in reality too at least for some of the words)
03:49 < CodeShark> gmaxwell: were you able to install boost_log? :)
03:49 <@gmaxwell> CodeShark: s'not yet. I figured I'd upgrade fedora and got as far as downloading it. :)
03:50 < CodeShark> well, in the worst of cases you can just ./b2 --with-log :)
03:52 < Emcy> what am i reading
07:50 < adam3us> petertodd, gmaxwell: sender derived address/code and stealth-addr write up on my older thread (still to locate bytecodes to link) feel free to correct https://bitcointalk.org/index.php?topic=317835.new#new
10:08 < petertodd> ;;cjs
10:08 < gribble> Coinjoin Status: There is no currently open session.
10:33 < andytoshi> petertodd, gmaxwell: if you throw a tx into the joiner it'll trigger a new session
13:21 < gmaxwell> helo: The payouts to the pool itself are generated, the payouts to the users would be instant spendable.
13:21 < maaku_> our current approach (for freimarkets, freicoin we screwed up) is to have the block height indicate the hard-fork transaction format
13:21 < gmaxwell> (I think doing coinbase payments in such a model would add a lot of complexity for not a ton of data)
13:21 < petertodd> gmaxwell: (U)TXO commitments should be structured such that multiple low-bandwidth parties can create a block co-operatively. Shouldn't be too hard to pull off in a trusted scenario, harder in untrusted. (though could be fidelity bonded)
13:22 < maaku_> which is somewhat undesirable around the transition, although that is one-time and can be mitigated by creating new-format transactions early
13:22 < petertodd> maaku_: that's reasonable, although remember that you can do a nVersion voted hardfork too
13:27 < jtimon_> kind of off-topic, but now that you're talking about coinbase...nVersion=2 of joke I think I heard here
13:29 < jtimon_> The success of coinbase surprises me given that their transactions take 100 blocks to confirm. That latency surprises me even more given that they use mongoDB, whose writes are almost as fast as writes to /dev/null
13:31 < jtimon_> just a mix of jokes really
13:31 < petertodd> jtimon_: well, that was more funny than the comedian they hired for the san jose conference
13:31 < jtimon_> hehe
13:31 < jtimon_> I saw him a little bit, but yeah, not funny at all, I couldn't watch the whole video
13:31 < gmaxwell> jtimon_: I think it's because they have to send their transactions all the way to blockchain in the UK for processing.
13:32 < jtimon_> hehe
13:32 < petertodd> gmaxwell: these services need a little <hex> button that gives you the raw hex of your tx
13:35 < gmaxwell> petertodd: We got blockchain.info to add that. (well not a button but a ?format=hex on the transaction page)
13:35 < petertodd> gmaxwell: nice!
15:00 < orperelman> Jtimon & Peter, it's all about the PR and marketing, one of the reasons they are so successful, they are doing an amazing PR work - gotta give them that
15:01 < orperelman> It's amazing me to this day  - there is almost no normal wallet out there today that I can recommend to new bitcoin users heh
15:45 < adam3us> gmaxwell: proof of (holding) bitcoin - (for bandwidth allocation in bitmessage etc) but with 100btc i can take 100 shares of bandwidth at no cost (if i was holding them anyway).
15:46 < adam3us> gmaxwell: "as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out." don't object to backing out (say NO to block-chain spam!), but what are they saying missing context?
16:17 < adam3us> gmaxwell: ps still musing about how to do a subliminal channel free sig (motivated by such things).  one thing wondering is the existing possibility to make a ECDSA key that can sig that is valid for two different msg hashes (by choosing public key at time one msg is known). thinking it might be enuf flexibility to do something
16:37 < gmaxwell> adam3us: there have been a number of articles about how bitcoin has been "upgraded" to enable "distributed storage" and such horrifying things like that.
16:40 < adam3us> gmaxwell: ah yes.  it's a scary situation indeed.  the flip side is there are then people who will stego encode then in multisigs if you don't, and create needless non-compactable TXOs and on.  Can't win:(  well maybe... there's the subliminal channel plugging drive - could try how far you can get with that.  eg all outputs are blinded somehow by the next mining event and unblinded by recipient or inputs blinded by spender and unblinded by mi
16:41 < gmaxwell> adam3us: thats why I didn't oppose it initially. Though the trade off of people thinking it is a good non-antisocial and supported application is concerning.
16:41 < gmaxwell> Esp what happens if abusive use arises and it must be turned back, but there is also non-abusive use?
16:41 < adam3us> gmaxwell: pegged side-chain, pegged side-chain, pegged side-chain
16:42 < gmaxwell> I mean there is a whole separate stupid altcoin "datacoin"
16:43 < adam3us> gmaxwell: seriously.  if that can be bootstrapped there is no rational excuse for not using one.  i mean maybe we'll need a pegged-side-chain-gen.io because of lameness but otherwise...
16:45 < adam3us> gmaxwell: yes it seems like the msg was interpreted badly as a big GREEN light, that people can do any random stuff like its an API, or I dunno "HTTP on top of TCP"
18:13 < gmaxwell> andytoshi: I wonder in a public CJ server if there would be a value in using a socialist millionaire protocol so that a prospective CJ player could query the available sessions to test for an output size match, without disclosing what size they're looking for (and without learning what any of the ongoing sizes is)
18:17 < andytoshi> gmaxwell: what would they learn in the case that a match exists?
18:18 < andytoshi> it seems like they could get a good idea of the sessions just by testing various output values to see if they can join
18:18 < gmaxwell> andytoshi: you can limit them by making them show you inputs they're interested in using as a rate limiter.
18:19 < andytoshi> ok, fair enough
18:20 < andytoshi> i'll put this on my list of "things to do when we have enough people for more than one session at once" :)
18:20 < gmaxwell> I mean ultimately what you can do is a multiparty computation where the server has a list of possible CJ's and the user has a set of inputs/outputs they're interested in and the MPC tells the user and the server which one they ought to be joining and no one learns anything beyond that... but thats getting into moon technology where socialist millionaire protocol is straightforward.
18:20 < andytoshi> well, if it's tractable moon technology then i'll look into using it one of these days ..
18:21 < andytoshi> i am being selfish and using other peoples' privacy desires for my own learning purposes
18:23 < andytoshi> if i can get my bitcoind back to life i'll have a coinjoin client written by sunday evening, then this week we'll see if i can spur some popularity
18:23 < gmaxwell> It's not intractable, but not a 1 hour hack either.
18:31 < gmaxwell> there may be a 'simple' way to implement it where the server and the client disclose a bunch of fake data about the candidate joins and inputs/outputs (including the real data), and then the server and the client compute which would go with which, and then you do a far simpler multiparty computation just to learn a single one of matchups which involve real transactions.
18:32 < gmaxwell> (lets you keep the coinjoin matching outside of the multiparty computation.. the multiparty computation would just be "take two bitstrings, return a random index which has a 1 in both bitstrings"
18:32 < gmaxwell> )
18:44 < maaku> gmaxwell: would there be a chance at analogous technology for the p2p case?
18:45 < maaku> for my architecture I'm still assuming a broadcast architecture for requesting potential joins
18:46 < maaku> which isn't as privacy enhancing as I would like...
18:48 < gmaxwell> maaku: nothing fundamentally prevents it, e.g. you could do multiparty computation with any number of parties. Though I think the complexity of hacks like I suggested to keep the mpc part maximally simple would not scale well.
19:21 < jgarzik> New torrent, http://gtf.org/garzik/bitcoin/bootstrap.dat.torrent
19:21 < gmaxwell> maaku: fwiw, you can do a very easy implementation of socialist millionaire using only blind signing.
19:23 < gmaxwell> maaku: you have a database you'd like me to check for matches in. You sign each entry and give me the signatures. I learn nothing useful from this.  Then when I want to see if X is in the database, I blind X and ask you to sign it. You learn nothing about X. Then I unblind and can see if it was in your list.
19:34 < Emcy> jgarzik do you have the previous 2 or 3 bootstrap torrents you made anywhere?
19:34 < gmaxwell> maaku: though I think until someone works out what an 'optimal' CJ decision looks like, it's hard to reason about what it would take for some magical private process to generate them.
19:34 < Emcy> it occurs to me i can seed them all from the same file
19:39 < Emcy> well actually ive got 3, 4.5gb, 9gb and this new 13gb
19:39 < Emcy> i think thats all of them right
19:41 < maaku> gmaxwell: what do you mean by 'optimal coinjoin decision'?
19:56 < jgarzik> Emcy, sf.net/projects/bitcoin has current; above is current+1
19:58 < Emcy> huh?
19:58 < Emcy> thats the bitcoin client
19:58 < gmaxwell> maaku: I mean, say given a set of transactions, which participants will not gain any privacy under an assumption that the attacker understands coinjoins and are unraveling them based on the assumption that users_inputs==users_outputs?
22:18 < gmaxwell> oh. I think I just reduced the complexity of my trivial NIZK proof to O(N) without substantially increasing the complexity of it, though by adding a discrete log hardness assumption.
22:19 < gmaxwell> The point I'd made at the end is that you could remove the N^2 by using an xor-homomorphic commitment as that would allow you to just combine the gate key commitments directly.
22:23 < gmaxwell> But really the xor-homomorphic commitment only needs to be xor-homomorphic for a single bit, which means straight up additive homomorphism over any field should work. E.g. the commitment can be X*g in some EC group.
23:38 < gmaxwell> Oh, interesting. I can get a simpler CoinSwap protocol if prior to any transactions, one party proves to the other H(X),H(Y),X xor Y for some undisclosed X,Y  in other words, having this proof in hand you know that if you know the preimage of H(X) then you also know the preimage of H(Y).
23:39 < gmaxwell> I think I can do a proof for H(X),H(Y),X^Y with sha256 under 40 megabytes now.
00:54 < amiller> because if you bind the new transactions after the reward it makes converging to a singe block less likely
01:03 < amiller> so i need to have a commitment to some transactions before the work
01:04 < amiller> so that a winning proof of work can be counted as a vote for at most one block
01:04 < amiller> but!!!
01:05 < amiller> the whole stealable/non-outsourceable thing can work if revealing the transactions is optional
01:07 < amiller> agh i guess if one's bad for consensus then the other is too
01:07 < amiller> actually i think it doesn't matter in either case
01:08 < amiller> nevermind
01:09 < gmaxwell> MAGNETS!
01:11 < amiller> anyway tl;dr is that the current way proof-of-work is revealed poses an existential threat to bitcoin because it makes outsourcing effective which leads to decentralized
01:11 < amiller> (which starts with d and that rhymes with p and that stands for pool)
01:11 < amiller> lkasdjflkadjsf
01:12 < amiller> and the main fix is to make it so the proof-of-work is like a digital signature, it doesn't reveal the solution
01:13 < gmaxwell> I am not following. it's already like that.  E.g. if I give you a block header you do not have a solved block.
01:14 < gmaxwell> obviously I can make you give me a solved block but likewise for a digital signature.
01:14 < amiller> no not like that
01:15 < amiller> in order to prevent the outsourcing bogeyman, you need to be able to claim the reward (get your block accepted) without revealing anything about the solution you found
01:15 < amiller> even if it's just the nonce and extranonce
01:15 < amiller> i can pick a random prefix of nonce/extranonce and use that as a watermark
01:16 < gmaxwell> right you want a signature of knowledge over a valid solution.
01:16 < gmaxwell> which is created posthoc but can't be rebound otherwise.
01:16 < amiller> right
01:17 < gmaxwell> "I have a valid block, and I am bob. Accept my might!"
01:17 < amiller> yeah!
01:17 < gmaxwell> this is also perhaps useful for anti-censorship.
01:19 < gmaxwell> (other miners could still demand other signatures of knowledge e.g. prove your solution doesn't include blacklisted txn before we mine on it)
01:19 < gmaxwell> one problem is that you couldn't mine any more transactions until that SoK block is revealed.
01:19 < amiller> yeah so
01:19 < amiller> i think it's not like you just get your block accepted
01:20 < amiller> and reveal the tx at any point
01:20 < amiller> it's basically you have a choice
01:20 < amiller> you either reveal the transactions
01:20 < amiller> or you have your block mined as an 'empty' block
01:20 < gmaxwell> or steal the generated coin!
01:20 < gmaxwell> ohhh thats cool, except it doesn't work if most of the generated coin is fees.
01:20 < amiller> this means that someone who hears about your block can pretend they didn't get the txs and just mine on top of it
01:21 < amiller> i think even that's fine too
01:21 < amiller> like
01:21 < amiller> the point is to give as much flexibility as possible
01:21 < gmaxwell> (thats, unfortunately, pro-censorship)
01:21 < gmaxwell> amiller: yea but it would be superior if you could still steal the fees.
01:21 < amiller> it's only pro censorship for one block
01:21 < amiller> yeah so the point is
01:21 < amiller> to make the outsource server capable of thievery
01:21 < amiller> it has to be able to steal as much as possible while omitting any detectable watermark
01:22 < amiller> so if it's confident that the fees are public
01:22 < gmaxwell> oh so you have to hide the txn for that. I see.
01:22 < amiller> then they're not watermarks
01:22 < amiller> so really the point is just to allow it to hide as much as it wants
01:23 < gmaxwell> oh thats an interesting point. E.g. it could show some txn, and get the fees on those, but hide other potentially watermarking txn.
01:23 < gmaxwell> I think you can prevent a later miner for censoring.
01:23 < amiller> if you're honest you can prevent later miners from censoring you
01:23 < amiller> by only signing one set of transactions after the fact
01:24 < amiller> you could also sign two equivocating sets of transactions and try to split the network
01:24 < amiller> but it wouldn't really have much effect
01:25 < gmaxwell> Maybe there is a way to prevent a third party from gutting a block without producing a watermark.
01:25 < amiller> that's definitely prevented
01:26 < amiller> if you are honest and publish only one set of tx's along with your pow, no third party can create a second set of tx
01:26 < amiller> because the pow still involves a secret that only you know and that you use to sign the txs
01:26 < gmaxwell> gotcha okay.
01:36 < amiller> so, yeah
01:36 < amiller> this can be done pretty easily with discrete log group things
01:37 < amiller> y = g^x  can be used as a hash function
01:38 < amiller> you can check that y is in an arbitrarily small subset of the group, zeros in front and everything
01:39 < amiller> ah, hm, i need to hash the previous block in there too
01:42 < amiller> i'll work it out, i don't think it will be complicated, but it would be simultaneously a signature and proof of work
02:37 < Luke-Jr> gmaxwell: I wonder if anyone has conceived of an imaginary/fictional primary colour before; Google doesn't seem to turn up anything
02:37 < gmaxwell> you mean like a super intelligent shade of blue?
02:38 < gmaxwell> http://en.wikipedia.org/wiki/List_of_races_and_species_in_The_Hitchhiker%27s_Guide_to_the_Galaxy#Hooloovoo
02:39 < gmaxwell> Luke-Jr: there are actual extra-spectral colors, which I'm not sure if that qualifies what you're looking for since they're "real" :)
02:40 < Luke-Jr> gmaxwell: like a colour that cannot be represented with real colours
02:40 < Luke-Jr> yes, those are too real :P
02:41 < gmaxwell> I suppose that you can actually have complex wavelengths as solutions to wave equations, but they're just phase shifts of other colors.
02:42 < Luke-Jr> I'm thinking more along the lines of something beyond what we can conceive of in our mind, but can understand the theory maybe.
02:43 < gmaxwell> well thats why I was thinking of complex wavelength... something where the math worked out but it didn't really make any sense.
02:44 < Luke-Jr> if the math works out, it makes sense :P
02:45 < gmaxwell> But if you don't have _some_ constraint then you are free to say anything, and end up with super intelligent blue or the like.. which isn't all that satisfying.
02:45 < Luke-Jr> depends on the goal.
02:47 < gmaxwell> You end up with something like  Feltrabl a highly controlled and secret color used by Tristero's Empire conspiracy to mark rubbish bins for special collection by their agents as part of their secret message relay network.
03:01 < petertodd> Luke-Jr: Fictional primary color? That's easy, long red. (actually an exercise in a science of color class I took to consider the ramifications of sight if we had a cone that could sense infrared)
03:05 < gmaxwell> I have some marks on my arm that prove that I can sense infrared!
03:05 < petertodd> lol
03:05 < petertodd> ...but only once per eye.
03:05 < gmaxwell> nah, I've got lots of square cm of skin to turn to plasma.
03:06 < petertodd> Sheesh, and I thought I was playing it dangerous with the 1W or whatever it was blue diode laser I was using to make cave formations glow-in-the-dark at Christmas...
03:07 < petertodd> What were you doing with IR lasers anyway? I thought you did light shows...
03:08 < gmaxwell> petertodd: most cost effective way to get lots of green light used to be to frequency double the 1064 nm output of an arclamp pumped NdYAG laser.
03:08 < petertodd> Ah
03:08 < gmaxwell> (and still pretty much is, but they're laser diode pumped now)
03:10 < gmaxwell> because the conversion process is non-linear its much more efficient the higher your peak power is, so not only IR lasers, but ones which are q-switched: microsecond long pulses at 10KHz packing an _average_ power of many watts.
03:10 < petertodd> ...damn....
03:10 < gmaxwell> While realigning one of my lasers I caused some ESD that made the qswitch trigger and got a dump with a peak power output of probably >100kw that grazed my arm, ... also exploded the optics.
03:11 < gmaxwell> BANG.
03:11 < petertodd> Heh, reminds me: I got a chance to visit a laser lab some years back - my arts school had a holography course for decades - and they had some insane 1nS pulsed laser or something in the visible spectrum. Kinda insane to see that flash.
03:12 < gmaxwell> I was always terrified by that thing, even with the qswitch open the continuous IR circulating beam in the resonator was probably about 300 watts.
03:12 < petertodd> nuts - should have worn the ESD handcuffs!
03:13 < gmaxwell> and it wouldn't lase with the arclamp turned down too far... maybe I could get the IR down to 10w while working on it, which still will burn you quickly, and blind you instantly.
03:13 < gmaxwell> (obviously I used IR safety goggles)
03:13 < petertodd> That's obvious because I know first hand that you can see.
03:13 < gmaxwell> In florida ESD was almost never an issue due to high humidity
03:14 < petertodd> hah, very true, not so true here...
03:14 < petertodd> We grudgingly have those ESD mats all over the place at work, although I've only used the wrist straps a handful of times.
03:22 < petertodd> gmaxwell: You could have done worse though: http://www.ncbi.nlm.nih.gov/pubmed/9510099
03:24 < gmaxwell> the @#$@$#@$
03:24 < gmaxwell> crazy!
03:25 < petertodd> Heh, my brother's got a few tattoos from the chain of his mountain bike, but that takes the cake...
03:26 < gmaxwell> Nah, I have a tiny scar where a bit of tissue was removed and instantly cauterized. May have even been from a reflection as the optics exploded and not the main beam itself.
03:26 < petertodd> Ha, yeah, depends so much on exactly what happened too; the energy could have easily been absorbed by the smoke emitted.
23:15 < amiller> i've been wanting to meet him for like 2 yrs and somehow convince him that proof-of-work based consensus is not inherently wasteful or inferior to designated identities
23:17 < gmaxwell> did he set you on fire and throw you out a window?
23:18 < amiller> no but it didn't go as well as i hoped anyway
23:18 < amiller> we kinda rambled at each other for a while
23:19 < amiller> he thinks during the conversation he came up with a great improvement that resembles proof-of-stake a bit
23:20 < amiller> an interesting (imo) line of thought came out of it though, which is that any spending on "defense" always appears as waste if it's spent to defend against an attacker that has no plausible chance of existing
23:21 < amiller> paranoid spending
23:21 < petertodd> ...yet we still have nuclear subs...
23:21 < petertodd> makes sure the attacker doesn't exist because they take one look at it and say "why try?"
23:23 < amiller> if someone comes to you with a proposal for building a defensive forcefield, there's only a few ways to go about good deciding
23:24 < amiller> i guess it helps if everyone can agree on what kinds of attacks we should defend against or deter
23:24 < petertodd> I prefer to think about it in terms of the value asymmetry: in bitcoin an attack can spend much less than the total value of the currency to destroy it.
23:26 < petertodd> or in short, attack money is probably fungible
23:29 < amiller> in bitcoin's steady state, however the fees work out, the total amount of fees collected (funds raised) basically equals the amount of mining power expended on defending against bitcoin's particular 51% attacker
23:30 < petertodd> well, that's actually my key point: the fees may work out, but that's all you've got - it's hard to just spend more fees or something to defend against a previous unknown attacker
23:30 < amiller> so it's a sound/efficient system if it's basically a good way to in a decentralized way decide how much to spend on defense and how to decide who pays what
23:31 < petertodd> well see I'm mainly thinking in comparison to proof-of-sacrifice blockchains, which can be arranged in such a way that you sacrifice what funds you have left to stop the attacker - but they need an underlying proof-of-work to actually work...
23:32 < amiller> so what does it mean to choose an attack model by consensus
23:32 < amiller> basically everyone gets to have their own bogeyman
23:32 < petertodd> for me it's aliens
23:32 < amiller> and when it's done correctly the attacker likely won't even show up
23:32 < amiller> well aliens are far away so you can use my new overwhelmingly-powerful-but-distant-attacker proof of work model
23:32 < petertodd> for my brother it's fear that all his efforts towards preventing an attack will prove to be wasted against a phantom threat...
23:33 < petertodd> lol
23:33 < amiller> that's so tricky
23:33 < amiller> because you never get a good signal that you're wrong in that case
23:33 < petertodd> heh
23:33 < amiller> maybe leaving some cheap coins around as a decoy is a good principle?
23:34 < petertodd> interestingly I was talking to peter vesessenes the other day about changing the proof-of-work function, and he had been convinced that the option needs to be on the table and planned for
23:34 < petertodd> good indication of the social environment around btc
23:34 < amiller> yeah
23:35 < petertodd> he's right though in a way: the biggest strength is that bitcoin can fundamentally change what it is to adapt
23:35 < amiller> well lets see how the community handles fragmentation and dozens of these cryptocoins as well
23:36 < petertodd> heh, hence having a entity named "the foundation"...
23:46 < amiller> i have a contradiction in even my really simple model
23:46 < amiller> i'm not really sure what to make of this, even intuitively
23:46 < amiller> here's the problem, i think of bitcoin as a protocol for synchronous networks
23:47 < amiller> the proof sketch in the satoshi whitepaper essentially assumes that blocks are broadcast immediately
23:48 < amiller> and there's no trouble carrying that through with some maximum delay, but that delay certainly has to be *known* and set globally as a parameter
23:49 < amiller> the problem is that given this assumption, it seems like it's possible to get security against even an arbitrary >50% attacker
23:50 < amiller> the reason why is that if you imagine that every honest node is able to broadcast, and also that somehow stale/parallel/fork blocks get included in every chain in a specially marked 'wastebin' pile or whatever,
23:51 < amiller> then you could also change the best block rule to ignore blocks you haven't heard about from a while ago
23:52 < amiller> or to put it another way, bitcoin is really lenient about time when picking the largest chain, which is good because it makes it tolerant to longer partitions
23:53 < gmaxwell> yea, means a modest intercontinental partition doesn't just end the currency, even absent an attacker other than ActOfGod.
23:54 < amiller> it does basically require shutting down service though
23:55 < amiller> i mean, an intercontinental partition is still really harmful, especially if the attacker is better connected
23:55 < amiller> even eclipse-attacking an individual node is pretty bad
23:58 < amiller> how to reason something that's half-in and half-out of the attack model
--- Log closed Mon Aug 19 00:00:20 2013
--- Log opened Mon Aug 19 00:00:20 2013
01:59 < gmaxwell> https://bitcointalk.org/index.php?topic=277389.0
01:59 < gmaxwell> "Really Really ultimate blockchain compression: CoinWitness"
12:14 < realazthat> mmmm
--- Log closed Tue Aug 20 00:00:24 2013
--- Log opened Tue Aug 20 00:00:24 2013
08:02 < gmaxwell> Hey everybody, Tonal bitcoin is a more likely reality than you might expect!
08:03 < gmaxwell> https://bitcointalk.org/index.php?topic=278122.0 "CoinCovenants using SCIP signatures, an amusingly bad idea."
08:03 < gmaxwell> Luke-Jr: I think it would be super awesome if you'd reply to that with a "finally I've found a way to move everyone to tonal!"
08:04 < gmaxwell> (e.g. by constraining txouts never be round decimal values, and requiring higher transaction fees if the numbers are not round tonal values)
08:06 < petertodd> gmaxwell: that's exactly what I was doing here: http://permalink.gmane.org/gmane.comp.bitcoin.devel/2612
08:06 < Luke-Jr> might not be politically wise right now :p
08:06 < petertodd> Luke-Jr: 0.1BTC if you do
08:06 < Luke-Jr> petertodd: lol
08:06 < Luke-Jr> has anyone suggested SCIP scripts to blind the inputs?
08:06 < petertodd> might not be politically wise right now :p
08:07 < Luke-Jr> eg, have the public info just be a UTXO set hash, and have the SCIP script verify the secret transaction inputs are part of it
08:07 < petertodd> yeah, could work... gmaxwell said 144 minutes for what, ~100 instructions? That's plenty to evaluate the merkle tree
08:07 < gmaxwell> Luke-Jr: you need to remove the utxos from the set though.
08:08 < petertodd> oh, right...
08:08 < Luke-Jr> ah
08:09 < gmaxwell> you certainly can do things like input blinding though, just not quite so directly.
08:09 < petertodd> yeah, the timestamping oracle is a good mechanism, and it'd be a wonderful way of forcing authorities to make public services like timestampers lie
08:10 < gmaxwell> petertodd: so yea, one "problem" with this SCIP stuff is that even if you introduce it as a script feature in its _MOST_ limited form, it is insanely powerful, even including power we'd probably choose to not offer.
08:10 < petertodd> vessenes did bring up the issue of allowing people to restrict their transactions to meet local regulations... which SCIP would be just ducky for
08:11 < gmaxwell> e.g. we would probably not want to make scripts able to go do a bunch of math on the nlocktime of their containing transaction. But any SCIP signature system would have to be able to be used to perform general computation on anything it was signing.
08:11 < gmaxwell> petertodd: well the regulations are almost never a function, ... and when they are they are usually wrong headed.
08:11 < petertodd> which means they either have access to nlocktime or don't
08:11 < petertodd> *maybe* you could add a special purpose opcode, but...
08:12 < gmaxwell> could you imagine CoinCovenant viruses?   haxers break in, they don't steal their coin. They encumber them so you have to include a "I LOVE GNAA" OP_RETURN txout in every transaction.
08:13 < petertodd> ha, lovely
08:13 < gmaxwell> fortunately scripts don't pass through to fees... :P
08:13 < gmaxwell> (and SCIP can't extend them there)
08:13 < petertodd> I've been thinking about posting high-value partially signed tx's with, stuff in them
08:13 < petertodd> actually, I posted one to bitcointalk, and no-one has found it yet
08:14 < petertodd> gmaxwell: in practice it can: anyone-can-spend-except-for-gnaa outputs
11:42 < realazthat> lol
11:48 < gmaxwell> I'm sad, iddo didn't give a terrible example. EmperorBob made up for it.
11:49 < petertodd> oh, so rick-roll was a good idea? cool
11:49 < gmaxwell> the snowballing taint is pretty awesome. It's like cancer, it has a moral imperative to grow!
12:32 < gmaxwell> petertodd: I powered up EmperorBob's spamcoin.
12:33 < petertodd> ?
12:34 < gmaxwell> - Smashcoin:  Any spend of a coin with this covenant must retain the covenant and provide proof of an attack on an alternative cryptocurrency. (e.g. SPV proof of bloating some other cryptocoin's UTXO, or mining multiple blocks at the same height (with some committed data))
12:34 < gmaxwell> (In particular, if it required that there be no payee at all beyond the covenant for one of its outputs. ... and it becomes a self-administering bounty for attacking something else 0_o spooky. Fortunately most attacks are not cryptographically provable)
12:34 < petertodd> Ha, lovely
12:35 < petertodd> I'll refrain from posting about my genocide coin...
14:31 < adam3us> gmaxwell: (not saying its not a problem, just that maybe we currently have a close to analogous problem)
14:32 < gmaxwell> adam3us: yes because it results in a natural way to rate limit their activity. They have to spend their coins to do it. Perhaps I've forgotten your proposal, but I thought you could create invalid transactions and no one could tell that they weren't valid.
14:32 < adam3us> anyway blind sigs between committed tx spends for payee anonymity - thats neat, i have to think what else can come out of that plus homomorphic value; also there is another (big) homomorphic value tweak i need to work on
14:32 < adam3us> gmaxwell: yes that is true, however there were clear text fees
14:33 < gmaxwell> adam3us: how can cleartext fees work if the public doesn't know what coin is being spent?
14:34 < adam3us> the fee has to be from some clean coins.. not ideal but the miner can not see the coins so necessary
14:34 < jtimon> ok, it wasn't what I thought it was, but I think I understand now
14:36 < jtimon> it's like putting hashes of transactions in the chain, and not reveal the actual transaction until it is sufficiently buried
14:37 < jtimon> but what if the dishonest miner doesn't want to include the "revealed transaction"?
14:37 < gmaxwell> adam3us: the other issue with it is that the privacy was very brittle. If you receive a coin from someone you must be able to decrypt the whole history to know its valid.
14:38 < adam3us> jtimon: in many senses the transaction already happened, revealing it is just to reduce utxo
14:38 < jtimon> but the "revelation" must get into the chain too, no?
14:38 < adam3us> gmaxwell: yes.  its not so much private as non-public
14:39 < adam3us> jtimon: its optional, they can be respent in committed form indefinitely
14:39 < jtimon> adam3us, no as gmaxwell says, you need the whole history public to be sure it's valid
14:40 < gmaxwell> not quite.
14:40 < gmaxwell> jtimon: it has to be known by people accepting the coins.
14:40 < adam3us> gmaxwell: when the trail grows long privacy becomes quite weak, so i think its more like ensuring peers can choose policy of who to accept transactions for
14:40 < gmaxwell> but then you get fungibility issues.
14:40 < jtimon> let's say the chain contains hidden(A->B)
14:41 < jtimon> now B wants to pay C, he shows C the reveal of A->B plus B->C and broadcasts hidden(B->C)
14:41 < adam3us> jtimon: yes
14:42 < jtimon> How can C know for sure that hidden(B->C2) and hidden(B->C3) aren't already in the chain?
14:43 < adam3us> jtimon: because a committed spend includes a hash of the address, so you can check that
14:43 < jtimon> if there's no public validation there's no guarantee against double-spend
14:43 < jtimon> of the source address B ?
14:43 < adam3us> yes
14:44 < gmaxwell> jtimon: no, not so. It's basically blinded.
14:44 < adam3us> and if the transaction is spent in non committed form, it reveals the public key so then anyone can compute the committed form hash, so both committed and non-committed forms can be double-spend protected
14:44 < jtimon> hidden(A->B) contains a hash of address B? I'm confused
14:45 < adam3us> jtimon: no hash of A
14:45 < adam3us> gmaxwell: yes its curious it seems like a symmetric form of blinding approximately
14:46 < jtimon> So, I'm C, you include hidden(B->C), how can I be sure that you haven't spent what you got from hidden(A->B) 5 times already?
14:46 < gmaxwell> jtimon: because when you recieve a hidden coin you must evaluate and unblind its whole history.
14:47 < adam3us> because it has to go to the chain in committed form, which reveals H(B)
14:47 < adam3us> sorry you said A->B, so rather it reveals H(A)
14:48 < maaku> gmaxwell: but where is the double-spend protection there?
14:48 < gmaxwell> maaku: in the recievers.
14:48 < jtimon> committed form == public form, non-committed form == in-chain but hidden form, right?
14:48 < maaku> i'm not following
14:48 < adam3us> jtimon: only back to the point of the last uncommitted spend
14:48 < maaku> i have my history, but how there aren't other alternate histories?
14:48 < adam3us> jtimon: uncommitted is normal bitcoin tx form
14:49 < jtimon> ok, uncommitted == public
14:49 < gmaxwell> maaku: because you know non-public data that lets you identify any spends of the coins you care about.
14:49 < maaku> gmaxwell: even though all the other histories are encrypted?
14:49 < adam3us> jtimon: basically you can sort of do a (committed/hidden) spend, then later convert that into a normal spend
14:49 < jtimon> can we follow the example please?
14:49 < gmaxwell> maaku: yes, because if you're accepting the coin you have the key.
14:49 < jtimon> I'm getting lost
14:50 < jtimon> A has its funds from a public tx
14:50 < adam3us> jtimon: it generated a long thread until everyone was convinced, its somehow counter-intuitive
14:50 < jtimon> A->B is in the chain in hidden form
14:50 < adam3us> ok
14:50 < gmaxwell> adam3us: he's asking about the case where you are d in a chain of hidden spends.   a->b b->c c->d  And he's confused about how you know that a->q didn't happen first.
14:51 < adam3us> gmaxwell, jtimon: so if a is spent, in committed or normal form, you see evidence of it on the chain
14:51 < gmaxwell> And, as far as I recall, the reason is if these are all non-public, you will know a's key so that you can see that a->b was the unique first spend of a.
14:51 < maaku> and the reason is that you get the key to a, so you can go back and decrypt all the transactions of the form "a -> ..." and make sure that "a -> b" is the first, right?
14:51 < adam3us> gmaxwell: so you demand sufficient info from the sender to validate that this did not happen
14:52 < adam3us> maaku: yes
14:52 < gmaxwell> maaku: right. You'll demand to know, as adam3us says.
14:52 < maaku> ok
14:52 < maaku> so it's basically encrypted mastercoin :\
14:52 < gmaxwell> maaku: yea, basically.
14:52 < adam3us> gmaxwell: yes, this is a trick that a normal signature includes the public key and so then anyone can correlate it with any previous committed versions of it
14:52 < adam3us> hey take it easy there.. i am not a mastercoin fan :|
14:53 < gmaxwell> maaku: but it doesn't invoke another currency. :P
14:53 < gmaxwell> though the there is fungibility break, a long chain coin is not as valuable as a public one.
14:53 < adam3us> gmaxwell: are the mastercoin guys on here?
14:54 < maaku> adam3us: no, I don't think so
14:54 < adam3us> i think petertodd is putting archives of this in the clear on amazon, so nothing too biting can be said
14:55 < adam3us> anyway my issues with mastercoin are funding model, not technical ideas
14:55 < maaku> meh, J.R. seems to take genuine technical objections pretty well
14:55 < petertodd> adam3us: only when requested - it's not something I've been doing regularly
14:55 < maaku> doesn't learn from the pointed out mistakes though, but that's a separate issue
14:56 < adam3us> maaku: i haven't made any technical comments about msc, i'm just commenting on the funding model
15:03 < gmaxwell> in any case, adam3us's proposal becomes potentially more interesting if the network can validate a ZKP of a transcript of a validation of his coin scheme.
15:03 < adam3us> so what about this p2p blind sig on the coin transfer idea
15:03 < gmaxwell> as it would allow you to reemerge and make public a coin without making the keys public.
15:04 < adam3us> gmaxwell: SCIP/SNARK for the encrypted history? wowsers the inefficiency of that :)
15:05 < gmaxwell> adam3us: right. SCIP a validation of the encrypted history to emerge the coin in zero knowledge  ... and yea, costly, but the validation is fast, so the public part wouldn't be an issue.
15:05 < adam3us> i think the p2p blind sig on transactions could achieve something committed coin similar but on normal transactions, payee anonymity
15:05 < adam3us> gmaxwell: wouldnt it be big?
15:06 < TD> proofs are small
15:06 < adam3us> gmaxwell: i dont know in my head it just seems like its a compiler for what you could do manually with generalized fiat-shamir transform of cut & choose repeated on a program, plus all the systematizable optimizations
15:06 < TD> an OP_SCIP would not be unthinkable
15:06 < adam3us> gmaxwell: and i cant see that being very compact somehow
15:07 < gmaxwell> adam3us: no, the proofs are small (they are not proportional in size to the program). Authoring the proofs is painful.
15:07 < adam3us> gmaxwell, TD: ok that could quite be interesting & powerful as a building block
15:08 < TD> gmaxwell: it got a LOT better, apparently.
15:08 < TD> not sure if i'm allowed to discuss their latest performance results in public, or how that works, etiquette wise
15:09 < adam3us> gmaxwell: eg hal finney made a presentation of what it took to prove a SHA1 hash in zkp it did not look pretty, they must've made some new insight
15:09 < TD> yes they did
15:09 < gmaxwell> adam3us: there has been a _lot_ of advancement here.
15:09 < jtimon> sorry guys, my laptop died
15:09 < adam3us> gmaxwell: ok, its interesting though because whatever they are doing is general - one could use it oneself manually, hand optimize it etc
15:10 < adam3us> gmaxwell: eg can it make a smaller homomorphic valued coin?
15:10 < jtimon> maaku can you paste me the conversation from "A->B is in the chain in hidden form" somewhere else?
15:10 < gmaxwell> adam3us: yea sure the compiler part is obviously never going to be as efficient as hand circuit optimization.
15:11 < gmaxwell> TD: well, so, they do have multiple backends on this stuff, the really compact thing is the knowledge of exponent pairing crypto stuff, and adam3us's skin will crawl at that. :P
15:11 < amiller> (this is totally irrelevant, but it irks me that eli ben sasson has gotten everyone to use SCIP as a generic name for this, SNARK is the generic name, SCIP is just the name of his particular project, his paper for scip is even titled SNARKS for C)
15:11 < TD> SNARK sounds dumb
13:01 < gmaxwell> But if we can use POW hashes to pick the subsets, I think we can make non-interactive require some multiple of the networks computing power to cheat.
13:01 < gmaxwell> And yea, absolutely I agree.
13:02 < gmaxwell> The non-interactive system is just a derandomization of the interactive one.
13:02 < petertodd> In fact, with SPV proofs for each txout, you can still have an interactive node sync from another interactive node I think - again, gotta think about the economics.
13:02 < petertodd> Oh, no, that doesn't work: can't stop the peer from removing a UTXO and not telling you.
13:03 < petertodd> Though it may be enough to use these challenges to determine if the delta-UTXO of some block of history is correct, meaning you don't actually need to get that whole block of history from a peer, just how it changed the UTXO set.
13:04 < gmaxwell> thats why I was talking about a committed utxo, since it makes the state transition implicit.
13:04 < petertodd> For sure, again, just thinking about doing a meaningful prototype prior to changing the protocol.
13:08 < gmaxwell> well I do think that unfortunately a random check of the past headers needs a protocol change.
13:08 < gmaxwell> because you can't tell if random headers are connected. :(
13:08 < gmaxwell> well no, I suppose you could ask a peer to commit to a hashtree over the past headers.. without having it in the protocol.
13:08 < gmaxwell> and if you catch them cheating you ban their ip.
13:16 < petertodd> Oh, I'm assuming you have all the headers first.
13:16 < petertodd> This is just to optimize getting the blocks themselves.
13:29 < petertodd> Hmm... the problem is if any 1 element in the UTXO set is either invalid, or missing, the attacker can fork you. The numbers just aren't going to work out for checking enough of the proof to be sure there isn't an invalid txout in there, other than getting copies of every tx for every txout in the set. The same applies to being sure that you aren't missing a txout.
13:29 < petertodd> With UTXO commitments it's another story, but without them I think it's hopeless.
13:31 < gmaxwell> The forking you isn't so bad.
13:31 < petertodd> How so?
13:32 < gmaxwell> ask the guy who gives you a block to prove any txo you can't prove for yourself.
13:33 < petertodd> But that leads to bandwidth forks - the proof of a txout is the tx, and that's far larger than the txout itself.
13:34 < gmaxwell> it's not just the tx, it's a spv fragment for the tx.. a lot larger, sadly.
13:35 < petertodd> For a small tx sure, but you could arrange for those tx's to be all MAX_BLOCK_SIZE large...
13:36 < gmaxwell> I'm agreeing with you. this is another reason that it blows that our tx format is not tree structured.
13:36 < petertodd> Yup
13:36 < gmaxwell> ideally the proof for an output should be log(blocks) hashes + log(txn in block) hashes + log(outputs in txn) hashes....
13:36 < gmaxwell> plus the output.
13:36 < petertodd> Yup
13:37 < gmaxwell> but instead it's block hashes + log(tx in block) hashes + the whole size of the transaction, which could be enormous.
13:38 < petertodd> Supposing it was though, you could pass around tx's and blocks with txout proofs relatively cheaply (k*~log() increase in bandwidth) and all nodes could start validating blocks fully fairly well.
13:40 < gmaxwell> petertodd: yea, would probably only triple transaction sizes, assuming max size blocks.
13:40 < petertodd> yup
13:43 < petertodd> Would work nicely with fraud proofing too, because a fraud proof for an invalid txin is just to point out that it's invalid.
17:50 < gmaxwell> amiller: so for pinocchio, you just have your transcript with steps*words memory, and you compute a hashtree over that.. and then the circuit satisfaction runs and just validates that every access is consistent with the transcript memory snapshot?
17:50 < amiller> yeah
17:50 < amiller> it's only a little different than tiny ram which doesn't use a merkle tree to represent ram, but it does do this weird sorting/routing thing which has almost the same effect
17:51 < gmaxwell> well kinda, the sorting is provably correct with non-deterministic advice, so it can be very minimal. Though how the efficiency ultimately plays out I dunno.
17:52 < amiller> it's kind of just an optimization of the write-to-merkle-tree-every-time
17:52 < amiller> like the tinyram begins empty and doesn't write back anything when it's finished
17:52 < amiller> so it's almost like a cache
18:03 < gmaxwell> I had a weird dream about these proof systems for software last night. Where someone had some new technique which was particularly powerful, and I went to go try to convince them to not let MIT patent it because they'd be typical licensing idiots and prevent everyone from using it. ... and then I got lost in mit. very weird.
18:10 < amiller> so i've studied the hell out of this recursive snark composition paper
18:10 < amiller> and i'm writing my own now
18:10 < amiller> they argue that their construction only works for constant-depth circuits
18:10 < amiller> which means it works for turing machines with a fixed polynomial bound
18:10 < amiller> on the number of steps
18:10 < gmaxwell> right.
18:10 < amiller> i claim that you can do it for unbounded length computation
18:11 < amiller> because you can build a fixpoint verifier
18:11 < gmaxwell> by nesting proofs?
18:11 < amiller> in either case you nest proofs
18:11 < gmaxwell> interesting.
18:11 < gmaxwell> oh I see, right nesting gets you the polynomial bound.
18:12 < gmaxwell> making the computation unbounded would be nice... having to precompute for different work sizes stinks.
18:12 < amiller> yes
18:13 < gmaxwell> (esp in the model where if the generator cheats it can produce false proofs, because you'd really want to only ever run root generator once since gaining confidence in it will be expensive)
18:14 < amiller> i can't figure out why they didn't do it this way in the recursive composition paper
18:15 < amiller> but i can describe my scheme really easily
18:15 < amiller> to start with the snark consists of a triple G,P,V
18:15 < amiller> G(k,C) takes a circuit C, security k, and outputs a verification key v
18:16 < amiller> prover P(C,x,w) takes a circuit C, input x, witness w, and outputs a proof p
18:16 < amiller> the circuit is a function C(x,w) -> {0,1}
18:16 < amiller> x and w are the combined inputs of the circuit but it's split into a part x that the client provides and a part w that the prover provides, think of the x as a blockhash and w as untrusted block data that gets checked during the circuit
18:17 < amiller> so the conciseness of a snark is that v is always constant regardless of the size of C, and so is p, and V takes constant time to run
18:17 < amiller> next part (two of three) is a constant step turing machine
18:17 < amiller> this is easy because i can represent the tapes of a turing machine as a hash chain
18:18 < amiller> so M(s0,s1,w) -> {0,1} returns 1 if s0 -> s1 is a single valid state transition
18:18 < amiller> s0 and s1 are digests of the turing machine state including the remainder of the tape to the left and to the right
18:18 < amiller> blank tapes have like the genesis digest 0000000 sentinel value
18:19 < amiller> w contains like one element of the tape, either the left or the right, so it's enough untrusted data to check one step
18:19 < amiller> okay so the final part is putting these together
18:19 < amiller> the trick is to build a circuit that contains the single step M and the verifier V, and it also takes a key v as its input
18:19 < amiller> and passes through
18:20 < amiller> so you can compile that whole circuit v* and pass v* as input and that's a fixpoint verifier
18:20 < amiller> so more specifically,
18:20 < amiller> i'll define M* as a circuit
18:21 < amiller> M*((s0,sF,vk),  (w1,p1,s1)) -> {0,1}
18:22 < amiller> M* returns 1 if   M(s0,s1,w1) and either V(vk, (s1,sF,vk), p1) or s1==sF
18:23 < amiller> i forgot to write the form of the verifier V earlier in part 1 about snarks, so it's V(vk, x, p) = 1 only if there's some witness w such that p = P(C, x, w)
18:24 < gmaxwell> yea, thats obvious enough, thats what the snarks prove.
18:24 < amiller> okay so that circuit is like a fixpoint operator
18:24 < amiller> v* = G(k, M*) gives you a special key
18:24 < amiller> that you can pass in
18:25 < amiller> so basically the final verify function is like V*(proof,s0,sF) = V(v*, (s0,sF,v*), proof)
18:25 < amiller> you use v* as the verification key, you also pass it through as input
18:25 < amiller> that's the whole damn thing, no troubles incurred.
18:26 < gmaxwell> But doesn't the verification key grow linearly with the depth instead of being constant?
18:27 < amiller> verification key is constant in the size of the circuit
18:28 < gmaxwell> oh I see, right. It's not N verification keys, it's a verification key of a circuit that includes a verifier for itself.
18:29 < amiller> it's a verification key of a circuit that includes a verifier for any verification key
18:35 < amiller> i'm beginning to understand the problem of extraction for security though
19:03 < amiller> this seems like a ridiculous technical detail.
20:28 < amiller> yeah this is frustrating, i think it's a crypto-definitions quirk more than anything practical
20:28 < amiller> the problem is that security for these snark things is defined using a non-black-box extractor
20:28 < amiller> the scheme is secure if an extractor exists
20:29 < amiller> if some adversary P' produces an untrusted proof, then the extractor is given non-black-box access to the code of P'
20:29 < amiller> and the extractor is supposed to produce the witness, and run in polynomial time relative to the time of P'
20:30 < amiller> so the problem is this definition composes really poorly
20:30 < amiller> because if P' altogether runs in time t
20:30 < amiller> then E(P') might run in time t^2 *just to give you the next-to-last proof*
16:07 < amiller> i still think it would be a lot easier to argue about whether any of these schemes are sufficient by first describing the ideal function of the ledger using zero knowledge
16:07 < adam3us> (from hashing)..
16:07 < gmaxwell> adam3us: then you'd have to know which utxo is which. (to prune) and the advantage of the snark emergence is that you don't have to ever disclose anything...
16:07 < maaku> hrm.. MMR double-spend db might work very well
16:08 < amiller> in a perfect world you'd learn nothing except that the transaction was valid, and the state could be updated by anyone without having to know anything else
16:08 < adam3us> gmaxwell: but if its an opaque blob, what's the damage to say yes this was my txin.
16:08 < adam3us> gmaxwell: if the entire chain was in hidden form
16:08 < gmaxwell> adam3us: because it disclosed where it came from and so you can build a transaction graph.
16:09 < amiller> i wonder if accumulators are the right thing because if you know x, you can prove that x is included in acc{...,x,...}, you can also produce acc' = acc - {x} without knowing any of the other committed values
16:09 < adam3us> gmaxwell: yeah but  tx graph of opaque blobs isnt so bad - you dont know who they're to who theyre from or the amount
16:09 < adam3us> gmaxwell: i mean even the addresses arent disclosed, there's nothing
16:10 < amiller> i don't think i believe that adam3us's scheme actually sufficiently protects against blacklisting policies etc
16:10 < gmaxwell> amiller: it doesn't but it makes it softer.
16:10 < gmaxwell> adam3us: ... if you can remove the utxo this emerge consumed, then you could also look to see which utxo it removed and so on.
16:10 < adam3us> gmaxwell: i think it could be about the right model, for privacy you can subpoena a person in the chain, and they can prove the blob they got it from
16:10 < gmaxwell> adam3us: if bitcoin is used correctly the addresses are all single use anyways, hiding the addresses isn't that helpful.
16:11 < adam3us> gmaxwell: yes but coin control fails in real life seemingly
16:11 < amiller> yes and elaborate zk fails to exist in real life seemingly too
16:12 < gmaxwell> adam3us: I mean, the top most wallet promoted on bitcoin.org forces you to constantly reuse an address, as does the most popular wallet software. I don't think you can say there is any fundamental failing, ... and you can't cure people's disinterest by making transactions much more expensive (in size and computation)
16:12 < amiller> isnt coin control an easier thing to get right for this level of improvement
16:12 < maaku> adam3us: these are user interface problems
16:12 < maaku> in short time, with the proper tools, bitcoin addresses will be 1-use-only
16:12 < gmaxwell> What maaku says.
16:13 < gmaxwell> There are things in the pipeline which will help, and eventually we will need to grow some balls and threaten to delist wallet software from bitcoin sites when they force known bad behavior.
16:13 < gmaxwell> But thats mostly orthogonal from crypto stuff, there are huge information leaks from the transaction graphs even when addresses are not reused.
16:13 < adam3us> gmaxwell, maaku: i dont think so quite, hence coinjoin etc
16:14 < gmaxwell> adam3us: coinjoin actually buggers the graph analysis.
16:14 < adam3us> gmaxwell: exactly
16:14 < adam3us> gmaxwell: good,somewhat, still prefer opaque blobs if we could find an efficient way to do it
16:14 < adam3us> unencrypted value is also hideous
16:14 < gmaxwell> But what you're suggesting (snarking at each step) doesn't. It just hides reused public keys, which is kinda boring... I mean, it's better but so long as it has a cost....
16:15 < gmaxwell> right. okay, I don't think we actually disagree. Maybe just on the exact tradeoff points.
16:15 < adam3us> gmaxwell: it hides value as well
16:15 < maaku> mostly it's just a matter of getting payment protocol and hd wallets accepted everywhere and built into every wallet
16:15 < maaku> coinjoin is a separate issue, is it not?
16:15 < adam3us> gmaxwell: you could probably mix some ORs into the snark
16:16 < gmaxwell> In any case, I think it's not good enough to do one thing, we must do all the things.
16:16 < adam3us> maaku: i think coin control is not enough
16:16 < gmaxwell> But I think humans have a lot of inertia so we need to do the more user visible things first.
16:17 < adam3us> maaku: still plenty of transaction graph leaks
16:17 < maaku> adam3us: ? by coin control do you mean coinjoin et al?
16:17 < adam3us> amiller: i think it could block miners
16:17 < gmaxwell> e.g. if we get enormous bitcoin businesses depending on being able to infer refund addresses from chain analysis, any improvement will be hard to deploy.
16:17 < adam3us> maaku:  no i mean not picking coins at random from your wallet
16:17 < adam3us> gmaxwell: yes that has to die
16:18 < adam3us> gmaxwell: btw that is why i proposed a publicly creatable chain code like thing (bip 38?) extension
16:18 < maaku> adam3us: yes, that's not enough. which is why we need payment protocol + hd wallets (don't reuse addresses) and coinjoin (spread the taint around)
16:19 < adam3us> hd wallets are a great invention on multiple grounds (nice job), but it is interactive, and people like static addresses for usability and chain is private
16:19 < gmaxwell> adam3us: it's not interactive. 0_o
16:20 < adam3us> gmaxwell: well if the site has a chain code online and hands it out right then to the sender
16:20 < michagogo|cloud> Interactive? What does that even mean?
16:20 < adam3us> michagogo|cloud: spender goes to web site, web site uses chain code to make new address, spender receives address, sends to block chain
16:20 < gmaxwell> adam3us: the idea is that you can give someone who will pay you multiple times a extended public key for a child chain. Then they can pay you without interacting.
16:21 < gmaxwell> adam3us: thats one possible usecase, another is that you give them their own subchain
 the whole extended public key.
16:21 < adam3us> you give them a subchain key so they can generate more?
16:21 < adam3us> gotcha
16:21 < gmaxwell> adam3us: yes.
16:21 < gmaxwell> You can use it either way, interaction is optional. :P
16:21 < adam3us> yes i got that picture i think from the bip etc
16:21 < adam3us> gmaxwell: my point is you could have a print advertisement in a newspaper, and still have each sender use a different address
16:22 < gmaxwell> adam3us: you could, but they'd need to figure out which addresses were used already first.
16:22 < adam3us> gmaxwell: i wrote it somewhere... i think you replied on the thread, sender does Q'=xG+Q  x=random, and encrypts x for Q
16:22 < adam3us> gmaxwell: no it would be random
16:22 < gmaxwell> I know, bytecoin proposed exactly that a long time ago.
16:23 < adam3us> gmaxwell: that seems to answer peoples seeming desire to work with static addresses... its probably just simpler to think about
16:23 < michagogo|cloud> The only thing is, you'd need to generate a sufficiently long series of addresses to watch from that subchain key
16:23 < gmaxwell> but this requires a lot of work from the receiver. e.g. he has to do cryptographic work for every transaction and can do nothing like bloom filtering.
16:23 < michagogo|cloud> Or, provide some mechanism for people to let you know which address they sent to
16:24 < adam3us> gmaxwell: probably you could put some bloom bait on it
16:26 < maaku> for printed advertisements, payment protocol is often the better solution
16:26 < maaku> which is why we need both
16:27 < maaku> "send coins to myfoundation.org/donate"
16:28 < gmaxwell> adam3us: also, your scheme requires the receiver have an online decryption key to identify their own transactions. (so did bytecoins)
16:28 < jtimon> they could say in the ad how to build the address
16:29 < gmaxwell> Bytecoin's suggestion IIRC was that you include an extra random public key in your transaction. And then the key you payto is ECDH between the receiver's private and your public, plus his public.  This also gave you a nice identity for the sender of the transaction (the public key)
16:29 < gmaxwell> but it required doing a free point multiply for every transaction on the network, and also keeping your private key online for doing it.
16:29 < jtimon> in freicoin foundation, for example, is organization_id/months_after_launch but you could have a deterministic mapping between username and an int
16:29 < maaku> jtimon: yes, but equally important is the other end of it. they need to know what addresses to listen for
16:30 < jtimon> all_my_registered_usernames/start_incrementing_from_0
16:31 < maaku> yes, but again: printed ad - you don't know your future donors
16:31 < maaku> hd wallets fit some situations, payment protocols others
16:31 < maaku> typically hd wallets are good for existing relationships, payment protocols for new ones
16:32 < maaku> it would be nice if payment protocol had a mechanism for specifying an hd address (there was some discussion on the list about this, I believe)
16:32 < jtimon> printed ad is too much, you can't do it on your own
16:32 < adam3us> gmaxwell: yes bytecoins seems similar and similar side effects.
16:32 < jtimon> but if they register in your web is different
16:32 < jtimon> there was a video "pay to protocol"
16:33 < maaku> ?
16:33 < adam3us> my additional probably unstated thought on the btc thread is maybe the sender can give you a hint, that allows you to narrow which are for you, or safely delegate searching to a full node
16:33 < jtimon> where the receipt was used to build the payment address from the recipients seed_key
16:33 < maaku> the UI for payment protocol would presumably be the same - you use a url in place of a address and your wallet handles the magic
16:34 < adam3us> gmaxwell: have to think about details could be interesting as fixed addresses are seemingly what users understand and they are setting a bad direction as is
23:08 < gmaxwell> I think making a concrete argument the whole of the interior rules are a cryptosystem is important. It's a bit sad that OP_CAT is off and that we don't have an OP_PUSH_TXN_HASH as you could implement lamport signatures in script with that.
23:09 < gmaxwell> bluematt's thing will help, in a couple of months you'll be able to claim that many alts are created by people who can't use a compiler.
23:09 < gmaxwell> so there will be no illusion that there is some latent stock of cryptographic geniuses putting out these things.
23:09 < andytoshi> yeah, that's excellent
23:11 < andytoshi> i might even describe this as a "social experiment which Matt Corallo proposed to the bitcoin developers to illustrate this point"
23:11 < andytoshi> because people on the btct thread seem to think he is some random guy..
23:12 < andytoshi> though i really don't want to give the impression that the bitcoin developers are holy people directing the currency somehow
23:12 < andytoshi> because that kind of thinking causes alts with convergence issues
23:12 < Luke-Jr> Matt Corallo is a bitcoin developer O.o
23:12 < gmaxwell> well, also, while not a secret emphasizing that the tool is intentionally cynical may lower matts income from it.
23:13 < andytoshi> Luke-Jr: i know, i guess i phrased that badly
23:13 < gmaxwell> andytoshi: and fwiw, I do think I was the first person to suggest it. :P (though perhaps matt had been thinking about it independently)
23:13 < andytoshi> oh, sorry :}
23:13 < gmaxwell> (I spent a while in #bitcoin-mining trying to convince Luke-Jr and/or petertodd to do it. (luke has the nice ability to tie in merged mining))
23:13 < gmaxwell> like ... N months ago.
23:14 < andytoshi> my intention in saying that was exactly to claim it is cynical .. but you are right that i'd be just taking money from Matt
23:15 < gmaxwell> well I think its cynicism is not secret, but emphasizing it now might reduce his income from it, and given the two choices I'd rather have the latter.
23:16 < gmaxwell> the cynical aspect of it is super obvious (it even was one of the first comments in the altcoin thread about it)
23:16 < andytoshi> okay, that's good then .. one of my concerns was that having Matt involved publicly might make alts seem legitimate
23:19 < grau> I assume you talk about coingen.io: I think it greatly damages alts, showing how pointless they are, unless there is a network of people supporting one.
23:22 < gmaxwell> grau: thats the idea.
23:22 < gmaxwell> Were you in the #bitcoin-mining discussion where it was proposed eons ago? for some reason I had the impression you were. :P
23:23 < grau> I never joined #bitcoin-mining
23:23 < gmaxwell> hm! okay!
23:23 < gmaxwell> well as I just said: super obvious.
23:23 < gmaxwell> :P
23:23 < gmaxwell> Part of it is a network effect thing, dilution hurts smaller coins more than bigger ones.
23:24 < grau> but is it good in your opinion, or should we rather embrace alts?
23:24 < gmaxwell> I think it's good to dilute "worthless" alts.  I don't think coingen.io does anything harmful at all to ones that have a solid reason for existing (which currently is .. not very many)
23:26 < gmaxwell> it highlights the worthlessness of things that are clearly worthless, and somewhat undermines the efforts of people who use the internet version of boilerroom techniques to promote worthless things trying to get a quick buck.
23:26 < justanotheruser> I think altcoins are an interesting phenomenon. Normally people wouldn't flock to a new version of software with a new logo and a few variables changed. For example, if I made altfirefox where the scroll bar was half the size and the logo was a dog, it wouldn't get any downloads let alone a thread with hundreds of replies.
23:26 < gmaxwell> though I still have no real answer to altcoins which have good _sounding_ reasons to exist but which are without substance when you pull back the technical covers.
23:27 < gmaxwell> justanotheruser: yea, you're not promoting the altfirefox with an investment ... scheme.
23:27 < warren> protoshares!
23:27 < justanotheruser> exactly, people buy into a purposeless piece of software because they think they will make money off it
23:28 < gmaxwell> right and coingen.io probably dashes those hopes for "YAAC" (yet another altcoin) though not for something with an elaborate vaporware story.
23:28 < gmaxwell> obviously the next thing to do is a coingen2.io that makes whitepapers for non-existing altcoins using a hidden-markov-model
23:29 < grau> those get rich schemes depend on being able to convert to BTC (since direct to fiat is absent) and this keeps me wondering why someone is selling BTC for some alt.
23:29 < andytoshi> gmaxwell: my hope is that i can write a faq which talks about smart-sounding alts
23:29 < justanotheruser> andytoshi: You should. There are only a handful you would have to cover
23:29 < grau> assuming there is no get rich, then motivation might really be the need for cheap tokens
23:29 < andytoshi> e.g. litecrypt and its goofy scrypt implementation, feathercoin and its super fast alts
23:30 < andytoshi> blocks*
23:30 < grau> there could be applications for near worthless tokens e.g. for games.
23:30 < justanotheruser> grau: if you want a cheap token, you should buy uBTC
23:30 < andytoshi> realsolid's difficulty algo
23:30 < gmaxwell> grau: my guesses include things like (1) people with large amounts of illicitly gained btc which can't easily be spent other ways, (2) exchanges buying them with fake BTC to pump prices for their own profits, (3) ... just people trying to repeat bitcoins rise in value a second time
23:30 < justanotheruser> I suppose you are talking about small transaction fees though
23:31 < gmaxwell> grau: sure, but we've got plenty of altcoins already, we don't need public exchanges for cheap tokens either.
23:31 < andytoshi> for that matter, solidcoin's seemingly solid reputation, and the character who turned out to be behind it
23:32 < justanotheruser> Is there going to be a point where most of the transactions are off-chain? I mean if we keep the block size at 1mb, people will eventually be competing with higher transaction fees to get their transaction into a block.
23:34 < andytoshi> my feeling is that some sort of {snark+aggressive pruning}coin will be released before bitcoin is seriously strained by the tx load
23:34 < petertodd> justanotheruser: nah, hopefully we'll just uncap the blocksize and gmaxwell and I will get the smug satisfaction of being proven right
23:34 < petertodd> andytoshi: snarks don't help with scalability the way I think you think they do
23:35 < justanotheruser> petertodd: how do we deal with the massive blockchain and bandwidth?
23:35 < andytoshi> petertodd: i'm not suggesting they can be used for pruning, but for quicker transaction validation
23:35 < grau> gmaxwell: (4) maybe also a scheme of anonymizing with recourse to BTC
23:35 < andytoshi> (and i'm aware that in 2014 even that is not true)
23:35 < gmaxwell> andytoshi: they're not quicker than trivial txn today. even the fastest stuff is .. well see that tinyram paper you linked to.
23:36 < petertodd> justanotheruser: by sharding the blockchain so that no individual node has to deal with all of it, but that's very tricky
23:36 < gmaxwell> But to the extent that they allow binding offchain systems they do improve scaling.
23:36 < andytoshi> could petertodd's MMR stuff be implemented in an alt today and enable massive block pruning?
23:37 < petertodd> andytoshi: yes, but not in the way you think so :P
23:37 < justanotheruser> petertodd: Is that in development at all? Is there anywhere I can read about that?
23:37 < andytoshi> petertodd: ok, this time you're right that i believe unjustified things :)
23:37 < petertodd> andytoshi: MMR TXO commitments actually make scalability a lot worse
23:37 < andytoshi> really?
23:38 < petertodd> andytoshi: yes, the bandwidth required to prove txin existence is about an order of magnitude more than what it is now
23:38 < gmaxwell> they make the blocks really big, but they allow a bandwidth/storage tradeoff if you can optionally send them when a node already has the data.
23:38 < BlueMatt> andytoshi: yea, I love that comment
23:38 < andytoshi> i thought with TXO commitments we could get away with only storing the last $small_time of actual blocks
23:38 < gmaxwell> bandwidth does tend to be more scarce than storage. though the ratio is kinda hard to reason about
23:38 < petertodd> andytoshi: where they can make things better is in conjunction with sharding techniques that allow that much worse bandwidth to be spread out over multiple nodes
23:38 < BlueMatt> Luke-Jr: I'm not a "bitcoin developer"?
23:39 < Luke-Jr> BlueMatt: you're not?
23:39 < BlueMatt> not a core dev sure, but I think everyone here is...
23:39 < gmaxwell> andytoshi: you can but you made the blocks much bigger because they're carrying around kilobyte proofs per txin instead of 32 byte hashes.
23:39 < andytoshi> gmaxwell: ah, i see, that's what i was missing
23:39 < petertodd> BlueMatt: heh, people are starting to call even me a core dev, which you have a much better claim to :)
23:39 < gmaxwell> of course if you have the txo set you don't need the proof, so it could be made optional.
23:39 < andytoshi> i thought this MMR business was basically a smart version of "add a hash of chainstate/ to the blocks"
23:40 < gmaxwell> andytoshi: sure but when a tx spends coins committed in that state the tx has to include a proof that its inputs are in it.
23:40 < andytoshi> and you'd request a copy of the chainstate dir instead of IBD'ing
23:40 < andytoshi> gmaxwell: oh, okay, so my understanding was not wildly far off
23:40 < gmaxwell> andytoshi: oh no, that's just SPV security for full nodes you're talking about. sort of orthogonal
23:40 < petertodd> andytoshi: that's completely right, but bandwidth, esp. anonymous bandwidth is the important thing
22:47 < nanotube> i think it's pretty cool, as far as raising dos costs
22:48 < jgarzik> I'm incredibly thrilled, though unsurprised, that Chinese like bitcoin.  Under a layer of thick communist oppression, there is an amazing undercurrent of raw capitalism in China.  Sometimes they are more libertarian/capitalist than Americans, though they basically operate under "wrath of God" mode:  In china, you will be OK as long as you don't wander into the political realm or make.  If you do, they aim a huge cannon at you
22:48 < jgarzik>  and your business.
22:48 < jgarzik> *make waves
22:49 < jgarzik> hopefully bitcoin gets entrenched. freedom++
22:49 < nanotube> heh
22:49 < nanotube> aye
22:49 < HM3> sell treasuries, buy bitcoin :P
22:50 < nanotube> gmaxwell: what prevents the attacker from calculating the hash tree on the fly when needed? 2^32 hashes are pretty fast to calculate.
22:54 < gmaxwell> nanotube: Adjust the hash cost vs size to taste. E.g. last step in the tree can just iterate the hash N times. It needs to be just slow enough that simply recomputing it every query isn't a win.
22:56 < gmaxwell> But yea, this is a bit of a pain, because you can get a hardware speedup on that. Point.
22:57 < nanotube> yea, stick a couple of ati gpus on your attack node, and you'll outcompute anything running on a vps.
22:59 < gmaxwell> nanotube: well, not quite that bad, I mean the storage full clients have a ~4 billion advantage factor over your gpu device once their table is built.
23:00 < nanotube> well, 4billion/32 :) so only 134million advantage.
23:01 < nanotube> i suppose if the challenge/response is frequent enough
23:01 < nanotube> you won't be able to maintain too many connections even with significantly more computing power.
23:02 < nanotube> it just has to be something on the order of minutes, rather than on the order of days/hours.
23:03 < gmaxwell> right, and it's cheap for the server so it could be querying you once every minute or two.
23:03 < nanotube> yes, and a 'legitimate' storage client should have no problem responding.
23:03 < nanotube> mk then, back to our regularly scheduled programming. :)
23:03 < gmaxwell> yea, not even a burden to query fairly often.
23:15 < nanotube> hm, so if we're targeting 1gb storage, and a sha3-512 hash is 64bytes, we can store roughly 2^24 hashes in the tree. which gives us roughly a 2^20 advantage for query vs response. since a couple-gpu box is roughly 2^10 faster at hashing than a cpu, that makes the attacker a disadvantage of only 2^10. still not bad. a couple-gpu box could probably handle a hundred or so connections without using storage... but at this rate it's cheaper t
23:15 < nanotube> o just buy a few 1tb hdds and handle even more.
23:16 < gmaxwell> nanotube: well not quite, you don't need to store the whole hash.
23:16 < nanotube> speaking of which... i could buy 10 1tb usb disks for roughly $700. which is the cost of maybe 1 high-end ati gpu.
23:16 < nanotube> so for 1gb per connection, it'd only cost me 700 bucks to eat up 10k slots.
23:17 < nanotube> which is still a lot more than what it'd cost me right now to eat those same slots, i suppose.
23:18 < nanotube> gmaxwell: ok fair point. by storing only a large-enough-to-effectively-guarantee-uniqueness subchunk of a hash, we can achieve a much higher compute cost per GB.
--- Log closed Mon Oct 14 00:00:08 2013
--- Log opened Mon Oct 14 00:00:08 2013
01:03 < BlueMatt> sipa: :(
02:28 < warren> sipa, gmaxwell : http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02751.html  should we go ahead with a BIP number assigned?
02:36 < BlueMatt> why can you have NODE_BLOOM && !NODE_NETWORK?
02:36 < BlueMatt> that makes no sense
02:37 < BlueMatt> if you are gonna relay something, you better check it first
02:37 < warren> BlueMatt: It is not clear why NODE_NETWORK exists, maybe it was just an example?
02:38 < BlueMatt> well, ok, my point is that that bip as written clearly says you can relay without having full verification
02:38 < BlueMatt> which is evil
02:42 < warren> BlueMatt: I agree that part really wasn't necessary to mention in the BIP.
02:54 < warren> hmm, what was the original purpose of NODE_NETWORK?
02:55 < warren> as there really aren't any service bits, there's no example code of how they're supposed to be used.
03:09 < sipa> i think we need to diversify node bits further
03:10 < sipa> as nodenetwork implies both relaying of new blocks and historical storage of everything
03:10 < sipa> either of these combined with nodebloom makes sense
03:10 < sipa> spv nodes do neither
03:13 < warren> ah
03:13 < warren> sipa: then the pruned proposals have talked about partial blocks available ... how would you advertise which?
03:16 < sipa> i'm just disagreeing with BlueMatt that Bloom without Network is meaningless... once we have pruning
03:25 < warren> sipa: we intend on launching pruned + expiration sometime after bitcoin 0.9, with the pruned part being submitted to bitcoin.  are the pruned proposals written spelling out all the diversified node bits?
03:26 < sipa> there were objections to my proposal earlier
03:28 < warren> where was the proposal and objections?
03:28 < warren> I don't even know where to look. =)
03:35 < sipa> proposal was on the mailing list
03:35 < sipa> but it doesn't really matter, we just need to start talking about it again i guess
--- Log closed Mon Oct 14 09:13:21 2013
--- Log opened Mon Oct 14 09:13:35 2013
14:23 < BlueMatt> sipa: ok, though, again, the bip as stated is very misleading
14:24 < BlueMatt> sipa: "may have data that its peers may be interested in, but is not a full node"
14:25 < jgarzik> BlueMatt, RE relay, the current code is pretty stupid, and just offers everything to all connected, unless something changed in the past year or so...
14:25 < jgarzik> regardless of what a spec says
14:26 < BlueMatt> yep
16:57 < maaku> possible academic weakness in linux /dev/{u,}random: http://eprint.iacr.org/2013/338.pdf
16:59 < gmaxwell> maaku: yea, that paper was making the rounds a couple months ago. It's boring though.
16:59 < sipa> BlueMatt: not sure why that is misleading?
17:00 < BlueMatt> sipa: it seems to indicate that you may want to relay unconfirmed data
17:00 < gmaxwell> it basically shows that if an attacker somehow knows the whole internal state of the rng (how?) he can trick the entropy estimator that he's been adding entropy when he really hasn't so the system will continue to return numbers he can derive... so long as he's the only input (how?).
17:00 < sipa> BlueMatt: well, if it's ambiguous it needs improvement :)
17:05 < jgarzik> maaku, is that what Bruce S is on about?
17:07 < gmaxwell> (Not that I'm a huge fan of linux's /dev/random ... but god knows it's probably impossible to improve now since everyone would assume every effort to do so was an attempt to backdoor it :P)
17:09 < maaku> jgarzik: yes
17:21 < gmaxwell> maaku: IIRC that paper recommends replacing /dev/random with something that is very much like AES-GCM (incrementing the galois counter by new random data that comes in). Paranoid people have already called out using AES stream ciphers as CSPRNGs in the context of the intel stuff. So their proposal is unlikely to be attractive to too many.
17:24 < maaku> gmaxwell: i see
18:42 < warren> jgarzik: do you have to mail your passport along with the application?
18:44 < gmaxwell> warren: apparently you do, intern in the office here went to china and had to send him his actual passport. They turned it around right away though.
21:42 < HM3> gmaxwell, more reason to move to schnorr-esque signatures that don't require absolute randomness for signing i guess?
21:44 < HM3> I'd be more worried about Windows RNG than Linux's
21:44 < HM3> I'm sure i read an article some time ago that illustrated with bitmaps that Windows' had patterns
21:47 < HM3> nevermind, i think maybe it was PHP
21:54 < HM3> yep PHP, but Windows did have RNG flaws some time ago. According to Matt Green Windows uses FIPS 186-2
22:06 < gmaxwell> HM3: that's irrelevant, you don't need randomness for DSA, and if your system RNG is bad you're already screwed (because your keys will be bad)
22:15 < jgarzik> warren, a good question
22:15 < jgarzik> warren, my FB is recommending Travista
22:15 < jgarzik> er, Travisa
22:27 < maaku> fraudian slip?
22:36  * jgarzik isn't sure what Freud would think of a vista
22:36 < jgarzik> unless you mean to imply I am using Windows Vista, which I assure you I would never do...
22:38 < HM3> gmaxwell, what do you mean randomness isn't needed for DSA?
22:38 < HM3> although i agree with your other point
22:39 < gmaxwell> HM3: You use derandomized DSA.
22:39 < HM3> but that's not DSA is it
22:39 < gmaxwell> It's indistinguishable from DSA.
22:40 < HM3> and what's the magic ingredient to derandomize it?
22:40 < gmaxwell> and in particular, you don't need to go about deploying _yet another_ cryptosystem to use it.
22:40 < gmaxwell> HM3: http://tools.ietf.org/html/rfc6979
22:41 < gmaxwell> HM3: effectively, K = HMAC(message,private_key)
22:42 < HM3> that's basically what Schnorr did
22:42 < HM3> and why I suggested Schnorr signatures
22:42 < HM3> Schnorr predates DSA
22:42 < HM3> It's also what djb did in Ed25519
22:43 < gmaxwell> HM3: Yes, I know.
22:43 < gmaxwell> (and you can find me pointing to Ed25519 in arguing to do this prior to RFC6979)
22:43 < gmaxwell> In any case, you don't need to change anything about the cryptosystem, require any upgrade, or create any incompatibility in order to do that.
22:43 < HM3> true
22:44 < gmaxwell> (and if you want you can also do HMAC(message||nonce,private_key) to belt and suspenders it... though you lose the auditability value of determinism)
22:44 < HM3> it's a bit grotty though
22:45 < warren> jgarzik: it's quite a mess.  You can't mail the application, you must apply at a consulate in person or have someone else (usually a visa agent) do it for you.
07:40 < adam3us> brisque: fantastic :) innovation wow. should allow param-tweaks, it's part of the game.  15sec block interval ftw!
07:41 < brisque> I'd say that's planned.
07:41 < brisque> it's got more features than last time I looked.
07:41 < brisque> ;;tell later BlueMatt you might want to move that URL pronto, it's been posted in the main chat.
07:41 < gribble> Error: I haven't seen later, I'll let you do the telling.
07:42 < brisque> ;;later tell BlueMatt you might want to move the coingen URL, it's been posted in the main chat.
07:42 < gribble> The operation succeeded.
07:42 < adam3us> brisque: i suggest to BlueMatt that it may be interesting to generate params randomly from the hash of the coin name (for the genetic algorithm approach to choosing coin params) maybe we'll get a surprise winner
07:43 < brisque> do we have the density of altcoins for that to work?
07:43 < adam3us> brisque: (it might have been my idea to do coingen... BlueMatt & I were talking about it a few weeks back.  encouraging crypto coin diversity & innovation & lowering the barrier to entry)
07:44 < adam3us> brisque: well i was thinking maybe we'd get aaacoin through zzz coin, that'd be quite varied
07:44 < brisque> adam3us: probably was. I can't imagine anything coming out of increased diversity, but it should be fun finding out
07:45 < brisque> I bet /somebody/ will make a block target of 1 second. that will be fun to play with.
07:46 < adam3us> brisque: maybe we can get better price discovery if dogecoin competes with aaacoin with params=rng(seed=aaa) through zzz
07:47 < brisque> you can't eliminate the effect of the name from the other variables though
07:47 < adam3us> brisque: it will be very interesting to observe the marketing efforts of aaa vs aab vs bbq
07:49 < gmaxwell> adam3us: it was also a proposal of mine from some time ago.
07:49 < adam3us> brisque: yes that's most interesting.  you may detect some dogecoin wow tongue in cheek about the whole endeavor but i think it could have real benefits, unimagined by the promoters of particular BBR coins.  maybe branding and features have to be stronger if there are more brands
07:49 < gmaxwell> I was trying to talk Luke-Jr into it because I thought he could do a nice mining pool tie-in with merged mined ones.
07:49 < adam3us> gmaxwell: figures... too many reinventions :) still i like the idea very very much..
07:50 < gmaxwell> yea, as I said previously, ... dilution effects break the economics of the small ones much worse than the big ones; so presumably with enough of this there will be no more param tweak coins with a non-zero market value.
07:50 < brisque> adam3us: I don't think you can eliminate the effect of the name on the value without using large control groups. have you considered enlisting parallel universes?
07:51 < adam3us> gmaxwell: yes, i was trying to keep the tongue in cheek, but i agree this is the predicted positive outcome.  i wonder if it will surprise us also though :)
07:52 < gmaxwell> win win
07:54 < adam3us> gmaxwell: i think we were talking about it, but for others it could be interesting to encourage or facilitate competition in the form of like hash rate spikes, 'coin of the day' placement, an automatic exchange listing
07:55 < adam3us> gmaxwell: i wonder also if there is a way to do this without consuming electricity.  a trusted server approach maybe. renting virtual vsp, buying virtual asics that virtually fail to be delivered on time etc.  then we could even add random events to mix it up a bit!
07:57 < adam3us> gmaxwell: u could even define proof of work functions with so far impossible to achieve properties :)
07:58 < brisque> adam3us: RSA coin. solve a block by factoring a private key.
07:58 < sipa> is factoring progressless?
07:58 < brisque> pretty much
07:59 < gmaxwell> depends on how you do it.
07:59 < kinlo> there is no way to factor rsa's so you'll just have to guess/brute force the values
07:59 < gmaxwell> it's very very very not progressless for the subexponential methods.
07:59 < kinlo> but who is going to generate the rsa keys?
07:59 < kinlo> that person will (at least temporarily) have access to p & q
08:00 < brisque> MD5 proof of work would be fun.
08:01 < brisque> you'd have to prove that md5(block + a) = md5( block + b) and b!=a
08:01 < brisque> ie, finding a collision.
08:01 < gmaxwell> Most of modern factoring is based on https://en.wikipedia.org/wiki/Dixon%27s_factorization_method  which is pretty much grade-school accessible... kinda fun to read about and play with if you've never toyed with fancy factoring methods.
08:02 < gmaxwell> brisque: not progress free, but doesn't have to be for the tool.
08:03 < brisque> gmaxwell: the issue if there was progress made in a linear fashion you'd just all be racing to the same goal, wouldn't you?
08:03 < brisque> that is, the fastest person would always win.
08:03 < gmaxwell> kinlo: Bytecoin sent me email saying that he had a trustless way to do RSA number generation.
08:04 < michagogo|cloud> ;;later tell BlueMatt Looks like Magiccoin crashes when you issue the getblocktemplate command, btw...
08:04 < gribble> The operation succeeded.
08:04 < gmaxwell> brisque: right thats if it's 100% progress, there are degrees in between.
08:04 < gmaxwell> michagogo|cloud: did you pay for it to be mineable? :P
08:05 < michagogo|cloud> Hmm, actually
08:05 < michagogo|cloud> bitcoin-qt on Windows crashed the first time
08:05 < michagogo|cloud> now it's just hung
08:06 < michagogo|cloud> odd
08:09 < kinlo> gmaxwell: that would be cool
08:10 < michagogo|cloud> ;;gentime 3.8 1
08:10 < gribble> The average time to generate a block at 3.8 Mhps, given difficulty of 1.0, is 18 minutes and 50 seconds
08:14 < michagogo|cloud> ;;gentime 18 1
08:14 < gribble> The average time to generate a block at 18.0 Mhps, given difficulty of 1.0, is 3 minutes and 58 seconds
08:14 < michagogo|cloud> Ooh
08:14 < michagogo|cloud> Just realized I might be getting the BE that I ordered later today
08:14 < sipa> BE?
08:15 < sipa> a big endian?
08:15 < kinlo> block eruptor? :)
08:15 < michagogo|cloud> block erupter
08:15 < sipa> ah
08:15 < michagogo|cloud> Woot, just mined a MGC block :-D
08:16 < brisque> mgc?
08:16 < michagogo|cloud> brisque: magiccoin
08:16 < michagogo|cloud> brisque: http://coingen.bluematt.me/status.html
08:16 < brisque> oh
08:17 < brisque> michagogo|cloud: hold on, I want some magic too
08:17 < michagogo|cloud> ;;genrate 1 330
08:17 < gribble> The expected generation output, at 1.0 Mhps, given difficulty of 330.0, is 1.5239591407 BTC per day and 0.0634982975291 BTC per hour.
08:17 < michagogo|cloud> erm
08:17 < michagogo|cloud> ;;gentime 330 1
08:17 < gribble> The average time to generate a block at 330.0 Mhps, given difficulty of 1.0, is 13 seconds
08:19 < brisque> michagogo|cloud: damn, no autotools.
08:20 < michagogo|cloud> brisque: Nah, it's 0.8.6-based, I think
08:20 < kinlo> gmaxwell: you wouldn't happen to have the theory behind this trustless rsa generation?
08:20 < michagogo|cloud> brisque: Are you not on Windows or Linux?
08:20 < brisque> michagogo|cloud: debian, just spinning up a new VM for it.
08:21 < michagogo|cloud> So you don't need autotools :P
08:21 < brisque> makes my life easier though
08:22 < kinlo> eh, did BlueMatt really create a coingenerator? :O
08:22 < michagogo|cloud> kinlo: yeah, coingen.bluematt.me
08:22 < kinlo> yeah, just a bit startled :p
08:23 < michagogo|cloud> Wait, this is known outside of this channel?
08:23 < kinlo> not that I know of :)
08:23 < brisque> yeah, someone posted it on #bitcoin ahead of time.
08:23 < michagogo|cloud> Someone appears to have posted it on Reddit...
08:23 < brisque> someone needs to tell him to move it, it's nowhere near ready for public release.
08:23 < kinlo> eh, why not? :)
08:24 < michagogo|cloud> ;;seen BlueMatt
08:24 < gribble> BlueMatt was last seen in #bitcoin-wizards 4 hours, 39 minutes, and 55 seconds ago: <BlueMatt> whatever generates lots of use
08:24 < michagogo|cloud> Someone created an account just for this, it seems
08:24 < michagogo|cloud> http://www.reddit.com/r/Bitcoin/comments/1u861l/coingen_create_your_own_altcoin_in_60_seconds/
08:24 < michagogo|cloud> http://www.reddit.com/user/altcoin_fan
08:24 < michagogo|cloud> "redditor for 41 minutes"
08:25 < brisque> doubt it would have been him, there's a lot more features to add before it's ready
08:25 < brisque> changing the address prefix for starters
08:27 < brisque> michagogo|cloud: what's your MGC peer running at?
08:27 < michagogo|cloud> brisque: I have one running on my laptop behind a NAT
08:27 < michagogo|cloud> And one on 2a01:4f8:190:1405:beef::
08:28 < michagogo|cloud> or 5.9.140.23
08:28 < michagogo|cloud> 5 blocks at the moment
08:28 < michagogo|cloud> But later today (potentially in a few hours) I may be able to point a couple hundred mh at it
08:29 < michagogo|cloud> Mh*
08:30 < brisque> hm, could you try adding 95.85.34.118?
08:30 < kinlo> heh
08:30 < kinlo> I'll start creating a pool :)
08:31 < brisque> there we go
08:38 < michagogo|cloud> Okay, g2g for a bit
08:38 < michagogo|cloud> 9 blocks so far
08:42 < brisque> heh, threw an old miner at it. there's a few more blocks now.
09:05 < michagogo|cloud> brisque: how many?
09:06 < brisque> michagogo|cloud: 104.
09:06 < michagogo|cloud> When I get home in 45 mins or so, I'll be able to churn them out every 13 secs or so
09:07 < brisque> michagogo|cloud: found my Block Eruptor and burnt my fingers on it.
09:07 < michagogo|cloud> Do they heat up quickly?
09:07 < michagogo|cloud> I just got my BE -- it's much smaller than I pictured
09:08 < brisque> surface of them is absolutely untouchable when they're running. just be careful not to grab it on the aluminium edge and you'll be fine.
09:09 < michagogo|cloud> How quickly does it get to that point? Is it a matter of seconds? Minutes?
09:09 < michagogo|cloud> Also, how long does it take to cool down?
18:49 < sipa> if only one could strangle non-living things
19:47 < HM> ;p
19:47 < HM> i had many ways of expressing frustration in mind, and none of them made it coherently to my keyboard
19:59 < gmaxwell> sipa: killall -19 thing
20:06 < sipa> sigstop?
20:07 < sipa> what a boring way of strangling
20:07 < amiller> hardly a strangle
20:07 < sipa> it should be more violent
20:07 < sipa> -9 comes closer
23:59 < amiller> i think i figured out a good way to model bitcoin
--- Log closed Tue Jul 30 00:00:35 2013
--- Log opened Tue Jul 30 00:00:35 2013
00:00 < amiller> there's tons of protocols that are trivial with a trusted third party and impossible with just a bunch of separate players
00:01 < amiller> a trusted third party is typically allowed to keep secret state
00:01 < amiller> that seems essential, since basically the way a ttp is used is that you have to know you're talking to the ttp, so it basically has to hold a private key and it is recognized by its public key
00:02 < amiller> so bitcoin seems like it could do almost anything a trusted third party could do, except for keep a secret
00:02 < amiller> which means it can't sign anything
00:02 < petertodd> heh, bitcoin's signature algorithm is simply a very hard problem...
00:02 < amiller> this is the sense in which the proof-of-work acts as a substitute for holding a secret
00:03 < amiller> it's the network aggregate signature
00:03 < amiller> it's almost like secret sharing, except for the secret
00:03 < petertodd> interesting concept, sounds about right to me
--- Log closed Wed Jul 31 00:00:38 2013
--- Log opened Wed Jul 31 00:00:38 2013
15:40 < jgarzik> petertodd, about to integrate announce/commit TX support into txtool
16:11 < petertodd> nice
18:26 < jgarzik> petertodd, your audit report is not directly linked to something render-able in the browser?  poo.
18:27 < petertodd> jgarzik: It's PGP signed and people should be verifying that stuff.
18:27 < petertodd> jgarzik: Though I could also do a zip file of it...
18:28 < jgarzik> petertodd, pipe dream, just like the PGP WoT
18:29 < jgarzik> Just decreases the reader audience size dramatically, due to lack of ease of reading, and lack of SEO indexing
18:29 < petertodd> pff, there's nothing I can do that's better other than putting it on petertodd.org, and I haven't had a site there for ages
18:29 < jgarzik> ;p
18:29 < petertodd> Litecoin can do what they want for SEO.
18:29 < jgarzik> off to Fry's, for UPS's
18:30 < petertodd> I'm posting it because I want Bitcoin people to see and learn, and criticise!
20:02 < Luke-Jr> anyone know why glibc seems to have zero real wide character support? :/
20:08 < midnightmagic> Luke-Jr: drepper ..?
20:08 < Luke-Jr> sigh
20:08 < Luke-Jr> and ncurses lacks UTF-8 support
20:09 < midnightmagic> it does?!
20:09 < sipa> wut?
20:10 < midnightmagic> I thought it does do widechars.
20:10 < midnightmagic> Yeah, http://invisible-island.net/ncurses/ncurses.faq.html ncursesw ?
20:15 < Luke-Jr> midnightmagic: it supports wide chars, which glibc doesn't
20:15 < Luke-Jr> it doesn't support UTF-8, which is distinct from wide chars
20:15 < Luke-Jr> and if the locale is UTF-8, it won't render wide chars using it
20:16 < Luke-Jr> although that's arguably the libc's job
20:16 < Luke-Jr> maybe
20:17 < Luke-Jr> all the documentation for glibc infers it works, but in practice, iswprint only returns non-zero for ASCII characters, and wprintf prints only the last 8 bits of every character
20:29 < midnightmagic> That's weird. I recall using ints for character printing in an old ncurses app I wrote and graphs worked just fine.
20:32 < jrmithdobbs> have they actually provided details on that iphone charger hack thing?
20:32 < jrmithdobbs> at blackhat
20:37 < midnightmagic> oh awesome. apple messed up with their proprietary cable stuff?
22:16 < Luke-Jr> hrm, it works if I set a null locale
22:16 < Luke-Jr> but only using C setlocale, not LANG=
22:18 < Luke-Jr> oh weird, setlocale does more than just what its name suggests!
--- Log closed Thu Aug 01 00:00:41 2013
--- Log opened Thu Aug 01 00:00:41 2013
18:33 < gmaxwell> realazthat: did you see that mill cpu arch stuff on hacker news?
18:34 < gmaxwell> it looks a lot more like the SCIP underlying machine than the tinyram stuff.. I wonder if it wouldn't make for a better implementation, assuming you had a good compiler for it.
18:37 < realazthat> mmm no gmaxwell
18:37 < realazthat> link?
18:38 < gmaxwell> https://www.youtube.com/watch?v=QGw-cy0ylCc
18:40 < realazthat> mmmm
18:40 < realazthat> I'll watch it part now part tonight
18:40 < realazthat> love the comment: "This is the most exciting new development in computing and hair fashion in ten
19:16 < petertodd> looks easier in some ways than bitcoin's forth-like...
19:18 < gmaxwell> yea, well, it's a limited horizon single static assignment rolling window, actually looks a lot like a compiler register allocator.
19:19 < gmaxwell> I also thought it looked like the routing topologies in the SCIP stuff, which is sort of interesting.
19:20 < petertodd> yeah, matches up nicely to how they actually work
19:20 < petertodd> I'm also thinking that on a really practical level, it'd be a nice way to refer to previous results more efficiently
19:20 < realazthat> yes
19:21 < realazthat> I think a RA would take such a FIFO into account
19:21 < gmaxwell> on the other hand, ssa form is pretty hard to read code in.
19:21 < realazthat> instead of doing RA
19:21 < realazthat> ie. it would store if it needs to remember something longer
19:21 < realazthat> is there only the belt?
19:21 < realazthat> I stopped in middle
19:21 < realazthat> he said he was splitting temporary storage off
19:22 < realazthat> but I didn't get to that
19:22 < realazthat> is there another register pool for short term storage?
19:22 < petertodd> gmaxwell: yes, although so is pure stack
19:22 < gmaxwell> There is really no belt in the actual implementation. There are a bunch of parallel lanes, one for each delays outputs, and then it shuffles from them into the end.  The belt is just a way of visualizing this delay line system. There is a logical belt per stackframe basically.
19:47 < realazthat> mmm
19:47 < realazthat> I'll finish the vid tonight
19:54 < amiller> i'm convinced there is a huge need for a really different cpu model
19:55 < amiller> circuits suck, turing machines suck, ram machines (including tinyram) suck, and term rewriting machines suck
19:56 < amiller> circuits are the only ones that map well onto modern crazy-crypto, term rewriting is the only one amenable to formal semantics
19:57 < amiller> they're all polynomially (like, quadratically) convertible in between but that's not very precise
20:08 < sipa> wow, impressive stuff
20:09 < gmaxwell> I've programmed for the VLIW DSP he's referring to (c64x) ... its a bit of a pain to program for. But works pretty nicely.
20:14 < sipa> i've watched most of the video
20:57 < amiller> hey i have a simple practicalish idea
20:57 < amiller> why not have block locked transactions
20:58 < petertodd> isn't that what gmaxwell and I have proposed in various ways?
20:58 < sipa> a practicalish idea?
20:58 < sipa> from amiller??
20:58 < sipa> :o
20:58 < amiller> where you can include a block hash such that your transaction is only valid if that block is in the ancestry
20:58 < amiller> this would basically allow you to limit what could happen if there's a reorg
20:59 < petertodd> right, gmaxwell's idea
20:59 < petertodd> also doable with my "getblockhash" opcode ideas
20:59 < amiller> that makes sense.
20:59 < amiller> welp, good one gmaxwell, i must have never understood it if i've seen it before :p
20:59 < sipa> iirc gmaxwell's idea does require the hash being present, but revokes fee claiming when it's not
21:00 < sipa> which sounds less dangerous in any case
21:00 < amiller> it's a nice simplification if you've already been living in a fantasy world where everyone's RationalClients automatically doublespend coins back to themselves, you know, just in case...
21:00 < gmaxwell> https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas
21:01 < amiller> a getblockhash opcode is a good way of doing it
21:01 < gmaxwell> Transaction checkpoints. Each transaction (or signature?) should contain a block index and 32 (?) least significant bits of the block hash. The transaction's fees are only valid (or only their full value?) if they are mined in a chain they agree with. This would let people making bitcoin transactions 'vote with their wallets' on the identity of the chain they consider important. This isn't a viable POW replacement, but would greatly reduce
21:01 < gmaxwell> Nodes would typically checkpoint a few blocks in the past from their current height to avoid overstating their opinion unnecessarily.
21:01 < petertodd> amiller: you see my suggestions on how to add as many opcodes as you want with a soft-fork?
21:01 < gmaxwell> Deep checkpoints could be automatically triggered by observing a critical mass of coins-day-destroyed confirming them, creating a PoS-ish system, though this is subject to the 'nothing at stake' problem of PoS, and is probably very dangerous. (e.g. isolation risk for newly bootstrapping nodes)
21:02 < amiller> petertodd, not sure which one you mean, link?
21:02 < amiller> petertodd, if you're thinking about opcodes, in general i think it is interesting to let transactions basically make 'queries' to arbitrary indices
21:03 < amiller> so if you support getblockhash, everyone must keep an index of at least query-by-blockhash
21:03 < petertodd> amiller: hmm... kinda buried in bitcointalk somewhere, but the basic idea is that OP_MAST_EVAL can be done as a soft fork, therefore any opcode can be
21:04 < amiller> the basic functionality is query-by-txid
21:05 < petertodd> hmm... I think the main thing with that kind of querying, is figuring out a sane way to actually do it that is understandable
23:08 < CodeShark> for most coins, if you sold 10% of it on any public orderbook, the price would drop to zero :)
23:08 < phantomcircuit> maaku, lolol i love that
23:09 < phantomcircuit> BlueMatt, the most meaningful thing is the total size of all the bids
23:09 < phantomcircuit> asks are useless since you'll have some fools with things like 1 BTC @ 100000000000000000000000 USD
23:09 < BlueMatt> phantomcircuit: yes, agreed
23:11 < CodeShark> you could look at depth on both sides up to, say, 1% of total coins in existence
23:12 < phantomcircuit> for example
23:12 < phantomcircuit> there is 39275377.92397302 USD in bids on mtgox
23:12 < phantomcircuit> which is actually not even that much money
23:13 < phantomcircuit> but iirc the kraken XRP exchange has the equivalent of like a few thousand dollars total
23:13 < BlueMatt> phantomcircuit: yea, but that is mtgox...you cant really count mtgusd as usd anyway
23:13 < BlueMatt> anyway, yea, total bids isnt that high compared to the market cap
23:14  * BlueMatt ponders how that ratio compares to other assets...
23:15 < phantomcircuit> BlueMatt, it's difficult to compare because most assets the orderbooks are full of highly leveraged offers
23:15 < phantomcircuit> especially currency markets
23:15 < phantomcircuit> people there are often trading on 10000:1 leverage
23:16 < phantomcircuit> or more
23:16 < BlueMatt> true, but you can trade on leverage on btc on...whats the exchange again?
23:16 < phantomcircuit> bitfinex?
23:16 < phantomcircuit> the idiot who stole the bitcoinica source code
23:17 < BlueMatt> I suppose you cant really compare the numbers until the exchange markets grow up a bit, but still, would be interesting to compare those numbers
--- Log closed Fri Dec 27 00:00:31 2013
--- Log opened Fri Dec 27 00:00:31 2013
01:16 < jcorgan>  /clear
13:13 < Emcy> https://twitter.com/zestyping/status/416570841720438785/photo/1 theyre mental.
13:13 < Emcy> i wonder if its actually a statement about how fuckd up the internet is now
13:13 < Emcy> "welp everyone back to pneumatics"
13:31 < nsh> greenwald keynote starts: http://streaming.media.ccc.de/saal1/native/lq/
13:33 < TD> thanks
13:37 < BlueMatt> nsh: thanks
13:37 < nsh> np
15:31 < goedgoed> nsh: Shit. CCC totally slipped my mind. Thanks for reminding me!
15:33 < nsh> np
16:46 < Emcy> greenwald isn't doing anything particularly amazing or insightful
16:46 < Emcy> hes just telling it like it is, according to occams razor mainly
16:47 < Emcy> unfortunately the weave of lies and obfuscation of whats really going on has run so deep for so long, when he opens his mouth it feels like a lungful of air after a freedive
16:48  * nsh nods
16:57  * daira2 nods too
17:33 < gmaxwell> Went out to lunch a bit ago, heard random people talking about dogecoin.  The person promoting it was proposing it as a fun way to try out cryptocurrency.
17:34 < nsh> whatever happened to experimenting with psychedelic drugs and rock music :/
17:35 < gmaxwell> I wonder if we should rebrand testnet as Courage Wolf coin.  "Bitcoin too stable and secure. Use testcoins!"
17:36 < nsh> go full hog and gamify the whole system of cryptocurrency experimentation
17:37 < nsh> it'll be like spore but with a lot more hashing
17:37 < gmaxwell> well, my point there is that if you really want coins for futzing around with, testnet is better than some total alt, since at least testnet is guaranteed to track development.
17:38 < Emcy> seriously isn't dogecoin only about 3 weeks old
17:38 < Emcy> either that was very improbable or cryptocoins in general are getting some wicked mindshare
17:39 < nsh> well, doge represents the intersection of cryptocurrency and inane internet sensations
17:39 < nsh> which have a much wider and more rapid mindshare proliferation function
17:40 < Emcy> we havent had a really good meme since the great meme collapse of 2011
17:40  * nsh smiles
17:40 < Emcy> when facebook kids started unironically posting the meme templates everywhere and then arrow knee blew the lid off the whole thing
17:40 < gmaxwell> Emcy: I mean, I am in silicon valley, hearing people talk about bitcoin in public is basically a daily event.
17:41 < Emcy> oh cool didn't know you went there
17:41 < Emcy> that skews the probabilities somewhat
18:00 < pigeons> i know people who have never used bitcoin and aren't interested in it but are trying dogecoin for fun and to buy steam games. i don't get it, but people like it for some reason
18:01  * andytoshi-logbot is logging
18:02 < Luke-Jr> gmaxwell: update topic?
18:02 < Luke-Jr> andytoshi-logbot: got a link for topic? :P
18:02 < andytoshi-logbot> I'm logging. I don't understand 'got a link for topic? :P', Luke-Jr. Try /msg andytoshi-logbot help
18:02 < andytoshi> lol
18:03 < andytoshi> Luke-Jr: i need an ack from gmaxwell .. and i'm not sure i'll get one as long as people are talking about bitcointroll users candidly here :P
18:05 < andytoshi> the last thing we need is altoz posting "see, andy and luke really are out to get me!"
18:05 < Luke-Jr> haha
18:08 < nsh> i will happily volunteer to be a few orders of magnitude more offensive than anyone else to deflect log-flak
18:08 < nsh> (just one of my many services)
18:08 < Luke-Jr> lol
18:10 < gmaxwell> logging is fine, but something more reliable than andytoshi-logbot should be doing it if we're going to have public logs. :P
18:10 < gmaxwell> also, I think the topic is public editable in here.
18:10 < andytoshi> aww, you don't trust the perl script i downloaded and ran without reading?
18:11 < gmaxwell> andytoshi: I mean I see your bot bouncing in and out a lot.
18:11 < andytoshi> i know, it is supposed to detect disconnects and come back, but it doesn't
18:12 < andytoshi> i'll spend some time working on it over in #andytoshi..
18:17 < sipa> dogecoin even still uses irc seeding...
18:17 < sipa> or rather, again
18:22 < gmaxwell> sipa: I assume it's a fork of the pre 0.8 litecoin codebase?
18:24 < Luke-Jr> gmaxwell: it's not (topic public edit)
18:25 < warren> gmaxwell: it's 0.6 based
18:27 < andytoshi> ok, i see, the logger's "reconnect" code just deletes the PID file and assumes somebody else will respawn it
18:27 < andytoshi> i'll give it its own user, write some systemd unit files and do this properly..
18:52  * andytoshi-logbot is logging
18:52 < andytoshi> ok, it shouldn't disconnect for more than a few secs from now on
18:53 < gmaxwell> andytoshi: Is your CJ thing available as a tor hidden service?
18:54 < andytoshi> oh! gimme five minutes..
18:55 < gmaxwell> yea, part of why I asked was because its so easy to setup. :P
18:58 < andytoshi> http://xnpjsvp7crbzlj3w.onion/
18:59 < andytoshi> let me just confirm that none of the links assume it is under domain.net/coinjoin/ ...
19:01 < andytoshi> cool, all good
19:06 < gmaxwell> andytoshi: cool. it works, you might want to put both links on the bottom of the page.
19:10 < andytoshi> done
19:11 < andytoshi> now i'll go spam anontalk with it..
19:12 < gmaxwell> Whats anontalk?
19:12 < andytoshi> i don't think that's what it's called .. there used to be an anonymous board at http://ci3hn2uzjw2wby3z.onion/
19:12 < andytoshi> maybe it has gone down
19:13 < gmaxwell> I guess the next missing piece for your tool is an auto-participater. e.g. something that polls periodically and if there is a open CJ of the right size, it participates for you.
19:15 < sipa> TD: what timezone are you in? :)
19:17 < TD> currently
19:17 < TD> GMT
19:17 < TD> sipa: why?
19:18 < sipa> not used to seeing you join at this time :)
19:18 < andytoshi> gmaxwell: yeah, that'd be cool
19:19 < andytoshi> right now i'm working on having any coinjoins going on, when i'm not 50% of the participants
19:20 < gmaxwell> andytoshi: yea well part of the challenge, of course, is that when someone uses it there may be no one else, or /worse/ just someone with a non-match that doesn't really increase their privacy.
19:29 < andytoshi> yeah, that happened to me this morning..
19:29 < andytoshi> ;;cjs c11fc9bd5b462946
19:29 < gribble> Coinjoin Status: session ``AMEMB Lanceros PFS Sex Tess IDB 15kg'' is completed. The submitted transaction ID was 80819213bb25df35f890fab55f8d3b71c8f5bed3b823bb949ce26e1471686e61.
19:29 < andytoshi> https://blockchain.info/tx/80819213bb25df35f890fab55f8d3b71c8f5bed3b823bb949ce26e1471686e61 i was the 0.2's
19:29 < andytoshi> it clearly said, "most popular output is 0.2. use that output size"
19:32 < gmaxwell> might be better if the person starting a join could mandate a size?
19:34 < andytoshi> maybe, i dunno, i don't want to make it too irritating .. i am already disappointed by the ~0 uptake
19:35 < gmaxwell> andytoshi: yea, sorry about that. I could have warned you.  See also the ~0 uptake in PT's dust-be-gone.
19:37 < andytoshi> lol, s'fine, i learned a lot from this
19:37 < andytoshi> and i found a bug in the rust compiler, so my github account claims i have "contributed" to rust, which is cool
19:40 < gmaxwell> My experience with dust-b-gone suggests that even with an automated participater the usage will be low. I'm not sure what it takes to get it used.
19:41 < andytoshi> calling it doge <.<
19:41 < gmaxwell> I ... worry... that there are basically few actual cryptocurrency people in Bitcoin.
19:42 < sipa> is there anything coinjoin-related already usable/released?
19:42  * sipa has hardly followed up recently...
19:43 < andytoshi> i worry about this too, but then i remember that there are like 30-40 serious people here, and we are able to connect on #bitcoin-wizards and exchange research in a way that would've been impossible even 10 years ago, even if we'd had bitcoin back then
19:43 < andytoshi> well, irc was around 10 years ago, but i don't think the preprint archives were, nor do i think academics spent a lot of time on public forums
19:44 < andytoshi> sipa: i have a joiner at http://xnpjsvp7crbzlj3w.onion/ which is "usable" if you can deal with rawtx's
19:45 < sipa> ok
00:44 < gmaxwell> justanotheruser: it's not, but what you want is a resource rate limiter. You want to give each user 1/Nth of the capacity, but since users are anonymous you need a way to prevent a user from claiming that they are 100 users and gobbling it all
00:44 < gmaxwell> holding bitcoin at a particular instance of time is something that prevents unlimited cloning.
00:46 < justanotheruser> gmaxwell: I suppose an attack on the network would cost as much as in a system with PoB because they would have to create a large number of new addresses with coins and pay the tx fee for all those just like if they were doing a large number of burns
00:47 < gmaxwell> yea, well I think a real sacrifice is stronger, but it's not clear to me that something bitmessage like would need a real one, and just showing you were holding coins as of a daily txoutset snapshot would be easier to accept for users, I suspect.
00:48 < gmaxwell> in any case, I also think that because of the aforementioned ecdsa an actual sacrifice would be easier to implement.
00:48 < justanotheruser> gmaxwell: funny to see you promoting proof of stake btw :D
00:49 < gmaxwell> justanotheruser: PoS is fine, so long as you're not expecting it to operate its own consensus.
00:49 < justanotheruser> yeah
00:49 < gmaxwell> you could mine a PoS altcoin based on bitcoin holdings, you just can't the chain itself. :P
12:08 < jtimon> petertodd why does litecoin need a softfork?
12:45 < petertodd> jtimon: to implement height in coinbase, and warren wants to see single-satoshi dust made unspendable
12:46 < jtimon> thanks
12:46 < jtimon> so are they making a protocol antidust rule?
12:47 < petertodd> jtimon: yup, if nValue == 1 satoshi treat the output like a provably unspendable OP_RETURN
12:47 < jtimon> it's not only in isStandard, interesting
12:47 < sipa> petertodd: why not 0 satoshi?
12:47 < sipa> what makes 1 special?
12:48 < petertodd> jtimon: Note that this *isn't* because doing so will actually have a big impact on anything, but rather the argument is to do it "symbolically" for future, more invasive, anti-dust efforts.
12:49 < petertodd> sipa: Litecoin had a bunch of 1 satoshi dust spam a while back, and it's conceivable that a future soft-fork feature might want to use 0-value outputs for something.
12:49 < jtimon> we haven't even made sub satoshi (sub-kria) outputs unspendable in freicoin. Yes, demurrage still applies to a single satoshi so you won't be able to spend it, but you may want to spend 0 coins?
12:50 < petertodd> Indeed, zero-output txouts could be used to implement an increased divisibility soft-fork for instance.
12:50 < jtimon> well, maaku was reluctant to have any form of escheatment
12:50 < jtimon> yes, and we also plan to increase divisibility on freimarkets so...
12:51 < petertodd> Add nNewValue to transactions and define nSumValue = nNewValue + nValue, then do divisibility by moving value from nValue to nNewValue, which means you can re-combine sub-satoshi outputs, it's just that old clients can't see the fact you've done so.
12:52 < petertodd> Note how this depends on the fact that miners can destroy coins forever rather than taking them as fees.
12:53 < jtimon> I think that's what we have in freimarkets
12:53 < jtimon>     nValue :: int64
12:54 < jtimon>     dValue :: decimal64
12:54 < jtimon>     dValue = nValue * 10^369
12:54 < petertodd> Oh, interesting!
12:54 < jtimon> but maaku told me that gmaxwell told him we're not using nVersion as it was intended
12:54 < petertodd> how so?
12:54 < jtimon> I'm not sure I understood that
12:54 < petertodd> how are you using it?
12:55 < jtimon> for us version 2 are transactions with an additional refHeight, necessary for calculating demurrage
12:55 < jtimon> so all freicoin transactions are v2
12:55 < petertodd> is refHeight actually a different binary format?
12:56 < jtimon> and freimarkets introduces v3 with more modifications
12:56 < jtimon> it's an additional field
12:56 < petertodd> right, nVersion was meant to signify to *interpret* a otherwise backwards-compatible transaction differently
12:56 < jtimon> so if bitcoin were to adopt freimarkets, interest bearing assets could be moved with v2 transactions
12:57 < jtimon> ours aren't backward compatible, they are hardfork changes
12:59 < jtimon> here's the commit that adds nRefHeight: https://github.com/freicoin/freicoin/commit/cee818350d857029e0e7148fece35646d479aea1
12:59 < petertodd> for instance P2SH could have been done with a nVersion bump
13:01 < jtimon> but some other version number was changed for that, no?
13:01 < petertodd> jtimon: right, you could have done that as a soft-fork
13:01 < petertodd> jtimon: no, that was done with voting by putting the string "P2SH" in the coinbase - not a great mechanism
13:02 < petertodd> jtimon: the "height in coinbase" soft-fork was a lesson learned there, and was done with a CBlock.nVersion bump.
13:02 < petertodd> jtimon: oh, sorry, and come to think of it the voting *wasn't* software evaluated
13:02 < petertodd> jtimon: IE, miners "voted", then a bitcoin was released that turned on P2SH on a specific day IIRC
13:03 < petertodd> eh, I might have to double-check the code for that, don't quote me :)
13:04 < jtimon_> petertodd: "right, you could have done that as a soft-fork" what? adding the nRefHeight field?
13:04 < jtimon_> anyway, the tx-nversion looked ideal for our changes, I'm not sure what we should use instead
13:05 < petertodd> jtimon_: yeah, you'd do it by just recording nRefHeight in a different datastructure that was stored along-side the block
13:05 < jtimon_> no, no
13:05 < jtimon_> the nRefHeight goes with EACH transaction
13:05 < petertodd> Yes, and along-side the block you store an nRefHeight array for each tx.
13:05 < jtimon_> oh, I see
13:06 < jtimon_> but...
13:06 < jtimon_> that number has to be signed
13:06 < jtimon_> it really belongs in the tx
13:06 < petertodd> See, what might be good is a hard-fork to allow arbitrary junk to go at the end of CTransaction's, and then forever after you could add new fields in soft-forks by bumping nVersion.
13:07 < jtimon_> interesting
13:07 < petertodd> jtimon_: oh right, well, that's another thing: SignatureHash() should have been written so that the presence of unknown flags makes the signature always evaluate as true, so that new flags could be defined in soft-forks.
13:07 < petertodd> Additionally you need different OP_CODESEPARATOR there too, long story. :P
13:09 < petertodd> (well, actually, better to only define *some* of the unused flag bits as "return true")
13:09 < petertodd> (though an even better system wouldn't have a "all-in-one" CHECKSIG anyway, but I digress)
13:09 < jtimon_> well, I think it was much simpler to just add the nRefHeight field after nLockTime (if I remember correctly, that's where it is)
13:09 < petertodd> sure, given you're doing a hard-fork
13:10 < jtimon_> so there's no way to signal hardfork versions for transactions?
13:10 < petertodd> point is, if you're doing a hard-fork you don't have to really
13:11 < jtimon_> well, it just simplifies the implementation, since older versions will still work the same
13:11 < petertodd> yeah, older code
13:12 < gmaxwell> petertodd: sig flags are set by the signer. So I write a txn with an unknown flag and freely spend your inputs. :P
13:13 < jtimon_> I guess we will keep using the nVersions even if it wasn't the purpose for a lack of a better alternative
13:14 < petertodd> gmaxwell: gah, damn, that's right
13:14 < petertodd> gmaxwell: yeah, guess that just leaves the OP_CODESEPARATOR solution so you can put arbitrary signed data in the scriptSig
13:15 < jtimon_> the "junk-at-the-end-of-the-tx and nversion for softfork additional fields" is really interesting though
13:16 < petertodd> yup, basically you just need to hard-fork in a total-transaction-length field and then go nuts
13:17 < petertodd> you probably want OP_CHECKSIG to be made to include the *contents* of the extra data in the signature hash, which nicely can be done backwards compatible - generally the extra contents are empty
13:17 < shesek> though it'll make it impossible to prevent arbitrary data storage on the blockchain, as something like p2sh^2 intends to do
13:18 < gmaxwell> petertodd: on another subject I don't know if you saw my musing;  wrt coinbase only pooling, if the payout is to some M of N keys,  then shares could be submitted to N entities and they could share the shares to achieve a consistent state and then do consensus signing of payouts. So you can even distribute the payout trust in coinbase only mining.
13:18 < petertodd> shesek: if you genuinely make arbitrary data storing impossible you've probably made future soft-forks difficult to impossible
13:18 < petertodd> shesek: e.g. you need to change the signature algorithm, now what?
13:19 < maaku_> are all forms of transaction storage length prefixed though?
13:19 < petertodd> gmaxwell: ha, nice
13:19 < gmaxwell> petertodd: also the entities need only about 1mbit/sec of bandwidth if you assume eligius' current user count and that each user is targeting 4000 shares / day  (which gets them to the point where weekly performance <98.5% if less than 1% likely)
13:19 < petertodd> maaku_: not yet, but they can be made to be in a hard-fork
13:19 < helo> would those then be unspendable for 100 blocks?
13:19 < gmaxwell> which means you could easily support additional observer entities over the N.
13:19 < maaku_> regardless though I don't think it will work - before the soft-fork the length-extending version means nothing, after it means there's extra bytes
13:20 < petertodd> maaku_: doing that in a soft-fork is much less trivial, I'm talking about a hard-fork
13:20 < maaku_> well ok, i guess it'd work if every instance of transaction storage is made length prefixed
13:20 < gmaxwell> helo: the payouts in what I'm talking about? yes.
13:20 < petertodd> gmaxwell: not bad
13:32 < adam3us> maaku: the online validity check is for double spend checking, and if you want privacy then you have to get it refreshed by the issuer (swap a signed certificate for a new one)
13:33 < maaku> the online validity check is the only show stopper for me then, at least in the public chain case
13:34 < maaku> I wonder how much we can reduce the burden of maintaining a double-spend db
13:34 < adam3us> maaku: yes but if its a certificate rather than a signature, you can delay or do that publicly
13:35 < adam3us> maaku:  the chaum thing is like you end up with a signature on a random number which they chose to interpret as "the bearer is the bearer of 1 ecash unit"
13:36 < adam3us> maaku: in bitcoin terms its cashable by anyone! so the recipient has to connect with haste to the issuer and send the coin to it over ssl, because its about as secure as a bitcoin private key that the other user still has
13:36 < maaku> but with credentials it's basically like any other output, minus the traceable history
13:37 < maaku> except that validators have to keep a list of which credentials have already been spent
13:37 < maaku> so you lose the benefits of needing only the utxo for chaum/brands outputs
13:37 < adam3us> maaku: yes so if you replace the random serial number with a public key hash, then you can define seeing the certificate doesn't confer anything except that the person with the ability to sign with this is proving they are the owner of a freshly unlinkable ecash unit
13:39 < adam3us> maaku: i think bitcoins blockchain is a double spend database, its analogous though we think about it differently because of bitcoin mechanics, semantics and terminology - but its a distributed double spend db in functionality
13:39 < maaku> adam3us: yes, but validation must not require access to the entire blockchain history
13:40 < adam3us> maaku: eg its going to be far more scalable for a few validators to keep a list of spent coins, than to broadcast the double spend db
13:40 < maaku> that wouldn't even scale to current levels
13:40 < maaku> that's why we extract out only the information relevant for validation to the unspent transaction output index
13:41 < maaku> but chaum credentials would require keeping a history of all spent blinded outputs, which grows linearly with total history
13:41 < maaku> that's not scalable
13:41 < maaku> s/keeping/miners maintaining an index of/
13:42 < maaku> of course it's all there in the block chain history, but right now miners or other full validators don't need the entire block chain history to validate new blocks
13:42 < maaku> so it'd be a large step backwards
13:43 < adam3us> maaku: its a bit analogous to zc
13:43 < maaku> but i suppose some sort of system could be designed to pay for this storage, and to retire old series of coins
13:43 < maaku> speaking of which, what's the advantage of zc over this?
13:43 < adam3us> maaku: yes they do have the concept of issues, retire the key
13:44 < maaku> is it that there's no centralized mint?
13:44 < adam3us> maaku: this is a new permutation i think - to have a single issuer, but use blockchain storage of double spend db
13:45 < adam3us> maaku: its a more robust alternative to OT having multiple servers
13:46 < adam3us> yes with zc there is no central issuer, and all the coins can be in one anonymity set; if an issuer goes down, its keys are lost, then future issues will have a different key - but also this is an issuer - if it goes down maybe they become non-redeemable to the underlying also
13:47 < maaku> adam3us: yes, generally speaking except for the host currency (bitcoin/freicoin) it's okay to have some trust in the availability of the issuer, if the issuer == the redeemer
13:50 < adam3us> maaku: it could be reactive... like start with a separate redundant storage for the dbl spend (peers, validators, redundant servers) but rely on a transaction server.  if there start to be big problems with transaction servers remaining online, then the redundant stores can populate a blockchain and probably receipts and timestamps can prove its the full set
13:50 < maaku> it would be ideal if there were some way that proof-of-uniqueness could be maintained by the holder, not the network, and provided upon redemption
13:51 < maaku> adam3us: no, not if dbl spend status is a consensus property (a double-spend is not a valid transaction, right?)
13:52 < maaku> then every full node would need to have this info, if we want to maintain bitcoin's decentralized properties
13:53 < adam3us> maaku: a few days ago gmaxwell was suggesting you can get most of the benefit just trusting the issuer to be available (or his transaction server... his actual issuing key maybe not online)
13:55 < maaku> i'm not sure how that relates to the issue i'm seeing
13:56 < maaku> i'm a full node, i receive a block with a chaum spend in it. how do I know if it's valid (not double spent)?
13:58 < adam3us> maaku: as it stands the usage pattern people gravitate to is that you check its not double spent
14:00 < maaku> and i see two options for that: (1) check the authoritative block chain history (not scalable because you must always remember spent tokens), or (2) ask a transaction server, which decentralizes bitcoin
14:00 < adam3us> maaku: maybe you could get other tradeoffs; currently by having a double spend db, then any coin spent could be any previously unspent coin from any previous withdrawal (blind issue event) so the anonymity set is maximal
14:03 < maaku> still, all these reservations aside, that only affects the public chain case
14:03 < maaku> there's no reason not to include these blinded credentials on private accounting servers
14:03 < maaku> where the server itself can maintain the dbl spend list
14:03 < maaku> jtimon: ^^
14:04 < adam3us> maaku: lets say you use a brands credential which supports zkp attributes.  you unblind the token, then you prove the block height it was issued at is < 144, and therefore the miners add it, you can later prove you own it, transfer it to the new owner, who can request the issuer create a new one replacing the old one
14:05 < adam3us> then full nodes only need to keep last 144 blocks of double spend
14:06 < adam3us> maaku: you have anonymity within the last 144 blocks of withdrawals, and the can look for spend transactions to check if its valid
14:07 < adam3us> maaku: (the recipient) presuming the transfer of ownership is itself logged
14:07 < adam3us> maaku: then you have some kind of blind smaller anonymity set utxo like concept
14:14 < adam3us> actually maybe you can make a p2p blind signature for the transfer of ownership.  combined with committed tx that is actually quite interesting, it means you dont know the address of the person you paid (payee anonymity)
14:15 < maaku> committed tx meaning utxo hash tree committment?
14:16 < jtimon> I think committed tx are more like a chain that timestamps everything without validating anything
14:16 < adam3us> maaku: no its something else with a badly labelled bitcoin talk subject heading. you can have the blockchain validate double spends
14:16 < jtimon> if I understood it correctly, of course
14:16 < adam3us> maaku, jtimon; right, so the block chain doesnt see who is spending to who, nor how much
14:16 < maaku> link?
14:17 < jtimon> then validators interpret the transactions by the order they appeared
14:17 < maaku> and yeah that's a horrible name
14:17 < jtimon> so if a double-spend is committed, no problem, it will just be ignored by validators
14:18 < adam3us> https://bitcointalk.org/index.php?topic=206303.0
14:18 < jtimon> but yeah, I should read it, I'm trying to guess how the proposal works really
14:19 < maaku> jtimon: well that's really my point - how do the validators validate without keeping a O(n) history
14:19 < adam3us> maaku: they either pass it with the transaction, or its on the block chain, and being in the transaction path, they get to see its history back to genesis, or to uncommitted form
14:20 < jtimon> the transactions can refer to a previous block
14:20 < adam3us> maaku: you can reveal it back to the network fairly soon, or keep it offchain for ever
14:20 < adam3us> maaku: you can respend a committed tx
14:20 < maaku> "they get to see its history back to genesis" <-- that's what we've got to avoid
14:20 < adam3us> maaku: (in committed form)
14:20 < adam3us> maaku: yes its not had much work on trying to figure out a spv concept
14:21 < adam3us> but i think the new idea to use a blind signature for the p2p transfer may nudge some possibilities out of it
14:21 < adam3us> another interesting aspect is had homomorphic encrypted values worked out, then you can disclose those also, without loss of privacy
14:21 < maaku> well it's not really about spv - even full validation would not be possible at current transaction rates if validators needed random access to the entire block chain history
14:23 < adam3us> maaku: it may not be as bad as that, the sender gives you everything you need to validate
14:24 < adam3us> maaku: you can have prevalidated and indexed encrypted utxo (actual forged double spends are ignored so are useless other than spam)
14:25 < gmaxwell> adam3us: "useless other than spam", which there is absolutely no way to defend against in that scheme.
14:25 < adam3us> maaku: combining it with homomorphic value is interesting because you can have normal validation then
14:25 < gmaxwell> so one wizeguy with a while true ends your system.
14:26 < jtimon> maybe transactions can be required to also provide som pow?
14:26 < jtimon> some
14:29 < adam3us> gmaxwell: yes agreed spam needs defending.  there are (cleartext) fees however.  and you can already pay to spam.  however this is messing up a different aspect, which is the utxo size.  i guess you can spam that too currently?
14:30 < gmaxwell> adam3us: only by creating valid transactions.
14:30 < adam3us> gmaxwell: is that a useful distinction? (in the eyes of the spammer)
15:12 < gmaxwell> adam3us: okay, well I can't argue with a non-specific system. There may be some way to do it.. but the colored coin stuff people talk about does not accomplish it. As far as I can tell it's not a useful tradeoff over issuer ledger with cross chain trades.
15:12 < maaku> gmaxwell: you could have per-asset zc accumulators, no?
15:12 < adam3us> gmaxwell: dont attach too much to coloring as a process, if you had moderately efficient zc, you can extend it like brands so there are ibm coins and usd coins and bitcoin zcs
15:12 < maaku> ok that's not "as described"
15:12 < gmaxwell> maaku: it's not as described. :P
15:13 < adam3us> so my point is (about why fungibility and fairly immediate final settlement is important) that if you let courts get into canceling and undoing transactions it introduces dispute costs into the transaction layer and you have no improvement over the status quo
15:14 < adam3us> they can still do their dispute resolution, just their job is to identify the party who committed the theft and demand he reimburses the victim
15:14 < gmaxwell> adam3us: I agree with that advantage only where it actually exists. Eg.  yea the ledger has that weakness but so does _every_ colored coin system which I've ever seen described in detail.
15:14 < adam3us> you no more want the court undoing transactions than you want the convenience store heist to result in usd paper in your wallet to be seized 10 transactions later
15:14 < gmaxwell> And yea sure, if you postulate a system which doesn't have that problem then I revoke my complaint, there would actually be a reason to use that one vs issuer ledgers.
15:15 < gmaxwell> But where are the proposals for those systems? :P
15:15 < adam3us> gmaxwell: ok ok yes; i am leaning on idealized ecash system property which bitcoin does not currently robustly have
15:15 < BlueMatt> gmaxwell: except for the insane overhead of running your own ledger if you just want to issue some bond...contracting out the ledger without contracting out the issuance is actually quite nice
15:15 < BlueMatt> same with running your own chain
15:16 < gmaxwell> adam3us: fair enough, though it makes my other arguments stronger. e.g. ZC is hundreds of times less scalable than bitcoin * global blockchain = yuck.
15:16 < adam3us> gmaxwell: i think all agree that bitcoin should have that property as fast as we can figure out how to do it, viz coinjoin, coinswap, mixes, zc, committed tx, homomorphic encrypted value etc
15:16 < gmaxwell> yes, bitcoin should be ecash, ideally.
15:16 < adam3us> gmaxwell: alright lets do it then :)
15:17 < adam3us> gmaxwell: btw i saw you made the same argument i did in one bct thread that fungibility is orthogonal to identity traceability/etc
15:17 < maaku> you could do straight chaum or inefficient zc on a private server though (OT or Freimarkets)
15:17 < maaku> that's one advantage over doing IBM shares on the public chain
15:18 < adam3us> maaku:  this is true, and chris odom has chaum, and expressed an interest in homomorphic encrypted values (if i would get off my butt and implement the protocol) and brands also likewise
15:18 < gmaxwell> maaku: yea I almost argued that a moment ago, but I'm contemplating the court arguing IBM to rewind the entire state. Of course they could do that to bitcoin too... E.g. snapshot the ZC accumulators for IBM coins as of height=12345 and now all IBM shares are offnet.
15:19 < gmaxwell> If it's really blinded to ibm, then I think you get most of the advantage of non-revocability (because it would create a disaster of doublespending) without requiring a global consensus network to create non-revocability.
15:19 < gmaxwell> The non-revocability comes from it being a suicide pact not the pow.
15:19 < adam3us> gmaxwell: i dont know that the court really need to go there, i think its better if the parties can be identified (eg by each other with proof) and the court can tell the guy who ripped the other guy to reimburse him
15:20 < adam3us> gmaxwell: after all there is currently not much bank note serial number blocking
15:20 < gmaxwell> I assumed we didn't exploit serial numbers more because we don't want to ruin fungiblity.
15:21 < gmaxwell> the obvious thing to do would be to catch counterfeit bills, by making serial numbers digital signatures and having banks announce ID's in their possession .. but as soon as we do, the USD would be unsafe to accept.
15:21 < adam3us> gmaxwell: (i mean in the paper usd analog, when they have crimes they go after criminals, not after tracking down the individual notes and seizing off the current innocent owners under "receiving stolen property" rules)
15:21 < gmaxwell> adam3us: right, I understand.
15:21 < maaku> gmaxwell: i always assumed banks did this behind the scenes...
15:22 < gmaxwell> maaku: no, you know they don't because you've never heard of someone getting @#$#@ due to accepting a superdollar.
15:22 < gmaxwell> If they are they're silent about it and not making the customers eat it.
15:23 < adam3us> gmaxwell, maaku: they dont want to dent confidence in fiat, its a fragile confidence bubble with no underlying value, apparently when they deflate, historically they are almost impossible to reinflate without going back to eg gold backing and then weaning off slowly
15:23 < maaku> i mean, if I was DHS I would make every atm or teller counting machine scan the serial number and submit it with tx info
15:23 < maaku> i just assume, operationally, that is what they're doing
15:23 < adam3us> maaku: yes but whats the point.. no criminal is ever going to pay their note direct to a bank or atm deposit
15:24 < gmaxwell> yea, it's probably a safe "paranoid" assumption.
15:24 < gmaxwell> I don't know if its true but it could start at any time.
15:24 < maaku> adam3us: yeah, but if you had this info for every piece of paper that enters a bank, you can detect flow of money, deduce drug routes, etc.
15:24 < adam3us> maaku: they might track it and ask people, if there is something unique to try track down a forgery ring, but generally its hard, a shops cashdrawer is like a digital mix, they have no idea
15:25 < adam3us> maaku: oh sure they probably log and scan the crap out of it, but they're not breaking fungibility
15:25 < maaku> not with real bills, but they do reject counterfeits
15:25 < gmaxwell> maaku: well, only bad ones.
15:26 < adam3us> gmaxwell: so back to your comment above that most of this can be done by IBM operating their own double-spend db, online, and be done with it (with chaum for fungibility)
15:26 < gmaxwell> maaku: rejecting counterfeits that a careful shopkeeper could also reject doesn't break fungibility.
15:26 < gmaxwell> Rejecting ones that can only be detected with trusted online read/write access to a bank database would.
15:27 < adam3us> gmaxwell: one diff is ibm is central and could get their db hacked, the same way various bitcoin business had bitcoin thefts or ownership database modification
15:28 < adam3us> though they could append only write once log everything, if its fungible thats still a problem as you dont know which tx to accept after fixing the db
15:28 < gmaxwell> adam3us: imagine what IBM runs is a private fork of bitcoin with ZC, a separate network.. and instead of POW they use IBM signed blocks and WORM media.
15:28 < adam3us> hmm maybe you could think of the block chain as a distributed secured append only double spend implementation
15:28 < maaku> adam3us: OT or OT-like private accounting servers would prevent this - every affected participant would know that the server reversed its state
15:29 < adam3us> gmaxwell: its not bad, while they can undo things, they cant usefully undo them because of the blinding anonymity based fungibility
15:32 < adam3us> it does mean ibm has to be online and be involved in every trade of ibm for usd, or btc.
15:32 < adam3us> as you cant securely transfer without their confirmation of non-double spent status
15:33 < adam3us> maaku: they may know but what are they going to do about it? i presume the OT argument is to instantiate a new OT server, repopulate it with their combined logs and start with a new key
15:35 < adam3us> gmaxwell: i think another diff is the central server approach has full control and sets its own rules and can change them at any time
15:36 < adam3us> gmaxwell: eg with blockchain, there could be a smart-issuing-contract on a share, that says they cant issue more without 25% share holder approval, they cant do a share buy back without similar, and the approval is validating the amount; in this way the issuer is relatively powerless and has to behave within its contract
15:36 < gmaxwell> adam3us: yes, but I think thats true even using bitcoin since ultimately IBM controls the redeeming. e.g. "We're gonna go issue new shares over here, too bad for you guys that don't agree, since we're paying out the dividends"
15:37 < adam3us> gmaxwell: also redemption is a mini-buy back, so if those are allowed they would be required to prove possession and to prove destruction
15:38 < adam3us> gmaxwell: yes while the details are hazy at this point, i think where this is heading is like a scrupulously honest, uninfluenceable virtual bot enforcing as much of the company's stock rules and finances as can be coded
15:39 < adam3us> gmaxwell: except that as its block chain validated it is the down stream recipients that validate and reject if the terms were not followed, so the potential to apply the smart-contract apriori enforcement can cover more and more of financial function
15:40 < adam3us> gmaxwell: ie the profits are mathematically defined, and the dividend voted on, and the company cant override the agreed rules for dividend issue
15:41 < adam3us> gmaxwell: and no one would pay an address for IBM not covered by its company contract, as they'd know there would be elevated risk the company execs would line their pockets without shareholder and board approval
04:49 < gmaxwell> we had big farms with gpus, amd is now raising their gpu prices due to litecoin. I don't think hardware selection saves you from consolidations, being worthless does. :P
04:49 < adam3us> gmaxwell: amiller's thing might be easy to make work no?  as i recall we were talking about eg chameleon hash so the miner can choose after the fact what the reward address is
04:50 < adam3us> gmaxwell: yes probably no diff from that perspective
04:51 < adam3us> gmaxwell: it might be hard to pool two fast computers super-linearly with momentum because of latency and bandwidth of ethernet vs ram, however simpler proof of work doesnt have that problem to start with
04:52 < gmaxwell> adam3us: I think it's trickier than that, because you can't have people going and replacing 'ordinary blocks' later. ... but regardless, as I mentioned above, I don't think it helps even if its easier because while it would kill pooled mining completely dead, people would still cloud mine... and without pooling they'd probably only cloud mine.
04:52 < adam3us> gmaxwell: in principle a fixed momentum could be a memory hard proof of work, but with no memory to verify.  verification is h(a)=?h(b) mod 2^k, and h(a,b)<target
04:53 < gmaxwell> The way all the popular pools today (excepting p2pool) work their operators could be easily skimming a couple extra percent from users nearly undetectably in any case... and few care (as measured by the p2pool hashrate).
04:53 < adam3us> gmaxwell: yes and cloud mining is in many ways worse - even if the user is independent, the hosting provider can comply with court orders to tamper and not tell user (gag on top)
04:54 < gmaxwell> or it could all be going along in a lovely way ... until it isn't and all the hardware has been handed over to someone else.
04:54 < adam3us> gmaxwell: i am having a "if they dont care" make some technical approach to make them care moment - eg hack them, or make them easier to hack
04:54 < adam3us> we are lacking a disincentive to idiocy motivator
04:55 < gmaxwell> well, I don't have anything to offer, in darker moments I've mused that the only "fix" is to go out and run dishonest pools and mining companies and just rip people off ... but even there, that doesn't work: it's already been done and here we are.
04:56 < gmaxwell> I suppose that in the limit, with enough theft, people will eventually clue up or go broke... but a little doesn't appear to be enough.
04:57 < adam3us> gmaxwell: anyway something useful from this discussion, it seems there is scope within coinbase only eg gbt extension to give people who do care something they can do using existing pools; though why they would not use p2pool already is a mystery (if it really does scale)
04:57 < gmaxwell> as I mentioned before, 50btc is eating all coins, and it still has non-trivial hashpower. People even show up on IRC asking about it from time to time... I went and updated the wiki page the last time someone showed up in #bitcoin-mining asking about using it: https://en.bitcoin.it/wiki/Comparison_of_mining_pools
04:58 < adam3us> gmaxwell: LOL pps fee=100%, 1.8TH ha ha ha
04:59 < gmaxwell> adam3us: p2pool scales but has some tradeoffs in the payment mechanism / variance.  ... at least right now it 'scales' by keeping the pool-wide share rate to 1 share per 30 seconds. Which means that if you're a "small" miner, e.g. 60gh/s you're only getting a couple shares a day, and not getting paid in every block.  So higher variance than you would get mining at eligius.
05:01 < gmaxwell> Personally I think people worry too much about variance, if you're getting paid multiple times a week, meh, nothing bad will happen.  But its a much more visible thing to miners than things like the risk of a pool attacking the network or skimming an extra 1% on top of their 3% stated fees.
05:02 < gmaxwell> plus you have to run p2pool which adds an extra 500MB memory and 2kB/s of network traffic, on top of running a full node.  Coinbase-only could let you have more payment pooling flexibility, and potentially outsource the full node running to a third party (distinct from the pool)
05:03 < adam3us> gmaxwell: according to 50btc.com it has 3.26 TH i guess its not so much only $1670/day
05:04 < adam3us> gmaxwell: i do like stuff Luke-Jr does.  like down prioritizing reused address and other fun. would happily delegate vote to him
05:05 < gmaxwell> yea "only" $1670/day.   "I'm in the wrong business" when you could just run a pool for a bit then stop paying people and receive $1670/_day_. :P
05:05 < adam3us> gmaxwell: of course he already has 12%
05:06 < hno> gmaxwell, I would hope it declines rapidly if trying to pull that off.
05:06 < gmaxwell> yea, thats a somewhat recent event.
05:06 < gmaxwell> hno: they stopped paying over two months ago. It did decline rapidly, but it seems like it's taking a loooong time to die completely.
05:07 < gmaxwell> there are people who lost >100 btc in accrued funds on the pool.
05:07 < hno> right, that pool...
05:08 < adam3us> gmaxwell: $600k/year :) seems odd - their own stats show their % nosedived from 122TH in oct to 3TH now.  even so they had 3% fee so 3% of 122 > 100% of 3.26 (just) seems more like bitrot- but why bitrot something paying high income? weird
05:08 < gmaxwell> basically every major pool has been hacked at some point, except eligius.  (and maybe except ghash.io, but I'm actually not sure there)
05:10 < gmaxwell> adam3us: well they were losing their position due to growth of cex hashrate. ... now, they claim to have been "hacked" so it may not have been a choice,  but otherwise 100% of 3TH _plus_ hundreds of btc in balances  vs 3% of 122 with prospects of rapid declines in the share of the total...
05:10 < hno> same rule as always.. keeping funds online / at control of others (not sure there is a distinction between those two) is high risk.
05:12 < adam3us> gmaxwell: but it seems bizarre - hacked and locked out and hackers just left it that way? didnt care? "hacked" ie they took their own funds and pretended it was a hack and moved onto other projects
05:12 < gmaxwell> I, personally, think the latter is fairly likely.. but the pool was basically always very absentee-operated. E.g. lost a whole bunch of blocks when p2sh was deployed because they hadn't updated.
05:15 < gmaxwell> The way it played out is that they were "hacked" and then didn't respond at all for two weeks. The 'hackers' scrambled up everyone's balances and ran off with all they could. it's since been locked down and there is apparently some story about some ransom for the balance data.
05:16 < adam3us> eligius approach for immediate payout in the coinbase is more sensible, then miners can validate their address is in the coinbase and central theft risk is largely avoided
05:17 < gmaxwell> not completely, since it could be live stolen, e.g. hack in and make it pay any found blocks to the attacker until someone notices.
05:18 < gmaxwell> but there are independent people running sanity checkers on the eligius coinbases.
05:18 < gmaxwell> and the operators phone numbers are on the website and irc channel, so its unlikely that would last long
05:30 < maaku> adam3us: how do you distribute mining fees if the pool doesn't select transactions?
05:32 < maaku> gah, tx fees
05:33 < gmaxwell> maaku: pretty straight forward, you report the fees in your shares submitted to the pool, and the pool does some proportional thing for at least the fees portion of the payout.
05:36 < maaku> gmaxwell: so you pass fees as a parameter to gbt? i guess that can work
08:43  * andytoshi-logbot is logging
08:57 < andytoshi> nOgAnOo: http://download.wpsoftware.net/bitcoin/wizards/
08:57 < andytoshi> i should probably have the logbot announce that url..
09:11 < michagogo|cloud> andytoshi: Note that freenode policy is that public logs of a channel need to be authorized by channel operators, and all users need to be made aware (the suggested method is a note in the topic)
09:12 < michagogo|cloud> (chanserv says that the only op in here is mindspillage... no idea who that is)
09:16 < michagogo|cloud> Google (and NickServ's listing of the cloak on the account) suggests it's someone named Kat Walsh, a former chair of the Wikimedia Foundation and attorney for Creative Commons
09:17 < michagogo|cloud> Still no idea who this person is and why she registered this channel...
09:18 < pigeons> michagogo|cloud: someone in this channel is very close to her
09:19 < pigeons> i've seen him use her irc account, as can sometimes happen when you share machines with someone
09:19 < michagogo|cloud> Ahhhhhh
09:19 < michagogo|cloud> A google search for (mindspillage OR "kat walsh") bitcoin
09:20 < michagogo|cloud> turns up http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/03/03
09:20 < michagogo|cloud> Hi Greg :-)
09:20 < michagogo|cloud> Gregory Maxwell (greg@wikimedia/KatWalsh/x-0001) is authed as mindspillage
09:21 < michagogo|cloud> They share a NickServ account? o_O
09:23 < michagogo|cloud> ;;later tell gmaxwell I noticed http://en.wikipedia.org/wiki/User:Gmaxwell has an outdated version of your pgp key... missing 2 UIDs, 2 subkeys, and 158 signatures
09:23 < gribble> The operation succeeded.
09:27 < andytoshi> michagogo|cloud: thx
09:30 < andytoshi> ;;later tell gmaxwell freenode policy is that i notify a channel op before running andytoshi-logbot, and that the log url ( http://download.wpsoftware.net/bitcoin/wizards/ ) wind up in the channel topic
09:30 < gribble> The operation succeeded.
09:31 < michagogo|cloud> andytoshi: s/notify/ask permission from/
09:31 < andytoshi> oh :)
09:32 < andytoshi> if anyone has a problem, i will take it down -- but i have mentioned to gmaxwell that i'm running this log bot before
09:33 < michagogo|cloud> andytoshi: It's actually in the motd
05:19 < TD> that would be useful. the scheme in your post sounds like a wallet would have to sync with the network regularly just to keep money spendable, not only like today to learn about new inbound coins
05:20 < Mike_B> a "merkle mountain range" just looks like a set of merkle trees?
05:20 < Mike_B> where there's no single top node?
05:21 < gmaxwell> TD: kinda! in order to spend it would need some data that is kept updated by an online node, but it doesn't have to have this data itself, if there are other nodes providing this service.
05:21 < TD> right
05:22 < gmaxwell> Mike_B: it's an insertion ordered binary tree where you keep the right edge of the tree constantly. So you can keep inserting while only storing ~log2(n) data.
05:23 < gmaxwell> see also, https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
05:30 < Mike_B> gmaxwell: what do you mean by keeping the right edge of the tree constantly? looks like in the example above that they append nodes to the right and the left is constant
05:30 < Mike_B> in that github link
05:32 < gmaxwell> Mike_B: "keeping constantly" means keep that data all the time. sorry for the confusing language. :)
05:33 < TD> gmaxwell: did you see the multi-party lottery paper?
05:34 < TD> probably the most impressive piece of academic research into bitcoin yet, too bad the paper has a fair few spelling errors and is quite hard to follow
05:34 < gmaxwell> I did. and their transaction.
05:34 < gmaxwell> (I didn't comment in the thread.. instead I used my diabolical mod powers to copyedit amillers post :) )
05:36 < TD> hehe
05:37 < TD> i sort of understand why they invented their own notation for the scripts and transactions given the complexity of their programs, but ... i really wish they had avoided greek letters
05:37 < TD> english pseudocode is so much easier to follow
05:38 < gmaxwell> I was just talking to Iddo about it earlier, he's emailing them to point out the efficiency improvements Adam Back and he came up with in their cointoss thread.
05:39 < Mike_B> gmaxwell: sorry for being so slow here, i'm trying to get caught up to speed fast
05:39 < Mike_B> you guys have a tremendous amount of knowledge at the ready
05:39 < Mike_B> i'm totally new to the game
05:39 < TD> yes it reminded me i never wrote up adams/iddos coin toss protocol on the wiki
05:39 < TD> must do that
05:40 < Mike_B> so here's an absolute noob question: when you talk about the utxo set, you just basically mean the total set of coins that each wallet has, minus the wallets with 0 coins (e.g. almost all)?
05:40 < Mike_B> like it's a set of wallets with coins in them that are "unspent," meaning they're still in those wallets?
05:40 < gmaxwell> I wonder if any of those software packages for making illustrations from state machine descriptions could be put to use in illustrating some of these protocols.
05:41 < gmaxwell> Mike_B: Bitcoin doesn't track balances. It tracks transaction outputs, which we often tend to call coins.  Every transaction specifies a list of TxIns and a list of Txouts.
05:42 < gmaxwell> Mike_B: the TxIns are the transaction outputs from past transactions that it will be consuming; they're represented by encoding a txid and an index (which txout of that txid).
05:43 < gmaxwell> The txouts are the outputs from the transaction, which have a scriptPubKey (identify the rules for spending the output) and the value.
05:43 < sipa> it's very much like a wallet, where you track each individual coin
05:43 < sipa> except that coins can have arbitrary values
05:43 < sipa> to do a transaction, you give some coins, and get some coins back
05:43 < gmaxwell> The UTXO set is all the txouts that haven't been spent yet... keyed by txid:index.  with data being .. the scriptpubkey and value (and potentially a little bit of other data)
05:44 < gmaxwell> There are a bunch of reasons why this way of constructing the system actually turns out to be simpler than having balances. And if you're always using new public keys for privacy, its basically the same efficiency.
05:45 < Mike_B> ok, got it
05:45 < gmaxwell> https://people.xiph.org/~greg/tx.flow.png < a simple visualization I did for a post previously.
05:45 < Mike_B> ok, so instead of a set of "wallets with balances," which is what i thought naively, it's just a set of "wallets with individual coins," where each "coin" is a transaction that went to that wallet and is still in there
05:46 < gmaxwell> right, and a coin is spent atomically. If the coin has more value than you want to spend, you add an output to send some of the value back to you.
05:46 < gmaxwell> "Change"
05:46 < Mike_B> oh, i totally get this from satoshi's paper now
05:46 < Mike_B> when he talks about an individual coin being a chain of signatures and etc
05:47 < gmaxwell> Right! yea, the whole system of transactions works without the blockchain at all, so long as no one double spends. :)
05:47 < Mike_B> i was always confused because it sounded like he meant literally one coin, like
05:47 < Mike_B> but a "coin" is just a transaction
05:47 < Mike_B> ha, that makes way more sense now
05:47 < gmaxwell> right you can imagine it as little metal coins that go off to the network to be melted down and reforged with new owners, and the network obeys conservation of mass.
05:47 < Mike_B> yeah that's exactly how i just visualized it in my head right now, haha
05:47 < Mike_B> different size coins
05:48 < Mike_B> beeeeautiful
05:48 < gmaxwell> (if the outputs are of lower value than the inputs, then the remainder is kept by the miner as a fee)
05:48 < gmaxwell> yea, it's a good mental model, though the overloading of "coin" and "bitcoin" creates confusion. :(
05:48 < Mike_B> i had this thought about mining and consensus and it's connection to something from political science called "arrow's impossibility theorem"
05:49 < Mike_B> it seems like the basic point of the blockchain, in a certain sense, is to come up with some way for the network to reach consensus on which transactions happened first
05:49 < gmaxwell> lol
05:49 < gmaxwell> Thats the purpose of it exactly.
05:49 < gmaxwell> I'm laughing because I spent a lot of time on IRC telling people that the only real purpose of mining is ordering transactions.
05:49 < Mike_B> say i'm in the US, and you're in japan, and we both control the same wallet with 1 in it, and we try to spend that 1 "at the same time"
05:50 < gmaxwell> yea, there is no _general_ autonomous way to have a decentralized order; see Lamport's clock paper. Relativity makes order position dependent, if you want to be uber wanky about it.
05:50 < Mike_B> but there's no such thing as "at the same time" actually, because even if information traveled as fast as possible (e.g. at the speed of light) it'd still take like 30ms or so for information to get from (say) new york and japan, right
05:50 < Mike_B> haha, you called the thing i was about to say "wanky" before i even got to wank :(
05:51 < gmaxwell> I'm allowed to call it wanky because its a position I've earnestly advocated. :)
05:51 < Mike_B> so anyway, *wank wank wank* relativity, no privileged reference frame, etc
05:51 < gmaxwell> But, you know, invoking relativity to explain ... its a little overpowered. :)
05:52 < Mike_B> i did find it useful though, because sometimes you're fooled into thinking that at bottom, there really was a "true" ordering of events
05:52 < Mike_B> and network latency just obscures that One True Ordering
05:52 < Mike_B> i found it useful to realize that i need to completely give up on that because it doesn't even exist
05:53 < gmaxwell> but right, for the most part the system is autonomous and trustless but relativity gets in the way, making there be no true order unless you assume a privileged position. So we use a computational vote. Voting sucks. But it's pretty much only used for the ordering.
05:53 < Mike_B> yeah that's what i was thinking
05:53 < Mike_B> the network basically needs to "vote" on a reference frame, and bitcoin is like using the "random ballot" voting approach
05:53 < Mike_B> and the downside to that approach is the 51% vulnerability
05:54 < gmaxwell> right. but if you think about it any kind of "consensus" must have some kind of majority vulnerability... otherwise it has a minority vulnerability!
05:55 < Mike_B> if you used "first past the post" voting, which is kind of ripple's trying to do, you'd run into some other characteristic vulnerability
05:55 < gmaxwell> if there are orthogonal states that honest nodes can disagree on, and you must pick one...  the weak part of bitcoin isn't 51% it's that it's a 51% of computation (well, really energy consumption it seems :) ) which may not map to anything fair.
05:55 < Mike_B> hm need to think about that re minority vulnerabilities
05:55 < gmaxwell> "fair"
05:56 < Mike_B> yes, that makes sense
05:56 < Mike_B> well i was curious if the 51% attack is a special case of that Arrow's impossibility theorem with the "random ballot" voting method
05:56 < gmaxwell> e.g. 51% of computing power could still be 1% of people, which would be a bit unfortunate. Though, if you want to be .. again. wanky.. given enough time 51% of energy means 51% of anything else. If bitcoin was based somehow on counting people, china (favorite boogeyman) could use an energy majority to fund mining babies.
05:57 < gmaxwell> 'mining'
05:58 < Mike_B> what do you mean by that 51% of anything else part?
05:59 < gmaxwell> I was responding to my own point that 51% of energy expended on the system is not necessarily a fair representation of the wishes of the users. But at the same time if someone can really outspend the honest users, then upto-some-efficiency-constant-factors they can also out-whatever your metric is.
05:59 < UukGoblin> isn't "wizzard" spelled with two "z"s? ;-)
12:05 < gmaxwell> Well SNARK basically just means "efficient proof", but you mean are there ZKP that are more efficient for cert chains.. and yes, there are, e.g. signatures in the identity based encryption model are basically that.
12:05 < gmaxwell> (and they can even be smaller than our own signatures; assuming you trust pairing crypto)
12:05 < TD> you mean for IBE/ABE and variants?
12:07 < gmaxwell> TD: http://www.larc.usp.br/~pbarreto/pblounge.html e.g. CC02 there. (Though I don't recall if that one uses short signatures, I think it does)
12:07 < TD> thanks
12:07 < TD> btw, your construction requires a proof of a program that itself runs a program. does that explode the complexity requirements?
12:07 < TD> i mean does the program you prove have to basically be an interpreter for another program?
12:09 < gmaxwell> Nah, it just has to have the function embedded in it. The payer would see the meta program and be happy with it.
12:09 < TD> right. because the secret you're selling is not a program, it's the inputs to the program
12:10 < gmaxwell> right if it is a program you'd have to have the execution inside it. though _technically_ that wouldn't be any harder. In fact thats how tinyram works.
12:10 < gmaxwell> E.g. for tinyram all users use the same validation key, the validation key for the tinyram circuit.
12:10 < TD> yeah, the program it proves is a cpu that runs the real program
12:10 < TD> yeah
12:10 < gmaxwell> well I shouldn't say any, tinyram is a slowdown for many things.
12:10 < TD> well, no, i thought the tinyram circuit was manufactured by a compiler and it is a series of steps customised to the program that has to be run. like in size.
12:11 < TD> so it's somewhat but not completely generic
12:12 < gmaxwell> TD: nah, at least what they're doing right now the tinyram key is constant (at least for a given number of public inputs, and a duration of execution, the latter being the big thing). and the hash of the program you want it to run is one of the public inputs on the proof size.
12:13 < TD> right, that's what i meant, it's customised for the execution time.
12:13 < TD> i guess in future an obvious optimisation is to customise it further, so opcodes you know can't be executed at time X aren't emitted
12:14 < gmaxwell> Right and indeed. I was thinking about that in particular related to bitcoin, for our applications we often want proofs of hashtrees (e.g. is this transaction committed), and implementing sha256 in tinyram is stupidly inefficient compared to a direct circuit.
12:15 < gmaxwell> but such programs could usually be arranged as a set of pre-processing steps where there is no control flow, and then a set of tinyram steps.
12:16 < TD> or you could just microcode SHA256 or other primitives so the compiler emits specialised circuits directly
12:16 < TD> i think that's what eli suggested for RSA modular exponentiation
12:17 < gmaxwell> yes, but then you increase the size of the tinyram machine, which makes all the steps when you won't be running the instructions slower. It might make sense for sha256 since you probably would want it in the middle of control flow for many applications.
12:18 < gmaxwell> in any case, at least for the GGPR zk-snarks the validation keys are pretty small. (similar in size to the proofs) and it would be perfectly reasonable to have circuits customized for many different things.
12:19 < gmaxwell> though I don't know if the same is true for some other systems which don't have the CRS security model limitations, if not then you may really prefer everything use the same circuit.
12:28 < andytoshi> man, this password-locked transaction stuff is brilliant
12:28 < andytoshi> such a simple idea
12:29 < TD> this is a new use of the word "simple" i was previously unfamiliar with
12:30 < sipa> "This obviously some strange usage of the word 'simple' I hadn't been previously aware of."
12:30 < andytoshi> well, the "throw a password into what's being proven" idea is simple
12:30 < andytoshi> everything surrounding it is not, but that's as far as i got trying to tackle the problem
12:30 < gmaxwell> I wrote that why_hash_locked page really as a flight of fancy, at the time I wrote it the construction that all the current work is using to make this stuff tractable hadn't even been invented yet! (well, at least not published yet) The existing ZKP stuff for general circuits that I was aware of appeared to have complexity that was infeasible even as a tech demo. (though, in fact there were some somewhat viable things I just wasn't ...
12:30 < TD> sipa: i forget where that quote is from. hitchhikers guide?
12:30 < sipa> TD: bingo!
12:30 < gmaxwell> ... aware of them)
12:31 < TD> yeah it sounds like Adams :)
12:31 < sipa> (it was 'safe' instead of 'simple')
12:31 < TD> sipa: but it's such a brilliant construction that works with any word :-)
12:32 < gmaxwell> There is also the classic, "You keep using that word. I do not think it means what you think it means."
12:32 < andytoshi> hmm, this is really exciting stuff..
12:32  * andytoshi will look into switching his doctorate to CS
12:34 < gmaxwell> (The Garth2010 paper was out, and I suppose would have worked for this; the proofs involve something like 45 group elements, but the proving process is basically the same as the GGPR stuff. ... of course no implementations, ... now we at least have benchmarks of implementations)
12:35 < andytoshi> what is the stuff that zerocoin uses? i have not read that paper yet..
12:37 < gmaxwell> andytoshi: zerocoin uses an application specific cut and choose zkp, not a general proof for NP.  Their ZC2.0 stuff will be based on a zk-SNARK for NP (like the SCIPR lab stuff).
12:37 < andytoshi> kk, thanks
12:37 < andytoshi> i have not read tho zk-SNARK paper yet either :P
12:38 < andytoshi> i've had students wasting my time all morning
12:49 < TD> it's more of a book than a paper
12:54 < gmaxwell> A lot of the papers in this space are quite long.. e.g. 60 pages is pretty typical.
12:55 < gmaxwell> "I thought this was supposed to be a succinct argument??"
12:56 < zooko> Heh heh
13:01 < gmaxwell> I bumped into a survey paper thats probably a handy reference "Verifying computations without reexecuting them: from theoretical possibility to near practicality" (googling that string yields it)
13:13 < gmaxwell> They don't focus as much on the details around public verification as I would have (since its central to most of our applications) but it looks like a reasonable survey.
13:27 < TD> thanks
13:37 < maaku> andytoshi: switching to CS from what?
13:41 < iddo> gmaxwell: i was confused earlier, Bob sees the entire refund txn (he only sees hash of the earlier txn that the refund spends), so Bob can see that he gets the right amount of coins back if the earlier txn had some of his coins as input
13:41 < iddo> TD: gmaxwell: i wrote the coin toss protocol as short note PDF: http://www.cs.technion.ac.il/~idddo/cointossBitcoin.pdf
13:42 < iddo> i asked the guys who wrote the new MPC paper to reference this instead of forum post, they haven't replied yet
13:43 < iddo> it's also less cluttered than the entire forum discussion, i suppose
13:43 < iddo> (also i asked Adam Back to write this short note PDF, he agreed)
13:44 < gmaxwell> iddo: I don't think you were. The refund transaction can't be authored unless bob has already signed the escrow transaction. in which case, alice could go ahead and announce it and tie up bob's funds without a refund.
13:46 < andytoshi> maaku: mathematics
13:46 < iddo> hmm
13:46 < TD> iddo: an opcode that pushed the block hash would cause problems after re-orgs.
13:46 < TD> iddo: a re-org could change the outcome of the toss and invalidate all following transactions. that's why there's a maturity rule on coinbases
13:47 < iddo> ok maybe the opcode can require some sort of maturity?
13:48 < maaku> andytoshi: well doctorate-level CS is really a sub-field of math ;)
13:48 < TD> perhaps. but not being able to spend the results of your bet for 100 blocks or so is awkward. and the 100 block rule is arbitrary. for coinbases we just have to suck it up, but i'm not sure we should be spreading the idea of "mature" coins further
13:48 < TD> i mean people love their fungibility, right ;)
13:48 < iddo> i mean a node will evaluate this opcode as some illegal value, unless the block is mature enough
13:48 < iddo> ok
13:50 < iddo> yes when considering safe maturity rules, this idea of pushing block hash on the stack becomes much less attractive
13:50 < iddo> i'll re-word or delete it
13:51 < andytoshi> maaku: yes, but nobody in the math dept does crypto :)
13:53 < gmaxwell> TD: part of the reason for maturity is to ensure fungibility. :)  Makes it so you don't have to go inspecting the history of every coin you receive to make sure it's not a recent coinbase.
13:54 < TD> well yes, and as an arbitrary choice it's fine. but we just sort of pretend the 100 block rule doesn't exist. i mean, otherwise we could just auto-checkpoint every 100 blocks and get rid of the maturity rule entirely. and it'd be basically the same
13:54 < TD> it's just yet another magic number. it's worth it, but not conceptually very clean
13:55 < gmaxwell> Yea, not saying it's clean, another number would have worked. At some point in depth a coinbase is like any other input.. is that number 100? 1000? 50?  It's certainly not 12 since we've had reorgs in production that deep, though they were special cases.
13:56 < gmaxwell> Having to worry that 2 tx back there was a bet transaction that will be lost in a reorg is lame though.
13:57 < iddo> gmaxwell: i see about bob having to sign the escrow txn before the refund txn is created, so my first coin toss protocol would indeed need the extra complexity, luckily Adam's protocol makes all of the aspects of it as efficient as possible
06:23 < BlueMatt> not that Ive thought about it at all, but it seems to go together there
06:23 < gmaxwell> 32 years until the reward is imprecise.
06:23  * BlueMatt goes back to all-nighter coding parallel algorithms
06:24 < gmaxwell> Mike_B: software engineering nightmare.
06:24 < Mike_B> yeah that's no good
06:25 < Mike_B> i guess the only way around it would be to just get rid of the finite supply
06:25 < gmaxwell> already the range we have is close to what you can do before it's annoying.
06:26 < Mike_B> which is equivalent to everyone on the network paying a very small "tax" to miners
06:26 < gmaxwell> I do kinda wish bitcoin had been programmed with some very slight inflation. But ... it sure makes the explanation easier to say fixed supply.
06:26 < Mike_B> it would be weird for political reasons, people hate inflation
06:27 < BlueMatt> gmaxwell: i think most people do, but the "deflationary" statement made initial adoption all the more attractive
06:27 < Mike_B> but you could also program it to just suck some tiny percent out of everyone's wallet proportionally totaling 50 or whatever, and then give it to the miner who won as a "tax"
06:27 < BlueMatt> gmaxwell: and despite being little practical difference, there is huge psychological difference between "deflationary" and "barely inflationary"
06:28 < Mike_B> people would probably mind that less even though it's the same thing
06:28 < gmaxwell> Mike_B: there are problems, say you program the inflation rate at 1% and the lost rate is 2% ... after some very large amount of time the inflation is now some large percentage of the actual economy. And thats distorting.. people are like .. out capturing extra stars to implode them to power their miners.
06:29 < gmaxwell> maybe you could get away with some system estimate of the current surviving coin supply to keep that under control... but the solution is not unique. Every part of the bitcoin design which isn't largely unique seems to be subject to endless wasteful debate.
06:30 < epscy> i guess if you use days destroyed that's just a kind of proof of storage, but with the proceeds going to miners rather than the storers
06:30 < Mike_B> i agree having the system estimate the surviving coin supply is bad
06:30 < Mike_B> or likely to cause problems, at least
06:30 < gmaxwell> Mike_B: freicoin does the sucks out thing. ... but their sucks out and pumps in rate is 5% 0_o.
06:30 < jtimon> Mike_B gmaxwell infinite precision to have perpetual reward doesn't make much sense, will an annual reward of 0.00000000000000001% of the supply really make any difference?
06:31 < gmaxwell> jtimon: depends on how many coins are left. Careful with "supply"
06:31 < Mike_B> you could use "total number of transactions in a 2 week time period" or something to gauge how hot the bitcoin economy is
06:31 < Mike_B> the bitcoin GDP or whatever
06:31 < Mike_B> and tie inflation to that somehow
06:31 < Mike_B> dunno how that relates to miners anymore though
06:31 < gmaxwell> jtimon: if you've lost 99% of the coins (the great crypto wars of 2124 ...) then its a fair bit more.
06:31 < gmaxwell> Mike_B: easily manipulated by miners.
06:32 < gmaxwell> (who, of course, receive the subsidy)
06:32 < jtimon> at some point the reward will be lower than the 0% of coins lost
06:32 < Mike_B> gmaxwell: i was thinking an inverse relationship
06:32 < Mike_B> more transactions = less reward
06:32 < Mike_B> though that's also bad
06:32 < jtimon> and with evergrowing supply but constant reward (aka timecoin) the problem is similar
06:32 < Mike_B> the real problem seems to be the length of time it takes difficulty to adjust
06:33 < gmaxwell> Mike_B: hm? I've never seen that as a problem.
06:33 < jtimon> if you want to have a perpetual reward proportional to the supply the only solutions are freicoin and expocoin (the reward is always growing too)
06:33 < Mike_B> oh nm i misunderstood what you were saying
06:34 < Mike_B> you're saying that if difficulty drops due to a block reward decrease, overpowered miners can come in and try to 51% the network?
06:34 < gmaxwell> Mike_B: yea.
06:34 < jtimon> Mike_B you cannot measure bitcoin's GDP from within the chain
06:34 < gmaxwell> Mike_B: if it drops and leaves the network stranded uhh we have bigger problems. (and it would be 'easy' to do a manual difficulty step to fix)
06:35 < Mike_B> gmaxwell: wouldn't all of these overpowered miners suddenly try to do that though? suddenly everyone's competing to be dishonest instead of honest
06:36 < Mike_B> now all overpowered miners now have an incentive to try to stay in to get 51%
06:36 < gmaxwell> Mike_B: maybe, depends on the form of the dishonesty. Some kinds are not that competitive. ... e.g. if there are very few full nodes they can cause inflation.
06:36 < Mike_B> jtimon: why not?
06:36 < gmaxwell> also, a war of dishonesty is bad for stability. e.g. big reorgs. even if the end result is mostly kinda sort honest.
06:37 < jtimon> because I can pay to myself
06:37 < gmaxwell> esp if jtimon is a miner.
06:37 < jtimon> and if I'm not I can pay fees to pay to myself
06:38 < gmaxwell> you can try some hack with coins days destroyed perhaps that works, but you get deep into heuristics, and I think adhoc solutions are not good inside a cryptocurrency.  All the users have to accept that it works right, and if there are 1001 ways to do something thats bad.
06:38 < jtimon> the point is there's no way to distinguish "real commerce" from just "wallet refactoring"
06:38 < Mike_B> ok, very true
06:39 < gmaxwell> you could potentially try a control loop that keeps difficulty forever increasing.
06:39 < Mike_B> though i'd still expect "more volume moved" still correlates very strongly with "bitcoin GDP" (whatever that would actually be)
06:39 < gmaxwell> Mike_B: it does until you add in an adaptive attacker.
06:39 < gmaxwell> as soon as there is an incentive to fake gdp (up or down) miners can block transactions or fill blocks with 'fake' ones.
06:40 < gmaxwell> might as well just have a field in the blocks miners can set: GDP: X :P
06:40 < jtimon> Mike_B that could be useful for an economic researcher that makes estimates about % real commerce, etc, but the chain algorithm shouldn't make those kind of estimates
06:40 < Mike_B> ok right
06:41 < jtimon> gmaxwell I've been thinking more about your "required security is not proportional to the value of the total supply more"
06:42 < jtimon> not taking post coins into account because those are recycled in freicoin
06:42 < jtimon> but I now disagree
06:42 < jtimon> your example was that you could reverse a 1M tx with the work of one block
06:43 < jtimon> but it is the recipients fault to only wait 1 block (or 6) for a 1 million transaction
06:44 < jtimon> so really any demurrage rate is enough, it's just a matter of people having to wait more confirmations
06:44 < gmaxwell> jtimon: so what if they wait 6? 1M is cheap compared to 6 blocks, e.g. if you assume the attacker can bribe miners, or buy computing power. Bitcoin mining marketplaces offering 115% PPS got a substantial chunk of the hashrate when they existed. :P  perhaps enough, though enough might be a really large number. :)
06:45 < jtimon> I'm using 6 just as a number
06:46 < jtimon> the recipient should estimate how much he has to wait to considered himself paid
06:46 < jtimon> maybe he has to wit 4 or 100 blocks, I don't know
06:46 < jtimon> wait
06:47 < gmaxwell> all txn in the block could be attacks however. :(
06:47 < jtimon> what do you mean txs could be attacks?
06:47 < gmaxwell> yes, but if you assume current block volumes in bitcoin assuming an attack with 20% hashpower... you end up with crazy numbers like 35 blocks where attacking isn't profitable over subsidy. (Well, current: I ran these number 9 months ago)
06:48 < gmaxwell> jtimon: an attacker is not limited to making one attack per block. Every transaction in their block could be a double spend attack on a different target.
06:48 < jtimon> oh, I see
06:48 < gmaxwell> so if you are to be conservative you must compare the value of the lost subsidies to the value of all transactions.
06:49 < jtimon> interesting, you would not only need to look at your transaction, but to all transactions near it
06:49 < gmaxwell> which is a bit extreme, I was hoping it would produce tidy numbers like 10 confirmations or whatever, but it turns out in bitcoin it didn't... not if you assume attackers with 20% hashpower.
06:49 < jtimon> to know the full potential incentive of the attacker
06:50 < gmaxwell> (I was concerned about everyone still assuming 6 was golden and hoped the software could give better advice...)
06:50 < jtimon> but I still think that the rule "the more valuable the coins are, the more security you need" applies
06:51 < Mike_B> 06:28 gmaxwell: Mike_B: there are problems, say you program the inflation rate at 1% and the lost rate is 2% ... after some very large amount of time the inflation is now some large percentage of the actual economy. And thats distorting.. people are like .. out capturing extra stars to implode them to power their miners.
06:51 < Mike_B> i'm still kind of hung on this
06:51 < Mike_B> what would the problem be exactly?
06:52 < jtimon> yes, would be cool to have a configurable client that waits for more confirmations depending on values, maybe querying bitcoinwatch or something
06:52 < Mike_B> if there's an inflation rate of 1% and a lost rate of 2%, you end up with a net deflation rate of 1%, right?
06:52 < Mike_B> why does that lead to dyson spheres or what have you
06:52 < gmaxwell> Mike_B: but compute the proportion of the total remaining economy that is going to mining.
06:52 < Mike_B> oh, i see what you're saying
06:53 < Mike_B> since you never have a clue what the lost rate is
06:53 < gmaxwell> the 1% isn't of the economy, we can't measure that; it's 1% of the maximum potential economy.
06:53 < gmaxwell> right.
20:33 < warren> If Litecoin is willing to go through the pain of a hardfork, it better be more interesting than bigger scrypt.
20:34 < petertodd> warren: agreed
20:34 < warren> And I think bigger scrypt is a bad idea, validation is already slow.
20:34 < amiller> you can reject someone's blocks, as part of the rational strategy space
20:34 < amiller> so that can include whether the sum difficulty is over tons of weak blocks or a few bonanza blocks with high difficulty
20:34 < adam3us> warren: coelho merkle hash PoW is better.  vitalik used it in dagger for ethereum.
20:34 < amiller> obviously the tons of weak blocks is a DoS
20:34 < petertodd> warren: heh, well, doing birthday-style momentum hash would be as temporarily asic-hard as any scrypt tweak, and with fast validation
20:34 < amiller> but we handle DoS on an ad hoc basis at the moment anyway.
20:34 < adam3us> warren: better in that it uses fiat-shamir to only have to spot check the answer, not repeat the work
20:35 < warren> petertodd: temporarily ...
20:35 < amiller> so how about this
20:35 < amiller> accept a range of difficulties
20:35 < petertodd> warren: sure, but at least the barrier to making an asic with that is fairly high - as I say, it gets you the same kind of barrier that a scrypt tweak would, but with less resource usage
20:35 < amiller> but not all the way to nothingness
20:35 < adam3us> petertodd: momentum is not too stupid.  quite TMTOable but other than that.
20:35 < warren> adam3us: <adam3us> maaku_: yes litecoin & ftc are currently not plausible to overtake  <----- huh?  ftc?
20:35 < petertodd> adam3us: define TMTO again?
20:35 < amiller> the bottom-out level is a miner policy
20:35 < amiller> minimum acceptable difficulty i mean
20:36 < warren> adam3us: only thing implausible about overtaking FTC is their centralized broadcast checkpoints
20:36 < petertodd> amiller: but difficulty is related to block interval, and you have to have long enough min block intervals so that consensus still works
20:36 < adam3us> warren: it was hypothetical comparison, nothing specific to ltc/ftc
20:36 < warren> adam3us: petertodd: economically the only way litecoin users would accept a PoW change is if the same miners were the beneficiaries (GPU owners). =(
20:36 < petertodd> adam3us: oh, right, Time Memory Tradeoff or whatever
20:37 < amiller> petertodd, okay so the basic way to handle that is to a) make everyone include stale blocks in some way, like GHOST already recommends and i babbled about on irc a year ago
20:37 < amiller> b) the more stale blocks you accumulate, the more penalty you apply to short spammy blocks
20:37 < petertodd> warren: birthday PoW might be GPU implementable actually
20:37 < petertodd> warren: cuckoo hashing seems possibly to be as well
20:37 < warren> adam3us: is Savitch's theorem relevant at all to this?
20:37 < adam3us> petertodd: TMTO is fine for warren's GPU lovers.  you need that to run momentum on a gpu anyway
20:37 < amiller> the effect is that you eventually get enough of a bonus to mining at a hard difficulty, which causes the chain to stabilize
20:38 < petertodd> amiller: gah, I really am against this stale block crap - it gives advantages to those with fast network connections
20:38 < adam3us> warren: i am not sure if it is because momentum nearly works and has an extremely efficient verification (consuming no memory)
20:38 < amiller> they have an advantage anyway
20:38 < petertodd> adam3us: no actually, I was looking at some papers suggesting that GPU's are actually reasonable good at implementing content addressable memories
20:39 < petertodd> adam3us: it's not a TMTO tradeoff in that case
20:39 < adam3us> petertodd: oh nice.
20:39 < petertodd> amiller: yes, but don't make it even bigger, which ghost does
20:40 < amiller> i'm advocating *allowing* it to get bigger for a much more important reason
20:40 < amiller> the only thing ghost claims you can do is marginally increasing the flux of transactions, which is meh
20:41 < amiller> i'm claiming the main benefit to this is getting user-selectable variance *within* the main mining game
20:41 < petertodd> amiller: wait, what getting bigger? orphan rate?
20:41 < amiller> no the advantage to dudes with better network equipment in data centers, ie the amount of data and latency dependence
20:42 < petertodd> amiller: nah, better ways to get user-selectable variance than screwing up those incentives
20:42 < amiller> like what
20:42 < petertodd> amiller: again, why are you assuming a monolithic blockchain?
20:43 < amiller> how else are you going to get user selectable variance
20:43 < petertodd> amiller: do per-tx PoW and figure out how to make that reasonable
20:43 < adam3us> amiller: above are you talking about p2pool?  pooled mining apis in general? variance you mean being able to pick an appropriate to miner pow work size?
20:43 < amiller> small players want to play at lower variance, so yes
20:44 < adam3us> amiller: just because actual low variance can be done via multiple sub-puzzles and redefining work to be the sum of the subpuzzles, however that breaks power-fairness of the PoW for btc style first past post race
20:44 < adam3us> amiller: so u mean low variance in terms of pool shares.
20:45 < petertodd> adam3us: if the sub-puzzles earn you money linearly, that doesn't break fairness
20:45 < amiller> it doesn't break power fairness, it does have a subtle security problem related to that though
20:45 < petertodd> amiller: which is?
20:45 < amiller> attackers can revert larger history with *better than negligible chance* if they can increase the difficulty high enough
20:45 < warren> petertodd: perhaps it would be more palatable of a change if something like every other block were allowed to be scrypt or birthday.  but in any case none of that fixes the issue of centralization, if litecoin has a hardfork I want to tackle that.
20:45 < adam3us> amiller: well if we said you had to make a coelho merkle pow it would have a lot of progress so be power-unfair
20:46 < amiller> adam3us, that's an all or nothing puzzle
20:46 < amiller> adam3us, that's different than letting individuals get their own little reward for a subpart
20:46 < adam3us> amiller: right.  the prize is all-or-nothing.
20:47 < amiller> ok so make subdivisible puzzles where the rewards are also subdivisible in the same way
20:47 < petertodd> amiller: right, so devise schemes where we're not letting luck revert large history
20:47 < adam3us> amiller: ok that i think is interesting to explore.  (i tried a bit in the past also)
20:47 < amiller> petertodd, no that's fine as long as its not unbounded
20:47 < amiller> unbounded is a problem in the other direction too
20:47 < amiller> unboundedly small puzzles => DoS hazard as attacker floods network with small plausible weak blocks
20:47 < warren> adam3us: petertodd: how well researched is birthday against a worse break?
20:47 < adam3us> amiller: the other problem is you have reward and consensus and they are bound together
20:47 < amiller> unboundedly difficult puzzles => attacker has too good a chance of an attack with less power
20:47 < adam3us> warren: its pretty fundamentally hard
20:48 < adam3us> warren: just time memory trade offs
20:48 < amiller> adam3us, could you be a little more specific about what reward and consensus mean here
20:48 < warren> adam3us: are people already using TMTO to mine it?
20:48 < petertodd> amiller: in any case, I think my binary tree chains thing works for this, because you set it up with diff halved on each step down, and only let miners mine one path, keep separate diffs for each level, but also keep the reward the same horizontally so there's no economic incentives to let them get out of whack
20:48 < warren> scrypt GPU uses TMTO
20:48 < adam3us> warren: there was a thread on the protoshares / bitshare board where a guy was coding one.
20:49 < amiller> petertodd, i don't know what you are talking about, MMR? MMR for blocks?
20:49 < adam3us> warren: he had an example implementation and got the tmto working, but i dont know if he yet coded it for the gpu
20:49 < petertodd> amiller: no, I mean, structure your blockchain as a binary tree of "blocks"
20:49 < petertodd> amiller: still linear in the time axis
20:50 < adam3us> amiller: reward = 25btc/block, consensus = everyone agreeing on transaction order and validation (over time)
20:50 < petertodd> amiller: point with this, is that you can have PoW per tx, and sum up work simply by the fact that the upper levels of the tree get that lucky less often, yet have higher difficulty
20:50 < petertodd> amiller: related is I suspect such a structure can do better scalability
20:50 < amiller> ok so make the reward proportional to block
20:51 < amiller> fees behave same way as before
20:51 < amiller> consensus = everyone agrees on transaction order same as before...
20:51 < petertodd> amiller: yeah
20:51 < amiller> proportional to difficulty in a block*
20:51 < adam3us> adam3us: but for consensus security there may be an incentive security tie relating to reward...
20:51 < petertodd> amiller: now I *also* think you can probably structure this so that miners don't have to keep up with the whole chain, only doing subsets, but that's not necessarily directly related to the per-tx PoW aspect of it
20:52 < adam3us> amiller: oh i get you.  allow a consensus to be built up from fractional blocks
20:53 < petertodd> adam3us: yup, and the fraction could be as little as a single tx
20:53 < petertodd> adam3us: (obviously it's likely the concept will end up with some notion of work/byte)
20:53 < adam3us> amiller: like you could be 1.5-confirmed.  plausible but creates longer chain/complexity, maybe orphan risk, bandwidth usage
20:54 < petertodd> adam3us: yet, if you combine it with a scalability solution w/ sharding, per-node bandwidth can be less
20:54 < amiller> maybe the GHOST guys want to work on this
16:44 < gmaxwell> gwillen: computationally sound basically means a cryptographic assumption, e.g. someone who can search 2^256 spaces can produce a proof which you believe is valid but it's not.
16:44 < gmaxwell> Vs a perfectly sound proof where you can never be fooled even by an unbounded attacker.
16:45 < gmaxwell> (or, if the cryptographic assumption fails, e.g. discrete log is easy, etc. (depends on how the system is constructed which assumptions are at play), or if P=NP.. then the system allows fake proofs)
16:46 < gwillen> gmaxwell: ahhhh, clever.
16:48 < gmaxwell> There is a similar set of levels of zero knowledge.  Some things have perfect zero knowledge where an unbounded attacker with unbounded examples of your proof learns nothing, statistical zero knowledge where the distribution of answers is negligibly different from 'fake' answers so at most they learn very little, and various computational assumptions for zero knowledge, e.g. where they learn nothing unless they can solve some hard problem.
16:48  * gwillen nods
16:48 < gmaxwell> Interestingly there seems to be some tradeoff, it seems that many of the systems with perfect soundness can only offer computational zero knowledge, and vice versa.
16:49 < gwillen> interesting.
16:49 < gmaxwell> For something like blockchain proofs we don't care about zero knowledge at all, though we do care if the proofs are small.
16:51 < gwillen> gmaxwell: is this counting or not counting 'I prove that I have a bitcoin without revealing which one' as zk?
16:51 < gwillen> it feels zk-flavored to me
16:51 < gmaxwell> for that you'd want zk, indeed, though computationally sound ZK is probably fine for that.
16:51  * gwillen nods
16:52 < gwillen> 'you can break my anonymity if you can do a 256-bit search' is certainly an improvement on what we have now. :-)
16:53 < gmaxwell> likewise, for something like zerocoin you need zk to hide which coins you're spending.  So we do have applications for ZK.  Things like my contigent payment protocol need fairly strong ZK since the payer can rob the payee if the ZK isn't strong.
16:54 < gwillen> interesting.
16:56 < gmaxwell> then you have the whole axis of publicly verifiable vs designated verifier.
16:57 < gmaxwell> A bunch of these systems work easiest where there is a single verifier who generates a challenge, and a single prover.  That's designated verifier.
16:57 < iddo> gmaxwell: from what i know there is no (working) code yet for non-CRS SCIP, but it's being worked on... about CRS SCIP, obviously they will release code with their lame zerocoin altcoin:( but i'll continue to inquire and see if i have updates
16:58 < gmaxwell> Publicly verifiable is like a digital signature.  Then a number of these systems are "publicly verifiable in the CRS model" which is basically publicly verifiable but only if everyone has a magical trusted string.
16:59 < gwillen> gmaxwell: what are the requirements on the CRS?
17:01 < gmaxwell> gwillen: depends on the system, most of the CRS models are effectively structured like public key cryptography where the CRS gives you public keys for a trapdoor permutation constructed so that you can encrypt your proof but still check that it's valid. if someone knows the randomness underlying the CRS they can trivially create fake proofs.
17:01 < gmaxwell> the crs generation process in that case just ends up looking like generating a bunch of random public keys, more or less.
17:02 < gwillen> gmaxwell: is this the sort of thing where, if we knew that God generated the CRS and threw away the generation parameters, the system would be fine?
17:02 < gmaxwell> Yes.
17:02 < gwillen> Huh.
17:03 < gmaxwell> some of the stuff in the CRS model also loses its zero knowledge to god, so you can't necessarily safely use it in the designated verifier case where the designated verifier produces the CRS. (annoyingly I find the papers often unclear exactly what the threat model(s) they work under)
17:03 < gmaxwell> (though anything with a succinct proof is probably still ZK to god, simply because there is so little information at the end)
17:04 < gmaxwell> some people talking about this stuff have suggested you could use multiparty computation to compute the CRS in a way that God is distributed.
17:05 < gmaxwell> But it still would leave you that if the majority (or all) of the multiparty computation players cheated they'd know the parameters.
17:06 < gmaxwell> Also, many of the active-secure multiparty computation systems only achieve security via zero knowledge proofs ... so you can end up with circular security. :)
17:06 < gmaxwell> E.g. you can take a passive-secure multiparty computation system, one which is only secure if the players follow the protocol, and boost it to active security (secure regardless of the players) by having the players use proofs to prove they did their computation according to the rules.
17:08 < phantomcircuit> gmaxwell, is there anything preventing someone from mining a version=3 block?
17:08 < phantomcircuit> other than just stupidity
17:08 < gmaxwell> phantomcircuit: nope.
17:08 < phantomcircuit> is it at least discouraged?
17:09 < gmaxwell> it shouldn't be done, because we will want to use the version field for future changes, and if people are actively producing blocks with other versions it will make that impossible.
17:17 < andytoshi> i like this business of referring to an unbounded attacker as god
17:17 < andytoshi> #bitcoin-wizards could use some wizardly lingo
17:19 < sipa> let's call Him Laplace's Demo
17:19 < sipa> hmm, i actually wanted to type Demon, but Demo isn't too bad either
17:20 < gwillen> he is Laplace's Demon, Laplace's Demo is when he shows you that your system is insecure.
17:20 < gmaxwell> I wonder if in some of the holographic universe theories if knowing the path of a single partical with enough detail actually describes the entire universe. :)
17:21 < gmaxwell> particle*
17:21 < gwillen> gmaxwell: certain facts about our actual universe make me like the theory that this isn't true because it has only limited resolution
17:21 < gwillen> (i.e. that you can't in fact get the entire universe from the path of a particle)
17:22 < gmaxwell> gwillen: e.g. what if there is only one universe consistent with our laws of physics and the existence of particle X.
17:22  * gwillen nods
17:27 < edulix> http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/ now in slashdot btw
17:30 < edulix> which makes me wonder, is there any book on bitcoin with internal details etc
17:39 < michagogo|cloud> edulix: yes, it's online at https://github.com/bitcoin/bitcoin
17:39 < michagogo|cloud> (and at http://bitcoin.it)
17:43 < edulix> nice
17:50 < edulix> hehe the author of that post doesn't understand why double spend is fixed the way it is fixed in bitcoin
17:52 < Emcy> is it true there were altcoins with fixed difficulty?
17:53 < gmaxwell> Emcy: liquidcoin had that... didn't last long.
17:54 < Emcy> what was the rationale of that
17:56 < phantomcircuit> gmaxwell, what block shunning is there?
17:57 < phantomcircuit> or is that just txs
17:57 < phantomcircuit> ;;seen jgarzik
17:57 < phantomcircuit> no gribble
19:45 < andytoshi> Emcy: no doubt "fairness"
19:46 < andytoshi> or plain old silliness :)
22:40  * andytoshi-logbot is logging
--- Log closed Sun Dec 08 00:00:40 2013
--- Log opened Sun Dec 08 00:00:40 2013
13:44 < MoALTz> http://blockexplorer.com/block/00000000000000189ad9b20ed103ac14ca5c08ecfb0f5a0f538e4678f4535c46
13:53 < MoALTz> the smallest block. the next (same-sized) smallest are 181 bytes
18:04 < crispy> fdadf
18:05 < phantomcircuit> gmaxwell, lol mike
18:05 < phantomcircuit> there is no such thing as a secure registrar
18:05 < phantomcircuit> DNE
18:10 < nsh> i hear melbourne IT is pretty good
18:10  * nsh sniggers
19:11 < Emcy> did petertodds pooled-solo mining thing from May go anywhere?
19:16 < Luke-Jr> Emcy: petertodd's? :P
19:16 < Luke-Jr> BIP 22 is from Feb 2012 ;)
19:22 < Emcy> sorry, he did say it was more you and greg
19:23 < Emcy> im going over the dev list again
19:23 < Emcy> you guys send a lot of mail to that list now
19:26 < Emcy> i think when people take discussions private then start ccing list again it breaks threads in my program :(
20:51 < Mike_B> has anyone assessed this new paper about blockchain confirm security?
20:51 < Mike_B> counting orphaned blocks as a confirmation
20:54 < Baz> there's a pretty good thread on it https://bitcointalk.org/index.php?topic=359582.0;topicseen
20:55 < Baz> are there disadvantages for when a wallet client uses a server to read through the blockchain, rather than load it all locally, as armory does
21:39 < maaku> Mike_B: I'm not sure that's an accurate explanation. it doesn't count orphaned blocks as confirmation, but uses work spent on orphans in determining the most-work chain
21:42 < midnightmagic> It seems strange somehow that you can force the network to switch to another sibling by mining multiple side-by-side siblings, and potentially roll back a retarget.
21:44 < maaku> midnightmagic: that requires a 51% attack ... nothing strange about that
21:49 < midnightmagic> as far as I know, a 51% attack can't *roll back* a retarget though can it? the 51% must linearly reach a longer sibling fork which itself is beyond the retarget.
21:50 < midnightmagic> this provides an additional consideration for a 51% direction that an attacker can take the chain.
21:50  * midnightmagic finishes reading
21:51 < maaku> midnightmagic: it most certainly can
21:52 < maaku> there is no limitation on how far back a rollback can go, except for checkpoints
21:53 < midnightmagic> maaku: What I mean is, it must extend it using post-retarget mined blocks. but if you reveal a GHOST-based subtree which is heavier but hasn't yet reached retarget, the network as a whole rewinds to that.
20:54 < warren> <petertodd> warren: heh, well, doing birthday-style momentum hash would be as temporarily asic-hard as any scrypt tweak, and with fast validation
20:54 < warren> To what degree would this be merely kicking the can down the road?
20:54 < petertodd> amiller: heh, well *I* want to work on this
20:55 < petertodd> warren: good question, probably tens of millions down the road, in terms of ASIC development cost
20:55 < amiller> well it basically forces a bunch of other sore issues
20:55 < amiller> like how to make fees match resources consumed
20:55 < warren> tens of millions of dollars?  that's nothing
20:55 < petertodd> warren: the scary thing is like any ASIC-hard-but-not-hard-enough scheme the first ASIC to be built is winner take all
20:55 < amiller> i think having parameters to restrict the bounds on either end is important
20:55 < petertodd> warren: sha256 ASICs are hundreds of thousands
20:55 < adam3us> petertodd: well if basic compression (not sending data twice) was implemented a block may cost less bw
20:55 < warren> petertodd: oh, tens of millions factor, not dollars?
20:56 < petertodd> warren: no, I'm saying my gut feeling is that a successful ASIC for such a beast would be tens of millions in dev costs
20:56 < adam3us> warren: i think $ in both cases
20:56 < warren> ok, then that isn't a worthwhile change
20:56 < petertodd> warren: but, what that's really saying is this is something that we need a real hardware person to analyse
20:57 < petertodd> warren: also momentum has interesting stuff: e.g. commodity content addressable memory *is* available because network routers and the like use it
20:57 < adam3us> amiller: btw i also thought of ghost a while back :) (saw you mentioned u did above)
20:58 < petertodd> warren: if you could get the community to put up a few thousand, you could probably get a decent bit of research+report on how viable it is
20:58 < warren> who is qualified to analyze it?
20:58 < petertodd> warren: it's the kind of thing MSC should be thinking about too
20:58 < petertodd> warren: good question - some kind of digital electronics/computer engineering person
20:58 < warren> huh? MSC has PoW?
20:58 < adam3us> amiller: in my case i was like hmm this creates complexity not enuf of a win, but they picked out its lower block interval support which i wasnt focusing on
20:58 < petertodd> warren: I've got the contacts to find a person for that
20:59 < petertodd> warren: not yet, but that falls into things MSC should look into
20:59 < petertodd> warren: note that Ethereum does and it's a MSC competitor/substrate
20:59 < warren> If MSC is on Bitcoin's network, I don't see how it needs its own PoW
20:59 < warren> what is Ethereum?
20:59 < adam3us> warren: oh boy
21:00 < petertodd> warren: a big part of why I was hired was to determine what the options are there...
21:00 < petertodd> adam3us: lol
21:00 < warren> (I've been busy lately.)
21:00 < petertodd> warren: "TURING COMPLETE CRYPTO CURRENCY INVESTMENT OPPORTUNITY BUY BUY BUY!"
21:00 < adam3us> warren: http://ethereum.org/ethereum.html
21:00 < warren> who made this?
21:00 < adam3us> warren: vitalik
21:01 < warren> a month ago he was all pro-primecoin
21:01 < adam3us> warren: with support of some good marketing folks
21:01 < petertodd> warren: vitalik is smart, but not wise...
21:01 < adam3us> warren: prime coin is a crock (IMO)
21:01 < adam3us> warren: i persuaded him that coelho was better ;)
21:01 < warren> sorry, what is coelho?
21:01 < adam3us> warren: hence he made dagger (linked from the above)
21:01 < petertodd> I was at a talk by him on ethereum and there was a moment kinda halfway through where he really jumped the shark so to speak
21:02 < adam3us> warren: merkle hash PoW with a fiat-shamir trick to reduce the memory for verify to like 4log(n) or such
21:03 < petertodd> adam3us: ugh, dagger is used *so* poorly in ethereum
21:03 < adam3us> warren: it's crazy stuff because the script language is like able to do almost anything.  the implications are unknowable
21:04 < adam3us> petertodd: critique specific?
21:04 < petertodd> adam3us: the huge advantage with a fiat-shamir trick pow is that you can make the pow depend on block data, which dagger doesn't do
21:04 < adam3us> warren: virus script that like takes all coins?  probably not actually. but its openended and people may have fun with it
21:05 < petertodd> adam3us: meanwhile that kind of PoW is still rather parallelizable, including in an asic
21:05 < adam3us> petertodd: ah yes he dropped that bit.  he was talking about data tho & i mentioned he could use that feature
21:05 < adam3us> petertodd: (separately proof of storage or something for some other reason... )
21:05 < petertodd> adam3us: ugh, so he knows that you can do that? fuck
21:05 < petertodd> adam3us: the whole writeup on the ethereum site is just full of hand-wavey numbers too
21:05 < adam3us> petertodd: well he does now.  i am not sure it occurred to him at the time he wrote dagger
21:07 < petertodd> adam3us: anyway, the whole idea that memory requirements somehow make something ASIC hard by themselves is very wrong
21:07 < adam3us> petertodd: well it is somewhat memory hard with the params he has and the sequence of calcs hmm i wonder you can't keep a cache and skip list and get most of it without memory can you?
21:07 < warren> is dagger fast to verify?
21:07 < petertodd> warren: yeah
21:07 < adam3us> warren: faster than scrypt for the memory used, but slower than momentum.  however momentum is more TMTOable
21:08 < petertodd> adam3us: well, you make an asic whose physical structure is a tree for instance
21:08 < adam3us> warren: i wouldnt say fast but less slow.
21:08 < adam3us> warren: i think he aims to use the faster verify to demand more memory per instance however, rather than to make faster wall-clock verify
21:08 < adam3us> warren: u could use it otherwise...
21:09 < adam3us> petertodd: i meant even in software!  gotta re-read it (didnt occur to me before for some reason)
21:09 < petertodd> adam3us: kinda reminds me: so one problem I had in coming up with a asic-hard "hash all the data"-style pow was that crypto-primitives like hash functions tend to be pretty slow compared to the bandwidth of main memory
21:10 < petertodd> adam3us: so the question is then what's the *weakest* crypto-primitive you can get away with and still be secure - like, could you have the lowest parts of a dagger-style tree only do a single sha256 round?
21:10 < adam3us> amiller: this fractional block seems interesting, but you probably have to use ghost, due to block interval creating orphans, and put a sanity limit like you said.
21:10 < warren> petertodd: so wait, where would MSC use PoW?
21:10 < petertodd> adam3us: where going up the tree enough rounds have been done to be pre-image secure?
21:11 < warren> sorry, I'll be back later, meeting in 30 minutes I need to prepare for
21:11 < petertodd> warren: it'd use it to implement a ethereum layer
21:11 < petertodd> warren: I mean, implement ethereum-style consensus system, as an example
21:11 < amiller> adam3us, sure, it's kind of a daunting engineering effort which is why i've shied away from it
21:11 < adam3us> petertodd: that might not be a bad idea. tree-evaled sha256 rounds
21:11 < amiller> adam3us, but i hope at this point it's at least clear what sort of benefit this can get you
21:11 < amiller> not faster transactions or something trivial like that, but the ability to have user-selected difficulty which means the whole need for pools goes away
21:12 < petertodd> adam3us: yeah, hell, maybe even something as simple as XOR can be used in some cases for lower parts of the tree?
21:13 < petertodd> adam3us: cuckoo PoW could be an example there too: maybe each round of your cuckoo path can be just a single hash round and you can still get away with it given reversing a round may be *sufficiently* hard that just fetching the appropriate bit of memory is easier
21:15 < petertodd> adam3us: though that could backfire too because I suspect an optimal cuckoo implementation is a grid of small memory cells and routing logic to efficiently pass around in-progress solutions without using long, power-hungry wires
21:15 < adam3us> petertodd: i think scrypt has a faster hash to fill memory at one stage no?
21:16 < adam3us> petertodd: there were some earlier PoW that aimed to stress memory latency by wobber et al.  unfortunately they all got broken :)
21:16 < petertodd> adam3us: yeah, that's why it uses salsa20
21:16 < petertodd> adam3us: for consensus pow I think trying to stress latency is hopeless
21:17 < petertodd> adam3us: though for timelock crypto it's perfectly reasonable
21:17 < adam3us> petertodd: why? its another form of parallelizable work...
21:18 < petertodd> adam3us: I'm talking about serial-parallel hash chain schemes
21:18 < petertodd> adam3us: in that case that memory latency lends itself to high parallelism is an *advantage* by making it cheaper to make the timelock
21:20 < petertodd> e.g. prepare x GB worth of lookup table, have n parallel queries going to the lookup table using some scheme using up all available bandwidth, then use the encrypted intermediate steps trick to deparallelize it
21:20 < adam3us> warren: u know in theory sha256 asics are more efficient in the way jtimon was arguing about earlier.  it concentrates the reward, but it maybe uses less electricity as a result
21:20 < petertodd> now you have a timelock that was reasonably cheap to make, yet the speed of sequentially cracking it is very directly related to memory latency, and mem latency sucks
21:21 < adam3us> petertodd: he he the first memory (latency) hard paper sent 16MB of random data in the example executable to make it non compactible
21:21 < petertodd> adam3us: sent? ?
21:21 < adam3us> petertodd: they linked it into the exe
21:21 < petertodd> adam3us: ah, I get it
12:43 < tacotime_> And, do I have it right? Okay, payer sends funds to some address generated from stealth address of payee, plus an OP_RETURN that publishes a secret (nonce).  Payee scans blockchain looking for a pubkey and secret that will allow him to spend from some address.  Payee finds said address, regenerates privkey from secret and pubkey, and then spends funds.
12:43 < sipa> correct
12:44 < tacotime_> Excellent.  Thanks.
13:26 < petertodd> tacotime_: all correct. An interesting question is if it would be better to at least have the option for the payment to be recoverable from information purely in the txout - it's plausible that in the future it'd work better once you can get a miner proof of a txout's existence.
13:27 < petertodd> tacotime_: I'm waiting on some Javascript ECDH benchmarks FWIW before I make any kind of decision - it'd be nice if web-wallets like coinpunk could receive stealth payments entirely in the browser with at least some privacy.
13:28 < petertodd> tacotime_: On the bright side, javascript SHA256 grinding is plenty fast enough to support stealth + prefixes.
13:29 < petertodd> adam3us: that's exactly what I suggested actually, which leads to an interesting question that BlueMatt(?) brought up: Can you prove to a third party that a given transaction does *not* contain a stego-encoded data packet? With SCIP it's easy to see how that could be possible in principle, but I dunno if it can be made efficient enough to be practical.
13:32 < nsh> you can always upper-bound the redundancy
13:32 < petertodd> nsh: ?
13:33 < nsh> the "spare" information in the transaction after you discount the necessary
13:33 < petertodd> nsh: oh, this isn't standard stego really: you're hiding encrypted data in random junk, so there's no measure of spare to talk about
13:33 < nsh> oh, hmm
13:33 < sipa> well obviously the amount of data that can be stored is limited to the size of the transaction
13:35 < petertodd> the real question is can you prove the execution of a timelock crypto sequence, which is something as simple as 10,000 SHA256 invocations, such that you can prove the end result cheaply to a third party that can evaluate that proof cheaply
13:35 < petertodd> it's obviously possible in principle, but how can it be made practical?
13:38 < nsh> perhaps in the future there will be a market for verify-farms, like compile/render-farms, that perform some computation and provide short/cheap verification proofs for it and its inputs
13:38 < petertodd> nsh: right, that's the "in principle" part :P
13:38  * nsh smiles
13:39 < petertodd> nsh: remember the Blub programmer principle: If Peter can't understand the crypto, it's obviously not practical.
13:39 < nsh> aye
13:39 < sipa> s/Pe/Pie/
13:40 < petertodd> lol
13:40 < nsh> hehe
13:40 < petertodd> and actually, in practice I use a stricter standard: If Peter can't teach the crypto to someone else, it's not practical
13:42 < sipa> it's not necessarily stricter; you often learn things exactly by trying to explain them to others
13:43  * nsh nods
13:44 < nsh> understanding-in-motion has a value above and beyond understanding-in-stasis
13:44 < petertodd> sipa: very true! in uni my smarter calculus classmates were always confused as to why my marks were so much worse than theirs given I was the guy always leading the study sessions :P
13:44 < nsh> like currency in some ways
13:45 < kinlo> blub programmer principle, does that require peter to be smart? :p
13:47 < petertodd> kinlo: the exact opposite :)
14:02 < gmaxwell> 21:45 < jron> slides from RWC if you haven't seen them yet: https://www.youtube.com/watch?v=Uh6erfE9HYE
14:03 < gmaxwell> (zerocash slides)
14:04 < nsh> the audio is almost comprehensible in that recording :)
14:12 < justanotheruser> What is the most interesting development in the cryptocurrency world?
14:12 < justanotheruser> Preferably something I haven't heard about
14:19 < maaku> Jeb donating 25M XRP to MIRI?
14:19 < maaku> kinda hard to guess what you haven't heard about
14:19 < maaku> also, #bitcoin
14:28 < nsh> wrt zerocash, i wonder if you could have some weird cypherpunk ritualized inauguration event, with some carefully-selected and mutually-audited public parameter generation set-up, then everyone stands around it in robes looking solemn as the priests generate them and the machinery is then ritually destroyed
14:29 < nsh> some cross between the Minbari gray council and burning man
14:30 < sipa> #bitcoin-priests plz
14:31  * nsh smiles
14:32  * maaku joins #bitcoin-priests
14:32 < orperelman> lol
14:32 < maaku> make it happen nsh
14:32 < nsh> i'll start work on the liturgy
14:35 < justanotheruser> maaku: minecraft jeb?
14:36 < maaku> minecraft? no the guy who started MtGox and Ripple Labs
14:36 < justanotheruser> Is jeb magicaltux?
14:37 < justanotheruser> oh, reading the wiki. Looks like jeb sold it to magicaltux
14:38 < sipa> jed, you mean?
--- Log closed Mon Jan 20 00:00:41 2014
--- Log opened Mon Jan 20 00:00:41 2014
--- Day changed Mon Jan 20 2014
05:42 < adam3us> petertodd: "Can you prove to a third party that a given transaction does *not* contain a stego-encoded data packet? With SCIP it's easy to see how that could be possible in principle, but I dunno if it can be made efficient enough to be practical." <-- other than the assertion that stego wins
05:47 < adam3us> petertodd: maybe subliminal channel free signatures would be a starting point
07:12 < adam3us> petertodd: "can you prove the execution of a timelock crypto sequence, which is something as simple as 10,000 SHA256 invocations, such that you can prove the end result cheaply to a third party that can evaluate that proof cheaply" <-- well just Hellman's idea to delete 16 key bits with symmetric crypto is efficiently provable after someone has found the key. or do you mean prove it is decryptable before it has been decrypted?
07:27 < petertodd> adam3us: I mean to prove that some random junk *doesn't* contain data using the appropriate timelock-iterations algorithm
07:29 < petertodd> adam3us: remember that the timelock algorithm in this case is just a fixed number of H() invocations or similar - the question is can you prove the end-result of that algorithm to someone else cheaply?
07:29 < petertodd> adam3us: hellman's idea doesn't work in this case - proves the wrong thing
07:31 < adam3us> petertodd: well hellman's thing shows after you know the key, its certainly easy /cheap for anyone else to verify its the right key, and decrypt it and see what the plaintext was
07:31 < petertodd> adam3us: but that's the thing, there may be no key
07:31 < adam3us> petertodd: ok so you want to prove that its not a DoS msg, ie the person who encrypted actually knew the plaintext
07:32 < adam3us> petertodd: and have that be verifiable before the brute-force decryption happens
07:32 < petertodd> adam3us: no, I have random data, I want to prove that after you apply the timelock stego algorithm, you still have random data
07:32 < petertodd> adam3us: proving that there is a hidden message is the easy part
07:33 < adam3us> petertodd: ok so maybe like if you could prevent proof of publication, eg by proving with SCIP that the contents are the hash of an undisclosed value then you restrict the stego-encoding rate to ground bits of the hash
07:34 < adam3us> petertodd: kind of analogous the p2sh^2 argument frustrating data publication
07:34 < petertodd> adam3us: that still doesn't work
07:35 < petertodd> adam3us: I was referring to using SCIP to prove that you *did* the 10,000 iterations of H() honestly, and thus the result is the honest candidate decryption key, so if that key doesn't work, you know there isn't hidden data
07:35 < adam3us> petertodd: or if there is a static public key, the private key of which is used as the seed of a rng, you could prove that this hidden/encrypted value is  with the next rng output, without revealing what the rng output is
07:35 < petertodd> adam3us: remember this is about my timelock crypto for embedded consensus systems thing - you don't get any control over the data other users add to the blockchain
07:36 < adam3us> petertodd: i suppose you dont want to connect the msgs to the same author or they could be blockable
07:36 < adam3us> petertodd: (provable rng seed)
07:37 < petertodd> adam3us: that's irrelevant, it's timelocked so the fact that you can decrypt the stego message in 1hour frustrates the miner who only wants to spend a few seconds at most figuring out if they can put the transaction in their block
07:37 < adam3us> petertodd: btw why scip prove you did the work, you can just reveal the key, if the msg is garbage, people can see that for themselves
07:38 < adam3us> petertodd: yes time-lock works for analogous reasons to committed-tx, there is some similarity in forcing miners to make decisions on encrypted data
07:39 < petertodd> adam3us: it's impossible to prove you revealed the *correct* key if decrypting the candidate stego data with that key results in random junk
07:39 < petertodd> adam3us: you can only use a key to prove data was hidden, not the other way around
07:40 < adam3us> petertodd: oh wait you want to efficiently prove this is the ground key, without attaching it to the useful decryption
07:40 < petertodd> adam3us: remember that there's far more candidate data without steggo data in it, so you save resources if everyone can work together in a trust-free way to decrypt it all
07:40 < adam3us> petertodd: because the decryption maybe garbage, and so have no inherent verifiability
07:40 < petertodd> yes
07:43 < adam3us> petertodd: i was thinking about like Rivest's rsa-timelock might be tweaked to be efficiently verifiable maybe, (i managed to find a blindable version of it so you could securely offload KDF calculation to untrusted nodes) but maybe more simply if you make the key to grind have structure (an indirection)
13:43 < gmaxwell> Really the major breakthrough that allows sublinear is bootstrapping, which I think was mostly really inspired by the FHE work.
13:43 < tacotime_> I can tell already that I will never understand that paper.  But that's what proves the sublinear size and makes 288 byte SNARKs possible?
13:43 < gmaxwell> You can make it non-interactive with fiat shamir IIRC, most interactive things can be.
13:44 < gmaxwell> tacotime_: the GGPR'12 technique is constant size proofs.  There are a couple of high level ideas that can help you intuitively understand why sublinear proofs are possible.
13:45 < andytoshi> fiat-shamir is also really cool philosophically. it's like you summon a random oracle to do the interactive proof with you and publish the transcript
13:47 < gmaxwell> tacotime_: imagine you have a system which can prove the validity of two operations: executing a single instruction AND verifying a proof of the prior state for that instruction.  If the proof verification is randomized/probabilistic, then its not surprising that the proof size can be proportional to security rather than execution size... and then you nest these operations and get a constant size proof. (bootstrapping approach). Efficient systems don't work directly in this way, but its an intuitive way to see the possibility.
13:48 < andytoshi> as for SNARKs being "'only' computationally sound", that seems to be strongly analogous to the quantum-entanglement scenario wherein your "faster than light correlation" can only be verified by communicating slower than light
13:48 < gmaxwell> andytoshi: that's why I pointed it out.
13:48 < andytoshi> gmaxwell: yeah, i realize that now. but i'm that slow :)
13:49 < nsh> (slow is pretty damn relative here)
13:49 < gmaxwell> amiller: yea, fiat shamir is insanely useful. I'm not sure why it's not more widely known.  It doesn't help that the original papers on it are a bit opaque.
13:50 < andytoshi> the original paper pretends to be about the smart-card scheme, it's really not obvious that there is anything generally useful in there at all until you read it :(
13:51 < nsh> "The heuristic was originally presented without a proof of security; later, Pointcheval and Stern [2] proved its security against chosen message attacks in the random oracle model, that is, under the assumption that random oracles exist. In the case that random oracles don't exist, the Fiat-Shamir heuristic has been proven insecure by Goldwasser and Kalai.[3] The Fiat-Shamir heuristic thus demonstrates a major application of random oracles." - http://en.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristic
13:51 < gmaxwell> yea, that article is useless.
13:51  * nsh frowns at irc client
13:53 < nsh> kinda provocative that you could have some empirical security difference that implies the existence or not of random oracles
13:53 < tacotime_> Is there a textbook somewhere for this sort of stuff?
13:54 < jtimon> gmaxwell, if you were to design a concatenative merklized scripting language (joyscript), what would be important to take into account so that in the future it is "good for snark"
13:54 < jtimon> ?
13:54 < gmaxwell> Basically it says you can take an interactive protocol and make it non-interactive by committing to your state with a random oracle, then using the random oracle to play the counterparty in the interactive protocol.  If the interactive protocol has the right properties then you can instantiate the system with a hash function in the place of the random oracle and make a secure conversion.
13:55 < andytoshi> jtimon: you want to be able to easily bound the time-to-execute for scripts
13:55 < andytoshi> for a concatenative language maybe that is as easy as computing a tree height
13:56 < gmaxwell> andytoshi: only if you can describe an efficient arithmetic circuit for evaluating the concatenative language such that execution = tree height. This seems unlikely to me.
13:59 < jtimon> wouldn't those problems be solved with the instruction counter?
14:00 < tacotime_> Okay, I think it's starting to make sense.  We have algorithm A, with non-arbitrary input I and output O.  The proof takes input I_ro from a random oracle (hash function) and produces output O_ro using A(I_ro).  We can then prove the execution of A(I) for some non-arbitrary input I.
14:00 < jtimon> btw, maaku, I don't think your message got to the concatenative group maybe you had to enter the yahoo group after all
14:01 < jtimon> http://groups.yahoo.com/neo/groups/concatenative/conversations/messages
14:01 < tacotime_> With some small amount of bytes using SNARK, because the proof is logarithmic in size?
14:01 < gmaxwell> jtimon: current constructions for snarks require costly preprocessing which is program generic but specific to the machine being evaluated and specific to the length of execution.
14:03 < tacotime_> Is that the overall gist of what's going on?
14:03 < tacotime_> My background is in biochem, so sometimes I'm a little slow for CS stuff, forgive me.
14:04 < jtimon> gmaxwell I don't think I understood that, but I'm asking with the hope that those costly executions become cheaper in the future somehow
14:04 < gmaxwell> tacotime_: I'm not sure I followed what you were saying clearly enough there to agree or disagree.  Another way to look at it is that program validation and program execution are not the same problem. Imagine making a transcript of a program execution: you write down every instruction that gets run and then the state (memory, registers, etc) along the way.
14:05 < gmaxwell> The result is a transcript, or sometimes called a witness
14:05 < andytoshi> jtimon: the other problem is that the preprocessing step has a security parameter which can be used for forging. this is a serious problem when there is one guy (the coin creator say) who is doing the preprocessing step, but it'd kill the scheme if everybody was doing their own preprocessing
14:05 < gmaxwell> If I give you such a transcript I can ask you if it's valid, to tell if it's valid you walk through the instructions and then check that the instructions match the rules e.g. that an ADD instruction updates the state in the right way.
14:06 < tacotime_> Right.
14:06 < jtimon> for those who are interested in this joyscript thing, this is the message that maaku (tried to?) send to the concatenative mailing list http://pastebin.com/5ScNX7vy
14:06 < gmaxwell> tacotime_: what all of this stuff is based on is that there exist ways of encoding the transcript so that if you only check a tiny portion of it, that you can become very confident that the whole transcript was faithful.
14:06 < jtimon> andytoshi, I see, like zerocoin's trapdoor
14:06 < andytoshi> yeah exactly
14:07 < tacotime_> Given some non-arbitrary input?
14:07 < andytoshi> i had some vague ideas about using a variant of FHE to obtain the security parameter from a random oracle in a zk way (so provable nobody knows it) but i ran into serious conceptual problems when i tried to make these ideas concrete
14:07 < gmaxwell> for any input. well technically what you do is provide the inputs and 'outputs' as inputs and then the whole program just decides to accept (inputs agreed with the program) or not... e.g. convert it into a decision problem.
14:09 < tacotime_> Okay.
14:09 < jtimon> and if anyone is more interested, I can forward what maaku has been discussing with a strongly typed concatenative language expert (the guy who wrote that "why concatenative matters" article) [unless you maaku have some objection to sharing it, which I doubt]
14:09 < andytoshi> basically, you want it to be verifiable that you actually got the security parameter from the oracle -and- you only used it for a specific circuit (zk-snark preprocessing) and couldn't have used it in a circuit which reveals the parameter
14:09 < andytoshi> but these two requirements conflict when you try to implement them in the 'obvious' ways it seems
14:11 < andytoshi> that is, if you tie the parameter to a specific circuit it's hard to make it random (it's hard to make it at all actually). and conversely if you want to make it random it's hard to tie it to a circuit, but if you don't then it's trivial to replace the circuit with one that reveals it, defeating the whole exercise
14:14 < gmaxwell> andytoshi: why can't you just pick a ciphertext input to the circuit at random (e.g. because you don't know the decryption key)?
14:17 < andytoshi> gmaxwell: to implement this "tie the input to the circuit" scheme, my thought was to make the key derivation depend on the circuit
14:18 < andytoshi> but when you do this, it becomes hard (or rather outside the things i'm aware of being possible) to create a decryption key without an encryption key
14:19 < andytoshi> the hope was, i could make the output-decryption key be "111111" or something which clearly has no input-encryption key. then i can put whatever i want as input and what the circuit sees will be random and unknown
14:20 < andytoshi> but it seems implausible that just using 111111 will get me a valid decryption key, since my key derivation is so complicated
14:21 < gmaxwell> I still don't understand how the reencryption used in bootstrapping FHE can even work at all, so that sort of leaves me powerless to speculate about how you can get unknown encrypted with known decryption key FHE. I think it would be very powerful and not just for this if it's possible.
14:22 < andytoshi> ditto. i have been trying to meet with brent waters, who has published several papers with craig gentry about FHE, because i'm trying to seduce him into supervising me. but he's been out of the country a lot this semester. whenever i get ahold of him i'll bring this up and maybe he can speculate more intelligently
13:59 < gmaxwell> maybe someday when we add new checksig operators we'll make sure there is a sighash flag that leaves the input txid:vout out of the signature. It would make a number of refund cases much easier if that was possible.
13:59 < gmaxwell> (because then you could author the refund before authoring the payment)
14:00 < TD> yes
14:00 < TD> that would be nice
14:03 < iddo> hmm i thought that what's needed is that the txid hash doesn't depend on the signature of the txn ?
14:06 < gmaxwell> iddo: being able to not have a later signature depend on prior txids is more general, I think.
14:07 < gmaxwell> making the txid not depend on the signature removes malleability, while masking the input results in malleability indifference.
14:09 < iddo> i probably don't understand what's meant with "leaves the input txid:vout out of the signature" ?
14:09 < gmaxwell> A silly example of how masking the input is more general.  I can compute a timelocked transaction that pays to me in 1 year.  In the signature field I put in a nothing up my sleeve number.
14:09 < gmaxwell> Then I recover the applicable public key.
14:09 < iddo> doesn't that mean something about the signature not depending on all the data of the txn, instead of the txn hash not depending on the signature?
14:09 < gmaxwell> And author a transaction which pays funds to that public key.
14:10 < gmaxwell> iddo: we have flags in bitcoin to control what parts of the transaction that the signature depends on.
14:10 < gmaxwell> But the flags are not flexible to express "do not depend on the txid:index of the coin this signature is spending"
14:10 < gmaxwell> er not flexible enough.
14:11 < TD> iddo: see the contracts page on the wiki for an intro
14:11 < iddo> ok i'll look, thanks
14:39 < maaku> Mastercoin is looking for devs to hire fulltime (paid in fiat).
14:40 < maaku> I replied with "Mastercoin is a flawed concept and I have better things to do with my time"
14:40 < maaku> But maybe for someone else here it'd beat whatever your dayjob is
14:40 < maaku> Or maybe you can convince them to pay you to work on something actually useful.
14:41 < _ingsoc> Mastercoin is the Antichrist. There, I said it and I don't care.
14:43 < gmaxwell> I think the postive thing is that mastercoin isn't anything but a bucket of money, wrapped in marketing and hope.
14:43 < gmaxwell> So on the technical side it could probably become something substantially different from whatever it is they've been doing so far.
14:44 < _ingsoc> gmaxwell: Can it realistically mess with Bitcoin?
14:44 < _ingsoc> gmaxwell: The whole issue with dumping things into the block chain.
14:44 < gmaxwell> I expect if it survives it'll stop doing that. Thats what I mean by substantially different.
14:45 < _ingsoc> Right, I see.
14:45 < gmaxwell> its funding model made it competitive with the bitcoin currency. Dumping data into the blockchain is very easily censored.
14:45 < _ingsoc> The name is stupid anyway. Great. Let's forgo our fiat master for a new one. :)
14:45 < gmaxwell> Miners, who receive bitcoin currency ... and not mastercoins .. have every incentive to censor it, and few to not do so.
14:47 < maaku> I would love to take that offer to implement Freimarkets, or even Bitcoin-X
14:48 < maaku> But mastercoin, specifically, serves no purpose and has no future
14:49 < maaku> and unfortunately they can't switch to something better and carry over the investment structure
14:49 < jgarzik> maaku, <shrug>  perhaps today, but with a huge endowment I would not project that opinion into the future
14:49 < jtimon> bitshares seems a similar "money bucket", and they aren't obsessed with "it has to be in the bitcoin chain without modifying the protocol"
14:50 < jtimon> although they got a lot of funding and now they launch protoshares? I don't understand
14:51 < pigeons> easier to launch another funding mechanism than implement a promised application
14:51 < gmaxwell> jtimon: do they actually have a lot of money?
14:52 < _ingsoc> Looks like they're just spending money left and right on whoever comes up with the promise of something.
14:52 < jtimon> I think so, that's what amir told me
14:52 < _ingsoc> gmaxwell: They do.
14:52 < gmaxwell> Protoshares seemed like it was an exit strategy for someone.
14:52 < _ingsoc> It's like 4k BTC?
14:52 < gmaxwell> But I've only been watching very lightly.
14:52 < jtimon> well, maybe it looked like a lot of money to me, I don't remember how much they got
14:52 < _ingsoc> That was a very long time ago.
14:53 < gmaxwell> okay, well, 4k btc is only a lot of money at a personal scale. (though I guess that's about the scale of mastercoins funds)
14:54 < _ingsoc> http://blockchain.info/address/1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P
14:54 < jtimon> I think it's a substantial quantity to fund development
14:54 < _ingsoc> That's them.
14:55 < jtimon> maaku do you think we could implement freimarkets with that? ;)
14:55 < jtimon> with what's left on the address, I mean
14:57 < jtimon> wasn't the exodus address a mastercoin thing?
14:57 < _ingsoc> If maaku would listen to me we could do freimarkets and more, but he's too stubborn. :D
14:58 < jtimon> what's your plan?
14:58 < _ingsoc> Aren't you guys sitting on a few million now anyway with your own dev fund?
14:58 < jtimon> what dev fund?
14:58 < _ingsoc> I thought Freicoin had something set up like that.
14:59 < jtimon> oh, the funds that are going to be issued through the foundation? that's not ours
14:59 < jtimon> we want to experiment with issuance mechanisms that aren't as wasteful as mining
15:00 < jtimon> but we can't take such direct decisions
15:00 < jtimon> we should list freimarkets to receive donations here though: http://foundation.freicoin.org/#/donations
15:01 < _ingsoc> How does the foundation decide what to do? And who's the foundation?
15:01 < jtimon> the foundation is us and 3 other freicoiners
15:01 < jtimon> but the proposals for issuance mechanisms are discussed publicly in the forum
15:02 < _ingsoc> So it's your fund that you can't use without some mechanism?
15:02 < jtimon> yeah, we can't directly choose an amount and finger to a person to receive them
15:03 < jtimon> that's what was promised and the chain is auditable
15:03 < _ingsoc> Right, so you can put up a proposal for freimarkets and get it funded if there's support for it?
15:03 < jtimon> if we fail our promise people can hard-fork and cancel the foundation funds
15:03 < jtimon> yes
15:03 < _ingsoc> That's interesting.
15:04 < _ingsoc> It's too bad that we get tied into camps. If we were fluid, stuff would get done a lot faster.
15:07 < jtimon> yes, this is especially painful in local currencies software
15:08 < jtimon> it's much simpler, but the efforts are even more divided
15:51 < iddo> anyone looked at bitshares or protoshares whitepaper?  http://static.squarespace.com/static/51fb043ee4b0608e46483caf/t/52654716e4b01acd1ac8a085/1382369046208/MomentumProofOfWork.pdf
15:51 < iddo> seems like these guys never heard of cycle finding algorithms without space complexity blowup, like pollard's rho ?
15:52 < jtimon> I looked at bitshares paper a while ago
15:52 < maaku> gmaxwell: from what I can tell the bitshares people have convinced some investor to bankroll whatever they do
15:52 < jtimon> there are many people that believe all these anti-ASIC arguments
15:52 < maaku> it's not like they're sitting on a pile of irrevocable funds like mastercoin is
15:53 < gmaxwell> yea, also mastercoin funds are bitcoin.
15:53 < gmaxwell> it's possible that if bitcoin goes up further mastercoin will end up with an amount which is impressive even at an institutional level...
15:54 < maaku> jtimon: heh, we could implement freimarkets with private servers at 5% of what's left of the mastercoin bucket of money... and have a better, more robust system
15:55 < iddo> gmaxwell: did you see the claim in that bitshares pdf that birthday collisions are hard to find without space complexity, but easy to verify? it sounds wrong, because you can find collisions with cycle detection?
15:57 < gmaxwell> iddo: yup. We've talked about that here before.
15:57 < gmaxwell> There is a simple time memory tradeoff.
15:57 < iddo> ahh
15:58 < iddo> i think that this channel should be logged+archived too, like #bitcoin-dev :)
15:59 < nsh> +1
15:59 < gmaxwell> iddo: but ::shrugs:: when they first published their stuff I eviscerated their initial "memory hard" PoW, reducing it from 128MB to 8kb, complete with an implementation. And also a probabilistic version with no memory required... and I wagged my finger at them about novel crypto. And their response was to hastily rewrite it and claim that the old one (which had been slathered with marketing) was "just a placeholder"
15:59 < gmaxwell> And after that point I decided I was never again going to do any technical analysis of their stuff.
16:00 < iddo> i see:)
16:00 < iddo> that whitepaper has wild claims that they don't try to back up
16:07 < pigeons> gmaxwell: i don't know the details but the new version of the PoW actually released which was supposed to require lots of memory usage already has custom mining software out for it bypassing the need for all that memory
16:08 < pigeons> so yeah, no reason to take them seriously
16:08 < pigeons> now the principal Larimer is in favor of GPU mining
16:09 < gmaxwell> My impression was that they felt they had to invent novel crypto for pure marketing mumbo jumbo purposes.
16:09 < pigeons> because his alternative is botnets/AWS
16:09 < gmaxwell> lol, I believe I made that point to them previously.
16:09 < gmaxwell> (I've certainly made it before)
16:09 < pigeons> yes lots of pure marketing mumbo jumbo over there
16:13 < iddo> pigeons: why is AWS bad?
16:14 < pigeons> iddo: i'm not making a judgement on it
16:15 < pigeons> there are trade-offs as far as accessibility and decentralization to all the approaches
16:32 < tromp__> that doesn't work for random memory access, maaku
16:33 < maaku> tromp__: it absolutely does. an integrated system-on-chip would always be more efficient than having external interconnects
16:34 < jtimon> I still don't understand the goal, and it's sad for me to see so many smart people dedicated to something I consider a complete  waste of time
16:34 < tromp__> pls explain how you'd implement pointer chasing on a die
16:34 < maaku> and because of heat dissipation and power issues, it may even end up having asic vs. gpu/cpu be an even *larger* performance jump than sha256
16:35 < tromp__> the goal is a pow constrained by memory latency
16:35 < jtimon> but why?
16:35 < maaku> tromp__: the same way you do on a cpu, but put the cpu + memory on the same die
16:35 < maaku> so, no need for an interconnect (except at the gate level inside the chip)
16:36 < jtimon> why do you think that "pow constrained by memory latency" is any better than SHA256?
16:36 < jtimon> you have to think it's somehow better if you're spending your time on it
16:37 < tromp__> because commoditized hardware gets optimized partly for low latency
16:37 < jtimon> how would bitcoin be better by replacing SHA256 ASICs with cuckoo ASICs ?
16:38 < jtimon> "[I'm missing a claim here] because commoditized hardware gets optimized partly for low latency"
16:38 < tromp__> i expect cuckoo asics will be way harder to develop
16:38 < tromp__> way harder than scrypt ones
16:39 < jtimon> tromp__ harder to develop mean less companies doing it, no? how does that help centralization?
16:39 < tromp__> i think you overestimate the feasibility of putting many GB of memory with embedded cpus on a die
16:40 < jtimon> no, I believe that making a cuckoo ASIC will be harder
16:40 < tromp__> i think commoditized hardware will remain competitive
16:40 < jtimon> I just don't see the point of making pow ASICs hard to develop
16:41 < jtimon> you want GPU mining to be competitive with ASIC mining?
16:41 < tromp__> sure
16:41 < jtimon> because there's many companies building sha256 asics but only two making GPUs?
16:42 < tromp__> no, because it's commoditized
16:43 < jtimon> "it's commoditized" it's starting to sound like "mongodb is web-scale" like if that was something inherently good or something
16:43 < jtimon> I'm confused
16:44 < jtimon> you prefer only two companies, namely ATI and nVidia producing most of the mining equipment "because it's commoditized"
16:44 < jtimon> ?
16:45 < tromp__> because everyone can easily buy a pc that can mine competitively
16:45 < jtimon> even if GPUs could be competitive with ASICs at all, I don't see the point
16:45 < tromp__> mining is no fun if you need to invest tons of capital preordering asics that will quickly become obsolete
16:45 < jtimon> tromp__ buying sha256 is now relatively easy and will only become easier
16:46 < maaku> tromp__: mining isn't about having fun...
16:46 < jtimon> at some point asics will stop "getting obsolete" so fast
16:46 < tromp__> i don't want to have the asic vs commodity hardware discussion right now
16:47 < maaku> tromp__: it'd be great if you could have a pow function that really did benefit from general hardware
16:47 < maaku> but that's rather impossible
16:47 < tromp__> there are many people who want a pow for which asic advantage over commodity hardware is minimized
16:47 < jtimon> ad populum
16:48 < maaku> tromp__: minimizing the asic advantage makes the situation worse off!
16:48 < tromp__> and for them, cuckoo seems like the best option
16:48 < grazs> so the best PoW algorithm would be cryptographically secure, cheap to produce, easy to replicate, hard to improve, add additional value (like curing cancer), distributed as evenly as possible, hard to deanonymize the result and be cheap to verify?
16:49 < jtimon> and I still wonder why would they want such a thing
16:49 < maaku> either make general hardware *exactly equal* to custom hardware (impossible in practice), or make the asic advantage *as great as possible*
16:49 < gmaxwell> jtimon: maximum return from botnets, of course. :P
16:49 < jtimon> grazs add additional value (aka curecoin) is very different, I'm all for that
16:50 < sipa> curecoin?
16:50 < maaku> grazs: not to mention progress-free, and all the other things I'm too distracted to think of which PoW requires
16:50 < jtimon> sipa there was a group collecting bounties and distributing them to people folding@home
16:50 < sipa> ok
16:50 < grazs> maaku: yes, think I included that with 'hard to improve'
16:52 < tromp__> anyway, thx for the "feedback"; i'm gonna have a little break now
16:52 < tromp__> afk
16:52 < jtimon> btw I actually liked charlee's intervention
16:53 < sipa> ?
16:53 < maaku> jtimon: well additional value is only good so long as it can't be monetized...
16:53 < jtimon> there were some stupid arguments I expected
16:54 < jtimon> and it was funny how he started to answer the question "What was your motivation for creating litecoin? When I created litecoin there was already other alternatives, but those were created by other people."
16:55 < jtimon> but overall good, I don't really think he went too technical, he even explained colored coins
16:55 < grazs> spoken like a tru playa
16:56 < jtimon> maaku would seti pow be monetizable?
16:56 < grazs> no
16:56 < grazs> seti isn't a pow, it's just work
16:57 < jtimon> yes, I mean a hypothetical seti-based pow
16:58 < jtimon> not that SETI is the more useful thing for humanity in the world, but still better than hash collisions or prime numbers I think
16:58 < maaku> jtimon: someone could pay money per work unit completed, as a way of 'donating' to the seti project
16:58 < grazs> results held ransom until you send seticoins to the coming coinbase
16:59 < maaku> more generally, if it was a general BOINC proof-of-work, it's easy to see how you could set up monetizable tasks
16:59 < jtimon> maaku, yes, I think that's simpler and I would like the foundation to do that
17:00 < jtimon> maaku, you said it yourself, they have to be hard-to-monetize tasks
17:00 < maaku> well, if/when freimarkets is completed it's a rather simple matter to issue assets based on the BOINC point system
17:00 < jtimon> no, general BOINC
17:00 < jtimon> maaku, yes I remember that plan
17:01 < jtimon> and gamers could make money with their GPUs again! everybody happy
17:04 < jtimon> btw, on the hearings, it is curious how so many people think that the blockchain's "main advantage" are somehow "cheap transactions", completely ignoring the big subsidies we have
17:05 < gmaxwell> jtimon: yea, "so you're telling me that your _global broadcast medium_'s value is that it's cheap?"
17:06 < jtimon> off-chain credit transactions will always be cheaper, this is just trustless
17:06 < jtimon> although irreversible actually makes transactions cheaper
17:06 < jtimon> and fees non-proportional
17:16 < grazs> jtimon: what are these subsidies?
17:18 < sipa> grazs: mining subsidy
17:18 < sipa> grazs: our preset inflation that basically pays for the system's security
17:19 < grazs> sipa: ah, oh yes ofc
17:21 < maaku> you know, just $127,500 per hour
17:21 < maaku> nothing big
17:45 < andytoshi> who can be said to have invented POW? was it adam or hal?
17:46 < andytoshi> i don't mean that to be an exhaustive list; english 'or' is ambiguous that way..
17:47 < gmaxwell> andytoshi: https://en.wikipedia.org/wiki/Hashcash
17:50 < gmaxwell> Am I the only person in here who ever used Hal's RPOW system?
17:50 < gmaxwell> I wonder if I can find some tokens from it.
17:51 < tromp__> this related work predates hashcash by 5 years: http://en.wikipedia.org/wiki/Memory_bound_function#Using_memory_bound_functions_to_prevent_spam
17:52 < maaku> it's not a proof of work though
17:54 < maaku> dwork and naor didn't have asymmetric validation times, which is the important innovation, I think
18:05 < jron> gmaxwell: I downloaded the source yesterday and assumed I was the only one who ever did that :P
18:07 < gmaxwell> jron: oh well it's long since dead as far as I know... or is hal's server back up again.
18:07 < gmaxwell> ?
18:08 < gmaxwell> I downloaded it and used it and talked to hal about it some back when it was new... had suggested some improvements and he tried to talk me into making a GUI for it. :)
18:10 < jron> I just got an urge to check it out after reading a story about him and his wife. I never compiled it/executed it.
18:13 < midnightmagic> tromp__: Adam Back has a very nuanced understanding of the origin of POW-like mechanisms/concepts and their history, including an extremely detailed response to an edit I made on the bitcoin.it wiki where I was wrecking Steve Gibson's video explanation of bitcoin. It's very fascinating if you can ever corner him somewhere.
18:13 < gmaxwell> you mean like in here where he talks almost every day?
18:13 < midnightmagic> oh is that him?
18:13 < gmaxwell> hahah
18:13 < midnightmagic> jesus
18:13 < gmaxwell> Yes.
18:13 < jron> hehe.
18:14 < midnightmagic> Well how am I supposed to know these nicknames, I live in the frozen north *grumble grumble*
18:14 < midnightmagic> Sorry Adam.
18:14 < gmaxwell> there are certainly differences in the requirements for anti-spam applications and consensus POW.
18:14 < gmaxwell> e.g. progress freeness is probably not really important for anti-spam.
18:14 < jron> midnightmagic: you might enjoy the interview he recently did on letstalkbitcoin.
18:15 < midnightmagic> ah yes I believe I will. He was very generous with his time in his emails with me.
18:16 < midnightmagic> aaargh produced by antonopoulos
18:17 < jron> midnightmagic: it was still enjoyable =)
18:17 < tromp__> midnightmagic: i would love to have adam's feedback on cuckoo cycle
18:17 < midnightmagic> :)
18:19 < gmaxwell> oh apparently BFL's 28nm stuff has a test chip running now.
18:11 < petertodd> see, I'm thinking that the fact that a child block was found would be known from examining *just* the parent blockchain, IE, put the child blockheaders in the parent blocks
18:12 < arbart> makes sense, it is a worked on (child) block with provable difficulty, some hash of it in the parent blockchain, something like that right?
18:13 < petertodd> yup, and importantly, by just examining the parent blockheaders+part of the blocks, you can come to consensus about the state of the child blockchain without knowing what the actual blocks are, just like SPV mode in bitcoin
18:14 < petertodd> and remember that miners who don't care about the particular child chain aren't checking the contents of the child chain's blocks, only that the child blockheaders are valid
18:15 < arbart> it's like sharding but in bitcoin, i really like it
18:15 < petertodd> well, it sounds good... but there's a nasty problem with what I've described: What happens if a child-chain miner mines an invalid block, or mines a block and never gives anyone the actual block data?
18:16 < petertodd> Remember, we said the rule was that once the blockheader met the parent chain difficulty, it went in that chain and locked in that version of history so that we had 50% attack security rather than just 25%
18:17 < arbart> yes, i often wonder about that (the data block, where is it published? a concurrent distributed datastore?)
18:17 < petertodd> Excellent question! It's only "published" by giving it to other miners, there's no central place where a block goes.
18:18 < petertodd> So here we've accidentally created a system that grinds to a halt if a blockheader gets in the parent chain - with full difficulty - but the block itself never gets distributed. Ooops!
18:18 < arbart> i see, it is provable and thus accepted, but then missing
18:18 < petertodd> yup
18:18 < arbart> arg :/
18:19 < petertodd> However, we can fix this, with what I call a challenge: Mine another full-difficulty block that basically says "OK, I want this tx to be mined, and it spends these txouts. Prove that either the tx has been mined in the child chain, or that it's invalid. If you do neither, then we relax the rules and let the child chain get reorganized anyway."
18:20 < petertodd> Or, equally the challenge could be "Where the !@#$ is block n? Stick it in this chain so we can all see it, and if you don't, we get to reorganize the chain."
18:21 < arbart> Oh, I get it now :)
18:21 < petertodd> With either version of the system (or both!) you still get the property that reorganizing the chain is hard *if* enough child-chain miners actually have the data - they can easily meet that challenge.
18:22 < petertodd> If the data gets lost somehow, or hidden maliciously, or whatever, then at least the system can recover and move on.
18:22 < petertodd> With the former version, where you can force a tx to be mined, you can always pay something like 2x the fees to get a tx mined even if some >25% attacker is trying to make the chain useless with empty blocks - not perfect, but better than nothing.
18:23 < petertodd> And of course, once you imagine a parent with two children... you can recurse this as deep as you want for as many tx's/second as you want.
18:24 < arbart> I was thinking recursive the whole time :)
18:24 < petertodd> hehe, good
18:25 < arbart> so who issues the challenge block? what basic condition triggers it?
18:25 < petertodd> Anyone can by mining a block meeting the parent PoW difficulty with the special challenge data in it.
18:26 < petertodd> Now, I'd expect that in a working implementation, you'd just make it possible for the 75% majority to see "Hey! Someone really wants a tx mined! Lets make it into a challenge."
18:32 < arbart> A challenge block would just have additional challenge code in it, so the miner is not forgoing tx fees and such?
18:33 < arbart> I do understand the tree-chain part itself and think it is a great idea.
18:33 < petertodd> Good question! I dunno exactly - challenges in themselves are probably possible to use in certain types of attacks. I mean, heck, you're forgetting the even bigger question of "How do I turn this crazy thing into a useful currency transaction system?"
18:35 < petertodd> For instance, can a tx on child left-left-left spend a txout from child right-right-right? Probably, with succinct merkle-path proofs. (like the (U)TXO stuff that people are working on) But what happens on a re-org? Didn't that just cause inflation?
18:35 < petertodd> (specifically double-spend inflation)
18:36 < arbart> This thing? are you referring to Bitcoin? I think it already is :) Tree-chains would augment it to enable killer apps beyond our imagination.
18:36 < petertodd> arbart: Or if not that, to enable killer headaches beyond our imagination. :P
18:37 < arbart> So tree chains might change the nature of Bitcoin as it is? I assumed txs would be rejected if they added inflation. But I think what you are raising then is things like that that would require checking the data? :)
18:38 < petertodd> Ah, but how does the miner on right-right-right know that spending a txout on left-left-left added inflation? Remember, they don't have the blockchain data, they just have a SPV-style proof that the txout existed and was spent.
18:39 < arbart> Yes, I'm seeing what you mean.
18:42 < petertodd> Heh, tough problem 'eh? I've got some ideas, but I'm not sure you can come up with a scheme that makes such systems have transactions as simple as bitcoin.
18:43 < petertodd> But anyway, given I seem to be able to explain it to some random passerby, it's an idea probably good enough to write up and publish. :) So thanks!
18:45 < arbart> It is indeed. If there was a clean recovery from missing blocks you mentioned, and an easy way for an arbitrary node to get any blocks in between two points (so alice on right-right-right, bob on left-left-left) in order to verify the merkle-path proofs and all :), that would solve inflation and make it no different than bitcoin as is (well, an evolution, so hard fork as in new version of client, but not incompatible)
18:45 < petertodd> arbart: Crazy thing is you can probably do this as a *soft-fork* even!
18:45 < arbart> If you have it as a pet idea, do you think it is possible? or just interested in mentally checking every so often? :)
18:46 < petertodd> Well remember, the problem isn't getting the blocks, the problem is prohibiting those blocks from getting reorganized, and the txouts getting respent elsewhere.
18:47 < petertodd> Fundamentally the system just doesn't have full consensus, and without that it's hard to prevent double-spends.
18:47 < arbart> I was kinda thinking that as you described it. It could be phased in and if not affecting inflation or security, Etc, would be accepted as simply a new version that enhances tx scaling.
18:47 < arbart> I see, possible friction :)
18:49 < petertodd> Yup. Now one possible solution is to move coins around in steps: IE, make left-left-left miners also be forced to mine right-right-right blocks in some pattern, and then move value through that path... but that's inconvenient and takes a long time.
18:49 < arbart> I see, and what bitcoin does is solve the double-spend. I agree that is not something to compromise.
18:50 < petertodd> Yes, although at least we did figure out how to solve double-spending locally and hierarchically. For instance, I could have a transaction spending some 1/4-value token and some 1/2 value token in a parent chain, where the 1/4 value move can only happen if the 1/2 value one does. (but not the other way around)
18:51 < petertodd> Also interestingly, if you have a scheme of binary-sized tokens Adam Back pointed out awhile back that you can easily wind up with something pretty much as private as zerocoin.
18:51 < arbart> Oh that is interesting
18:51 < petertodd> Tokens are kinda inconvenient, but it's a possibility.
18:52 < petertodd> Also, keep in mind that the system as described has inflation as the failure mode, that's still better than "your tx got reversed and your money vanishes"
18:54 < arbart> Oh I see, interesting. I suppose as long as it is not really possible to purposely cause it in meaningful amounts as an attack.
18:55 < petertodd> well, it's still an attack on the system, arguably, but not an attack on an individual, arguably
18:56 < arbart> Yes, it does seem to eliminate the individual attack.
19:04 < arbart> petertodd: So the current alternative you mentioned many times :) is the trusted third-party. That is something like a (logical/trust) network of web wallets?
19:06 < petertodd> arbart: off-chain tx's? it's a third-party, although the nature of the trust involved depends on how you do it
19:09 < arbart> Actually, I just realized, the third parties wouldn't have to trust each other... just trust the math of the bitcoin-nanopayment?
19:10 < petertodd> Sure, but getting acceptance for that is a social problem.
19:12 < arbart> Heh, totally. My thought was the probabilistic payments might not be accepted by the average joe, but perhaps it could work for bitcoin banks to settle with each other without needing to exchange records to settle balances (without them all being separate bitcoin txs),
19:13 < gmaxwell> micropayment channels are better for that.
19:14 < arbart> But what are the existing ideas? https://npmjs.org/package/bitcoin-nanopayment is now the closest one I know thanks to visiting here just now :)
19:14 < petertodd> arbart: ah, yeah if you're talking banks u-payments work well. Or ripple actually.
19:15 < arbart> I think it needs to work with bitcoin. Inflation proof.
19:17 < arbart> petertodd: I meant bank as a concept, even if it were a computer algorithm running somewhere.
19:17 < petertodd> arbart: inflation proofing third-party balances is pretty easy actually - you can always have the bank prove your balance is backed by real bitcoins
16:06 < andytoshi> we were able to specify it, then my girlfriend rosemary found a reduction to the partition problem, which means that it's NP-hard in general to detect whether a transaction might be a cj
16:06 < nsh> (well, it was a maximal-matching over bipartite graph)
16:06 < andytoshi> which is bad, because we wanted to know "how much" of a coinjoin the transaction might be
16:06 < nsh> right
16:07 < andytoshi> so we settled on just looking at the most popular output size and counting the outputs of that size to estimate the maximum possible # of participants, which is an awful estimate
16:07 < nsh> so was the intuition that there is a measure of coinjoin-iness unfounded?
16:07 < gmaxwell> hm? there is a measure. It's just potentially hard to compute.
16:07 < andytoshi> nsh: no, we were able to make the intuition pretty solid. we wanted to measure the amount of information an attacker gains by knowing the exact form of the join
16:07 < nsh> ah, right
16:07 < gmaxwell> though I assume that it's trivial in practically all cases.
16:08 < gmaxwell> I think though we also realize that if you relax the form slightly and allow one coinjoiner to be paying another then the amount of information gained is far far lower.
16:08 < nsh> hmm
16:08 < andytoshi> yeah, i think we landed on that destroying pretty-much all information since your output owner-set could be completely unrelated to your input owner-set
16:09 < andytoshi> well, that's not quite true
16:10 < andytoshi> i guess in general it is because some participants could be paying several people at once.
16:11 < gmaxwell> if you have some sparsity requirement you still gain information, but its far less... I didn't bother thinking about a formal statement of the sparsity requirement in order to figure out how much less.
16:11 < nsh> is there a practical way to allow participants to negotiate paying for each other to decrease the derivable information?
16:12 < helo> ~ripple?
16:12 < nsh> hmm
16:12 < andytoshi> but otoh, for the joins that we've been doing with my client, everybody is just paying themselves and we have a ton of round outputs alongside N ragged ones. obviously the ragged ones are the change outs and this tells the attacker how many participants there are. and then you can guess which inputs are owned by the same people, and this makes your analysis way easier
16:13 < gmaxwell> (sparsity: each person is paying either 1 or 2 people (potentially but not necessarily including themselves), each output is being paid by 1 or 2 people (again), etc)
16:14 < nsh> i wonder how much correspondence there'll be between this and the zerocash "pouring" dynamics
16:20 < michagogo|cloud> gmaxwell: How far in does ..._1.ts start?
16:20 < gmaxwell> I'm not sure, basically as long as it took me to figure out how to save the data!
16:20 < gmaxwell> someone who actually saw it might be able to tell you.
16:20 < gmaxwell> looks like it's over?
16:25 < c0rw1n> you have the capture gmaxwell?
16:26 < gmaxwell> https://people.xiph.org/~greg/bitcoin_ny_hearing_3.ts is the afternoon session, and this one is complete from start to end.
16:26 < c0rw1n> ok thx :)
16:27 < michagogo|cloud> gmaxwell: So you don't know how much is missing prior to the start of the first file?
16:29 < gmaxwell> No, but for the sake of improving my communications skills, can you help me understand what ambiguity I left in my initial answer to that question?
16:30 < gmaxwell> phantomcircuit: so you say there is archived footage someplace?
16:30 < phantomcircuit> gmaxwell, it's available at the same link as the live video
16:30 < phantomcircuit> http://www.totalwebcasting.com/view/?id=nysdfs
16:33 < jtimon> wget + vlc seems to work just fine, thanks again gmaxwell
16:34 < andytoshi> +1 jtimon, thanks gmaxwell!
16:35 < jtimon> justanotheruser andytoshi I think retroshare does what you want by establishing a F2F network
16:35 < andytoshi> what does f2f stand for?
16:36 < c0rw1n> friend-to-friend
16:36 < jtimon> yep, it's basically a pgp web of trust
16:37 < jtimon> with chat, messages and file sharing
16:37 < gmaxwell> foe to foe network.
16:37 < c0rw1n> foe to foe, that's botnets ddos'ing each other?
16:38 < nsh> ("Old English gefa 'foe, enemy, adversary in a blood feud' (the prefix denotes 'mutuality'), from fah 'at feud, hostile,' from Proto-Germanic *fakhaz)
16:39 < phantomcircuit> retroshare seems like a reasonably good idea
16:39 < phantomcircuit> except i haven't seen anybody break anything on it yet
16:39 < phantomcircuit> which probably means nobody has looked very hard
16:40 < maaku> phantomcircuit: would be even better if they had a group of strong cryptographers looking at it
16:40 < maaku> they're mostly reusing PGP, so if they're even reasonably competent it's probably not horribly broken
16:40 < jtimon> I think the worse part is getting people using it so you're actually not a island in that f2f network...
16:41 < maaku> but that said, I'm not sure PGP is the right construct to use...
16:42 < jtimon> gpg ?
16:43 < phantomcircuit> maaku, doesn't provide for forward secrecy
16:43 < phantomcircuit> there's no reason for a f2f network not to have pfs
16:43 < maaku> jtimon: what phantomcircuit said
16:43 < maaku> deniability, perfect forward secrecy, etc.
16:44 < maaku> PGP is ideal for on-the-record, or point-to-point encrypted email
16:44 < maaku> not really designed for social networks...
16:44 < maaku> which is unfortunate - i wish there was an active #retroshare-wizards community
16:44  * jtimon is reading wikipedia's article on forward secrecy
16:45 < gmaxwell> maaku: I use PGP more than most people, and I can only think of three or four times when the non-repudiation it creates was desirable, and a bunch of other times where it was a liability.
16:46 < maaku> gmaxwell: is it possible to do non-repudiation over store-and-forward, non-interactive medium?
16:46 < gmaxwell> yes. sure.
16:47 < gmaxwell> you mean non-non-repudiation and the answer is still sure.
16:47 < maaku> er, yeah
16:47 < gmaxwell> e.g. just do ECDH with your pubkey and mine, and we have a encryption key which authenticates the channel but in a non-transferable way.
16:47 < gmaxwell> forward secrecy is a bit harder, but can be done.
16:49 < andytoshi> gmaxwell: how is that ECDH auth nontransferable?
16:49 < gmaxwell> E.g. the dumbest way to get forward secrecy is I just generate one pubkey for each month from now till my key expired 10 years from now, and concat them... and then as each month goes by I destroy more of the private key... this is functional but kinda daft.
16:49 < gmaxwell> andytoshi: because you can simulate it without my cooperation.
16:50 < gmaxwell> andytoshi: e.g. I give you my private key and a message encrypted with a session key generated with my private key and maaku's public key.  How do you know maaku wrote it and I didn't just make it up?
16:50 < andytoshi> oh, thx, i gotcha
16:51 < andytoshi> i was just being daft. my brain is not working properly today it seems..
16:52 < gmaxwell> Smarter non-interactive forward secrecy can be done using identity based encryption. E.g. you make an IBE master key and use it to generate your zillion future private keys, but then your public key is just the IBE master public key. You destroy the IBE master private key... and the ephemeral IBE keys as you go. This has the advantage of making the public key the same size as a regular ECC public key.
16:52 < gmaxwell> (though your private data is large)
16:53 < gmaxwell> There are some IBE based schemes that eliminate the requirement to do precomputation of the ephemeral private keys, but I dunno how they work, just saw papers on them. (sadly most of these papers are not written in comprehensible english... so actually sorting out what they're doing takes more work than justified unless you need the result)
17:06 < phantomcircuit> andytoshi, the key is that you know maaku wrote it because you didn't forge the message, but anybody else can't prove that he did because you could have forged the signature
17:23 < maaku> in other words, you can only prove authorship is maaku OR andytoshi
17:24 < gmaxwell> maaku: not even; you prove that the author had help from maaku or andytoshi (or anyone who has one of their private keys, which anyone who verifies it needs to have)
17:24 < andytoshi> nice! i'm passingly familiar with the concept but i've never seen a simple example
17:25 < gmaxwell> a ring signature lets you actually do "authorship is maaku OR andytoshi" in a publicly verifiable way, which can be useful in that space too.
17:25 < maaku> doesn't OTR also have some sort of construction such that after the fact some secret is revealed letting anyone construct fake transcripts?
17:26 < gmaxwell> maaku: yea, so what OTR does is uses separate keys for authentication and encryption, and intentionally leaks the auth keys once they're used. Then it includes a tool to let you create forged transcripts.
17:27 < gmaxwell> But really, that's kinda unnecessary, the security properties are achieved even without it. But it does make it easy to make demonstrations that transcripts prove nothing.
17:29 < michagogo|cloud> 23:50:29 <gmaxwell> andytoshi: e.g. I give you my private key and a message encrypted with a session key generated with my private key and maaku's public key.  How do you know maaku wrote it and I didn't just make it up?
17:29 < michagogo|cloud> gmaxwell: is that what you meant to say?
17:30 < michagogo|cloud> ("give you my private key")
17:30 < gmaxwell> yes.
17:30 < michagogo|cloud> okay
17:31 < gmaxwell> If I don't give you my private key, even telling if the session key is a result of a maaku+me key agreement is the decisional DH problem and is believed to be intractable in a suitable group.
17:37  * michagogo|cloud assumes that in such a case you'd be using disposable privkeys?
15:32 < petertodd> nsh: seems to work, needs unittests with test-cases derived from something else though
15:32  * nsh nods
15:33 < nsh> on github?
15:33 < petertodd> Emcy: 200A service is fairly common, which is 24kW in theory
15:33 < gmaxwell> petertodd: per phase.
15:33 < petertodd> nsh: not yet, but I can if you want to
15:33 < gmaxwell> 'phase'
15:33 < gmaxwell> Emcy: 160 and 200 amp breakers (at 240v) is pretty typical. so about 40-48kW.
15:33 < petertodd> gmaxwell: oh right! so double that for US-style wiring
15:33 < nsh> well, no rush on my part, but i'd like to see it whenever
15:33 < petertodd> nsh: if you can come up with a source of test cased that'd be great!
15:33 < petertodd> *cases
15:33  * nsh nods
15:34 < petertodd> Emcy: basically, you can easily spend ~$5/hour on electricity :)
15:34 < Emcy> you have a special 240v circuit?
15:35 < petertodd> Emcy: all us-style-wiring houses do actually
15:35 < nsh> people would draw ridiculous currents with massive over-the-top christmas lighting set-ups, before LEDs replaced a lot of the incandescent bulbs
15:35 < gmaxwell> Emcy: in the US our power is really 240v but wired with a center tap on the transformer so you can get 120 or 240 volts depending on how you're wired up.
15:35 < petertodd> Emcy: basically you have two 180 degree out of phase circuits referenced to ground, so 240V across the two
15:35 < Emcy> interesting
15:36 < gmaxwell> There are three lines down from the pole,  Hot, Neutral, Hot, and between the two hots you have 240v. Between any hot and the neutral you have 120v.
15:36 < petertodd> Emcy: norway (?) and a few other countries routinely run three phase into the home actually, so that's three 120deg out of phase wires
15:37 < Emcy> we have an earth pin instead ^^
15:37 < gmaxwell> Big appliances (electric stoves and dryers and air conditioners) are wired on 240v, the rest is usually wired up to 120v.
15:37 < petertodd> Emcy: no, everyone has earth (nearly)
15:37 < Emcy> your plugs have 2 pins, so i assumed everything is double insulated
15:38 < petertodd> Emcy: earth is for safety, not for current
15:38 < gmaxwell> Emcy: we have an earth pin too. (and usually the neutral is also tied to earth, but some distance away, so it's not a great earth ground on its own)
15:38 < Emcy> lots of UK stuff has a dummy earth pin
15:38 < petertodd> Emcy: US does that too, it's just an engineering decision as to whether to use the earth pin or not to meet the safety requirements
15:38 < gmaxwell> (also if the neutral comes disconnected at the pole, all your appliances end up in series in between the 240v, and the neutral becomes electrified relative to ground, and bad things happen like fire. :P )
15:39 < petertodd> Emcy: pretty much anything with a metal case exposed to the user will use it as that makes it easy to keep the case at zero potential, but exceptions apply in both directions
15:39 < Emcy> two phase seems complicated for domestic wiring tbh
15:39 < Emcy> over here we have 30A cooker circuits for the big stuff but thats it
15:39 < petertodd> Emcy: nah, it's really simple actually, and makes meeting safety specs easier
15:40 < adam3us> so yes well i picked malta for a reason (very scientific, spreadsheet involving a dozen factors and it came out on top for my preferences) i used to live in montreal for 3yrs when i was at ZKS, its not bad; i also spent time in zurich, my mom is from there, I like it a lot
15:40 < adam3us> apropos of telecommuting locations. have been doing it in malta >5 yrs now :)
15:40 < gmaxwell> adam3us: I wasn't aware of that, but I had the impression that your decision to live there was carefully considered.
15:40 < petertodd> Emcy: see, you guys have 240V to earth, so you need 240V-rated insulation, while we get away with just 120V insulation yet get the same advantage of 240V for high power stuff
15:40 < Emcy> and ive never understood how neutral is thus called when it will happily kill you dead too
15:41 < petertodd> Emcy: thing is, as it turns out 240V insulation safety isn't that hard, so just using 240V would be ok too - but that's not changing now
15:41 < Emcy> petertodd that makes sense
15:41 < petertodd> Emcy: you guys have neutral too actually
15:41 < Emcy> yes i know, its the blue one. But its still hot
15:41 < petertodd> Emcy: yes and no. it's only hot in the sense that it *can* be hot
15:42 < petertodd> Emcy: like, if you touch neutral, 99% of the time you'll be fine, but if you touch earth, 99.999% of the time you'll be fine :)
15:42 < Emcy> i like those odds :D
15:42 < gmaxwell> petertodd: well if it's not really well bonded to ground it may often have some residual potential.
15:43 < gmaxwell> e.g. neutral in my dad's house was often 30 volts relative to a good earth ground and electronics whose cases ended up connected to neutral would arc against stuff.
15:43 < Emcy> ive gotten a smack of an earth pin before. I learned about PD
15:43 < petertodd> gmaxwell: exactly, and even if it is there's some voltage due to voltage drop
15:43 < adam3us> gmaxwell: from your skimming the delayed private key gen IBE seems interesting did u get the impression that could do the one of the NIFS sub-problems of having the private keys be in some sequence so you could compute forward but not backward? any idea of the hardness assumptions more or less conservative than weil-pairing?
15:43 < Emcy> ive gotten a smack off a tv tube too :(
15:43 < petertodd> Emcy: yeah, those are dangerous...
15:43 < petertodd> Emcy: you could have easily been killed there
15:43 < Emcy> yes
15:44 < Emcy> it wasnt even plugged in, just charged
15:44 < petertodd> Emcy: the problem with electric shock is parts of your body can withstand *much* higher currents than others - like any time you even feel a shock, that's actually enough to stop your heart, but 99.9% of the time the current isn't in the right place
15:44 < Emcy> from memory its 30mA across the heart
15:44 < petertodd> Emcy: so people get complacent when nothing ever happens, when in reality nothing happened only because the current bypassed their heart
15:44 < gmaxwell> adam3us: I didn't contemplate it. I was mostly trying to figure out if I could make the data smaller.  Do you see a big need for forward only?  My thinking is that sending a new key for every block/day whatever isn't a big overhead... and we actually want a filtering node to stop filtering when we're not connected.
15:45 < Emcy> and skin resistance is 40v or so dry
15:45 < petertodd> Emcy: more like 1mA directly applied to the heart IIRC
15:45 < Emcy> i was taught to work with one hand wherever possible :)
15:45 < petertodd> Emcy: 40V is a voltage, not a resistance :) but yeah, <48V tends to be safe pretty much wherever due to skin resistance
15:45 < petertodd> Emcy: however, something as simple as a probe cutting into your skin can lower the resistance enough to get you killed
15:46 < petertodd> Emcy: very good advice
15:46 < andytoshi> petertodd: i think he means there is a breakdown voltage of ~40v. i have heard this too but i don't think it's true
15:46 < Emcy> i mean ~40v before a bad current gets going
15:46 < Emcy> but youre right, humans are not zeners lol
15:46 < petertodd> andytoshi: it's very true, well-documented cases of that
15:47 < adam3us> gmaxwell: not strongly interesting for bitcoin reusable addr i guess. fwd-secrecy i was just noticing in passing the other day could have some nominal value perhaps like if your disk got compromised, you couldnt even correlate your own old tx never mind help a full node do it :)
15:47 < petertodd> andytoshi: medical power supplies are orders of magnitude better isolated because of that - even static shocks can be life threatening when your chest is opened up
15:47 < Emcy> hmm thats a point
15:47 < petertodd> Emcy: yeah, but fortunately, when your chest is opened up normally you're in the best possible place to get a heart attack :)
15:48 < andytoshi> psh. i always keep my chest open for easy maintenance
15:48 < petertodd> Emcy: the real safety concern there is actually that anaesthetic gases are often flammable
15:48 < Emcy> petertodd hell some treatments require it lol
15:49 < gmaxwell> petertodd: did you know that conman is an honest to god anesthesiologist?  I'd thought the whole putting people to sleep thing was incompatible with his temperament, but now that you mention the flammability. :P
15:50 < petertodd> gmaxwell: lol! is that the same guys that's a kernel dev?
15:50 < adam3us> about the non-transferable sigs (in store-and-forward comms) various permutations ian brown & I wrote some basic ideas for pgp http://www0.cs.ucl.ac.uk/staff/I.Brown/nts.htm gmaxwell explained it fine above Ian even drew pretty pictures.
15:50 < gmaxwell> yes.
15:51 < petertodd> gmaxwell: sheesh, some people just make you feel inadequate :P
15:51 < Emcy> adam3us are you adam back?
15:51 < adam3us> Emcy: yeah
15:52 < Emcy> ok
15:52 < petertodd> adam3us: heh, I've done that protocol by hand before
15:52 < gmaxwell> adam3us: I can't fathom why pgp still forces non-repudiation onto people after all this time, what it does is something basically no one wants. If you want encryption + non-repudiation what you want is a clearsigned message which is encrypted, so that you can show it to people without dealing with their inability to decrypt.
15:53 < adam3us> gmaxwell: its horrendous.  mostly u do NOT want non-repudiability period IMO
15:53 < gmaxwell> yea, I mean, it's useful from time to time. But you always know when you want it.
15:53 < adam3us> gmaxwell: exactly.  99% of the time its unnecessary risk
15:54 < petertodd> adam3us: I'd love to see some court cases where this has actually come up - as I said on cryptography in reality repudiation is hard to achieve anyway
15:55 < adam3us> petertodd: yeah as i read it courts just make pragmatic decisions... preponderance of evidence bla blah.  but OTR with no logging is good.
04:58 < cads> the classes are taught with a combination of pre-recorded lectures, free digital copies of reading materials, and volunteer tutors/study group leaders.
04:59 < cads> and the coins you submit to the class just tell the professors that you have already learned the pre-requisite material
05:00 < cads> if you just want to dive into a high level class without coins, you are welcome to, and you will still earn coins at the end of the class - if you succeed
05:00 < cads> but professors might be discouraged from helping you unless you can prove your level of preparedness in other ways
05:01 < cads> I don't see that these coins would be spent, as such
05:02 < cads> the professors could win a certain part of the purse put up by the students of the class, to signify that they too learned something in the process
05:03 < cads> but the students would also get the coins credited back to them. in essence, the learning transaction would mint coins from nowhere, to signify that the increase in learning wealth came from nowhere but the students and teachers working together
05:04 < cads> if you have enough coins of the right type to qualify as being an expert in a field, you can translate them to a degree
05:04 < cads> or transfer them to a traditional university
05:05 < cads> this is all that I have so far
05:10 < cads> one objection that I have is that it might not be right to try to stretch the currency analogy to education systems. But to that objection, I agree it's easy to see that diplomas _are_ a form of good with a steady value, but they are not a medium of exchange, as they are not transferrable.
05:11 < cads> Here, education coins would not be transferrable as such: when you transfer a unit, you still keep the unit you had.
05:12 < cads> so it's certainly an interesting stretching of the concept, and maybe it's not too much of a stretch
05:13 < cads> I have plenty of other objections, including how could we make this system fair, could the system account for the fact that people forget things they learned (should education coins have built in demurrage that kicks in if you're not teaching or otherwise applying your knowledge?)
05:14 < cads> and who decides what constitutes a degree
05:14 < cads> any other questions or objections would be welcome
05:15 < cads> and I trust that my rant finds a good place here in -wizards :)
06:44 < amiller> -wizards is a safe place for such rants :]
06:44 < amiller> at first i was gonna say that's a good idea but i don't think that has much to do with bitcoin
06:45 < amiller> but actually it kinda reminds me of something like Mozilla badges
06:45 < amiller> https://wiki.mozilla.org/Badges
06:45 < amiller> it's commonly understood that things like education degrees are a kind of "currency", not inherently a transferable one
06:49 < cads> certainly
06:52 < cads> there is a knowledge component and a related but partially independent social credential aspect, which allows you to bank on that knowledge relative to some job market.
06:54 < cads> The knowledge (which we may take to encompass experience) required to do the work in that market is, as it were, just part of the market's entry cost. The other part is whatever means that workers use to signal that their knowledge is authentic.
06:55 < cads> Still a third cost is the investment into the social connections needed to provide an endpoint to receive your knowledge and knowledge credentials.
06:57 < cads> the 'education system' consists mostly of the means to acquire the first two aspects. It's reasonable that any theoretical distributed education system will fulfill those two criteria.
06:57 < cads> reasonable to assume*
06:58 < cads> At least I think so.
06:59 < cads> Most education systems also fulfill the third criterion - they teach which job markets exist, how much each one might profit you, and while you're learning they connect you to people who will support your search for an outlet for your new skills.
07:01 < cads> but I would point out that the best of the systems do a much better job at this last criterion than the lower quality education system.
07:01 < amiller> a cryptocurrency's role in this is pretty small then
07:01 < amiller> just a place where a degree issuer can register the credentials
07:02 < amiller> so for example if i want to convince someone i have a degree,
07:02 < amiller> i have to give them contact info to a university administration
07:02 < amiller> and they have to do things like send Official Transcripts and they're expensive and i'm worried that in 20 years the administration will deteriorate so much they'll fail to do that on demand or something
07:03 < amiller> so it would be simpler if that whole process just consisted of a credential being etched into a blockchain and kept queryable
07:03 < amiller> and by making it simpler like that it can lower the bar to entry so that other issuers could provide just as usable credentials (like badges) without needing that full overhead to be official
07:05 < cads> hmm, I agree
07:07 < cads> by making them like badges you might get higher granularity in the credential's ability to describe your skill set
07:08 < cads> by making them queryable you may also reduce the job search and hiring overhead
07:11 < cads> it's interesting to think that the actual knowledge transfer part may be the cheapest of the three aspects, in some sense
07:12 < cads> MIT has no problem, for example, exposing its courseware for free. But its tuition is higher than ever.
07:13 < cads> of course, the return on investment on a MIT education is the highest of any university in the USA
07:14 < cads> while the return on investing (your time) into the open courseware is "whatever you can make of it"
07:16 < cads> I think this is perhaps an unrealistic comparison, because being on campus, talking to peers, professors, all that contributes to a different and more complete experience than the online classes
07:16 < cads> finally, it builds your network
07:20 < cads> I'm not sure where I'm going with this. I'm free associating, by now :)
07:21 < cads> At some level the market must reward the MIT students the most because those students have been proven to be the most profitable, in the past.
07:24 < cads> But another factor is bound to be this : MIT is a trusted source of knowledge workers, and so hiring from their ranks poses a risk. Employers are willing to pay MIT grads more because they see it as hedge against the risk of hiring an incompetent worker
07:24 < cads> err
07:25 < cads> hiring from their ranks poses a _lower_ risk, I meant to say.
07:25 < cads> heh, that's all I have, for now :)
07:27 < cads> (but now I'm really far away from cryptocurrencies)
21:02 < jgarzik> [ANNOUNCE] OnionBC Escrow launched! - https://bitcointalk.org/index.php?topic=153967.0
21:02 < jgarzik> (as a responder implied, it might very well be a TorWallet-like scam; just noting its presence)
--- Log closed Sun Mar 17 00:00:28 2013
--- Log opened Sun Mar 17 00:00:28 2013
01:29 < warren> grau_: saw your bitsofproof git today.  I'm curious how big is the data if you use a SQL backend, and how fast is that?
01:29 < grau_> warren: about 12GB
01:30 < grau_> I tried derby and PostgreSQL
01:30 < grau_> The performance is a magnitude below leveldb
01:30 < grau_> It is only interesting if you want to do queries of the blockchain
01:31 < warren> I've wondered what kind of backend blockchain uses, you think it is anything like this?
01:31 < grau_> warren: I guess so. Performance with relational database is just a question of budget
01:31 < warren> I'd guess they can't achieve that kind of response time with a single SQL db.
01:31 < warren> ah
01:32 < grau_> Having a cluster of Teradata e.g. I would get the performance of LevelDB
01:32 < grau_> likely. Did not try
01:33 < grau_> warren: My relational store is also fully normalized
01:34 < grau_> BitcoinJ eg had relational store too but un-normalized. That way you can speed up a lot
01:34 < grau_> but data mining then is not that simple
01:34 < grau_> so it forgoes the point of relational db actually
01:34 < warren> how's memory usage of this?
01:35 < warren> grau_: is anything using this in production?
01:35 < grau_> Well it is Java, so it uses a heap you give it
01:35 < grau_> warren: I would not run under 500mb
01:35 < grau_> I have this running constantly on bitsofproof.com
01:35 < grau_> I do not claim production quality but its beta
01:36 < warren> no website I can load there
01:36 < warren> I just randomly found the git
01:36 < grau_> I know. but there is a bitcoin if you connect and it is bitsofproof
01:36 < warren> ooh
01:36 < grau_> warren: I have not yet pushed it besides dev forums until it is high quality
01:37 < grau_> I want to launch it big in San Jose
02:02 < warren> grau_: does this rely on openssl ecdsa too?
02:02  * warren didn't look at code yet
02:04 < grau_> warren: no, its bouncy castle
21:45 < sipa> just added signing code to my secp256k1... it's not exactly constant time, but close at least
21:45 < warren> sipa: awesome!
21:45 < warren> sipa: will you eventually have a replacement for openssl/ec.h ?
21:46 < sipa> yes, isn't hard now anymore
21:46 < sipa> still need key generation and probably (hell :S) parsing/saving in openssl's secret key format
21:49 < warren> sipa: might as well publish it as an independent library that can be used by other apps then.
21:50 < warren> that might encourage more eyes
21:57 < warren> sorry, meant to make that a question
21:57 < sipa> it's a good suggestion
21:57 < warren> sipa: haven't looked into it yet, but bitmessage is in a similar pickle here
22:27 <@gmaxwell> warren: I don't think bitmessage should care about ecdsa performance.
22:32 < warren> gmaxwell: performance is not the issue, the desire to use bit* without replacing openssl
22:35 < jgarzik> Sigh.  The only python irc library in Fedora repos handles its own I/O selecting/looping, presuming that it is the main process
12:27 < michagogo|cloud> Obviously we will never, ever manage to make them safe
12:27 < michagogo|cloud> Otoh....
12:27 < petertodd> We're not even going to get close frankly.
12:28 < michagogo|cloud> if we implement this warning, people will read more into it than they should
12:28 < petertodd> yup
12:28 < michagogo|cloud> (specifically, absence of said warning)
12:28 < petertodd> the "fix" is worse than the problem.
12:28 < michagogo|cloud> Also: would this also apply for transactions in blocks? Guessing not
12:28 < petertodd> But... I shouldn't discourage anyone, as it *does* help adoption of replace-by-fee.
12:29 < michagogo|cloud> The double-spend relaying thing could certainly be worth adding, if only for replace-by-fee
12:29 < petertodd> yup...
12:30 < michagogo|cloud> Hmm, actually
12:30 < michagogo|cloud> If you do that, you do need to implement some kind of warning
12:30 < petertodd> now if only I could convince gavin to add double-spend relaying that only relayed roughly same-sized txs :P
12:30 < michagogo|cloud> The two things are not separate from each other
12:30 < petertodd> michagogo|cloud: wait, do you know what the scorched earth strategy is?
12:30 < michagogo|cloud> ;;google scorched earth
12:31 < michagogo|cloud> Oh, no gribble
12:32 < michagogo|cloud> "destroy anything that we come across that the enemy might be able to use"?
12:32 < petertodd> https://bitcointalk.org/index.php?topic=251233.msg2669189#msg2669189
12:32 < michagogo|cloud> Or is there something else called that?
12:33 < petertodd> it's brilliant, although jdillon overstates it a little - it heavily depends on a jam-free communications layer, and DoS attacking that can cause it to fail. But overall it's pretty good.
12:34 < michagogo|cloud> Ah, interesting
12:35 < michagogo|cloud> So basically, if someone tries to double-spend a merchant doing this, the merchant will simply throw the amount away
12:35 < petertodd> yup
12:35 < petertodd> aligning the incentives of miners and merchants
12:35 < michagogo|cloud> Well
12:35 < petertodd> main thing I like about it is that it rejects the idea that miners should be "responsible" re: zeroconf
12:35 < michagogo|cloud> You'd still need to wait for confirmations
12:35 < petertodd> nope
12:36 < michagogo|cloud> Because even though an attacker couldn't take the money back
12:36 < michagogo|cloud> (afk for a moment, brb)
12:36 < petertodd> If you can assume that you will "quickly" know about a double-spend, and can "quickly" implement the scorched earth policy with a counter-double-spend, then the attacker's gains converge to zero.
12:36 < OrP> Hey Michagogo - I'm from Israel - you guys were correct about NIS
12:37 < michagogo|cloud> petertodd: Even though an attacker couldn't get the money back
12:38 < OrP> Also - I wanted to point out the banks in Israel are investing a lot on dollars
12:38 < OrP> A thing I can't figure out
12:38 < petertodd> michagogo|cloud: what do you mean?
12:38 < michagogo|cloud> If you rely on an unconfirmed for anything irreversible, the attacker could still keep the funds from the merchant
12:39 < michagogo|cloud> As a way to damage the merchant, even though you don't get the funds back
12:39 < michagogo|cloud> (though as jdillon says, "The transaction can also be constructed such that the payee pays slightly more in advance, with the merchant refunding the extra amount once the transaction confirms")
12:40 < petertodd> michagogo|cloud: sure, but in a *lot* of real world scenarios the actual damage to the merchant is minimal: for instance if you're selling ringtones you don't actually incur a cost on a double-spend, you just need to make sure it's worth it for the attacker to bother
12:40 < michagogo|cloud> not worth it, you mean?
12:41 < petertodd> michagogo|cloud: I wouldn't want to sell a car with it, but in most low-value circumstances scorched-earth is likely to be enough of a deterrent to keep people honest
12:41 < michagogo|cloud> Right, that's a good point
12:41 < michagogo|cloud> (also, this only helps if you advertise that you do it, right?)
12:41 < petertodd> Same reason coffee shops and bakeries get away with not actually having any sales staff...
12:41 < petertodd> well, if everyone has software that does it automatically...
12:42 < michagogo|cloud> Right, that counts as advertising that you do it :P
12:42 < petertodd> yup
12:42 < michagogo|cloud> Anyway, so it would make unconfirmed transactions somewhat more safe
12:42 < petertodd> even then, an attacker might steal one ringtone, so what?
12:42 < michagogo|cloud> Really, depending on the attacker's motive
12:42 < petertodd> yup, without the nasty politics of trying to regulate miners
12:43 < michagogo|cloud> It makes it much, much safer against an attacker trying to keep their money
12:43 < petertodd> keep in mind, I originally proposed replace-by-fee months ago, not realizing that scorched earth was possible, simply because I thought it'd be worth getting miners to do this now before people started trying to take much more dangerous counter-measures to make zeroconf safe
12:44 < petertodd> jdillon came up with scorched earth after that
12:44 < michagogo|cloud> OTOH, since you'd basically be throwing away the money as soon as you detected this attempt, it would make an attack that simply is intended to hurt you much, much easier
12:45 < petertodd> sure, but as I say, in most real-world cases merchant cost is dominated by overhead
12:45 < petertodd> * for low value items
12:46 < michagogo|cloud> (also, worth noting that scorched earth requires more than replace-by-fee -- it also requires cpfp)
12:46 < petertodd> yup, and beyond cpfp, it requires the ability to relay multiple-txs in one "packet"
12:47 < michagogo|cloud> Hm?
12:48 < petertodd> the merchant needs to relay both the original tx that paid them, and the pay to fees tx in such a way that even nodes that didn't see the original tx know it's worth replacing the attackers double-spend with the two txs
12:49 < petertodd> also, note how merchants shouldn't let people pay them with txs that are unusually large... which can be a limitation
12:51 < michagogo|cloud> Oh, I see
12:52 < petertodd> yup, really, guaranteed to work is single input, two P2SH outputs
12:52 < michagogo|cloud> Because if you only implement replace-by-fee and not full double-spend relaying, cpfp itself, to work fully, requires a way to relay the parent after or with the child
12:52 < petertodd> yup
12:53 < petertodd> but good cpfp needs that anyway
12:53 < michagogo|cloud> (and of course we don't want to store orphan transactions)
12:53 < michagogo|cloud> Yeah, that's what I just said
12:53 < michagogo|cloud> "cpfp itself, to work fully"
12:53 < petertodd> lol, right
12:53 < michagogo|cloud> :P
12:54 < petertodd> anyway, in the meantime, it's likely that double-spend notification will be implemented, in which case I can encourage miners to adopt replace-by-fee by advertising the fact that I'm making large fee double-spends - join in the fun!
12:58 < michagogo|cloud> lol, nice
12:58 < michagogo|cloud> Though, won't that require a bunch of the network to upgrade first?
12:59 < petertodd> again, no, because of double-spend notifications
12:59 < petertodd> basically you tell miners that you'll broadcast low-fee double-spends, and every time one gets mined, you'll increase the fee
13:00 < michagogo|cloud> Not necessarily replace-by-fee upgraded, but relay-double-spends upgraded
13:01 < michagogo|cloud> "every time one gets mined, you'll increase the fee"?
13:02 < petertodd> See, you want to give people a strong incentive to adopt replace-by-fee, but you also want them to adopt it in such a way that it can be used for any transaction. So by saying "prove to me you've upgraded first" they can't just, say, only do replacement on high-fee txs.
13:02 < michagogo|cloud> Ah, I see
13:02 < michagogo|cloud> (I think?)
13:02 < petertodd> heh
13:02 < michagogo|cloud> eep, power warning
13:03 < petertodd> ?
13:03  * michagogo|cloud goes to find power adaptor
13:03 < petertodd> ah
13:03  * michagogo|cloud is back
13:04 < michagogo|cloud> Well, what's to stop them from just detecting your transactions and mining them?
13:04 < petertodd> Do your double-spends while gambling on satoshidice.
13:05 < maaku> adam3us: atomic swap in freimarkets is in the transaction format, not a hashlock or related
13:06 < maaku> basically we allow hierarchical sub-transactions which themselves don't have to balance, so long as the entire transaction does (outputs < inputs for each asset)
13:07 < maaku> but yeah that's completely unrelated to chaum cash
13:13 < adam3us> maaku: ok, i took it it was still a scriptsig of some form with reference to a merkle root and a timestamp server
13:13 < maaku> for multi-server trade, yes
13:13 < maaku> at least that's one of many options
13:14 < maaku> you can have multiple private servers conditionally accept a transaction based on a timestamp oracle or the state of the public (Freicoin) chain
13:14 < maaku> in a two-phase commit architecture
13:15 < maaku> but within a single server/chain, ripple-like exchange or transitive payments are done by composing pre-signed orders together
13:16 < maaku> if chaumian cash requires a separate online redemption step, then it doesn't work for this
13:16 < maaku> i still need to wrap my head around credential-chaum to see if it is compatible
13:31 < adam3us> see i think the online aspect is just an artefact of the way they chose to use it, because they did not have a certificate, just a signature, it can be easily stolen once disclosed to anyone, so the model was the recipient immediately deposits it
13:32 < adam3us> maaku: you can as easily have the blind signature be of a signature public key, then you can prove things with it, attach it to a script sig etc.
19:25 < jcrubino> so if I send a payment from a reusable address to another reusable address does zerocoin still have a use or case?
19:25 < gmaxwell> ugh yea, I really have mixed feelings on the whole feature.
19:25 < sipa> they are not a solution for everything
19:25 < gmaxwell> adam3us: it's neither SPV compatible nor incompatible.
19:26 < sipa> jcrubino: bitcoin doesn't provide anonymity
19:26 < sipa> even with reusable addresses
19:26 < adam3us> gmaxwell: well an spv client doesnt know what to put in its bloom filter absent another channel then shall we say
19:26 < maaku> adam3us: you'd use prefix filters for SPV
19:26 < gmaxwell> adam3us: well it can be specced with the bloombait idea.
19:27 < adam3us> maaku: yeah same thing i guess (my terminology was bloom bait, petertodd prefix) but that has privacy problems
19:27 < gmaxwell> then you can pick your anonymity set tradeoff. But its an extra thing that has to be 'decided' which is lame.
19:27 < maaku> adam3us: well bloom filters in general have privacy problems...
19:27 < adam3us> gmaxwell: its worse than bloom i think with its apparently small anon-set.  because its public to all and the statistical analysts will latch on to it
19:28 < gmaxwell> yea, it's worse than bloom, we don't have anything like bloom for it which is as secure in the semi-honest node model.
19:28 < adam3us> maaku: and use it multiple times in your potential graph to narrow in on you. privacy leak stats is cumulative
19:28 < gmaxwell> In bloom you're completely private unless you connect to unfriendly nodes (well ignoring that our links aren't encrypted). So thats not terrible _casual_ privacy.
19:29 < gmaxwell> it's not privacy against powerful forces but its not half bad.
19:29 < adam3us> gmaxwell: yup and prefix is like permanent global record with cumulative privacy loss effect on stats.  as if we didnt have enuf stats build up problems.
19:32 <@gmaxwell> so an improvement would be to make the bait hmac(tx_nonce,secret)[n-bits]  then you have to hand over a secret to the party you wish to scan for you... but it's not unforgeable like handing over the agreement key.
19:32 < adam3us> gmaxwell: hmm bit of lateral thinking.  giving up on getting much from the reusable address.  but other than a bloom bait, what about some kind of randomized fingerprint, that you can illuminate different parts of in a bloom like way with help of the assisting node.  created by the sender based  on the reusable key
19:33 < gmaxwell> e.g. I could just pick any collection of transactions on the network and search for a secret that makes them part of the same group.
19:34 < gmaxwell> so someone who says "I ran a SPV node and found out adam3us's secret is and thus these transactions are his" can be challenged with "no way, these transactions are three different other people with these other secrets"
19:34 < adam3us> gmaxwell: yes maybe a public key version of that
19:34 < gmaxwell> the fact that its not public key is what makes it forgeable. :)
19:34 < adam3us> gmaxwell: so long as its a fuzzy match...
19:34 < gmaxwell> basically there exists some secret such that any selection of baits are related, but finding it takes work related to how specific you want to make the matching.
19:35 < gmaxwell> yea, thats why I said n-bits. it has to be small enough that searching for forgeries is easy.
19:35 < adam3us> gmaxwell: maybe could allow different query for same data somehow
19:35 < adam3us> gmaxwell: yeah i got that
19:36 < adam3us> gmaxwell: also in the hmac how do u get the key to the sender...
19:36 < gmaxwell> dunno maybe there is a way of constructing it with a linear code so that the match is always fuzzy but your real transactions will always have a hamming distance < x.  and then you ask for all <x solutions.
19:37 < gmaxwell> adam3us: you put it in the address.
19:37 < adam3us> gmaxwell: yes but then its not a secret, so ah ok its better than a prefix however got you.
19:38 < gmaxwell> yea its just a secret keyed prefix, with a deniable secret, unlike using the derivation keys for scanning since they aren't deniable.
19:38 < adam3us> gmaxwell: already an improvement on prefix, and Jeremy's about to like write an RFC level of "awesomely done"
19:39 < gmaxwell> down side is that someone scanning for you can't precompute anything to index it... prefixes have that nice property.
19:39 < adam3us> gmaxwell: so the other feature we'd like is precomputation
19:39 < adam3us> gmaxwell: yes
19:41 < adam3us> gmaxwell: ok i am gonna sleep on it (literally, getting late) interesting problem, with quite useful implications if it can be cracked (I mean I share Jeremy's interest, just not his conclusion about it being solved yet!)
19:42 < gmaxwell> well so, H(nonce) and then split into 16  16 bit parts.   pick a part at random, and compute part^secret_bait = prefix  and put the prefix in the transaction.
19:42 < gmaxwell> When you ask someone untrusted to scan for you you give them a set of secret baits you're interested in, including a number of bogus ones you really don't care about.
19:43 < gmaxwell> and they return any transaction where any one of the part^prefix = one of your baits.
19:43 < gmaxwell> e.g. someone doing stats doesn't know which of the token the part is xored with.
19:43 < gmaxwell> obviously some parameter scaling needs to happen to make it sensible, I picked random numbers.
19:44 < gmaxwell> hm. they should probably be 8 bit. in any case, there you go.
19:45 < adam3us> gmaxwell: not bad i think
19:47 < gmaxwell> in any case, this is a member of an infinite space of related schemes based on locally decodable error correcting codes. Effectively this is a fountain code, effectively, the transaction picks a random high dimensional vector space, and when combined with the prefix the result is a codeword in that space which is always within a certain proximity of your secret bait... and there is a cheap test of proximity.
19:48 < adam3us> gmaxwell: is that precomputably indexable?
19:48 < gmaxwell> it's still vulnerable to statistical analysis, in that you can keep intersecting things if you have a prior that they're related until you recover the bait.
19:48 < gmaxwell> adam3us: yea with overhead, e.g. you'd put every transaction in N indexes.
19:49 < gmaxwell> N picked based on how big the vector space is that you're embedding in.. More dimensions means more area covered by a given radius.
19:50 < gmaxwell> e.g. for my 16/32 example you'd be putting each transaction in the index 16 times. But thats okay, I mean, bloom filtering also pulls multiple keys from a transaction.
19:50 < adam3us> gmaxwell: my public key comment was that then it would not be bait recoverable.
19:51 < adam3us> gmaxwell: yes.  it seems reasonably good.  definitely a couple of increments better than prefix
20:33 < phantomcircuit> that reminds me
20:33 < phantomcircuit> nvm
22:05 < andytoshi> michagogo|cloud: i have refreshed the windows build, the only change is that it saves the rpcport= setting in cjclient.conf, before that would get overwritten
22:06 < andytoshi> michagogo|cloud: but i've got the testnet server working properly, it was just permission issues because i git clone'd the mainnet joiner over on my own unix account :P
23:25 < EasyAt> Where is the correct channel to ask about sybil attack mitigation in a decentralized WoT?
23:33 < amiller> EasyAt, maybe you want #bitcoin-wot
23:34 < amiller> but i'd like to hear about it here too
23:43 < EasyAt> amiller: One second, I'd like to state this concisely
--- Log closed Thu Jan 16 00:00:49 2014
--- Log opened Thu Jan 16 00:00:49 2014
00:14 < amiller> gmaxwell, i'm finally starting to realize you're right about snarks
00:14 < amiller> that so far they all require an obnoxious trusted setup
00:18 < maaku> amiller: but it's okay if you trust yourself, right?
00:18 < amiller> no not really
00:18 < gmaxwell> amiller: ones that don't are certainly possible (PCP theorem + fiat shamir shows its possible) though they would not be as compact as the GGPR ones, which are just ludicrously compact.
00:19 < amiller> if i wanted to show someone that the bitcoin community has already been pointing this out, would you recommend a forum post of yours?
00:19 < gmaxwell> maaku: if you don't care about public verifiability then you can use like an interactive protocol. I'm pretty sure that GGPR is still ZK if the CRS was maliciously generated.
00:20 < amiller> i've sort of not noticed it despite mouthing off about how cool my nonoutsourceable puzzle is based on snark
00:20 < amiller> it's more immediately relevant to zerocoin though
00:20 < amiller> i mean, they're aware of it too
00:20 < maaku> gmaxwell, I mean hypothetically if the scriptPubKey were the hash of the SNARK verifying key, and the scriptSig were the verifying key and proof (p2sh replacement)
00:21 < gmaxwell> amiller: http://www.reddit.com/r/ZeroCoin/comments/1uy35p/matthew_green_to_speak_about_new_zerocoin_version/ceo17ut
00:21 < amiller> maaku, creating a SNARK verify key requires someone to have some secrets they are trusted to delete
00:21 < gmaxwell> amiller: A GGPR-12 SNARK.
00:21 < maaku> amiller: yes, see ^^
00:21 < amiller> yes i just got back from that and chatted with him and his student about this
00:21 < maaku> amiller: if that snark is created by you and only used by you, why is it a problem if you have the trapdoor?
00:21 < gmaxwell> amiller: Eli supposedly is also working on a Linear PCP based on some fiat-shamir transform of a locally testable code, but none of the recent papers are about this.
00:22 < amiller> maaku, if that's the case sure, that's just a much different use case than what i have in mind (or what zerocoin/cash has in mind)
00:22 < gmaxwell> maaku: for _some_ applications it might not matter, for some it would.
00:45 < gmaxwell> That would largely remove the concern that CA's were secretly issuing certs that they ought not be issuing.
00:47 < gmaxwell> BlueMatt: well it's less horrifying than you might think it is: right now _many_ CAs will give a cert to anyone who can drop a file at http://domain/some_random_filename.txt  (note: http not https) so DNS control == cert already, but historically that took ~24 hours.
00:47 < gmaxwell> the cloudflare thing means you can do it in minutes.
00:47 < gmaxwell> so, e.g. you can do it to a running site and not be noticed.
00:48 < gmaxwell> in any case, we don't know for sure if a cert was ever issued for bitcointalk.org, because, of course, no normal browser logs the damn fingerprints.
00:48 < BlueMatt> well, ok, yes, but that doesnt mean its any less horrifying
00:49 < gmaxwell> and we can't tell except by asking the CA that cloudflare partners with.
00:51 < phantomcircuit> gmaxwell, a nice blog post about that would be hilarious
00:52 < gmaxwell> phantomcircuit: well I'm going to try to get Theymos to ask Chrome and Firefox to pin the bitcointalk.org CA.  Which will be hilarious. "Yea, sure, we're a small site, but we've actually been abused this way; something you can't say for many other things that are pinned"
00:52 < phantomcircuit> lol
00:52 < phantomcircuit> Login temporarily discouraged
00:52 < phantomcircuit> lol
00:53 < gmaxwell> phantomcircuit: well the evil dns has not timed out yet, so users may not know if they're on the authentic site or not.
01:34 < midnightmagic> what does a cloudflare incoming connection appear to be to the end-server?
01:35 < phantomcircuit> midnightmagic, from cloudflare
01:36 < phantomcircuit> you can actually put in any ip address you want and cloudflare will gladly proxy requests for you
01:36 < phantomcircuit> including the freenode webchat
01:36 < phantomcircuit> so it's pretty easy to pretend to be cloudflare
01:36 < midnightmagic> name-based virtualhost for incoming cloudflare, plus catch-all?
01:37 < midnightmagic> "You are connecting via cloudflare. Please bug your ISP to update their name servers."
01:39 < phantomcircuit> midnightmagic, doing ip address -> ASN# is not trivial
01:46 < midnightmagic> phantomcircuit: ASN#?
01:47 < phantomcircuit> midnightmagic, basically like ISP number
01:51 < midnightmagic> Ah, that ASN. As in used in BGP routing..
01:51 < midnightmagic> I see. You're implying there are unpredictable IP addresses coming in from cloudflare.
05:44 < TD> gmaxwell: http://www.certificate-transparency.org/
05:45 < TD> gmaxwell: i think i mentioned that in my payment protocol FAQ. forcing CA's to publish certs they make is on the long term roadmap and is very likely to happen, it's funded, CA's are getting on board with it, it'll be in Chrome, etc
05:45 < TD> anyway, i fail to see what cloudflare has to do with this. if you lose control of DNS it's game over. it was ever thus and it's hard to see how else it could be.
05:46 < TD> your domain name IS your identity, that's why companies like Google use companies like MarkMonitor to defend their DNS registrations.
05:46 < TD> phantomcircuit: it's not that hard if you have the data set, it's only a few megabytes. i've implemented IP to ASN mapping code a few times. the dataset can be obtained from a looking glass (or if you're big enough to have your own routers with BGP sessions, just downloaded directly from that)
05:53 < TD> gmaxwell: also if you look at the chrome pinning list, it's got all kinds of tiny sites in, even peoples blogs and stuff. AGL runs the list, he is very much an old school cypherpunk type, I doubt  we'd have any problem getting on the list
05:53 < TD> gmaxwell: but HSTS would be a pre-requisite, i think
05:56 < midnightmagic> TD: can any old joe-blow still grab a copy of the global routing table?
05:58 < TD> it's not exactly a secret. i'm sure you can find copies somewhere. if you want to do one-off queries that's easy, lots of ISPs run looking glass servers. they don't usually allow a full download though
05:58 < TD> the registrations (as opposed to what's actually being announced) are also available from IANA and other places if you ask nicely. you have to fill out a form and convince them you're not a spammer, basically
05:59 < midnightmagic> I seem to recall there was a way you could just randomly register an ASN as yourself and piggyback off the backbone types..
05:59 < TD> e.g. http://lg.level3.net/bgp/lg_bgp_main.php
06:01 < midnightmagic> The above.net crazies used to be pretty solicitous when they discovered you knew what BGP was.
06:01 < warren> TD: bitcointalk added HSTS today
06:02 < midnightmagic> well. how about that. above.net is gone as of last year and I didn't know it.
06:02 < TD> warren: good
06:02 < warren> i don't know if he did it correctly
06:02 < TD> warren: i hope they also get a better registrar .... and we should consider moving bitcoin.org as well. iirc it's with the same guys
06:03 < TD> midnightmagic: full downloads available here: http://www.ripe.net/data-tools/stats/ris/ris-raw-data
06:04 < midnightmagic> TD: ah nice, thanks man.
06:05 < warren> TD: I think they are moving to another registrar
06:05 < TD> warren: it looks correct to me
06:05 < warren> TD: what does he need to do to get chrome pinning?
06:05 < TD> warren: however it would not help in this case. HSTS simply says "SSL must be used and it must not be self signed". In this case SSL was used but it was being provided by a MITM. there's really no magic fix for losing control over DNS. never ever let that happen
06:06 < warren> TD: pinning would help though
06:08 < TD> yes
06:08 < TD> the process for pinning is basically, file a bug in the chromium bug tracker and ensure agl sees it, as far as I understand
06:09 < warren> TD: can you help after the bug is filed?
06:09 < warren> TD: is it a pain to get unpinned, to update the cert later?
06:10 < TD> or just email agl@chromium.org
06:10 < TD> you pin the public key hash
06:10 < TD> so the cert can change but the key cannot
06:10 < warren> ooh
06:11 < TD> if the key is compromised, then i guess you have to ask agl for another update. given how often bitcointalk has got hacked, i'm not sure he'd be thrilled by this idea - the fact that it still runs on an obsolete closed source copy of SMF is kind of embarrassing.  but theymos could ask.
06:11 < TD> http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
06:11 < TD> btw bitcointalk should probably also be forcing subdomains, even though they aren't used today.
06:11 < TD> in future he might want to change that
06:11 < warren> TD: I personally secured the new server
06:11 < TD> http://dev.chromium.org/sts
06:12 < TD> that's good to hear
06:12 < warren> TD: I couldn't guard against their registrar getting hacked though
06:12 < TD> unfortunately, i tend to assume anything written in PHP is automatically riddled with basic security holes. except maybe facebook.
06:12 < warren> TD: I crafted the new server to assume the PHP still has backdoors ...
06:12 < TD> well the bar is always being raised. there are special registrars that have better security policies. obviously the anonymousspeech one isn't such a company
06:12 < TD> yeah. that's the best way.
06:12 < warren> no outgoing connections, no connect to local sockets
06:13 < warren> no writing to filesystem
06:13 < TD> cool
06:13 < warren> well, the forum has disabled features now
06:13 < TD> yeah. i saw i can't change the profile picture anymore
06:13 < warren> but it isn't hacked now, AFAIK
06:15 < TD> is it hosted on a dedicated machine ?
06:20 < warren> TD: on digitalocean of course =)
06:20 < TD> a VPS provider?
06:21 < fagmuffinz_> digital ocean is the shit
07:08 < fagmuffinz_> I've gotta say getting chef and capistrano to play nicely on Windows has been a royal pain in the ass
11:56 < gmaxwell> td: the only real difference the cloudflare part makes is that it makes it much faster. I tried simulating the attack previously but it was harder to do secretly because I had to proxy the site for almost 30 hours... and I also had to have another host to proxy it on, etc.  with the cloudflare its made somewhat easier to do without being noticed (though they seem to have failed), because someone's providing the proxy for you and you ...
11:56 < gmaxwell> ... don't have as long a window you need to run it on. OTOH, you don't get a copy of the certificate yourself.
14:00 < phantomcircuit> gmaxwell, try it again with startssl they issue certs within a few minutes during israeli business hours
15:12 < nsh> so i had another look at the work of Eli Ben-Sasson, et al., which seems to have progressed a little since his talk at the bitcoin conference on Succinct Computational Integrity and Privacy. does anyone know if any efforts are underway to do some proof-of-concept for short verification of proofs of blockchain integrity for e.g. SPV clients?
15:12 < nsh> [..]  this paper seems to have enough skeleton for a scaled-down PoC: http://eprint.iacr.org/2013/507.pdf
15:13 < nsh> i think the circuit-building part of the key-generation is RAM-limited atm, so it might be (more) tractable to try with smaller chainstate distances
15:14 < nsh> (~1000 constraints per cycle iirc)
15:15 < gmaxwell> nsh: there are some annoying performance issues, e.g. sha256 implemented in tinyram is about 100x more gates than a straightforward circuit compiler version of it. Though I suppose that wouldn't get in the way of a test too much.
15:15  * nsh nods
15:16 < nsh> i suspect there is still room for optimizations though. i haven't managed to see how the circuits look in practice yet
15:16 < nsh> the stated performance of tinyRAM is pretty impressive (
15:17 < nsh> ~3-5x slowdown relative to x86
16:34 < jtimon> sorry, was pay-to-contract http://www.youtube.com/watch?v=qwyALGlG33Q
16:37 < sipa> adam3us: we should start by stopping to call them "addresses" and call them "key identifiers" instead
16:37 < gmaxwell> we're mostly failing to communicate to the public that these address things should be single use.  Joe bitcoin user has no idea of this.
16:37 < sipa> a key identifier can be used as an address if someone wants to receive a payment on it
16:37 < gmaxwell> Even the way bitcoin-qt (in release versions) works basically encourages reuse.
16:38 < maaku> sipa: that's a great idea. i'm going to start doing that
16:38 < sipa> indeed
16:38 < jrmithdobbs> gmaxwell: it's not exactly for a lack of trying, everyone just says "whatever" when it's explained to them and ignore it anyways
16:38 < jtimon> on the previous conversation, what was wrong with snark per hop hidden payments?
16:38 < gmaxwell> (git improves this a fair bit)
16:39 < sipa> most have never been confronted with this idea at all
16:39 < jtimon> what was impeding the prunning if you snark every hop?
16:39 < gmaxwell> jrmithdobbs: it is for lack of trying.
16:39 < sipa> people think bitcoin sends money between addresses
16:39 < gmaxwell> jtimon: pruning is incompatible with privacy.
16:39 < sipa> (and on some level, it does, unfortunately)
16:39 < gmaxwell> At least git bitcoin-qt is better about not encouraging reuse.
16:40 < gmaxwell> although it does have a checkbox "Reuse an existing receiving address (not recommended)"
16:40 < sipa> i should try qt again
16:40 < gmaxwell> maybe we should change that word existing to something like "stale" :P
16:40 < maaku> gmaxwell: well, it has an address book
16:41 < gmaxwell> maaku: no, not unless you check the reuse thing.
16:41 < jtimon> gmaxwell, I see, H(c) will always be there to prevent double-spend if you snark redemption
16:41 < maaku> well, I mean the very concept of an address book (absent payment protocol or hd wallets) is suspect
16:41 < adam3us> gmaxwell: "pruning is incompatible with privacy." well as above i think its more privacy than current by a large amount
16:41 < gmaxwell> jtimon: unless you make H(c) public while SNARKing but then you are traceable.
16:42 < amiller> can anyone think of a way of estimating the distribution of mining resources among distinct individuals
16:42 < amiller> we really have no idea about that do we?
16:42 < gmaxwell> adam3us: by mining do you mean hashing?
16:42 < jtimon> gmaxwell, yes, understood, you can't have the cake and eat it too
16:42 < amiller> or how many gpus are out there mining as opposed to asics
16:42 < gmaxwell> amiller: there should be ~0 gpus now.
16:42 < maaku> amiller: politely ask the major mining pools for access to their logs
16:43 < amiller> if i already bought the gpus and i can't sell them, it's unlikely that there's anything to be gained by turning them off
16:43 < amiller> power is relatively cheap
16:43 < gmaxwell> amiller: 0_o
16:43 < adam3us> jtimon: the privacy leak is small compared to current syst
16:43 < amiller> or do you mean you can't even make profit vs the power consumption
16:43 < gmaxwell> amiller: correct.
16:43 < maaku> amiller: they should be very unprofitable by now
16:43 < gmaxwell> amiller: the whole network prior to the introduction of asics was about 20TH/s (and that included a lot of FPGAs), the current network is around 4000 TH/s.
16:44 < adam3us> jtimon: it would be a big net improvement - no value revealed, no addresses linkable.  yes people shouldn't link addresses.  but coin control fails.  and even if coin control was optimal there would still be linking
16:44 < jtimon> adam3us yes and it's after republishing, so it makes your example legal attack much harder
16:44 < gmaxwell> so that should give you some kind of upper bound on how many gpus could be in use. ... combined with gpus being power breakeven only if your power costs ....
16:44 < adam3us> jtimon: with scip you never need to republish, the miner just validates it in hidden form with the scip
16:45 < maaku> amiller: actually you might be able to extract an order of magnitude estimate from the drop in hash following diff adjustment, and corresponding rises in litecoin
16:45 < gmaxwell> $0.028/kwh or lower.
16:45 < gmaxwell> (at $350 exchange rate)
16:46 < jtimon> adam3us: but republishing allows pruning and there's some agents that need transparency (say, nonprofits)
16:47 < adam3us> jtimon: but anyone can validate the scip and see the input is spent, and so the miners can attest to that
16:48 < adam3us> jtimon: it's easy to create transparency, publish the hiding sym key
16:49 < jtimon> adam3us if the snark indicates what previous transaction can be pruned, how is this non-traceable?
16:49 < adam3us> gmaxwell: i am starting to feel i will be facing similar break even by the time BFL delivers my april ordered 5GHs never mind my feb 2014 600GH
16:50 < adam3us> jtimon: it does make a graph, but the graph is between opaque blobs
16:50 < gmaxwell> adam3us: You have my condolences for your purchase with BFL. :P
16:51 < phantomcircuit> adam3us, it depends entirely on the rate at which the network continues to grow
16:51 < phantomcircuit> which is to say
16:51 < adam3us> gmaxwell: it was more for amusement and hopefully recoup money than expectation of profit. to lose money might be a bit annoying, never mind, i'll just run it as my contrib to mining decentralization -
16:51 < phantomcircuit> largely luck
16:51 < amiller> expected income per hash: 3.64e-15 dollars per hash;  expected power cost per hash, assuming 6 cents per kwh and the most efficient GPU: 8.33e-15
16:51 < jtimon> adam3us my march ordered jalapeno is on the customs (border) right now, I will pay the taxes but I highly doubt I will break even
16:52 < gavinandresen> mining is a zero-sum game; you should try to play positive-sum games, the rewards are better and are potentially unlimited
16:52 < adam3us> jtimon: what's jalapeno, 5GH? or previous
16:52 < maaku> adam3us: if there's a graph, it's traceable, right?
16:52 < phantomcircuit> gavinandresen, a better way is to describe it as a perfect market
16:52 < maaku> gavinandresen: ain't that the truth
16:52 < adam3us> maaku: not exactly; it acts like a perfect coin control which is impossible otherwise
16:52 < gavinandresen> "perfect" is the enemy of
16:52 < jtimon> adam3us 4.5GH + 2 iirc
16:52 < warren> phantomcircuit: BFL sure is perfect. =)
16:52 < phantomcircuit> although actually i guess that's not true anymore since the barrier to entry isn't insignificant anymore
16:53 < phantomcircuit> gavinandresen, heh
16:53 < gavinandresen> I did make a tidy bitcoin profit flipping my ordered-first-day jalapeno
16:53 < maaku> adam3us: that seems like a total non-sequitur. i'm not sure what you mean
16:53 < gavinandresen> but my lesson learned was "don't mine"
16:53 < gmaxwell> phantomcircuit: it was never all that perfect when anyone cared. ... even in 2011, all ATI cards everywhere sold out.
16:53 < jtimon> adam3us a graph that comes back to the first public transaction, you can't divide amounts on hidden tx can you?
16:53 < adam3us> maaku: if you do as current and say well there's coin control etc people should only use addresses once, that doesn't work in reality
16:54 < sipa> gavinandresen: flipping?
16:54 < gmaxwell> adam3us: there isn't coin control.
16:54 < maaku> adam3us: what i'm saying is you can trace the final output back to the original input(s), even if you don't know what happened inbetween, right?
16:54 < adam3us> jtimon: i think the implication is the recipient learns an "argument of knowledge" of the value that he has, and enough to prove it onwards with reference to his own coin
16:54 < gavinandresen> sipa:  selling something soon after you bought it== flipping
16:54 < gavinandresen> (selling for a profit)
16:54 < sipa> thanks
16:55 < amiller> gavinandresen, "zero-sum game" more expected-utility dogmatism :p
16:55 < adam3us> jtimon: without scip yes you can divide and all the normal things; with scip i would think so too
16:57 < adam3us> maaku: with scip you would do per hop validation, and that is transitive so all transactions are visible in a big fat graph, however you don't know the addresses/identities/amounts
16:57 < jtimon> adam3us with snark and divisions it must be traceable
16:58 < jtimon> hmmh, yeah, I guess you could hide the amounts
16:58 < adam3us> jtimon: yes i think you are right, though the amounts would be hidden
16:58 < gmaxwell> adam3us: I can't see bitcoin doing a soft forking change (which are inherently risky!) and add costly crypto to achieve something that today people can already do.
17:01 < jtimon> maaku I think this would be better than in-chain chaumian cash
17:02 < maaku> jtimon: it'd be crazy expensive
17:02 < maaku> snark is not cheap to use
17:03 < maaku> hrm I think MMR + Chaum was a red herring, but what about this:
17:04 < maaku> store zerocoin serial number in a composable auth tree, and require a proof-path within the spend
17:04 < jtimon> wait, link to MMR? I still don't know what that is
17:04 < maaku> then validation storage requirements are just 256 bits per mint series, and proofs grow log2
17:05 < adam3us> heh i just had paypal cold call me to ask about butterfly
17:05 < adam3us> reckon they got a mountain of disputes and considering cutting off bfl as a bad paypal user
17:07 < maaku> jtimon: https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
17:07 < adam3us> gmaxwell: "something that today people can already do" isn't hidden tx + scip per hop hiding something new?
17:09 < gmaxwell> adam3us: people can already use a fresh address and then only have blob linkages.
17:09 < maaku> address != identity
17:10 < jtimon> but they can't hide amounts
17:10 < jtimon> that would be new
20:01 < CodeShark> you provide them with a partially signed transaction
20:01 < CodeShark> now, to invalidate that transaction the way gmaxwell was talking about, you'd also have to incorporate another simple output that only you can redeem
20:02 < CodeShark> so now we need to mix the 2-of-3 policy account with another personal account
20:02 < CodeShark> just to allow us to pull the trigger on it
20:02 < CodeShark> the usability becomes horrendous
20:03 < CodeShark> an expiration time would be a very simple solution to this particular problem
20:03 < sipa> but a very significant change to force onto every wallet on earth...
20:03 < CodeShark> ?
20:03 < gmaxwell> not just every wallet, but the whole incentive structure of bitcoin
20:03 < CodeShark> you can refuse to accept payments that expire soon
20:04 < gmaxwell> since now you need to think about miners being bribed to reorg or being unwilling to reorg to change to an honest chain because of txn that can't be included.
20:04 < gmaxwell> CodeShark: only if you can determine when the entire (perhaps exponentially sized) history's earliest expiration is.
20:05 < CodeShark> these are healthy concerns - this is why I like to talk to you guys :)
20:06 < sipa> we've heard these suggestion many times already :p
20:06 < CodeShark> however, in a real practical sense right now, one way or another I need a solution - and I don't think deliberately "double-spending" extra outputs is a very clean one, to say the least :)
20:07 < gmaxwell> yea, it's not just applicable to your application. E.g. people have wanted things like lotteries which can read the block hash of some subsequent confirming block.
20:07 < gmaxwell> CodeShark: why don't you make your protocol such that the originator of the transaction signs last?
20:07 < CodeShark> blinding?
20:07 < CodeShark> hmm
20:07 < CodeShark> that could work
20:08 < CodeShark> yeah, I suppose it does make sense for the originator to be the one who broadcasts (or sends to recipient)
20:08 < maaku> gmaxwell: no i didn't investigate any JS solutions, but "javascript rsa" turns up some hits
20:09 < CodeShark> gmaxwell: without blinding, though, you still have a problem if the originator changes her mind
20:09 < gmaxwell> CodeShark: hm? why? they just don't sign then.
20:09 < CodeShark> but then you get the same issue in reverse
20:09 < CodeShark> now it's the person whose signature was requested that ends up in this unfinished situation
20:10 < gmaxwell> maaku: this is what I'm thinking of proposing, if you care: http://0bin.net/paste/yV7e4WCpZVHEj7nN#fi70f2LMSGO3JyrkNSeOG+ivIpfr2QirZzcNbVc2IXc=
20:10 < CodeShark> if only there were a way to ensure that the signature sharing were atomic :)
20:11 < gmaxwell> CodeShark: whats the problem with everyone except the originator pretending it didn't happen until it ends up in the blockchain?
20:12 < CodeShark> a few: they can't use those outputs without halting a transaction they want to happen, and if they pretend it didn't happen they might overspend their balance
20:12 < gmaxwell> e.g. if the funds in the account form a linked list (e.g. only a linear line of coins) then it's all atomic. Any parallel signatures are mutually exclusive.
20:13 < maaku> gmaxwell: it's a great idea
20:14 < gmaxwell> CodeShark: ISTM you're expecting bitcoin to function as a database for your application giving it SERIALIZABLE atomicity for all its data.
20:14 < gmaxwell> that's probably unrealistic in general, because there are probably non-transaction bits of data you'd eventually want to synchronize too.
20:15 < CodeShark> well, there are things like labels, but that's a separate problem for now
20:15 < gmaxwell> Instead of pretending your application is multi-master, it would be a lot simpler to make it master/signer  where all transactions are originated in one point normally (except for exceptional recovery cases)
20:15 < CodeShark> ideally I want to reduce the amount of data that needs to be sent over the block chain
20:16 < maaku> CodeShark: I'm a dissenting voice here. How is nExpireTime any different in principle than a coinbase output?
20:17 < maaku> there are very real advantages to having an nExpireTime, and other scripting extensions which invalidate txns over a reorg
20:17 < maaku> Making users wait to get the desired number of confirmations is not a big hurdle
20:17 < maaku> They should be doing that anyway
20:17 < gmaxwell> maaku: a coinbase output can't be spent in the blockchain for 100 blocks. If you wanted to have an identical limit for outputs from those txn, my objections would go away except to point out that it's really trying to cram application logic into bitcoin which might be a poor fit.
20:18 < CodeShark> ok, then how about this: set a limit on number of blocks before an nExpireTime transaction is spendable :)
20:18 < maaku> gmaxwell: I don't like the 100 block protocol rule
20:18 < gmaxwell> maaku: I'm sorry for you then.
20:18 < maaku> but i think clients / wallets should implement something similar
20:18 < CodeShark> doesn't have to be 100 blocks
20:18 < sipa> i think 100 is serious overkill, but the reason the rule exists is very real
20:19 < gmaxwell> CodeShark: I think it does need to be 100 blocks, simply because asking wallets to cope with _two_ kinds of behavior is burdensome.
20:19 < maaku> there's no problem building off a txn that can be reorg'd away, but the user interface better have big flashing red lights
20:19 < CodeShark> but require that any transaction confirmed close to the edge of nExpireTime sit on the block chain for a bit before it can be spent
20:19 < gmaxwell> meh, we've had reorg events a substantial fraction of 100.
20:19 < gmaxwell> Imagine we have another long fork event and then we _cannot_ fix it without people forever losing money. Even if there were no malicious spends. egads.
20:20 < CodeShark> the problem, as I understand it, is the potential for a long chain of dependencies from an edge transaction
20:20 < CodeShark> that seems to be the main concern, right?
20:20 < CodeShark> so we can alleviate that concern by taking similar measures as we do for coinbase transactions
20:20 < gmaxwell> maaku: you even have to be able to detect it. a SPV client can't tell how deep the newest expiring input is from some chained coin.
20:21 < maaku> CodeShark: well you'll get to play with this in any case. Freimarkets has an nExpireTime and other reorg-sensitive constructions
20:21 < gmaxwell> maaku: sadly none of that matters unless the system gets serious usage you'll never learn the folly of your ways.
20:21 < gmaxwell> :P
20:21 < CodeShark> if you have an nExpireTime transaction that confirms 100 blocks before expiration, no problem. but if it confirms one block before expiration, it should not be spendable for a few blocks :)
20:21 < maaku> gmaxwell: it could if you had utxo proofs with embedded heights
20:22 < phantomcircuit> zomg yes pizza
20:22 < maaku> (which is one reason why my proposal keeps the height field even though it is not strictly needed)
20:22 < gmaxwell> exponentially in size, since you have to trace the whole history.. having one height isn't good enough.
20:23 < gmaxwell> I guess you could track for every output a shortest-reorg-that-can-kill-it?
20:24 < gmaxwell> e.g. max(height)
20:24 < CodeShark> yeah
20:25 < sipa> bleh
20:25 < maaku> gmaxwell: I honestly don't think the risk is high enough to warrant doing that calculation
20:25 < maaku> which is not easy to do in general beyond the nExpireTime case
20:26 < CodeShark> I tend to concur, maaku
20:26 < gmaxwell> maaku: We've had long >20 block reorgs in bitcoin, where thousands of transactions would have been irreparably invalidated if there were just one or a few unreorgable coins.
20:27 < gmaxwell> I think you guys are nuts, it's not even a theoretical problem. We've had at least three events where what you would have proposed would _probably_ have caused severe monetary loss if it were widely used.
20:27 < CodeShark> the risk could be mitigated
20:27 < CodeShark> I'm not saying "pretend the risk doesn't exist"
20:27 < gmaxwell> and with expirations near the tip, we could be exposed on each and every block.
20:27 < gmaxwell> coins with the risk are not fully fungible with coins without the risk.
20:28 < maaku> gmaxwell: how is that any different than someone watching a major fork in progress, and doing a double-spend?
20:28 < CodeShark> so you simply don't allow spending of those coins for a while
20:28 < maaku> (as actually did happen back in March)
20:28 < maaku> from the perspective of someone building off the transaction, that is
20:28 < gmaxwell> Because it requires someone to actually be malicious, this doesn't.
20:29 < gmaxwell> CodeShark: if _you_ are defining the "a while" then you have an exponential complexity check of the history to make sure an earlier spender didn't use a more lax definition of 'a while'.
20:29 < gmaxwell> making it a rule as we do for coinbases makes it instantly SPV compatible.
20:29 < CodeShark> yes
20:30 < CodeShark> the "while" could be a predetermined, fixed amount
20:30 < gmaxwell> well, then we have such a number already, it's 100.
20:30 < gmaxwell> :P
20:30 < maaku> gmaxwell: there's a very easy way to make it SPV compatible: wait N blocks before taking action based on the txn
20:30 < maaku> you seem to want a user to absolutely trust a txn as soon as it has 1 confirm
20:31 < CodeShark> maaku: the problem is if there's a chain
20:31 < gmaxwell> maaku: egaha. The problem there is that you don't know if a transaction had an inherently risky past in a SPV compatible manner.
20:31 < gmaxwell> E.g. I want to wait 100 for coinbases, 6 for normal payments.  if coinbases were technically spendable at 1, then a spv node couldn't tell your txn was dependent on a coinbase 3 blocks ago.
09:01 < petertodd> Yeah, see here, the miner doesn't need to know anything about what coins the transaction spent, just that some scriptSig satisfied some scriptPubKey
09:01 < adam3us> petertodd: maybe there would be a way to have additional non-identifying info with the previous tx out, which can allow the miner to discard forgeries without having him be able to censor transactions
09:01 < petertodd> OK, so, remember what I said about transactions being two merkle trees?
09:02 < adam3us> petertodd: well a problem can be the scriptPubkey is recognizable to the previous spender in the chain, who could collude with the miner to block the tx
09:02 < petertodd> See, if you have a txout in this scheme, there's no way to know what the rest of the transaction was, even though the txout irrevocably commits to it.
09:03 < adam3us> petertodd: though maybe committed tx itself has problems with that scenario .. its not censor resistant just leaves decisions up to consenting users
09:03 < adam3us> petertodd: yes
09:03 < petertodd> You can also construct your transaction tree to commit to a nonce in the middle, and then reveal the nonce to others to prove to them the txout is actually linked to the txins, rather than just some data you bizarrely want to publish.
09:04 < petertodd> So yeah, I think this scheme does have the unlinkability that you want.
09:05 < adam3us> petertodd: well i think there is a dependency on the hash of public key being deterministic (precluding nonce) and meaning the previous spender if upset can try to get your onwards tx blocked
09:06 < petertodd> ?
09:06 < adam3us> petertodd: if the public key hash is allowed to have a random element (nonce) you can't prove to other people this key is not spent
09:06 < petertodd> So, a transaction output contains the following: (scriptPubKey, merkle-root), that's it
09:07 < adam3us> petertodd: actually H(scriptpubkey)
09:07 < petertodd> right, that's possible, but not required
09:07 < petertodd> remember that the txout id, is H(scriptPubKey, merkle-root)
09:07 < adam3us> petertodd: yeah depends if you're aiming for committed tx uncensorability or not
09:08 < adam3us> petertodd: yes but it is unprovable if that is spent or not in committed form i think
09:08 < petertodd> Ah, ok, so, lets ask what is being committed?
09:09 < adam3us> petertodd: what i had to do is commit the tx and commit the pub key as well
09:09 < petertodd> So here you're not committing to transactions, you're committing to things that spend transactions.
09:09 < petertodd> *that spend transaction outputs
09:09 < adam3us> petertodd: and the double-spend protection came from checking no one made a sig or spend with a key that hashes to that pub key commit
09:10 < adam3us> petertodd: yes well both as a pair: a pair of commitments
09:10 < petertodd> Right, this is kinda like that.
09:10 < petertodd> So, going back to that radix tree, the default state is that a valid scriptSig has never been presented for H(txout) right?
09:11 < adam3us> petertodd: yes so without giving the miner more info or visibility, i think you have to use h(scriptpub) as a second commit, and therefore the person who gave you that input if upset can try to get your onwards spend blocked
09:11 < petertodd> Well, when you show that scriptSig, what you also commit to is the rest of the transaction, but you only need to commit to H(tx) of course.
09:11 < adam3us> petertodd: right
09:12 < petertodd> So basically, in Bitcoin a block commits to a list of transactions. Here we commit to a list of spends of transaction outputs, and the transactions themselves are committed to by the spends!
09:12 < adam3us> petertodd: something like that
09:12 < adam3us> petertodd: so how much does it help, what new unentangled things have we been able to optimize by this
09:13 < petertodd> This also means you don't give someone money by committing a transaction to the blockchain, rather, you give someone money by committing to one or more spends of a previous transaction, and then giving them that transaction!
09:14 < petertodd> Ok, so, the big deal re: unentanglement: because mining isn't about validating whole transactions, just individual spends of transaction outputs, to mine some part of that txout space you don't need any adjacent data at all.
09:15 < petertodd> This is a huge win, because that lets you mine only a small part of that txout space, and you only need the bandwidth associated with that small part.
09:15 < petertodd> So, basically you need to keep up to date with that part, keep your part of the big radix tree up to date, but no more than that.
09:17 < petertodd> For users, when they receive funds, they are getting proof that some amount of hashing power was mining various parts of the blockchain history and that hashing power all considered there to have never been a conflicting spend.
09:17 < adam3us> petertodd: that sounds a pretty big potential win; i wonder if that fragments hashcash security though?
09:17 < petertodd> They can prove it to themselves by getting a complete copy of that small part of blockchain data.
09:17 < adam3us> petertodd: or i suppose full nodes hash as you said everything else from the last merkle roots they saw also
09:18 < petertodd> I don't think so: the security is about resistance to changing history, what the history itself actually is is irrelevant, because you're supposed to validate that yourself.
09:19 < adam3us> petertodd: one other unstated in the above list of what is bitcoin mining doing: its making a very compact proof of work: one valid one per 10mins (after orphan pruning) anything more distributed will tend to create multiple small proofs to store, not that they are very big .. a proof is probably < 64-bits
09:20 < petertodd> Right, I haven't talked yet about what exactly is going on re: the PoW.
09:20 < adam3us> petertodd: yes but bitcoin single chain model presents a one-true-history path for validation that rejects orphans
09:20 < petertodd> So does this model, it's just that the history doesn't need to be "true" :P
09:21 < adam3us> petertodd: i think you could have a thicket where each proof of work hashes as inputs all non-conflicting proof tops
09:21 < adam3us> petertodd: i figured out i think that should actually work in the past, but i was thinking meh that's going to be less space efficient; but maybe actually its not so bad
09:22 < adam3us> petertodd: its a fun fact yes; we don't care what history is, just that it doesn't change
09:22 < petertodd> Pragmatically speaking, so what does a wallet look like then? Well, I think wallet software should be programmed to keep up with enough of the blockchain data to prove, block by block, that your txout hasn't been spent. (particularly fraudulently spent)
09:22 < petertodd> thicket?
09:23 < petertodd> Hidden problem: what's the incentive exactly to broadcast this data? In Bitcoin, it's because if you don't broadcast, people won't build upon your block. Here you have to figure out something similar.
09:24 < adam3us> petertodd: without the one-true-pow chain (orphans are killed) there becomes a bunch of valid non-conflicting small pows growing up in parallel, each should hash as inputs all non-conflicting tops it saw)
09:24 < petertodd> non-conflicting top? what do you mean by tops? (and for that matter, conflicting)
09:24 < adam3us> petertodd: yes my thicket idea got some hairy incentive scheme, so that was another meh part to.... change bitcoin it becomes worse because it's entangled, and also quite optimal
09:25 < adam3us> petertodd: say for simplicity you want to maintain two chains rather than one going upwards, each time you add to it, you include both chains as an input
09:25 < petertodd> yeah, see, re: incentives, one part to fix this could be to require mining to have the consent of some fraction - proof-of-stake style - of your neighbors in the UTXO space.
09:26 < petertodd> Ah right.
09:27 < adam3us> petertodd: it was another meh moment: bitcoin is entangled and highly optimized - i thought i could make it work, but it was more complicated (incentive rules) and bigger (more blocks) more redundant (repeated data in blocks) and so forth
09:27 < adam3us> petertodd: i mean it did seem to work, but it was worse on 2 or 3 fronts
09:28 < adam3us> petertodd: "pos consent of utxo neighbours" yes maybe
09:30 < adam3us> petertodd: i wonder if not caring about history means miner validation (vs pool validation) doesn't even matter; just mine some random crap blind, it'll define history
09:48 < petertodd> net died
09:48 < petertodd> ok, so, the only way I can find that gets around this issue is to entangle mining and keeping history
09:49 < petertodd> for instance, imagine a system where to get 1/256th of the reward, you had to prove, by mining, that you had 1/256th of the blockchain data
09:50 < petertodd> easy enough to do: just require your valid PoW's to have randomly chosen fragments of the blockchain data.
09:51 < petertodd> it's a bit ugly, but it will work
10:24 < amiller> petertodd, adam3us, i'm trying to figure out a way to embed the constitutional rules more strongly
10:24 < amiller> to make it so that any deviation from the rules ruins all the signature security, for example
10:24 < amiller> like any blockchain that contains an invalid commitment also has a trapdoor that lets you make a valid-looking commitment for any signature
10:24 < amiller> something like this would give teeth to the thing everyone says bitcoin currently has, that "21 million limited inflation is guaranteed by a math algorithm cryptography!" which isn't even true, it's only guaranteed by the relative difficulty of getting everyone to change their minds at once
10:26 < petertodd> amiller: I don't think you'll manage to do that with crypto, but as a definition thing you easily can
20:31 < CodeShark> the min reorg depth would need to be somehow propagated through the chain, or the SPV client would need a way to obtain a simple proof of at least a certain depth
20:32 < maaku> so? you want it to be safe from any reorg less than 100 blocks? then wait 100 blocks after it hits the chain
20:32 < CodeShark> the burden of proof could be passed to the payer
20:32 < gmaxwell> also if the rule is not consistent we can't reason about the safety of forks. E.g. we know that coinbases are not spendable before 100 so if we must we can do a 99 block reorg to fix the chain and include no double spends and we won't invalidate any spent coins.
20:33 < maaku> so let the payer use old coins so they can provide a compact proof of stability
20:33 < gmaxwell> Also you've increased communications complexity between the payee and payer. Because as a payer now I need to know the payee has some preference for non-risky coins which differs from payee to payee.
20:33 < maaku> otherwise, sucks to be them and the merchant makes them wait 100 blocks
20:34 < gmaxwell> having to wait 100 blocks at all times, or having to treat coins as highly non-fungible are both pretty poor solutions.
20:35 < gmaxwell> Esp. when the coin is some small improvement which you couldn't even explain to most people. :P
20:35 < gmaxwell> Perhaps its fine in some other system, I don't think its something we can reasonably do in bitcoin.
20:35 < maaku> well having signatures expire is pretty important when it's used in a p2p exchange...
20:35 < maaku> or in a server-to-server consensus mechanism
20:36 < gmaxwell> 17:35 < maaku> or in a server-to-server consensus mechanism
20:36 < gmaxwell> yea... except dear gods, the bitcoin blockchain is NOT a communications mechanism for your server to server consensus!  _global broadcast network_
20:36 < maaku> gmaxwell: using the public chain as a semaphore for two-phase commit of a distributed transaction over multiple private asset servers
20:37 < gmaxwell> your asset servers are known in advance! use a freaking ordinary consensus.
20:37 < maaku> that's why we haven't even tried to get anyone onboard with deploying Freimarkets to bitcoin
20:37 < maaku> i just assume it wouldn't fly
20:38 < maaku> gmaxwell: you need to hit the public chain for public<-->private txns
20:39 < maaku> (e.g. atomic swaps of freicoins for private assets)
20:39 < gmaxwell> For anything like that you have a small number (because multisig scalability) of known-in-advance servers. Which means you can do a regular n-of-m consensus totally external to bitcoin. E.g. an initiator proposes a distributed database update and gets a supermajority of the servers to sign off on it.
20:39 < CodeShark> ok, perhaps a more interesting theoretical question (whose solution would work just as well for my problem): is there a practical way to achieve atomic data swaps between multiple entities?
20:40 < CodeShark> homomorphic encryption?
20:41 < CodeShark> would it require quantum crypto? :)
20:41 < gmaxwell> CodeShark: you basically want two people to trade data such that they either both get the data or neither do?
20:41 < CodeShark> exactly
20:42 < CodeShark> and the outcome shouldn't take forever to determine :)
20:42 < gmaxwell> I don't know if it's possible, unless you assume both parties are equally computationally bounded.
20:43 < CodeShark> or you use quantum crypto
20:43 < gmaxwell> I'm not even sure how you'd do it with quantum crypto.
20:44 < gmaxwell> lemme think for a minute.
20:45 < gmaxwell> It has to be a two party protocol?  Can the protocol have N bystanders who help out, and the protocol is fair if most of the bystanders are honest?
20:46 < gmaxwell> I can give you protocols for this, but they don't work for the two-party case because they need an honest majority.
20:46 < CodeShark> escrow?
20:46 < CodeShark> yeah, the two party case seems to have much more profound theoretical implications
20:47 < gmaxwell> yea, kinda, you split the data up N ways such that N/2+1 can reveal. And then N/2+1 reveals to both and you're done. Of course it can be encrypted so that no one but the right parties learn anything.
20:47 < gmaxwell> With N=2 I think the best I can do involves bitcommitments and a cheater can terminate the protocol early and know 1 more bit than the other guy, plus then they can do computation to grind out the answer.
20:48 < gmaxwell> e.g. say you both can afford 2^64 work to grind out a missing key.  I abort the protocol early so that I am missing 64 bits and you are missing 65. It's even worse if the parties are computationally unbalanced.
20:49 < gmaxwell> e.g. you can afford 2^32 and I can afford 2^64. I can terminate it after learning K-64 bits and you're just screwed.
20:49 < CodeShark> right
20:51 < gmaxwell> I know there are some protocols which claim to be able to achieve 2-party active secure multiparty computation. So I suppose I should go look and find out what the catch is, because I think that's not possible.
20:51 < gmaxwell> (for the same reason as here)
20:51 < CodeShark> not even with quantum crypto?
20:53 < gmaxwell> I think if you can do it with quantum crypto then you can make something secure in the CRS model (e.g. where there is some magic trusted random tape).
21:06 < brisque> would anybody be available to help me isolate some network oddness? trying to work out if something I'm seeing is my peers behaving badly, or something on a larger scale.
21:06 < CodeShark> what are you seeing?
21:07 < brisque> I'm getting huge floods of double spend attempts in my logs- I know it's not an issue but it's extremely persistent
21:08 < brisque> usually around block boundaries I get 60+ transactions spending spent outputs, which is strange in my eyes. big blocks milliseconds apart.
21:08 < gmaxwell> brisque: I don't think that's anything too new or interesting, some things, e.g. bc.i uselessly flood peers with double spends.
21:08 < gmaxwell> also I think coinbase does this.
21:09 < gmaxwell> after a block that doesn't have some unconfirmed transaction it has, it uselessly floods all its peers readvertising them, even if they're conflicted.
21:09 < brisque> ah. I've banned blockchain.info for that, but I wasn't aware anybody else decided it was a good idea.
21:32 < brisque> I'm definitely connected to blockchain.info or coinbase's nodes, but I've no way of knowing which they are out of hundreds of peers. might be a rainy day project to try and isolate them somehow.
21:53 < gmaxwell> brisque: unfortunately it's hard to distinguish idiotic spamming of conflicted transactions vs honest spamming of them from a peer which isn't quite caught up with the blockchain.
21:53 < gmaxwell> If it were, we could just automatically ban those nodes.
21:58 < brisque> gmaxwell: if you were intent on identifying one of the mentioned services, you presumably could just listen and isolate it by forcing the service to broadcast known transactions and measuring the latency. I don't have any inclination to, but even if they're not listening (I'm sure they're not) you could eventually find them. the number of listening nodes in the network is quite small after all, anyone with enough
21:59 < brisque> I seem to remember that Bitcoind avoids talking to multiple peers in the same network, which would make that more difficult of course.
22:01 < gmaxwell> well mostly I think this crap wastes a lot of bandwidth, but right now people have very little incentive to write competently authored node software in any case that won't get them banned.
22:05 < brisque> I suppose bandwidth is cheap enough that nobody cares. ultimately their dodgy patches will just lead to them not updating, which is the real risk.
22:10 < gmaxwell> it's already the case... well it's not just 'dodgy patches', e.g. coinbase has their own node software... and yea, they get isolated from time to time as a result.
22:10 < gmaxwell> The bandwidth might be cheap for them, but it's pretty inconsiderate to the network.
22:10 < brisque> oh god. seriously!?
22:11 < gmaxwell> yea.
22:11 < brisque> why would anybody running a financial service run their own bitcoin node!?
22:11 < gmaxwell> And expose it directly to the world too.
22:12 < gmaxwell> In any case, maybe we could just keep a count of doublespends per-peer preferentially kick the worst offender.
22:13 < brisque> that's just ridiculous. the cost involved in building their own bitcoin node would far outstrip any benefit they would gain from it. no wonder they needed piles of VC money.
22:13 < brisque> it explains a lot, why their outgoing transactions are so slow, get stuck, often don't get broadcast.
22:14 < gmaxwell> it's not just that, if someone goes and finds yet another way to get them to reject the real chain, (which has happened by accident many times) they can potentially buy a bit of hashpower and rob them blind.
22:15 < gmaxwell> ... though in that particular case, I guess it's not even the low hanging fruit. At least a month ago it was possible to deposit, and then withdraw before it confirmed.... (I reported it to them, dunno if they fixed it)
22:15 < brisque> surely they would have paid a bug bounty for you. they have a minimum 5BTC policy.
22:15 < brisque> that's an obscenely bad bug for an online wallet to have
22:15 < Luke-Jr> gmaxwell: now I can't even sell until it confirms :/
22:16 < gmaxwell> oh I guess they fixed it then.
22:16 < gmaxwell> brisque: I didn't ask about that.  .. hell I wasn't even trying to discover it. Worse, in the case where I discovered this there was actually a double spend on the network, and I could have _accidentally_ ripped them off.
22:17 < brisque> I think you could have the QT client scream "DON'T ACCEPT ZERO CONF TRANSACTIONS" every 5 minutes and people would still do it.
22:18 < brisque> gmaxwell: I'm shocked nobody had realised that before.
06:04 < HM2> oh wait you mean pass pass red/blue = win
06:04 < sipa> and there is no difference in result between one being incorrect or all passing?
06:05 < gmaxwell> yea, pass pass pass is lose.
06:05 < gmaxwell> and wrong wrong wrong is lose.
06:05 < sipa> if 3 pass, 0% chance of winning
06:05 < sipa> if 2 pass, 50% chance of winning
06:05 < HM2> is it something to do with the order you leave the room?
06:05 < gmaxwell> as is wrong right right and so on.
06:05 < sipa> if 1 passes, 25% chance of winning
06:06 < gmaxwell> HM2: no, no side channels.
06:06 < sipa> do we know whether we lost, if someone gave the wrong answer?
06:06 < sipa> or does that also count as a side channel
06:06 < sipa> not that it matters, as we're lost in any case
06:06 < petertodd> that we all get to see the same thing minus our own hate is a information channel - is this an ideal situation, or can we use rules like "if the person on the left has a blue hat"?
06:06 < gmaxwell> yea that's communication.  You're all effectively answering concurrently.
06:07 < petertodd> s/hate/hat/
06:07 < gmaxwell> petertodd: you can see the other hats, you can have person specific rules if you want (so person ordering is fine)
06:07 < HM2> petertodd, that's what i was thinking. e.g. the person who left before me had a blue hat
06:09 < sipa> gmaxwell: do we have access to a RNG?
06:09 < sipa> (each individually)
06:09 < gmaxwell> sipa: sure, you can flip coins.
06:09 < sipa> oh, right, we can see the other's colors
06:09 < sipa> hmmm
06:09 < gmaxwell> but right.
06:10 < sipa> if i couldn't see the other's hats, i'd say each uses a RNG to determine whether he's going to answer or not
06:10 < HM2> well if 2 pass and 1 doesn't you have 50/50
06:11 < HM2> you have to be able to do better than that
06:11 < sipa> if my math is right, with answering with chance 0.45308, we have a 30% chance of winning
06:12 < petertodd> nothing says we can't agree before hand that two of us are going to pass no matter what, and the last man out always picks blue for 50%
06:12 < sipa> oh, we can communicate in advance?
06:12 < gmaxwell> yea, you can agree on the rules in advance. Sorry.
06:12 < HM2> it'd be a bit difficult to have a strategy if you couldn't communicate outside the room
06:12 < gmaxwell> but you know nothing of which hats you have then.
06:13 < sipa> is there a known probability distribution on the hat colors?
06:13 < petertodd> well, 50:50 is already sounding pretty good :)
06:13 < gmaxwell> coin flip, assume the coin is fair.
06:13 < sipa> ok
06:13 < petertodd> so we can't tell if our other teammates passed or picked right?
06:13 < HM2> If you saw 2 blue hats, write red. If you saw 2 red hats, write blue. If you saw differing colours, pass
06:14 < sipa> HM2: why?
06:14 < gmaxwell> petertodd: that would be communicating. No communicating.
06:14 < sipa> the hat colors are presumably independent
06:14 < gmaxwell> <3
06:14 < gmaxwell> "If you see two of the same color, call the opposite, otherwise pass"
06:14 < gmaxwell> 0 0 0 = 1 1 1  Lose
06:14 < gmaxwell> 0 0 1 = P P 1  Win
06:14 < gmaxwell> 0 1 0 = P 1 P  Win
06:14 < gmaxwell> 0 1 1 = 0 P P  Win
06:14 < gmaxwell> 1 0 0 = 1 P P  Win
06:14 < gmaxwell> 1 0 1 = P 0 P  Win
06:14 < gmaxwell> 1 1 0 = P P 0  Win
06:14 < HM2> sipa, because seeing 2 blue hats means if you have red the other 2 will pass
06:14 < gmaxwell> 1 1 1 = 0 0 0  Lose
06:14 < gmaxwell> P_win = 6/8 = 0.75
06:14 < HM2> likewise with 2 red hats
06:14 < sipa> right!
06:15 < gmaxwell> The awesome thing about this is that morons who fail at stats will actually get it right faster than non-morons.
06:15 < gmaxwell> Because if you think the hats are not independent you'll chance into that solution.
06:15 < HM2> So where's my million dollars?
06:16 < petertodd> ha, so I was at least right in thinking that the shared partial view was a communications channel
06:16 < gmaxwell> Now further mindblowing: This works with any number of people, but coming up with the assignment codes is hard. It becomes _more_ successful the more people you have.
06:17 < sipa> right, it's probably harder than generalizing to "vote the opposite of the majority you see"
06:17 < petertodd> right, so now I just need to construct a merkle tree of it, and start picking samples for my non-interactive proof :P
06:17 < gmaxwell> This is the covering code problem: https://en.wikipedia.org/wiki/Covering_code
06:17 < HM2> it makes sense from a raw information perspective as well. each player effectively can convey 1 bit of information about what they saw. a guess (worthless) or no guess
06:18 < HM2> so you have 3 bits of information and 2^3 hat combinations
06:19 < HM2> so it at least seems feasible to me that there is a very good strategy
06:19 < sipa> if we're into riddles, here's another (which sounds similar): in a monastery, monks live solitary lives; they only meet once per day for dinner, and only the abbot is allowed to speak. one day he speaks: "brothers, a terrible disease has broken out. the disease is characterized by a black dot on the forehead; anyone who knows he has the disease has to commit suicide at night". A week later, the disease is eradicated, and you can assume no...
06:20 < sipa> additional infections happened during the week
06:20 < sipa> how many were sick?
06:20 < gmaxwell> I'm glad it seemed feasible to you! But I took a while to even realize there was a dumb 50% strategy. :P
06:21 < HM2> the abbot poisoned their dinner
06:21 < sipa> HM2: perhaps, but irrelevant :)
06:21 < HM2> i'm confused as to what the problem is
06:21 < HM2> do they not have mirrors?
06:22 < sipa> nope
06:22 < sipa> no communication at all
06:23 < HM2> so no monks know if they're infected
06:23 < sipa> indeed
06:23 < HM2> and they can't tell their neighbours if they're infected
06:23 < HM2> and a week later the disease is gone
06:23 < sipa> indeed
06:23 < petertodd> was at least one monk infected?
06:23 < HM2> sounds like you have an empty monastery after one week
06:23 < gmaxwell> Do they all have the disease? No one said the disease kills you, only knowing about it.
06:24 < sipa> i'll strengthen: one week later, the disease is eradicated, and not earlier
06:24 < gmaxwell> ahh
06:24 < sipa> and nobody dies of the disease itself
06:24 < petertodd> can you die of the disease?
06:24 < sipa> not within one week :)
06:24 < petertodd> how does the disease spread?
06:24 < HM2> how can anyone commit suicide if they don't know they have it?
06:24 < gmaxwell> What I think happens is that the abbot is being replaced.
06:25 < sipa> petertodd: it doesn't spread within that week
06:25 < gmaxwell> hm.
06:25 < sipa> how we got the current situation is irrelevant
06:25 < petertodd> how can the monks learn they have it exactly?
06:25 < HM2> you can't even collaborate if you can't communicate
06:25 < sipa> petertodd: for you to find out
06:26 < sipa> oh
06:26 < HM2> there can't be a protocol for solving it at dinner if they can't establish a protocol through communication
06:26 < sipa> no, nevermind
06:26 < sipa> HM2: no need :)
06:26 < sipa> (we have to assume all the monks are highly intelligent and obeying)
06:27 < petertodd> sipa: so basically this monastery is full of the borg?
06:27 < sipa> Potentially.
06:27 < gmaxwell> sipa: does the abbot say anything else or is this just a one time announcement?
06:27 < sipa> that's the only time he speaks within that week
06:27 < HM2> ah
06:28 < HM2> if you kill yourself, you don't show up for dinner the next day
06:28 < sipa> bingo
06:28 < HM2> so there's something there
06:29 < HM2> I'm not sure how that helps you determine if you have it though
06:29 < HM2> I guess don't show up, then show up the next day and see if anyone is surprised
06:30 < sipa> everyone alive is required to be at dinner
06:30 < gmaxwell> We're all apparently dumb, because Kat solved it like instantly.
06:31 < sipa> i can't remember whether i actually ever found it myself
06:31 < sipa> probably with a lot of hints
06:31 < HM2> the protocol can't be that complex
06:31 < petertodd> can the monks know if the disease has been stopped?
06:31 < HM2> otherwise it couldn't be established without collaboration
06:31 < sipa> petertodd: no need
06:32 < sipa> assume there is only one sick person
06:32 < sipa> what happens
06:32 < HM2> nothing if he doesn't know he has it :|
06:32 < sipa> what does he see?
06:32 < petertodd> right, but the sick person has no way of knowing they are sick... and i take it monks won't kill themselves unless they know for sure
06:32 < HM2> oh, healthy monks
06:32 < sipa> bingo
06:33 < HM2> but how does that work in the general case
06:33 < sipa> first reason on
06:33 < sipa> one sick person; what happens?
06:33 < HM2> he goes home and kills himself because he knows he is the sick one
06:33 < sipa> and what does the rest see the next day?
06:33 < petertodd> sipa: so we damn well better catch it in the first case
06:34 < petertodd> sipa: healthy monks
06:34 < sipa> there you go
06:34 < sipa> now assume there were two sick
06:34 < sipa> what happens?
06:34 < petertodd> sipa: no-one kills themselves
06:34 < HM2> no
06:35 < HM2> they both kill themselves the following night
06:35 < sipa> why?
06:35 < HM2> because the next day they see the other is still alive
06:35 < petertodd> how do they know how many are sick?
06:35 < HM2> and realise they are the other unhealthy monk
06:35 < sipa> indeed
06:35 < HM2> and if there are 3 unhealthy monks it still works
06:35 < sipa> they expect that if they see 1 sick monk, that he will be dead the next day
06:35 < HM2> but 7 days only works for an upper bound on the number of monks, i think?
06:36 < sipa> obviously there are >=7 monks (abbot included)
06:36 < gmaxwell> 03:24 < sipa> i'll strengthen: one week later, the disease is eradicated, and not earlier
06:36 < petertodd> so exactly 7 monks were sick?
06:36 < sipa> indeed
06:36 < HM2> damn
06:36 < HM2> i had forgotten the number of sick monks was the actual question
17:07 < amiller> on the other hand, i have a chance at succeeding, and it may discourage other miners from including that transaction because i can harm them too
17:08 < sipa> how so?
17:08 < sipa> they don't care about seeing a competitor-miner fork off
17:08 < amiller> suppose i have 20% or so hashpower
17:09 < amiller> i have maybe a 1 in 25 chance of succeeding in undermining a block that i don't like
17:09 < amiller> if i commit to doing that anyway, despite the cost to me
17:09 < sipa> they would care if network nodes would start enforcing your rule
17:09 < amiller> then other miners may not want to include transactions that will make me fight them
17:10 < sipa> well if they suspect that you (and those thinking the same way) have more than 50% together, yes :)
17:10 < amiller> no it doesn't need to be anywhere near 50%  is what i'm arguing
17:11 < sipa> not sure how
17:11 < amiller> suppose i have 20% of the hashpower
17:11 < amiller> how often is it that i find two consecutive blocks?
17:11 < sipa> once every 25 blocks, i guess
17:11 < amiller> 1/25?
17:11 < amiller> okay
17:12 < amiller> so if i commit to making a one-block attempt to undermine anything with transaction x in it
17:12 < amiller> then you are losing 4% of your effective hashpower if you mine a block with transaction x in it
17:13 < amiller> regardless of what anyone else does
17:13 < sipa> unless they actively discourage a block that does not have x in it
17:13 < amiller> hm, well yeah
17:13 < sipa> in which case the majority sode will always wim
17:13 < sipa> side, win
17:14 < amiller> s/regardless of what anyone else does/assuming everyone else runs like normal
17:14 < sipa> colluding against a <50% party is easy, if you have >50%
17:15 < sipa> in case there are different colluding parties
17:15 < sipa> you only need more than the largest other + non-colluding ones
17:15 < amiller> so perhaps miners will check their work at "doeseligiushatemyblock.com" to make sure they aren't triggering any retaliation
17:16 < sipa> i hope such things won't be necessary :)
17:16 < sipa> but maybe it's inevitable
17:17 < gmaxwell> hard to say, miners mostly take stock software these days. (eligius being the largest major exception afaik)
17:21 < amiller> i wonder if it would even be meaningful to define a completely zero knowledge consensus protocol.
17:22 < amiller> i guess that's a little bit like the stuff adam3us is trying to think of
17:23 < amiller> the only defense i can think of this is to obscure as much information about the block as possible so that an influencer like that wouldn't easily be able to pick a predicate and enforce it
17:23 < amiller> you'd even want it to be deniable so that it couldn't just hate on everything that doesn't whitelist with it first
17:25 < gmaxwell> amiller: it's called a timestamper? :P
17:25 < amiller> well no i mean
17:26 < amiller> zero knowledge except for that all applicable validation rules have been followed :o
17:30 < gmaxwell> amiller: part of the challenge there is that when the state is incremental, you actually have to know the state to form another one.
17:31 < amiller> maybe. sort of like what we were just talking about with utxo proofs,
17:31 < gmaxwell> so you can prove to me in zero knowledge that you have a valid block xxxyyy  ... but that isn't enough for me to be able to build a successor block
17:31 < amiller> potentially you only need to know about the portion of the state that changes
17:31 < amiller> each transaction output is basically its own little isolated private state box, no interaction with any others
17:31 < gmaxwell> yea, well if your 'state' is 1 bit and only changed once....
17:31 < gmaxwell> and starts as zero...
17:38 < amiller> not necessarily?
17:39 < amiller> it's hard to define this even just using generic primitives like universal zk and universal homomorphic encryption
17:39 < amiller> like it would be easy to define as a multiparty computation
17:39 < amiller> publicly verifiable private property
17:39 < gmaxwell> yea great, that doesn't help. :P
17:39 < gmaxwell> amiller: the validation essential stuff is just the spentness bit. Pretty much everything else could be encrypted.
17:40 < amiller> but the main problem is that you don't want everyone to have to touch it in every round
17:40 < amiller> only the person doing the transfer should have to interact
17:41 < amiller> so we should have one big encrypted state file where we each know the contents of one part of the file
17:41 < amiller> and if i have privileges to that file, i should be able to update the file without interacting with anyone else, with a publicly verifiable proof that i only interacted with the part that i had authority to
17:41 < amiller> oh or that
17:41 < amiller> perhaps we both have to interact to change both our states
17:41 < amiller> like if i put some of my coins into your account then we have to interact so that you learn you have them
17:41 < amiller> maybe we do a 2 player secure computation to pull that off
17:42 < amiller> but the conservation rule would be publicly verifiable
17:43 < amiller> the implicit rule is that people behave "rationally" with respect to incentives like having an auction, but not discretionary
17:43 < amiller> like you should treat all bitcoins as equal and fungible and look only at their amounts
17:43 < amiller> even though that may not be enforced, that's in principle what's expected
18:07 < amiller> maybe removing the blocksize limit could have an unintended consequence of triggering the development of rational mining software
18:08 < amiller> because then it will more clearly be up to individual miners whether to build on a block or delay building on a block for a while
18:16 < gmaxwell> amiller: that kind of decision making is really really bad for convergence.
19:02 < HM2> Ok, time to dive in to Spirit X3
19:03 < HM2> promises 3x the compilation speed of Spirit v2
19:32 < HM2> wow, i managed to fix the broken git HEAD
19:36 < maaku> amiller: are you aware of the "republicoin" discussion that went on surrounding freicoin about a year ago?
19:36 < amiller> no
19:36 < amiller> link?
19:37 < maaku> meh, it's spread all over the freicoin forums, and hasn't been brought together into a unified proposal like freimarkets yet
19:37 < maaku> i can try to find the right threads, but here's a summary :
19:37 < maaku> basically using proof-of-stake + proof-of-work voting to negotiate soft-fork changes
19:38 < amiller> i think proof-of-stake sucks because it's so poorly defined, but i am hoping to change my mind!!
19:38 < amiller> i'm eager to read it
19:38 < maaku> could be any type of soft-fork change, but specifically we were thinking about mandating budgets for the demurrage
19:39 < maaku> and expected that a somewhat parliamentarian style system would emerge - parties advocating their own budgets, forming coalitions, and the one with 51% of the bicameral PoS + PoW vote would get to say how it is spent
19:40 < amiller> that reminds me a bit of an idea someone told me last week
19:40 < gmaxwell> maaku: I don't understand how having anything but a hashchain majority matters for what is actually a soft forking change... as that majority could just force whatever outcome they want.
19:40 < amiller> about why not make bitcoin, but for the US dollar, since the US has pretty good monetary policy
19:40 < gmaxwell> (or at least force the status quo)
19:40 < amiller> i actually like the idea!
19:40 < amiller> we don't really have a great model for how the monetary policy works
19:40 < amiller> so it's hard to make it an algorithm
19:40 < amiller> on the other hand it has a sort of well defined interface
19:40 < amiller> there's a trusted steward who sets a global interest rate
19:41 < amiller> then that interest rate is offered for overnight borrowing to a handful of trusted/appointed borrowers
19:41 < gmaxwell> amiller: we could call him "real solid"
19:41 < amiller> you could totally import any monetary policy system you like and implement it on top of whatever ledger/transaction/consensus system you want
19:42 < amiller> but hopefully no one would use it because trusted parties suck
19:42 < gmaxwell> There have been a number of coins that basically had centralized control of inflation. (solidcoin in one of its worthless renditions, for example)
19:42 < amiller> it's not the slightest bit clear to me that parliamentary fighting is any more desirable either :/
19:42 < amiller> i think i like constitutioncoin better than republicoin
19:43 < amiller> ostensibly what we have is constitutioncoin
19:43  * gmaxwell votes to take amiller's bank account and split it equally among everyone else in the channel
19:43 < gmaxwell> All in favor?
19:43 < amiller> lol.
19:45 < maaku> amiller: heh, no, but freicoin has a perpetual 4.9% subsidy... simply giving all of that to the miners may be paying for too much security
19:45 < maaku> finding decentralized solutions to that is not easy...
19:46 < amiller> not easy, granted
19:46 < maaku> the big problem with republicoin is proof-of-stake - all the current systems suck, big time
19:46 < gmaxwell> maaku: yea that's one of the main arguments against any kind of inflationary coin, ... certainly giving the money to miners is potentially insane.
19:46 < amiller> who else do you give it to
19:47 < maaku> amiller: the republicoin answer is basically the same as the current (real-world) status quo: let a government elected by the people distribute it
19:48 < gmaxwell> amiller: you could lower inflation if you're paying too much for security.
19:48 < amiller> maaku, ^
19:48 < gmaxwell> but you'd still need a virtual Bernanke to make that call.
19:49 < maaku> gmaxwell: except in freicoin where "inflation" is determined by the nature of money, not security needs (4.9% demurrage required for 0% basic interest, nothing to do with security needs)
19:49 < maaku> but that's a discussion for #freicoin
12:24 <@sipa> CHECKSIG(P,S) checks whether S is a valid signature for pubkey P
12:24 <@sipa> oh, and CONST(X), just a constant
12:24 <@sipa> ok?
12:24 < HM> sure
12:25 < HM> i would be comfortable with C operators and parens, but more power to you :P
12:25 <@sipa> so a normal (forget addresses for a while) pay-to-pubkey would be
12:25 <@sipa> CHECKSIG(CONST(somepubkey),DATA(1))
12:25 < TD> i feel too muggle-like for this channel
12:25 < HM> sipa: yep trivial
12:26 < HM> ok now i have to interject a question
12:26 <@sipa> HM: ok, 2-of-2 multisig becomes: AND(CHECKSIG(CONST(somepubkey),DATA(1)),CHECKSIG(CONST(otherpubkey),DATA(2)))
12:26 < HM> hmm
12:27 < HM> Ok, as long as you're explicitly indexing params it doesn't matter which order things are evaluated in
12:27 < HM> How does a merkle hash play in this ?
12:27 <@sipa> exactly
12:28 <@sipa> well, first one way to write a 1-of-2 multisig:
12:28 <@sipa> OR(CHECKSIG(CONST(somepubkey),DATA(1)),CHECKSIG(CONST(otherpubkey),DATA(1)))
12:28 < HM> yup
12:28 <@sipa> nothing surprising, i guess, except that it requires two checksig operators, and one will always fail
12:29 <@sipa> now, what if we add a new operator: IF(bool,X,Y), which returns X if bool==true, and Y if bool==false
12:29 <@sipa> then you could write it as: IF(DATA(1),CHECKSIG(CONST(somepubkey),DATA(2)),CHECKSIG(CONST(otherpubkey),DATA(2)))
12:30 < HM> errr
12:30 < HM> ok...
12:30 <@sipa> so your input would be [true,sigforpubkey1] or [false,sigforpubkey2]
12:30 < HM> that would mean the final value is chosen by the redeemer
12:30 <@sipa> indeed
12:31 < HM> are we talking arbitrary scripts or just bools?
12:31 <@sipa> doesn't matter, you can restrict it to just bools if you like
12:31 < HM> ok
12:31 <@sipa> the observation is here that one of the two subbranches of IF will never be evaluated
12:31 < HM> yep, just like in code
12:32 <@sipa> so, in case the AST is merkleized, you could just provide the hash of the X or Y subtree, instead of its full data
12:32 < HM> and a path
12:33 < HM> derp derp
12:33 <@sipa> well, when spending, you give the script: IF(DATA(1),CHECKSIG(CONST(somepubkey),DATA(2)),HASH(X))
12:33 <@sipa> + [true,sigpubkey1]
12:33 <@sipa> or the other way around
12:34 <@sipa> and the merkle root (which is what the txout specified) remains valid
12:34 < HM> what is X
12:34 <@sipa> the hash of the subtree CHECKSIG(CONST(otherpubkey),DATA(2))
12:34 < HM> right, so your partner in multisig has to construct that part of the script
12:34 < HM> slot in their signature
12:34 < HM> then hash it?
12:35 <@sipa> or you (as one of the receivers) just knew the two full pubkeys
12:35 <@sipa> the point is that you never have to disclose the pubkey you didn't use
12:35 < HM> right, i see. so basically you're revealing the script like P2SH but blinding branches for privacy
12:35 <@sipa> bingo
12:36 <@sipa> well, there's some mild data-size advantages as well
12:36 <@sipa> but indeed
12:36 < HM> hmm
12:36 < HM> but if the tree is binary you always reveal half
12:37 < HM> i.e. if it's complex and deep you still reveal quite a lot of the script on one side
12:37 <@sipa> if the tree is larger, you can cut away much larger subbranches
12:37 <@sipa> anyway, the largest scalability advantage is that txouts are always just one hash
12:37 <@sipa> which means the only thing that ends up in the UTXO set is one hash
12:38 <@sipa> of course, inputs become larger, and they still end up in the full blockchain
12:38 < HM> what about the implications for hash collisions
12:38 <@sipa> well, if those are a problem, bitcoin is fucked
12:38 < HM> if one branch is 5 levels deep and requires 1000 keys you still only need 1 hash collision to bypass that entire part of the script
12:39 <@sipa> you mean a preimage, not a collision
12:39 < HM> yes
12:39 <@sipa> well, we already assume our hash functions are preimage-resistant, because block mining would become trivial otherwise
12:39 <@sipa> or faking transactions
12:39 <@sipa> or faking signatures
12:40 < HM> hmm
12:42 < HM> How does OR work when you have OR(Somescript, HASH(DATA(1))
12:42 < HM> if you complete and evaluate Somescript you're done
12:43 < HM> but HASH(DATA(1)) isn't then required
12:43 < HM> or am I getting confused
12:43 <@sipa> HASH(X) is just raw data, it's not a real operator as X is not an AST
12:43 <@sipa> HASH_x is perhaps better notation
12:44 <@sipa> and any attempt to actually evaluate HASH_whatever, probably should result in failure
12:44 <@sipa> as you've pruned a part of the subtree that was necessary for evaluation
12:44 < HM> right yeah
12:44 <@sipa> compare it to CONST_x, which always evaluates to x
12:45 < HM> argh
12:45 <@sipa> the HASH_x entries are just necessary to make the merkle root of the AST work out
12:45 <@sipa> they aren't really part of the script
12:45 < HM> if you have AND(X, Y) then you can't send a hash for one side of the script can you? both need to be evaluated
12:46 <@sipa> i suppose that you can replace Y by a HASH entry, if you can guarantee that X will evaluate to false
12:46 <@sipa> (short-circuiting behaviour)
12:46 < HM> but then the entire branch is false and might as well not be there
12:46 <@sipa> it may need to be there, to make the merkle root work out
12:47 < HM> so what non-trivial systems does this allow?
12:48 <@sipa> it allows just as much as our script system now (though in an easier way, imho)
12:48 <@sipa> but it permits selective revealing
12:48 < HM> you could just reveal 2 hashes
12:48 < HM> and provide no data?
12:48 <@sipa> anyway, i think it's best to see IF and HASH as one operator, and make that the only way to do selection
12:49 <@sipa> i.e., have an operator BRANCH1(X,hash) and BRANCH2(hash,Y)
12:49 <@sipa> which take the place of IF(true,X,HASH(Y)) and IF(false,HASH(X),Y)
12:50 <@sipa> afk!
12:52 < HM> you could also have an operator that simply duplicates its sibling branch, but applies some transformation
12:52 < HM> like adding 1 to the index of data
12:53 < HM> that'd be easier if data could exist in pairs
12:54 < HM> AND(A.part1, B.part1) OR AND(A.part2, B.part2)
12:54 < HM> could be compressed to
12:54 < HM> DUP(AND(A,B))
12:54 < HM> or something
12:54 <@sipa> basically, you want subroutines :p
12:55 < HM> yeah but without having to have something insane
12:55 < HM> DUPing cousins would be difficult
12:55 < HM> you'd need a tree of data rather than an array
12:55 < HM> so each script node had its own parameters
12:56 <@amiller> well this no longer resembles a stack language so subroutine rather than dup is necessary
12:56 <@amiller> what you probably want is a closure?
12:56 < HM> where do you define your subrouting?
12:57 < HM> subroutine
12:57 <@sipa> amiller: yeah, let's just turn it into a untyped lambda calculus :p
12:58 <@amiller> well hopefully not untyped :x
12:58 <@sipa> church-encoding a pubkey shouldn't be hard!
12:58 <@amiller> no no no i promise i'm not trying to say that's practical :p
13:09 < andytoshi> i dunno, if you treat transaction outputs as "(defun [hash]0 ...)" "(defun [hash]1 ...)"
13:09 < andytoshi> you could build a lispchain
13:10 < andytoshi> wouldn't be much slower than emacs ;)
13:10  * andytoshi runs
13:11 < HM> i think it'd be wise to keep ops to a fixed size and then you can evaluate a script recursively without actually constructing a tree
13:13 <@amiller> andytoshi the cool thing about describing it that way is you can just refer to a function by its hash so that works perfect
13:13 < HM> e.g. the opcode and the immediate value, if any, e.g. DATA(2), was always a fixed size
13:13 <@amiller> yeah that's right, you'd want fixed size opcodes
13:14 < HM> yeah, so your script is always an odd number of bytes/opcodes
13:15 < HM> assuming it's a binary tree
13:15 < HM> the memory you need is basically fixed, you just need a register file
13:24 < andytoshi> amiller: right, an altchain that did this would hardcode its genesis block with a hundred or so utility functions
13:25 < andytoshi> i guess you'd also want a tiny recursion limit to prevent ddossing
13:27 < HM> recursion?
13:28 < HM> why are you allowing recursion
13:28 < andytoshi> HM: because it allows very tiny programs
13:28 < andytoshi> but now that i think about it, i think it's impossible if your functions are all named for their hashes
13:29 < andytoshi> so it's a moot point anyway
13:31 < HM> it also makes the thing difficult to reason about
--- Day changed Sun Mar 03 2013
03:37 < amiller> http://bitcoin.stackexchange.com/questions/3313/are-there-bitcoin-password-crackers-i-can-use-to-recover-forgotten-passwords
03:38 < amiller> it would be nice to be able to offer bitcoins for a reward like that directly in a transaction script, eh
07:40 < HM> hmm
07:41 < HM> this is why secret sharing would be a nice feature for high value wallet passwords
07:41 < HM> or some equivalent
08:15 < HM> http://echeque.com/Kong/anon_transfer.htm
08:15 < HM> i've been reading this explanation of blinded tokens using EC
08:16 < HM> While I follow the logic, and see how the issuer (Toby) can be used to create valid tokens that retain privacy, I don't see how the transformation can't be used to create new tokens from spent ones
08:18 < HM> ah wait, of course you have to pay again
08:18 < HM> derp derp
08:18 < HM> Toby won't do shit for free
08:27 < HM> hmm toby presumably has to blacklist R when calculating kR otherwise both (R, kR) and (q, Q) are valid spendable tokens
08:30 < HM> still, i suppose token IDs and hashes can be of different lengths so you won't mistake one for another
08:40 < HM> I guess Toby just values everything he doesn't hash at 0
09:08 < HM> oh nm, of course R,kR wouldn't be valid anyway
12:00 < HM> Heh, wow.... digital signatures using merkle trees
13:44 < amiller_> hm yeah digital signatures were the first use of merkle trees
13:44 < amiller_> they're pretty limited on their own because they're sort of one-time use only
23:25 < jgarzik> ideally one generates an address for spending, that may only be redeemed by multiple parties.  Smells like P2SH at a minimum.
23:26 < jgarzik> then each party manages one key of a multisig
23:26 < jgarzik> (s/party/bot/ as needed)
23:38  * jgarzik trolls gmaxwell
23:41 < nanotube> jgarzik: if you want to troll gmaxwell, you have to mention DHTs, at least. :)
23:42 < amiller> did someone mention dhts
23:45  * jgarzik guesses...  Bots A, B, and C each generate a key.  When a user requests a fresh pay-to bitcoin address from (randomly selected) Bot B, B collects data from A and C, writes a multi-sig script, uses that script to generate a P2SH bitcoin address, and gives to user.
23:46 < weex> can the user talk to the other bots?
23:47 < jgarzik> possibly, depending on how the bot addresses are discovered
23:47 < jgarzik> shouldn't matter, for the purposes of internally creating bitcoin addresses for The Collective
23:49 < weex> just thinking you want the user to be able to verify any address with a party other than the bot they talked to
23:49 < weex> doesn't really stop B from losing their key though
--- Log closed Thu Mar 07 00:00:43 2013
--- Log opened Thu Mar 07 00:00:43 2013
00:21 < jgarzik> OK, initial project then
00:23 < jgarzik> (gotta start small)  Make bots that create P2SH addresses for users, and perform some tests on spending and redemption
01:21 < jgarzik> hrm
01:22 < jgarzik> downside of P2SH: other bots and public cannot scan the chain, and observe to whom a payment was made, versus non-P2SH multisig
01:22 < jgarzik> stating the obvious, yes, but had not thought of that WRT transparency and remote proofs
01:22 < jgarzik> non-p2sh multisig is easier to audit
01:23 < jgarzik> at payment time
01:23 <@gmaxwell> Well, _audit_ is fine, because the auditee guides you. It's harder to snoop. Sometimes snooping is what you want, but auditing is usually sufficient.
01:44 < jgarzik> I definitely understand the motivation behind gavin's work on payment protocol
01:44 < jgarzik> there needs to be a standard framework for passing around transactions before/during the signature process
08:19 < HM> that Multi-party talk is good
--- Log closed Fri Mar 08 00:00:45 2013
--- Log opened Fri Mar 08 00:00:45 2013
07:26 < HM2> sipa: how are things?
07:28 <@sipa> good, i guess
07:29 <@sipa> some strange findings though: my naive exponentiation ladder for field inversions runs in around 11us, OpenSSL needs 20us,... and GMP less than 1us
07:29 <@sipa> thankfully, we only need 1 field inversion per signature verification
07:29 < HM2> so GMP basically rocks?
07:30 <@sipa> must be
07:30 <@sipa> for normal field multiplications, my own code is still 3x faster than GMP, but it's very specialized for secp256k1
07:31 < HM2> have you got a full signature verifier built yet?
07:31 <@sipa> no
07:31 <@sipa> layer per layer :)
07:32 <@sipa> CodeShark wrote a field inversion that's a bit faster than mine, but still way slower than GMP
07:33 < HM2> perhaps GMP are using SSE and friends?
07:33 <@sipa> maybe
07:34 <@sipa> but i don't want to go into maintaining several branches of assembly code, for an operation that takes less than 10% of the total time
07:34 < HM2> Indeed
07:35 <@sipa> the fieldelem code i wrote already requires a __int128 type, which means a recent compiler and a 64-bit platform
07:35 <@sipa> so probably we'll need a more generic version that runs on 32-bit as well anyway
07:41 < HM2> pffft 32-bit
07:42 < HM2> bigints are such a pain in the arse, i'm beginning to wish all languages (at least JIT'd ones) just made them their default integer type
07:43 < HM2> Javascript has perhaps the most JIT engineering going in to it at the moment and the default numeric type is a bloody double
07:46 <@sipa> haha
11:10 <@gmaxwell> Anyone read http://matt.singlethink.net/projects/mpotr/oldblue-draft.pdf yet?  (may have usefulness for some of the bank stuff where you need to avoid people hiding disclosures, without invoking a whole blockchain for byzantine agreement)
12:02 < HM2> C++ is currently making me want to kill someone
12:14 < helo> that's the problem with human-computer interfaces imo
12:14 < jgarzik> all languages suck
12:35 < HM2> indeed
22:16 <@gmaxwell> petertodd: so wrt, the provable balance bank, we'd talked about having users publish signatures of the root once they've verified their balance, after which the service could forget their past transaction history (since they can no longer dispute it), and it could recover the balances of users who stop signing for too long. (preventing bloat and loss of abandoned funds and encouraging people to check)
22:18 <@gmaxwell> that left an open question of how to avoid cases where the bank would 'fail' to receive a signature for too long in order to steal funds.  An obvious solution there is to have the users share signatures in a broadcast medium, and each signature includes a hash of all the other signatures that signer was aware of.
22:18 <@gmaxwell> so a cheating bank couldn't selectively ignore a single user they wanted to screw.
22:19 <@gmaxwell> e.g. you submit your signature, bank says you have some sigs I don't provide them. So denying one parties signature rapidly makes the bank unable to accept any at all.
22:49 < amiller> that's really similar to truledger / opentransactions / the whole line of triple signed transactions stuff
22:50 < amiller> except that afaik none of those do it the way you described where it's better because it combines multiple users to make it harder for the server to selectively ignore just one of them...
22:51 < amiller> that's really close to a great solution i think...
22:51 < amiller> it's not in any individual's rational interest to include someone else's signatures
22:52 < amiller> it's a social good to do so - but if there's a risk that the server is trying to ignore someone's messages, if you include them then the server might try to ignore yours, so it's not your problem and you should just let someone else help
22:53 <@gmaxwell> amiller: meh, it's ~costless and if the server ignores yours too you know the server is cheating which is the point. Someone else can then prove to themselves that the server is cheating by including yours and seeing that they also get ignored.
22:54 < amiller> well you can begin to suspect the server's cheating but you can't prove it
22:54 < amiller> i think that's fixable i don't mean to detract from the main idea there
22:55 < amiller> it's like red-balloons fixable
22:55 <@gmaxwell> Well, if you know how to make it sound I'm interest if just for novelty. The ideas we were talking about were simple measures for a practical system rather than a maximally sound one.
22:55 <@gmaxwell> s/interest/interested/
22:59 < amiller> also just providing a hash of the signatures you know about isn't really good enough
22:59 < amiller> because then you could easily dos someone by providing them a bunch of signed transactions that you _haven't_ sent to the server itself
22:59 < amiller> then the server would send back messages like 'i don't recognize that signature' and it would be legitimate
23:00 < amiller> you could relay all the transactions you know about sure
23:01 <@gmaxwell> well I was reducing to IRC length. You'd presumably send some deterministic tree root, and the server would iteratively query you to agreement. To keep the tree small the server could sign signatures he has received, allowing you to prune those.
23:04 < amiller> it's probably cheaper to send a bigger packet than wait for potentially numerous round trips
23:05 <@gmaxwell> true enough, esp if server signatures are constantly pruning the set of unknown signatures.
23:06 < amiller> for the time being i don't have any good clear answer for how to properly incentive-correct this but that would be a really cool goal and the normal way you described would be practical as it is
23:07 < amiller> i think having a good incentive solution for this + metavalidation rules would be exactly the two things needed to have networks of smaller blockchains
23:09 <@gmaxwell> mostly I'm trying to think in the space of ideas that can be implemented incrementally to take a simple system e.g. IRC micropayment bots and make them into something that isn't a straight up scam hazard... stuff that still has most of the scalability, flexibility, and practical privacy of centralized systems but is a little more trustworthy.
--- Log closed Sat Mar 09 00:00:46 2013
--- Log opened Sat Mar 09 00:00:46 2013
15:58 < petertodd> gmaxwell: Sounds like a reasonable idea.
15:59 < petertodd> gmaxwell: I was thinking, a good first prototype might actually be an easywallet type site that's auditable via a merkle sum fee tree.
15:59 < petertodd> Just something really simple, but real.
17:37 <@gmaxwell> well, go a step further than that and approach instawallet and put it on a real site.
17:38 < petertodd> gmaxwell: Oh, that's exactly what I meant.
17:39 < petertodd> easywallet seems like a better target, purely because they're targeting slightly more techsavvy users from what I can see
17:39 < petertodd> w/ a javascript verifier would be great
17:40 <@gmaxwell> one challenge is that these sizes have a kazillion utxo... not really compatible with small proofs.
17:40 <@gmaxwell> thats why I thought a micropayment system was better than a wallet provider.
17:40 < petertodd> yeah, currently they do, that'll have to be part of the question of how to do it
17:40 <@gmaxwell> Because a micropayment system could quite reasonably just have a few utxo.
17:40 < petertodd> I like your suggestion of having a "backing balance"
17:41 < petertodd> Yup, uc too, although none yet exist, well, sorta.
17:41 <@gmaxwell> well it may be the case that they could easily aggregate 95% of their funds in a few utxo, and then provide the other 5% out of pocket in a single utxo.
17:41 < petertodd> In practice easywallet and instawallet are also upayment systems.
18:18 < Luke-Jr> living it up would be *Beyond* foolish
18:18 < Luke-Jr> you think he'd really fare much better under another jurisdiction?
18:19 < gmaxwell> Luke-Jr: I think there are a lot of other people where no one would care or would just simply have a hard time finding him
18:19 < Luke-Jr> so maybe he really *was* saving up for a cruise ship :P
18:19 < gmaxwell> hah
18:19 < midnightmagic> Luke-Jr: Yeah but he asked to be contacted by the drug suppliers *through the one that was blackmailing him.* I personally would find that pretty laughable, unless one or both of them were just idiots who thought the other was also an idiot.
18:20 < gmaxwell> idiots pretending to be non-idiots pretending to be idiots pretending to be non-idiots?
18:20 < Luke-Jr> midnightmagic: I'm no druggie, but I think I'd have done the same XD
18:21 < gmaxwell> or were they non-idiots pretending to be idiots pretending to be non-idiots pretending to be idiots pretending to be non-idiots?
18:21 < gmaxwell> Luke-Jr: seemed really weird from the messages. Like.. uh. isn't it protocol when asking for someone to kill someone that you first might politely ask if they knew someone who could handle it instead of just offering money?
18:22 < midnightmagic> It could have been just meant as a scare-tactic.
18:22 < gmaxwell> Yea, I think thats the case, honestly.
18:22 < gmaxwell> Unless there is some hidden law of drug dealers that all of them are also hitmen?
18:22 < gmaxwell> :P
18:23 < sipa> Luke-Jr: selling drugs on SR i'd consider merely foolish
18:23 < midnightmagic> A scare-tactic would match the endless diatribal philosophy rants he would go on, and he was basically just some student in a $1000/month apartment in SF.
18:23 < midnightmagic> what the heck kind of craphole can $1000/month even buy in SF?
18:23 < sipa> running SR is already far beyond foolish :)
18:23 < gmaxwell> midnightmagic: a room in a craphole mostly.
18:23 < midnightmagic> lol
18:24 < sipa> midnightmagic: you mean rent, i hope?
18:24 < midnightmagic> sipa: rent, right.
18:24 < gmaxwell> I assume that its what it looked like to me: the blackmailer contacted DPR pretending to be his supplier, DPR saw through that (duh) and to scare the blackmailer he went straight into offering money to have him killed.
18:24 < gmaxwell> ::shrugs::
18:24 < HM3> SR apparently collected $80M in commission
18:24 < gmaxwell> HM3: at current bitcoin prices.
18:24 < HM3> yeah
18:24 < midnightmagic> blackmailer can't take that lightly, takes the lesser money (DPR actually negotiated a cheaper price than the original $250k which was half of the blackmailed money)
18:25 < gmaxwell> "and then he buried the private keys in seven 50gallon drums in the desert!"
18:25 < midnightmagic> +1 walter white reference
18:25 < midnightmagic> that nicholas weaver guy is pretty clever.
18:25 < gmaxwell> oh oh oh
18:25 < gmaxwell> I figured it all out
18:26 < gmaxwell> SR = government honey pot. They needed a plausible excuse to take it offline while the government was shut down.
18:26 < gmaxwell> :P
18:26 < midnightmagic> except this: https://twitter.com/NCWeaver/status/385428494361956352
18:27 < midnightmagic> :-( Mr. Weaver misses the possibility the browser is *already owned* prior to the view-source.
18:27 < gmaxwell> torify curl http://...
18:28 < midnightmagic> He suggested show-source to Brian Krebs rather than torify'd curl.
18:30 < HM3> why would they serve exploits on a site they've already conquered?
18:30 < HM3> if you're visiting SR it's probably because you have an account
18:30 < HM3> i bought a few items on silk road, nothing actually illegal though.
18:31 < HM3> I'm not worried
18:31  * HM3 buries his laptop
18:37 < gmaxwell> HM3: they served exploits on every site hosted on freedom hosting, including a bunch of totally innocuous sites.
18:38 < HM3> I don't think SR was on freedom hosting?
18:38 < HM3> and it was still a JS exploit.
18:39 < HM3> two big tor busts though in a few months
18:39 < gmaxwell> I was just responding to your "why would"
18:41 < K1773R> if this person only would have used not a single unencrypted wallet... well, such ppl deserve it...
18:41 < midnightmagic> HM3: actually, they got an image back in June, which coincides somewhat with the freedomhosting bust.
18:41 < jgarzik> DPR's opsec was so poor, it was an unintentional honeypot for a long time, I think
18:41 < HM3> Yeah, bit different though. With freedom hosting they were after consumers of illegal content. I doubt they'll go after many SR buyers unless they're worth police/Fed time
18:41 < jgarzik> buyers were also reselling
18:41 < HM3> maybe yeah
18:42 < HM3> Sellers though don't give out their addresses via the messaging system
18:42 < gmaxwell> HM3: they put that stuff up on lots of sites that were just boring stuff with nothing illegal... and generic services like tormail.
18:42 < HM3> lazy httpd config?
18:42  * midnightmagic is not going to call DPR's opsec shitty.
18:43 < HM3> midnightmagic, do you think he was somehow encrypting user->user messages?
18:43 < jgarzik> I mean reselling in the real world, using SR as a wholesaler.
18:43 < midnightmagic> jgarzik/HM3: No, I'm just not so sure most security researchers doing so wouldn't be just as caught if they were doing the same thing. :(
18:44 < HM3> jgarzik, ah, but the evidence for that would be light on SR itself
18:44 < midnightmagic> HM3: No, not at all. Perhaps as far back as his interview where he claimed he was not the first DPR he already knew he was caught and just waiting for the hammer to drop.
18:45 < jgarzik> midnightmagic, according to the indictment, he got forged passports and such shipped to where he lived, hacked in a near-constant locale near where he lived, publicly used his own email addresses a few times, ...
18:45 < jgarzik> either poor opsec or didn't care about being caught
18:45 < HM3> forged passports? intent to flee?
18:45 < midnightmagic> jgarzik: I don't think it's possible to be perfect. There's always info leaking.
18:46 < jgarzik> the indictment made it sound like he was using the forged docs to rent servers
18:46 < HM3> he should have used them to flee :P
18:46 < K1773R> midnightmagic: using public name and public email if you create a stack overflow question is just retarded, though he edited it, he thought after editing it would be gone... just idiots
18:47 < jgarzik> indeed
18:47 < K1773R> midnightmagic: ie related to SR
18:47 < gmaxwell> the SO question didn't really sound implicating at all.
18:47 < jgarzik> midnightmagic, Satoshi clearly thought through his entire identity
18:47 < K1773R> gmaxwell: doesn't matter, its a trail to follow. it would just take longer
18:47 < jgarzik> You must work really hard to bootstrap a truly anon id
18:47 < gmaxwell> "how do I use curl to access a hidden service" is hardly a smoking gun, except maybe in retrospect.
18:47 < gmaxwell> K1773R: no, it's not. there is as much trail for anyone else. It's just more supporting data.
18:47 < HM3> jgarzik, are you saying there aren't records like IP addresses somewhere that could reveal satoshi?
18:48 < gmaxwell> jgarzik: it's really really hard, and even satoshi didn't do it perfectly.
18:48 < K1773R> gmaxwell: i agree, finding out its him with just that question isnt possible, but it can be used afterwards (as we see)
18:48 < jgarzik> gmaxwell, that's the difficulty with opsec: with the Wayback Machine and such, hindsight / time reversal is ever-present
18:48 < gmaxwell> jgarzik: sure sure. But absent the other leaks that one probably wouldn't have mattered.
18:48 < jgarzik> nod
18:49 < jgarzik> it's the drip drip drip of tiny info leaks that lead Encyclopedia Brown to the source
18:49 < midnightmagic> K1773R: We are all idiots to someone.
18:49 < K1773R> midnightmagic: ACK, its relative :)
18:50 < HM3> they confirmed Rowling's book by analysing her writings.
18:50 < K1773R> anyway, hoping to see lower price for BTC to acquire more :P im out, n8!
18:50 < HM3> that was super cool
18:51 < HM3> little things like whether you punctuate on IRC and the frequency of your lols add a bit to your unique identity hash ;)
18:51 < midnightmagic> jgarzik: I'd be willing to bet that the early break-ins in the forum, plus sourceforge accesses, plus other things probably together yielded enough information to locate at least a real IP for satoshi.
18:52 < HM3> I would have thought he would have come forward by now tbh, or at least started a new project
18:52 < jgarzik> SR was probably one of the more successful San Fran startups ;p
18:53 < HM3> if you haven't cashed in on the glory then it suggests to me you're already cashing in in another way, or you are actually still involved in dev work
18:53 < jgarzik> midnightmagic, I think he's smarter than that, but you never know
18:54 < midnightmagic> HM3: that's pretty cynical of human nature.
18:54 < HM3> kind of
18:54 < jgarzik> HM3, sure, fingerprinting one's writing is nothing new.  That's why nutter criminals in past decades would paste together letters, hoping to fool handwriting analysis
18:54 < jgarzik> now computers and stats take it to a whole new leve
18:54 < jgarzik> *level
18:54 < HM3> I mean, i wouldn't walk away from a successful project like Bitcoin unless i was working on something else, or completely sick of it.
18:55 < HM3> Just saying "Yep, done that" and then retiring seems odd
18:55 < gmaxwell> it's very easy to be sick of bitcoin.
18:55 < midnightmagic> HM3: I would say Grigori Perelman embodies a certain spirit of a lot of the more interesting humans who probably wouldn't want money to pollute themselves with.
18:55 < jgarzik> I think statistics (data mining) and data storage growth, more than any government agency, will be the death of privacy.
18:56 < HM3> and if I were sick of it, i'd milk the glory to bootstrap other aspects of my life (work or play)
21:13 <@gmaxwell> ::sigh:: "Another point of evidence on address reuse is the popularity of vanity addresses. Are you suggesting people spend hours, sometimes days searching for an address only to use them once? I somehow find that unlikely."
21:13 <@gmaxwell> adam3us: thats basically the story of all altcoins.
21:15 < jgarzik> sadly true
21:15 <@gmaxwell> I mean, even freicoin bubbled up to 0.0005 BTC per FRC and its supposed to be inflationary and not go through these speculative bubbles! :P
21:15 < adam3us> ***adam3us wants to kill all alts
21:15 < jgarzik> I like the proof-of-$somethingelse experiments
21:16 < jgarzik> just fiddling with algo choice or params is droll
21:16 <@gmaxwell> well, I'm certainly more happy when they write more than 0 lines of code with their alt.
21:16  * Luke-Jr likewise
21:16 <@gmaxwell> I thought someone was going to do an altcoin maker?
21:16 < Luke-Jr> I especially like that Freicoin also tries to deter scammers from abusing their alt
21:16 < adam3us> ah that reminds me, i was thinking there might be a way to let people play with alts without wasting electricity
21:16 <@gmaxwell> adam3us: regtest? merged mining?
21:17 < jgarzik> lawcoin: relies on proof-of-wasted-paperwork-filed-at-city-hall
21:17 < adam3us> or at least it would be interesting if a way could be found :) eg just some central trusted server would do, like coinwarz
21:17 <@gmaxwell> jgarzik: I had a few fun ideas like that, ... but SSL doesn't have any way to sign the traffic through it.
21:17 <@gmaxwell> There is that AWS thing for SSL quasi-non-repudiation though.
21:18 <@gmaxwell> Proof-of-frivolous-litigation: You must file a nuisance lawsuit against pirate40 to mine a block.
21:18 < adam3us> gmaxwell: yes so general framework for merge mining plus dont waste cpu.  pay some virtual VPS and the central server allocates you some corresponding alts, proceeds go to something useful
21:18 < jgarzik> precisely
21:19 <@gmaxwell> I realized the existing merged mining code would only take a few lines of code to turn into a proof-of-attack against the chain its merging with.
21:20 < jgarzik> I do something wonder what the world would look like, if "bitcoin1" remained at 1MB etc. forever, and "bitcoin2" was layered on top of that as a day-to-day transactional currency, used in tandem with the asset-store bitcoin1.
21:20 < jgarzik> *sometimes
21:20 < adam3us> i mean these alts are mostly just a game, and have no non-speculative transactions; so they'd just as well own up to that reality.
21:21 < adam3us> jgarzik: did u see the idea BlueMatt & gmaxwell were talking about yesterday... a 1:1 peg feature, a better way to do bitcoin-staging
21:21 < jgarzik> adam3us, interesting, though not quite what I was thinking
21:21 <@gmaxwell> jgarzik: I dunno if you saw the sub-chain discussion from here with bluematt 24 hours ago.  Sounds like we could pretty 'easily' with some changes (perhaps just softforking) have a sub-coin where you could move bitcoin to and from the subcoin.
21:21 < adam3us> jgarzik: then we could make a bitcoin2 that safely allowed coins to be moved between bitcoin1 & bitcoin2.  (the protection is only coins moved into it can be moved back so there is no security risk for people not participating)
21:21 < jgarzik> I just openly wonder about keeping 1MB forever
21:22 < jgarzik> My statement has always been "it will probably change"... notably not stating "it should change" of which I'm not yet convinced
21:22 < jgarzik> and then logically extend from there
21:22 <@gmaxwell> one of the complicating issues is that some of these ideas like the subchain stuff really only work if Bitcoin1 remains reasonable cheap to validate, because all the sub-things below it must commonly validate bitcoin1 (but not each other)
21:23 < adam3us> jgarzik: i think the 1:1 peg is the best idea i heard in quite a while in bitcoin land.  with that we could move ahead and develop the queued ideas and fixes without risking bitcoin1 funds
21:23 < adam3us> jgarzik: and yet avoiding the alt-coin trap and with no market / arbitrage cost/risk and no security risk to bitcoin1 funds
21:23 <@gmaxwell> adam3us: it's not even a new idea really, we've known for a long time that it was possible to do something like this, subject to some limitations. As I mentioned before script is _almost_ powerful enough to express it directly.
21:24 < jgarzik> hmm
21:25 < jgarzik> bah, baby bedtime, bbiah
21:25 <@gmaxwell> adam3us: the point you make about -staging is interesting though, I know you'd proposed 1way for staging, but I think one-way is not so interesting, the point that subchains would be useful for playing with new cryptocoin ideas is quite interesting.
21:27 < adam3us> gmaxwell: too much idea backlog to trace as close as i got was the 1-way peg; i was thinking a) cant change bitcoin because thats the problem the peg is trying to solve; and b) 1:1 peg while desirable requires btc change; and c) i didnt go further
21:27 <@gmaxwell> sort of interesting to consider that maybe in the future the bitcoin network goes away and its replaced with ... another bitcoin network.. and it all happens in a fully consentual way with people just migrating their coins into another system.
21:27 <@gmaxwell> adam3us: well I think we can make the one change to rule them all.
21:27 <@gmaxwell> ... the more useful things a change does the more justifiable the effort.
21:28 < adam3us> gmaxwell: yes i like it; i like that its seemingly possible with a focused change to do this, and this does seem like the one change to rule them all which is why i was interested in the staging idea - i think it solves a real-world dev problem
21:29 < adam3us> gmaxwell: forking things could be done on this network; maybe you can even move coins out, upgrade, move them back; or roll out new forking versions with the analogous coin move protocol
21:29 < adam3us> gmaxwell: all without risking bitcoin n-1 funds
21:30 < adam3us> gmaxwell: and also version1.0 could reject further non-defect changes and focus on being a value store afterwards
21:31 < adam3us> gmaxwell: that could be the stable IP protocol on which payment internet is built (or other stupid / non-transferring analogies people like to make)
21:32 < adam3us> gmaxwell: (mostly they actually mean "yay were going to flood bitcoin scarce broadcast channel as if its an IP datagram network")
21:33 < adam3us> and eg people doing well considered script changes would have somewhere to do them outside of alt-space (eg like freimarket extensions)
21:35 < BlueMatt> gmaxwell: the idea of a 1:1 peg is that bitcoin1 could remain easy to verify forever since txn just happen on bitcoinN
21:36 < adam3us> BlueMatt: and reward mining could happen only on bitcoin1
21:36 < BlueMatt> yup
21:36 < BlueMatt> (eg 1MB blocks forever on bitcoin1...)
21:38 <@gmaxwell> BlueMatt: moreover, that kind of design strongly favors bitcoin1 being fairly small blocked, simply because you want bitcoin* also verifying it (so at least security in one direction was _full_, and so if a false proof shows up in the other direction the bitcoinN nodes can take action).
21:38 <@gmaxwell> this has long been one of my concerns with cranking the block size that once it happens some scalability solutions are harder.
21:39 <@gmaxwell> it's also more egalitarian developers of your coin turning down your awesome automatic stolen coin recovery feature?  Okay fine, create a new altcoin, and migrate your coins into it.
21:40 <@gmaxwell> it could even go in hierarchies. Say that your "alt system" is too unblockchain like to be directly bound into bitcoin with this one-change-to-rule-them-all feature.
21:41 < BlueMatt> yup
21:41 <@gmaxwell> thats alright, you migrate your coins to bitcoin3 which has SNARK scriptpubkeys, and with those you can bind your wacky offchain system.
21:41 < BlueMatt> yup
21:44 <@gmaxwell> you could, if you wanted, even experiment with different economic formulas. You can't create bitcoin out of thin air, but you could tax inbound, store, and/or outbound coins.
21:45 <@gmaxwell> oh man, this guy won't give up.
21:45 <@gmaxwell> "I'm not certain it's very much discouraged. I've been reading here and /r/bitcoin actively for the past 10 months and this is the first time I'm hearing about the importance of using addresses only once."
21:45 < BlueMatt> wtf
21:46 < BlueMatt> this is the point where you say "I'm sorry, but you're wrong, You should go ask people who actually know (ie work on bitcoin as devs) and give up reading idiots all day"
21:46 < adam3us> maybe the bitcoin fungibility thread might get the msg over (or not)
21:47 <@gmaxwell> Well, I'm not talking with him for the sake of arguing. I don't care about right and wrong, he is in my petri dish now.
21:47 < adam3us> people with that level of understanding are dangerous to be writing code others might use
21:47 < adam3us> brainwallet.org level
21:47 <@gmaxwell> He seems to be especially sour about avoiding reuse, I think because he'd been building an empire in his mind based on having identity services around static addresses.
21:48 <@gmaxwell> So I'm not sure how much is due to that vs the popularity of that misunderstanding in the population, I suspect its a bit of both.
21:48 <@gmaxwell> he was responding to me writing this:
21:49 <@gmaxwell> I hope I didn't come across as suggesting it never happens. Only that its problematic, discouraged, and not done by many (esp. those who know better, or whose livelihoods depend on using Bitcoin well).  Because of the rapid growth the overwhelming majority of people you interact with in Bitcoin space are very new to Bitcoin... and pick up bad habits like using "brainwallet" which sound appealing but often burn them with subtle ...
21:49 <@gmaxwell> ... complications.
21:49 <@gmaxwell> ...
--- Log opened Fri Mar 01 15:37:32 2013
15:37 -!- petertodd [~pete@76-10-178-109.dsl.teksavvy.com] has joined #bitcoin-wizards
15:37 -!- Irssi: #bitcoin-wizards: Total of 4 nicks [1 ops, 0 halfops, 0 voices, 3 normal]
15:37 !niven.freenode.net [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
15:37 -!- Irssi: Join to #bitcoin-wizards was synced in 0 secs
15:37 <@gmaxwell> hi. I see you've arrived on wizard time.
15:37 < petertodd> Lol, it's all I seem to be interested in...
15:38 < sipa> a wizard is never late
15:38 < petertodd> It's interesting how this AST idea would have made adding data to transactions a total non-issue.
15:38 <@gmaxwell> Sort of interesting that it would result in some branches being more expensive to execute than others.
15:38 < helo> not a wizard, but enjoy being mystified
15:39 < amiller> imo being able to execute an AST partially is extremely important
15:39 <@gmaxwell> petertodd: well, it would be a one time hash_size scale increase in scriptsigs.
15:39 < amiller> this would entirely remove the concern about nonterminating scripts
15:39 < sipa> and AST have very strong static analysis abilities
15:40 < petertodd> amiller: Yeah, non-terminating would be rejected for having too much AST-related proof data.
15:40 < sipa> so the cpu cost for validation can always be known in advance
15:40 <@gmaxwell> interestingly you could have NP steps in your execution.
15:40 < petertodd> sipa: Well, defined in advance in a opcode cost table.
15:40 <@gmaxwell> If the spender provides a trace of the execution, effectively, then the network is just checking the execution proof.
15:40 < petertodd> gmaxwell: How so?
15:41 < sipa> yup
15:41 < petertodd> Ah, I see, so the algorithm can be NP, provided your n is small enough, and it's still statically checkable.
15:41 <@gmaxwell> The idea is the network is not a computer, the network is a proof checker for computation the spender did.
15:41 < HM> o_o
15:42 < petertodd> HM is not a wizard...
15:42 <@gmaxwell> :)
15:43 <@gmaxwell> petertodd: I mean we already have NP steps, e.g. checksig. But looking at the network as a generalized proof checker for computation the spender did makes 'checksig' not so special sounding.
15:44 < amiller> i don't see how checksig is np
15:44 < petertodd> So basically a scriptPubKey is now just the AST head, simple enough, a scriptSig should be a list of index/value's, and then you have a scriptTrace, which is essentially the hash of the state of the stack at each step.
15:45 < petertodd> (scriptSig being index values to allow for providing the minimum proof if there could be a lot of potential input data)
15:46 < petertodd> If the scriptTrace includes each opcode executed, it's also statically analyzable.
15:58 <@gmaxwell> amiller: "provide me a value that makes this ecc signature validation return true".
15:58 < amiller> ah okay i see
15:58 < amiller> yeah.
15:58 < amiller> so that's basically the way of encoding proof of work puzzles within the scripts
15:59 < amiller> it would be really useful to be able to encode a whole chain validation rule within the script
15:59 < amiller> that would be the basic technique to do multichain transactions
15:59 <@gmaxwell> results in ennnnooorrrmmooouuusss signatures.
15:59 < amiller> i don't see why
15:59 < amiller> you can still have ecdsa and hash as primitives
16:00 < petertodd> Yes, but signatures right now are like, 3 steps.
16:00 < petertodd> Unless you are relying on high-level opcodes only.
16:00 <@gmaxwell> doubly so if the other chain is a merklized linked list instead of a merkle mountain or merkle skiplist.
16:01 < petertodd> On the other hand, at least we're honestly forcing them to pay for all that execution.
16:02 <@gmaxwell> 11kbytes/day for a bitcoin SPV proof for just the headers alone.
16:02 < amiller> i don't follow what that consists of
16:02 < petertodd> ...although, it's interesting how now you can run into situations where someone says "Here, I'll pay you by giving you the scriptSig to spend this scriptPubKey" and you need to ensure the protocol knows damn well what kind of proof will be required.
16:02 < petertodd> *how long a proof is required
16:04 <@gmaxwell> amiller: I make a payment to you conditional on a payment in another chain. To prove it you have to show the fragment, headers after the fragment to show its buried, and headers before the fragment to show its the right chain
16:04 <@gmaxwell> Otherwise I just make N minimum difficulty headers off in forkland and call it a day.
16:04 < amiller> hm
16:05 < amiller> ok i see so that's where the merkle mountain might help
16:05 < amiller> you could encode a looser rule
16:05 <@gmaxwell> if the other chain is something with log n lookup rooted at each block then its less bad.
16:06 < petertodd> Yes, although the merkle mountain chain now needs some idea of how to do random sampling to be sure you didn't just mine some choice headers in the right places.
16:06 <@gmaxwell> Then you want: fragment, next SECURITY_PARAM headers, and a sufficient path to show that the headers are a valid extension of that chain.
16:06 < petertodd> Ideally, which headers are asked for, should be randomly chosen and out of control of the sender.
16:07 <@gmaxwell> petertodd: well what I'd anticipated on my alt chain was making a skiplist where the random backsteps were picked by the apparent difficulty of each block.
16:07 < petertodd> Yes, that would work.
16:08 < petertodd> On the other hand, with merkle mountain, the chain height is provable.
16:08 <@gmaxwell> work being provable is more interesting than height.
16:09 < petertodd> Yes, but height is good for things like "anyone can spend" bonds.
16:09 < petertodd> So I dunno, put in both. :P
16:09 < amiller> even those are probably better off using work but sure
16:10 < petertodd> Ok, so here is a solid AST usage: fidelity bonded ledger refund scriptPubKey's.
16:10 < petertodd> Basically, write a big AST that can accept proofs from anyone wanting a refund, and then only the execution path for the given person being refunded needs to be provided.
16:11 < petertodd> And that path can result in the coins being spent in a way that the remaining people can still get another refund with that txout; IE the txout scriptPubKey will be partially constrained too.
16:12 < petertodd> So the AST itself will encode the bitfield or whatever of remaining tokens to be refunded.
16:12 <@gmaxwell> it simply replaces the terminal leaf with a 0 and then thats required to be the change?
16:13 <@gmaxwell> e.g. a rule that says rebuild this with this node turned to a 0, and thats the change output.
16:14 <@gmaxwell> so as you spend from a AST you could prune the AST to prevent the same code from executing twice.
16:14 <@gmaxwell> kind of a special case for recovery, I can't see another use right now.
16:14 < petertodd> Exactly, or even simpler, the AST includes its own code in the next AST, and a changing bit of data.
16:15 < petertodd> Now, if these AST proofs are done as an opcode on their own, OP_PARSE_AST, the "what has been spent" thing can basically be just a second AST that puts the stack in the correct way.
16:15 < petertodd> Which means we can implement all this as a soft-fork...
16:16 <@gmaxwell> except for the whole rest of the system which must be replaced, and the security model changes, required to make ginormous signatures viable.
16:16 < petertodd> Finally, rather than provide the whole proof, provide just the hash of, say, the last step of execution, along with an execution counter. The minute that counter hits the limit, script validation stops, yet nodes can still statically analyze how expensive the script could be to spend.
16:17 < petertodd> Not quite as nice, but the scriptSigs are still small.
16:17 < petertodd> (er, sorry, that + the op codes, kinda like a P2SH almost)
16:18 < petertodd> Point is, each op code doesn't need a hash with it for the state of the AST.
16:20 <@gmaxwell> I'm not really following on the ' provide just the hash of, say, the last step of execution, along with an execution counter.' front.
16:21 < petertodd> wait...
16:21  * petertodd doesn't understand the meaning of merkleized...
16:22 < sipa> each node in the AST has a hash associated with it, which depends on that of its subtrees
16:22 < petertodd> yeah, big brain fart there
16:22 < sipa> so the scriptPubKey only needs the root hash
16:22 < petertodd> So basically, scriptSig size is 32 * #of opcodes + leaves
16:22 < sipa> and you provide the path through the tree that needs execution, and hashes of pruned side trees
16:22 < petertodd> (# of opcodes executed)
16:23 < petertodd> Yup
16:24 < petertodd> Actually, with a pile of expensive analysis, it'd still work, because you would enumerate all the paths through your code... but, that's impractical for anything interesting.
16:24 <@gmaxwell> doesn't have to just be opcodes. The AST could be grouped at the basic block level. E.g. 32 * branches.
16:24 < sipa> yup ^
16:24 < petertodd> That's reasonable
16:24 < sipa> you'd probably just have one branching opcode
16:24 < petertodd> Yup
16:25 < sipa> that evaluated a boolean, and selects its left or right subtree
16:25 <@gmaxwell> no point in having separate hashes for each opcode when they are always executed... and no harm in sending a few extra opcodes past an early termination.
16:25 < sipa> and takes a hash for the other
16:25 < petertodd> Yes, and if you hash the strings in reverse order, you can use midstate compression.
16:25 < petertodd> Only provide the proof from the last one you execute.
16:36 <@gmaxwell> random thought what would a txout that had a later specified script be useful for?  e.g. you branch to a bit of script that basically checks an ecdsa signature and serialized script on the stack, then OP_EVALS it?
00:45 < andytoshi> maybe withhold those hugs :) altoz replied with 'but this does encryption as well as signing', and he's already got a "can't wait to try it!" reply
00:46 < Luke-Jr> sigh
01:20 < Emcy> wow that guy accidentally sent 20btc fees and then had it mined by p2pool
01:20 < Emcy> super unlucky
01:31  * Luke-Jr thinks we should get rid of spendfrom.py example
01:59 < michagogo|cloud> Emcy: note that he was essentially crafting the transaction manually
02:01 < gmaxwell> bitcoin-qt/bitcoind wouldn't have sentraw that transaction now either.
02:14 < Emcy> yea. creating rawtxs to send coins to some gambling thing
04:10 < adam3us> Emcy: that confirms my thought that fee > value on non-dust level should be invalid (not fwded) its ridiculous.  10k pizza guy ok, but its not exactly a "cool' story to hear now and then of the $20k accidental wire xfer fee
04:17 < gmaxwell> adam3us: I disagree very strongly.
04:18 < gmaxwell> There is no reason to make it non-standard users can be protected by their software, and if the software doesn't then nothing can save them, doing so would have had likely no effect here, since "brainwallet" passes the transactions directly and any miner is likely to instantly rip out that rule, at least after the first time they don't get some mysterious big fee txn, and doing so would break some applications that depend on ...
04:19 < gmaxwell> ... having big fees.
04:19 < gmaxwell> (this stuff: https://en.bitcoin.it/wiki/Identity_protocol_v1 )
04:19 < gmaxwell> Bitcoind / bitcoin-qt already won't let you sendrawtransaction such a transaction, unless you give it an extra override switch.
04:23 < wumpus> there are tons of ways to shoot yourself in the foot if you work with bitcoin at such a low level. It could just as well have been "person sends 1000BTC with OP_RETURN script by accident"
04:25 < gmaxwell> wumpus: a fun mistake I've made while playing around with those sites:   highlight a pre-filled form to clear it out, but doing so copies the default address there and blows away the address in my copy buffer. Then I paste the default address back in, thinking it was the one I intended to use.
04:25 < wumpus> if you add all kinds of nice and fluffy safety measures at the protocol level, the end result may be making people *less* careful
04:25 < gmaxwell> (I asked joric to remove the default addresses from the site, pointing out this failure mode, and he declined ::shrugs::)
04:26 < wumpus> gmaxwell: ouch
04:26 < gmaxwell> fortunately I've never lost money that way, but I've been confused while screwing around with it casually.
04:29 < Emcy> does anyone ever worry in the future that a big bank might fuck up a large settlement by working with raw txs and send a good fraction of the wealth of a nation to china or something
04:29 < wumpus> (end users should ideally be protected by a user-friendly layer on top... as for dangerous behaviour, you don't expect consumers to go mixing chemicals directly either to make food flavors, and then blame physics for them ending up in the hospital)
04:29 < Emcy> and plunge their country into poverty......
04:29 < warren> presumably you would write a parser that double checks your tx before send
04:29 < warren> this isn't a toy anymore
04:30 < warren> (unless you're talking dogecoins)
04:30 < Emcy> only double? for a transfer like that?
04:30 < wumpus> Emcy: they should have actual humans review such a transaction
04:30 < Emcy> thats where the fuckups come in
04:30 < gmaxwell> Emcy: I've had some people on IRC ask me to review transactions of theirs, as a second party review of a large manually constructed transaction.
04:31 < gmaxwell> Emcy: defense in depth.
04:31 < Emcy> i remember the big one a few years ago where Barclays was down for like a week, some human fiddled with settlement code from 1950 or something
04:31 < wumpus> if you transfer such amounts of money, you can hire crypto experts to verify it
04:31 < Emcy> COBOL?
04:31 < gmaxwell> You have machines which cannot fail by design, and then you have humans check too, to catch when the infallible machines fail. :)
04:32 < gmaxwell> wumpus: at the SJC conference I was joking that it would be fun to have some good "Bitcoin headlines from the future" in a keynotey talk... and I gave some suggestions.
04:32 < Emcy> gmaxwell im surprised you would do that
04:32 < Emcy> for truly serious amounts anyway
04:32 < wumpus> gmaxwell: hah, it sounds pretty weird worded that way
04:33 < Emcy> sounds interesting
04:34 < wumpus> what I sometimes worry about is bitflips due to overheated/damaged CPUs
04:34 < gmaxwell> "January 1st 2016 Kenya announces it's acquired a million bitcoins and is switching to bitcoin"  "January 2nd Apparently Kenya used a 'brain wallet'... Anonymous now the wealthiest non-governmental entity in the world" "January 1st 2017, 4chan orbiting station launched"
04:34 < Emcy> that really almost never happens
04:34 < gmaxwell> Emcy: they do happen however, if rarely. They especially worry me with change.. e.g. bitflip changes your change address by 1 before signing. oops.
04:35 < Emcy> when it does i think its more likely to be solar neutrinos or something and not an old electromigrated chip
04:35 < Emcy> quantum effects as chips approach bloody angstroms remain to be seen........
04:36 < Emcy> gmaxwell yeah its worrying that its possible. Wouldnt ECC memory catch it though for important operations?
04:37 < Emcy> then again wut if a bit flips in your pacemaker, or your plane or anything
04:37 < wumpus> gmaxwell: haha, such stories are a funny way to deliver the message not to use brainwallets
04:38 < wumpus> Emcy: planes have redundant systems (at least I hope so)
04:38 < Emcy> gmaxwell funny moot was depicted as inhabiting an orbital station in that 4chan cartoon short.....
04:40 < wumpus> gmaxwell: i suppose some problems could be avoided by doing a last-minute check on the transaction after signing but before broadcasting.. .then again, everything checked against may be corrupted, how can you ever be sure, it's really difficult to protect against fallible hardware
04:41 < gmaxwell> yea, I opened an issue as a "to do someday" ... after signing just go and check that the change address IsMine, that the amounts and outputs match what we think they should match.
04:41 < gmaxwell> If we redo the base58 decode it'll actually be very strong unless the error is repeatable, since that will check the checksum.
04:43 < wumpus> sounds like a good idea to do an isMine check; if it has a private key for the address, it must still be spendable
04:43 < gmaxwell> key generation should also double check, which I don't think I mentioned on that issue.
04:43 < warren> Coin control lets you set a change address of anything at the moment ...
04:44 < gmaxwell> yea, well, if you do that you get to keep the pieces.
04:44 < wumpus> warren: I've thought about that, not sure it's a good idea to allow non-owned addresses there
04:44 < gmaxwell> (that one could be checked by at least doing the base58 decode, same as regular outputs)
04:45 < wumpus> then again it's coin control not coin nanny
04:45 < gmaxwell> wumpus: it could be kinda handy, I suppose. e.g. if you're migrating between wallets gradually.
04:46 < warren> it says "experts only"
04:46 < wumpus> in any case, adding some appropriate sanity checks wouldn't hurt
04:46 < gmaxwell> I guess we'll see if anyone manages to say, put their destination address there twice "keep the change" not realizing that "change" could be 100 btc.
04:48 < wumpus> warren: I suppose brainwallet also has such a disclaimer though :p there is a point in not making user friendly interfaces for inherently dangerous expert things
04:49 < gmaxwell> there is no disclaimer on brainwallet.
04:49 < wumpus> okay
04:50 < gmaxwell> the guy who created it either doesn't get half these concerns or hes playing dumb.
04:52 < Emcy> why would he?
04:53 < gmaxwell> Well, calling someone stupid isn't nice, so I thought I'd at least credit him with stupid or evil.
04:53 < Emcy> it is just a tool, i suppose
04:54 < wumpus> it is, but it could at least come with a warning
04:54 < epscy> there should be a disclaimer
04:54 < gmaxwell> see some old logs, https://people.xiph.org/~greg/brainwallet.txt
04:54 < epscy> i would be worried about getting sued if that guy was me
04:54 < Emcy> though i had a look and saw a box to put your OWN passphrase in to generate a wallet AND it was prefilled with correct horse staple battery
04:54 < Emcy> thats just asking for it
04:54 < wumpus> the point is, it doesn't look dangerous... most physical dangerous tools at least look dangerous
04:55 < gmaxwell> it looks slick and its promoted by mainstreamish tech media to new users who've never used bitcoin at all.
04:55 < Emcy> if he took off the friendly rounded corners of the buttons do you think that would be enough to dissuade people lol
04:56 < gmaxwell> The broader bitcoin community (not just us tech heads) has started throwing red flags on it. At least now everyone who gets screwed via that site is getting called an idiot ( :(  but pretending you knew all along it was unsafe is the first step to actually knowing)
04:57 < Emcy> perhaps its a process which people just have to go thru?
04:57 < Emcy> being deprogrammed to just trust every slick website out there
04:58 < gmaxwell> well it's not just the slickness... all the ideas sound fun in principle, but the devil is in the details.
04:58 < Emcy> i loved the idea of a brainwallet until i learned why its almost always a bad idea
04:58 < Emcy> i still like it but i wouldnt do it
04:59 < gmaxwell> people are awful good at visualizing the sequence of events where everything goes right...
05:00 < Emcy> just another cognitive bias
ID_MSG	ID_TOPIC	ID_BOARD	posterTime	ID_MSG_MODIFIED	modifiedTime	modifiedName	icon	smileysEnabled	subject	body
10	1	3	1258658586	10	0		xx	1	Re: Welcome to SMF!	Another test message
11	4	3	1258695444	11	0		xx	1	SMF Config Notes	I left the admin account set to the original SMF theme so if I somehow completely wedge the custom theme I can still get in to fix it.

I've got a neat little 12x12 coin image to replace those pip stars with. Should look nice. Also some nice button images to try.

The registration page has "hide your e-mail address" unchecked by default. I must fix that in php before we can open up.

The Announcements forum is currently moderator access only.
12	4	3	1258785763	12	0		xx	1	Re: SMF Config Notes	12x12 coin for pip stars done.

Registration page "hide your e-mail address" checked by default done, haven't tested it yet.
13	2	3	1258825243	13	0		xx	1	Re: Testing the new site platform	I have to get the number of posts up over 20 so the topic will have multiple pages, so here goes with a bunch of blank posts.
14	2	3	1258825380	14	0		xx	1	Re: Testing the new site platform	blank
15	2	3	1258825426	15	0		xx	1	Re: Testing the new site platform	blank
16	2	3	1258825493	16	0		xx	1	Re: Testing the new site platform	blank
17	2	3	1258825532	17	0		xx	1	Re: Testing the new site platform	blank
18	2	3	1258825572	18	0		xx	1	Re: Testing the new site platform	blank
19	2	3	1258825602	19	0		xx	1	Re: Testing the new site platform	blank
20	2	3	1258825641	20	0		xx	1	Re: Testing the new site platform	blank
21	2	3	1258825776	21	0		xx	1	Re: Testing the new site platform	blank
22	2	3	1258825796	22	0		xx	1	Re: Testing the new site platform	blank
23	2	3	1258825868	23	0		xx	1	Re: Testing the new site platform	blank
24	2	3	1258825933	24	0		xx	1	Re: Testing the new site platform	blank
25	2	3	1258826046	25	0		xx	1	Re: Testing the new site platform	blank
26	2	3	1258826232	26	0		xx	1	Re: Testing the new site platform	blank
27	2	3	1258826291	27	0		xx	1	Re: Testing the new site platform	blank
28	5	1	1258913068	28	0		xx	1	Welcome to the new Bitcoin forum!	Welcome to the new Bitcoin forum!

The old forum can still be reached here:
http://bitcoin.sourceforge.net/boards/index.php

I'll repost some selected threads here and add updated answers to questions where I can.

FAQ
http://bitcoin.sourceforge.net/wiki/index.php?page=FAQ

Download
http://sourceforge.net/projects/bitcoin/files/
29	6	1	1258914704	29	0		xx	1	Repost: Bitcoin Maturation	--------------------
bitcoinbitcoin:
Bitcoin Maturation
Posted:Thu 01 of Oct, 2009 (14:12 UTC)

From the user's perspective the bitcoin maturation process can be broken down into 8 stages.

1. The initial network transaction that occurs when you first click Generate Coins.
2. The time between that initial network transaction and when the bitcoin entry is ready to appear in the All Transactions list.
3. The change of the bitcoin entry from outside the All Transaction field to inside it.
4. The time between when the bitcoin appears in the All Transfers list and when the Description is ready to change to Generated (50.00 matures in x more blocks).
5. The change of the Description to Generated (50.00 matures in x more blocks).
6. The time between when the Description says Generated (50.00 matures in x more blocks) to when it is ready to change to Generated.
7. The change of the Description to Generated.
8. The time after the Description has changed to Generated.

Which stages require network connectivity, significant local CPU usage and or significant remote CPU usage? Do any of these stages have names?

--------------------
sirius-m:
Re: Bitcoin Maturation
Posted:Thu 22 of Oct, 2009 (02:36 UTC)

As far as I know, there's no network transaction when you click Generate Coins - your computer just starts calculating the next proof-of-work. The CPU usage is 100% when you're generating coins.

In this example, the network connection is used when you broadcast the information about the proof-of-work block you've created (that which entitles you to the new coin). Generating coins successfully requires constant connectivity, so that you can start working on the next block when someone gets the current block before you.
30	7	1	1258914720	30	0		xx	1	Repost: Request: Make this anonymous?	--------------------
anonguy54:
Request: Make this anonymous?
Posted:Thu 15 of Oct, 2009 (19:58 UTC)

Are there any plans to make this service anonymous?

e.g; Being able to route BitCoin through Tor.
31	6	1	1258914861	31	0		xx	1	Re: Repost: Bitcoin Maturation	It's important to have network connectivity while you're trying to generate a coin (block) and at the moment it is successfully generated.

1) During generation (when the status bar says "Generating" and you're using CPU to find a proof-of-work), you must constantly keep in contact with the network to receive the latest block. If your block does not link to the latest block, it may not be accepted.

2) When you successfully generate a block, it is immediately broadcast to the network. Other nodes must receive it and link to it for it to be accepted as the new latest block.

Think of it as a cooperative effort to make a chain. When you add a link, you must first find the current end of the chain. If you were to locate the last link, then go off for an hour and forge your link, come back and link it to the link that was the end an hour ago, others may have added several links since then and they're not going to want to use your link that now branches off the middle.

After a block is created, the maturation time of 120 blocks is to make absolutely sure the block is part of the main chain before it can be spent. Your node isn't doing anything with the block during that time, just waiting for other blocks to be added after yours. You don't have to be online during that time.
32	7	1	1258914915	32	0		xx	1	Re: Repost: Request: Make this anonymous?	There will be a proxy setting in version 0.2 so you can connect through TOR. I've done a careful scrub to make sure it doesn't use DNS or do anything that would leak your IP while in proxy mode.
33	8	1	1259172957	33	0		xx	1	Repost: How anonymous are bitcoins?	--------------------
bitcoinbitcoin:
How anonymous are bitcoins?

Can nodes on the network tell from which and or to which bitcoin address coins are being sent? Do blocks contain a history of where bitcoins have been transferred to and from? Can nodes tell which bitcoin addresses belong to which IP addresses? Is there a command line option to enable the sock proxy the first time that bitcoin starts? What happens if you send bitcoins to an IP address that has multiple clients connected through network address translation (NAT)?
34	8	1	1259173043	34	0		xx	1	Re: Repost: How anonymous are bitcoins?	> Can nodes on the network tell from which and or to which bitcoin
> address coins are being sent? Do blocks contain a history of where
> bitcoins have been transferred to and from?

Bitcoins are sent to and from bitcoin addresses, which are essentially random numbers with no identifying information.

When you send to an IP address, the transaction is still written to a bitcoin address. The IP address is only used to connect to the recipient's computer to request a fresh bitcoin address, give the transaction directly to the recipient and get a confirmation.

Blocks contain a history of the bitcoin addresses that a coin has been transferred to. If the identities of the people using the bitcoin addresses are not known and each address is used only once, then this information only reveals that some unknown person transferred some amount to someone else.

The possibility to be anonymous or pseudonymous relies on you not revealing any identifying information about yourself in connection with the bitcoin addresses you use. If you post your bitcoin address on the web, then you're associating that address and any transactions with it with the name you posted under. If you posted under a handle that you haven't associated with your real identity, then you're still pseudonymous.

For greater privacy, it's best to use bitcoin addresses only once. You can change addresses as often as you want using Options->Change Your Address. Transfers by IP address automatically use a new bitcoin address each time.

> Can nodes tell which bitcoin addresses belong to which IP addresses?

No.

> Is there a command line option to enable the sock proxy the first
> time that bitcoin starts?

In the next release (version 0.2), the command line to run it through a proxy from the first time is:
bitcoin -proxy=127.0.0.1:9050

The problem for TOR is that the IRC server which Bitcoin uses to initially discover other nodes bans the TOR exit nodes, as all IRC servers do. If you've already connected once before then you're already seeded, but for the first time, you'd need to provide the address of a node as such:
bitcoin -proxy=127.0.0.1:9050 -addnode=<someipaddress>

If someone running a node with a static IP address that can accept incoming connections could post their IP to use for -addnode, that would be great.

> What happens if you send bitcoins to an IP address that has multiple
> clients connected through network address translation (NAT)?

Whichever one you've set your NAT to forward port 8333 to will receive it. If your router can change the port number when it forwards, you could allow more than one client to receive. For instance, if port 8334 forwards to a computer's port 8333, then senders could send to "x.x.x.x:8334"

If your NAT can't translate port numbers, there currently isn't a command line option to change the incoming port that bitcoin binds to, but I'll look into it.
35	2	3	1259173429	35	0		xx	1	Re: Testing the new site platform	Test
36	9	1	1259342242	36	0		xx	1	Repost: Linux/UNIX compile
--------------------
scott:
Linux/UNIX compile
Posted:Thu 08 of Oct, 2009 (05:49 UTC)

Can we get instructions or modifications to compile and install BitCoin on Linux? A command line version would be great.
37	9	1	1259342829	37	0		xx	1	Re: Repost: Linux/UNIX compile
The Linux version is on its way. Martti's Linux port was merged into the main code branch and New Liberty Standard has been testing it. It'll be in the next release, version 0.2.

Command line is on the to-do list after 0.2.
38	10	1	1259362119	565201	1318188782	theymos xx	1	[OLD THREAD] Bitcoin version 0.2 development status
We've been working hard on improvements for the next version release. Martti (sirius-m) added some nice features to make it more user friendly and easier to run in the background:
 - Minimize to system tray option
 - Autostart on boot option so you can keep it running in the background automatically
 - New options dialog layout
 - Setup EXE for Windows, in addition to the archive download

I've been working on a number of refinements to the networking code and laying the groundwork for future functionality. Also coming in version 0.2:
 - Multi-processor support for coin generation
 - Proxy support
41	12	6	1260384310	41	1260385108	satoshi xx	1	Re: A few suggestions
Helpful suggestions, thanks.

[quote author=madhatter link=topic=12.msg40#msg40 date=1260336886]
- When the bitcoin software establishes a connection with a peer (client TCP socket) have the client send the handshake string. Right now you have the server (server TCP socket) send the handshake. My reasons for this are anonymity of course. It is far too easy for ISPs to portscan clients and detect they are running this program.
[/quote]
That's a good idea. The side accepting the connection just needs to withhold from sending anything until it receives a valid handshake. Any portscan would only get a dead connection that doesn't volunteer to identify itself.

[quote]
- Use some sort of encryption during the handshake (sort of goes with the statement/request above) to obfuscate what the software is during DPI (deep packet inspection). I am really thinking about people in non-free (as in freedom) countries such as China/Iran.
[/quote]
I have thought about eventually SSLing all the connections. I assume anything short of SSL would be pointless against DPI. Maybe a better more immediate solution is to connect through TOR, which will be possible with 0.2.

[quote]
- Some sort of an API is needed so that this system can be integrated with websites to provide instant-on services. A simple https receipt mechanism would do wonders. Have the client post each incoming payment to an https url with all of the relevant information and provide status updates. Also an outbound payment mechanism would be nice. So one could automate payments (and batch payments) outbound. Status could be returned via the https receipt interface.
[/quote]
That's one of the main things on the agenda after 0.2.

[quote]
- Static port/Random port. Have a setting to randomly assign the port that it runs on. (also be able to set it statically for very restrictive firewalls).
[/quote]
Yeah, the other stealth stuff would be kinda pointless if it's always the same port number.

[quote]
- UPnP support. Have the client automatically create the port forward on upstream routers. Enabled by default. Can be turned off in the options menu.
[/quote]
I'm looking forward to trying UPnP. Do most P2P clients typically have UPnP enabled by default?

[quote]
- Ability to compile a headless (console only) install for *NIX systems. Also have the ability to just run as a network service. Perhaps with a telnet-able port for control (or even a unix socket would be ok).
[/quote]
I'm still thinking about how best to structure the management interface. Maybe command line commands to communicate with the background daemon to query transactions received and initiate sending transfers. That
Are blocks full? (self.Bitcoin)

submitted 6 hours ago * by danster82

360196 2015-06-09 21:52:17 659 0.02363314 BTC 731.46 kB
360195 2015-06-09 21:53:19 1776 0.18508596 BTC 976.41 kB
360194 2015-06-09 21:45:45 875 0.15928106 BTC 731.68 kB
360193 2015-06-09 21:53:16 2123 0.33089012 BTC 731.60 kB
360192 2015-06-09 21:13:04 1379 0.18733037 BTC 731.62 kB
360191 2015-06-09 21:03:25 737 0.15838678 BTC 731.51 kB
360190 2015-06-09 20:58:59 1092 0.32729993 BTC 731.61 kB
360189 2015-06-09 20:46:42 1208 0.17815014 BTC 731.55 kB
360188 2015-06-09 20:38:43 2747 0.51236461 BTC 976.43 kB
360187 2015-06-09 20:01:53 853 0.24938838 BTC 731.64 kB
360186 2015-06-09 19:55:39 749 0.14674868 BTC 731.56 kB
360185 2015-06-09 19:53:45 1721 0.28684495 BTC 731.68 kB
360184 2015-06-09 19:40:04 2035 0.28641087 BTC 731.60 kB
360183 2015-06-09 19:06:36 2118 0.26776094 BTC 731.50 kB
360182 2015-06-09 18:44:16 1957 0.26420190 BTC 731.49 kB
360181 2015-06-09 18:22:35 1933 0.29158244 BTC 877.96 kB


93jsdksn30ala0 36 points 6 hours ago

Yes, however this sort of block fullness is very out of the ordinary.

https://blockchain.info/charts/avg-block-size?timespan=60days&showDataPoints=false&daysAverageString=1&show_header=true&scale=0&address=

I think someone is filling up the blocks (manipulating the market) to force the decision on the block size increase, and make it more likely/"necessary" right now.

Defusion55 16 points 6 hours ago

You are correct.

XL2Milk 7 points 2 hours ago

Regardless, if it is that easy.... isn't it a no-brainer?

MineForeman 5 points 5 hours ago

Kind of make me think we need higher fees.

It should be prohibitively expensive to dick around like this, when blocks get bigger it will only get worse.

Defusion55 6 points 5 hours ago*

That is what a lot of people demanding 20MB blocks don't get. The miners get to choose which transactions are accepted on the block. I pay a VERY reasonable fee that is higher than all their stupid pointless transactions and I get accepted into the very next block! Imagine that? But wait...

They start to complain that their thousands of pointless near feeless transactions are on a back log and are unconfirmed for hours upon hours..

The real problem is when the fee becomes so high that its no longer reasonable to have to pay that high of a fee for a transaction that should be cheap. Which we are approaching, I am not denying that. But even with back logs we are still days faster than CC's. I don't think we should jump from 1MB to 20MB though I think gradually increasing is less risky.

i_wolf 10 points 4 hours ago

    That is what a lot of people demanding 20MB blocks don't get.

That is why instead of hard limit miners should set their own fees and soft limits. Keeping a hard limit isn't a solution.

    I don't think we should jump from 1MB to 20MB though I think gradually increasing is less risky.

This is absolutely irrelevant.

capistor 2 points 3 hours ago

I was wondering why miners couldn't set their own limits and let that be the solution.

Noosterdam 1 point 2 hours ago

There was some objection to this, saying that large miners would make huge blocks to try to drive small miners out of business, but the Chinese miners from Discus Fish came in and refuted that.

capistor 2 points an hour ago

What did the chinese say?

rydan 1 point an hour ago

They refused to upgrade to 20MB blocks hence it is a non-issue.

jstolfi 1 point 36 minutes ago

Actually, asked by CoinTelegraph or Coindesk, BTC-China and Huobi agreed that an increase would be necessary, only 20 MB is too much. OKCoin tweeted separately agreement with 20 MB.

b_coin 1 point an hour ago

"refute"

rydan 1 point an hour ago

They can set their own limits. But if I can spend 1 ms more to collect a penny I'm going to. The problem with bigger blocks is you can have 20x more transactions before you need to even begin increasing the fees to incentivize miners to pick your transaction over someone else's. This means more work for less pay in the short run. It will take an enormous amount of time for us to see them paid fairly. This is especially true now that we have things like bloom filters that speed up the processing.

xygo -1 points 2 hours ago

That would really stop the blockchain spammers ! Yeah !!!

kostialevin 5 points 5 hours ago

Higher fee? Should bitcoin be for rich only? What about the "poor world citizens" that want to start to save their little wealth in bitcoin? Higher fee could be too high for someone..

MineForeman 5 points 5 hours ago

    Higher fee could be too high for someone..

Remember, you can avoid fees altogether by aging your coins 1 day and using an address only once. At the protocol level those kind of transactions are set to high priority.

Wallets should by default be doing this for you (but there are quite a few shitty wallets out there).

cypherdoc2 4 points 3 hours ago

you expect ordinary users to figure that out?

MineForeman 5 points 3 hours ago

Na, I expect wallets to be doing it for them.

cypherdoc2 1 point 3 hours ago

hmm, you're asking a lot. might as well increase the block size.

MineForeman 5 points 3 hours ago

    hmm, you're asking a lot.

Most wallets already do it.

    might as well increase the block size.

Get off your horse! Increasing block size is another issue altogether.

cypherdoc2 -1 points 3 hours ago

    Get off your horse! Increasing block size is another issue altogether.

how so? the OP is about filled blocks.

MineForeman 2 points 2 hours ago

    the OP is about filled blocks.

They are filled with spam, someone is dicking with the network.

Noosterdam 1 point 2 hours ago

How the hell is a simple wallet solution less preferable? Increase the blocksize, yes, but don't be a dullard about obvious optimizations that don't even require doing anything with the protocol.

cypherdoc2 1 point an hour ago

I don't know. You'd have to ask the 3 dozen or more wallet coders out there how complicated that would be. That's if you could find them all to ask and alert them to the problem. Is it that out of the question to increase block size? Is that really your position now?

btcee99 1 point an hour ago

Aging one day is only (on average) for 1 bitcoin.

If you are sending 0.02 bitcoin, for e.g., then you need to age 50 days, because priority is proportional to the input amounts.

MineForeman 2 points an hour ago

Just for reference the equation is;-

priority = sum(input_value_in_base_units * input_age)/size_in_bytes

So in essence you are correct BUT it is like being chased by a tiger, you don't have to run faster than the tiger you just have to run faster than the other guy.

Spam transactions like the one that is happening today have a minuscule priority because they are the same coins being transferred over and over again. That is why, even though this spam is going on, normal transactions are just popping through like normal. The normal transactions are higher priority so they win. The system works.

However, do we want these transactions at all, shouldn't it be more expensive for someone to use the blockchain against us like this? Blockspace is a premium and sometime in the future it may be critical.

btcee99 1 point 56 minutes ago

That is indeed the equation, however what you've said is not true because priority has to meet a minimum threshold of 57,600,000. If the threshold is not met, the tx won't even be relayed (in Core 0.10), if it doesn't have a fee.

That's where the 1-day age figure comes from - and it refers to a 1 BTC transaction. If you are sending less than 1 BTC, then the time needed to reach the threshold is inversely proportional to the amount sent.

In practice, the time needed is somewhat less than 1 day (for 1 BTC), due to the fact that the size used in the equation is a modified tx size (which discounts inputs).


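Putting the priority formula quoted above and btcee99's 57,600,000 relay threshold into runnable form, as an added example that is not part of the thread or of Bitcoin Core: the 250-byte transaction size, the function names and the sample amounts are assumptions, and the modified (input-discounted) size btcee99 mentions is left out, so real figures come out slightly lower.

```python
import math

# Constants as stated in the thread (Bitcoin Core 0.10 era).
COIN = 100_000_000                  # base units (satoshi) per BTC
BLOCKS_PER_DAY = 144                # roughly one block every 10 minutes
FREE_RELAY_THRESHOLD = 57_600_000   # minimum priority for a fee-less tx to be relayed
# Assumption (hypothetical): a simple one-input, two-output tx is about 250 bytes.
# 1 BTC * 144 blocks / 250 bytes = 57,600,000, which is where the threshold comes from.
ASSUMED_TX_SIZE = 250


def priority(inputs, size_in_bytes):
    """priority = sum(input_value_in_base_units * input_age) / size_in_bytes

    inputs: iterable of (value_in_base_units, age_in_blocks) pairs.
    """
    if size_in_bytes <= 0:
        raise ValueError("transaction size must be positive")
    return sum(value * age for value, age in inputs) / size_in_bytes


def is_free_eligible(inputs, size_in_bytes, threshold=FREE_RELAY_THRESHOLD):
    """True when a fee-less transaction would clear the relay threshold."""
    return priority(inputs, size_in_bytes) >= threshold


def blocks_to_free(value_in_base_units, size_in_bytes=ASSUMED_TX_SIZE,
                   threshold=FREE_RELAY_THRESHOLD):
    """Smallest confirmation age at which one input of this value reaches
    the threshold: age >= threshold * size / value.  Smaller inputs need
    proportionally more blocks, which is the 'inversely proportional' point."""
    if value_in_base_units <= 0:
        raise ValueError("input value must be positive")
    return math.ceil(threshold * size_in_bytes / value_in_base_units)


def days_to_free(value_in_base_units, size_in_bytes=ASSUMED_TX_SIZE):
    """The same figure expressed in days of coin age."""
    return blocks_to_free(value_in_base_units, size_in_bytes) / BLOCKS_PER_DAY


def churn_priority(value_in_base_units, size_in_bytes=ASSUMED_TX_SIZE):
    """Priority of a 'spam' tx that re-spends coins confirmed one block ago:
    the age term is 1, so priority stays far below the threshold no matter
    how often the same coins are moved."""
    return priority([(value_in_base_units, 1)], size_in_bytes)


if __name__ == "__main__":
    # Constructed sample cases matching the figures discussed in the thread.
    print("1 BTC aged 1 day   :", priority([(COIN, 144)], ASSUMED_TX_SIZE))
    print("0.02 BTC needs days:", days_to_free(2_000_000))
    print("0.5 BTC needs days :", days_to_free(50_000_000))
    print("churned 1 BTC      :", churn_priority(COIN))
```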
MineForeman 1 point 35 minutes ago

Yeah, it is complicated, there are other factors that need to be considered but even if you cannot get into the 'free' category you can still have your transaction higher priority than spam ones.

.5 of a MB is still reserved for higher priority transactions so in order to have n kb of spam transactions you must have already n+1 kb of higher. ( n being whatever)

btcee99 1 point 23 minutes ago

No, it is not "complicated", you just need to read the code.

Please stop saying factually wrong things such as "priority block size is a consensus rule" - that is not true at all.

The default priority block size is 50 kB (not sure where you get 0.5 MB from), but miners are free to change it as they like, for convenience it's even a command line option.

rydan 1 point an hour ago

Nothing inherent to bitcoin makes them high priority. At the end of the day the miners decide what to include. Period.

MineForeman 1 point 49 minutes ago

    Nothing inherent to bitcoin makes them high priority.

The priority equation built into bitcoin makes them high priority, it's built into bitcoin, is that inherent enough?

    At the end of the day the miners decide what to include. Period.

Not at all true, the first .5 MB of transactions in a block are reserved for high priority transactions. If you break that you are going to break consensus and your blocks are going to be orphaned.

jstolfi 2 points 26 minutes ago

But a rule that depends on the state of the memory pools cannot be part of the protocol. Not everyone will see the same state, and the state will be lost very soon. That means that, by the time the block is mined, the nodes cannot check whether the miner respected the priority rules.

btcee99 1 point 22 minutes ago

    the first .5 MB of transactions in a block are reserved for high priority transactions. If you break that you are going to break consensus and your blocks are going to be orphaned.

This is utterly false.

MineForeman 1 point 4 minutes ago

    This is utterly false.

Why do you say that? It is in the code, you can read about it on the wiki.

Do you mean that the code does not work in some way?

waigl -1 points 5 hours ago

    Remember, you can avoid fees altogether by aging your coins 1 day

Only if you have a whole Bitcoin. For smaller amounts, it's longer.

MineForeman 1 point 4 hours ago

    Only if you have a whole Bitcoin. For smaller amounts, it's longer.

No, while smaller amounts are treated with lower priority they are still high priority, the actual equation is;-

priority = sum(input_value_in_base_units * input_age)/size_in_bytes

'Whole Bitcoin' don't come into the equation (at the protocol level there is no concept).

HitMePat 2 points 2 hours ago

Thanks for this.

Why doesn't fee get included in the priority equation?

MineForeman 2 points 2 hours ago

The idea is that there are two mechanisms to get into a block, the first being the priority.

But there are still circumstances when you just have to spend outputs that have a low priority so adding a fee effectively pays a miner to mine it anyway.

It is important to note though, high priority transactions have reserved blockspace (fee paying ones don't) so there will always be room for 'free' transactions for us normal people and the spammers just have to suck it and pay. I actually think they should be paying more.

coinaday 2 points an hour ago*

    high priority transactions have reserved blockspace

Only by custom, if I recall correctly, not required by protocol. But I think it's a good example of people acting against their apparent short-term game theoretic behavior (don't allow priority rather than fee) and in support of the overall network, whether from the inertia of just using the defaults or because of conscious decision.

edit: Apparently I don't recall correctly.

goldcakes 1 point 54 minutes ago

No, it is by custom. Many pools modify it.

MineForeman 0 points an hour ago

    Only by custom, if I recall correctly

It is actually enforced in the protocol. Miners could try to 'game it' but chances are they will break consensus and invalidate their own blocks.

It is most definitely not in their interest to do so.

HitMePat 1 point 4 hours ago

Why does the unit of 1 whole coin affect it? If you hold 0.5 btc for a month can you expect a transaction to be high priority?

IronVape 1 point 2 hours ago

.5 for one month = 1.0 for 15 days = 3 for 5 days etc.

Defusion55 2 points 5 hours ago

This confuses me. Are you just assuming a higher fee means a fee that is unreasonable for a poor citizen? When you think of higher fee what do you think of? Like $5 or what? Cause I am paying "a higher fee" than the spammers are paying to fill the blocks and I am paying $.03, do you consider that too expensive for the poor?

kostialevin 7 points 4 hours ago

I just want to say that with the higher fees solution, there's the risk to leave someone out of bitcoin because it is too expensive.

cypherdoc2 2 points 3 hours ago

yes

xygo 0 points 2 hours ago

That's what payment channels are for. You net together several payments and send them all with one fee.

jmaller 1 point 3 hours ago*

Until fees are $35 for a transaction and settle in 3-5 days (bank transfer) or 10-20% for large transactions (WU) I think the poor world citizens would still benefit from bitcoin. Not to mention that anyone who can do math and connect to the internet can use bitcoin as opposed to the required documentation needed to create a bank account. And banking infrastructure.

Edit: If you are referring to it for remittances, but I see you mention storing their wealth, not sure why they would care about the fees if that was their intention.

JacobBubble 3 points 4 hours ago

We do that by increasing the amount of transactions the network can handle, not the transaction fees. Give us a tps of 4000, cut the fee by ten fold and you'll have a resilient network. Fill that up and the miners will be happy too.

xygo 2 points 3 hours ago*

Hmm let's see, a tps of 4000 would imply approximately 1.5GB block size. Which in turn would require 75 TB of data storage per year. At current prices you would need to pay something like $10,000 - $20,000 per year for the privilege of running a full node.
I think we need to find another solution.

pointjudith 3 points 2 hours ago

Yeeeeaaah, I'm not mondo stoked about these tps reports so if you could just go ahead and make up some better numbers that'd be great.

xygo 2 points 2 hours ago

LOL :D

JacobBubble 3 points 2 hours ago

That's if your only solution is a bigger block size.

Full nodes won't really be feasible for the average person. Pruned nodes, that just keep a couple blocks could become more commonplace instead without reducing security significantly.

That's just an example I used to show that the solutions should be to scale up, not shrivel down into oblivion with higher transaction fees, small block sizes, etc.

MineForeman 4 points 3 hours ago

No, increasing the blocksize won't help stop/slow spam (it may make it worse by providing more space).

The fee mechanism is designed to catch spam transactions and it is tuned to let 'normal' transactions through while making spam prohibitively expensive. That is what I am saying might need tuning.

Repeat: This is not a blocksize issue, it is a spam one.

xygo 2 points 3 hours ago

Exactly.

MineForeman 5 points 3 hours ago

Thanks, everyone is so keen to argue about blocksize at the moment they think everything is about the blocksize.

(Apologies to the strawman).

JacobBubble 1 point 2 hours ago

The issue is high transaction fees. Bitcoin needs to have lower, not higher transaction fees. There's no reason they have to be what they are. The required fees with Bitcoins are NOT market pressures, rather they're somewhat hard coded.

MineForeman 3 points 2 hours ago

I am afraid you just don't understand why fees are there in the first place.

MineForeman 3 points 2 hours ago*

Fees are the only mechanism we have for controlling spam. Without them, no matter what the block size we will have full blocks.

Noosterdam 0 points an hour ago

Tunnel vision. I think we need way bigger blocks, but I'm not blind to the fact that there are way wayyyyy the hell more optimizations that could be done at the present level.

MineForeman 2 points an hour ago

    Tunnel vision.

Indeed, this is not about blocksize this is about filling blocks with spam.

    I think we need way bigger blocks

A side point, but I tend to agree.


Sounds good, but again, block size is not the issue with spam.

JacobBubble 1 point 2 hours ago

The main issue with "Spam" transactions are the issues we're seeing now. People are spamming the network, clogging up blocks.

If the network is able to handle 20x more trans., it will be about 20x more expensive to clog the system.

The other issue cited with spam transactions is the same with email. They're annoying. That should be filtered at the wallet level, not the protocol level. It doesn't affect end users if there's 50,000 transactions that don't affect them.

MineForeman 1 point 2 hours ago

So your solution for email spam would be for everyone to get bigger hard drives?

Don't you think we should have a mechanism to prevent (or filter) out the spam?

JacobBubble 1 point an hour ago

What? No. We have spam filtering systems in email.

Some wallets already have filtering systems so they don't show tiny "dust" or "spam" transactions in the transactions list.

Raising the transaction fee would destroy real world use cases and possibilities for Bitcoins.

That's the mechanism we can use. The same one the email uses. All without reading transaction fees.

MineForeman 1 point 58 minutes ago

    Raising the transaction fee would destroy real world use cases and possibilities for Bitcoins.

We don't need to target them.... why on earth would we?

    That's the mechanism we can use.

That is just not seeing the problem, it still would be there.

portabello75 1 point an hour ago

Of course, as a pool operator you have no stake in the game of higher fees..

MineForeman 1 point an hour ago

    Of course, as a pool operator you have no stake in the game of higher fees..

Is this some poorly thought out attempt at character assassination? You know I am not a pool operator right?

cypherdoc2 0 points 3 hours ago

    It should be prohibitively expensive to dick around like this

what's your evidence this is happening and not ordinary users getting hung up with normal tx's?

MineForeman 3 points 3 hours ago

    what's your evidence this is happening and not ordinary users getting hung up with normal tx's?

I am not saying that, the evidence is that normal transactions are getting through.

What I am saying is 'spamming for the fun of it' should be prohibitively expensive.

cypherdoc2 0 points 3 hours ago

ideally yes the problem being able to identify it. furthermore, who is doing the defining? Lukejr thinks colored coins, factom, and CP is spam from what i understand. i'm sure those guys don't think so. who gets to decide?

bottom line is if blocks are getting filled we should be doing something about it otherwise we are going to lose users who are what drives the system.

MineForeman 2 points 3 hours ago

    ideally yes the problem being able to identify it.

The default equation at the moment is;-

priority = sum(input_value_in_base_units * input_age)/size_in_bytes

    bottom line is if blocks are getting filled we should be doing something about it otherwise we are going to lose users who are what drives the system.

Could not agree more, that is why I am saying we might need to look at making sure that spam is prohibitively expensive (as intended).

cypherdoc2 1 point 3 hours ago

i missed the part about how you were to distinguish btwn spam and cc, factom, and cp.

Noosterdam 1 point 2 hours ago

Let fees increase a bit, is what he's saying.

xygo 0 points 3 hours ago

Yes. And the worst possible solution is to remove the blocksize limit completely or to grow it aggressively as some have suggested.

cypherdoc2 2 points 3 hours ago

b/c the miners and users are incapable of establishing a fee mkt?

xygo 1 point 2 hours ago

Oh sure they can. Just that somebody might be willing to pump up the fee market to produce such large blocks that it would effectively end decentralisation in bitcoin. Are cheap transactions really more important to you than decentralisation ? Do you not care about privacy and unblockable transactions ?

cypherdoc2 3 points 2 hours ago

talk me thru that end decentralization logic again. the one you tested.

jrmxrf 1 point 3 hours ago

http://data.bitcoinity.org/bitcoin/blocksize/2y?r=month&t=l

it's getting there slowly

btcdrak 3 points an hour ago

Oh look, an average of 400kb blocks, just like /u/luke-jr said there were...

v4vijayakumar 1 point 2 hours ago

Who's filling blocks? A known pool, or an unknown pool? Do they just fill the blocks, or also transmit across the network (found in others' mempools)? Can these transactions be traced to a wallet (set of addresses)? Is coin mixing the main purpose of these filler transactions?

btcdrak 2 points an hour ago

A number of people have been talking about filling the blocks as an experiment, especially filling up the UTXO set. e.g. https://bitcointalk.org/index.php?topic=1075590

v4vijayakumar 1 point 52 minutes ago

Browsed through the posts. Someone is providing 'spamming as a service', but why?

danster82[S] 6 points 6 hours ago

can't the pools at least adjust their blocksize to 1MB

SatoshisGhost 6 points 5 hours ago

apparently the default is autoset to 750, but yet they don't change it...

xygo 2 points 2 hours ago

The costs for the spammer would increase by 20%. That's not very much help.

rodfeher 6 points 6 hours ago

check out this guy.

https://blockchain.info/address/1jFHVUDY1GT4YJtdLhPPWcrusrVTm4zeu

SatoshisGhost 5 points 5 hours ago

he must have forgotten the stress test ended several days ago lol

xygo 3 points 2 hours ago

Could well be this guy: https://bitcointalk.org/index.php?topic=1075590 he seems to think it's a good idea to spam the blockchain.

Defusion55 10 points 6 hours ago

Naturally full? nah. manipulative full? Yes. Is that a bad thing? not really.

tophernator 3 points 4 hours ago

It's not a bad thing that someone is deliberately spamming the network and bloating the blockchain in an attempt to force their own agenda?

Logical007 9 points 4 hours ago

Not really. Free market at work.

felipelalli 6 points 4 hours ago

Free money to the miners! :) More security to us.

capistor 3 points 3 hours ago

Are those paid spam transactions or free spam transactions?

Noosterdam 1 point an hour ago

It will just force rationality. Most likely an increase in fee structure by the miners. Blocksize will need to increase once there are blocks full of transactions paying a very low but slightly higher fee, and should probably be increased preemptively.

Bottom line: both fees and blocksize need to increase, though fees only slightly.

rodfeher 5 points 6 hours ago

fullish

pointjudith 2 points 2 hours ago

burp

rodfeher 4 points 6 hours ago

thank you for paying miner's electricity bill.

cypherdoc2 5 points 2 hours ago

the more users leave, the richer miners become!

vbenes 1 point 6 hours ago

http://statoshi.info/#/dashboard/file/default.json?panelId=6&fullscreen

nobodybelievesyou 1 point 41 minutes ago

Are blocks empty?

Height   BTC         Size
360231   6,422.05    437.65 kB
360230      25.00      0.18 kB
360229   4,092.81    185.14 kB
360228  15,478.52    720.99 kB
360227   4,202.02    286.00 kB
360226      25.00      0.20 kB

rabidus_ 1 point 6 hours ago

Yep, blocks are full.

brilliantey -1 points 5 hours ago

Poor guy, probably wakes up in the middle of the night with the subj words. Then in the middle of work he logs on to IRC channel to ping like "Are blocks full?".

Be honest to me "Are blocks full?".

Are blocks full?

Are blocks fucking full?!?!

HitMePat 4 points 5 hours ago

WHAT'S IN THE BLOCKS?!

_EuroTrash_ 2 points 3 hours ago

The blocks are a lie

itisike 2 points 57 minutes ago

But How Can Blocks Be Full If Spam Isn't Real

kigam 1 point an hour ago

Nothing! Absolutely nothing! You so stupid!

jcoinner 1 point 3 hours ago

Where's the beef?

Phrenico 2 points 3 hours ago

Fucking reddit activists.

jwBTC 5 points 2 hours ago

WHAA! 1MB/640K ought to be enough for anybody eh?

Phrenico 3 points 2 hours ago

If I don't think increasing the blocksize by 20x is advisable, it means I want blocks to remain at 1 MB forever?

I should get caught up with the straw men you guys tell me I believe.

rydan -4 points 4 hours ago

This is just a targeted attack on bitcoin trying to get us to increase the blocksize to 20MB. The 20MBers are getting really desperate to try to pull this. My advice is to just ignore it and it will go away.

cypherdoc2 5 points 2 hours ago

everyone will go away.

jstolfi 1 point 22 minutes ago

    targeted attack on bitcoin ... The 20MBers are getting really desperate to try to pull this.

It could be seen that way. Or those guys can be seen as heroes, who are spending their money to try to show everybody what would happen if the Blockstream gang is allowed to take bitcoin away from the individual users and turn it into a tool for bankers and big corporations. </trolling>

luke-jr comment score below threshold (1 child)

That said, this entire debate has jumped the shark. I think people have way too much free time. Just fire up XT and when/if the various 2.0 schemes are tested and deemed safe they'll have their time in the sun as well.

bitdoggy 3 points 19 hours ago

What's the big deal? 20MB now is the same as 1MB 7 years ago.

BusyBeaverHP 7 points 1 day ago*

Mike mentioned that Gavin has the ability to revoke Github push access of the rest of the core developers.

If this is true, it's an amazing testament to Gavin's patience in handling the obstructionist refusal to acknowledge any changes to the blocksize limit.

statoshi 17 points 1 day ago

Such a move by Gavin would be considered tyrannical by most of the community and he knows full well that the fallout would not be pretty.

cypherdoc2 1 point 1 day ago

i wonder what would happen if gmax were in that position...

BusyBeaverHP 6 points 1 day ago*

GMaxwell thinks he's libertarian, but he's extremely tyrannical by the fact that he thinks his beliefs of what is decentralization should be imposed on others for their own good.

An excerpt:

    I believe that a Bitcoin like that would be a failure even if the coins somehow retained high value, because it would be just a reboot of the existing infrastructure, but probably worse-- lacking a design purpose fit for a centralized world, as well as the regulatory history and experience of the traditional systems...

    ...Instead, I believe Bitcoin can be successful as a truly decentralized system which depends on cryptographic proof rather than trust. To get there we have to frankly face the extreme costs of having a decentralized system, and potentially tolerate slower short term adoption...

So Maxwell's got his million dollars from Blockstream's VC rounds, and has leisurely time to mull about theoretical things without running real numbers backing them up, and has no incentive to increase the value of the network in the face of innumerable alt-coins waiting for Bitcoin to fuck up.

Just as the construction of the blockchain is a competition, Bitcoin is a zero-sum contestant in the cryptocurrency space. Having less value while there are many competitors who are faster to adopt whatever slow changes you throw their way plus their own innovation, is asking for death by a thousand cuts.

When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the Alt-coins and powers-that-be will not waste a moment's time to capitalize on it.

Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not impose ill-researched economic decisions on the entire ecosystem? If I was running a company and some engineer was spouting some bullshit like holding off our company's growth (hence increased revenue) in the face of competition, I'd fire him on the spot.

Last but not least. GMaxwell's shining leadership on display:

    If the Bitcoin community wants to go commit suicide, I'm confident that I can sell most of my bitcoins before most of the public has realized things have gone wrong.

cypherdoc2 3 points 1 day ago

i agree

Adrian-X 3 points 23 hours ago

Nice rant more need to understand this.

saxon84 1 point 12 hours ago

Maxwell is a ginger terrorist.

lorempsum comment score below threshold (0 children)

Vibr8gKiwi comment score below threshold (7 children)

jojva 6 points 1 day ago

Censoring other core devs would be an extremely stupid and ineffective strategy.

Vibr8gKiwi 4 points 1 day ago*

It's pretty clear from this that certain devs are more interested in other systems than bitcoin and are actively trying to undermine bitcoin and cause people to leave. These devs should no longer be bitcoin core devs. What does it take to remove them?

BusyBeaverHP 6 points 1 day ago

    What does it take to remove them?

An overwhelming majority vote with our nodes. I've installed XT as a vote that I no longer want the likes of Maxwell to dictate our economic policies by ways of obstructionist gridlock.

donbrownmon 1 point 12 hours ago

Sounds like Gavin can remove them. Do it, /u/gavinandresen !

yyyaao -4 points 1 day ago

Yes, Hearn and Andresen want a Paypal 2.0.

110101002 1 point 1 day ago

The same could be said of the other four core developers who can do the same and think the opposite of him.

shesek1 4 points 1 day ago

Doing that would be completely insane. He has no authority to make such a move. It has nothing to do with being patient.

donbrownmon 2 points 21 hours ago

What makes you think he doesn't have the authority to do that?

petertodd (Peter Todd - Bitcoin Expert) 3 points 1 day ago

If Gavin did that I wouldn't be at all surprised if github sided with the other half-dozen people with commit access and reversed it.

dooglus 1 point 22 hours ago

If Gavin did that the other developers with commit access would simply switch to working on a different fork of the project.

Nobody cares which repository a client was built from. People will either download the real bitcoin client or Gavin's altcoin, depending on which side of the fork they want to be.

WinkleviBitcoinTrust 1 point 1 day ago

who grants commit access?

rydan 5 points 1 day ago

Not sure what Peter Todd is talking about. Github isn't going to get involved in infighting and politics. The account has access, it removes access from others, that's the end of the story.

tropser 1 point 13 hours ago*

Like children playing in a sandbox... pfff... time to grow up.

ProHashing 1 point 5 hours ago

In the end, such an action would matter little. By the time you and Andresen finished arguing with each other and Github, Coinbase will have forked the client, implemented its own block size solution, and issued professional press releases explaining why they have offered the solution. People will download it and control of the bitcoin protocol will be permanently shifted away from you to commercial enterprises.

What is not present here is actual code. Developers like to talk, but if there really are ten different competing ideas, then why aren't there ten different forks that people can download and vote with their nodes? If everyone's solution is superior to all the others, then why isn't it out there being run?

I hope that people understand that there's never going to be a magic consensus formed to this problem. There is no democratic election process in a set of bitcoin bylaws. If nobody releases actual code, then nothing is going to get done. Given the outcry here, the solution is going to come from outside the current developers if nobody takes charge soon.

pizzaface18 -1 points 1 day ago

Shady. Nice to see where your head is at.

seb2point0 -1 points 20 hours ago

I hope you're not being serious.

awemany 0 points 16 hours ago

He has been patiently arguing for this for years.

He made several proposals, and tried to come closer with his blocksize-increase proposal to what the other devs might accept.

But all he got was deafening silence and arguments which basically amount to concern trolling.

ProHashing 1 point 6 hours ago

The new thing on reddit is to call everyone who expresses a disagreement "trolls."

Sometimes there are people who have genuine disagreements. Those differing viewpoints should be welcomed, not labeled as being made in bad faith.

BlockchainOfFools 1 point 1 day ago

#justsaying #itcouldhappen

danster82 4 points 1 day ago

Are we just waiting for the fun of it then? or can we implement a dynamic increase now please.

anddrade 3 points 1 day ago

I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?

awemany 2 points 16 hours ago

    I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?

They did, but to please the other devs - they tried to come down with their proposal, to have a smaller, hopefully more agreeable increase.

But all they got is vetoing, arguments which amount to concern trolling, and no constructive input at all.

You can see this if you google for 'Gavin blocksize increase' (and similar) and look for the different times that he brought this issue up. It is nothing new at all. Gavin has been very reasonable and patient arguing for this for years, but it now looks like Greg and some of the others became outright obstructionist.

AmIHigh 0 points 23 hours ago

If it's dynamic, it's possible to abuse it by spamming transactions to artificially increase it over time. It might cost a lot of money, and whether it will actually happen who knows, but that is a reason to consider a hard cap, until a real solution is decided on, and fully tested.

tropser 2 points 1 day ago

It's almost like now or never... If nothing happens until blocks are full and network is clogged we can leave this shit like it is now. There's no reason to do much with it anymore if that's the case.

smartfbrankings comment score below threshold (0 children)

smartfbrankings 4 points 1 day ago

It's getting more obvious how he's arriving at his conclusions by treating Bitcoin like a website that hits a capacity spike, so I do appreciate that insight!

aminok 5 points 1 day ago

They're both hosted by servers. The Bitcoin network's full nodes act as redundant, synchronized servers of data.

smartfbrankings 1 point 1 day ago

There are certainly similarities. There are also differences. We are all bound by our own biases, so it's natural we go to them. The key is to recognize when we are blinded by them.

Apatomoose 2 points 1 day ago

What are the differences?

smartfbrankings 0 points 1 day ago

The downsides of "reaching capacity" of a hosted website vs. Bitcoin are significantly different, for starters. The behavior as you start reaching capacity is also different.

The decentralization aspect is also different. For a centralized service like Google Maps, you only need to consider costs and serving the customer. Decentralization is another angle to consider impact, and simply isn't relevant when using the comparison.

The competition is also different. If Google Maps goes down, people are going to have several other choices immediately available, and chances are a lot of those people never come back.

The market is a lot different as well. Bitcoin is not even at early adopter phase, and comparing it to mainstream adoption of something like Google Maps has flaws. Super early adopters are far more tolerant of flaws than mainstream adopters. If they weren't, they wouldn't have jumped through the many hoops to come to Bitcoin in the first place. I'd also rather have the pain now than say let's say that Bitcoin adoption rates went up 40x.

Analogies are great and mindset is great, but you have to realize what parts of them break down and where, and what things you are being blindsided by.

zombiecoiner 1 point 1 day ago*

One thing I've noticed in these threads is that votes tend to be more toward 1MB arguments the deeper in the thread tree they get. To me this means people who are spending the most time on this issue (much like most of the core developers) lean toward staying at 1MB for the time being. If you don't really care, it's easy to downvote a few highly visible comments you don't like and move on.

wonkeydoreyy 8 points 1 day ago

That's because the 1MBers constantly have to explain themselves, because the justifications don't add up to being in Bitcoin's best interest.

smartfbrankings 1 point 1 day ago

Yes, always question the motives of anyone who disagrees with you.

zcc0nonA 2 points 1 day ago

I think we've been in different forums. As far as I can tell no one is for keeping the 1 MB block long term. Instead everyone agrees it must be raised, but how to do it in a responsible way is the question.

Any static increase, 3, 8, 20, 21 MB, they will all need to be changed later on and are bad choices. But some feel we are running low on time, so we should push the danger further away and investigate more on a long term solution.

Then others want to come up with that long term solution now, so that the number of hard forks in the future is less. This seems like a good option but then the question becomes if such a system could get adequate testing before launch.
But before we can address that the aforementioned long term solution must be found. People don't want something that can be manipulated, so it would have to be tied to some other value, the question then is what to peg it to and how. Perhaps a number of metrics, but it would need to be resistant to stalls and surges in the network and usage.

smartfbrankings 2 points 1 day ago

5 minutes in, and Mike's strawman arguments are strong.

marcus_of_augustus 7 points 1 day ago

Mike Hearn has been making shit up ever since he started working in Bitcoin.

His whole "when I was emailing satoshi" spiel is exaggeration bordering on lies. Yes he was emailing him, but satoshi hardly ever responded .... it seems to have gotten worse since then.

petertodd (Peter Todd - Bitcoin Expert) 1 point 1 day ago

    satoshi hardly ever responded

FWIW there are no publicly available emails from Satoshi to Mike Hearn. There are leaked emails that are publicly available from Mike Hearn to Satoshi however.

marcus_of_augustus 2 points 1 day ago

mmm, so it's on Hearn's word that satoshi ever responded. Seems to have milked a lot of mileage on some reflected glory of a dubious basis.

Adrian-X 4 points 1 day ago

Care to explain?

smartfbrankings 3 points 1 day ago

"These people think we should never increase it." was the first one.

Saw a few others, but basically he constantly misrepresents any opposing argument for his own benefit.

Adrian-X 6 points 1 day ago

Most of us see through that, I didn't even notice that, what I see is the ones who say we should wait are not telling us why. I suspect they are not ready to release their other scaling technology embodied in sidechains.

The most credible wait solution is if it's a problem we'll fix it.

This is not a rush, we are just committing to a proposed change in 9 months, while we find a better solution.

smartfbrankings 2 points 1 day ago

I see that argument and understand it. The failure of many is to think this is a permanent solution and we'll just keep upping the size, much like the debt limit.

The counter to that argument is increasing this and not letting that pain now will make greater pain later. What is the incentive to solve a problem that when you fear it will be perpetually kicked down the road? A bigger issue is at stake than simply delaying.

BlockchainOfFools 0 points 1 day ago

    Most of us see through that

More and more of this argument is being aimed at VCs and other forms of professional money which does not see the nuances in these issues, is under pressure to allocate funds as fast as possible to get the scoop on competitors, and whose regard for the allocation of said funds focuses on who seems to have the best team and exhibits strong leadership, not whose hair splitting argument is technically superior.

That's where all the brinksmanship talk and doomsaying demagoguery in this debate as well as its close cousin, the "Blockchain without Bitcoin" is creeping in from.

donbrownmon 2 points 10 hours ago

    "These people think we should never increase it." was the first one.

Judge them by their actions, not their words.

smartfbrankings 3 points 10 hours ago

How can we judge them by their potential actions? Why can't Mike just stick to facts like "They have given us no objective criteria to when they'd consider moving it." That's a fair argument and accurate.

BusyBeaverHP 3 points 1 day ago

But that's the truth, there are these people who think we should never increase it, and somehow create an off-chain wormhole to push potential Bitcoiners onto a trusted system.

Oh, and you're a Buttcoiner.

smartfbrankings -1 points 1 day ago

    But that's the truth, there are these people who think we should never increase it

Find me such a person. They are certainly in the minority on this one. No one is pushing for a "trusted" system. People are pushing for untrusted semi-centralized services, if anything.

Personal attacks are the sign of not having an argument.

i_wolf 4 points 1 day ago

    Find me such a person.

Luke-jr

smartfbrankings 1 point 1 day ago

Find me a place where he says he'd never advocate raising it.

petertodd (Peter Todd - Bitcoin Expert) -1 points 1 day ago

I'm a much better example than Luke-Jr... and my position is I expect that the science of decentralized blockchains will advance to the point where the notion of a "blocksize limit" doesn't even make any sense anymore. (e.g. my treechains concept has that goal in mind)

i_wolf 3 points 1 day ago

Good. Then there's no reason why the limit shouldn't be raised to fulfill growing demand while the science isn't ready yet.

Also if treechains and other offchains are so good that people would eagerly use them instead of the blockchain, then there's no reason for the limit: blocks just will not grow.

shesek1 3 points 1 day ago

    treechains and other offchains

Peter's treechains proposal is not an offchain solution.

https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg04388.html

i_wolf 1 point 19 hours ago

Then we can safely raise the limit.

petertodd (Peter Todd - Bitcoin Expert) -1 points 1 day ago

Well, tl;dr: the supermajority of Bitcoin devs, including myself, see raising the limit right now as a last-resort measure with significant downsides.

i_wolf 2 points 19 hours ago

The blocks are 40x larger today than 5 yrs ago. What significant downsides do you see in this fact, that would make reducing the limit to 10 kB desirable?

luckdragon69 -1 points 1 day ago

Mike Hearn thinks your supermajority is in the minority LOL.

smartfbrankings 1 point 1 day ago

We could also see technological advances where 1MB today is like 1KB of 20 years ago, and no one would think twice about making it 2MB or 20MB.

I'm of the opinion we should not take emergency action unless there is an emergency. Hearn thinks that someone not being able to send a nickel for under a penny fee is an emergency, so that's why he's advocating for this so strong.

marcus_of_augustus 3 points 1 day ago

Hearn has vested interests in these business models that rely on bigger blocks:

Lighthouse's 'crowdfunding' is more like tribe-funding because the size of the crowd is limited by the blocksize https://groups.google.com/forum/#!topic/lighthouse-discuss/J2MHPw5kUBU

BitcoinJ will be better able to compete with the federated server models of Electrum and libbitcoin (currently it is getting smoked) so he becomes more relevant again.

Yep, it is safe to say that Hearn is conflicted when it comes to blocksize debate. He might become irrelevant if this doesn't happen now and other business models take over.

i_wolf 1 point 19 hours ago

Mike Hearn is irrelevant. Blocks can grow due to a rise in demand. If you're implying Lighthouse will be actively used for sending money, then it's good for Bitcoin; that's exactly what Bitcoin was created for.

smartfbrankings 1 point 12 hours ago

I don't think it's his vested interests that define this, but his view of what Bitcoin should be influences what kinds of projects he wants to work on.

Same thing with the other side.

petertodd (Peter Todd - Bitcoin Expert) -1 points 1 day ago

    We could also see technological advances where 1MB today is like 1KB of 20 years ago, and no one would think twice about making it 2MB or 20MB.

That said, this entire debate has jumped the shark. I think people have way too much free time. Just fire up XT and when/if the various 2.0 schemes are tested and deemed safe they'll have their time in the sun as well.

bitdoggy 3 points 19 hours ago

What's the big deal? 20MB now is the same as 1MB 7 years ago.

BusyBeaverHP 7 points 1 day ago*

Mike mentioned that Gavin has the ability to revoke Github push access of the rest of the core developers.

If this is true, it's an amazing testament to Gavin's patience in handling the obstructionist refusal to acknowledge any changes to the blocksize limit.

statoshi 17 points 1 day ago

Such a move by Gavin would be considered tyrannical by most of the community and he knows full well that the fallout would not be pretty.

cypherdoc2 1 point 1 day ago

i wonder what would happen if gmax were in that position...

BusyBeaverHP 6 points 1 day ago*

GMaxwell thinks he's libertarian, but he's extremely tyrannical in that he thinks his beliefs about what decentralization is should be imposed on others for their own good.

An excerpt:

    I believe that a Bitcoin like that would be a failure even if the coins somehow retained high value, because it would be just a reboot of the existing infrastructure, but probably worse-- lacking a design purpose fit for a centralized world, as well as the regulatory history and experience of the traditional systems...

    ...Instead, I believe Bitcoin can be successful as a truly decentralized system which depends on cryptographic proof rather than trust. To get there we have to frankly face the extreme costs of having a decentralized system, and potentially tolerate slower short term adoption...

So Maxwell's got his million dollars from Blockstream's VC rounds, and has leisurely time to mull about theoretical things without running real numbers backing them up, and has no incentive to increase the value of the network in the face of innumerable alt-coins waiting for Bitcoin to fuck up.

Just as the construction of the blockchain is a competition, Bitcoin is a zero-sum contestant in the cryptocurrency space. Having less value while there are many competitors who are faster to adopt whatever slow changes you throw their way plus their own innovation, is asking for death by a thousand cuts.

When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the Alt-coins and powers-that-be will not waste a moment's time to capitalize on it.

Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not impose ill-researched economic decisions on the entire ecosystem? If I was running a company and some engineer was spouting some bullshit like holding off our company's growth (hence increased revenue) in the face of competition, I'd fire him on the spot.

Last but not least. GMaxwell's shining leadership on display:

    If the Bitcoin community wants to go commit suicide, I'm confident that I can sell most of my bitcoins before most of the public has realized things have gone wrong.

cypherdoc2 3 points 1 day ago

i agree

Adrian-X 3 points 23 hours ago

Nice rant more need to understand this.

saxon84 1 point 12 hours ago

Maxwell is a ginger terrorist.

jojva 6 points 1 day ago

Censoring other core devs would be an extremely stupid and ineffective strategy.

Vibr8gKiwi 4 points 1 day ago*

It's pretty clear from this that certain devs are more interested in other systems than bitcoin and are actively trying to undermine bitcoin and cause people to leave. These devs should no longer be bitcoin core devs. What does it take to remove them?

BusyBeaverHP 6 points 1 day ago

    What does it take to remove them?

An overwhelming majority vote with our nodes. I've installed XT as a vote that I no longer want the likes of Maxwell to dictate our economic policies by ways of obstructionist gridlock.

donbrownmon 1 point 12 hours ago

Sounds like Gavin can remove them. Do it, /u/gavinandresen !

yyyaao -4 points 1 day ago

Yes, Hearn and Andresen want a Paypal 2.0.

110101002 1 point 1 day ago

The same could be said of the other four core developers who can do the same and think the opposite of him.

shesek1 4 points 1 day ago

Doing that would be completely insane. He has no authority to make such a move. It has nothing to do with being patient.

donbrownmon 2 points 21 hours ago

What makes you think he doesn't have the authority to do that?

petertodd (Peter Todd - Bitcoin Expert) 3 points 1 day ago

If Gavin did that I wouldn't be at all surprised if github sided with the other half-dozen people with commit access and reversed it.

dooglus 1 point 22 hours ago

If Gavin did that the other developers with commit access would simply switch to working on a different fork of the project.

Nobody cares which repository a client was built from. People will either download the real bitcoin client or Gavin's altcoin, depending on which side of the fork they want to be.

WinkleviBitcoinTrust 1 point 1 day ago

who grants commit access?

rydan 5 points 1 day ago

Not sure what Peter Todd is talking about. Github isn't going to get involved in infighting and politics. The account has access, it removes access from others, that's the end of the story.

tropser 1 point 13 hours ago*

Like children playing in a sandbox.. pfff... time to grow up.

ProHashing 1 point 5 hours ago

In the end, such an action would matter little. By the time you and Andresen finished arguing with each other and Github, Coinbase will have forked the client, implemented its own block size solution, and issued professional press releases explaining why they have offered the solution. People will download it and control of the bitcoin protocol will be permanently shifted away from you to commercial enterprises.

What is not present here is actual code. Developers like to talk, but if there really are ten different competing ideas, then why aren't there ten different forks that people can download and vote with their nodes? If everyone's solution is superior to all the others, then why isn't it out there being run?

I hope that people understand that there's never going to be a magic consensus formed to this problem. There is no democratic election process in a set of bitcoin bylaws. If nobody releases actual code, then nothing is going to get done. Given the outcry here, the solution is going to come from outside the current developers if nobody takes charge soon.

pizzaface18 -1 points 1 day ago

Shady. Nice to see where your head is at.

seb2point0 -1 points 20 hours ago

I hope you're not being serious.

awemany 0 points 16 hours ago

He was patiently arguing for this for years.

He made several proposals, and tried to come closer with his blocksize-increase proposal to what the other devs might accept.

But all he got was deafening silence and arguments which basically amount to concern trolling.

ProHashing 1 point 6 hours ago

The new thing on reddit is to call everyone who expresses a disagreement "trolls."

Sometimes there are people who have genuine disagreements. Those differing viewpoints should be welcomed, not labeled as being made in bad faith.

BlockchainOfFools 1 point 1 day ago

#justsaying #itcouldhappen

danster82 4 points 1 day ago

Are we just waiting for the fun of it then? or can we implement a dynamic increase now please.

anddrade 3 points 1 day ago

I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?

awemany 2 points 16 hours ago

    I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?

They did, but to please the other devs they tried to come down with their proposal, to have a smaller, hopefully more agreeable increase.

But all they got is vetoing, arguments which amount to concern trolling, and no constructive input at all.

You can see this if you google for 'Gavin blocksize increase' (and similar) and look for the different times that he brought this issue up. It is nothing new at all. Gavin has been very reasonable and patient arguing for this for years, but it now looks like Greg and some of the others became outright obstructionist.

AmIHigh 0 points 23 hours ago

If it's dynamic, it's possible to abuse it by spamming transactions to artificially increase it over time. It might cost a lot of money, and whether it will actually happen who knows, but that is a reason to consider a hard cap, until a real solution is decided on, and fully tested.

tropser 2 points 1 day ago

It's almost like now or never... If nothing happens until blocks are full and network is clogged we can leave this shit like it is now. There's no reason to do much with it anymore if that's the case.

smartfbrankings 4 points 1 day ago

It's getting more obvious how he's arriving at his conclusions by treating Bitcoin like a website that hits a capacity spike, so I do appreciate that insight!

aminok 5 points 1 day ago

They're both hosted by servers. The Bitcoin network's full nodes act as redundant, synchronized servers of data.

smartfbrankings 1 point 1 day ago

There are certainly similarities. There are also differences. We are all bound by our own biases, so it's natural we go to them. The key is to recognize when we are blinded by them.

Apatomoose 2 points 1 day ago

What are the differences?

smartfbrankings 0 points 1 day ago

The downsides of "reaching capacity" of a hosted website vs. Bitcoin are significantly different, for starters. The behavior as you start reaching capacity is also different.

The decentralization aspect is also different. For a centralized service like Google Maps, you only need to consider costs and serving the customer. Decentralization is another angle to consider impact, and simply isn't relevant when using the compare.

The competition is also different. If Google Maps goes down, people are going to have several other choices immediately available, and chances are a lot of those people never come back.

The market is a lot different as well. Bitcoin is not even at early adopter phase, and comparing it to mainstream adoption of something like Google Maps has flaws. Super early adopters are far more tolerant of flaws than mainstream adopters. If they weren't, they wouldn't have jumped through the many hoops to come to Bitcoin in the first place. I'd also rather have the pain now than, let's say, after Bitcoin adoption rates went up 40x.

Analogies are great and mindset is great, but you have to realize what parts of them break down and where, and what things you are being blindsided by.

zombiecoiner 1 point 1 day ago*

One thing I've noticed in these threads is that votes tend to be more toward 1MB arguments the deeper in the thread tree they get. To me this means people who are spending the most time on this issue (much like most of the core developers) lean toward staying at 1mb for the time being. If you don't really care, it's easy to downvote a few highly visible comments you don't like and move on.

wonkeydoreyy 8 points 1 day ago

That's because the 1MBers constantly have to explain themselves, because the justifications don't add up to being in Bitcoin's best interest.

smartfbrankings 1 point 1 day ago

Yes, always question the motives of anyone who disagrees with you.

zcc0nonA 2 points 1 day ago

I think we've been in different forums. As far as I can tell no one is for keeping the 1 mb block long term. Instead everyone agrees it must be raised but how to do it in a responsible way is the question.

Any static increase, 3, 8, 20, 21mbs, they will all need to be changed later on and are bad choices. But some feel we are running low on time, so we should push the danger further away and investigate more on a long term solution.

Then others want to come up with that long term solution now, so that the number of hard forks in the future is less. This seems like a good option but then the question becomes if such a system could get adequate testing before launch.
But before we can address that the aforementioned long term solution must be found. People don't want something that can be manipulated, so it would have to be tied to some other value, the question then is what to peg it to and how. Perhaps a number of metrics, but it would need to be resistant to stalls and surges in the network and usage.

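
To make AmIHigh's abuse concern and zcc0nonA's "resistant to stalls and surges" requirement concrete, here is an added toy simulation (not code from the thread or from any actual proposal) of two hypothetical demand-following cap rules: an unbounded one that a party willing to fill every block can ratchet upward without limit, and a rate-limited one with a floor that bounds both the surge and the stall case. The 2x-median target, the 10% per-period step, the 1 MB floor and the ten-block period are all assumptions chosen for illustration.

```python
"""Toy simulation of a demand-driven ("dynamic") block size cap.

Added example, not code from the thread or any real proposal. It models
the concern raised above: if the cap follows observed block sizes, a
party willing to pay the fees can fill blocks and drive the cap upward.
Two hypothetical update rules are compared over adjustment periods.
"""
from statistics import median

MB = 1_000_000
FLOOR_CAP = 1 * MB          # hypothetical lower bound on the cap
MAX_STEP = 0.10             # hypothetical per-period growth/shrink limit
BLOCKS_PER_PERIOD = 10      # hypothetical adjustment interval


def naive_rule(cap, recent_sizes):
    """Next cap = twice the median size of the last period's blocks.
    Nothing bounds the step: full blocks double the cap every period, and
    a quiet period (blocks under half full) shrinks it just as fast."""
    return 2 * median(recent_sizes)


def bounded_rule(cap, recent_sizes):
    """Same target, but the step is clamped to +/-MAX_STEP per period and
    the cap never drops below FLOOR_CAP, so a surge costs the attacker many
    periods of full blocks and a stall cannot collapse the cap."""
    target = 2 * median(recent_sizes)
    upper = cap * (1 + MAX_STEP)
    lower = cap * (1 - MAX_STEP)
    return max(FLOOR_CAP, min(upper, max(lower, target)))


def simulate(rule, periods, fill_fraction, start_cap=1 * MB):
    """Run `periods` adjustments. Every block in a period is filled to
    `fill_fraction` of the current cap (1.0 = someone saturating every
    block; 0.3 = modest organic demand). Returns the cap after each period."""
    cap = start_cap
    history = []
    for _ in range(periods):
        sizes = [fill_fraction * cap] * BLOCKS_PER_PERIOD
        cap = rule(cap, sizes)
        history.append(cap)
    return history


def periods_to_reach(rule, target_cap, fill_fraction=1.0, limit=1000):
    """Number of periods of blocks filled to `fill_fraction` until the cap
    reaches `target_cap`, i.e. how long an attacker must keep paying for
    full blocks; None if `limit` periods are not enough."""
    cap = 1 * MB
    for period in range(1, limit + 1):
        cap = rule(cap, [fill_fraction * cap] * BLOCKS_PER_PERIOD)
        if cap >= target_cap:
            return period
    return None


if __name__ == "__main__":
    for rule in (naive_rule, bounded_rule):
        surge = simulate(rule, 5, 1.0)
        stall = simulate(rule, 5, 0.3)
        print(f"{rule.__name__}: after 5 full periods cap = "
              f"{surge[-1] / MB:.2f} MB; after 5 quiet periods cap = "
              f"{stall[-1] / MB:.2f} MB; periods to reach 20 MB = "
              f"{periods_to_reach(rule, 20 * MB)}")
```
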
smartfbrankings 2 points 1 day ago

5 minutes in, and Mike's strawman arguments are strong.

marcus_of_augustus 7 points 1 day ago

Mike Hearn has been making shit up ever since he started working in Bitcoin.

His whole "when I was emailing satoshi" spiel is exaggeration bordering on lies. Yes he was emailing him, but satoshi hardly ever responded .... it seems to have gotten worse since then.

petertodd (Peter Todd - Bitcoin Expert) 1 point 1 day ago

    satoshi hardly ever responded

FWIW there are no publicly available emails from Satoshi to Mike Hearn. There are leaked emails that are publicly available from Mike Hearn to Satoshi however.

marcus_of_augustus 2 points 1 day ago

mmm, so it's on Hearn's word that satoshi ever responded. Seems to have milked a lot of mileage on some reflected glory of a dubious basis.

Adrian-X 4 points 1 day ago

Care to explain?

smartfbrankings 3 points 1 day ago

"These people think we should never increase it." was the first one.

Saw a few others, but basically he constantly misrepresents any opposing argument for his own benefit.

Adrian-X 6 points 1 day ago

Most of us see through that. I didn't even notice that; what I see is the ones who say we should wait are not telling us why. I suspect they are not ready to release their other scaling technology embodied in sidechains.

The most credible wait solution is if it's a problem we'll fix it.

This is not a rush, we are just committing to a proposed change in 9 months, while we find a better solution.

smartfbrankings 2 points 1 day ago

I see that argument and understand it. The failure of many is to think this is a permanent solution and we'll just keep upping the size, much like the debt limit.

The counter to that argument is that increasing this and not letting that pain happen now will make greater pain later. What is the incentive to solve a problem when you fear it will be perpetually kicked down the road? A bigger issue is at stake than simply delaying.

BlockchainOfFools 0 points 1 day ago

    Most of us see through that

More and more of this argument is being aimed at VCs and other forms of professional money which does not see the nuances in these issues, is under pressure to allocate funds as fast as possible to get the scoop on competitors, and whose regard for the allocation of said funds focuses on who seems to have the best team and exhibits strong leadership, not whose hair splitting argument is technically superior.

That's where all the brinksmanship talk and doomsaying demagoguery in this debate as well as its close cousin, the "Blockchain without Bitcoin" is creeping in from.

donbrownmon 2 points 10 hours ago

    "These people think we should never increase it." was the first one.

Judge them by their actions, not their words.

smartfbrankings 3 points 10 hours ago

How can we judge them by their potential actions? Why can't Mike just stick to facts like "They have given us no objective criteria to when they'd consider moving it." That's a fair argument and accurate.

BusyBeaverHP 3 points 1 day ago

But that's the truth, there are these people who think we should never increase it, and somehow create an off-chain wormhole to push potential Bitcoiners onto a trusted system.

Oh, and you're a Buttcoiner.

smartfbrankings -1 points 1 day ago

    But that's the truth, there are these people who think we should never increase it

Find me such a person. They are certainly in the minority on this one. No one is pushing for a "trusted" system. People are pushing for untrusted semi-centralized services, if anything.

Personal attacks are the sign of not having an argument.

i_wolf 4 points 1 day ago

    Find me such a person.

Luke-jr

smartfbrankings 1 point 1 day ago

Find me a place where he says he'd never advocate raising it.

petertodd (Peter Todd - Bitcoin Expert) -1 points 1 day ago

I'm a much better example than Luke-Jr... and my position is I expect that the science of decentralized blockchains will advance to the point where the notion of a "blocksize limit" doesn't even make any sense anymore. (e.g. my treechains concept has that goal in mind)

i_wolf 3 points 1 day ago

Good. Then there's no reason why the limit shouldn't be raised to fulfill growing demand while the science isn't ready yet.

Also if treechains and other offchains are so good that people would eagerly use them instead of blockchain, then there's no reason for the limit: blocks just will not grow.

shesek1 3 points 1 day ago

    treechains and other offchains

Peter's treechains proposal is not an offchain solution.

https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg04388.html

i_wolf 1 point 19 hours ago

Then we can safely raise the limit.

petertodd (Peter Todd - Bitcoin Expert) -1 points 1 day ago

Well, tl;dr: the supermajority of Bitcoin devs, including myself, see raising the limit right now as a last-resort measure with significant downsides.

i_wolf 2 points 19 hours ago

The blocks are 40x larger today than 5yrs ago. What significant downsides do you see in this fact, that would make reducing the limit to 10kb desirable?

luckdragon69 -1 points 1 day ago

Mike Hearn thinks your supermajority is in the minority LOL.

petertodd (Peter Todd - Bitcoin Expert) -1 points 1 day ago

    We could also see technological advances where 1MB today is like 1KB of 20 years ago, and no one would think twice about making it 2MB or 20MB.

Indeed we may! Once those technological advances have happened and have been shown to work, coming to consensus to raise the blocksize appropriately probably won't be hard; until then, without those technological advances raising the blocksize significantly reduces the security margin of the Bitcoin system.

    Hearn thinks that someone not being able to send a nickel for under a penny fee is an emergency, so that's why he's advocating for this so strong.

Indeed - I and many others simply don't agree with him.

i_wolf 1 point 19 hours ago

    without those technological advances raising the blocksize significantly reduces the security margin of the Bitcoin system.

Raising the limit doesn't raise the block size; blocks grow due to the growth in demand. Skyrocketing demand for transactions implies security is sufficient in the eyes of the market. Higher adoption brings more decentralization and security. Bitcoin is much more secure now than 5yr ago with 1kb blocks. Rejecting the demand cripples Bitcoin's utility and value and prevents further decentralization and endangers its growth when it's needed the most.

platypii 0 points 1 day ago

He supports scaling transactions through payment channels, which are trustless.

aminok 3 points 1 day ago*

and also unproven as full substitutes for on-chain txs, and also need a higher block size limit even if they work perfectly.

Throwahoymatie 2 points 1 day ago

What ever shall we do?

Adrian-X 12 points 1 day ago

Run an XT node?

Apatomoose 2 points 1 day ago

If anything is going to get done we need strong leadership with a coherent plan. Gavin and Mike have that. I'm not seeing it from the other side.

VanquishAudio 1 point 1 day ago

What would happen if we increased the block size while the network was super congested? Would that fix the delay for all new transactions?

Do we have to wait for every big miner to agree to one update before everyone starts updating their Bitcoin client? What would happen if only a fraction of Bitcoin nodes updated their software?

I'm not too technically proficient in Bitcoin so excuse me for poor terminology!

Apatomoose 2 points 1 day ago

Most of the miners have to upgrade to the new version before the change takes effect or the blockchain will split in two.

VanquishAudio 1 point 1 day ago

I've heard that so what does that imply? Can 2 coexist?

Apatomoose 2 points 1 day ago

A split would be a very bad thing. It would cause a lot of uncertainty about which side will win out. It also causes compatibility issues. If a customer is running on one fork and a merchant is running on another then the customer can't pay the merchant. A divided network isn't as strong as a unified one.

The way a split is avoided is each miner includes the number of the version they are running in each block header. A change doesn't go into effect until a minimum number of the last X blocks, 800 out of the last 1000, for example, have the version for that change. That way a change doesn't happen until everyone is on board.

But getting everyone on board can take time.

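
The rollout rule Apatomoose describes, as an added example that is not part of the thread and not Bitcoin Core's own code: a sliding-window check over block header version numbers that reports the height at which "800 out of the last 1000" blocks carry the new version. The window and threshold come from the comment; the version numbers 3 and 4 and the adoption curves are constructed assumptions.

```python
"""Supermajority activation check over block header versions.

Added example, not code from the thread or from Bitcoin Core. It models
the rollout rule described above: a change takes effect only once at
least THRESHOLD of the last WINDOW blocks carry the new version number.
The chains below are constructed sample data; the version numbers are
hypothetical.
"""
from collections import deque

WINDOW = 1000       # look-back window from the comment
THRESHOLD = 800     # "800 out of the last 1000"
OLD_VERSION = 3     # hypothetical: blocks from miners who have not upgraded
NEW_VERSION = 4     # hypothetical: blocks signalling the new rule


def activation_height(versions, new_version=NEW_VERSION,
                      window=WINDOW, threshold=THRESHOLD):
    """Return the first height at which at least `threshold` of the last
    `window` block versions are >= `new_version`, or None if that never
    happens. Keeps a running count so the scan is O(n), not O(n*window)."""
    recent = deque()   # versions of the last `window` blocks
    signalling = 0     # how many of those are >= new_version
    for height, version in enumerate(versions):
        recent.append(version)
        if version >= new_version:
            signalling += 1
        if len(recent) > window:
            if recent.popleft() >= new_version:
                signalling -= 1
        if len(recent) == window and signalling >= threshold:
            return height
    return None


def build_chain(phases, old_version=OLD_VERSION, new_version=NEW_VERSION):
    """Construct block versions from (block_count, num, den) phases: within
    each phase, num out of every den consecutive blocks carry the new
    version. Deterministic, so the activation height is reproducible."""
    versions = []
    for count, num, den in phases:
        for i in range(count):
            versions.append(new_version if i % den < num else old_version)
    return versions


def signalling_share(versions, new_version=NEW_VERSION, window=WINDOW):
    """Fraction of the last `window` blocks that signal the new version:
    the number a node operator would watch to see how far a rollout is."""
    tail = versions[-window:]
    return sum(v >= new_version for v in tail) / len(tail)


if __name__ == "__main__":
    # Constructed adoption curve: 500 blocks with nobody upgraded, then
    # 1000 blocks with half the hashrate signalling, then 1000 with all
    # of it. Activation lands partway through the last phase (height 2099).
    chain = build_chain([(500, 0, 10), (1000, 5, 10), (1000, 10, 10)])
    print("activates at height", activation_height(chain))
    # Half the hashrate never clears the threshold, so the rule stays off;
    # this is the "getting everyone on board can take time" case.
    stalled = build_chain([(3000, 5, 10)])
    print("stalled rollout activates at:", activation_height(stalled))
    print("signalling share in last window:", signalling_share(stalled))
```
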
livinincalifornia 1 point 1 day ago

Raise the block limit dynamically through a system based algorithmically on availability of resources and transactions per second.

usrn 1 point 23 hours ago

Shouldn't that be a next step? Bitcoin is still small and we have plenty of time experimenting.

Also, personally I couldn't care less about Chinese miners and volume inflating/fractional reserve playing shady Chinese exchanges.

ganesha1024 1 point 8 hours ago

To grease the wheels of consensus, we need to create honourable ways for the opposition to change their mind. If consensus can only come from a very public figure of the community tucking tail and supplicating, it probably won't happen. If instead they can save face and continue to be well respected while changing their minds, then we have a chance at consensus.

So basically we need to have a culture in which people can admit they were wrong without getting humiliated.

Just something to think about.

bcn1075 0 points 1 day ago

I didn't realize how divided the bitcoin core devs were until listening to this. Bitcoin is starting to look like a startup with a leadership team (core devs) that are unable to execute because of infighting and misalignment.

thieflar 10 points 1 day ago

First time you've ever closely inspected a large open source project's development, eh?

kvnn 4 points 1 day ago

You are paying attention to the wrong things. Look at the release log. This "debate" is certainly distracting, but it's not halting development by any means.

yyyaao -3 points 1 day ago

Mike is even less trustworthy than Gavin when it comes to preserving Bitcoin's foundation of value: decentralization.

Those who want another Paypal can use the Hearndresen-fork, I'll stay with Bitcoin.

i_wolf 1 point 18 hours ago

Bitcoin is far more decentralized today with 400kb blocks than it was with 10kb blocks. Decentralization is a function of adoption. Limiting adoption limits decentralization.

ProHashing 0 points 11 hours ago

This headline makes it seem as if the debate is between retaining the existing block size and increasing it.

While there are some people in favor of retaining the existing size, it's not accurate to say that the debate is primarily about that issue. Most people support an increase but cannot agree on the size of the increase or its parameters. It's important to keep a balanced view of this topic.

smartfbrankings 1 point 10 hours ago

No, this is not an accurate assessment.

ProHashing 1 point 10 hours ago

Since there are no concrete numbers, we'll have to agree to disagree.

It may be true that the developers are more likely to support keeping the blocksize small, but in these posts it's difficult to find users who agree with that sentiment.

smartfbrankings 1 point 9 hours ago

The idea that core developers should be excluded from the debate is completely wrong.

donbrownmon 1 point 10 hours ago

    Most people support an increase but cannot agree on the size of the increase or its parameters. It's important to keep a balanced view of this topic.

The other devs 'can't agree' because they're not interested in coming to agreement. They want to push Blockstream's technologies and make money consulting on those.

Gavin Andresen: "A lot of people are pushing me to be more of a dictator (like Mike) ... that may be what has to happen with the block size. I may just have to throw my weight around and say this is what it's going to be. If you don't like it, find another project." (youtube.com)

submitted 1 day ago by lorempsum

BluSyn 39 points 1 day ago

I would certainly prefer this not to happen. However, at some point somebody has to actually do something. Preferably before it's too late. If Gavin is the only one willing to actually make a decision, then so be it.

I would prefer to have broader agreement across the core devs. This seems very unlikely currently.

clone4501 14 points 1 day ago

Core developers are not the only Bitcoin stakeholders. Consensus as applied to Bitcoin is a vague term. A better word is needed because the community is too large to reach a consensus on just about anything.

pluribusblanks -3 points 16 hours ago

Consensus is not a vague term at all. Consensus is greater than 50% of the fully validating nodes. If greater than 50% of the nodes adopt the change, the change happens. If they do not, the change does not happen.

Gavin cannot dictate anything. Even if he commits the change to Bitcoin Core on Github, he cannot force node operators to upgrade. If the majority of node operators do not upgrade, the network remains exactly as it is today.

MarshallBanana 9 points 13 hours ago

    Consensus is not a vague term at all. Consensus is greater than 50% of the fully validating nodes. If greater than 50% of the nodes adopt the change, the change happens. If they do not, the change does not happen.

That's not remotely what "consensus" means, nor is it how Bitcoin works.

awemany 1 point 9 hours ago

Consensus is 50% of the mining power. That's rule zero.

aminok 10 points 1 day ago*

    This seems very unlikely currently.

Well gmaxwell put forth some possible approaches to doing the hard fork, and if he takes it further and makes a specific proposal, there could be a major shift in the core dev stance. Pieter has always seemed to be quite open-minded about how to define decentralization, and by extension, the optimal block size limit.

BluSyn 5 points 22 hours ago

Agreed. Pieter seems pretty reasonable, and I've discussed this with him in person. We disagree on some details, but I think he's interested in finding a good balance.

Everything so far is pretty theoretical. I do hope maxwell or someone will actually put in an official BIP that can be directly discussed, rather than many wildly different counter proposals.

rydan 3 points 19 hours ago

They all made decisions. You and Gavin just don't like them. But don't kid yourself and say they made none.

viajero_loco 4 points 9 hours ago*

That would be a very dangerous thing to do. I really don't get why /u/gavinandresen is pulling this discussion onto a public stage, instead of keeping it on a technical level, where it belongs?!

Why, for example, are /u/nullc's and others' concerns not being addressed?

    Right. The most important thing is to first understand and accept that there is a fundamental trade-off between the cost of verifying the network and its decentralization. I would be much much more gung-ho about increases to block size if they were modest and not being proposed against super-massive consolidation in node operations and mining that we've seen since 2011;
    and if they were accompanied by the controls that would avoid completely undermining the long term security model of Bitcoin.

http://www.reddit.com/r/Bitcoin/comments/394k1t/petertoddbtc_gregory_maxwells_confidental/cs0g85v

I mean, pretty much all the other developers besides Mike are opposed to his proposal.

And now Gavin is using the /r/bitcoin torch and pitchfork crowd to back him up. That strategy is fucking ridiculous and might very well be the end of bitcoin in the long run!

This decision has to be made by ppl with the actual technical knowledge and by seriously considering the different tradeoffs, not by /r/bitcoin!!!

btcdrak 8 points 8 hours ago*

Preach it brother. It's interesting as the dust settles more and more people are seeing the weird politics that Gavin/Mike have been playing and more people seeing there are valid concerns from practically every other technical peer.

To be disregarding so many technically competent people is foolhardy and arrogant.

The hard forking coup is surely to fail spectacularly though: no-one is going to seriously risk their business by trying to force consensus. The only people claiming victory are people with nothing to lose. Go long on popcorn because this might be the best way for the bad apples to fork themselves out of relevance.

I might point out that Gavin did force the issue once before with P2SH (BIP16). He rushed it with sky is falling urgency. No-one used it for 2 years, then when it was finally used in the wild we found serious issues and limitations with it (all too late). BIP17, the counter proposal was not just better but light years better.

john_doe_1337 1 point 9 hours ago

I can't agree more, brother. The primadonna has gone too far. He labeled good developers 'poisonous' in the past, he is throwing 'his weight' here and there. The emperor of the dust.

Bitcoin_Error_Log 1 point 8 hours ago

Gavin has been compromised and we don't need him anyway.

VP_Marketing_Bitcoin 12 points 1 day ago

Then do it already.

muchwaoo 12 points 14 hours ago

Fine. Just do it Gavin :)

[deleted] 18 hours ago*

[deleted]

awemany 2 points 9 hours ago

    Please let Bitcoin prosper AS IT WAS DESIGNED.

Exactly. And as it was designed and proposed by Satoshi himself.

And this guy predicted the current messy situation as far back as 2010.

clone4501 38 points 1 day ago*

No one can fault Gavin for trying to reach consensus. He worked hard at it and for a long time. Let's face it, with such a large, diversified, and dispersed community, consensus is virtually impossible. The most anyone can hope for is to have enough of the major players and community leaders on board to compel the rest of the community to comply, and a majority is then achieved.

oakpacific 4 points 12 hours ago

    with such a large, diversified, and dispersed community consensus is virtually impossible.

Funny thing, that's exactly what Bitcoin was built to solve.

laisee 14 points 23 hours ago

Blockstream is blocking, for commercial reasons. Likewise, other naysayers have agendas which they will not openly discuss.

Adrian-X 18 points 21 hours ago

I have an agenda; I'll disclose it for you. I want to see the Bitcoin network grow and benefit society.

I don't want other blockchains (sidechains) with rules like PoS or inflation coin to leverage off the Bitcoin network. We are not the economic majority; the network the economic majority use will be the one. I'm invested in making that Bitcoin. The economic majority believe in fairy tale economics and inflation. I don't want to see Adam Back's vision of government sponsored sidechains with all the Keynesian economics fluff siphon off value from Bitcoin; I want it to fail in its own right.

I've asked 3 of the Blockstream developers to conduct an economic impact peer review study and all three said no way. Not one is prepared to invest a fraction of their $21M to challenge the negative side effect sidechains will have on bitcoin.

b_coin 0 points 18 hours ago

    Not one is prepared to invest a fraction of their $21M to challenge the negative side effect sidechains will have on bitcoin.

You should read this last sentence again and think about the potential negative side effects for Blockstream. Suddenly you will realize free market forces don't move in the same direction as logic...

awemany 1 point 9 hours ago

    He worked hard at it and for a long time.

For years, one might add. And, simply put, he wants to keep Bitcoin true to its original vision, which was also proposed by Satoshi.

A Bitcoin that is able to scale to very high transaction rates!

Bitcoin_Error_Log 1 point 8 hours ago

That's why Bitcoin is awesome, and why decentralization is a design choice of safety and security, not speed and convenience.

KevinBombino 15 points 22 hours ago

Action is better than inaction. If it sucks, we can always change it back. I'm with you Gavin.

Vibr8gKiwi 9 points 16 hours ago

They already have found another project. You're just letting them control bitcoin to help that other project. Stop talking and just do it.

everydaymotherfucker 10 points 17 hours ago

Just do it and get it over with.

DanSantos 4 points 1 day ago

Can anyone give me a basic run-down of the debate? I'm a little lost.

treebeardd 6 points 1 day ago

The question: Should we expand blocksize from 1MB?

Pro-increase: More transactions possible per block/per second.

Con-increase: More "low-value" transactions sitting in the blockchain, forever.

eragmus 11 points 1 day ago*

Actual argument...

Pro increase: There is a crisis emerging and we need to act now with a forceful 20x increase to avoid hitting the transaction/second limit! We can worry about the impact on running nodes (keeping the network decentralized) later.

Con increase: There is no crisis, let's remember that nodes have been declining, and that nodes will be under further pressure and harder to run if blocks increase 20x. Let's increase it less, and give more time for true scalability solutions to emerge, and time for internet bandwidth to increase so that increasing block size does not make nodes more difficult to run. If it turns out the network is under more pressure with transactions increasing quickly, we can form consensus quickly to raise the block size to deal with it. But, let's not rush into hasty decisions now itself.

Also, comment by 'GreenAddress', which is technically a very sophisticated wallet provider:

    "GreenAddress is against immediately increasing the block size with disregards to centralization issues, especially without consensus. We don't think one megabyte is a magic number or the final answer but increasing to 20 megabytes today doesn't make the blockchain scale on its own, you still need likes of lightning network, payment channels and who knows, maybe sidechains or treechains. In our mind increasing the block size like this is just pushing the problem a little further at potentially unfixable costs."

fwaggle 12 points 1 day ago

That's not really a genuine reflection though, because miners and node operators will still be free to specify a 1MB block limit for the foreseeable future via a configuration option on their clients.

The issue is that if we do hit that limit and it turns out to be a problem, it's a lot easier to convince 51% of miners to enable the option for large blocks than it is to hurriedly push out a patch, test it, and encourage every single node to upgrade when it does become an issue.

dooglus -3 points 22 hours ago

    miners and node operators will still be free to specify a 1MB block limit for the foreseeable future

Miners will still be allowed to mine small blocks, sure, but miners and node operators will need to download and validate up to 20MB of junk transactions every 10 minutes. You can't opt out of that spam without opting out of being a full node. Full 20MB blocks would make it impossible for some to continue to run a full node. And the whole "20MB is just the limit" argument doesn't work. If an attacker wants to, he can easily create enough junk transactions to fill 20MB blocks at relatively little cost.

seweso 6 points 17 hours ago

What attacker can spam the blockchain AND guarantee that it's actually mined? A 20Mb cap doesn't mean all blocks will suddenly be 20Mb, that's insanity.

i_wolf 5 points 16 hours ago

    miners and node operators will need to download and validate up to 20MB of junk transactions every 10 minutes.

The evidence rejects your theory. Nobody needs to download 1MB junk transactions every 10 minutes just because the limit is 1MB.

Can we stop fantasizing and stick to reality already? I'm tired of hearing such arguments over and over again.

persimmontokyo 4 points 13 hours ago

Remember Dooglus abandoned bitcoin to promote Clams.

i_wolf 2 points 13 hours ago

I hope they make 1KB limit, for true decentralization.

ncsakira 2 points 15 hours ago

Well, they are miners; if they do not want to process transactions, they may as well move to other coins where there are almost no TXs.

eragmus 0 points 23 hours ago

Hmm, you make good points, and I'm not sure what the counter-argument is against modification of the miner soft block size limit, or if there even is one.

But, I'll disagree over this point:

    it's a lot easier to convince 51% of miners to enable the option for large blocks than it is to hurriedly push out a patch, test it, and encourage every single node to upgrade when it does become an issue.

The argument made is that the patch can be created and tested beforehand (now). Further the 'communication' aspect needed to communicate with all parties (nodes, miners, large companies, etc.) would also be done now itself. The 'emergency patch' would then be ready for quick implementation, if and when the time came.

i_wolf 7 points 15 hours ago

    There is a crisis emerging and we need to act now with a forceful 20x increase to avoid hitting the transaction/second limit! We can worry about the impact on running nodes (keeping the network decentralized) later.

There's no forceful increase. Increasing the limit will not make blocks bigger. The 1MB limit has been in place for the last 5 years; it didn't affect any running nodes at all. The increase is planned for 2016, not now. Decentralization comes from adoption; adoption comes from usage, not from limits.

    There is no crisis, let's remember that nodes have been declining, and that nodes will be under further pressure and harder to run if blocks increase 20x.

The nodes declining has nothing to do with the block limit. Increasing the limit will not suddenly make all blocks 20MB. If there's no crisis, then it's safe to upgrade now. Advocating for a hardfork during a crisis is literally asking for a crisis and much more dangerous than today when it's calm.

Actual number of running full nodes doesn't reflect decentralization, by the way. Many people can run full nodes but don't see it as necessary, because Bitcoin is perfectly safe at the moment. What you suggest is to forcefully "decentralize" Bitcoin without actual reason by crippling its utility, which will prevent actual decentralization.

    Let's increase it less, and give more time for true scalability solutions to emerge,

Raising the limit is exactly what gives more time for other solutions. It's also the first necessary and unavoidable step for all other solutions.

    and time for internet bandwidth to increase so that increasing block size does not make nodes more difficult to run.

Increasing the limit doesn't affect bandwidth requirements. But rejecting the demand for transactions reduces the number of new nodes and miners that would appear due to spike in adoption and price.

    If it turns out the network is under more pressure with transactions increasing quickly, we can form consensus quickly to raise the block size to deal with it. But, let's not rush into hasty decisions now itself.

"If it turns out", really? If it turns out that blocks will never ever grow up to 1MB, then we can consider it dead already. If we don't anticipate growth in demand, then everything is useless. But if we do, then postponing hardfork to the times of crisis doesn't make any sense.

Noosterdam 2 points 22 hours ago

Sounds like GreenAddress just read one recent particular comment of Greg Maxwell's here and parroted it :/

ThePenultimateOne 2 points 1 day ago

Two clarifications, if I may.

1) the pro side doesn't say the impact on nodes will be fixed later, they say that the impact won't be immediate and there are already some scaling solutions (though not enough to get 20x more efficient).

2) many in the con side do not support an increase at all. I would say that the quiet majority support a smaller increase, but you would be remiss to not include this third camp.

eragmus 1 point 1 day ago

Agreed with the clarifications.

Regarding 2), I'll add that those who say "no increase at all" or "decrease the block size" are just as extremist as the "raise the block size 20x" folks.

I'm advocating a sensible middle ground that represents a real compromise between the two camps, and thereby takes into account the legitimate concerns of both sides.

mmeijeri 1 point 21 hours ago

Many? Who are these mysterious 1MB forever proponents? I don't think I have seen any, let alone many.

gizram84 0 points 11 hours ago

    nodes will be under further pressure and harder to run if blocks increase 20x

How so?

eragmus 0 points 7 hours ago

Extra bandwidth requirement, since it takes more bandwidth to transmit 20x more data (20MB vs. 1 MB).

gizram84 1 point 7 hours ago

But again, as has been pointed out like a few hundred billion times, blocks won't just magically jump to 20mb. This is just an upper limit increase.

eragmus 1 point 7 hours ago

True, but then where is the research that shows at what rate blocks will get filled, and so at what rate bandwidth demand will increase? Hand-waving claims of "many years until blocks will be bigger" lack weight.

Cocosoft 1 point 11 hours ago

    We can worry about the impact on running nodes (keeping the network decentralized) later.

That's not true. Gavin has pretty clearly thought about the impact on running nodes. Read his blog posts.

eragmus 1 point 7 hours ago*

He said this:

    Twenty megabytes downloaded plus twenty megabytes uploaded every ten minutes is about 170 gigabytes bandwidth usage per month

It's not trivial that a node will go from needing 8.5 GB to 170 GB (equal to 5.7 GB/day). Most internet connections come with data caps of about 250 GB on average, or less. Having to spend 68% of your cap just for 1 node seems absurd, compared to the prior 3.4%. This is like making the choice of running a node and having a cap of instead 80 GB, rather than 250 GB. I can't possibly rationalize this, which means I'd likely never run a node.

The 20x increase in bandwidth also means 33 KB/s download and upload, but this is much more minor.

usrn -2 points 23 hours ago

Stopped reading at "crisis". Stop overdramatizing the situation.

eragmus 1 point 23 hours ago

Please read this similar criticism of my usage of the word "crisis", and the ensuing responses:

    https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs05nnf

thieflar -1 points 1 day ago

I don't think anyone intelligent actually believes that a "crisis is emerging". Certainly no core devs have made that absurd claim.

That is absolutely disingenuous to pretend like that's the actual argument.

eragmus 6 points 1 day ago

It's not disingenuous, as this is in fact the argument. Gavin and Hearn both argue this (Gavin says transactions will soon hit a 'wall' and Hearn talks about the coming capacity 'cliff' -- the implication and direct suggestion being that this is a 'crisis' that needs to be addressed). See their various blog posts.

thieflar 4 points 1 day ago

You know what? I'll actually concede this point. Solid defense.

eragmus 3 points 1 day ago

Thanks!! :) Now if only we could have a nice facts-only debate over every other aspect of this issue, there would be no problem. The core members themselves need to have such a debate, preferably in a single public Reddit thread in which only they can participate... why they don't, is beyond me.

thieflar 4 points 23 hours ago

Interesting idea. I don't necessarily agree that reddit is the best venue for this to take place in (the dev mailing list might be more appropriate), but I think setting aside one particular day for the core developers to hash things out and come to a verdict of some sort is a fantastic idea.

Paging /u/gavinandresen, /u/pwuille, /u/jgarzik, /u/luke-jr, /u/nullc, /u/petertodd, /u/mikehearn, and /u/luke-jr -- does this not sound like a good idea? Scheduling a particular timeslot or day for everyone to civilly discuss the different proposals and options available, voicing your respective concerns and preferred courses of action and doing whatever is possible to come to some sort of agreement?

thieflar 2 points 23 hours ago

(I do realize that all of you have posted your various thoughts on the subject in blog posts and comments scattered around the web, but the idea here would be a consolidated discussion where the focus was on the merits and demerits of each specific proposal and everything could be aired out in one go.)

eragmus 2 points 23 hours ago

+21,000,000

Specific, focused, concise, point-by-point debate, where the facts alone reign supreme.

martinBrown1984 4 points 22 hours ago*

The block size debate is more political than technical because the issues in question are more economic than technical. The technical issues are easy to settle by facts, e.g. what's the max block size that could be supported with current average node bandwidth? (supposedly 8MB blocks, not 20MB).

But the political/economic issues would not be easily settled by point-by-point debates. Would a larger block size increase "centralization" (i.e. lead to fewer full nodes)? Is it preferable to have more full nodes? Is it preferable to have low transaction fees? Should users be able to pay for coffee with on-chain transactions? The answers to such questions depend on whether you ask a miner, a user, or an Austrian Economist, and so on. It comes down to political views and opinions, not facts.

Noosterdam 2 points 22 hours ago

I think they'll say that's what they do on the mailing list already. Reddit does have the advantage of threaded comments making things easier to follow, but not everyone likes that. Perhaps the mods could sticky the post at the top and forbid anyone else to comment (perhaps after a week or so).

awemany -1 points 9 hours ago

The 250kB softlimit can aptly be described as a crisis...

awemany 1 point 17 hours ago

We had a confirmation time mess when we ran into the too-low default softlimit (was it 250kB) a while ago.

It was horrible. So I very much think their point is valid.

eragmus 1 point 7 hours ago

It's an issue for a small amount of time (matter of days), until the emergency patch would be implemented. Then, confirmation time issues gone. No permanent damage.

optimiz3 2 points 23 hours ago

Smaller blocks = higher fees due to increased competition to get transactions recorded.

Miners want smaller blocks, users want lower fees.

i_wolf 5 points 17 hours ago

    Smaller blocks = higher fees due to increased competition to get transactions recorded.

You're assuming people are willing to pay them.

Cocosoft 0 points 11 hours ago

If miners are stupid and short mined, they would want 1KB blocks.
But almost everyone (including miners) want bitcoin to succeed in the long run (as a system that "everyone" can be a part of).

mmeijeri 1 point 21 hours ago

No, the question is not whether we should increase the block size limit. Nearly everyone agrees we will need to do so eventually. The dispute is over when to do it and by how much and whether to do it without near consensus or not.

BTCisGod -4 points 18 hours ago

Alright, wake me up when that's decided and I'll buy back. Otherwise I don't really see any point holding toy bitcoins.

Logical007 14 points 1 day ago

Pretty much.

If people don't like it then they won't upgrade or will go to another "coin", simple as that.

dooglus 5 points 21 hours ago

If people don't like Gavin's new version of Bitcoin they can stay with the original Bitcoin. I expect both will be traded on exchanges and so the market can decide which it values.

seweso 2 points 18 hours ago

Most people will have coins on both sides of the fork. And you should be able to send transactions to both. It's the value of newly mined coins which is most interesting. Actually the whole fork is super interesting. I already want to grab a bag of popcorn!

pizzaface18 62 points 1 day ago*

He's not a dictator because it takes the market of exchanges and miners to make it happen. It sounds like majority of them are already onboard. The only folks that are against it are the blockstream guys. Coincidence?

lorempsum[S] 8 points 1 day ago

Once the change is part of the official Git repository, uses the "Bitcoin" name, is offered for download on bitcoin.org, and is packaged in Linux repositories under the name "bitcoin", it would be very hard to stop that change from happening.

Whoever has the power to do these things has a lot of power over Bitcoin. Do not underplay the importance of that.

sgornick 4 points 13 hours ago

Maybe hard to stop it from happening, but without near universal consensus it is not hard to make that end up being a foolish, catastrophic move.

lorempsum[S] 11 points 1 day ago

Enough with that "the core devs are against that because of blockstream" nonsense. There are core devs who oppose it and have nothing to do with blockstream, and the ones who are related to blockstream have publicly stated their opinion long before sidechains were a thing.

everydaymotherfucker 11 points 17 hours ago

There is a conflict of interest NOW. Whether there was one before blockstream was a thing is irrelevant.

exo762 13 points 18 hours ago

There is no proof that "some of core devs are against block size change because of blockstream". But there is an obvious conflict of interest here.

And the worst thing: those guys

1) don't have experience running huge services (fee market? more like price diving into the $20-$50 range because of panic and loss of trust)

2) don't really offer any solutions. Peter Todd gives a great example of "leadership" by summoning a huge amount of "what ifs" (e.g. "if govs all around the world crack down on Bitcoin, we will not be able to run nodes behind Tor" nonsense).

[deleted] 12 hours ago

[deleted]

chrisrico 2 points 11 hours ago

Check your bullshit. Peter Todd is the #15 committer to the bitcoin repository, as github clearly shows.

laisee 24 points 23 hours ago

Blockstream has a vested interest in delaying an increase in block size until their solutions are ready. Someone holding an opinion on block size before the company was created does not mean there is not a conflict of interest now. There are 21M reasons why this might be the case.

zombiecoiner -2 points 22 hours ago

Large companies and governments have a vested interest in a block chain that requires more resources to access. What do I worry about more? One Blockstream or 100 Coinbases? Who is able to do more damage if they get their way?

killer_storm 4 points 19 hours ago

Yes, people who were in favor of sidechain-like approaches were more likely to join Blockstream. E.g. Greg Maxwell described a similar approach back in 2013.

aminok 7 points 1 day ago

Agreed. The Blockstream folk obviously care deeply about Bitcoin and it is this that motivates their stance on the block size limit proposal. Sidechains and the LN, both of which Blockstream is working on, are super positive for Bitcoin, and we should all be glad for Blockstream's existence for moving these concepts along.

donbrownmon 1 point 11 hours ago

    the ones who are related to blockstream have publicly stated their opinion long before sidechains were a thing.

Well, what was blockstream working on before sidechains?

usrn 3 points 23 hours ago

What would these miners and exchanges do without users?

The users rule this space not exclusively miners and (hopefully) soon to be useless exchanges.

pizzaface18 -1 points 23 hours ago

Ya, when bitcoin is the de facto currency of the web, but we're not there yet, so we need KYC gateways into and out of crypto.

eragmus -4 points 1 day ago*

List which core devs / core committers (the real experts and architects and writers/maintainers of Bitcoin) are for the 20MB increase, and which are not. I think you'll be quite surprised at the wide gulf in opinion for/against the increase... and hence the absurdity of Gavin's totalitarian 'my way or the highway' statement.

awemany 9 points 17 hours ago

Bullshit! Gavin repeatedly changed his proposal to try to please the naysayers that like to have Bitcoin hit the blocksize wall. He never, ever went 'my way or the highway'. Not even now, he's basically saying, 'ok, I am going to fork and let the market decide'. Nothing totalitarian about this at all.

Gavin worked on this and argued for an increase for years. To have reliable planning of the hardfork, well in advance.

Without any constructive counter proposal by Greg and the others.

eragmus -1 points 7 hours ago

Are you aware that 20MB means 170 GB/month or 5.7 GB/day of bandwidth is required per node? My Comcast cable 105/10 Mbps service has a data cap of about 250 GB. 170 GB is 68% of the cap, leaving me 80 GB free in a month for my regular internet activities. That is insane... and so I would never cause my effective cap to drop to 80 GB just to run a node.

This is the main problem with the 20MB block size increase. My internet service is much better than most people's, yet even I would not be able to run a node.

conv3rsion 1 point 5 hours ago

120 mb per hour is 2.8 GB per day (20 x 6 x 24) or 62 GB per month. This is only if 100% of blocks were completely full 24 hours a day.

I really don't think people need to be able to run nodes from their homes, but it still isn't a problem in this scenario for most people.

eragmus 1 point 3 hours ago*

The math is incorrect:

20MB up AND down = 20+20 = 40 MB every 10 minutes

40 MB * 6 = 240 MB every 1 hour

240 MB * 24 * 30 = 172,800 MB = ~170 GB/month

And yes, it only applies with 100% full blocks, but we don't have real research in this debate to inform us of what to really expect in terms of the rate of block size increase. Because of this, and because 170 GB/month is really excessive, a 20MB increase doesn't seem advisable. We need to address the research concern, at least, so we have hard data on what to expect and can model better.

conv3rsion 1 point 2 hours ago

You are telling me your 250 GB cap includes upload bandwidth?

eragmus 1 point an hour ago

Yep.

pizzaface18 23 points 1 day ago

Your highway is a single lane dirt toll road. Gavin wants to pave it.

hellobitcoinworld 12 points 1 day ago*

Based on every single poll I've ever seen on the subject of whether or not to increase the blocksize, the majority of people do want the increase. In fact, I've never come across a poll where the majority did not want to do it.

So why would you put what a smaller group of individuals wants over what the masses want? That makes no sense and seems highly dictatorial.

It actually matters more what the majority of the bitcoin users want.

So, I ask: why do some people (such as yourself) negate against what the majority seems to want?

eragmus 15 points 1 day ago*

The coders understand the complexity, as they wrote the actual Bitcoin software. The masses understand it at a far more superficial level. I choose the experts over the mob any day.

Also, you make a complete straw-man argument, since the extreme majority of the 'experts' also support an increase, only disagreeing with the amount of increase and time frame.

hellobitcoinworld 12 points 1 day ago

That's like saying that no one else's opinion matters though, even the majority.

Also coders are not necessarily financial experts. I don't trust a coder to be any more skilled at determining the specifications of a piece of financial software.

I really think we're dealing with politics here more than anything else.

laisee 6 points 23 hours ago

Exactly. Ability to code one github repo of c++ code does not an economist make. People talking about 'fee markets' when it's clear they know very little about how markets can, and do, fail.

Noosterdam 8 points 22 hours ago

Fee markets would work, but code changes have to be made, and there are risks. Testing would be required. In fact the risks of hitting the hard cap seem to outweigh the risks of bigger blocks.

Somehow, though, a number of people have managed to reframe Satoshi's temporary measure as a new "core tenet of the Bitcoin social contract," and although the very nature of the cap means it has no effect until hit, so that hitting it is a huge change in the way Bitcoin works from the heretofore norm of being uncapped in any presently effective way, they have gotten away with painting those who want to maintain the status quo of how Bitcoin operates - growing continually without being effectively capped - as some kind of radical "change," when it is they who want the radical change, justified only by the technical triviality that the relic cap happens to still be in the code largely due to these same people's blockading. The circularity and topsy-turviness of that position is dizzying.

approx- 5 points 19 hours ago

That's a really good point actually - advocates of a 1MB block actually want to change Bitcoin, since up to now, the cap hasn't been hit for any extended period of time.

solex1 6 points 15 hours ago

Correct. This is the most insidious aspect of the 1MB: it is dormant software.

Until recently it has had no effect, so Bitcoin has effectively functioned for 6 years without a block size limit. Imposing one now is the radical change, a radical economic experiment which has a far higher probability of causing harm than good.

zombiecoiner 2 points 22 hours ago

What if it were a roundtable of top economists saying that we should keep this limit? Would the majority here be with or against them? Do knowledge and/or credentials matter with a crowd making a popular vote?

justusranvier 5 points 11 hours ago

Depending on your source of "top economists", their credentials could count against their credibility.

hellobitcoinworld -2 points 23 hours ago

Yes, plus look at what the majority wants. It's very clear:

http://www.reddit.com/r/Bitcoin/comments/3947ck/multiple_polls_results_regarding_bitcoin/

eragmus 5 points 1 day ago

I'm not saying that, of course. Obviously the masses' (users') opinion matters. However, it is simply a fact that the coders understand the complexity of the matter more than the users do. Why am I saying this? Because they have written the Bitcoin software, which involves meticulously considering at every turn how they are affecting the incentives (economic, game theoretic, and otherwise) involving miners, users, developers, nodes. Users just use the software and read superficially what they come across. The people (coders) who are actually writing the software are 'applying' what they have read and learned in practice. This makes them more of an expert on the matter.

I don't think it's politics at play. Those against the 20MB increase are against it primarily because of the effect it has on increasing bandwidth required to run a node, by a factor of 20x. This is virtually the argument, summarized in 1 line. This argument is not political, but a matter of keeping the network decentralized by allowing the max number of people possible to run nodes. Nodes decide what rules the network follows, so they are very important.

hellobitcoinworld 1 point 23 hours ago

    Those against the 20MB increase are against it primarily because of the effect it has on increasing bandwidth required to run a node, by a factor of 20x.

It doesn't immediately increase the bandwidth by factor of 20. That will most likely take many years to happen. This change only increases the LIMIT on the block size allowed.

Blocks are not instantaneously going to become 20mb blocks if that update goes into effect.

eragmus 3 points 23 hours ago

I suppose: It would take 1 year before it's even possible to happen, since that's the plan. Further, like you say, miners can mine whatever size they want. If this is all the case, then the argument against raising the limit is lowered, I suppose.

I welcome anyone more knowledgeable to jump in and answer this, if there is an answer.

The only argument that comes to mind is: that nodes still must process everything, both 20MB and non-20MB blocks. So, even if every block is not 20MB, nodes must be capable of it, and so will still be impacted.

approx- 1 point 19 hours ago

Larger blocks means a higher orphan rate. Most miners will begin to selectively include transactions (i.e., only include transactions that have a fee high enough to offset the increased risk of an orphan block). The market will thus tend towards only having fee-based transactions, but those fees will still be quite low and we'll have many transactions still propagating through the network.

In my opinion, keeping transactions free/cheap is a big key to ensuring the eventual success of Bitcoin, at least at this stage in Bitcoin's growth.

CyrexCore2k 2 points 23 hours ago*

    The coders understand the complexity, as they wrote the actual Bitcoin software.

What aspects of the block size debate would significantly benefit from an intricate knowledge of the codebase?

zombiecoiner 5 points 22 hours ago

The code base is a manifestation of the rules and knowledge of much of it is coincident with understanding the weaknesses of the system when it comes to security and independence. So I would say all of it and none of it at the same time.

I have touched little of the code and read only slightly more. I do however understand Bitcoin's weaknesses in the short and long-term as, knowing I'm not going to dedicate myself to core development, I've chosen to at least keep up with them.

People here seem most concerned about making the choice that will lead to greater adoption. Others, like myself, are most concerned with not allowing catastrophic outcomes for the system like centralization and PoW attack.

CyrexCore2k 2 points 22 hours ago

    So I would say all of it and none of it at the same time.

No offense but when you say this it makes your whole comment seem like a non-answer.

From my perspective the discussion about the size increase has primarily been focused on economic concerns. We're pretty far into uncharted territory here and so in that regard the devs are speculating just as much as anybody.

zombiecoiner 0 points 22 hours ago

I was trying to make the point that it's not about the code base itself but about learning about the rules of the system along with how it's used.

It's true that there must be speculation in the face of an unknowable future but those who have studied the system intimately should be able to better model the trade-offs and make a better decision.

CyrexCore2k 2 points 22 hours ago

Now you're hedging. Should or can?

zombiecoiner 0 points 22 hours ago

If you want me to speak in absolutes, I'm sorry to disappoint you. The choice is not clear. I was hoping that you were asking about aspects of the code base because you wanted to know if you should study the code. Instead it seems you wish to argue that people don't need to know about this system to decide its fate.

eragmus 1 point 6 hours ago

Well, the importance of node decentralization, for one, which users just hand-wave away. The impact of 20MB is this:

    https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs0xznd

Thus, many people will stop running nodes, which makes the network more vulnerable.

CyrexCore2k 1 point 6 hours ago

Your comment is a good one but I don't see how it demonstrates that there is a significant benefit to an intricate knowledge of the codebase when discussing the blocksize increase.

eragmus 2 points 6 hours ago*

Hmm, well I suppose I could agree. But, the reason why I'm reluctant to is this: how many of the members of the community understand the point I made above? If they did understand (and it's a simple argument, so I don't see why they wouldn't), then why do people still fervently support 20MB blocks and denounce anti-20MB-ers as having an ulterior motive (zOMG it's Blockstream members and their sidechains business!) and trying to subvert or harm Bitcoin? Where does all this uncalled-for passion and conspiracy theory come from?

I'd propose the reason is they don't understand how important the role of the node is in Bitcoin, and thus how important it is to keep the running of nodes as decentralized as possible. Someone who writes the Bitcoin Core software (the node's software) and understands the technicals of how the protocol works will deeply appreciate the various incentives that make the system work. This includes appreciation for the importance of nodes.

If one understands the bandwidth argument, along with the importance of decentralization of nodes, then one will argue one side or another much more gingerly, instead of being full gung-ho for one side. However, most people are not arguing like that, which is why I think there is a difference in opinion between the coders vs. the users.

CyrexCore2k 1 point 6 hours ago

    I'd propose the reason is they don't understand how important the role of the node is in Bitcoin, and thus how important it is to keep the running of nodes as decentralized as possible. Someone who writes the Bitcoin Core software (the node's software) and understands the technicals of how the protocol works will deeply appreciate the various incentives that make the system work. This includes appreciation for the importance of nodes.

Prior to all of this block resizing debate there were numerous discussions that pointed out nodes will have to be incentivized eventually. Do you feel that nodes will never have to be incentivized if the limit remains at 1mb?

In addition to that, as has been stated in a number of these arguments, the miners themselves can keep whatever soft limit they like. If a pool with 33% of the hashing power decides to keep a soft limit of 1mb that will effectively make the average block size 13.53mb even if every other miner maxes out blocks at 20mb. The miners have adjusted their behavior in the past when it affected the price. Why don't you have any confidence they would do the same in this case?

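The bandwidth arithmetic traded earlier in this thread (20 MB blocks, six per hour, counted both down and up, against a 250 GB cap) and the hashrate-weighted soft-limit average in the comment just above are two instances of one small model, so here is that model in Python as an added example. It is not code from this thread or from Bitcoin Core. The block interval, the 30-day month, decimal gigabytes, the `fullness` and `upload_factor` knobs, and the pool shares in the demo are all assumptions chosen for illustration, not measurements of any real node or pool.

```python
"""Back-of-the-envelope model of full-node block traffic under a size cap.

Added example for this thread (not Bitcoin Core code). Every number below is
a parameter you choose; nothing is measured from a live node.
"""
from dataclasses import dataclass
from typing import Iterable

BLOCKS_PER_HOUR = 6          # assumption: one block per ~10 minutes on average
HOURS_PER_MONTH = 24 * 30    # assumption: the thread's 30-day month
MB_PER_GB = 1000             # assumption: decimal gigabytes, as ISPs quote caps


@dataclass(frozen=True)
class MinerShare:
    """One miner or pool: its share of hashrate and the soft limit it builds to."""
    hashrate_fraction: float   # 0..1, all shares must sum to 1
    soft_limit_mb: float       # largest block this miner will produce


def expected_block_size_mb(miners: Iterable[MinerShare], cap_mb: float) -> float:
    """Hashrate-weighted expected block size.

    Assumes each miner fills blocks up to its own soft limit, capped by the
    consensus limit, and wins blocks in proportion to its hashrate.
    """
    miners = list(miners)
    total = sum(m.hashrate_fraction for m in miners)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"hashrate fractions sum to {total}, expected 1.0")
    return sum(m.hashrate_fraction * min(m.soft_limit_mb, cap_mb) for m in miners)


def monthly_traffic_gb(block_mb: float, fullness: float = 1.0,
                       upload_factor: float = 1.0) -> float:
    """Block bytes a node moves per 30-day month, rounded to 0.1 GB.

    fullness:      fraction of the given size actually used (1.0 = full blocks)
    upload_factor: uploads per block relative to one download; 1.0 matches the
                   'up AND down' assumption in the thread, while a relaying
                   node that serves several peers will sit above 1.0.
    Ignores headers, transactions relayed before inclusion, and initial sync.
    """
    download_mb = block_mb * fullness * BLOCKS_PER_HOUR * HOURS_PER_MONTH
    return round(download_mb * (1.0 + upload_factor) / MB_PER_GB, 1)


def cap_headroom_gb(isp_cap_gb: float, traffic_gb: float) -> float:
    """What is left of a monthly data cap after the node's share; negative means over cap."""
    return round(isp_cap_gb - traffic_gb, 1)


if __name__ == "__main__":
    # Constructed sample inputs, not real pool figures: a third of the
    # hashrate holds a 1 MB soft limit, the rest fills whatever the cap allows.
    pools = [MinerShare(1 / 3, 1.0), MinerShare(2 / 3, 20.0)]
    for cap in (1.0, 8.0, 20.0):
        for fullness in (1.0, 0.25):
            gb = monthly_traffic_gb(cap, fullness)
            print(f"cap {cap:4.0f} MB  fullness {fullness:.2f}  "
                  f"traffic {gb:6.1f} GB/month  headroom {cap_headroom_gb(250, gb):6.1f} GB")
        avg = expected_block_size_mb(pools, cap)
        print(f"cap {cap:4.0f} MB  expected size with sample soft limits: {avg:.2f} MB")
```

With full blocks and `upload_factor=1.0` the function reproduces the 172.8 GB/month of the 20 MB calculation, and `upload_factor=0.0` gives the download-only 86.4 GB. For the sample shares (a third of hashrate at 1 MB, the rest at 20 MB) the weighted expectation comes out at about 13.7 MB. Two caveats the knobs make explicit: a relaying node normally serves each block to more than one peer, so 1.0 is a lower bound on upload, and `fullness` captures the point several commenters make that raising the cap does not by itself fill blocks.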

eragmus 1 point 6 hours ago

Regarding incentives for nodes, if the limit is kept at 1MB, then transactions will eventually fill up the blocks completely and there will be increasing delays for transactions to be included in blocks. There are peaks and troughs in normal activity, but eventually, even the troughs of activity won't be enough to take care of delayed transactions.

In this situation, I'm not sure nodes would behave differently. The 1MB limit would be static either way. It's extra effort to run a node though, even at only 8.5 GB/month or 283 MB/day. Besides understanding the importance of nodes and altruism, there doesn't seem to be much benefit.

So, an incentive structure is probably the best way to address the issue regardless of block size, right? But apparently incentives can result in problems too, and I haven't thought enough or read enough to really speak on it. Surely there must be an intelligent incentive structure to address concerns though! I can't believe that no sustainable solution exists.

In terms of miner soft limits, yes, they can modify the ultimate block size. However, the issue with block size is bandwidth demand's impact on the ease of running a node. I'm not sure this relationship is easily related to the exchange rate, but rather to the intangible benefit of 'decentralization' of the network, making it more resistant to possible bad actors. It's more of an amorphous idea, so we probably need it decentralized as an overarching goal, to help keep the network as strong as possible 'just in case'.

derpUnion 3 points 23 hours ago*

The masses also want moar welfare payments, nice cars, not have to work, moar benefits. Why isn't the government giving what the majority wants? That makes no sense and seems highly dictatorial!

The masses can't even read 5 lines into the bitcoin white paper, don't run a full node, wtf do they know of the pains of having a gigantic blockchain. Nobody owes the masses anything, SPV wallets today function only because of the altruism of people running full nodes. If I need to spend thousands of dollars on a high end rig/power/net connection, why should I let the masses leech off my full node?

CyrexCore2k 6 points 23 hours ago

The full node argument is coming from the wrong angle. Regardless of block size full nodes are going to need to be incentivized somehow. They can't rely on altruism forever.

i_wolf 2 points 17 hours ago*

    The masses also want moar welfare payments, nice cars, not have to work, moar benefits.

That's a really weird comparison. Limiting the size is essentially welfare for "small" miners and an "anti-trust" regulation. The majority in Bitcoin are for the free market, that's why we reject that bullshit. We know that freedom gives more decentralization than artificial limits on the market. Nobody owes "small" miners or nodes anything or is obligated to protect them from competition.

It's not "your" node! Nobody forced you to run it. Your node is not special, we need more nodes and miners, not "small". Artificially limiting usage and the adoption only limits decentralization.

aminok 2 points 20 hours ago

There is a difference between the 'masses', and economic stakeholders. This would be more analogous to shareholders, where they have skin in the game and aren't voting to socialize their costs, but rather, are voting on how to manage their capital.

imaginary_username 1 point 17 hours ago

"Nobody owes the masses anything"

You, a holder of coins, owe it to yourself to push mass adoption.

hellobitcoinworld -1 points 23 hours ago

That kind of logic is what makes communist states exist.

i_wolf 1 point 17 hours ago

The logic that we all should limit ourselves for the sake of subsidizing smaller miners and nodes.

platypii 1 point 23 hours ago

    So why would you put what a smaller group of individuals wants over what the masses want?

Ironically, you've got this backwards when considering opinions expressed through code rather than online polls or forum posts. I'll explain:

If you want to actually enforce your opinion on the correct state of the blockchain, this requires doing full validation on it, so that you can determine whether it's following or violating your expected consensus rules (whether this be 1MB block cap, 20MB, or any other hard fork changes). By running an SPV node, you're actually forgoing your ability to enforce the rules trustlessly, and instead you're outsourcing validation to other parties that you have to trust to follow those rules for you. These parties you trust essentially control your vote on the chain rules.

Increasing the block size penalizes fully validating nodes and encourages more SPV-validating nodes. This means that the number of people determining the protocol rules is smaller (centralization) which makes future hard forks far easier to implement without consent of the SPV users. By keeping blocks small enough that users can fully validate the chain, this is preserving the ability of individual users to vote with their software and enforce their own preferred consensus rules.

In short: those supporting small blocks are doing so to protect the opinions of the masses from the opinions of the few.

persimmontokyo 4 points 13 hours ago

You're committing the common fallacy of ignoring the unseen.

You're not asking yourself - how many more nodes might we have with an economic system that isn't artificially constrained, and therefore admits more users and businesses to adopt it because it can accommodate their usage requirements? Standing still and doing nothing itself causes economic actors to evaluate your potential solution to their problems and dismiss it as "capacity constrained" or "unscalable", and therefore not even take part in the system in the first place.

Give it a chance to scale and decentralise, and it just might. Think of the negativity Satoshi faced when he proposed bitcoin. All naysayers. He ignored them and proved them wrong by doing it. And here we are today.

Central planning doesn't work. Let the system breathe and find its own way.

awemany 0 points 9 hours ago

Exactly. I feel the people who want Bitcoin to run into the 1MB wall have much more responsibility to state their reasons than the people who want to tear down this artificial wall - and basically keep it growing as it is already!

CyrexCore2k 3 points 23 hours ago

Full nodes are eventually going to need incentives whether the block size is 1mb or 500mb. They can't rely on altruism forever.

pluribusblanks 2 points 16 hours ago

What monetary incentives are there to run Tor relays? None. Yet there are 6000+ Tor relays. People run them because they believe privacy is important.

People run Bitcoin nodes because they believe decentralized, transparent digital money that works the same way for everyone on the internet is important.

awemany 1 point 9 hours ago

One incentive is reachability of a full node.

I bet if it ever would get so bad (which I doubt it will) that there are only very few nodes, overloaded with SPV-wallet connections and the like, there will be nodes emerging that you can pay for access to the blockchain. Because it is essentially only public data, that market will also be competitive.

hellobitcoinworld 2 points 23 hours ago*

I think this is a false reason though. For two reasons:

1.) Blocks will not become 20mb right away. That will take many, many years. We are only talking about the maximum size being raised.

2.) If you take a look at hardware advances since the 1mb block limit was put in place, then why haven't we increased the limit accordingly, in-ratio? You can look at it that way too. If you think hardware will not be able to handle 20mb blocks by the time they happen, I think this is a poor estimation of technology advances.

The reverse way of stating it: Should we leave the limit at 1mb despite increases in storage capacity and bandwidth? I think that also is lacking in logic.

platypii 1 point 22 hours ago

    The reverse way of stating it: Should we leave the limit at 1mb despite increases in storage capacity and bandwidth? I think that also is lacking in logic.

Well there used to be 250,000 fully validating nodes back when bitcoin had a smaller user base. And now the user base has grown but we're down to less than 10,000 nodes. You could blame this on a number of things, but not least of which is the increase in the size of blocks.

So I think the signs are that we should leave it at 1MB and give decentralization some time to catch back up to where it's at a more comfortable level.

exo762 4 points 17 hours ago

    250,000 fully validating nodes back when bitcoin had a smaller user base

This is a very ... weak statement because of two things. First, full nodes were used as wallets because of lack of better wallet alternatives. Second - number is bogus. Ways of measuring the number of full nodes have changed. Right now we count full nodes only if they are available all the time.

i_wolf 2 points 17 hours ago

    Well there used to be 250,000 fully validating nodes back when bitcoin had a smaller user base. And now the user base has grown but we're down to less than 10,000 nodes. You could blame this on a number of things, but not least of which is the increase in the size of blocks.

By making this argument you're explicitly advocating keeping Bitcoin back in the past when nobody wanted it. You don't see that growth of blocks is directly linked to growth of demand and adoption.

exo762 1 point 18 hours ago

    So I think the signs are that we should leave it at 1MB and give decentralization some time to catch back up to where it's at a more comfortable level.

This will lead to a crash, because a fee market will not happen. Think "transaction without fee" problem but on a massive scale. Every time you send money there is a chance that it will hang in limbo for 2 weeks. A market is possible if there is a meaningful feedback loop or at least some way of checking the prices. Money being blocked in case of a fee too low is not feedback, it's a kick in the nuts. Even if we assume that a fee market is possible, it is not realistic right now because of the lack of software supporting it.

platypii 0 points 16 hours ago

These problems can be fixed without even a hard or soft fork. Either child-pays-parent or first-seen-safe-replace-by-fee will fix the stuck transaction problem, and the mempool janitor patch will fix the out-of-memory issue.

exo762 2 points 15 hours ago

This is a huge amount of patching. Including UI for users' wallets, hot wallets of exchanges, convincing people to roll out those patches. And it does not even address the viability of the thing called "fee market".

How much time do you think Bitcoin has right now with 1MB blocks? I bet - less than a year.

platypii 1 point 15 hours ago

The fee market exists... what do you mean? There is fee estimation in bitcoin core. Is there some particular feature you're looking for?

platypii -2 points 23 hours ago

So if your everything-will-be-ok argument relies on blocks growing slower than the cap, why lift the cap so high? The max exists as a limit for what size will be considered acceptable. Raising to 20MB right away means we accept 20MB right away.

i_wolf 1 point 17 hours ago*

    So if your everything-will-be-ok argument relies on blocks growing slower than the cap, why lift the cap so high?

Because if it in fact grows, it will be beneficial to Bitcoin, and limiting it will cripple its value and adoption. And if it won't grow, then it's perfectly safe.

]hellobitcoinworld 1 point 23 hours ago

    If you think hardware will not be able handle 20mb blocks by the time they happen, I think this is a poor estimation of things.

But you and I both know that won't happen. The number of transactions will continue as they have been. Increasing the max block size does not increase the number of transactions being executed on the network. And even if it did instantly, magically jump to 20mb full blocks, hardware right now is not so shitty that it can't handle 20mb blocks. But again, that isn't what's going to happen in reality. So please keep that in mind if you decide to respond to this.

    why lift the cap so high?

Because look at how much work it takes to get a fork put out. It's like total bitcoin chaos, lasting for months. We should minimize these occurrences.

]ColdHard 2 points 15 hours ago

Months? You know the discussion and coding on this issue have been going on for more than 3 years. Thank you for your contribution to it. Which, in summary, appears to be: <Talking is scary, let's hard fork> Did I get that right?

]Richy_T 1 point 22 hours ago

Minimize the occurrences or the need for manual intervention, though? (Though technically it's not a fork* if it doesn't require manual intervention, I hope you see where I'm coming from)

*Though technically, it wouldn't be a fork anyway unless die-hards kept using the old codebase

]Viacoin66 1 point 16 hours ago

http://www.reddit.com/r/Bitcoin/comments/37y8wm/list_of_bitcoin_services_that_supportoppose/

]eragmus 1 point 7 hours ago*

I don't think services (users of Bitcoin) are of the same caliber as core developers, who write the Bitcoin software. Services have lots of money and can run nodes, but the issue is that regular people will not be able to run nodes with 170 GB bandwidth requirement every month (equivalent to 5.7 GB/day). One big reason why is data caps are average 250 GB/month, so a node will suck too much data.

]lxq7 0 points 19 hours ago

I already did that once for /u/pizzaface18 in another thread, but he doesn't care about facts.

]eragmus 1 point 5 hours ago

Looks like we were wrong, check this out:

    https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs08nbj

]zveda -2 points 22 hours ago

The real experts eh? https://en.wikipedia.org/wiki/Argument_from_authority

]eragmus 1 point 7 hours ago

It's a fact that the writers of the software are more expert than the users of the software (software which abstracts out the complexity).

]zveda 1 point 6 hours ago

It is and I agree with you. However an 'expert' is not always right, especially about something like the future direction our project should take. We would make a big mistake as a community if we let a few experts control and guide our project completely. If you read the link I gave in the previous message, it goes into more detail why this plan, of letting experts decide everything, is often a very bad idea.

Also check out https://en.wikipedia.org/wiki/Groupthink

]eragmus 1 point 6 hours ago

Okay, sorry, these are good points... and I'm not really arguing against them.

I guess what I was trying to say, but in too few words, is this:

    https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs0zcrv?context=3

See the first 4 posts, ending with my reply as the 4th post. If you have questions after that, then feel free to reply and we can continue.

]GibbsSamplePlatter 0 points 9 hours ago

You mean all but Gavin in the repo?

]fangolo 25 points 1 day ago*

Fork. Let the market decide. Until there are technical alternatives, the status quo doesn't look attractive. Make it 8MB to give time for the ecosystem to develop alternatives while keeping the overhead reasonably low.

If most parties feel slightly uneasy, it's probably the best solution. Gavin should give a bit of ground and move ahead.

]d4d5c4e5 8 points 1 day ago

I'm really starting to see it this way. Two factions can't come to an agreement, that's fine. If you can't work it out, it's time for a divorce.

]Noosterdam 7 points 23 hours ago

That's what forking is for. And it probably won't be a divorce. Devs want to maintain their positions, not code for an irrelevant version. It's possible that some would quit out of principle, but I doubt it.

]Throwahoymatie 11 points 1 day ago

I agree with this. I'm tired of reading about this debate. Just put the code out there and let adoption happen. This whining is getting to be too much (on both sides).

]pitchbend 1 point 20 hours ago

Yeah, let's fork Bitcoin against the will of many core devs and Chinese exchange operators, what could possibly go wrong... I'm sure it'll help adoption, nothing inspires more confidence than a civil war where your coins are useless depending on the chain you choose.

]DakotaChiliBeans 3 points 15 hours ago

2,4,8,16,20,21,32.

Pick a number Do it. Just do it. YES, You can.... Arrrrrhhrhrhhhrhhghhhh.

]SatoshiBittinger 7 points 17 hours ago

Just. DO IT

]walloon5 4 points 22 hours ago

No one can force anyone in bitcoin and that's how we like it.

]ProHashing 3 points 11 hours ago

Finally, someone gets it!

How long will it take until people realize there is no more research that can be done, that the mailing list is just rehashing the same points over and over, and that increasing the block size to a static 20MB is not going to magically cause there to be fewer problems when that size limit is hit?

The first person to put out an actual solution, in code, that permanently fixes this problem, will be the one to have his solution adopted. This is not a problem where the exact solution even matters. And the code for this solution is not especially difficult either.

Does nobody follow politics? Do they not see that there is nobody in a position of authority here to hold and enforce a vote on this topic? Has there ever been a case in history where thousands of people talk and talk about a decision and they magically agree and it gets resolved? Time after time, the only way things get done is when a leader emerges, seizes power, and dictates what is going to happen. Sometimes, the leader remains a dictator, and sometimes he gives up power to a democracy with defined rules.

Given that there is no existing governance for this project, the only way that a solution is going to be obtained is for someone to take charge and impose a structure. Andresen has the best chance of doing that, but so far he is all talk. He's been blogging and tweeting about things he might do for six weeks now.

I wonder if the best chance now is that someone who we don't even know yet will be the first to release working code and his solution will be adopted. Given the deadlock now, whoever gets the first working code out is going to be seen as the new leader of the bitcoin project. That might remain as Andresen, or if he continues to delay, it may be Mike Hearn or someone else who we don't know yet.

]lorempsum[S] 6 points 1 day ago

Does that seem acceptable to anyone?

]dudemanguysirmister 23 points 1 day ago

It does to me. Free market, let Maxwell fork it to Maxcoin v2 and Todd fork it to Toddcoin v1 and I'll keep running Bitcoin without needing an additional layer on top of it.

I think most of the community is behind Gavin's proposal. I'd even be fine with 8 MB.

However, no increase is untenable.

]lorempsum[S] -1 points 1 day ago*

I signed up for Bitcoin as a system that's ruled by consensus, not by dictatorship. If any of the core devs wants to make a hard-fork change that can't gain consensus, he should indeed make a new coin. That includes Gavin and Satoshi too.

And I don't think anyone sensible is pushing for no increase at all. The debate is about the timing and the mechanism. The devil is in the details.

]aminok 12 points 1 day ago*

    I signed up for Bitcoin as a system that's ruled by consensus, not by dictatorship.

Consensus is only defined as consensus among developers? Or stakeholders at large? What percentage of stakeholders need to support a change for it to be consensus in your opinion?

Gavin proposed 20 MB and then 50% per year increase after that. None of the other core developers agreed, and none provided a counter proposal other than 'wait and see' with the 1 MB limit.

He proposed 20 MB and then 40% per year increase after that. Again none of the developers agreed, and none provided a counter proposal.

6701	642	4	1280517545	6701	0		xx	1	Re: Bug: "Immature" coins lost in wallet.dat during transaction

I don't get how it let you send if it was not matured. Your balance would have been lower than the amount. It would have said balance 0.01, right? If I try that it says "you don't have enough money" or "Insufficient funds" from the command line.

How many blocks did it say it had left to mature when you sent?

There's a chance it might still go through.

Have you copied or moved your wallet.dat in any way?

6706	611	6	1280518854	6706	0		xx	1	Re: [PATCH] implement 'listtransactions'

What are you needing to use listtransactions for?

The reason I didn't implement listtransactions is I want to make sure web programmers don't use it. It would be very easy to latch onto that for watching for received payments. There is no reliable way to do it that way and make sure nothing can slip through the cracks. Until we have solid example code using getreceivedbyaddress and getreceivedbylabel to point to and say "use this! use this! don't use listtransactions!", I don't think we should implement listtransactions.

When we do implement listtransactions, maybe one way to fight that is to make it all text. It should not break down the fields into e.g. comment, confirmations, credit, debit. It could be one pretty formatted string like "0/unconfirmed   0:0:0 date   comment      debit 4  credit 0" or something so it's hard for programmers to do the wrong thing and process it. It's only for viewing the status of your server. I guess that would be kinda annoying for web interfaces that would rather format it into html columns though.
6711	626	1	1280519586	6711	0		xx	1	Re: *** ALERT *** Upgrade to 0.3.6 ASAP!

[quote author=knightmb link=topic=626.msg6702#msg6702 date=1280517847]
    I can only imagine the pain you went through to get these builds because I'm trying to build the program on a Ubuntu 9.04 box and so far I can't seem to find all the dependencies to compile no matter how much I keep installing packages and compiling source, LOL.
[/quote]

I can't understand why you're having so much pain. I just followed the instructions in build-unix.txt. I made a couple little corrections for Boost 1.37, which I'll put on SVN the next time I update it, noted below:

    Dependencies
    ------------
    sudo apt-get install build-essential
    sudo apt-get install libgtk2.0-dev
    sudo apt-get install libssl-dev
    sudo apt-get install libdb4.7-dev
    sudo apt-get install libdb4.7++-dev
    sudo apt-get install libboost-all-dev (or libboost1.37-dev)

    wxWidgets
    ---------
    cd /usr/local
    tar -xzvf wxWidgets-2.9.0.tar.gz
    cd /usr/local/wxWidgets-2.9.0
    mkdir buildgtk
    cd buildgtk
    ../configure --with-gtk --enable-debug --disable-shared --enable-monolithic
    make
    sudo su
    make install
    ldconfig

added a comment in makefile.unix:

    # for boost 1.37, add -mt to the boost libraries
    LIBS= \
     -Wl,-Bstatic \
       -l boost_system \
       -l boost_filesystem \
       -l boost_program_options \
       -l boost_thread \
       -l db_cxx \
       -l crypto \
     -Wl,-Bdynamic \
       -l gthread-2.0

6728	626	1	1280526244	15289	1286200082	satoshi xx	1	Re: *** ALERT *** Upgrade to 0.3.6 ASAP!

[quote author=knightmb link=topic=626.msg6713#msg6713 date=1280520259]
    So that last command should simply be
    [b]sudo apt-get install libboost1.37-dev[/b]
[/quote]

Except that wouldn't work for boost 1.40+ (on Ubuntu 10.04), where you need to get libboost-all-dev.

Seems they changed everything around in Boost recently, "-mt" and all that, makes it hard.

BTW, I tried Boost 1.34 but it didn't have the boost.interprocess stuff.

Mac OSX version is available now. See bitcoin.org or the SourceForge link.

6751	648	6	1280536160	6751	0		xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6

That's amazing...

So are you saying you use 128-bit registers to SIMD four 32-bit data at once? I've wondered about that for a long time, but I didn't think it would be possible due to addition carrying into the neighbour's value.
6760	651	6	1280539928	6820	1280586454	satoshi xx	1	Webpage idea: Next predicted difficulty change

It would be neat if someone had a page (like that handy calculator at http://www.alloscomp.com/bitcoin/calculator.php) that projects what the next difficulty adjustment will be.

    projected difficulty adjustment multiplier =

     blocks_since_last_adjustment / 2016
     ------------------------------------
     time_since_last_adjustment / 14_days

For instance, if it already got half way to the next adjustment in only 3.5 days instead of 7, we would expect difficulty to double:

    (1008/2016) / (3.5/14) = 0.5/0.25 = 2.0

Also, it could show the predicted time when the next adjustment will occur, and tell when the last adjustment was and how much it changed.
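The projection described in this post, as an added worked example rather than code from the post or from the Bitcoin project: the function applies the post's ratio, clamps it to the factor-of-four bound that a single Bitcoin retarget is allowed to move, and extrapolates the observed block spacing to estimate when the adjustment will land. The clamp goes slightly beyond what the post states; the function and field names are my own.

```python
# Added example, not code from the post or the Bitcoin client. Projects the
# next difficulty adjustment from progress through the current period, using
# the ratio written in the post above. 2016 blocks / 14 days are Bitcoin's
# retarget parameters; the [1/4, 4] clamp is the bound the consensus rule
# puts on any single adjustment.
from dataclasses import dataclass

BLOCKS_PER_PERIOD = 2016
TARGET_SECONDS = 14 * 24 * 60 * 60                    # 14 days
TARGET_SPACING = TARGET_SECONDS // BLOCKS_PER_PERIOD  # 600 s per block


@dataclass
class Projection:
    raw_multiplier: float            # the post's ratio, unclamped
    clamped_multiplier: float        # what a retarget would actually apply
    seconds_to_next_adjustment: float


def project_adjustment(blocks_since: int, seconds_since: float) -> Projection:
    """Project the next difficulty change.

    blocks_since:  blocks found since the last adjustment (0 < n < 2016)
    seconds_since: wall-clock seconds elapsed since that adjustment
    """
    if not 0 < blocks_since < BLOCKS_PER_PERIOD:
        raise ValueError("blocks_since must lie inside the current period")
    if seconds_since <= 0:
        raise ValueError("seconds_since must be positive")

    # (blocks / 2016) / (time / 14 days), exactly as in the post
    raw = (blocks_since / BLOCKS_PER_PERIOD) / (seconds_since / TARGET_SECONDS)
    # A single retarget cannot move difficulty by more than 4x either way.
    clamped = min(4.0, max(0.25, raw))

    # Extrapolate the observed spacing over the blocks still to come.
    observed_spacing = seconds_since / blocks_since
    remaining = BLOCKS_PER_PERIOD - blocks_since
    return Projection(raw, clamped, remaining * observed_spacing)


if __name__ == "__main__":
    # The post's worked case: half the period done in 3.5 days.
    p = project_adjustment(1008, 3.5 * 86400)
    print(f"multiplier {p.raw_multiplier:.2f}, clamped {p.clamped_multiplier:.2f}, "
          f"next adjustment in {p.seconds_to_next_adjustment / 86400:.1f} days")
```

The clamp matters for the "predicted time" display the post asks for: a period that is running far ahead of schedule still only raises difficulty 4x at the boundary, so the next period starts out faster than 10 minutes per block and the estimate should not pretend otherwise.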
6822	612	4	1280587132	15289	1286199361	satoshi xx	1	Re: Linux distribution download

It can be built with Boost 1.37 or later.

7057	655	4	1280770767	7057	0		xx	1	Re: Linux version => No GUI after upgrade.  WTF?

Did it print anything to the console? Are you sure you didn't run "bitcoind"?

Try version 0.3.7.

7068	660	4	1280772140	7068	0		xx	1	Re: Mac Client Problems Outlined...

"Minimize to the tray instead of the taskbar" & "Minimize to the tray on close" must not be implemented yet on the Mac. We should grey them out in the next version.

7084	648	6	1280775766	7085	1280776495	satoshi xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6

Is it 2x fast on AMD and 1/2 fast on Intel?

[quote author=tcatm link=topic=648.msg6797#msg6797 date=1280571158]
    Btw. Why are you using this alignup<16> function when __attribute__ ((aligned (16))) will tell the compiler to align at compiletime?
[/quote]

Tried that, but it doesn't work for things on the stack. I ran some tests.

It doesn't even cause an error, it just doesn't align it.
7090	632	6	1280780528	7090	0		xx	1	Re: Protocol Buffers for Bitcoin

The reason I didn't use protocol buffers or boost serialization is because they looked too complex to make absolutely airtight and secure. Their code is too large to read and be sure that there's no way to form an input that would do something unexpected.

I hate reinventing the wheel and only resorted to writing my own serialization routines reluctantly. The serialization format we have is as dead simple and flat as possible. There is no extra freedom in the way the input stream is formed. At each point, the next field in the data structure is expected. The only choices given are those that the receiver is expecting. There is versioning so upgrades are possible.

CAddress is about the only object with significant reserved space in it. (about 7 bytes for flags and 12 bytes for possible future IPv6 expansion)

The larger things we have like blocks and transactions can't be optimized much more for size. The bulk of their data is hashes and keys and signatures, which are uncompressible. The serialization overhead is very small, usually 1 byte for size fields.

On Gavin's idea about an existing P2P broadcast infrastructure, I doubt one exists. There are few P2P systems that only need broadcast. There are some libraries like Chord that try to provide a distributed hash table infrastructure, but that's a huge difficult problem that we don't need or want. Those libraries are also much harder to install than ourselves.
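An added illustration of the "no extra freedom in the way the input stream is formed" property the post describes; this is not Satoshi's serialization code. It assumes the CompactSize length-prefix layout Bitcoin uses for the "usually 1 byte" size fields (a single byte below 0xFD, otherwise a 0xFD, 0xFE or 0xFF marker followed by a 2-, 4- or 8-byte little-endian integer) and shows a reader that accepts exactly one encoding per value and refuses truncated, non-minimal or over-long input instead of interpreting it. The two-field record parsed by parse_exact and the helper names are constructed for the example.

```python
# Added example, not the client's code: a strict reader for Bitcoin's
# CompactSize length prefix. Every accepted value has exactly one encoding;
# a second spelling of the same length, a size field cut short, a declared
# length that overruns the buffer, or bytes left over after the last field
# are all errors rather than inputs the parser tries to make sense of.
import struct
from typing import List, Tuple


class MalformedInput(ValueError):
    """Raised for any byte sequence that is not the canonical encoding."""


def encode_compact_size(n: int) -> bytes:
    """Canonical CompactSize encoding of a non-negative integer."""
    if n < 0 or n > 0xFFFFFFFFFFFFFFFF:
        raise ValueError("out of range")
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_compact_size(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Return (value, new_pos); reject truncated or non-minimal encodings."""
    if pos >= len(buf):
        raise MalformedInput("truncated: no size byte")
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width, fmt, minimum = {0xFD: (2, "<H", 0xFD),
                           0xFE: (4, "<I", 0x10000),
                           0xFF: (8, "<Q", 0x100000000)}[first]
    end = pos + 1 + width
    if end > len(buf):
        raise MalformedInput("truncated: size field")
    (value,) = struct.unpack(fmt, buf[pos + 1:end])
    if value < minimum:
        # e.g. fd 05 00 would be a second spelling of the 1-byte value 05
        raise MalformedInput("non-canonical size encoding")
    return value, end


def read_var_bytes(buf: bytes, pos: int = 0) -> Tuple[bytes, int]:
    """Read one length-prefixed field, refusing lengths past the buffer end."""
    length, pos = read_compact_size(buf, pos)
    if length > len(buf) - pos:
        raise MalformedInput("declared length exceeds available data")
    return buf[pos:pos + length], pos + length


def parse_exact(buf: bytes) -> List[bytes]:
    """Parse a constructed record of exactly two var-length fields.

    The next field is always the one the structure expects, and the stream
    has no place for anything else, so trailing bytes are an error too.
    """
    a, pos = read_var_bytes(buf, 0)
    b, pos = read_var_bytes(buf, pos)
    if pos != len(buf):
        raise MalformedInput("trailing data after last field")
    return [a, b]


def rejects(buf: bytes) -> bool:
    """True if parse_exact refuses buf (used to exercise the checks)."""
    try:
        parse_exact(buf)
    except MalformedInput:
        return True
    return False


if __name__ == "__main__":
    good = encode_compact_size(3) + b"abc" + encode_compact_size(2) + b"xy"
    print(parse_exact(good))                        # [b'abc', b'xy']
    print(rejects(b"\xfd\x03\x00abc\x02xy"))        # True: non-minimal length
    print(rejects(b"\x05ab"))                       # True: length overruns data
    print(rejects(good + b"\x00"))                  # True: trailing byte
```

The design choice worth noting is that each check is a comparison against a single expected shape, which is what makes the reader small enough to audit; a format that allowed optional fields, reordering, or several encodings of one length would need correspondingly more code to reject everything it does not mean.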
7155	682	3	1280812643	7325	1280867860	satoshi xx	1	New user registration e-mail

I suspect the reason e-mails from bitcoin.org such as the validation e-mail from the wiki are getting spamblocked is because we didn't have e-mail validation turned on for the forum, so maybe spammers used the forum to set their e-mail to people they wanted to send spam to and then PM themselves so it would e-mail there. The only way to really know would be to look at the mail server logs and see if there's a large volume and what it is.

I turned on e-mail validation of new accounts on the forum, but now people can't sign up because the validation e-mail gets spamblocked. Someone said gmail is one case.

So here we are, nobody new can sign up to the forum.

It would help if we could turn off the forum's notification e-mail features. I tried to disable what I could, but it only had settings for forum thread notifications. Can someone tell me if PM notifications are still active or any e-mail notification anywhere else on the forum.

Maybe we should disable the forum's access to the e-mail server entirely, then turn off registration e-mail until we work this out further. I don't know where that setting is in the SMF interface.

7328	454	6	1280868971	7328	0		xx	1	Re: Builds for Ubuntu?

[quote author=nimnul link=topic=454.msg7282#msg7282 date=1280857875]
    Is satoshi noWx patch in 0.3.7 already? Before that bitcoind required wx, and I never seen Satoshi announcing that it's in trunk
[/quote]

Yes, 0.3.7 has it. It was in rev 112.

7331	685	6	1280869508	7331	0		xx	1	Re: Bitcoind x86 binary for CentOS

[quote author=sgtstein link=topic=685.msg7275#msg7275 date=1280856637]
    I have successfully built it with 4.8, 4.7 never would but with 4.8 bitcoind locks up whenever it dumps the initial block download to disk. :-\
[/quote]

I urge you not to use BDB 4.8. The database/log0000* files will be incompatible if anyone uses your build and then goes back to the official build.

7335	689	6	1280870786	7376	1280881157	satoshi xx	1	Re: Content-Length header and 500 (was Re: Authentication, JSON RPC and Python)

[quote author=gavinandresen link=topic=689.msg7299#msg7299 date=1280861804]
    [quote author=jgarzik link=topic=689.msg7288#msg7288 date=1280858948]
        bitcoin requires the Content-Length header, but several JSON-RPC libraries do not provide it. When the Content-Length header is absent, bitcoin returns 500 Internal Server Error.
    [/quote]
    Can you be more specific about which JSON libraries don't provide Content-Length ? It'd be nice to document that.
[/quote]

I guess we should try to support the case where there's no Content-Length parameter. I don't want to rip and replace streams though, even if it has to read one character at a time.

Edit: That is, assuming there actually are any libraries that don't support Content-Length.
7356	661	1	1280875507	7356	0		xx	1	Re: What happens when network is split for prolonged time and reconnected?

creighto: I agree with that idea. After a few hours, it should be possible for the client to notice if the flow of blocks has dropped off by more than would be likely just by chance. It could tell if it's not hearing the hum of the world anymore.

[quote author=knightmb link=topic=661.msg7303#msg7303 date=1280862133]
    [quote author=gavinandresen link=topic=661.msg7293#msg7293 date=1280860724]
        Or if the split lasted long enough (more than 100 blocks), transactions that involve generated coins on the shorter chain would be invalid at the merge.
    [/quote]
    Interesting info, so other than some double-spending issues, as long as the block chain isn't separated for more than 100 or so blocks (or 16+ hours),
[/quote]

In practice, splits are likely to be very asymmetrical. It would be hard to split the world down the middle. More likely it would be a single country vs the rest of the world, let's say a 1:10 split. In that case, it would take the minority fork 10 times as long to generate 100 blocks, so about 7 days. Also it would be super easy for the client to realize it's hearing way too few blocks and something must be wrong.

[quote author=knightmb link=topic=661.msg7303#msg7303 date=1280862133]
    If there a hard coded limit on split delay? Meaning if I had a small network split from the public network, spent some coin around, came back a few days later and got them sync up to the public network (other than coin generation if it happened) transactions should be fine?
[/quote]

There's no time limit. Assuming you weren't spending coins generated in the minority fork, or spending someone's double-spends you received, your transactions can get into the other chain at any time later.
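The "hearing way too few blocks" check the post suggests, as an added example rather than code from the thread or from the client: it scores the number of blocks seen in a window against the Poisson distribution implied by one block every 10 minutes and alarms when that count is improbably low. The 1e-4 threshold, the window and the function names are my choices; minority_fork_days_for repeats the post's 1:10 split arithmetic.

```python
# Added example, not the client's code: a defender-side partition check.
# Block arrivals are close to a Poisson process at 6 per hour, so the
# probability of seeing at most k blocks in h hours is a Poisson CDF with
# lambda = 6h. A node cut off with a tenth of the hashrate sees blocks ten
# times slower and that shortfall leaves chance variation within hours.
import math
from typing import Tuple

EXPECTED_BLOCKS_PER_HOUR = 6.0   # one block per 10 minutes on average


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam), each term computed in log space."""
    if k < 0:
        return 0.0
    total = 0.0
    for i in range(k + 1):
        total += math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
    return min(total, 1.0)


def partition_check(blocks_seen: int, hours: float,
                    p_threshold: float = 1e-4) -> Tuple[bool, float]:
    """Return (alarm, p): p is the chance of seeing this few blocks or fewer.

    alarm is True when p is below p_threshold, i.e. the node is hearing far
    fewer blocks than the network as a whole should be producing.
    """
    if hours <= 0:
        raise ValueError("window must be positive")
    lam = EXPECTED_BLOCKS_PER_HOUR * hours
    p = poisson_cdf(blocks_seen, lam)
    return p < p_threshold, p


def minority_fork_days_for(blocks: int, share: float) -> float:
    """Days a fork holding `share` of the hashrate needs to find `blocks`.

    Retargeting is ignored, which is the post's "1:10 split, 100 blocks,
    about 7 days" arithmetic: 100 blocks * 10 minutes / 0.1.
    """
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    minutes = blocks * 10 / share
    return minutes / (60 * 24)


if __name__ == "__main__":
    # Constructed scenarios: a healthy node, and a node on a 1:10 minority
    # side that has seen 2 blocks in the 4 hours it expected about 24.
    for seen, hours in ((24, 4.0), (2, 4.0), (0, 4.0)):
        alarm, p = partition_check(seen, hours)
        print(f"{seen:2d} blocks in {hours:.0f}h: p={p:.2e} alarm={alarm}")
    print(f"1:10 fork needs {minority_fork_days_for(100, 0.1):.1f} days for 100 blocks")
```

The check is deliberately one-sided: too many blocks is not evidence of a partition, while too few is the signature the post describes. A node that alarms can do what the post's 0.3.8 warning does, that is, keep generating but distrust displayed balances until it rejoins the majority.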
7364	696	1	1280878818	7364	0		xx	1	Please upgrade to 0.3.8!

Version 0.3.8 adds an important security improvement. Everyone should upgrade to get this change.

The new safety feature displays a warning message in the status bar and locks down RPC if it detects a problem that may require an upgrade.

If it sees a longer chain, but it can't process it, then it knows something is wrong. It displays "WARNING: Displayed transactions may not be correct! You may need to upgrade." and makes most RPC commands return an error. It still keeps generating as normal, which is necessary for the stability of the network.

There were important security updates in the versions before this too, so if you haven't upgraded recently, it's extremely important that you upgrade now!

Also, don't forget, we recently added 2.4x faster generating thanks to tcatm's mid-state caching optimisation and BlackEye's help getting ASM SHA-256 working.

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.8/

7372	685	6	1280880572	7372	0		xx	1	Re: Bitcoind x86 binary for CentOS

[quote author=knightmb link=topic=685.msg7365#msg7365 date=1280879206]
    There are two versions, one built from stock code, the other modified to accept up to 1,000 nodes (hence the super node name)
[/quote]

I'd rather you didn't make a build of the 1000 node connecting version available. It won't take very many people running that before we have to make another release just to limit the incoming connections.
15:03 < amiller> not something that was waiting for optimizations to be around
15:04 < amiller> there's one counterexample where someone wrote about proof of work consensus, but they seemed just to think it would be irrelevant
15:05 < nsh> "64k hashes should be enough for anyone"
15:05 < maaku> well the idea of using a scarce resource for consensus is old
15:06 < maaku> the application of hashcash to make thermodynamic potential that scarce resource is new
15:06 < maaku> new and very novel
15:06 < petertodd> maaku: well, one way is to structure your proof-of-publication in such a way that you only need to scan part of the blockchain
15:06 < petertodd> maaku: which is what TXIN commitments does
15:07 < jrmithdobbs> petertodd: anyways, back to something you said earlier as an offhand comment ... assuming all ops were enabled i thought it was already feasible to store state in scripts?
15:08 < petertodd> jrmithdobbs: not at all, none of the ops can do anything related to state
15:09 < petertodd> maaku: more generally, any key-value consensus system that allows multiple *time ordered* values for one key lets you efficiently determine the validity of your coins by tracing them back to genesis
15:09 < maaku> petertodd: why is it objectionable to require miners to do a little bit of work to earn their coins, for communal benefit?
15:10 < helo> maaku: are you taking much from https://en.bitcoin.it/wiki/User:Gmaxwell/namecoin_that_sucks_less for your namecoin?
15:10 < maaku> petertodd: which is still very suboptimal from a user's perspective
15:11 < maaku> helo: i wasn't aware of that wiki page
15:12 < helo> it has some neat suggestions, but it may be in a different direction than you were headed
15:12 < petertodd> maaku: because you need to look at the system as a whole - having to store utxo data forever sucks
15:13 < maaku> helo: regarding storage of the names themselves, yes, it's a different direction. my system doesn't require validator storage at all, beyond the root hash
15:13 < maaku> but the name-hidden-with-hash idea is something I hadn't considered
15:13 < helo> i like the "If you haven't guessed a name, or someone hasn't told you about it it's none of your business that it exists."
15:14 < helo> yep
15:14 < maaku> petertodd: in the absence of well-defined suckiness, I disagree
15:15 < maaku> the UTXO set *is* what we all care about
15:15 < maaku> having access to the whole UTXO set is not an intrinsically bad thing
15:16 < petertodd> maaku: but it's not! wallets don't even care about the UTXO set - they only need to care about their own UTXO's
15:17 < maaku> the bitcoin economy is not a collection of purely self-interested wallets
15:17 < maaku> people also care about macroeconomic issues like estimations of lost coins, potential inferences of wealth distribution, etc.
15:17 < maaku> which require the whole utxo set
15:18 < petertodd> right, and all those things can be maintained by people who need it, people who don't need that and just want to mine and/or run full nodes don't need that stuff
15:18 < maaku> the difference between your approach and mine is that I'm trying to make full use of the structure and incentivise people to make it available
15:18 < maaku> whereas you seem to be doom-and-gloom predicting its inevitable demise
15:19 < helo> ensuring miners can't make rule changes requires a lot of non-mining nodes to be involved in deep validation
15:19 < maaku> petertodd: neither miners nor full nodes need the utxo set!
15:19 < maaku> that's what updatable proofs are about
15:19 < petertodd> maaku: I know, but now to spend a coin you need the assistance of someone who does, whereas with TXO commitments you do not
15:20 < petertodd> you just need blockchain data from now to when the txo was created
15:20 < petertodd> that's a significant savings
15:20 < maaku> yes, but don't pretend that TXO commitments don't have down sides
15:21 < petertodd> yes, but as I argue the fact that electrum implements transaction lookup, rather than UTXO lookup, is indicative of the fact that those downsides aren't actually all that important
15:22 < maaku> ... that's a total non sequitur
15:23 < petertodd> how so?
15:23 < maaku> with TXO you are requiring access to the full block chain since the txo was created, vs a summary of that data
15:23 < jrmithdobbs> petertodd: oh wow, i missed the 10-20 minutes before hand to understand the context of that state comment, different than what i meant by state ... and this whole conversation makes much more sense (and is more evil) now that I have
15:25 < maaku> and i'm not sure offering electrum up is a model for how we should do things
15:25 < maaku> jrmithdobbs: transactions are responsive to state already (the UTXO state)
15:26 < maaku> the objection to having state in scripts is that a reorg could make the transaction invalid ... but that can already happen
15:27 < maaku> so long as the conditions for invalidation can be quantified and other unconfirmed transactions checked for that, the status quo remains
15:28 < petertodd> maaku: right, so I have a wallet, I'm m blocks behind, and I need to sync it to get the current balance. With UTXO commitments that's a O(log2(n)) lookup per scriptPubKey, with TXO commitments that's O(m*log2(n))
15:28 < petertodd> OTOH, if I also want to get transactions too - which it seems that users like having - they're both the same
15:29 < petertodd> I argue that the common case is m is small - people sync their wallets reasonably frequently - so the additional overhead isn't a big deal and *is* worth it in the context of long-term viability of the system.
15:29 < maaku> petertodd: no, the UTXO record has the block height, which they can go to directly
15:32 < petertodd> maaku: ok, I'll grant you that: if you assume transactions involving the scriptPubKey's were all not spent then you don't need to scan, but if you want to see all possible tx's, including spends, you do need to scan
15:33 < petertodd> maaku: also with regard to my point about security, having the height *does not* change the single-confirm security that UTXO commitments give you
15:35 < maaku> why?
15:35 < maaku> you know when it was originally confirmed, to the extent that you can trust the index at all
15:38 < petertodd> maaku: how do you know transactions between that single *tx proof* and now do not exist?
15:39 < petertodd> you still only have a single confirm of evidence about the state of the UTXO set
15:39 < maaku> by watching the blocks go by ... same as TXO commitments
15:42 < petertodd> maaku: no, with txo commitments you naturally do that at startup is my point
15:42 < petertodd> maaku: anyway, the security aspect wasn't the main issue I had with UTXO
15:43 < petertodd> again, long-term scalability is really important; txo commitments pushes the costs of a UTXO to the right people
15:44 < maaku> petertodd: this is my disagreement. the right people are, imho, the miners
15:44 < maaku> they're being paid to provide a service. they should actually provide useful service
15:47 < petertodd> well I'd like them to wipe my ass while we're at it :P
15:47 < petertodd> anyway, the most important service they provide is decentralization, so optimize for that
15:47 < petertodd> you optimize for that by keeping costs low
15:47 < maaku> gmaxwell: it seems SHA-512 is faster on 64-bit CPUs? then it's a better choice, no argument there
15:48 < petertodd> and full-node decentralization matters too, so keep costs low for that too so you have verification that the miners are actually being honest
15:48 < nsh> (or by keeping costs from scaling sublinearly)
15:48 < nsh> (ideally)
15:48 < petertodd> nsh: ideally every node is a full node!
15:48 < petertodd> nsh: less than that is a compromise
15:48 < maaku> petertodd: i imagine a future where asic/fpga validators much these utxo proofs
15:49  * nsh nods - all is compromise
15:49 < petertodd> maaku: that's not particularly decentralized - that's custom hardware
15:49 < maaku> yes, but mass produced and widely distributed
15:49 < maaku> the asic rollout has shown that this aids decentralization, compared with general-purpose computing solutions
15:49 < petertodd> that's a bunch of handwaving frankly
15:50 < nsh> i think without dual-use you get specialization, which is kin to, if not a species of, centralization
15:50 < petertodd> no, asics are a decentralization disaster: control of bitcoin is held by well under a half-dozen companies
15:50 < petertodd> the last thing we need is more of that
15:51 < maaku> petertodd: control is held by the people who own the asics
15:51 < maaku> that's more than a half-dozen companies
15:51 < maaku> and it's way better than when I first got involved with bitcoin and it was 2-3 botnets that controlled bitcoin
15:51 < petertodd> anyway, asics can't fix the problem that to start a new node requires getting the UTXO set from someone else, and the size of that data may be huge
15:53 < petertodd> maaku: the number of companies with competitive chip fabs is about three
15:53 < petertodd> maaku: sub-contractors don't count
15:54 < petertodd> maaku: er, I mean companies that contract those designs to those fabs
15:55 < petertodd> We're probably stuck with ASICs for the PoW, but there's no reason to think involving more of them is a good thing, especially since if Bitcoin fails because of chip-fab-related centralization it'd be much preferable to take the same technology and replace the PoW with a more asic hard one.
16:24 < helo> is botnet-related centralization better or worse than chip-fab-related?
16:24 < helo> not a false dichotomy afaict
16:37 <@gmaxwell> maaku: {cite} Bitcoin was never controlled by botnets, having seen detailed logs from large pools there certainly were large botnets, but gpu powered bots were largely a later revelation.
17:11 < amiller> i'm trying to come up with a way of projecting what the relative cost per operation would be using rsa operations rather than sha2
19:10 < gmaxwell> wow, unethical headlines say what? "bitcoin-protocol-vulnerability-could-lead-to-a-collaps"
19:58 < petertodd> gmaxwell: meh, don't fall in love with your babies. It's a deeply ugly issue, just like all the other centralizing forces are, and we're naive to assume it won't be a problem.
19:59 < gmaxwell> petertodd: I'm not saying it's a non-issue, I'm saying it's being heavily exaggerated, and I think it's _less_ of a centralizing force than many other ones that people don't care about at all.
19:59 < petertodd> The deeper problem is it's easy to see how Bitcoin could still be useful to some people, and hence valuable, even if it was mostly centralized... like right now in the short term. Add some more centralizing forces and that can become a long-term, permanent thing, where mining is a weird cartel.
20:00 < petertodd> gmaxwell: Sure, but given that those other issues *are* plenty real, I'm going to call the headline reasonable, even if it's more than just one issue that makes it reasonable.
20:01 < gmaxwell> I suppose it's fine to see people pointing out the centralizing forces are a risk. I suppose that's news to people who are not me. :)
20:01 < petertodd> Well, yeah, lots of people don't understand that stuff at all.
20:02 < petertodd> Anything that gives people the accurate impression that Bitcoin's decentralization is mostly a function of the community at best is probably a good thing, and I'd say it's ethical reporting.
20:02 < gmaxwell> This is kind of a lame context for it though.
20:02 < petertodd> (IE the technology is broken, and absent community pressure we'd see 51% pools)
20:05 < petertodd> Anyway, tech question: has anyone ever seriously analyzed the effects of a chain-selection algorithm that counted total work, that is one where work could be worth more if it was especially under the target?
20:09 < gmaxwell> petertodd: yea, I ran a simulation on that (counting target instead of work) in 2011, uh, I should look for logs. What I concluded was that it created huge incentives to delay announcing solutions.
20:10 < petertodd> gmaxwell: Right, that's what I concluded. On the other hand, if you add a cutoff, where work is never more valuable than a certain amount, that seems to reduce the incentives, while maybe preventing the selfish miner attack.
20:11 < gmaxwell> I'm doubtful but haven't tried that. I haven't really had time to think about it much though.
20:12 < gmaxwell> through the day I've warmed a little to their "solution"
20:12 < petertodd> Well, basically the decision to not announce is based on the strength of your solution, given that there's a certain chance the other hashing power would come up with a better solution than you do.
20:12 < petertodd> ha, for me it's the exact opposite: their solution asks miners to do what's against their short-term economic incentives.
20:13 < gmaxwell> oh to actually be random? interesting point.
20:13 < petertodd> Yeah. Even with someone trying to carry out that attack, you're better building on the block the majority is regardless.
20:15 < petertodd> I gave it a go at working out the actual equations for expected return for a given amount of hashing power, and first try popped out the answer that if solution value is random, it always makes sense to reveal your blocks. Though I suspect I screwed that up somewhere...
20:17 < gmaxwell> petertodd: if the solution is random and you have a lot of hashpower, then you should delay. I thought the threshold was like 40% but uuk was saying 33% earlier.
20:17 < petertodd> uuk?
20:20 < sipa> UukGoblin
20:21 < petertodd> ah. Anyway, that's why I suspect I screwed up. :)
20:23 < sipa> i seem to remember a number closer to 40-45% ish
20:23 < sipa> but i never thought hard about it, or looked up where the number came from
20:24 < petertodd> Yeah, anyway, IMO something like that wouldn't be too bad, so long as the incentives to hide blocks were under control - the paper's solution worries me given that it's not economically rational. Good to have an alternative.
22:07 < midnightmagic> how does withholding a block not penalize the selfish miners and wouldn't their activity be discernible without an accompanyingly-expensive sybil network?
22:08 < midnightmagic> Also, if centralization is a risk to the value of the currency, then why would "rational" miners mine to increase centralization and thus decrease trust in the currency?
22:09 < gmaxwell> it would be trivially discernible.
22:09 < gmaxwell> midnightmagic: why do we have mining pools with 30% hashpower or whatever?
22:09 < midnightmagic> because everyone thinks the magic number is 51%
22:10 < gmaxwell> midnightmagic: delaying the block only penalizes them if they lose the race against a competing block as a result, the paper argues that with the right network stunts they can avoid that.
22:10 < gmaxwell> well perhaps this paper will help then.
22:10 < gmaxwell> or make it worse.
22:10 < gmaxwell> if people think a 30% pool is doing bad things perhaps they'll join it.
22:10 < midnightmagic> it seems to me all this is already well-known.
22:11 < midnightmagic> (at least among people who care anyway)
22:11 < gmaxwell> well I don't think I had considered the ability to network-attack to shift the balance.
22:33 < petertodd> midnightmagic: my ELI5 explanation: https://bitcointalk.org/index.php?topic=324413.msg3484951#msg3484951
22:35 < petertodd> Basically the attack leverages an investment in low-latency nodes and networks - if all miners do it the miner that wins is the one with the least-latency per dollar, very roughly speaking.
22:36 < petertodd> Unfortunately least-latency per dollar is very likely to mean "huge up-front costs", a strong-centralization force.
22:58 < midnightmagic> hrm..
23:14 < midnightmagic> p2pool blocks seem a tad inoculated against it.
23:18 < petertodd> why?
23:18 < midnightmagic> p2pool simultaneously releases blocks to all member bitcoind when a successful p2pool share exceeds bitcoin target
23:19 < midnightmagic> ..  or so I thought
23:19 < petertodd> p2pool doesn't do anything "simultaneously" any more than the bitcoin network itself does
23:19 < midnightmagic> the p2pool share is smaller than a bitcoind block. its propagation is faster.
23:20 < midnightmagic> in a minor sense, we're already using the nature of p2pool to get our blocks broadcast faster than normal pools with monolithic network infrastructure can
23:22 < midnightmagic> this is probably why this new paper doesn't feel novel.
23:24 < midnightmagic> of course, gmaxwell can correct this in the event it's a misapprehension of p2pool operation
23:24 < midnightmagic> or forrestv
23:24  * midnightmagic waves.
23:27 < midnightmagic> of course, I guess they could just listen to the p2pool network for solutions and short-circuit us that way..
23:31 < midnightmagic> but we're still short-circuiting actual block propagation.. so..
23:31 < petertodd> exactly. I suspect this stuff will turn out to be latency driven, so a successful selfish miner will be one with access to low-latency optimized networking
23:32 < midnightmagic> if we presume our txn list is similar across the network, could we use a p2pool-like short-msg to propagate blocks more rapidly over the pre-existing network?
23:33 < midnightmagic> and thus make the attack more expensive, without convincing everyone to use p2pool subgroups
23:33 < petertodd> of course we could, but we'll still lose out to the guy with access to dedicated fiber arranged along min-distance great circles...
23:35 < amiller> you can use my bitcoin mapping technique to find the best number of people to connect to to be one hop away from everyone
23:36 < petertodd> amiller: email them! I spoke briefly in private with them, and they sounded interested in writing more papers
23:37 < midnightmagic> it would amuse me if the long-run fiber being contemplated in canada to avoid US traversal became a superior bitcoin-propagation network due to a decreased number of router fabric traversal
23:37 < midnightmagic> poor-man's geographic bisection
23:40 < petertodd> that would frighten me... I pointed out on the email list how in general orphans will encourage bitcoin mining pools, and even the hardware itself, to be centrally located geographically
23:58 < midnightmagic> petertodd: What would frighten you? Everyone moving to a bunch of p2pool subgroups or amiller's suggestion to map bitcoin and accelerate the coming of a new Mining Age? :)
23:58 < midnightmagic> not to mention possibility of network segmentation
23:59 < midnightmagic> also: amiller is this the mechanism you were discussing with me a while back?
23:59 < petertodd> heh, nah, just how it'd give strong incentives for everyone's pools to move to the same country/town/datacenter
23:59 < midnightmagic> ah, yeah for sure
--- Log closed Tue Nov 05 00:00:20 2013
--- Log opened Tue Nov 05 00:00:20 2013
00:05 < gmaxwell> p2pool effectively pre-forwards blocks to peers, and announces simultaneously from the whole p2pool network. in theory this confers some latency advantage, but it probably only just balances out poorly run nodes.
00:06 < gmaxwell> Although it's at 103.2% of its all-time expectation, and that includes a swath of working before those changes when it was at <100% (though now it's kind of relatively small compared to the current hashrate)
00:06 < gmaxwell> well, indeed "simultaneously"
00:06 < midnightmagic> gmaxwell: Are you able to translate this? https://twitter.com/eevee/status/397578223434752000
00:07 < gmaxwell> midnightmagic: the fix they propose introduces a vulnerability, though reasonable people could debate if it were better or worse.
17:03 < gmaxwell> jtimon: at some point it becomes "look, just donate a @#$@ dollar to us, as it'll let us do 1000x more computation than we could do if we used you"
17:03 < maaku> jtimon: no it's only in the range of 3-5 repetitions, max
17:03 < jtimon> I see
17:04 < gmaxwell> since users do many jobs if they assume users will cheat consistently I assume they don't need many reps to actually be reasonably confident that a user isn't cheating.
17:04 < jtimon> it was maaku who made me believe in that curecoin dream first, so shame on you ;)
17:05 < gmaxwell> It's good to dream.
17:05 < maaku> well snark proved useless for that, but curecoin is easily adopted onto colored coins
17:05 < jtimon> yeah, gmaxwell I was assuming they were "overconfident on their users" but that was 100x
17:05 < maaku> especially with the new boinc point system
17:06 < jtimon> have you heard about gridcoin?
17:06 < gmaxwell> I'm not yet sure how important it is that the work be worthless, but I'll point out that the difficulty adjustment in bitcoin at least drives the system so that the profit from mining tends to 0. So if 99% of your mining profit comes from the side effect work, the incentive to not use your hashpower to attack (or rent it to someone else who _might_ use it to attack) isn't terribly great
17:06 < gmaxwell> I think for something like boinc remote attestation is probably more useful than SNARKs.
17:07 < jtimon> my friends like grindcore, but that's a different topic
17:07 < jtimon> gmaxwell the problem is not really profits but the value destroyed
17:08 < jtimon> in bitcoin the problem is only in the initial issuance, but in freicoin it's perpetual
17:08 < gmaxwell> jtimon: it's no more "value destroyed" than the cost of building a safe or the guy who sits guarding it instead of writing the great american novel.
17:09 < jtimon> what bitcoin does is maximizing production costs to minimize seigniorage
17:09 < jtimon> no, gmaxwell, that's when the 21 M are issued
17:09 < gmaxwell> jtimon: hm? we need high hashpower forever to have acceptable security. Worse we don't have a control loop to set it. maybe less bad than freicoin though since 5% may turn out to be way out of whack if freicoin is widely adopted.
17:10 < jtimon> yeah our concern is 5% being too much security
17:11 < jtimon> if it's too little tx fees are supposed to cover the rest, aren't they?
17:11 < gmaxwell> jtimon: yea but there is no control loop to make sure it does.
17:11 < gmaxwell> Since the system can't detect insecure.
17:12 < jtimon> can we, humans?
17:12 < gmaxwell> If everyone was still cpu mining you could have a difficulty floor that nodes imposed based on how fast they personally could hash... but in the current environment we have no way to achieve a decentralized control loop on the minimum difficulty.
17:13 < gmaxwell> Even humans are bad at detecting insecure until it's too late, the system doesn't fail especially softly.
17:13 < jtimon> my point is that in this case it is directly impossible for the machine
17:14 < gmaxwell> and I expect that if bitcoin is a big thing in the future and if it does fall too low that will be the excuse states need to step in and say "this decentralized thing failed, obviously we need central bank signed blocks from now on"
17:14 < jtimon> the algorithm cannot be based on something exterior
17:14 < gmaxwell> well I dunno, for example, I do have some interesting ideas, but I think they're too weak.
17:14 < maaku> gmaxwell: i think what jtimon is alluding to is freicoin's plan to use proof-of-stake voting process to determine what percent-of-the-5% is given to the miners (vs. distributed through other means)
17:14 < gmaxwell> maaku: most of those schemes reduce to "miners control" because miners can censor the vote.
17:15 < maaku> so humans through proof-of-stake voting determine the amount of perpetual demurrage adjustment paid towards security, and therefore the break-even difficulty
17:15 < maaku> gmaxwell: hence my recurring interest in this channel in a voting scheme that avoids that, through committed/encrypted votes or some other mechanism
17:15 < jtimon> but the security needed is always proportional to the value transacted, no?
17:15 < gmaxwell> RE: other interesting ideas, here is my best, but it only works retrospectively: if you show the network a long fork, any node you show it could impose a minimum difficulty of some multiple of that in the fork.
17:16 < jtimon> mhmm
17:16 < jtimon> yeah, as you announced it, weak, but interesting
17:16 < gmaxwell> jtimon: no, in a consensus ledger system the value transacted isn't in a simple relationship with security, because the invalidation of your $0.01 transaction could invalidate a $100000 transaction.
17:18 < gmaxwell> I just don't know how to make that fork-minimum difficulty scheme work prior to a devastating attack, except via altruists that use it to peg up the difficulty.
17:18 < jtimon> gmaxwell, yeah, because inputs/outputs are not accounts, I never thought of it that way
17:19 < jtimon> so it is completely impossible to have an appropriate security regulated from within, again, that's not a fatal flaw
17:19 < gmaxwell> I am no longer so quick. I used to say a secure decentralized consensus system was impossible.
17:19 < jtimon> you just need to soft-fork minimum fees...wait I don't want to go that route
17:20 < gmaxwell> miner collusion breaks a lot of other assumptions in the system.
17:20 < gmaxwell> Maybe it would be tolerable in something where everything was encrypted and anonymous and collusion couldn't usefully be used to do other things.
17:20 < jtimon> hehe, yeah, I think many of us knew bitcoin like that "look, this impossible thing turned out to be possible"
17:20 < gmaxwell> but even then, thats not a security control loop.
17:21 < jtimon> you want feedback
17:22 < jtimon> and I'm telling you you can't hear anything from the outside because the outside is real and you're not
17:22 < jtimon> "you" are the network
17:23 < gmaxwell> jtimon: for example, we can happily prevent miners from advancing the network clock far into the future and mining up all the coins.
17:23 < jtimon> "because the outside is real and you're not" wasn't very appropriate
17:23 < gmaxwell> if security were detectable by single nodes, we could enforce security the same way.
17:23 < gmaxwell> E.g. if the best you could do was cpu mining and cpus were relatively consistent, then every node could enforce a minimum reasonable difficulty based on their own speed.
17:30 < midnightmagic> whoah. no route to host?!
17:33 < midnightmagic> jtimon: Are you on dialup or something?
17:34 < jtimon> sorry, my laptop died
17:37 < jtimon> and I have to dinner...
17:37 < jtimon> minimum difficulty intuitively sounds bad though
19:17 < jgarzik> This is fun: http://www.foreignpolicy.com/articles/2013/11/19/stuxnets_secret_twin_iran_nukes_cyber_attack?page=full
19:18 < jgarzik> Iranians compensated for unreliable centrifuges with volume, just like we compensate for unreliable P2P nodes with volume
20:06 < maaku> Iran's cyber security gurus: "we keep building you secure facilities, and you total newbs keep plugging in usb drives you found in the f@*&ing street"
--- Log closed Sun Dec 01 00:00:22 2013
--- Log opened Sun Dec 01 00:00:22 2013
04:46 < fagmuffinz> I hear you're all smart as fuck
05:06  * gmaxwell puts on his robe and wizard hat
05:09 < Mike_B> here's a question that probably belongs here rather than #bitcoin-pricetalk... i've been thinking a lot about generalized PoW functions, and how to make sense of them from the standpoint of computational complexity. has anyone worked that out before?
05:09 < Mike_B> for instance
05:09 < Mike_B> let's say hashcash is a function hashcash(input, nonce, d), where d is difficulty, written in unary. given that definition of hashcash, it'd be in TFNP, right?
05:10 < Mike_B> sorry, to be clear, i'm envisioning d as "number of leading zeros," or something like that
05:11 < gmaxwell> right you're being clear, but you may want to repeat that in a few hours when adam3us rejoins, since I'm sure he'll be interested too. :)
05:11 < Mike_B> so that brute forcing a solution is O(exp(d)), but checking a solution is O(whatever SHA256 is)
05:11 < Mike_B> oh is that adam back?
05:12 < gmaxwell> (there is some interesting history on hashcash about the target, apparently the idea of just using a trivial preimage was a later idea... IIRC from comments adam made in the past)
05:12 < gmaxwell> Yea.
05:12 < azariah4_> Mike_B: it would depend on the algo in question though, not sure how much one can say about it in the generalized case
05:13 < Mike_B> gmaxwell: yep, i read the hashcash paper and i saw where he talked about someone suggesting later to just use x leading 0s
05:13 < gmaxwell> well if you want to talk about the difficulty of partial preimages, I suppose the complexity depends on the distribution of the values. e.g. I can give you a constant time hashcash, the hash function always returns all zeros, for example.
05:13 < azariah4_> in general hash functions have 2^B where B is number of bits to brute force and constant time to verify
05:14 < azariah4_> though technically it's not constant I guess, but also depends on number of bits, which is just constant on modern CPU archs if e.g. the number of bits fits in 2 words
05:15 < Mike_B> gmaxwell: yeah, i guess i'm making the assumption that the probability distribution for which things hash to which SHA256 hashes is totally flat
05:15 < Mike_B> (i could formalize that nicely with natural density if you like)
05:16 < Mike_B> but i suppose it could be the case that SHA256 doesn't have anything hashing to less than a certain max value, so that if difficulty is less than that, hashcash will never halt
05:16 < Mike_B> azariah4_: yes i agree
07:51 < petertodd> So secure timestamping - or to be exact ordering - is necessary but not sufficient: a timestamp is only valuable if I can be guaranteed to know about the conflicting transaction. Thus the blockchain serves as a publication medium, where anyone accepting a payment can be confident that by looking in the blockchain they are aware of all possible double-spends.
07:52 < adam3us> petertodd: i am unclear why you say readership though - the fact that a random powerful miner (or a lucky weak miner) voted on a tx does not guarantee that everyone saw it
07:52 < petertodd> Of course, because double-spends are invalid, *as an optimization* we don't allow them into blocks. But remember, that's just an optimization!
07:52 < adam3us> petertodd: ok yes, we are saying the same thing
07:52 < petertodd> Sure, but it is proof that the people doing the miner saw it.
07:53 < petertodd> Yeah, and currently Bitcoin is a really, really primitive proof-of-publication system, because the blockchain itself has no structure, so to convince *yourself* that a double spend doesn't exist you need the whole damn thing.
07:53 < adam3us> petertodd: i made an observation that an auditable namespace is actually the same function .. ie if you set the txout to the name you can build that on a decentralized auditable namespace, or conversely you can use bitcoin as an auditable namespace if you encode your name in the txout (or in its hash inputs)
07:53 < petertodd> Yup.
07:54 < petertodd> So, UTXO commitments are then just a way of getting proof that some data - a spend of the txout - was *not* published in the blockchain without having the whole chain.
07:54 < adam3us> petertodd: hence namecoin - i guess those guys saw the same thing as their motivation but i wrote about auditable namespace in 2001 http://www.cypherspace.org/p2p/auditable-namespace.html
07:55 < adam3us> petertodd: (not so interesting) but it's a useful simple concept to think about
07:56 < adam3us> petertodd: yes.  so is this the idea to encode them in a trie so you can more efficiently have a compact proof of present/notpresent in a tree?
07:56 < petertodd> So back to our original point about decoupling, when it comes to proof-of-publication, using proof-of-stake to prove publication would actually be totally reasonable. (for instance)
07:56 < petertodd> adam3us: Yes: take the whole UTXO set, put it in a merkelized radix tree, and commit to the top-level hash in the block somewhere.
07:56 < adam3us> petertodd: yes i think proof of stake is an interesting strengthening factor over pure mining anti-sybil, it maybe able to help
07:56 < petertodd> Even though proof-of-stake for mining reward is horribly flawed.
07:59 < petertodd> Yeah, I think proof-of-stake is going to be found to be a necessary but not sufficient requirement to get new crypto-coin systems bootstrapped in the future.
08:00 < adam3us> petertodd: k lets continue this problem definition .. i feel you should possibly sleep :) and i need some breakfast its 1pm here :)
08:00 < petertodd> So, as an example, you could have a proof-of-publication by proof-of-stake coin that looked like this: 1) assume the existence of a secure timestamping service 2) publish transactions to a blockchain 3) use proof-of-stake to show that a supermajority of coin owners know about the transaction 4) trust any transaction that everyone knows about.
08:00 < petertodd> ha, nah, I woke up crazy early...
08:01 < petertodd> *that everyone knows about and isn't a double-spend
08:04 < adam3us> petertodd: ok ... i think its interesting that other than spv clients you dont even need validation (miners to check inputs add up etc) just double use of signature (ordering enforcement or namespace of txouts)
08:04 < adam3us> petertodd: it maybe that one way to untangle the dependencies would be to say screw spv, try to improve things without it then get the optimal solution, and try to figure how to resupport spv afterwards
08:05 < adam3us> petertodd: otherwise i think we're stuck in a local design maxima area of very polished satoshi design but possibly non-global optimum
08:06 < petertodd> Interesting isn't it? Bitcoin could have absolutely been designed as a system that did nothing more than give miners the opportunity to create arbitrary 1MB blocks of data; what that data actually means can be determined later by upper layers in the system.
08:06 < adam3us> petertodd: (i know a gifted programmer/crypto guy who makes very elegant, clever but entangled designs, one of my satoshi suspects)
08:07 < petertodd> adam3us: heh, entangled is a great word for this.
08:07 < adam3us> petertodd: and i think it wouldve been a better system for it
08:07 < petertodd> Me too! Pushing validation to clients is a very good thing for the security of the system as a whole.
08:08 < adam3us> petertodd: yes less smarts in the network enforced rules = more security from coding bug mishap
08:08 < petertodd> Interestingly parasitic consensus systems like Mastercoin and Colored Coins are re-learning this, although I don't think the people behind them fully understand this stuff. (or even partially understand)
08:08 < petertodd> Yeah, of course, having some structure in blocks sure is convenient, but just don't forget that the structure is purely an optimization.
08:09 < petertodd> (yet another thing I need to write a paper on...)
08:09 < adam3us> petertodd: dont you need ordered chunks in blocks?
08:10 < adam3us> petertodd: ie like hash of public key or something with enforced non double use
08:10 < adam3us> petertodd: with committed transactions thats actually all i ended up relying on - the network validation is disabled as it cant read the tx contents, cant tell who is paying who how much
08:10 < petertodd> Nope. Just validate the whole chain and make sure the transaction was the first one spending the txout. Subsequent ones can be ignored.
08:11 < petertodd> Again, the fact that subsequent ones are *banned* allows you to *optimize* by only reading part of the chain, but that's an optimization, not a requirement.
08:11 < adam3us> petertodd: i see, even better; all you need is a timestamping server
08:12 < adam3us> petertodd: maybe you could scale via a tree of time-stamp servers
08:12 < petertodd> Yup. And this line of thinking shows you how the "proof-of-publication" domain required is on a per-txout basis: you need to know about double-spends for a particular txout, not all double-spends.
08:12 < petertodd> Obviously this is inherently shardable!
08:13 < adam3us> petertodd: yes thats an interesting line; however maybe you also need to know the non-double spent status of the previous 6-blocks worth of inputs the output depends on
08:14 < adam3us> petertodd: well i guess you mean youre validating them all anyway so just wait until the tx you care about is 6-blocks deep
08:14 < petertodd> For instance, you could define a system where every Bitcoin node maintains some small part of the TXO space, ordered lexicographically: the blockchain still exists as a means of timestamping/ordering data, and you can determine if a double-spend exists by examining whatever small shard of the TXO data would have a spend of your transaction.
08:15 < adam3us> petertodd: yes
08:15 < petertodd> The definition is now that a transaction is considered confirmed once the proof-of-publication is sufficiently confirmed.
08:15 < adam3us> petertodd: yes
08:15 < petertodd> Wonderful isn't it?
08:15 < adam3us> petertodd: yes thats pretty f'ing cool :)
08:15 < petertodd> You don't even need to care if other inputs to the transaction are valid! That's the responsibility of the receiver to check, not the miner!
08:16 < adam3us> petertodd: right, ala committed transactions
08:16 < petertodd> If a transaction is invalid because some inputs were double-spent, so what? That's just some extra baggage in the blockchain.
08:16 < adam3us> petertodd: so long as they pay fees for their baggage it no worse than mastercoin
08:17 < petertodd> You also don't need to know about those inputs either: they can be hidden behind a merkle tree, and the miner doesn't need to have them.
08:17 < petertodd> Yup
08:17 < adam3us> petertodd: yes i reached somewhat analogous conclusion in thinking about the limits of respending committed transactions without revealing to the block chain
08:18 < adam3us> petertodd: does it reduce blockchain bandwidth though?
08:19 < petertodd> So the only issue with this, is you need *some* way to control the total volume of data, but that's not a big problem: shard this data into more and less expensive versions. Now you can determine what security level you're interested in, while allowing people with really low-value transactions the ability to play in their dangerous playground.
08:19 < adam3us> petertodd: i am thinking it maybe could, with committed tx a problem i ran into was people stuffing the blockchain with forged spends, making your tx unspendable as you couldnt prove that spend was faked
08:19 < petertodd> adam3us: summed over the whole system, no, but the increase is along the lines of log(n), however it does reduce the minimum bandwidth required, and that's the important part
08:19 < adam3us> petertodd: but other than that (and maybe there are other ways to fix that with protocol changes) all you need is a hash output
08:20 < adam3us> petertodd: so the other thing i was thinking, is order doesnt actually matter
08:20 < adam3us> petertodd: ie you need to known an order, but you dont care which order is chosen it could be random for all you care
08:21 < petertodd> Right. So a subtlety here is that for the sharding to be useful, if a transaction spends a txout it must be considered a valid spend regardless of whether or not the rest of the transaction is invalid.
08:21 < petertodd> What do you mean by random?
00:17 < HM> it's high street and investment banks that people think of as the devil
00:17 < HM> so just use cash, right?
00:18 < gmaxwell> HM: if you've not read http://p2pfoundation.ning.com/forum/topics/bitcoin-open-source
00:19 < gmaxwell> But I absolutely do think that a lot of people worry about central banks, for a great many reasons... (some more dumb than others e.g. inflation seems to be the most worried about thing, but its probably one of the less harmful things. They engage in incredible acts of economic distortion on a worldwide scale.)
00:21 < gmaxwell> We've invented what amounts to national-scale indentured servitude substantially via the excessive economic power of central banks, which props up worldwide wealth inequality. (And even if I were some kind of inhumane pure libertarian I would still observe that wealth distributions which are too unequal are not just socially unfair, they're objectively inefficient and lower mankind's longterm odds of survival.)
00:24 < HM> I've not really made up my mind on all that stuff
00:26 < gmaxwell> well the proof that too much inequality is inefficient is pretty simple, though it doesn't tell you exactly where too much is:  at some point the have-nots will find it in their best interest to take by force, and so increasing amounts of resources have to be diverted to preventing that or defending from it. In the end, cooperation has certain fundamental efficiencies. :)
00:33 < HM> competition and war is also a fairly good equaliser
00:34 < HM> if you're in competition or in a battle, the stable state is parity
00:35 < HM> if you suck, you'll die. if you're too good, they die. either way the competition ends. if it is to continue then parity has to be achieved.
00:36 < HM> it's not clear to me how cooperation is naturally efficient
00:36 < HM> you can pool resources but you can do that through trade
00:38 < Luke-Jr> cooperation/dependency is efficient because you have each person specialise in their one task
00:39 < Luke-Jr> (on the other hand, it has scaling issues at a point)
00:43 < HM> I guess the bottom line is, i'm not yet convinced that monetising debt and loose cannon central banks are really a new kind of threat to society
00:44 < HM> forcing the money supply to grow means you're forcing people to fill the world with goods and services or face desperate inflation and unemployment and mockery from other nations or whatever
00:45 < HM> but everyones doing it, so it's a bit more like an arms race than anything else
00:45 < amiller> the whole concept of money is a wrong design, it only works if it's "universal," by definition, and it's unrealistic to make it universal
00:46 < HM> i can't agree with that
00:47 < amiller> if economists realized how difficult even 'barter' is to enforce without police, the whole mythic story of money would be a lot different
00:48 < HM> if every nation had their own sovereign bitcoin
00:49 < HM> nobody would be able to set an exchange
00:50 < amiller> that's invalid, there's plenty of exchange between bitcoin and the other goofball knockoffs
01:00 < HM> I'm not so sure it'd work. I think a bit of currency manipulation, while negative overall, can help to smooth off the sharp edges when it comes to trade imbalances
01:07 < HM> i guess what you mean by universal is the
01:07 < HM> not a universal bitcoin that can't be floated.
02:02 < gmaxwell> Someone should create a P2SH address that serves as a bounty for a SHA-256 collision. The script would be something like "OP_2DUP OP_NUMNOTEQUAL OP_VERIFY OP_SHA256 OP_SWAP OP_SHA256 OP_EQUALVERIFY"
02:05 < sipa> ha
02:06 < gmaxwell> We can do this for SHA1 too. :P which is actually more exciting, since that one is more likely to happen.
02:06 < sipa> is there a sha1 opcode?
02:06 < gmaxwell> yup.
02:06 < sipa> orly?
02:07 < gmaxwell> OP_RIPEMD160 / OP_SHA1 / OP_SHA256 / OP_HASH160 / OP_HASH256 (the last is sha256^2 of course)
02:07 < gmaxwell> I think the idea was to use them for binding external systems.
02:11 < gmaxwell> I'm a little surprised that no such bounties already exist.
02:11 < gmaxwell> I looked through every singular unusual script in the utxo set and there is basically nothing interesting there.
02:12 < gmaxwell> (well, there were 5 anyone-can-takes which I took, and a single puzzle one for 0.09 btc which I solved. And I will not be surprised if petertodd made that one)
02:13 < gmaxwell> there may be other puzzles but they're ones that involve just guessing the keys.
10:37 < Luke-Jr> psst, come play https://github.com/chronokings/chronokings on testnet with me :P
10:43 < michagogo> Luke-Jr: What is it?
10:43 < Luke-Jr> michagogo: blockchain-based game
10:44 < michagogo> What do I need to get it working?
11:21 < Luke-Jr> michagogo: qmake && make
11:23 < michagogo> Luke-Jr: On Windows?
11:45 < Luke-Jr> michagogo: good luck :P
11:45 < michagogo> Luke-Jr: lol
11:45 < michagogo> What are the dependencies?
11:45 < michagogo> I guess I could boot up my vm
11:45 < Luke-Jr> same as Namecoin-Qt I guess
11:46 < michagogo> Namecoin-Qt?
11:50 < michagogo> Luke-Jr: Hmm, just noticed https://github.com/chronokings/chronokings/blob/master/contrib/easywinbuilder/README.md
11:50 < michagogo> I'll give it a try
14:12 < michagogo> Luke-Jr: Meh, can't get it to build
14:13 < michagogo> Not even in an Ubuntu vm
22:29 < gmaxwell> sipa: in your libsecp256k1 can't you eliminate/highly abbreviate the secp256k1_ge_is_valid when using a compressed key?  I think for our curve the definition of being a valid point is not being the point at infinity, and the same y criteria as public key recovery.
22:30 < gmaxwell> sipa: if so, that should make your code a bit faster for compressed keys. (actually, I think it would make compressed keys almost the same speed as non-compressed ones)
22:32 < gmaxwell> (I was looking to see if various things checked that the public point was valid seeing if I can break anything with the fact that the twist of secp256k1 can easily have the DLP solved for it)
23:32 < gmaxwell> (I was impressed that the 'factor' command could handle 1286578769603068245382716924545379906921918859152521322839515520912848165551 )
23:32 < gmaxwell> (a 256 bit number)
23:39 < gmaxwell> Luke-Jr: did you get that game working? I think I just got it compiled.
23:40 < Luke-Jr> gmaxwell: yeah, played for a bit and got bored :P
23:40 < Luke-Jr> guess I can hop back on
23:40 < gmaxwell> do I just run the resulting executable does it need a node running?
23:40 < gmaxwell> is it namecoin based?
23:41 < Luke-Jr> it seems to just work
23:41 < Luke-Jr> yes
23:41 < Luke-Jr> bah, someone killed me again I think
23:41 < Luke-Jr> gmaxwell: note all activity is testnet
23:41  * Luke-Jr ponders if Eligius should have rate-limited it
23:41 < Luke-Jr> (mining, I mean)
23:42 < gmaxwell> oh, its namecoin testnet?
23:42 < Luke-Jr> I hope not the real namecoin one!
23:42 < Luke-Jr> I would feel bad for polluting it
23:42 < gmaxwell> I don't appear to be connected.
23:43 < Luke-Jr> hrm
23:43 < gmaxwell> got a node I can -connect?
23:44 < Luke-Jr> wait, UPnP is broken
23:44 < Luke-Jr> so that won't work :/
23:44 < Luke-Jr> try 192.241.222.65
23:45 < Luke-Jr> hrm
23:45 < Luke-Jr> my client keeps crashing due to memory allocation failures :/
23:46 < gmaxwell> hacking directly on the client is a dumb way to implement something like this. :P
23:47 < Luke-Jr> :p
23:48 < gmaxwell> yea, can't reach that host.
--- Log closed Tue Sep 10 00:00:23 2013
--- Log opened Tue Sep 10 00:00:23 2013
01:05 < sipa> gmaxwell: only around 50% of possible x coordinates lie on the curve
01:05 < sipa> as for each x, there are 2 y coordinates
01:06 < sipa> and the field and group sizes are very similar
01:06 < gmaxwell> yes they're similar, but the twist group order has a bunch of factors.
01:06 < gmaxwell> So it should be pretty inexpensive to solve the DLP over it (though I've never done it!)
01:06 < gmaxwell> (maybe I should try)
01:08 < gmaxwell> sipa: I guess I knew that 50% of the X were on the curve, as I wrote that to mike in an email this morning! but after staring at a bunch of math I wasn't seeing the missing condition after key recovery.
01:08 < gmaxwell> I guess I'll work it out on paper.
01:09 < phantomcircuit> gmaxwell, hehe
01:09 < phantomcircuit> i hate when that happens
01:10 < phantomcircuit> "WAIT I KNOW THIS"
01:10 < gmaxwell> it's not too hard to reason yourself into corners.
01:17 < gmaxwell> sipa: fwiw, http://en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm
01:23 < Luke-Jr> gmaxwell: do HD wallets have a possible privacy vulnerability where if you can identify N of them maybe-in-sequence, you can figure out the master pubkey?
01:25 < gmaxwell> Luke-Jr: No, not without like .. most impressive crypto break ever.
01:25 < Luke-Jr> hmm ok
01:27 < gmaxwell> the most obvious way to do this would be to crack two of their private keys in sequence, then find their difference, then search for an extended public key, i such that i and i+1 give you that difference. This is made hard because the extended public key goes through sha512 hmac.
13:55 < Guest4867> gmaxwell: re CoinJoin: if the outputs are sorted by signature, then doesn't that achieve a random shuffle?
13:55 < Guest4867> in other words the person proposing the join no longer knows the identity of outputs
13:56 < maaku> ^^ was me
13:58 < maaku> the participant contributes a blinding, and the proposer contributes the signature, but separately there's no way for either party to figure out what the unblinded signature will be, and therefore the final ordering
14:00 < gmaxwell> I think that sounds fine, but I may not understand what you're trying to solve there. e.g. just putting them in the order they were disclosed would be okay if parties waited random amounts of time to disclose
20:51 < gmaxwell> that bit itself isn't secure, since someone could find another message where all the words had higher values than your message, but you can add a couple more checksum words, e.g. 3 for the case of 64 words. with their heights set to a sum of the others such that you can't reduce any of the message words without increasing at least one of checksum words.
20:52 < gmaxwell> in any case, that covers both the kinds of branching we've talked about.
20:54 < gmaxwell> so I suspect that if our language is done well, it actually reduces to one of these hash signatures... it's just doing some extra execution along the way. :P
20:54 < gmaxwell> or at least these signature schemes should express themselves very naturally in the script.
20:57 < gmaxwell> sipa: so here is another kind of 'choice': a choice where the permitted script is provided by the ScriptSig, validated by a key provided in the script and a checksig instead of a hash in the script.
20:57 < sipa> gmaxwell: actually, that fold operator can just be encoded using choice
20:57 < sipa> at every iteration you do a choice that just contains another instance of f
20:57 < gmaxwell> choiceL( choice(choice()))
20:57 < gmaxwell> yea..
20:58 < sipa> of course, if you provide a normal language construct for fold
20:58 < sipa> as an optimization
20:59 < sipa> you could provide a merkleizing one too
21:01 < gmaxwell> adam3us: So, is there a way with ECDSA, given three messages pick a pubkey,r,s  such that pubkey,r,s is a valid signature of any one of the three messages?
21:02 < gmaxwell> I guess pubkey,r,s isn't going to be smaller for just three. Alas.
21:02 < gmaxwell> (so much for my ghetto homomorphic hash idea. :P)
21:19 < jcrubino> is there a workbook for bitcoin wizards in training?
21:22 < gmaxwell> No. I suppose I should make a references list?
21:22 < gmaxwell> a lot of the things we discuss have no references though.
21:22 < gmaxwell> E.g. I can't cite anything for merkelized abstract syntax trees.
21:30 < sipa> roconnor came up with those in an IRC pm with me :)
21:44 < petertodd> jcrubino: I keep threatening to write a book
21:44 < jcrubino> petertodd: I'll help
21:44 < jcrubino> Is it possible to download the dev mailing list from source forge?
21:45 < petertodd> jcrubino: I don't think so
21:45 < petertodd> how far back do you want?
21:47 < jcrubino> As far back as can be got
21:47 < jcrubino> I would like to do this: http://www.princeton.edu/~achaney/tmve/wiki100k/browse/topic-presence.html
21:47 < jcrubino> for the mailing lists
21:48 < jcrubino> tldr: topic modeling of the message contents
21:49 < petertodd> jcrubino: I've only got just under a years worth
21:50 < jcrubino> I could post to bitcointalk to ask for donations; but not sure how uniform they will be coming from different mail clients
21:51 < petertodd> jcrubino: well, test should be same I guess?
21:51 < petertodd> you can compare against different peoples copies by message id
21:56 < jcrubino> petertodd: how close to live release is mastercoin?
21:56 < petertodd> jcrubino: it has been released, for some value of "release"
21:56 < petertodd> jcrubino: there's live code out there that lets you move mastercoins around - is that useful however? good question
21:56 < jcrubino> true enough
21:57 < jcrubino> I was going to ask what is going to be the first real world use case and then I remembered Willets original slide presentations
21:58 < petertodd> ...and what did you remember?
21:58 < jcrubino> A better question then is how far is bitcoin from 2.0?
21:58 < sipa> we're not even at 1.0...
21:58 < jcrubino> The good and the bad; he included it all
22:01 < jcrubino> sipa: will we have no idea what 2.0 will be until we get there?
22:02 < sipa> i suppose
22:02 < petertodd> jcrubino: huh, interesting view of it... I'd say JR didn't include much at all, at least from what I remember
22:02 < petertodd> jcrubino: there will be multiple competing 2.0's is my prediction
22:02 < sipa> yeah
22:05 < jcrubino> ok wizards what is the most important thing to grok about bitcoin at the protocol level for wizards in training to be effective developers?
22:07 < sipa> i doubt wizards are a subser of developers
22:07 < sipa> *subset
22:07 < sipa> here it's much more about things that are cool to think about, beyond-bitcoin
22:07 < sipa> some that may be far from ever being implemented
22:08 < sipa> i see myself much more as a developer than as a wizard (mostly because of lack of time to keep up...)
22:09 < petertodd> sipa: agreed, and in the exact opposite situation personally
22:11 < andytoshi> jcrubino: the first reference i was given here was about random oracles, and that led me through a very enlightening reference chase:
22:11 < petertodd> jcrubino: I think the most fundamental thing I've discovered is the concepts of how mining can be separated into timestamping and proof-of-publication
22:11 < andytoshi> http://blog.cryptographyengineering.com/2011/09/what-is-random-oracle-model-and-why.html
22:11 < andytoshi> http://blog.cryptographyengineering.com/2011/09/what-is-random-oracle-model-and-why.html
22:11 < andytoshi> http://cseweb.ucsd.edu/users/mihir/papers/ro.html
22:11 < andytoshi> also see the fiat-shamir paper and 'probabilistic encryption' by goldwasser and micali
22:11 < andytoshi> if you can grok all those, that's enough background to ask intelligent questions re the crypto discussion
22:12 < andytoshi> petertodd: you have a writeup about this which i think is a very concise introduction to that idea
22:13 < andytoshi> i've lost the link and i didn't actually read it the first time, but that was my impression from the first few paragraphs :P
22:13 < andytoshi> s/concise/detailed
22:13 < petertodd> andytoshi: thanks
22:13 < jcrubino> thank you all, looks like some great reads
22:14 < petertodd> andytoshi: and I think that good writeup is also another important wizard lesson about Bitcoin: it's actually got very little to do with cryptography as you normally think of it
22:15 < andytoshi> petertodd: agreed, the regular crypto is necessary to banter about specific signature schemes (and to understand security models), but distributed consensus is its own field
22:17 < andytoshi> people here are very good at designing protocols which use bitcoin as a secure timestamp oracle, something i haven't quite got the hang of
22:17 < petertodd> andytoshi: yeah, and furthermore *decentralized* distributed consensus is its own field again, notably a field where discussions of things like politics actually are relevant
22:19 < andytoshi> petertodd: yeah, i had a non-bitcoin-related political discussion earlier today and i realized that my naive libertarian beliefs have been greatly changed by discussion here about incentive structures in decentralized systems
22:20 < andytoshi> at that distance, i suppose it's just game theory, but decentralized distributed consensus systems give a very efficient model of this
22:20 < andytoshi> where a lot of the noise of human interaction is removed (by design) thanks to the trustless protocols
22:22 < petertodd> yup, and a very unforgiving model too, where you get to deal with relatively non-ideal participants
22:22 < gmaxwell> well when you spend a lot of time thinking in an adversarial model it changes how you think.
22:23 < gmaxwell> Normal thinking is strongly biased to thinking about the common cases, adversarial model thinking is biased to spend time thinking about the worst possible outcome.
22:25 < petertodd> which is what the non-wizards find so hard to deal with - witness the discussions of GHas.IO for instance
22:29 < gmaxwell> petertodd: I've found it interesting that people think there is no issue, then they get this "51% attack" idea in their head and think that like if ghash.io gets 51% then suddenly all the bitcoins will be theirs and then that misconception is removed and they're back to saying that there is no issue at all.
22:30 < gmaxwell> I guess this happens with all things.   Foo causes cancer! No it doesn't. Oh great! Everyone eat foo! Wait wait.
22:30 < petertodd> gmaxwell: suggests to me that people don't really understand the nature of the signatures in transactions, heck, likely they don't understand them at all
22:31 < CodeShark> most bitcoin users still probably believe that their bitcoins actually reside on their own computers and that addresses are where they are actually kept
22:32 < petertodd> CodeShark: oh, that's a good addition to the -wizards basic training list: understand semiotics and the distinction between sign, signified, and signifier
22:32 < gmaxwell> CodeShark: well the whole question of 'residing' deserves a Mu.
22:35 < gmaxwell> The answer "in the blockchain" is also wrong thinking what happens if a blockchain is MMR compressed and only you have the data to prove your coins exists? Is it back in your possession now? What if that data has been further split into multiple parts with an error correcting code and spread to multiple machines. Now where does the coin reside?
22:35 < andytoshi> gmaxwell: oh, Mu is a very clean answer, thanks
22:36 < petertodd> gmaxwell: a good counter-question to that fallacy is to ask people where does the song "Happy Birthday" reside exactly?
22:36 < andytoshi> gmaxwell: i spent an hour with a math grad the other day describing various cryptosystems and asking "where is the information stored"?
22:36 < gmaxwell> (and of course even ignoring MMR and whatnot wizards wank, it's kind of surprising to say something "resides" someplace public but can't be taken from there by anyone with access)
22:38 < gmaxwell> But also equally insane to say something like a coin resides with its private key, when the private key could be on a relativistic rocket and forever causally disconnected from any payments to it... :)
10:33 < andytoshi> at this point it's probably okay to do so without irritating anyone
10:34 < andytoshi> ;;cjs
10:34 < gribble> Coinjoin Status: The current session is open for 15 more minutes. There are currently 1transactions in the pot. The most popular output value is 0.107428.
10:34 < andytoshi> ;;cjs 196bfaf16b1dbfb9
10:34 < gribble> Coinjoin Status: The current session is open for 15 more minutes. There are currently 1transactions in the pot. The most popular output value is 0.107428.
10:34 < andytoshi> hmm, it should say the codeword as long as you give it the hex..
10:34 < andytoshi> ;;cjs 196bfaf16b1dbfb9
10:34 < gribble> Coinjoin Status: Session Propaganda Aum 20755-6000 Privacy bet PRF : open for 15 more minutes. There are currently 1transactions in the pot. The most popular output value is 0.107428.
10:39 < jgarzik_> cute
11:31 < kinlo> 15 min is a bit short, no?
11:31 < andytoshi> kinlo: i think so, it's hard to say what would be optimal. if it's too long people will forget about it
11:32 < kinlo> true, you do want people to get it over with, sign within a certain time frame
11:32 < kinlo> but 15 min requires some coordination
11:32 < andytoshi> yeah -- but if you have coordination, 15 is almost too long :P
11:33 < kinlo> perhaps some kind of untimed participation would be better, just create one, get a private url to paste to those working together, then close off by the one creating it? :)
11:33 < kinlo> just brainstorming here
11:34 < andytoshi> nah, i like this, it minimizes the trust/obligation of the participants
11:34 < andytoshi> if it were popular, 15 minutes would be fine
11:35 < andytoshi> i just bumped it up to 20, we'll see how that works
11:35 < kinlo> I'm just considering the boycott options, if I just add into your transaction and never sign, the entire thing is going to fail
11:43 < andytoshi> yeah, that's also an argument for low timeouts
11:44 < andytoshi> if it gets to be a problem, i'll make people sign with their inputs, and blacklist them, and require more than 1 conf
11:44 < andytoshi> but i don't think so, it's a fairly complex technical and you don't get to see your victims' reactions
11:46 < andytoshi> technical troll*
11:49 < jgarzik_> like a technical virgin?
14:02 < michagogo|cloud> andytoshi: inputs are somewhat cheap :-/
14:07 < andytoshi> michagogo|cloud: this is true, the goal would be to rate-limit an attacker .. there's not much i can do with a UI like this
14:08 < andytoshi> maaku's design is entirely automatic, so it's easy to blacklist inputs then try again a second later
15:18 < petertodd> bitcoin source code from nov 2008: https://bitcointalk.org/index.php?topic=382374.0
15:41 < maaku> petertodd: do you have a link to your OP_CODE_SEPARATOR delegation thoughts?
15:42 < petertodd> maaku: https://bitcointalk.org/index.php?topic=255145.msg2773654#msg2773654
16:12 < maaku> in freimarkets we introduced a delegation separator, which works kinda opposite the way a code separator does
16:13 < maaku> and lets the delegated signer add restrictions
18:44 < sipa> https://github.com/bitcoin/bitcoin/pull/3370#issuecomment-31150656
18:50 <@gmaxwell> Thats the rule I believe we should have.
18:53 < andytoshi> there was a neat question on the mailing list requesting a document to explain distributed consensus systems to newbies
18:54 < andytoshi> idk how much of our language or concepts are standardized by this point
19:17 < TD> sipa: gavin is on vacation at the moment
19:17 < sipa> ok
19:20 < TD> sipa: it's not possible for two blocks to have identical time received, right? is this in case of future multi-threading?
19:20 < TD> (assuming a high enough resolution clock)
19:22 < sipa> it uses a microsecond clock, but that isn't available on windows
19:22 < sipa> actually, there should be no need for that
19:23 < sipa> just an incrementing sequence id
19:23 < TD> yeah
19:23 < TD> windows does have high resolution clock APIs
19:23 < sipa> good to bring that up
19:23 < sipa> yeah, but not available through the boost function we're using now
19:23 < sipa> in any case, sequence id is easier and faster
19:26 < TD> .. // Check trees node between the current best chain and the candidate.
19:26 < TD> that comment is a little unclear, imo
19:26 < TD> what's a "trees node"
19:26 < sipa> that comment makes no sense :)
19:30 < TD> sipa: what happens if a thread is interrupted whilst it's in the middle of re-organising in this new way?
19:30 < sipa> hmmm
19:31 < TD> i see interruption points, but no discussion of what happens if there's an abort
19:31 < sipa> you're right
19:31 < sipa> this could be a problem
19:32 < TD> i should add these comments to the github really
19:32 < sipa> please comment on the pullreq, not on the commits
19:32 < sipa> the commit comments sometimes get lost in rebasings
19:34 < TD> hmmm
19:34 < TD> i'm not sure how to do that. doesn't that lose the line references?
19:35 < sipa> yeah :(
19:35 < TD> oh well. no matter. you have comments in your inbox now
19:47 < sipa> TD: thanks
19:48 < TD> np
22:58 < andytoshi> is there a channel like #bitcoin except everyone is not illiterate?
23:00 < Luke-Jr> #eligius ?
23:58 < nanotube> andytoshi: heh maybe this one.
23:59 < andytoshi> :P i'd like to get a coinjoin going without the same five people :P
23:59 < andytoshi> oops, i put too many :P's in there..
--- Log closed Tue Dec 24 00:00:22 2013
--- Log opened Tue Dec 24 00:00:22 2013
00:06 < nanotube> one can never have too many :Ps. >_>
00:06 < nanotube> but i guess if you're looking for a larger audience, maybe -dev.
00:06 < nanotube> or make a forum post >_>
00:15 < andytoshi> yeah, i'll make a forum post
00:15 < andytoshi> and try to preempt all the "TL;DR" and "nobody will use it, too complicated" posts..
00:16 < maaku> or even #bitcoin
00:17 < andytoshi> well what prompted my question was, i tried it on #bitcoin, and was flooded with "too complicated, just a toy, tl;dr, nobody would ever use this"
00:17 < andytoshi> apparently if you can't do something better to bitch about it than to either learn or ignore it
00:21 <@gmaxwell> andytoshi: Bitcoin-otc might be a better venue.  People are silly, obviously its not for everyone.
00:22 <@gmaxwell> andytoshi: you should probably announce a time in advance in order to get people to expect to be there. E.g. I was thinking of organizing a weekly thing.
00:25 <@gmaxwell> andytoshi: as far as a channel with technically interested people... hell if I know. Bitcoin is a complete mystery to me in that respect.
01:19 < andytoshi> gmaxwell: well, thanks for the convo that just happened on #bitcoin then :P
01:19 < andytoshi> also, i don't have your comments on ed25519
01:19 < andytoshi> there was a power outage where my logger lives, i think it was then
03:37 < Emcy> andytoshi did you make a coinjoin bot or something
03:40 < _ingsoc> Is the code available?
10:16 < nsh> --
10:16 < nsh> Alfred Menezes, who has studied the new algorithm as a cryptographic researcher at the University of Waterloo in Ontario, Canada, calls it "a fantastic algorithm, a stunning development." He says, "If I were a company today considering the use of pairing-based cryptography, I would be terrified of using small-characteristic pairings." In one case he studied, the algorithm succeeds in
10:16 < nsh> 2^74 operations, vs. 2^103 operations with the previous best algorithm. "While the 2^74 computation is certainly a formidable challenge, with an organization like the NSA, it becomes feasible."
10:16 < nsh> -- http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext
10:18 < nsh> i'd like to see an animation of a las vegas descent tree algorithm in operation
10:33 < andytoshi> Emcy, _ingsoc_: no, ;;cjs just pings my website to get the current status
10:33 < andytoshi> the website is here: https://www.wpsoftware.net/coinjoin/ , the source to the interesting stuff is here: https://www.wpsoftware.net/coinjoin/
10:34 < andytoshi> but there's a lot of surrounding code which runs the website which is not public, it's too ugly
10:35 < andytoshi> i meant, the source is here: https://github.com/apoelstra/coinjoin
10:51 < Emcy> oh god rawtxs
10:52 < Emcy> A1 for effort, needs huge red 72pt warnings though
10:54 < andytoshi> there is quite a lot of work put into making it idiotproof
10:54 < andytoshi> i'm not a very creative idiot, but i can't think of what people could do wrong here
10:55 < Emcy> spending all change as fees is quite popular with the mortals who attempt to mess with rawtxs
10:56 < andytoshi> yeah, gmaxwell had a clever idea for that ... all the fees should be sent to a magic address, and the joiner does the fee calculations itself
10:57 < andytoshi> so submitted transactions are required to have inputs == outputs
10:59 < Emcy> is that possible in bitcoin right now
10:59 < andytoshi> no, the joiner actually modifies the transactions before asking for signatures
11:04 < michagogo|cloud> ;;cjs
11:04 < gribble> Coinjoin Status: There is no currently open session.
11:12 < Emcy> its a good start, but we know this all has to be completely transparent eventually if its going to make any real impact on the system
11:12 < michagogo|cloud> Emcy: AIUI, this isn't supposed to become what everyone uses, or make any real impact on the system
11:12 < michagogo|cloud> At least not as-is
11:13 < Emcy> this or CJ in general?
11:13 < Emcy> CJ absolutely has to work wide-scale, or something like it
11:14 < michagogo|cloud> Emcy: this
11:14 < michagogo|cloud> Not CJ in general, of course
11:14 < Emcy> the alternative is having such a powerful technology as bitcoin turned against us
11:15 < Emcy> and im kind of sick of seeing civil society forge its own chains by accident
11:23 < nsh> we are bound by no faster iron than our flocksome follies and unfounded fear
22:38 < warren> jgarzik: writing the irc micropayment thing?
22:38 < jgarzik> warren: Looking into doing so, yes
22:47 < jgarzik> Everybody tells me not to use twisted, but twisted sure seems to have all the gadgetry in their framework.
22:47 < jgarzik> Another option is process-based plugins:  have a master process, and then sub-processes (like IRC) are python scripts that the master will fork+exec, and communicate with via stdin/stdout
22:48 < jgarzik> then I don't care whether my IRC library and my Jabber library want to use different frameworks
22:48 < jgarzik> and things are largely language independent
22:51 <@gmaxwell> +1 to processes. :P
22:51 <@gmaxwell> makes isolation for security easier.
--- Log closed Mon Mar 18 00:00:30 2013
--- Log opened Mon Mar 18 00:00:30 2013
06:00 < warren> sipa: missing 'obj' directory from your secp256k1 git
06:00 < sipa> mkdir obj
06:01 < warren> I know
06:01 < sipa> ok, thanks, i'll fix it
11:00 <@gmaxwell> sipa: using openssl for the bignums is 21% slower than GMP on your code. Crazy.
11:01 < sipa> gmaxwell: yes; gmp does a modular inversion in <3us; openssl takes 26us
11:01 < sipa> given that the entire verification takes 150us, that is significant...
21:15 < warren> you folks going to the bitcoin conference?
21:28 < jgarzik> da
21:30 < sipa> i'm sure gmaxwell and jgarzik are going
21:35 <@gmaxwell> sipa: I think it would be productive for you to come. Considering some of the stresses lately spending some time in person would probably be helpful.
21:37 < sipa> yeah i'd certainly like to meet gavin and you in person once
21:38 < jgarzik> beer.  There should be beer.
21:39 < sipa> well, jgarzik too of course, but i met him already :)
22:41 < sipa> gmaxwell: i wonder, with the PoW-that-proves-fast-UTXO-access
22:41 < sipa> seems that means you also need the UTXO set to validate PoW
22:41 < sipa> which would mostly kill SPV usage?
22:44 <@gmaxwell> sipa: if you look how I stated the construction I 'solved' that.
22:45 <@gmaxwell> basically you stick an extra H() on top of whatever comes out of the UTXO lookup.
22:45 <@gmaxwell> so that when you send a block you also send the result of H()... so you can do a context free check.
22:45 < sipa> right
22:45 <@gmaxwell> Also, if the lookup is really a UTXO fragment from a committed UTXO structure, you send the fragment.
22:46 <@gmaxwell> e.g. H(header) tells you a path you walk through the utxo tree... and you just send that walk. the hash of the walk is hashed with the header.
22:47 < sipa> i'll have a look at this, at a non-4am point in time
22:54 <@gmaxwell> like any of this NP pow stuff, the searcher is O(N) and the client is O(1).  Now perhaps you could cheat the pow by just picking a few random paths through the utxo that you happen to know then searching through nonces that happen to pick those paths.
22:55 <@gmaxwell> This can be avoided by requiring sufficiently long paths, but that makes the workload high on the validatees.
23:32 < warren> coblee seems confused about the 0.8.1 hardfork reason.  I'm trying to explain it to him.  Let me clarify one detail... If 0.8 didn't exist, 0.7.x is still vulnerable to a certain depth of reorg failure due to the BDB limit?
23:33 < warren> If miners increased the block size limit (which is "legal" under the 0.7.x protocol), and sufficiently large blocks are adjacent to each other, it could cause a reorg failure and fork between clients of the same 0.7.x with BDB limit?
23:35 <@gmaxwell> warren: correct. <0.8 is not self-consistent.
23:35 < warren> gmaxwell: thank you.
23:35 <@gmaxwell> though it's not clear that any amount of lock tuning can completely resolve the issue, at least according to luke's reports today. Though it can probably make it hard enough to trigger to not be a practical issue for bitcoin.
23:36 < warren> what's the new limit?
23:38 < warren> I mean, the May 15th limit
23:38  * warren looks for it...
23:41 <@gmaxwell> warren: there is no limit after may 15th.
23:41 <@gmaxwell> just the regular limits we always thought were there.
23:42 < warren> so technically, all bitcoin clones should hardfork for the same reason, as they are now attackable.
23:43 < warren> Probably not with the existing miners (not enough tx's for them to increase the block size limit), but their hash rate is so low, it wouldn't take much to attack the network with rogue miners.
23:44 <@gmaxwell> the blocksize target in older code was 500k. And technically crafted txn can trigger problems with 500k blocks. These txn would be non-standard in bitcoin, but not all alts have the same rules.
23:44 < warren> 0.6 had a soft limit of 500KB, but that was reduced in 0.7?
23:45 <@gmaxwell> correct, but it was also much harder to hit in 0.6... due to the fee ramping.. though LC's fees are all miscalibrated and have always been.
23:46 < warren> It would be expensive (in fees) to attack using the standard miners, but rogue miners could avoid enforcing the fees.  You just need a surge of enough miners and a temporary partition to destroy the chain consensus.
23:47 < warren> That's pretty hard to pull off.
23:47 <@gmaxwell> a rogue miner would just mine their own txn... and the soft limit wouldn't matter at all.
23:47 < warren> yeah
23:48 < warren> Just thinking how hard it would be to break litecoin now.
23:48 <@gmaxwell> well getting some nodes to accept it and some to choke is the hard part.
23:48 <@gmaxwell> you have to be right at the limit.
23:49 < warren> Is the standard way to partition by DoS attack?
23:49 <@gmaxwell> huh?
23:49 < warren> How you would isolate nodes
23:49 <@gmaxwell> you don't isolate nodes.
23:50 <@gmaxwell> oh I suppose you could use isolation to make the reorg version of the attack happen. but for that, you just do a race. You mine two blocks at the same height and announce at once.
23:51 <@gmaxwell> but I was thinking you'd break it with a _single block_ break.
23:51 < warren> "getting some nodes to accept it and some to choke"  oh... it's a random timing issue.  If some haven't received the main fork deep enough yet to fail the reorg, then they will disagree with the nodes that did fail the reorg.
23:51 < warren> Oh, single block? hmm
23:51 <@gmaxwell> warren: there are two main attack vectors here.
23:51 <@gmaxwell> One is that you mine a single block which is near the limit, the 0.7 limit is fuzzy it depends on the internal state of bdb.
23:51 <@gmaxwell> so you can make a block which some nodes will accept some will reject.
23:52 <@gmaxwell> but getting that right is hard. Too big and almost all reject, too small and almost all accept.
23:52 <@gmaxwell> your goal is 50% of the hashpower on each fork.
23:52 <@gmaxwell> an 'easier' attack targeting wise, is to mine two blocks and simultaneously announce, ... but that's harder mining wise.
23:53 <@gmaxwell> you can also attack newly bootstrapping nodes in a very effective way.
23:53 <@gmaxwell> and that doesn't even need high power mining.
23:53 < warren> just lucky timing
23:54 < warren> gmaxwell: aren't the newly bootstrapping nodes going to just be on their own fork without miners, thus impotent?
23:54 <@gmaxwell> yea, just catch nodes when they're new, feed them the real chain up to some height, then a set of choke blocks... and they will later hear the whole real chain but can't reorg off it.
23:54 <@gmaxwell> warren: _you_ can be their miner. :P
23:54 <@gmaxwell> mining away at minimum difficulty.
23:54 <@gmaxwell> giving them confirmations that are totally bogus.
23:55 < warren> they'll see the pre-fork difficulty though.  It's hard to mine as fast as the entire main network.
23:55 <@gmaxwell> warren: does anything actually display the difficulty in a place a user would notice it?
23:56 < warren> no, but they might notice the confirmations coming slowly
23:56 <@gmaxwell> warren: .. uh. you only have to mine at minimum difficulty.
23:56 <@gmaxwell> because you fork off the network at a point where its still at or near minimum difficulty.
23:57 < warren> ok, that doesn't describe some of the alt chains now.
23:57 <@gmaxwell> I suppose what will actually save them is the "you're on a shorter fork" warning.
23:57 <@gmaxwell> warren: what do you mean "that doesn't describe some of the alt chains now"?
23:57 < warren> "because you fork off the network at a point where its still at or near minimum difficulty."
23:57 <@gmaxwell> ...
23:57 <@gmaxwell> warren: the attacker chooses the point in the network's history that he creates a fork from.
23:58 < warren> OH
23:58 < warren> ok
23:58 <@gmaxwell> he can choose to start his fork at block 1.
23:59 < warren> OK, so by observing main, you the only miner can make them think they are good until you defraud them.
--- Log closed Tue Mar 19 00:00:04 2013
--- Log opened Tue Mar 19 00:00:04 2013
--- Day changed Tue Mar 19 2013
00:00 <@gmaxwell> right. though as noted the wallet software isn't a complete rube, it'll whine when it sees a longer but "invalid" chain.
00:00 <@gmaxwell> so if you can't isolate them too they may be safe. and if you can isolate them you could have skipped the forking fun
00:00 < warren> It seems the other attack is more insidious.  Very difficult to do, but fatal.
00:01 <@gmaxwell> warren: there are a bunch of other attacks altcoins are vulnerable to, some similar but easier to pull off.
00:01 < warren> gmaxwell: moral ... they should hardfork to avoid this particular risk entirely.
00:02 <@gmaxwell> ::shrugs:: maybe. who knows. Why bother if they're not fixing other stuff.
00:02 <@gmaxwell> They should all be really glad there is no effective way to short their currencies.
00:03 <@gmaxwell> - if there was I expect they'd all be dead.
00:03 < warren> There is a way to short LTC now.
00:03 <@gmaxwell> ...
00:03 <@gmaxwell> really?
00:03 < warren> yeah, it isn't well known yet.
00:03  * gmaxwell starts his stopwatch
15:19 < K1773R> https://github.com/runn1ng/namecoin-files <-- some public horrible implementations :P (i made a own one)
15:20 < petertodd> K1773R: ha, did you know that namecoin disabled the IsStandard() test?
15:21 < warren> is it rickrolled?
15:22 < petertodd> warren: a lot worse than that...
15:22 < petertodd> http://explorer.dot-bit.org/b/7f48b8b9c494479c6f7cf980e0458167d4fddb92aeb1e5c468143e51bdd022a4
15:28 < petertodd> gmaxwell, warren: http://gpg.ganneff.de/policy.txt_v1.3 <- interesting example of two PGP keys signing a single document without the multiple PGP block solution we came up with; I wonder what tool made that
15:29 < midnightmagic> I was using namecoin as a datestamper.
15:30 < petertodd> midnightmagic: note how merge-mining automatically links it to the more secure bitcoin blockchain in that case
15:31 < midnightmagic> yes. Uuk's cryptostamper was too difficult to use also.
15:31 < petertodd> Uuk's?
15:32 < sipa> chronobit
15:32 < midnightmagic> Uukgoblin wrote a cryptostamper you could merge-mine on using (i.e.) p2pool's --merged option.
15:32 < midnightmagic> yes, chronobit.
15:32 < petertodd> oh, that piece of shit...
15:32 < midnightmagic> oh now.
15:33 < petertodd> really annoys me to see people bringing up chronobit; perfect example of geeks completely ignoring usability
15:33 < sipa> i never used it; what was bad about it?
15:33 < sipa> ah
15:33 < petertodd> sipa: takes about a thousand times more work than just using bitcoin directly
15:33 < warren> currently your chronobit timestamp granularity is maybe a day, if you're lucky, unless you keep the entire sharechain which nobody does.
15:33 < sipa> yes, but it scales O(1) !!
15:33 < petertodd> sipa: so does Bitcoin given the 1MB blocksize... :P
15:33 < midnightmagic> just difficult to use. I got it self-claiming it was working and it could verify stamps and such, but then i just gave up because even the email-to-usenet pgp stamper from the uk was easier
15:34 < petertodd> warren: p2pool has the same 2 hour logic as bitcoin, so it'll never be better than that
15:35 < petertodd> midnightmagic: yup, bitcoin timestamping is just so easy to understand and verify
15:36 < petertodd> w/ bitcoin utxo timestamping I've been thinking how you could do a really nice - for the user - standard for OpenPGP keys/sigs that was "co-operative": create the timestamp with a UTXO entry, and if you see a sig without a timestamp, create one too for everyone to use.
15:37 < petertodd> what's "lovely" is how bc.i has the API to make it all easy to verify, and you can fall-back to searchrawtransactions, or in the future, UTXO proofs + whatever crap Mike and co are going to implement to make SPV nodes lives easy
15:41 < petertodd> note that for PGP, timestamping doesn't need much granularity - you just want a timestamp that you can use to reason that at the time a signature was created, the corresponding key wasn't compromised/revoked
15:42 < petertodd> true of a heck of a lot of uses actually...
15:50 < gmaxwell> lol hogwash 12:33 < petertodd> sipa: so does Bitcoin given the 1MB blocksize... :P
15:50 < gmaxwell> "It's O(1) so long as no one uses it" is hardly a great argument.
15:50 < petertodd> gmaxwell: No, it's O(1MB) :P
15:51 < petertodd> gmaxwell: In fact, most algorithms are O(the entire universe)...
15:51 < gmaxwell> If you're happy to have some random website store your data so you can search for it... it'll be a lot cheaper to just ask them to store it than try to compete with people for 1MB space, since that site surely can have more disk space than limited blocks. :)
15:52 < petertodd> gmaxwell: Keep in mind, my usual argument is that yes, that's true, but how many uses of data are out there than *can* pay x cents per KB that "cheap" transactions imply?
15:53 < petertodd> Namecoin is an especially ugly example, because a Namecoin on Bitcoin can afford to pay rather large fees for name updates; way in excess of what a cheap transaction is.
15:57 < petertodd> gmaxwell: Oh, have I explained to you yet how I don't think UTXO bloat is a problem?
15:57  * sipa is curious
15:57 < amiller> go on
15:59 < petertodd> It's really simple: create a *TXO* commitment data structure with a merkle mountain range; this is a data structure that has ~O(1) appends, and O(log n) updates. Txouts in this structure are marked unspent or spent.
16:00 < petertodd> The key thing is that you can prove the current state of any txout with a proof of O(log n) size, and you can also use those proofs to update the state securely. This means every tx can now just have proofs of the txouts' existence, and miners can update the txo commitment without actually having the blockchain data.
16:00 < petertodd> Thus your UTXO set is an optimization, rather than a requirement, and in essence storing the UTXO data is pushed to the people who actually own the UTXO's.
16:01 < petertodd> Realistically you'd want to just have nodes store, say, the last 1 year worth of UTXO's or something; essentially expiration, but you can still spend old UTXO's, just at greater cost.
16:02 < amiller> so you need *part* of the UTXO to construct the proof that *your* tx is valid
16:02 < petertodd> amiller: exactly
16:02 < amiller> utxo as a service makes sense to me
16:03 < petertodd> yup, and that service can be distributed easily too - you only need the part of the utxo set/part of blocks relevant to what you want to store
16:05 < amiller> there are some things like
16:05 < amiller> polynomial representations of sets
16:05 < amiller> that are pretty efficient
16:06 < amiller> where if the set contains your element
16:06 < amiller> and you know your element
16:06 < petertodd> you still get the compact fraud proofs that utxo sets get you too in this scheme
16:06 < amiller> you can take any representation of the set
16:06 < amiller> and easily prove that your element is in it
16:06 < petertodd> lol, how do those work?
16:07 < amiller> http://www.cs.berkeley.edu/~dawnsong/papers/set-int-full.pdf
16:08 < amiller> maybe this one http://www.ece.umd.edu/~cpap/published/cpap-rt-nikos-11.pdf
16:10 < amiller> hmm.
16:10 < amiller> basically you have a polynomial in some field
16:11 < amiller> the polynomial looks like f(x) = Product{  a0(x0 - x), a1(x1 - x), ....  aN(xN - x)  }
16:11 < amiller> so that polynomial has roots at x0 and x1 and such
16:11 < amiller> and you represent the polynomial just by its evaluation on a random element in the field s
16:12 < amiller> i dunno maybe that doesn't work
16:12 < sipa> those aN's seem useless
16:12 < petertodd> huh, can't say I understand it
16:12 < gmaxwell> petertodd: how do you prove if your coin is already spent or not in your mountain range thing?
16:13 < petertodd> gmaxwell: you just provide a merkle path from the txout to the TXO commitment - the mountain range gets modified every time a txout is spent and the commitment of the current version of it is included in every block
16:14 < gmaxwell> oh you made inserts cheap, but updates need the longer proof so you can modify it?
16:14 < sipa> so you need to know the mountain range locally, to be able to prove a coin still exist?
16:14 < gmaxwell> (inserts just need the current 'rightmost edge'
16:14 < gmaxwell> )
16:14 < sipa> so transactions can't be valid across block updates?
16:15 < petertodd> gmaxwell: yeah, *appends* are essentially O(1), and updates need to update the log n hashes from the txout to the tip
16:15 < petertodd> sipa: what do you mean?
16:15 < sipa> say i want to spend a coin
16:15 < gmaxwell> like you write a txn containing an update proof, and the txn next to it in the set is updated.. now your proof is no good.
16:15 < petertodd> sipa: oh, right, they can still be valid though, because nodes in between have enough block data to rewrite the parts that are changed
16:15 < sipa> right
16:16 < gmaxwell> Iff they do, right?
16:16 < petertodd> Like, if I have a full copy of the blockchain data, and so do you, for me to prove some tx is valid, I don't need to give you any proof at all. If you're missing part, I may need to give you some proof, and that proof may change on the next block. (but only part of the proof will change)
16:16 < petertodd> gmaxwell: yeah, I wouldn't have people *sign* the proofs that a tx is valid for instance
16:17 < gmaxwell> might couple well with OWAS fees, since relaying nodes would be paid for keeping a txn valid.
16:17 < amiller> you might be able to structure the utxo so that an old proof is likely to stay valid
16:18 < amiller> like you can pay to put your coin in the VIP section that isn't updated so often
16:18 < petertodd> gmaxwell: Yup, or for finding the up-to-date proof that a tx is valid.
16:18 < gmaxwell> well if the proof has the right structure, then the composition rule stuff we talked about would apply.
16:18 < petertodd> amiller: Yeah, I was thinking about that, but proving compactly that a given txo is in the "vip section" gets tricky and ugly fast. :(
16:18 < petertodd> gmaxwell: composition rule?
16:18 < gmaxwell> e.g.	if you have proof A and see a block that would invalidate it then you would also know enough to fix the proof.
16:19 < petertodd> gmaxwell: oh right, yeah that's easy to implement
16:19 < gmaxwell> petertodd: e.g. if you have a proof of   A->B and A->C  you can form A->{B,C}
16:19 < petertodd> gmaxwell: better yet, you can parallelize all this stuff too
16:19 < gmaxwell> well, parallel has fungibility problems, no?
16:20 < gmaxwell> e.g. if you have coins in streams, spending cross streams would be more costly.
16:20 < petertodd> gmaxwell: no, by parallelize I just mean how if you have n txs, the actual updates to the data structure can be done in parallel on your local computer
16:20 < gmaxwell> oh oh okay I thought you were saying you could have N mountain ranges.
privacy worse (for non-static uses)
14:46 < adam3us> maaku_: nice write up
14:47 < adam3us> maaku_: i guess also that interpreter escape would be calamitous if that is not impled!
14:50 < maaku_> adam3us: good, i'll add that
14:58 < jtimon> maaku_ reading now
15:10 < jtimon> maaku_ looks great, nothing comes to mind to add
15:16 < jtimon> very good idea to approach those communities
15:17 < jtimon> I guess petertodd still prefers forth and gmaxwell and sipa still prefer the AST
15:19 < jtimon> but it will be interesting to see what those forums think, where are you sending that maaku_?
15:19 < maaku_> the concatenative yahoo group
15:19 < maaku_> also #concatenative
15:19 < jtimon> ughh, yahoo groups...
15:20 < maaku_> [13:59:44] <gmaxwell> adam3us: really? I think forth is basically ideal.
15:20 < maaku_> I think sipa is the only one interested in a more imperative AST
15:21 < sipa> imperative?
15:21 < sipa> if anything i prefer it is not imperative...
15:21 < jtimon> now they want my phone number...
15:22 < maaku_> jtimon: just sign up for the mailing list, no yahoo account required
15:22 < maaku_> jtimon: i'm not a fan of programming in concatenative languages... yuck, honestly. but this is the textbook case for where they excel
15:24 < maaku_> sipa: very poor choice of words on my part
15:25 < maaku_> but is there any advantage to the system you advocated before over a concatenative, point-free language?
15:26 < maaku_> i tried to think of an example the last time we talked, but couldn't
15:26 < sipa> it's a bit vague to me what that means
15:26 < sipa> i'll look up joy
15:28 < jtimon> ASTs are used in a phase of compilation I think, so sipa's point is I think for maybe having different compilers to the AST (also being a tree, easily merklizable)
15:29 < sipa> it may be possible to convert joy to an AST of the type i suggested
15:29 < maaku_> well it's loose terminology so i'm not sure what exactly is meant
15:29 < jtimon> and everybody uses the same AST, well, I'm just speculating about his reasoning
15:30 < maaku_> Forth-like languages such as Joy have an AST as well
15:30 < sipa> anyway, i like the idea of these types of script to essentially be an expression
15:30 < jtimon> yes, compile joy to an ast should be possible, maybe you can ask that too "should we use joy or the AST compiled from joy?"
15:30 < sipa> it has a natural merkleization
15:31 < sipa> is trivial to analyse wrt to execution time
15:31 < maaku_> sipa: http://evincarofautumn.blogspot.com/2012/02/why-concatenative-programming-matters.html
15:31 < maaku_> and http://www.kevinalbrecht.com/code/joy-mirror/j01tut.html
15:31 < maaku_> probably the best introductions
15:32 < jtimon> maybe we can even write the scripts in python and compile them to ast, I'm sure the pypy guys have something to build from
15:32 < maaku_> with a Merklized Joy, you'd consider quotations to be a branch of the AST
15:32 < maaku_> so, for example, an if statement is: pred [true-branch] [false-branch] if
15:32 < sipa> what advantage does joy/... have?
15:33 < maaku_> you can separately merklize the true and false branches
15:33 < jtimon> sipa I think maaku_'s point is that dealing with the AST directly is ugly and joy is a functional lisp-like lang
15:33 < maaku_> sipa: implementation and type analysis is very simple (unless you f' up the language design)
15:34 < sipa> i don't understand what's ugly about it
15:34 < sipa> it's just an expression
15:34 < jtimon> oh, and then the strong typing thing, but that's cat, no?
15:34 < sipa> it's pretty much the most natural way of writing *simple* conditions i can think of
15:36 < sipa> but maybe we need to actually try to write some actual things in these sorts of languages first
15:38 < sipa> i guess my usage of the word 'AST' is also a bit confusing, as that's just a compiler step
15:39 < maaku_> sipa: you won't find an argument about concatenative languages being better than lambda abstraction or vice versa, because they are equivalent
15:39 < sipa> i'm *certainly* not planning to introduce lambdas
15:40 < sipa> i'm a big fan of higher-order strongly-typed functional languages, but lambda's would make implementation significantly more difficult, and analysis even more so
15:40 < maaku_> but as an intermediate language, stack based concatenative languages are trivially simple to implement in an imperative or JIT interpreter (close to the machine), and do so safely
15:40 < sipa> evaluating an expression tree is surely even simpler
15:40 < maaku_> sipa: a concatenative language like Joy has the power of lambda abstraction without those added complexities
15:41 < sipa> maybe i should just write a toy implementation...
15:44 < sipa> maaku_: heh, i guess i didn't realize this before
15:44 < sipa> i presume joy is turing complete?
15:45 < sipa> with some recursion primitives, i'm sure it is
15:45 < maaku_> yes
15:46 < sipa> right, i'm not aiming for that
15:47 < sipa> if you need that, a concatenative approach is probably easier to implement than having higher-order functions and lambdas in an expression language
15:47 < sipa> but i'm unconvinced about the need for that
15:49 < maaku_> well need is a word that carries baggage
15:50 < maaku_> i was recently convinced of the utility of turing complete scripting, which is to say i understand the desire for it and it is worth experimenting with
15:50 < sipa> right, sure
15:50 < maaku_> but "need" encompasses so many tradeoffs I'm not comfortable making yet :)
15:50 < sipa> i'm just talking about a bitcoin script 2
15:50 < sipa> not about anything more ambitious than that
15:53 < andytoshi> maaku_: nice links. i just clued in that 'postfix' the language is named for 'postfix' the notation :P
15:59 < jtimon> I thought joy didn't have recursion because it didn't need it
16:00 < sipa> well, the wikipedia article on it has an example with a 'binrec' primitive
16:01 < jtimon> this sentence is very confusing to me "Combinators in Joy behave much like functionals or higher order functions in other languages, they minimise the need for recursive and non-recursive definitions."
16:02 < jtimon> I'll keep reading the links, hopefully I'll have a clearer idea after that
16:02 < maaku_> jtimon: it doesn't have recursion in the traditional sense, but it has the equivalent of an 'eval' opcode
16:02 < maaku_> and since code is data, that's enough to build whatever you need
16:03 < maaku_> combinators (like binrec) are just a variety of built-in variants of this idea
16:04 < jtimon> I don't really have a strong opinion on joy vs ast really
16:06 < sipa> i *really* dislike code==data
16:06 < jtimon> maybe allowing everyone to build their own python, lisp, js, C or whatever to AST compiler and letting the AST interpreter itself be the "consensus sensible"  part is a better solution
16:06 < sipa> it makes analysis horrible
16:07 < killerstorm> are you discussing new awesome cryptocurrency?
16:07 < jtimon> yeah, I would definitely ask the concatenative guys what they think about using an AST directly and then compile from other language
16:08 < jtimon> killerstorm: new awesome scripting language that among other things, could be used for native colored coins
16:08 < sipa> that requires an OP_EVAL like structure :S
16:09 < sipa> which means you cannot possibly analyse without executing...
16:09 < killerstorm> native colored coins can be implemented using OP_CHECKCOLORVERIFY (https://bitcointalk.org/index.php?topic=253385.0)
16:09 < killerstorm> I mean the basic kind.
16:09 < jtimon> although some people don't like the idea of covenants in the hostcoin
16:09 < jtimon> killerstorm, yes, but that's 1 op = 1 use case
16:10 < jtimon> this, being more generic, would allow many other things
16:11 < jtimon> within freimarkets for example it would allow you to always be able to buy your p2p interest-bearing debt back
16:11 < killerstorm> I'm afraid that implementing anything non-trivial via scripts will result in a huge bloat
16:11 < jtimon> http://0bin.net/paste/kMkgAK+zO2+mTK0E#Lua4/1g5fGVyv44fpRkftnd37RetgnrDrItXAp9FyvA=
16:11 < jtimon> I still think tagged CCs are better
16:12 < maaku_> [13:06:14] <sipa> it makes analysis horrible
16:12 < maaku_> not with a strong type system
16:12 < maaku_> killerstorm: yeah sortof, a scripting extension/replacement that will probably make it into freimarkets
16:12 < jtimon> I don't even think interest/demurrage bearing assets are possible with them
16:12  * andytoshi waits as "rustcoin" stops being funny and starts being considered..
16:12 < jtimon> /with/without
16:13 < amiller> wtf is the point of opcheckcolorverify? the color checking operation is massive/exponential/bad
16:13 < sipa> maaku_: well, then code isn't data :)
16:14 < sipa> maaku_: as the type system can determine in advance what is executable
16:14 < maaku_> sipa: not sure i follow
16:14 < killerstorm> amiller: The idea is to add color tags to utxo db. then it is trivial.
16:14 < sipa> maybe you mean something else by code==data than i do... for me it means i can construct a random string/sequence operations/whatever using code, and then execute it
16:15 < maaku_> jtimon: the "common AST" *is* a concatenative language. there's a reason the JVM and .NET intermediate languages are concatenative...
16:15 < maaku_> everything compiles down to that
16:15 < sipa> JVM bytecode language is certainly not an AST
16:15 < amiller> killerstorm, a lot of effort goes into keeping the utxo as small as possible, how do you quantify what change that incurs?
16:15 < maaku_> yes, it's a stack-based language
16:15 < sipa> it's an imperative stack-based language, afaik
16:15 < maaku_> exactly
16:16 < sipa> i need to stop using the word AST, as it's much wider than what i mean
16:16 < jtimon> amiller the point is making CCs SPV-friendly
16:17 < maaku_> killerstorm: the scripts are in the scriptSigs, so they're immediately pruned
04:30 < warren> http://www.asrock.com/news/index.asp?cat=News&ID=1765  <---- Wow.  Only a little late.
04:33 < gmaxwell> lol
04:33 < gmaxwell> Enterprise speed
04:49 < Luke-Jr> and they didn't even cut the x1 slots so you could put GPUs directly in
04:49 < Luke-Jr> FAIL
04:51 < gmaxwell> maybe it was a product intended for some other purpose... :P
04:55 < warren> Luke-Jr: if you have GPU's that close together they overheat anyway
04:55 < Luke-Jr> warren: I suppose
04:55 < Luke-Jr> gmaxwell: maybe they want BFL to offer them $ for a partnership :p
04:57 < gmaxwell> Luke-Jr: I have to admit I'm happy to see someone doing a gpu formfactor miner.
04:57 < warren> that pcie monarch card will actually use pcie for communication?
04:57 < Luke-Jr> warren: barely :/
04:57 < gmaxwell> pretty easy to stick a usb controller on pcie. :P
04:57 < Luke-Jr> gmaxwell: I wish
04:57 < gmaxwell> oh is it some horrific bitbang interface?
04:58 < Luke-Jr> if only
04:58 < Luke-Jr> think the current USB protocol, using PCI-e memory
04:58 < Luke-Jr> if they have time, there might be an interrupt for nonce found
04:59 < warren> better nonce handling latency than serial?
04:59 < Luke-Jr> I suppose.
05:00 < gmaxwell> warren: with what luke is saying your latency advantages there will probably get lost by the protocol desyncing and other nonsense.
05:00 < warren> not to mention it being delivered maybe in 2015
05:01 < Luke-Jr> nah, I expect them to be within a month this time around
05:01 < Luke-Jr> certainly won't be a bigger screwup than SC
05:01 < gmaxwell> warren: I suspect the chips are coming from another supplier. :P
05:29 < adam3us> i guess you'd need watercooling gpu mods and not sure if you can get a case to hold 6x double height cards so then you're building a franken-miner
05:33 < gmaxwell> adam3us: I ran lots of systems like that ... case? lol. yea no, the only way to work with 6gpus on a board is either with special engineered high speed fans or to spread the things out.
05:33 < gmaxwell> e.g. http://www.bitcoinminingrigs.com/wp-content/uploads/2013/09/200-amp-3-phase-480-...-165kW.jpg
05:34 < gmaxwell> or less ambitious: http://i.imgur.com/tb124Nm.jpg
05:41  * gmaxwell is so glad to be rid of gpus
05:41  * gmaxwell hopes to never use a gpu again
05:44 < warren> direct neural port
05:46 < gmaxwell> vt100 forever!
05:59 < sipa> the information revolution will be fought on the command line
06:08 < warren> it looks like scrypt FPGA's are ramping up
06:08 < warren> hashrate is higher than ever, and litecoin was too cheap to warrant buying new GPU's for the past few months
06:31 < HM2> scrypt FPGAs....
06:31 < HM2> wasn't scrypt designed with killing FPGA and ASICs in mind?
06:31 < midnightmagic> litecoin screwed up when they chose the scrypt parameters.
06:32 < HM2> Don't they have an equivalent difficulty?
06:32 < midnightmagic> What do you mean?
06:32 < HM2> or did they just use bitmasking of the output like Bitcoin
06:32 < HM2> The difficulty should be the scrypto params, right?
06:32 < HM2> *scrypt
06:33 < gmaxwell> HM2: no because that would screw up the verifying costs
06:34 < gmaxwell> (and it's already screwed up)
06:34 < HM2> hmm
06:34 < warren> the FPGA's so far are only like 2-5x more power efficient at an incredibly high cost
06:34 < HM2> then how do they apply difficulty? if your params are fixed and difficulty just depends on a partial hash collision on the output, you haven't really addressed the issue of improving hardware
06:35 < warren> someone just approached me saying they'll pay for my attendance of the Vegas Dec 10th conference
06:35 < warren> "what's the catch?"
06:35 < warren> no response.
06:35 < gmaxwell> HM2: you're laboring under the impression that it was well thought out. It wasn't.
06:35 < HM2> warren, ask for gambling expenses
06:36 < gmaxwell> HM2: it was a "yippie! gpu proof!"
06:36 < warren> We still haven't revealed Litecoin's secret sponsor.
06:36 < warren> AMD!
06:36 < HM2> not ARM?
06:36 < petertodd> warren: lol
06:36 < HM2> We all want mining on the smartphone. Sponsored by Sanyo batteries
07:38 < adam3us> warren: you know bitshares momentum hash had the interesting design objectives: memory hard to mine, but no memory (2 or 3 hashes) to verify
07:38 < adam3us> warren: unfortunately its harder than they thought, and their attempt is triply broken
07:39 < adam3us> warren: but maybe they knew that and built a well optimized tuned custom box to exploit the heck out of it
07:39 < gmaxwell> nah
07:39 < petertodd> they aren't that smart...
07:39 < gmaxwell> right
07:39 < gmaxwell> I'm sure they are smart in their own ways.
07:40 < petertodd> ...or if they are, they are also good actors
07:40 < adam3us> gmaxwell, petertodd: yeah bytemaster seemed to take some convincing, but i believe paid out the $5k bounty for the first two defects
07:41 < adam3us> gmaxwell, petertodd: well they also did the classic gross miscalc of impact of slow difficulty adjust and mined 6 months planned in 7 days followed by emergency hard fork
07:42  * adam3us chortles
07:42 < petertodd> damn
07:42 < gmaxwell> adam3us: I assume they made the mistake of making their diff update continuous and then scaling back the safety non-linearly to some tiny value so they were always in the non-linear region?
07:43 < adam3us> gmaxwell: i didn't do the calc myself (7 days to 6 months) but a guy who rented a ton of vsps did and seems sharp, i think they just didn't adjust for the 2 week normal params
07:43 < adam3us> gmaxwell: and it was a natural effect of their initial param being too easy
07:44 < gmaxwell> adam3us: huh, the way bitcoin works is that the adjustment is triggered on blocks not time precisely for that reason. :)
07:44 < gmaxwell> I guess they must have broken that.
07:44 < adam3us> gmaxwell: i didn't quite get the hard fork, same guy was telling me they put a manual 32x difficulty increase automatically at the adjust or something instead of 4x
07:45 < adam3us> gmaxwell: i think the target was made 4x less easy on an accelerated schedule, but it wasn't enough given the massive mining race, so they changed it to 32x, and i guess they had 5min target blocks, but they were going at 15sec or something real
07:45 < gmaxwell> adam3us: bitcoin clamps the difficulty adjustment to 4x / 0.25x at retarget, prevents stranding, and still leaves you with quartic convergence. .. and its far enough off nominal you shouldn't ever really get weird incentives from the non-linearity.
07:46 < adam3us> gmaxwell: i expect that is what they adjusted from 4x to 32x in their patch, their curve was almost vertical
07:46 < adam3us> gmaxwell: so even though the adjustment happened the limit applied and prevented enough adjustment, moving their intentionally short (1yr?) schedule forward by 6mo
07:48 < adam3us> maybe they accidentally effectively increased the number of blocks per adjust interval in the code, not sure.
07:49 < adam3us> i wasn't enough interested to try figure it out, but it was nevertheless hilarious to spectate.  i mined a few hrs on my 4.8ghz watercooled 3930k 6 core and gave the coins to the guy who asked me to look at it :)
09:30 < adam3us> Fistful_of_LTC: did patching semiOrderedMap.cpp give you an n^2 momentum speed boost? curious how the constants work out
09:32 < Fistful_of_LTC> adam3us: i haven't figured out how
09:33 < Fistful_of_LTC> i'm actually using another client, https://github.com/Tydus/jhProtominer/blob/master/src/jhProtominer/protosharesMiner.cpp
09:33 < adam3us> Fistful_of_LTC: is it faster than ptsminer?
09:33 < Fistful_of_LTC> yes, a few times faster
09:34 < Fistful_of_LTC> what change do i need to make to patch ptsminer/this one?
09:39 < adam3us> Fistful_of_LTC: so it looks like this one lets u use up to 4GB ram.. how much do you have?
09:40 < adam3us> Fistful_of_LTC: he has the same code repeated like 5 times with the constants changed for 256,512,1024,2048,4096 (MB)
09:40 < adam3us> Fistful_of_LTC: I think cut & paste one more time, change it again in the same way as from 2048 to 4096,
09:40 < Fistful_of_LTC> 64 gb
09:41 < Fistful_of_LTC> you think there will be an even greater improvement?
09:43 < adam3us> Fistful_of_LTC: it depends on how long it takes to fill the ram, if its less than the block time interval, then yes, 2x ram should be > 2x faster
09:44 < adam3us> Fistful_of_LTC: the only thing that seems to change is #define COLLISION_TABLE_BITS	    (29)
09:48 < adam3us> Fistful_of_LTC: so just change it to 32, i think that should give you 16GB
09:51 < Fistful_of_LTC> i tried that it wouldnt compile, i'm going to try it again
10:07 < adam3us> #define COLLISION_TABLE_BITS	 (32)
10:07 < adam3us> #define COLLISION_TABLE_SIZE	 ((uint64)1<<COLLISION_TABLE_BITS)
10:08 < adam3us> Fistful_of_LTC: you are running -m4096 right? is that the fastest choice (vs -m2048 or -m1024)?
10:10 < Fistful_of_LTC> the fastest choice seems to be 512 mb actually, but i just noticed i'd been running an old version
10:11 < adam3us> Fistful_of_LTC: all cores busy?
10:13 < adam3us> Fistful_of_LTC: (if thats the case this wont work, my edit was to create -m16384)
10:14 < Fistful_of_LTC> you have it somewhere i can dl/test it?
10:15 < Fistful_of_LTC> i just have to wait for the pool to come back up
10:19 < adam3us> Fistful_of_LTC: 1sec...
11:22 < adam3us> btw an amusing zerocoin thought experiment: bitcoin already has one-use addresses (if you use them as intended).  zerocoins have fixed denomination (take your pick.. 1btc, 0.001 btc someone has to decide)
11:23 < adam3us> if bitcoin users used 1 coin denomination (say 0.001 btc) with strict one address it would have close to the same privacy guarantees as zerocoin, because you would never send yourself change
11:28 < gmaxwell> yep.
11:29 < gmaxwell> really if used in the right manner the gap between an actually anonymous system and bitcoin is not _that_ large.
05:17 < gmaxwell> Mike_B: right, and we can't prove otherwise, though structurally it seems really really unlikely (esp for bitcoin where we do have >256 bits of input to the process)
05:19 < gmaxwell> (random aside: I read a neat paper a while back where they show how to use error correcting codes to efficiently solve hamming distance threshold partial collision problems by searching for partial preimage collisions on a coded version of the output.)
05:20 < Mike_B> what do you mean by partial collision problems here?
05:20 < Mike_B> like two strings whose hamming distance is less than some threshold?
05:20 < gmaxwell> Mike_B: yes.
05:21 < Mike_B> hmm, interesting
05:22 < gmaxwell> (http://eprint.iacr.org/2012/731.pdf)
05:25 < Mike_B> very neat
05:25 < Mike_B> another paper for me to wade through :)
05:26 < Mike_B> there's also this i found, which relates to the question i was asking earlier
05:26 < Mike_B> http://www.hashcash.org/papers/bread-pudding.pdf
05:26 < Mike_B> so i assume adam already knows about it :)
05:26 < Mike_B> seems to classify proofs of work
05:50 < TD> good morning
07:41 < azariah4_> reading the WP article about commitment schemes, I was surprised to not see hashing as an example
07:42 < azariah4_> e.g. if alice creates hash = SHA-256(foo_msg) and gives it to bob, she has committed to foo_msg without revealing it, and can later reveal it for checking
07:43 < gmaxwell> azariah4_: it may be because cryptographic protocols which are 'merely' secure in the random oracle model are somewhat out of fashion with academic cryptographers.
07:46 < azariah4_> ah yeah, to get perfect binding in a commitment scheme using a hash requires that the hash is a perfect hash function
07:46 < azariah4_> well, the article does mention signature schemes
07:47 < azariah4_> No real function can implement a true random oracle.[citation needed]
07:47 < azariah4_> WP <3
07:48 < gmaxwell> The other aspect of that is a lot of fancy things are built effectively out of commitment schemes that have extra properties like certain kinds of homomorphism or proofs... so non-symmetric commitment schemes are generally more interesting because they do have these properties.
07:50 < azariah4_> ah
07:50 < gmaxwell> I'm not a big fan of loss of love for the random oracle model, much of that is driven by a set of papers that show you can have a protocol which is secure in the random oracle model but not secure in practice... and in fact cannot be secure with _any_ real hash function in place of the random oracle.  Anything (so far) know to do this is totally contrived, but it's created an excuse to avoid proofs based on reduction to random oracle.
07:51 < gmaxwell> s/know/known/
07:51 < azariah4_> aha, interesting
07:52 < azariah4_> going through some ZKPs examples which uses commitment schemes
07:53 < gmaxwell> ...personally I'd usually take a well studied hash function and a proven secure in the random oracle model protocol over something depending on gap-dh.
07:54 < gmaxwell> azariah4_: yea, some of the most powerful ZKP stuff is basically a special kind of homomorphic hashing where you can hash encrypted 'wire' values in a circuit and still apply the tests that the circuit is satisfied. ... and then hash this validation itself and so on.
08:22 < TD> gmaxwell: what kind of schemes are secure in ROM but not when instantiated with a real hash function?
08:39 < gmaxwell> TD: there are a couple layers to it they start with a contrived scheme where you take a regular secure signature scheme and then wrap it
08:40 < gmaxwell> with a if (message,oracle(message)) in table then return secret key.
08:40 < gmaxwell> and then modify the verifier to also accept for that message.
08:42 < gmaxwell> and then go on to describe how to fill out the table in a way which it is computationally intractable if you use a real random oracle but possible for any real hash function.
08:42 < gmaxwell> (I don't actually recall what they do there)
08:43 < TD> ok
09:50 < azariah4_> just found the libzerocoin docs on github, awesome stuff
09:51 < azariah4_> helps understand the protocol since its from a integration point of view rather than the pure crypto/math description
09:52 < azariah4_> this in particular is quite interesting: https://github.com/Zerocoin/libzerocoin/wiki/Generating-Zerocoin-parameters
09:53 < azariah4_> so the initialization of a zerocoin instance depends on a single trusted entity
09:54 < gmaxwell> yep.
09:54 < gmaxwell> and that entity has inflation power, at least up to the total amount ever put into the accumulator (assuming the system is engineered to track that)
09:58 < azariah4_> it mentions distributed multiparty generation of the modulues however
09:59 < azariah4_> and another paper linked for that, crap
09:59 < azariah4_> feels like im going down the rabbit hole with this, too many papers bookmarked already :P
10:00 < gmaxwell> azariah4_: yes, though the state of practical multiparty computation is sad (non-implemented, slow (quadratic communication usually), half of it is secure against only lame threat models), but ignoring that: you're still left with some cabal of parties to perform that act... tricky to not have people constantly fudding the cabal.
10:00 < azariah4_> yes indeed
10:00 < gmaxwell> e.g. you have 3 people do MPC to produce the value...  and okay, so it's two of three who people fearmonger about. :)
10:01 < azariah4_> I imagine there has been some thought about multiple instances of zerocoin to reduce the risk given a single generation of N per instance is used
10:01 < azariah4_> however anonymity is reduced if e.g. my txs are in a zerocoin instance with only 10 other people
10:02 < gmaxwell> maybe with enough resources and effort you could do a really big MPC scheme where some parties seal computers in bunkers and blow them up after the fact.. :) sort of an open question over what would be enough.
10:02 < gmaxwell> A somewhat frequent bit of FUD bitcoin gets is confused people claiming that satoshi has a master key that gets him unlimited bitcoin or the like. Fortunately these are easily shut down because you can show it impossible.
10:03 < gmaxwell> In such a scheme it's not possible to show that its impossible for a cryptographic backdoor to exist.
10:04 < azariah4_> exactly
10:07 < azariah4_> would it be insane to instead of generating 2 safe primes that multiplied gives N, generate a larger set of safe primes and multiply all together?
10:11 < azariah4_> ah, integer factorization is hardest when the integer N is semiprime
10:17 < sipa> i wonder, could you create a script system that allows outputs which 1) prevent spending before X confirmations, and 2) are able to observe the block hash of block X further
10:18 < CodeShark> you mean able to reference external state?
10:19 < sipa> well it's state that will exist at the time you're going to spend the output
10:19 < sipa> nothing external to it
10:19 < gmaxwell> sipa: I think you can, just have a PUSH_<thing that would have been in the future> opcode.
10:19 < gmaxwell> e.g. push it by reference.
10:20 < gmaxwell> But what would you accomplish with this? oh to prove another transaction was in the chain?
10:20 < sipa> it would allow some betting schemes that aren't vulnerable to "mining the transaction hash", and without secret state for the operator
10:21 < CodeShark> by "external" I meant outside just the input script and output script
10:21 < sipa> not sure that's something to encourage, or whether there aren't any better ways
10:22 < sipa> but you could have a script that uses H(txid + H(block_N_in_the_future)) < some_value
10:26 < CodeShark> what do you mean "mining the transaction hash"?
10:26 < CodeShark> sha256 collisions?
10:26 < gmaxwell> CodeShark: basically you use the hardness of mining a block to boost the security of a random selection scheme.
10:27 < gmaxwell> e.g. output can be spent by A only if the next block hash &1==0 otherwise spendable by B.
10:27 < CodeShark> ah
10:27 < gmaxwell> sipa: on this general subject I'd like there to be a way to do a probabilistic micropayment that doesn't produce any transactions when the payment fails.. which I suspect needs a similar kind of change.
10:35 < gmaxwell> (e.g. a signature which is only valid if the next, yet unknown block's hash passes a test.)
10:38 < sipa> next, or 100th following even
10:38 < sipa> if you want to prevent people mining blocks specifically to revert it
10:39 < gmaxwell> well for low value transactions you basically trust that throwing out $subsidy+$typical_fees is much worse than losing the micropayment.
10:39 < sipa> right, sure
10:42 < gmaxwell> sipa: where is your simulation of your charts with constant hashrate?
12:07 < petertodd> jtimon: in a txin commitments system you probably have to pay tx fees with pow rather than fees per-se, though I think it'd be better if mining was forced to be more decentralized in that fashion.
12:08 < petertodd> maaku: it's not a spent-txin set, it's just a txin set - a txin implies a spend. :) seriously though, the advantage is reducing the data the blockchain actually handles - in that system the blockchain doesn't even have full transactions, hence less privacy risks and potentially better scalability
12:23 < jtimon> thanks petertodd, pow anti-spam ala hashcash is what I had thought
12:25 < jtimon> related to maaku's question, can you have SPV nodes with this scheme?
12:25 < petertodd> yup, granted, I'd *like* there to be a way for users to pay hashers to do the pow for them, but that can be a separate mechanism and can change
12:25 < petertodd> *NO*
12:25 < jtimon> yeah, outsourcing the pow would be interesting
12:26 < petertodd> remember that the whole point of SPV is you let someone else do verification for you on the principle that they're probably going to do it because of the incentives with mining
06:18 < TD> gmaxwell: it just needs a few bug fixes and packaging work basically, and then it's ready to go. the first step towards StorJ!
06:19  * TD is quite excited to see if it really happens
06:19 < TD> adam3us saw it at the amsterdam conference
06:20 < adam3us> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02944.html
06:21 < adam3us> err who is TD? (mike demoed me payfile at ams) is TD mike?
06:21 < TD> yes
06:21 < adam3us> doh ok , hello
06:21 < TD> hi :)
06:21 < TD> one day i should really abandon this nick. but i had it so long ...
06:22 < gmaxwell> TD is secretly TD bank.
06:22 < adam3us> TD: no prob, still catching up on associating bitcointtalk, real name & irc nicks
06:22 < gmaxwell> adam3us: looks like luke hasn't updated the next stuff since july.
06:23 < gmaxwell> adam3us: I decided to make that easy (nick / name matching) a decade ago.
06:23 < warren> hm, I wonder if that guy who wanted to buy my IRC nick for 100 BTC still wants it.
06:24 < adam3us> gmaxwell, warren: yes but my point with staging is to do a bitcoin next/bitcoin omg but with a one-way peg to insulate bitcoin core from bitcoin next and have real value in it AND associate it with bitcoin itself, foundation etc, not with an altcoin
06:24 < gmaxwell> Every once in a while I still run into someone who goes "holy crap! you're nullc!" (which was my irc nick since ~1993)
06:24 < adam3us> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02944.html
06:24 < TD> the nick "mike" was only registered in 2011 and has only been used once. goddamnit.
06:24 < adam3us> gmaxwell: yes i figured out nullc was you from reddit or something
06:25 < gmaxwell> adam3us: I'm not sure you can do live development in something with value. initial testnet was a disaster even as a testnet, not something for rules experimentation.
06:25 < adam3us> warren: staging, staging, staging
06:25 < warren> adam3us: I found it much easier to fix a critically broken altcoin than to win any political battle here.
06:26 < adam3us> gmaxwell: staging is not testnet, it wouldbe like litecoin level of care
06:26 < adam3us> gmaxwell: but one-way pegged to bitcoin
06:26 < gmaxwell> And anything with value is a competition with bitcoin. I really can't express how demoralizing it is to be competing with your own work. Even if you try to set it up so it won't be that way, e.g. premine out the altcoin thing, some altcoin will just copy the code and exploit it.
06:26 < adam3us> gmaxwell: so for mindshare and other purposes the coins are bitcoin, its partly an anti-mindshare dilution argument
06:27 < gmaxwell> adam3us: ah, with some cross chain transfer?
06:27 < adam3us> gmaxwell: i think y'all didn't read it, or follow
06:27 < adam3us> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02944.html
06:27 < gmaxwell> adam3us: I stopped reading those threads because the initial ideas proposed were not very interesting to me, sorry. If you're telling me again its interesting I'll read it.
06:27 < adam3us> gmaxwell: the staging idea is bitcoin staging (need better name) has no native mining, the only way to get coins in is to move them from bitcoin
06:27 < gmaxwell> adam3us: yea great, and when an altcoin copies the code and removes that limitation?
06:28 < adam3us> gmaxwell: and then there is 2-way trade in the reverse direction
06:28 < gmaxwell> Certainly I like the idea that the market can decide to support the new thing by choosing to use it rather than having a speculative feature forced on it via hardforks.
06:28 < adam3us> gmaxwell: altcoins can float or not on their own, you cant prevent it with opensource; but bitcoin staging can capture the early adopter and feature hungry people like mastercoin, colorcoin, warren (bitcoin omg), lukejr (bitcoin next)
06:29 < warren> how does the staging coin confirm things?
06:29 < adam3us> gmaxwell: which undermines most of the altcoin impetus and mastercoin arguments about faster dev
06:29 < adam3us> warren: side-chain
06:29 < warren> so you mean no subsidy, not no native mining
06:30 < adam3us> warren: right
06:30 < gmaxwell> adam3us: altcoin people aren't asking for new features and almost never have any, except for highly trivial changes. They're asking for a get rich scheme.
06:31 < gmaxwell> I don't think you can offer that while making the currency bitcoin. :)
06:31 < adam3us> warren: i wanted to see a way to overcome the must be careful not to damage core value, and see still conservative but faster feature dev, without that being under an altcoin with its own floating value
06:31 < adam3us> gmaxwell: yes; but mastercoin was able to use it as one argument to justify their existence
06:32 < warren> adam3us: there are more complicated issues preventing that aside from the lack of funding
06:32 < gmaxwell> True, fair enough. At least it could prevent that, which might have redirected some of the funding.
06:32 < warren> adam3us: for example, political will is a limited commodity too.  It's demoralizing to work on things that you know will be shot down by <whoever>.
06:32 < adam3us> gmaxwell: i mostly mean like the argument warren gives that litecoin can provide new features faster
06:33 < TD> like what things?
06:33 < gmaxwell> I really wish I had some way to estimate how many people actually understand the concept of decentralized cryptocurrency, e.g. where a hypothetical paypal-bucks and bitcoin are distinct in their minds.
06:33 < adam3us> gmaxwell, warren: so i think its more interesting to capture the new features under the bitcoin foundation umbrella as bitcoin staging than have those features motivate or drive adoption of an altcoin
06:34 < adam3us> TD: features? eg like armory's request to have the signature include the value, so he doesn't have to transfer 1MB to validate a tx
06:35 < warren> adam3us: you're missing the fractured camps of different groups out there upset with the bitcoin foundation for different reasons, ranging from the anarcho-capitalist crazies to sane technical people.
06:35 < gmaxwell> It might actually turn out that there really are only a few thousand people that are really very of the underlying ideas, which would explain some of the lack of progress.
06:35 < warren> adam3us: Bitcoin Foundation does not control Bitcoin
06:35 < gmaxwell> It's going to control Bitcoin. The general public already believes it does.
06:36 < TD> adam3us: i meant what stuff was warren seeing being shot down
06:36 < gmaxwell> And most of them believe it always did, because the idea of something not being produced by an institution is too foreign to contemplate in any case, so they're not upset about it as a landgrab.
06:36 < adam3us> warren:  my point was the mind share for new features should stay with bitcoin (less worried about foundation arguments)
06:36 < warren> TD: I sometimes rather give up on pushing things that would protect Bitcoin, it's easier to prove it elsewhere first.
06:37 < warren> adam3us: that's a reasonable goal, lacking funding
06:37 < adam3us> warren: well a great example is the sig includes input value i gave, armory badly needs that to make more secure offline wallet
06:37 < TD> warren: like what?
06:37 < adam3us> warren: as is they have to send the full tx details just to be able to validate
06:37 < warren> TD: really too late to get into this right now.
06:37 < TD> warren: i mean you assert that we shoot down all your great ideas, but i don't remember this happening
06:38 < TD> well, alright.
06:38 < gmaxwell> Well I certainly shoot down ideas. :P
06:38 < TD> but just be aware that maybe some ideas get shot down for valid reasons :)
06:38 < gmaxwell> some of them are even good sounding ones. :P
06:39 < adam3us> TD: i'm guessing he would more mean good ideas, that are delayed for risk arguments, like armory's request i saw that discussed and most seemed to think it a good fix, but i am not sure when its going to happen as any kind of fork is a scary scary thing to navigate for good reason
06:39 < gmaxwell> Like I think we should have UTXO expire in bitcoin, because it will increase supply certainty, reduce validation costs, and protect the network from cracking attacks bringing back long lost coins.. but I also think that doing so would be economically incompatible with bitcoin, a violation of our promises.
06:40 < TD> adam3us: i don't think that's delayed for "risk reasons". nobody has written the code, have they? so the question of when to do such a hard fork has never even come up yet.
06:40 < gmaxwell> adam3us: I haven't yet seen a softforking value-in-txn design that wasn't ugly as sin. Certainly no one has even drafted a bip for one.
06:41 < adam3us> TD, gmaxwell: fair enough i guess i should get off my butt and write one... but i am not blowing smoke i think to say the core has to be rightly extremely cautious about changes
06:42 < gmaxwell> sure, and indeed it is, but thats not the cause for changes not existing.
06:43 < adam3us> gmaxwell: hmm i suspect warren thinks different, and i saw sipa said the only way to make faster change was a rewrite i dont know as i havent tried it first hand
06:44 < adam3us> gmaxwell: ah maybe the issue is the softfork - the actual (probably hardfork) design and idea seemed extremely simple and clean I thought
06:44 < warren> TD: it isn't my great ideas, and it isn't about quantity
06:44 < TD> yeah. doing it with a hard fork isn't that hard. i'd like to see this happen too.
06:45 < gmaxwell> adam3us: changing transaction syntax in a hardfork would be trivial (but god, I hope that input values wouldn't be all that we'd change)
06:45 < gmaxwell> but now what are you going to do with the fact that parties like mtgox and coinbase use their own node software and are already not able to keep it working right.  How will they adopt this hardfork?
20:12 < gmaxwell> justanotheruser: dude, wtf. you are trying to employ bitcoin to do one of the things it doesn't really do at all, antijamming.  If you can assign ballots to people the voting process is largely done, nothing hard remains.
20:12 < justanotheruser> gmaxwell: anonymizing remains
20:12 < petertodd> justanotheruser: there are much better ways to anonymize votes
20:12 < gmaxwell> (well, except anti-coercion is basically impossible in a online voting context)
20:13 < gmaxwell> anonymizing is kinda pointless if you don't generally have anti-coercion, but anonymizing is trivial, go look up "reencryption mix"
20:13 < justanotheruser> petertodd: anything other than zerocoin of a central authority?
20:13 < gmaxwell> electronic voting is a _very_ well studied subject.
20:13 < petertodd> justanotheruser: this has been a "sexy" problem in crypto for years, and people way smarter than any of us have spent whole phds on the subject
20:14 < gmaxwell> invoking bitcoin for it is just a redneck suggesting his trusty shotgun as a solution to multivariate calculus. :P
20:14 < gmaxwell> Bitcoin solves an entirely unrelated problem, and it doesn't solve the important problems in voting.
20:14 < petertodd> justanotheruser: if you need decentralized consensus about the results of a vote then blockchain's can make sense, but rarely do you need that
20:14 < justanotheruser> Is there another decentralized voting method?
20:14 < petertodd> justanotheruser: so why is this vote required to be "decentralized", and what do you mean by that term?
20:15 < justanotheruser> petertodd: I would like it to be decentralized because it prevents vote manipulation and what's happening in Russia.
20:15 < gmaxwell> justanotheruser: what you were suggesting didn't sound decentralized. But assuming you get as far as somehow giving ballots to voters, there are systems which are no less decentralized than bitcoin.
20:15 < gmaxwell> justanotheruser: how do you plan on giving each person one ballot without someone getting 500 in a decentralized manner?
20:16 < petertodd> justanotheruser: right, so you're applying this voting scheme to a typical thing where the list of voters is already defined by a central authority, so you don't need blockchains - existing crypto works just fine
20:16 < justanotheruser> gmaxwell: That is centralized, but you can verify that someone isn't getting too many votes, no votes, or that imaginary people are getting votes.
20:16 < petertodd> justanotheruser: you can't with crypto - those are all human problems
20:16 < gmaxwell> okay if you can do that you can just apply the mountains of evoting lit.
20:17 < justanotheruser> petertodd: Yes it is
20:17 < justanotheruser> *Yes they are
20:17 < petertodd> justanotheruser: I mean, once you solve the problem of figuring out who the voter list is, you can start using crypto, but you already have a central authority so standard algorithms and techniques work - they don't use blockchains
20:18 < gmaxwell> and blockchains don't work, because you get crap like "a majority of hashpower can rig the election" which is undesirable to a high degree.
20:19 < petertodd> gmaxwell: yes, unless the voter list is defined in terms of hashing power :P
20:19 < gmaxwell> I do kinda like idea of using OWAS to create a jamming proof communications mesh, I don't think I've seen that proposed outside of #-wizards.
20:19 < gmaxwell> petertodd: yea okay, sure you can just leave out the voters list then... miners decide. :P
20:19 < petertodd> gmaxwell: more seriously, with my timelock thing you *can* do a vote with well-defined limits for how easy it is to rig the election
20:20 < fagmuffinz> OWAS?
20:20 < justanotheruser> gmaxwell: yes, that was my original problem, I wanted to have the merged mining to be paid in bitcoin somehow. This would increase the number of miners and prevent 51% (hopefully)
20:20 < gmaxwell> fagmuffinz: One Way Aggregatable signatures.
20:20 < fagmuffinz> donka
20:20 < gmaxwell> fagmuffinz: cryptographic signatures which you can merge and still validate, but you cannot unmerge.
20:21 < gmaxwell> fagmuffinz: so e.g. you give me your vote and I merge in the vote I have (which is a merge of petertodd and mine) and then we pass it on.. and someone can't later pick apart our votes to only include yours in the election, unless they get a clean copy of yours from you.
20:22 < fagmuffinz> I looked up your previous explanation =]
20:22 < fagmuffinz> Would be decent for building the mesh
20:23 < gmaxwell> well my thought is that politics often follow social lines, so you could still perhaps rig, but it would be highly detectable when virtually all of the votes for one candidate disappear. :P
20:24 < maaku> petertodd: but how do you have a timelock system that isn't at the DoS-mercy of the person running the timelock?
20:24 < fagmuffinz> Yea, still, it's not quite the long-term solution yet
20:24 < fagmuffinz> There's probably no good way, without centralized trust, to resolve that issue
20:25 < gmaxwell> fagmuffinz: oh nah, in most cases the voting systems don't really need jamming free communication. what they do is make it easy to check what votes are included before the count, and then trust that if your vote is omitted you will scream from the hilltops.
20:25 < fagmuffinz> Yea, that'd be sufficient
20:25 < gmaxwell> e.g. disenfranchisement is detectable.
20:25 < fagmuffinz> Assuming good citizenry
20:25 < fagmuffinz> Yea
20:25 < maaku> which works in democracy, but not automated consensus systems
20:25 < petertodd> maaku: read the paper, it's not a central timelock, just a sequential hard algorithm
20:26 < fagmuffinz> Yea, guaranteeing that your vote made it after the count is sufficnet
20:26 < fagmuffinz> sufficient ***
20:26 < petertodd> maaku: obviously cracking the timelock is computationally intensive of course
20:26 < fagmuffinz> petertodd: Is a timelock explanation above?
20:27 < maaku> fagmuffinz: only if there are repercussions for cheating
20:27 < midnightmagic> if a citizen doesn't care if his vote is counted, it's not really disenfranchisement.
20:27 < maaku> in some applications - PoS vote on validation rules, for example, it is useless to complain
20:27 < fagmuffinz> Voting is a social system
20:28 < fagmuffinz> Separate from guaranteeing existence in something
20:28 < maaku> the votes drive some consensus process, and there's no way to back out other than to abandon the whole system, which would be a successful DoS outcome
20:29 < fagmuffinz> DoS is a universal threat that you have to accept upon automating this shit
20:29 < fagmuffinz> The only sure way of mitigating DoS is having enough infrastructure
20:30 < justanotheruser> fagmuffinz: not necessarily in a decentralized system
20:30 < justanotheruser> for example: Bitcoin is very difficult to DoS
20:30 < maaku> petertodd: ok i understand, it just makes decrypting have a cost
20:30 < fagmuffinz> Hence you're trying to use it for voting
20:31 < fagmuffinz> Correct?
20:31 < justanotheruser> fagmuffinz: that's not the reason I want to use it for voting. It's more to verify that everyone who got a vote had their vote counted.
20:32 < maaku> petertodd: if some joker puts a ballot in that is ill-formed, junk, or encrypted with different key, it would be nice to have a compact, quickly verified proof of that
20:35 < petertodd> maaku: yeah, that's a very interesting crypto problem actually, I suspect it may be incompatible with the sequential-hard scheme
20:36 < fagmuffinz> justanotheruser: Are you just inquiring or do you have some partial plan?  I'm thinking about what gmaxwell put forward in terms of aggregating a single score for verification...
20:36 < maaku> petertodd: i have a rather near term application if a jamming-resistant proof-of-stake voting scheme can be found
20:36 < fagmuffinz> You could tell your vote made it into the list
20:37 < petertodd> maaku: of course the whole thing is dependent on the fact that the fastest sequential implementations of a lot of algorithms are reasonably close to each other in performance - off-the-shelf is basically the best you can get within an order of magnitude
20:37 < petertodd> maaku: oh yeah?
20:37 < fagmuffinz> You'd need to take additional steps to ensure the list was properly counted
20:37 < justanotheruser> fagmuffinz: Is it possible to do that anonymously?
20:37 < maaku> yeah, demurrage distribution - "republicoin". i forget if I've told you about it already
20:38 < petertodd> maaku: ah yeah, that'd work
20:38 < maaku> demurrage distributed according to forced coinbase payments determined by a proof-of-stake vote on a jamming-free ledger
20:39 < petertodd> maaku: damn expensive those in terms of cpu-power
20:39 < maaku> i got it worked out up to the jamming-free part :\
20:39 < petertodd> s/those/though/
20:39 < maaku> yeah, hence the need for cheap verification..
20:40 < maaku> i'm okay with votes being expensive, but validating nodes that count the votes need to be cheap
20:40 < petertodd> yup, and I'm pretty sure that's been proven to be impossible
20:40 < maaku> well you could do it with gmaxwell's ticking timelock pow for example
20:40 < petertodd> obviously you can easily pass around the decryption keys proving a vote exists, but not the other way around
20:40 < maaku> so there's an existence proof
20:40 < maaku> oh you mean the cheap validation
20:41 < maaku> darn
20:41 < petertodd> well keep in mind that part of the reason why the scheme can work if embedded in otherwise-normal looking transactions is that miners would (in theory) find it too expensive to just block all transactions
20:42 < petertodd> the moment you have a "well-known" place where the vote would be recorded it becomes much easier for miners to rig the vote
20:48 < maaku> yes it would have to be either steganographically encrypted, or taken out of the miners hands
18:29 < gmaxwell> ... systems were bonded with mining donations, which might help, but its very murky to me.
18:31 < maaku> gmaxwell: well if most txns don't hit the chain, it's okay for those which do to pay the price
18:31 < maaku> it seems some people want 10,000 tps with <$0.01 txn fees
18:32 < maaku> i'm more in the camp of only slightly larger blocks, with much higher fees
18:32 < maaku> and moving most transactions off-chain (even day-to-day payments - heretical I know)
18:32 < gmaxwell> maaku: yea, indeed. And until we get magical pixie dust computers and networks we cannot do 10,000 tps without losing decentralization.
18:32 < adam3us> maaku: as long as the properties you get off chain are matching the on chain properties (unseizable, relatively fungible, not relying on individual servers, p2p survivability and durability of asset ownership)
18:33 < maaku> gmaxwell: also, freicoin. (demurrage payments to miners)
18:33 < adam3us> maaku: it is another model for funding miner.. free tx for the cost of a small demurrage; however it doesnt prevent dust payment spam
18:33 < gmaxwell> maaku: mostly I worry that so long as bitcoin is maximally decentralized you can build more scalable systems on top of it. But if bitcoin loses some of its decentralization you cannot build a more decentralized system on top of it.
18:34 < gmaxwell> maaku: the inflation model implies a free parameter which there doesn't seem to be a way to make the system set which could be wildly wrong. ::sigh::
18:35 < gmaxwell> If we knew that processors would never become more powerful or energy more plentiful we could potentially use hashrate to control inflation to pay for mining... but thats clearly wrong.
18:35 < gmaxwell> I hope at least bitcoin will advance the minimum difficulty over time.
18:37 < gmaxwell> maaku: also one of the biggest concerns is that we're _clearly_ losing decentralization already. I don't think this can be debated, but I don't think the causes are as clear as the symptoms.
18:37 < maaku> adam3us: If there was a less expensive solution that had all of those properties, it would completely replace bitcoin. If you find that holy grail, let me know so I can short BTC.
18:37 < maaku> Otherwise, for a given application there are probably one or two of those requirements you can relax in return for some performance.
18:38 < maaku> It won't match all applications, but for yours it will work. And when you really need every single property of bitcoin, use bitcoin.
18:38 < maaku> And pay the cost
18:38 < gmaxwell> e.g. like the tamper-resistant hardware that exchanges private keys... security is .. meh. but it works offline and is untraceable!
18:38 < adam3us> maaku: well i'm interested in improving bitcoin
18:40 < adam3us> i think there is systemic danger even from the existence of altcoins, not just to bitcoin specifically but to digital scarcity coins in general
18:40 < adam3us> if litecoin overtook bitcoin then what - would bitcoin nosedive to 0?
18:40 < adam3us> and then people in litecoin would be looking at feathercoin, novacoin etc and wondering if the same thing is going to happen
18:40 < gmaxwell> adam3us: I agree. Or I'll explain more concretely. I think there is a nontrivial risk that the first time an altcoin replaces bitcoin all decentralized cryptocoins will substantially die.
18:41 < maaku> You can't extrapolate from an inconsistent assumption.
18:41 < jtimon> gmaxwell, you earlier said: The point is that you can do an interactive hashtree proof where you interact with the network. E.g. you give the miner a big proof, and the block hash tells it how to subset the proof. Because the block hash requires 2^lots work, creating a false proof is at least as expensive as mining many blocks and throwing them away.
18:41 < gmaxwell> adam3us: oh you're saying exactly the same thing I am.
18:41 < adam3us> its fun for the people who get in selfishly, but it could be lethal if too successful individually in a given altcoin
18:41 < maaku> Litecoin won't overtake bitcoin - neither will freicoin, either (I'm not biased!)
18:41 < jtimon> can't this be combined with adam3us's blind timestamping?
18:41 < adam3us> gmaxwell: ah i didn't read your bit, yes we coincidentally said the same thing
18:42 < maaku> There's just no mechanism that could happen except rich people blindly throwing money away (unlikely)
18:42 < gmaxwell> maaku: Right, but assume Makku-ultimate-coin does. Doesn't matter which one does. Say it does.  Once it does the people holding it are going to wonder .. hey when will something else overtake ... this.
18:42 < gmaxwell> so if it ever happens it could unwind the whole thing.
18:43 < gmaxwell> Though I'm not expressing an opinion on how likely that is to happen, the network effect and first mover advantage are enormous.
18:43 < adam3us> yes sad though it is that no one can again become rich like satoshi
18:43 < gmaxwell> jtimon: perhaps.
18:43 < adam3us> if they try and succeed it maybe the end
18:43 < maaku> gmaxwell: my point is that won't magically happen overnight. if it did happen, it'd be for a specific reason, and that specific reason would determine the answer to the question about what people would do/think next
18:43 < jtimon> on the altcoin stuff, if one falls because a new one is better
18:44 < gmaxwell> maaku: there are lots of ways to improve on bitcoin, as everyone in here knows. :)
18:44 < sipa> i don't think bitcoin will be taken over by anything, until it actually fails
18:44 < jtimon> maybe people learn their lesson and start saving in real assets and credit instead of scarce-money
18:44 < adam3us> jtimon: the issue is the undermining of the concept of scarcity and longevity of the logscale graph heading to market saturation
18:45 < gmaxwell> sipa: I think the question of if something overtakes it at all even after depends on how it fails.
18:45 < jtimon> but that doesn't mean the new one won't have enough value to serve as medium of exchange
18:45 < adam3us> jtimon: it might create destabilization and fundamental loss of confidence in the concept that doesn't reinflate
18:45 < gmaxwell> or maybe not, ... I mean I'm shocked at how scammy things can be and people still participate. perhaps its unstoppable.
18:46 < jtimon> I disagree, maybe because I never considered bitcoin or  any other money to be a store of value
18:46 < adam3us> jtimon: the phenomenon is seen historically with money that became fractional, suffered hyperinflation (collapse) and then could not be restarted without going back to gold backing
18:46 < gmaxwell> adam3us: or USD backing. :P
18:47 < adam3us> the bootstrap phase, expectation, and psychology matter;
18:47 < maaku> adam3us: just because something hasn't been done before, doesn't mean it's impossible
18:47 < adam3us> this is the road to the digital tulip story
18:47 < jtimon> I don't think that's true, I think fiat was restarted in germany just with another denomination
18:47 < maaku> but this is probably not an argument for -wizards
18:47 < jtimon> sure
18:47 < sipa> #bitcoin-psychology ?
18:47 < gmaxwell> Interestingly, bitcoin may be the only currency in "widespread" use which isn't at least indirectly traceable to being fixed to gold/silver at some point.
18:48 < adam3us> anyway i am more interested in improving bitcoin than altcoins and they may be a danger to the concept of digital scarcity
18:48 < adam3us> gmaxwell: yes i think economically its writing history
18:49 < gmaxwell> (the closest I could find was ILS but it was fixed to the israel lira, which was fixed to the ukp, which was fixed to the usd (!), which was previously fixed to gold)
18:49 < adam3us> a new asset class etc, but the potential risk with digital scarcity is new scarcity runs can be started on whim; there needs to be a "gold standard" of scarcity that people do not jump away from
18:50 < adam3us> so i think altcoins should use the 1 way peg to bitcoin method i proposed for bitcoin-staging, and innovation should go into bitcoin staging
18:50 < jtimon> I don't think altcoins are a danger to digital scarcity and I couldn't disagree more with the need of a "gold standard"
18:50 < adam3us> we have enough dev resource shortage without fragmenting
18:50 < gmaxwell> adam3us: thats partially why I wanted someone to create an altcoin generator.. basically keep the basin of low value stuff constantly flooded.
18:51 < gmaxwell> and remove the prospect of ever making big money with yet another worthless altcoin.
18:51 < jtimon> what bitcoin "backing" has to do with development fragmentation?
18:51 < adam3us> gmaxwell: well I was thinking something related that these param tweaks, surely they can be made to coexist on a meta chain
18:51 < maaku> <adam3us> we have enough dev resource shortage without fragmenting
18:51 < adam3us> then the people who want to do them can just publish a paramset genesis msg
18:51 < gmaxwell> adam3us: the param tweaks are marketing not merit for the most part.
18:51 < maaku> <-- which is why we shouldn't bring currency politics into this
18:52 < adam3us> maaku: not getting at you guys - friecoin and friemarkets aimed for real innovation
18:52 < sipa> s/ie/ei/g
18:52 < adam3us> yes
18:52 < jtimon> I actually don't think freicoin is about innovation but about another monetary theory
18:52 < jtimon> freimarkets is about innovation, but it's not freicoin specific
18:53 < sipa> well, at least they are interesting experiments
18:53 < sipa> whether you agree or disagree with their theory
18:53 < gmaxwell> My comments whining about altcoins are always to the extent that they didn't do anything interesting. Something inflationary is pretty distinct (even if economically its less so than people guess at first).
18:53 < maaku> hrm maybe we shouldn't have named it "freimarkets"
18:53 < sipa> litecoin's scrypt was also an interesting experiment, but we're way past that point
17:09 < adam3us> gmaxwell: you know i noticed petertodd and warren both put just the keyid on their biz card in lieu of a proper fp
17:10 < gmaxwell> adam3us: yea, thats why my cards had the full fingerprints. esp people with short ids (32 bit) on their cards. egads.
17:10 < adam3us> gmaxwell: peter put 64-bits warren only 32-bits.. i'm not sure i can sign warren's key on that basis - its trivial to brute force that especially if can vary meta data
17:10 < adam3us> gmaxwell: peter said  yeah but 64-bits is reflective of the practical security (intentional humor or something)
17:11 < gmaxwell> adam3us: I'm planning, when I upgrade my pgp key to ECC to grind out a silly ID .. e.g something with 64 bits of zeros.
17:12 < adam3us> gmaxwell: awesome :) vanity keyid, vanity fp etc
17:12 < BlueMatt> adam3us: pm?
17:14 < BlueMatt> gmaxwell: you should share that code :)
17:14 < BlueMatt> (for the lazy among us)
17:14 < Luke-Jr> so we all have key id 000000000 ?
17:14 < gmaxwell> BlueMatt: I have an old patched up version to timestamp grind. .. but to get a 64 bit result I'm going to need to use a fpga cluster.
17:14 < gmaxwell> its just sha1 though, so it should be pretty fast.
17:15 < BlueMatt> ahh
17:15  * BlueMatt needs to invest in a fancy hardware setup with fpgas...
17:16 < gmaxwell> well I'm hoping to buy up some ex mining farm hardware but crazy people are bidding them up
17:19 < adam3us> u know the point of the guy who made this collision is that he thought gpg might do something stupid in this case :)
17:19 < adam3us> gmaxwell: u know there is opencl code for hashcash-sha1 mining contact the guy who did the 48-bit stamp on hashcash.org
17:20 < adam3us> gmaxwell: probably not hard to modify the existing sha256 opencl code either, according to the sha1 guy his code was not super optimized
17:22 < Luke-Jr> adam3us: the SHA256d OpenCL code is pretty super-optimised..
17:33 < adam3us> Luke-Jr: yeah, apparently the sha1 opencl not so much (he didn't release it but probably would on request), its probably better starting point to modify the optimized sha256 to sha1
17:34 < gmaxwell> adam3us: all the password cracker projects now have stupidfast ocl SHA1.
17:34 < adam3us> perfect
17:34 < adam3us> gmaxwell: so you're going to fpga it?
17:35 < gmaxwell> that was my vague plan but I was waiting for the 400 bit DJB curve stuff to make its way into openpgp.
17:36 < sipa> I have 5 ztex FPGA's that are unused now :)
17:36 < sipa> (each did around 200 MH/s of bitcoin-double-sha256-mining)
17:37 < gmaxwell> sipa: that hits the spot!  art had said that sha1 on the lx150s was much faster than sha256.
17:38 < sipa> but doing 2^64 iterations on those is still 584 years for double-SHA256
17:43 < gmaxwell> I think sha1 being 20x faster isn't unreasonable, but 500x faster seems unlikely. So obviously I'll need to find more fpgas. :P
18:23 < lolcat9> #bitcoin-dev
18:46 < sipa> gmaxwell: in some future keysigning party: "Dang, we have a bunch of former Bitcoin miners joining... they all have the same key id :("
18:47 < Luke-Jr> former? :<
18:49 < gmaxwell> hahah
18:50 < sipa> Luke-Jr: using pre-ASIC hardware
18:50 < Luke-Jr> sipa: hopefully we all upgraded to ASICs!
18:50 < Luke-Jr> gmaxwell: you have ops in #bitcoin-dev right?
18:51 < gmaxwell> yep
18:51 < sipa> so do i
18:51 < Luke-Jr> sipa: but you weren't there :P
21:15 < Skyminerlabs> http://www.skyminerlabs.com/ we have released our V2 of our mining simulator for the PCI-E 600GH/z product check this out!
21:16 < gmaxwell> Skyminerlabs: wtf. fuck off scammer.
21:58 < Emcy> mining simulator? what even is?
22:39 < andytoshi> i'm kinda curious about that too..
22:39 < andytoshi> i guess that's a way to scam, go into the wizards channel and post a link to something that's just gotta be some sorta something..
22:48 < nOgAn0o> Bearcubbys, I am loving you tonight.
22:49  * nOgAn0o toke
22:49  * Luke-Jr wonders how he learned about -wizards :<
22:50 < BlueMatt> we need #bitcoin-wizards-nospam
22:50 < nOgAn0o> Wow, like someone was talking about anything the 9 minutes prior?
22:50 < nOgAn0o> I apologize for disturbing!
22:51 < nOgAn0o> May the Lord Jesus Christ bless you all.
22:51 < nOgAn0o> And maybe if you wouldn't spend all day coding and on IRC you wouldn't be so grumpy all the time.  Just a suggestion.
22:53 < BlueMatt> nOgAn0o: no one was talking about you (until now)
22:54 < nOgAn0o> Oh.  *blushes*
23:05 < gmaxwell> Luke-Jr: I believe there is a way to /list with a wildcard.
23:05 < nOgAn0o> ./list bitcoin got me here
23:05 < nOgAn0o> mIRC
23:06 < BlueMatt> gmaxwell: I thought you werent supposed to be able to see what chans people are in unless you're in them too :(
23:06 < nOgAn0o> I just can't believe there are not more people in here watching what you guys are up to.. on an 11 billion dollar currency.. heh?
23:07 < gmaxwell> BlueMatt: there is a channel mode that hides the channels.
23:08 < gmaxwell> nOgAn0o: this channel isn't a production channel, little we talk about here has near term relevance to bitcoin.
23:08 < BlueMatt> gmaxwell: it will become relevant when we can get someone to hire bitcoin core devs to work on bitcoin core full time...
23:10 < nOgAn0o> gmaxwell, I need a favor.. I need to find an old ASIC.. Jalapeno or something.. 2GH USB stick.. or super cheap 336 Block Erupters.. I've been wanting to mine for 3 years and never had money for hardware.. But I need a small unit and good deal.
23:10 < BlueMatt> nOgAn0o: please at least ask that on #bitcoin, but probably not in a channel...
23:11 < nOgAn0o> I am sorry for the spam but please anyone who can help message me.. I have .22 BTC and 1.0 LTC and can access more.
23:11 < nOgAn0o> Sorry BlueMatt
--- Log closed Sat Dec 14 00:00:54 2013
--- Log opened Sat Dec 14 00:00:54 2013
00:35 < adam3us> hmm seems like some wikipedia action on bitcoin history... new page on nick szabo created 8th dec claiming bitcoin is basically szabo's bit gold ; and new section in bitcoin history with the same claim created 5 dec
00:35 < adam3us> by same wikipedia account dbabbitt
00:36 < adam3us> i fixed it to refer to b-money & hashcash & rpow later but got curious to look when this appeared!
00:36 < adam3us> https://en.wikipedia.org/w/index.php?title=History_of_Bitcoin&diff=584693698&oldid=584684996
00:36 < adam3us> scroll to bottom
00:37 < adam3us> new 'pre-history' section "bit-gold [...] is the direct precursor to the Bitcoin architecture."
00:41 < Luke-Jr> adam3us: meh, Wikipedia isn't usable when there are trolls around
00:43 < adam3us> curious meme though... someone trying to cement szabo as probable satoshi - is it szabo doing the edits and about to out himself? or someone took the latest speculation that it might be satoshi and decided stamp that speculation as near fact on several wikipedia pages
14:16 < michagogo|cloud> 06:06:02 <BlueMatt> gmaxwell: I thought you werent supposed to be able to see what chans people are in unless you're in them too :(
14:16 < michagogo|cloud> That's usually the case
14:17 < michagogo|cloud> A non-shared channel won't show up in /whois if the user being whoised has umode +i (which is the default) and/or if the channel in question is cmode +s (which is enabled by default for unregistered channels, but is disabled by default for registered channels)
14:18 < michagogo|cloud> This channel is -s, so if any user in here is -i, anyone who whoises that user will see this channel
15:29  * andytoshi-logbot is logging
23:26 < HM2> PT Mono may be the best programming font of all time
23:26 < HM2> even ugly template code looks pretty
--- Log closed Sun Dec 15 00:00:56 2013
--- Log opened Sun Dec 15 00:00:56 2013
01:46 < Emcy> http://www.quora.com/Distributed-Systems/What-does-a-career-in-distributed-systems-feel-like-In-terms-of-the-kind-of-programming-you-have-to-do-nature-of-bugs-or-issues-work-life-rhythms-etc/answer/Bram-Cohen?srid=CW&share=1 interesting comments
01:46 < Emcy> "Then I run into... how to put this... barriers to commercialization which don't apply to most products.
01:46 < Emcy> "
01:46 < Emcy> I think he means lobby money.......
11:31 < gwern> hola. so I need to tell Gavin about a possibly-schizophrenic stalker that seems to be targeting him. does anyone have a real contact email for him they wouldn't mind giving me? (given the nature of the issue I'd prefer to tell him sooner rather than later)
11:55 < gwern> anyone?
11:55 < gwern> alright, whatever, I'll just use
11:55 < gwern> gavinandresen@gmail.com
11:55 < gwern> it *probably* isn't a real threat, after all
12:01 < michagogo|cloud> gweIs that somehow a non-real contact email?
12:01 < michagogo|cloud> :-/
12:01 < michagogo|cloud> combination of the user leaving and lag eating keystrokes
14:38 < amincd> Hi guys, any feedback on this idea would be appreciated: https://bitcointalk.org/index.php?topic=365392.msg3900881#msg3900881
16:42 < gmaxwell> andytoshi: maaku: phillipsjk gave an attack on multiparty CJs that either I hadn't considered or I considered and forgot. https://bitcointalk.org/index.php?topic=279249.msg3982242#msg3982242
16:44 < warren> adam3us: good criticism on the 32bit keyid on card
16:51 < andytoshi> gmaxwell: thx, i'll check it out
16:52 < andytoshi> and agreed, i am not going to distinguish between fee and donation
16:52 < andytoshi> if people don't trust me, they can verify the transaction themself before signing
16:52 < andytoshi> unfortunately "andrew stole all the fees" and "somebody put a ton of inputs in without paying a corresponding donation" will look the same..
16:53 < andytoshi> ah, that is essentially the phillipsjk attack
16:57 < gmaxwell> andytoshi: well it means that e.g. if two people pay extra fees because they want faster confirmation, you could be eating them anyways.
17:03 < andytoshi> right
17:03 < andytoshi> so i think, i'll do that always and be upfront about it :P
20:53 < gmaxwell> Your signed submission.
20:53 < gmaxwell> Success! If all signatures arrive, the transaction will be broadcast at the start of the next session. Thanks!
20:53 < gmaxwell> Your unsigned submission.
20:53 < gmaxwell> Thanks for submitting an unsigned transaction.
20:53 < gmaxwell> Sorry, this session was not found.
20:53 < gmaxwell> Thanks for helping bitcoin's privacy.
20:53 < gmaxwell> andytoshi: also, you should do something visually drastic when its ready to sign
20:53 < gmaxwell> andytoshi: like change the page background to blue.
20:54 < gmaxwell> I'm also now getting at the front index:
20:54 < gmaxwell> The current session is open for -1387158864 more seconds. There are currently 0 transactions in the pot. Note that if there are less than two transactions in the pot at the end of the session, this session will be invalidated.
20:54 < gmaxwell> and a constant rescroll to the top of the page. :P
20:54 < gmaxwell> heh
20:55 < gmaxwell> The way it works is as follows: every -1387158602 seconds, a new session opens. During each session, users submit transactions to be joined, and recieve a URL specific to that session.
20:55 < michagogo|cloud> gmaxwell: You're nullc, right?
20:57 < andytoshi> gmaxwell: sorry, this is a bad time for you to test :)
20:58 < andytoshi> it should be right in half an hour or so...
20:58 < andytoshi> when i changed the cronjob to run every minute, i broke the session management pretty badly
20:59 < typex> what are you working on andytoshi?
21:03 < andytoshi> typex: i am writing a web interface to handle coinjoining via rawtransactions
21:03 < typex> coo
21:03 < typex> cool
21:04 < andytoshi> :q
21:06 < gmaxwell> michagogo|cloud: yes
21:06 < typex> andytoshi, I'll gladly help to test if you want
21:07 < gmaxwell> typex: right now his service is running on testnet, so if you're not running testnet
21:07 < gmaxwell> andytoshi: oh I don't mind, I'm just testing it periodically.
21:08 < gmaxwell> andytoshi: In my mind the deal is I keep testing it and don't mind that it doesn't work, and you don't mind that I keep reporting things for you to fix. :)
21:08 < typex> sure
21:08 < typex> hehe
21:10 < andytoshi> thx a ton for your time and suggestions, gmaxwell
21:10 < andytoshi> typex: yeah, that'd be great
21:10 < andytoshi> http://testing.wpsoftware.net/coinjoin/
21:10 < gmaxwell> andytoshi: no problem, this sort of thing fits the time I actually have available, stolen moments as I get blocked (or wait for a compute job) on other projects I'm working on.
21:11 < typex> bitcoin-qt shouldn't get messed up in any way if I switch it to testnet right?
21:15 < michagogo|cloud> nope
21:15 < gmaxwell> typex: nah, perfectly fine to switch (or run both at once, in fact)
21:15 < michagogo|cloud> You can even run test and mainne-
21:15 < typex> great
21:15 < michagogo|cloud> what gmaxwell said
21:16 < gmaxwell> I run both at once, every once in a while I run the wrong one and I'm very confused.
21:17 < gmaxwell> "whooo! solo block!" ... "aww"
21:17 < typex> :-)
21:19 < michagogo|cloud> heh
21:30 < michagogo|cloud> andytoshi: getting a Failure: output value not equal to input value. Check the section on Donations and Fees below.
21:30 < michagogo|cloud> But as far as I can tell, inputs and outputs are equal
21:30 < andytoshi> can you msg me the raw transaction?
21:31 < michagogo|cloud> http://pastebin.com/4QNDyyqR
21:34 < andytoshi> sigh, effing php..
21:34 < michagogo|cloud> Heh, overflowing the input field?
21:34 < andytoshi> nope, just saying 24.45 != 24.25
21:34 < michagogo|cloud> Well, that's true
21:34 < andytoshi> to be fair, this is probably not php's fault..
21:34 < michagogo|cloud> But in this case, 24.45 == 24.45
21:34 < andytoshi> lol, i meant 25.45 == 25.45
21:35 < michagogo|cloud> Ruby calculates the total of the outputs as 25.450000000000095...
21:35 < michagogo|cloud> stupid floating points
21:35 < andytoshi> i guess, i'll put a 'within 1 satoshi' check and that should do it
21:36 < michagogo|cloud> heh
21:36 < andytoshi> can i get bitcoind to send me satoshis instead of floating-point numbers?
21:36 < michagogo|cloud> It actually sends you decimals
21:36 < michagogo|cloud> :-P
21:36 < andytoshi> :)
21:36 < michagogo|cloud> You just need to get php to not treat it as a float
21:37 < michagogo|cloud> (if that's possible...)
21:37 < andytoshi> cool, it accepted your transaction
21:37 < andytoshi> http://testing.wpsoftware.net/coinjoin/sign.php?session=cba2c4be86cdda9f6828baa4294dbff5e04d09413e6b15252d986679be6d1399
21:37 < andytoshi> i highly doubt it's possible
21:37 < michagogo|cloud> In Ruby, I might try multiplying by 100000000 and calling to_i
21:38 < andytoshi> yeah, i could do that actually
21:38 < michagogo|cloud> (if the inaccuracy is sub-satoshi)
21:40 < andytoshi> ok, so if you are idling on the link i sent you, in about 6 mins we should both hear a ding, which means that we can sign
21:41 < michagogo|cloud> BTW, probably you should include the fee/donation address on the sign page
21:41 < michagogo|cloud> Aww, you require a confirmation on inputs?
21:41 < michagogo|cloud> :-/
21:42 < andytoshi> yeah, sorry
21:42 < michagogo|cloud> At least it didn't kick me back to the front page on a failed transaction
21:42 < andytoshi> yeah, i fixed that..very very annoying
21:42 < michagogo|cloud> Oops
21:42 < michagogo|cloud> Accidentally just sent 0.05 BTC to the fee/donation address
21:43 < andytoshi> the one-conf thing is to prevent double-spends, and it's kinda an antidos
21:43 < andytoshi> with sendtoaddress?
21:43 < michagogo|cloud> Nah
21:43 < michagogo|cloud> By signing and sending 0100000001a1188d6860b79fcd97d87d488cd8c86dbdd99c1139490f98cef42ffd939bd4a80100000000ffffffff0280fe210a000000001976a91443dc321b6600511fe0a96a97c2593a90542974d688ac404b4c00000000001976a9140332073851cbdfd5b4e6a18891963ea0c546d74688ac00000000
21:43 < andytoshi> ah
21:43 < andytoshi> damn
21:44 < michagogo|cloud> (that was the unconfirmed transaction I was trying to spend into the pool, sending most of the tBTC back to the faucet)
21:44 < andytoshi> maybe i can use vanitygen to get the privkey :P
21:44 < michagogo|cloud> Sure, as soon as you harness all the energy in the entire universe
21:44 < michagogo|cloud> times about a million?
21:44 < michagogo|cloud> (disclaimer: that last number is made up)
21:45 < michagogo|cloud> By the way, why do you start the timer on a session while it has 0 inputs?
21:45 < michagogo|cloud> You could just have it idle, and leave the session open for 20 mins or whatever from the first input
21:47 < andytoshi> i could, i might do that
21:48 < andytoshi> so, if you refresh your page we can sign now
21:49 < andytoshi> the ding didn't come, the timer went into negative territory and then it autorefreshed while perl had the database locked
21:51 < michagogo|cloud> Uh
21:51 < michagogo|cloud> There's 0.47 going to mforFeesAndDonationsSpendHerdYm2jT
21:51 < andytoshi> really?
21:51 < andytoshi> wtf
21:52 < michagogo|cloud> "n" : 100
21:52 < andytoshi> also my server is crashing..
21:52 < midnightmagic> it take 45 TH to average one solo block per day right now
21:53 < midnightmagic> :-(
21:53 < midnightmagic> i don't think i'll ever be back on board with solo mining
21:53 < michagogo|cloud> Well, it does take ,,(calc [nethash] * 1000000000 * 600) hashes to find a block...
21:53 < michagogo|cloud> ;;help nethack
21:53 < gribble> Error: There is no command "nethack".
21:54 < michagogo|cloud> ;;help nethash
21:54 < gribble> (nethash takes no arguments) -- Shows the current estimate for total network hash rate, in Ghps.
21:54 < michagogo|cloud> ;;calc [nethash] * 1000000000 * 600
21:54 < gribble> 5063132752673999872
21:54 < michagogo|cloud> over 5 quintillion hashes
21:55 < andytoshi> michagogo|cloud: this is definitely a bug, i'll deal with it whenever i can get my server back
21:55 < andytoshi> for now i think we'll have to stop testing :(
21:56 < michagogo|cloud> Here's my signed version of that: http://pastebin.com/UNckGWLM
21:57 < andytoshi> thx, but if it's got money going to mforFeesAndDonationsSpendHerdYm2jT i won't use it
21:58 < michagogo|cloud> It's less than 1% of a block
21:58 < michagogo|cloud> (though I guess that's still an UTXO in the UTXO set forever...)
21:59 < michagogo|cloud> wait a minute
21:59 < michagogo|cloud> How did it get to be 5 am
22:00 < andytoshi> haha oops
22:00 < michagogo|cloud> o_O
22:00 < andytoshi> it's only 9pm over here
22:00 < michagogo|cloud> US Central?
22:01 < michagogo|cloud> Okay, I need to go to sleep
22:01 < michagogo|cloud> Fortunately there's no school tomorrow (well, technically today) because everyone's still recovering from the snowstorm
22:02 < andytoshi> alright, i'll let you go, whenever you wake up this should be fixed
22:45 < andytoshi> michagogo|cloud: whenever you get this, the url for signing is http://testing.wpsoftware.net/coinjoin/sign.php?session=b3b098642a36f1aa62a333f5a15a6e98a04dfb7622e4eb3dd74f3d706f149d7b
--- Log closed Mon Dec 16 00:00:59 2013
--- Log opened Mon Dec 16 00:00:59 2013
00:26 < gmaxwell> andytoshi: you need to convert all the numbers to integers. Don't use floats for this stuff.
00:26 < gmaxwell> andytoshi: you can just remove the . and you have an integer. :P
03:34 < adam3us> seems like it would be better if people who pool mine without using getblocktemplate (without being a full node) got their coinbase from power users they know (finding full nodes at random would be vulnerable to sybil)
03:35 < adam3us> otherwise it's a vote abdication leading to policy centralization and double spend abuse (like ghash.io seemingly gaming the satoshi-dice clone)
03:35 < maaku> adam3us: is there any one left that doesn't use getblocktemplate (excepting stratum)?
03:36 < maaku> getwork can't keep up with asic speeds
06:47 < gmaxwell> P2SH has failed to be adopted by most alt implementations, even just for send-to, making it almost useless for everyone. ... and it's a very simple change.
06:48 < adam3us> TD, gmaxwell: another use case eg the visual wallet (forgot the name & link) like an armory wallet but using animated qr code interface on an android tablet wallet with a physically disabled wifi; it's hard to do that because of the bandwidth, or it's safer than usb that armory uses
06:48 < TD> animated qrcodes? ye gods. bluetooth exists, people!
06:48 < adam3us> gmaxwell: well... with bitcoin staging you do your advanced stuff, then you trade it back to btc to deal with likes of gox
06:49 < gmaxwell> "and bluetooth is still airgapped! see, no wires!"
06:49 < adam3us> TD: the idea is to have optical interface only - isolation from remote network/bluetooth stack compromise
06:49 < gmaxwell> and then they overflow your transaction parser. :P
06:49 < adam3us> armory tries but then you have a usb going back and forth, and there is risk of "bad bios" usb compromise of the bios firmware
06:50 < adam3us> gmaxwell: indeed that's the new attack surface however it's software so at least you can look at it unlike bios firmware
06:51 < warren> Snowcrash bitmap to brain infection...
06:51 < adam3us> gmaxwell: yes about tx parser, but thats in the realm of magic pgp message that compromises the targets machine when he processes it
06:51 < gmaxwell> adam3us: if you're going to buy into that badbios stuff you might as well hypothesize that the tablet is already compromised and the high frequency sound modem in your computer is already bridging the airgap (something else dragos claimed... )
06:51 < gmaxwell> in any case, no one is arguing that making the data smaller is important.
06:52 < adam3us> gmaxwell: half the bad bios was space alien paranoia unsubstantiated, but my hacker buddy says the firmware compromise part is plausible
06:52 < warren> computers already infect humans with psychological diseases
06:52 < gmaxwell> yea, it's unsubstantiated but plausible.
06:52 < gmaxwell> (if you look, alans' original signer stuff... it didn't send the inputs, I pointed out to him that it had to... so I'm not unaware of what a pain that is)
06:53 < gmaxwell> though I don't really know if including the value is the best solution, or just restructuring the transactions so that the inputs are always super compact.
06:53 < adam3us> gmaxwell: yes i saw you on the bitcoin thread talking about it (didn't know/recall that you first observed the issue, ok)
06:53  * warren sleep
06:53 < adam3us> 'night
06:54 < warren> adam3us: "core has to be rightly extremely cautious about changes"  core really needs to be a lot smaller
06:54 < warren> ok, really going
06:55 < adam3us> gmaxwell: an explicit change amount might help, the saving from implicit change is the core problem
06:55 < adam3us> gmaxwell: sorry implicit fee i mean
06:55 < gmaxwell> adam3us: e.g. if the txid:vout in a transaction was really just a txout hash, and the transaction itself was a hashtree, then proof of the relevant inputs is always compact. (just provide the inputs)
06:56 < gmaxwell> In the general case for security assuming scripts beyond regular pay-to-pubkey, it's not adequate that the signer know the value, he actually needs to know the scriptpubkey he's signing for.
06:56 < adam3us> gmaxwell: implicit fee seems silly, then we have screw ups now and then
06:57 < adam3us> gmaxwell: yes
06:57 < gmaxwell> implicit fee is needed so that anyonecanpay can be used to add fees later.
06:57 < gmaxwell> if the fee is under the signatures you can't do that. :(
06:59 < adam3us> gmaxwell: i guess initial fee could be validated with =, anyonecanpay increased fee with >
07:00 < gmaxwell> > leaves you with the fee overpayment accident issue still. :)
07:01 < adam3us> gmaxwell: yes; i am going to refrain talking to you for a while so you go sleep - tomorrow:)
07:01 < gmaxwell> if instead you could extract inputs compactly the signing process could be createraw / add-inputs / signraw (which _requires_ inputs and can tell you the fee in return)
07:01 < gmaxwell> goodnight
07:01 < adam3us> 'night
08:41 < michagogo|cloud> 13:24:49 <TD> the nick "mike" was only registered in 2011 and has only been used once. goddamnit.
08:41 < michagogo|cloud> Well, actually...
08:41 < michagogo|cloud> It's never been used at all
08:42 < michagogo|cloud> Also, the requirement that new accounts have email addresses has been in place for more than 2 years
08:42 < michagogo|cloud> The account mike has noemail [sic]
08:42 < michagogo|cloud> And also, it has the Hold flag, which means an account doesn't expire, and that flag can only be set by freenode staff
08:43 < michagogo|cloud> Conclusion: 1 year, 46 weeks, 5 days, 13:00:53 ago, freenode staff registered that as a dummy account to make it unusable
12:57 < maaku> <gmaxwell> Something which works but due to honesty and understanding can't promise future riches... not clear there is much demand.
12:57 < maaku> ain't that the truth
12:58 < maaku> you should see the negative reactions we got to freimarkets
12:58 < maaku> "what? there's no built in way to 'invest' in this? then why should I care when we've got mastercoin?"
12:58 < maaku> ...
13:00 < gmaxwell> I guess it's no shock, there is a selection bias in the bitcoin community. A lot of the bitcoin users are bitcoin users because they heard they could make a quick buck. :)
13:01 < maaku> yeah
13:02 < maaku> i got 3btc for coinjoin so i'm going to update the code this week
13:02 < maaku> 3btc actually goes pretty far now :)
14:17 < adam3us> maaku, gmaxwell: i think if someone wants to take funds to do something it would be more normal to issue stock in a conventional company, in exchange for the investment; then the owner is a stakeholder in the company as with any other investment
14:19 < adam3us> maaku, gmaxwell: whereas mastercoin was like nuts: if this takes off you the investor will own a slice of global digital certificate fee currency for ever as it grows to $1 trillion (or however it is that msc relates to the stock certificate concept on mastercoin)
14:20 < maaku> adam3us: the issue is how to monetize colored coins in the first place, how to make a business plan out of it
14:20 < adam3us> maaku, gmaxwell: even if it took off that's nuts, that few gullible investors who fell for the join in the next x hours and get a 10% discount, time limited offer time-share like pitch, any rational person would abstain from participating on principle
14:21 < maaku> i could sell you shares in my company, but if my business plan is "develop open source software!" ... i'm not sure why you'd invest. a share of 0 is still 0
14:21 < adam3us> i am not sure how public this log is, but there are some folks giving it a go to attract conventional angel/investment into just that, with various monetization of the company but with open coloredcoin code & IP
14:22 < adam3us> maaku: personally i think why not - if coloredcoins (or preferably something side-chain that doesn't create nominal value bitcoin tx) does succeed, and in my view the blockchain innovation and smart contracts are so stark that it must sooner or later
14:23 < BlueMatt> the difference being mastercoin is selling shares in itself in some way that looks very clearly scammy, whereas there are better ways that don't look so ridiculous
14:23 < adam3us> maaku: there have to be multiple avenues for that company to collect on being the developers of it, having the expertise, enterprise versions, certification, hookups with auditors to certify issuers, etc etc
14:24 < adam3us> maaku, BlueMatt: exactly, to buy shares in a company and share in its success (or failure) in proportion to other investors and with a written prospectus and investment contract is actually largely uncontroversial
14:25 < maaku> Of course colored coin efforts will succeed. imho bitcoin is a toy and colored coins is where the real action is moving forward.
14:25 < maaku> (Otherwise I wouldn't have spent so much of my free time designing Freimarkets)
14:25 < maaku> the issue is, if you directly try to monetize it, you end up like Ripple.com or Mastercoin, both of which are paths to the dark side
14:25 < adam3us> maaku: yep, and i and others were frustrated by the progress of it being available in a user level sense; though actually i don't know much about Freimarkets
14:26 < maaku> whereas if you simply ask the question "what's the best decentralized, distributed way to do colored coins?" the answer is not directly monetizable by the people who make it
14:26 < adam3us> maaku: (of colored coin not being available to user level i mean).. it's probably more than making a stable secure client, there is regulation to consider
14:26 < maaku> adam3us: https://bitcointalk.org/index.php?topic=280292.0
14:27 < adam3us> maaku: i don't think that's true re what i said above "there have to be multiple avenues for that company to collect on being the developers of it, having the expertise, enterprise versions, certification, hookups with auditors to certify issuers, etc etc"
14:27 < gmaxwell> I'm skeptical that colored coins are actually useful at all, but I'm happy to see people try.
14:27 < maaku> Yes, that's our path forward right now, but it hasn't been easy...
14:28 < maaku> Jorge and I have started a St. Vincent domiciled company to do a hosted colored coin solution - "github for colored coins"
14:29 < adam3us> maaku: go maaku & jtimon, now thats what i'm talking about - action beyond code
14:29 < maaku> But most of our conversations with bitcoin investors have ended up along the lines of "Why don't you just do a new alt chain so we can invest in the idea directly like mastercoin?" etc.
12:59 < Emcy> mainly because certain people WANT to believe you can link people. And have paid to create that narrative. Same might happen with btc addresses
12:59 < petertodd> TD: specifying ranges is more useful for both straight merge avoidance and merge+cj by giving more flexibility
13:00 < TD> yes, it could be extended in future to do better
13:00 < petertodd> TD: if the amounts are all fixed it's harder to find a useful combo
13:00 < TD> i'd like to see a bip32 extension first though, for recurring payments.
13:00 < TD> Emcy: in many cases you can. ignore big aggregating proxies and go for consumer DSL. most people are downloading from home anyway. not very complicated.
13:02 < Emcy> open wifi, kids were doing it parents had no clue, ISPs fucked up the records, stupid torrent monitoring cottage industry company fucked up the records, suing-people-as-a-business-model law firm fucked up the records. It all happens.
13:04 < TD> yeah, but they don't need "impossible to be anything else". even for criminal penalties it's just "beyond reasonable doubt"
13:04 < TD> for civil it's "balance of probabilities" (usually)
13:04 < TD> (depends on the country)
13:04 < Emcy> usually the civil standard, which fucking sucks anyway but that's another thing
13:05 < TD> well, it's intended for lighter weight disputes with lighter weight penalties
13:05 < TD> arguably even the civil standard is much too heavyweight for copyright enforcement
13:05 < TD> hence the focus in recent times on developing "three strikes" type rules for internet access.
13:05 < TD> not sure that's the right way to go but the idea of lighter weight justice isn't a bad one
13:06 < petertodd> Ah yes, the justice standard of "Yeah, you might have done something wrong, although we don't even have to prove it's more likely than not."
13:06  * TD shrugs
13:06 < TD> look at speeding penalties
13:06 < Emcy> yeah don't worry, the UK has law on the books that puts the standard at a simple accusation by one of these vampire torrent monitoring companies
13:07 < TD> the evidence comes from cameras controlled by the police. the punishment is a fine or points on your license. it basically works.
13:07 < petertodd> Speeding penalties are on a "more likely than not" standard.
13:07 < Emcy> cameras don't reduce harm. But they make money
13:08 < TD> yes, but emcy's argument would apply to them too. all it takes is an accusation from a trusted party, basically. you could come up with excuses (not me driving the car, etc), police could screw up records, etc.
13:08 < TD> people tolerate this laxity because the punishments are not very severe unless you keep doing it, or were doing it at massive scale
13:09 < Emcy> are you going to argue in favour of every thing that seems nifty on face but doesn't actually work and has side effects which are convenient for someone or other tonight?
13:09 < TD> Emcy: speed limits absolutely reduce harm, though, that's well documented
13:09 < petertodd> Anyway, all this suggests that we'll do well to get CJ implemented as widely as possible so it's "more likely than not" that a CJ user was using a standard Bitcoin privacy feature, and it's more likely than not that a given txin isn't owned by the person requesting a given txout.
13:10 < petertodd> It'll be interesting to see how governments respond of course, but we're certainly better off by starting with those principles.
13:10 < TD> well, the unfortunate possibility is that if bitcoin is perceived to be a significant enabler of abuse, it would just end up banned a la china
13:11 < TD> politicians and the people who vote for them are rarely interested in theoretically cool uses of the technology, like micropayments. they tend to focus on the here and now, and assign more importance to threats than benefits
13:11 < TD> or it just ends up de-facto blocked by other institutions that aren't governments, like now
13:11 < Emcy> petertodd right, we need to stop the idea of txid = person/action before it even takes root. It might be too late to do so after.
13:11 < Emcy> probably will be too late
13:11 < petertodd> It's also worth remembering how if governments make the argument that CJ indicates you are trying to hide your tracks - an activity that doesn't cost you more in fees - then if anything merge avoidance - which does cost extra fees - seems even more damning.
13:12 < petertodd> "Your honor, the defendant paid $1000 USD over the course of the past two years to avoid merging transaction outputs; doesn't that sound like something someone with something to hide would do?"
13:13 < petertodd> Emcy: we won't know that it's too late until we try...
13:13 < TD> i guess it wouldn't work like that. merge avoidance is not intended to "hide your tracks". it just avoids information leaks about your balances or incomes.
13:14 < petertodd> TD: something coinjoin also does, but for less money
13:14 < petertodd> Cut-thru-payments are interesting in that respect, as they both reveal less information, and save money on fees. (potentially a significant amount)
13:15 < petertodd> Cut-thru-payments also really need a payment protocol with flexible value range support, so I should do up a pull-req soon...
13:16 < TD> there's no point adding features to the protocol when no released wallet even supports the current set yet
13:16 < TD> it would be much more effective to implement some server software that would make it easy for people who don't want to rely on bitpay etc to use it
13:16 < petertodd> TD: all the more reason to do it now before the infrastructure is built
13:16 < Emcy> petertodd we're pretty fucked if it becomes acceptable to argue that being proactive about your privacy at all is evidence of mens rea
13:16 < petertodd> Emcy: agreed
13:16 < Emcy> i think that might be the case here already actually though under RIPA. wouldn't surprise me
13:17 < petertodd> Emcy: at least with bitcoin the privacy issues are such that anyone in the world can violate your privacy - ugly
13:18 < nsh> Emcy, there's a good chance we'll see a RIPA test-case next year
13:18 < TD> in the USA they deleted the mens rea requirement from money laundering laws in the patriot act, unfortunately. so attempting to avoid red tape by breaking up payments can lead to ML convictions or asset seizure. pretty messed up.
13:18 < Emcy> yeah - that tinkles my tinfoil about bitcoin being the world currency of the NWO conspiracy......
13:18 < Emcy> lol
13:18 < petertodd> TD: right, which sounds like merge avoidance is legally risky
13:19 < TD> nope, not at all
13:19 < petertodd> TD: it's all about breaking up payments
13:19 < TD> you need to go read the laws i'm talking about before spreading more FUD
13:20 < Emcy> nsh for the encryption? Already been done. Coppers harassing a paranoid schizophrenic man about his truecrypt container and telling him everyone will think he's a paedo if he doesn't give up the password
13:20 < Emcy> he didn't give it up and he did 2 and a half years for it
13:20 < TD> structuring only applies when making deposits to an institution. breaking your own $100 bills is not structuring, for obvious reasons.
13:21 < petertodd> TD: I have actually, not going to claim I understood the legalese as well as I would like, but the chain of logic is easy to see, and fundamentally the issue is that the law is interpreted by humans who tend to read the spirit of it.
13:21 < Emcy> of course if he really was a paedo the correct course of action from his point of view is to keep his mouth shut.........but logic and the law have never played nice
13:22 < TD> Emcy: well these problems are inherent the moment you define "information crimes"
13:22 < nsh> Emcy, well, i've been informally advised by the NCA to expect RIPA orders, possibly in six weeks, and am completely incapable of imagining a scenario in which i'll be even remotely inclined to entertain them
13:22 < petertodd> TD: what it comes down to is that if coinjoin is legally risky, the reasons why it would be are identical to why merge avoidance would be legally risky, with the additional risk that merge avoidance costs more than not doing it, which just plain looks bad
13:22 < nsh> and i am only marginally crazy and far less marginally resolute and resourceful :)
13:23 < TD> petertodd: which is the opposite of what you're doing - structuring rules are intended to stop people from trivially gaming the system to avoid reporting requirements. if there are no deposits to an institution there are no reporting requirements and thus no "structuring" is possible
13:23 < Emcy> nsh good luck bro
13:23 < nsh> thanks :)
13:24 < Emcy> i know someone else who is on bail right now because someone used his tor exit to harass women on twitter
13:24 < TD> petertodd: again, no. but i explained why not in the article. not going to bother going around this again.
13:24 < Emcy> they've had all his shit for months and months
13:24 < petertodd> TD: exactly, and coinjoin *in that interpretation* isn't structuring either. But if courts take the broader interpretation that the "institution" is the blockchain itself - quite possible - then they're both possible to consider as structuring.
13:24 < TD> ah, i didn't say coinjoin was structuring. perhaps that's the source of confusion
13:24 < TD> i merely noted that mens rea is not a requirement any longer in the USA for AML conviction
13:24 < petertodd> TD: (this is pretty much a conversation I had a few weeks ago with a lawyer specializing in this stuff FWIW)
13:24 < Emcy> that's bail with no charge too, he's not charged (mainly because he didn't bloody do it)
13:26 < TD> Emcy: what if he did?
13:26  * TD thinks harassing people on twitter should not cause legal problems, but that's a different matter
18:39 < adam3us> jtimon: not centrally motivating ("philosophical problem related to non-scarce scarcity.") i agree issued assets are the most useful thing to make smart-contracts interesting.
18:40 < jtimon> again, I don't see the loss of zerocoin and bitcoin floating: they're different currencies with different properties, why should they have the same price?
18:40 < adam3us> jtimon: but i think bitcoin is also the most interesting digital scarcity, basically because it got there first, and has the most merchant integration, intrinsic (transactional) value etc, but that's history - it's here now, the investors took real risks early to bootstrap it and the supply curve is tapering, and it's the most secure.
18:41 < jtimon> so this is all about bitcoin winning the race? that sounds greedy...
18:41 < adam3us> jtimon: so given an interest in smart-contracts, issued assets, and bitcoins it seems natural to me that you'd want to be able to do in-chain contracts between those 3 types of things
18:41 < jtimon> what if zerocoin wins, what would the world lose ?
18:42 < jtimon> a nice logo?
18:42 < adam3us> jtimon: hey i missed the first 4yrs 3mo of the race, i'm not the winner here
18:42 < petertodd> adam3us: re: digital scarcity, so what would you think of an alt-coin using my demurrage + balanced mining ideas for zero inflation, where to get said coins you had to prove a bitcoin sacrifice? that maintains scarcity I would argue, even if where the coins go has different economic structure
18:43 < maaku_> adam3us: we are still way, way early in the adoption curve
18:43 < maaku_> most institutional support for bitcoin is using it as a payment network, not for wealth storage
18:43 < adam3us> jtimon: well if that were the only risk, i'd say go for it, lets see who wins in the market. but i think the outcome could be worse. see what if litecoin overtakes bitcoin or gets close... the bitcoin price plummets? give it a few months and litecoin notice feathercoin is gaining fast, do that a couple of times and even the concept of digital scarcity could be irreparably damaged, it might go in the history books like a digital tulip.
18:44 < killerstorm> petertodd: Well, I don't know much about game theory, but here's how it might work in practice: suppose somebody makes a patched version of bitcoind which implements this kind of a strategy, let's call him a-bitcoind. Miner Bob can see that if everybody upgrades to a-bitcoind, but he doesn't, then his payouts will be lower. If we assume that miners think identically, they will either all upgrade to a-bitcoind, or keep using bitcoind.
18:44 < maaku_> adam3us: if that happened, who would be hurt? people sitting on bitcoins, but not the institutional players
18:44 < maaku_> they make their money (counted in fiat) on activity not market caps
18:45 < adam3us> maaku_: humanity because digital scarcity is a useful thing
18:45 < petertodd> killerstorm: right, but we *can't* assume miners think identically, and neither can those miners
18:45 < jtimon> adam3us this is not logic: if litecoin gets greater than bitcoin, feathercoin will get greater than litecoin
18:45 < justanotheruser> Proposal for distributed storage without polluting the blockchain in a few sentences: There is a web of trust to choose mediators trusted mutually between the uploader and the host. The uploader sends the file to the hosters and the mediators after making a tx that gives a small amount to the hoster given that either the uploader signs it, or M of N mediators sign it. The mediators take hash(random nonce0,file), hash(random
18:45 < killerstorm> petertodd: and, again, in practice, a-bitcoind might leave a certain mark in coinbase transaction which identifies it. but I'm not sure if we can use it in game-theoretic model as that mark can lie.
18:45 < maaku_> meh i don't think that makes sense as an economic argument
18:45 < jtimon> and the two propositions are very unlikely independently
18:45 < adam3us> jtimon: point is it sets a precedent
18:45 < petertodd> killerstorm: you can make mechanisms for those miners to *co-ordinate* their actions, e.g. soft-fork majority upgrade mechanism, but when you're talking about deliberate re-orgs that's much trickier
18:46 < jtimon> I think that's likely to happen, but with something better than bitcoin, not litecoin
18:46 < jtimon> bitcoin 2.0 if you like
18:46 < jtimon> and I don't have any problem with that
18:46 < petertodd> justanotheruser: bootstrapping your mediator trust is a damn nightmight
18:46 < petertodd> *nightmare
18:46 < maaku_> adam3us: your argument hinges on the thing overtaking bitcoin being "just another" coin
18:46 < maaku_> i see no rational basis for that ever happening
18:46 < adam3us> petertodd: exodus eh? did u see there was one proposed recently a new alt, like mastercoin except by proof of burn?
18:47 < maaku_> but if something came out genuinely better, the story would be different
18:47 < petertodd> adam3us: yup, last I checked they got like 500 coins
18:48 < adam3us> jtimon: markets don't work based on propositional logic, but by herd behavior and economic decisions and a large part of psychology and emotive reaction of individuals
18:48 < justanotheruser> petertodd: Any solutions for bootstrapping mediator trust?
18:48 < petertodd> justanotheruser: solve that and you're halfway to making a crypto-currency...
18:48 < adam3us> petertodd: holy moly 500 btc !
18:48 < petertodd> adam3us: probably even more now :/
18:48 < petertodd> adam3us: not much source-code to it either...
18:49 < justanotheruser> petertodd: couldn't you bootstrap your mediator trust by making non-mediator transactions successfully?
18:50 < jtimon> adam3us so since markets are irrational, it is more rational to peg them?
18:50 < adam3us> maaku_: yes litecoin & ftc are currently not plausible to overtake, but warren does try to do innovation, and maybe eg if btc-china had started pushing ltc while it was 60% of market volume (charlie & bobby lee being brothers) or some new feature is added to litecoin (say zerocash).. who knows
18:50 < petertodd> justanotheruser: define "successfully", and for that matter, how are you going to prove they were successful in a mathematical way?
18:50 < adam3us> petertodd: counterparty that was what it was called (the msc-like meta coin  with PoB)
18:51 < justanotheruser> petertodd: I don't understand what you mean. It is a web of trust like bitcoin-otc. Success is defined by trusted people trusting you.
18:51 < maaku_> adam3us: again, if warren turns litecoin into a genuine improvement over bitcoin, then there is no reason the world need collapse if it overtakes bitcoin
18:51 < petertodd> justanotheruser: where's the root of trust?
18:51 < petertodd> adam3us: yeah, counterparty
18:51 < justanotheruser> petertodd: you are the root of trust for yourself
18:52 < adam3us> jtimon: the peg is just a firewall mechanism between two versions of what would be by intent the same coin. it could be applied to any alt-coin.
18:53 < petertodd> adam3us: https://blockchain.info/address/1CounterpartyXXXXXXXXXXXXXXXUWLpVr <- 1,165 BTC now
18:53 < adam3us> maaku_: i think that would be a challenge. i am not sure how people would react. maybe they just take it as competition and say great the new better bitcoin
18:53 < petertodd> adam3us: that's actually more than msc got in dollar value
18:53 < maaku_> adam3us: it is a cool concept. it has applications if it could be made safe enough to deploy, which it is not yet. but i don't think it does everything you think it does
18:53 < adam3us> petertodd: amazing.
18:53 < adam3us> petertodd: i know!
18:54 < maaku_> wait, did people just irrecoverably destroy $1MM of coins?
18:54 < petertodd> adam3us: gonna be a lot of disappointed people I suspect...
18:54 < petertodd> maaku_: yup
18:54 < adam3us> maaku_: yes
18:54 < maaku_> w. t. f.
18:54 < justanotheruser> I wish people would use OP_RETURN
18:54 < petertodd> maaku_: based on a few hundred lines of code and a shoddy specification...
18:54 < justanotheruser> seems like it is from "XPC Proof of Burn"
18:55 < adam3us> maaku_: well from their perspective it's still a comparable investment as msc they are investing in the future potential of the idea
18:55 < adam3us> maaku_: the only difference being xcp has now no btc to fund development
18:55 < petertodd> justanotheruser: heh, original counterparty burn tx's used OP_RETURN to embed a *message* and the coins were still burnt to an address
18:55 < maaku_> and yet we've been able to find just 3 people to donate <$1000 to freimarkets :\
18:56 < jrmithdobbs> i don't even want to think about how much the coins i sold at various points would be worth right now
18:56 < adam3us> maaku_: it's a sad fact that scammy/grandiose advertising works seemingly in crypto currency space.
18:56 < justanotheruser> petertodd: how were they burnt to an address? No public key can spend them can they?
18:56 < petertodd> justanotheruser: it's a vanity address with like 12 X's in it... rather unlikely they have the sec key
18:57 < adam3us> petertodd: i thought at one point they burnt them to miner until someone pointed out a miner could mint unlimited coins
18:57 < petertodd> adam3us: ha, I know eh
18:57 < petertodd> adam3us: someone mentioned my announce/commit scheme at one point, but as I said to them, using an address has a lot of advantages re: advertising
18:57 < justanotheruser> petertodd: OP_RETURN?
18:58 < petertodd> justanotheruser: https://blockchain.info/tx/685623401c3f5e9d2eaaf0657a50454e56a270ee7630d409e98d3bc257560098
18:58 < justanotheruser> petertodd: oh, multiple outputs
18:58 < petertodd> justanotheruser: yup
18:59 < justanotheruser> what is the usual reason for their proof of burn?
18:59 < petertodd> justanotheruser: what do you mean?
17:38 < gmaxwell> Right, I realize that.  _Usually_ trying to threshold on latency is not what we want. but I guess I could see the argument.
17:39 < gmaxwell> Though if you have a system predicated on low latency it likely makes anonymous mining utterly impossible.
17:39 < gmaxwell> (ugh, I hate that 'anonymous' is overloaded, I mean the one that is made impossible by low latency. :P )
17:40 < amiller> it wouldn't necessarily need to be used like that all the way down to the individual level, something like towns or states or w/e
17:40 < gmaxwell> amiller: e.g. unless you start saying that this is for nation-states, communities of interest are often only moderately geographically correlated. Even at the nation-state level.. should tokyo be able to partition hawaii?
17:41 < amiller> perhaps tokyo could force hawaii to move its transactions up to the larger network (i.e., global bitcoin) where it's a bit more expensive and less responsive
17:42 < amiller> the main motivation for adding more model complexity like this isn't just to have small networks, but to work towards a way of building larger networks out of smaller ones, where the smaller ones also work when possible
17:42 < gmaxwell> Sounds interesting to me!
17:43 < amiller> ok thanks :D
17:43  * amiller keeps working
17:51 < Luke-Jr> amiller: wtf?
17:51 < amiller> :p
17:51 < Luke-Jr> seriously, don't feed the trolls' myths
17:52 < amiller> well, who else should i pretend operates the death star
17:52 < Luke-Jr> maybe some guy who actually does stuff like that
17:56 < sipa> you mean Satoshi?
17:57 < Luke-Jr> sipa: O.o?
17:58 < sipa> this comes close: http://abstrusegoose.com/509
17:59 < gmaxwell> I like the idea of Luke as darth vader.
17:59 < gmaxwell> Mostly because he's the least darthvadery person I know.
17:59 < sipa> Have you ever seen him wearing a Vader-suit?
18:00 < gmaxwell> "Luke, I am your certified personal accountant."
18:08 < Luke-Jr> "bitcoin should just limit each human alive to 1% of the network"
18:08  * Luke-Jr facepalms
18:09 < gmaxwell> I'd missed http://abstrusegoose.com/509 !
18:13 < sipa> I do wonder why he'd choose Hitler's birthday to make love to that fish.
19:15 < jgarzik> sipa, 420 means something different in the US, http://www.urbandictionary.com/define.php?term=420
19:19 < sipa> eh, ok
21:43 < jgarzik> sipa, there are, um, green-related parties on 4/20 all over the US as a result
21:44 < jgarzik> Atlanta, Portland, Seattle and other cities have festivals
21:44 < jgarzik> it's pretty funny
21:45 < gmaxwell> I had no clue that was hitler's birthday, that's pretty fantastic.
21:47 < gmaxwell> would be amusing to show up at the big outdoor weed smoking festival in santa cruz dressed in nazi regalia and pretend to be really confused and cause confusion for all the chemically confused people.
21:53 < jgarzik> heh
--- Log closed Thu Aug 08 00:00:14 2013
--- Log opened Thu Aug 08 00:00:14 2013
03:16 < midnightmagic> LOL
--- Log closed Fri Aug 09 00:00:19 2013
--- Log opened Fri Aug 09 00:00:19 2013
--- Log closed Sat Aug 10 00:00:25 2013
--- Log opened Sat Aug 10 00:00:25 2013
--- Log closed Sun Aug 11 00:00:30 2013
--- Log opened Sun Aug 11 00:00:30 2013
--- Log closed Mon Aug 12 00:00:35 2013
--- Log opened Mon Aug 12 00:00:35 2013
11:39 < jgarzik> There needs to be a mechanical-turk-like API that will send a human out to buy me X product or service with fiat currency.
11:39 < jgarzik> StorJ-like systems want such.
11:40 < gmaxwell> that exists here.
11:42 < gmaxwell> uh. I forget what its called. it's not quite as normalized as mechanical turk. but you can load a url and make people go do things.  My SO has used it some, and she's on a plane now, so I'm currently down whatever mental space I've outsourced entirely to her.
11:42 < jgarzik> interesting
11:47 < gmaxwell> yea, this business is going to fail though because I can't figure out how to find it even knowing that it exists!
11:52 < gmaxwell> https://www.taskrabbit.com/
11:52 < gmaxwell> fuck it took me 12 minutes to find it.
11:53 < petertodd> gmaxwell: I use taskrabbittaskrabbit myself to figure out WTF taskrabbit's URL is
11:53 < gmaxwell> yea, I suppose I could have used mechanical turk to find taskrabbit.
11:54 < petertodd> lol, but mechanical turk is a pain to use, what you need is some kind of mechanical turk to hire a dev to create your mechanical turk job...
11:55 < gmaxwell> yea, MT is kinda useless for one shot jobs.
11:55 < gmaxwell> I wish there was a good bitcoin replacement for it, for both bulk and one shot jobs.
11:55 < petertodd> I thought someone did launch a bitcoin replacement? whatever happened to it? coinworker I think it was called?
11:56 < gmaxwell> well what coinworker is, is a front end on a MT alternative that lets you work and get paid BC.
11:56 < gmaxwell> I don't believe anyone had done the other side of that.
11:56 < gmaxwell> where you pay for work with BC.
11:57 < petertodd> right, so the coinworker api is basically still sucky
14:36 < gmaxwell> Research Talk: Philippa Gardner
14:36 < gmaxwell> Where: Ten Forward and streaming / recorded on Air Mozilla
14:36 < gmaxwell> When: Wednesday August / 14, 10 AM PST
14:36 < gmaxwell> Title: A Trusted Mechanised Specification of the JavaScript Standard
14:36 < gmaxwell> Abstract:
14:36 < gmaxwell> JavaScript is by far the most widely used web language for client-side applications.  Whilst the development of JavaScript was initially led by implementations, there is now increasing momentum behind the ECMA standardisation process. The time is ripe for a formal, mechanised
14:37 < gmaxwell> specification of the language, to serve as a trusted basis for high-assurance proofs of language properties, the compilation of high-level languages, and JavaScript implementations.
14:37 < gmaxwell> We have demonstrated that modern techniques of mechanised specification can handle the complexity of JavaScript.  We present JSCert, a mechanised specification of ECMAScript 5 in the Coq proof assistant, and JSRef, a reference interpreter for JavaScript extracted from Coq to OCaml. We establish trust in several ways: JSCert is designed to be `eyeball close' to ECMAScript 5; JSRef is provably correct with respect to JSCert; and JSRef is te
14:38 < gmaxwell> that should be interesting. I think this is only the second provable language implementation.
16:29 < amiller> i like the way that abstract is written
16:30 < amiller> i like that the specification itself is given a name (JSCert) and its claim is that it's human-inspectable to match a natural-language specification
16:31 < gmaxwell> they're also clear that JSCert is not exactly the same as the specification (what would that even mean?)
16:31 < amiller> maybe the spec can be used to illustrate the reasoning for js-wats like {}+[]
--- Log closed Tue Aug 13 00:00:41 2013
--- Log opened Tue Aug 13 00:00:41 2013
04:05 < gmaxwell> amiller: hopefully I wasn't too harsh here: https://bitcointalk.org/index.php?topic=272709.msg2922718
09:31 < amiller> i think you're right on, actually, gmaxwell.
09:31 < amiller> i don't know what to do about it, but it's a real problem!
09:31 < amiller> these ETH Zurich people are one of the few that have a science grant to study bitcoin
09:32 < amiller> the bitcoin community and its various fora produce an enormous amount of writing, thought, invention, code and *science*, of which maybe 1% isn't bullshit chaff?
09:33 < amiller> in other words, not a whole lot different than the enormous and expensive academic machine...
09:37 < amiller> i think they're professionals and should not be excused from shoveling through all the forum posts ever and citing MerkleTrees420 for brute forcing a good invention
09:58 < sipa> i met christian decker once
09:58 < sipa> he's visited zurich bitcoin meetups before
10:06 < amiller> maybe a good solution would be to place anonymous papers on the bitcoin forum to help with the peer review?
10:06 < amiller> sending a note to the editors would be appropriate
10:07 < amiller> they are self selected as the interface to this sort of thing
17:45 < jgarzik> "It looks as though our system is unable to verify you social security
17:45 < jgarzik> number and other information. We use a third party vendor, Lexis
17:45 < jgarzik> Nexis, to verify that information we do not see the data, simply a
17:45 < jgarzik> score and your score is not high enough to move forward. "
17:46 < jgarzik> gmaxwell, so spake Dwolla, when I tried to open a personal account.  I wonder if anything tagged with bitcoin is now making the rounds...
17:46 < jgarzik> My credit score is north of 800, and nothing but traffic tickets in the criminal record, so I cannot think of what it might be.
17:47 < jgarzik> anyway, heads up
17:48 < petertodd> interesting! kinda ugly if they are going out and finding people's names to add to a blacklist database...
17:50 < jgarzik> Two guesses are (a) Dwolla refuses anything that links $person and "bitcoin", and (b) I'm now in some database somewhere
17:50 < petertodd> quite possibly (a) and (b)
17:51 < petertodd> if it gets to the point where this is applied to bank accounts in general I'd be worried...
17:51 < gmaxwell> jgarzik: tell them that you're concerned that your identity may have been stolen then, because you don't get that result, and ask for a copy of the paperwork so you can follow up with lexis?
17:52 < petertodd> gmaxwell: smart
17:53 < gmaxwell> there is always some pedestrian possibility, like they're actually pulling up someone else's record by mistake.
17:54 < petertodd> or someone already pulled some actual fraud with jeff's good name
17:55 < jgarzik> I had my identity stolen 15+ years ago.  some bum put my name + address in Atlanta on a military id with their picture, and tried to scam 9 Wachovias with it
16:12 < gmaxwell> BlueMatt: kinda, tor is where the whole open world is currently focusing their anti-censorship efforts... and they seem to be winning the cat and mouse game mostly.
16:12 < BlueMatt> if you think we need tor for an internet with speech where you can do whatever the fuck you want, you have to look no further than tpb
16:12 < BlueMatt> gmaxwell: not afaict, at least in china getting tor access means having someone else set up a bridge for you to use
16:12 < petertodd> BlueMatt: Tor over consumer connections is *currently* widespread, so I want to scale the network with what we have a pretty good chance of having available to us for the next few years. In 10 years *maybe* we'll decide making it possible to mine over dial-up *is* a good idea and reduce the blocksize. I sure hope not, but it may be a reasonable thing to do.
16:12 < BlueMatt> and that means most people just use vpns
16:13 < BlueMatt> wait, wtf?
16:13 < BlueMatt> really?
16:13 < gmaxwell> petertodd: technically mining works over dialup okay now, so long as you use a p2p protocol that looks like p2pool's.
16:13 < petertodd> gmaxwell: yup, and you can always just mine zero-tx blocks too.
16:13 < gmaxwell> (one where you only need to send the hashes when you find a block, as you've preforwarded the txn)
16:14 < BlueMatt> anyway, its clear we fundamentally disagree on what we need to protect (and what is actually useful and possible, even if we try to protect it)
16:14 < BlueMatt> so I dont think arguing helps anything
16:14 < gmaxwell> s/zero/few/
16:14 < BlueMatt> you are free to work on solutions that allow mining over tor, and the rest of us will just work on something else
16:14 < petertodd> BlueMatt: Exactly. We *do* agree on the technology side of things, we do not agree on what is important beyond tech.
16:15 < BlueMatt> I certainly dont think its a bad idea that someone allows one to mine over tor, just that it shouldnt impact big-picture decisions for the actual network
16:15 < zooko> Good to realize that so you can productively collaborate on understanding what is possible.
16:15 < gmaxwell> BlueMatt: funny, I see you both largely agreeing. That there is actually a tradeoff between decentralization and scale. And that compromising the former for the latter completely is unacceptable.  You're arguing over approaches, boundaries, and silly details.
16:15 < petertodd> gmaxwell: Exactly! It's a political decision end of story.
16:16 < gmaxwell> petertodd: I think you should do a writeup on bitcoin primarily as a reserve currency.  Thats sort of an implicit premise of what you talk about wrt off chain txn, but I don't know that it's clear that you're thinking of it that way.
16:16 < petertodd> gmaxwell: Though of course having real world off-chain tech with auditing and fraud protection, rather than purely examples like easywallet without those protections, needs to be implemented to show people.
16:16 < petertodd> gmaxwell: Yeah, that's a good idea.
16:17 < BlueMatt> no, Im arguing that the "dystopian" future presented in that video is not only ridiculous, but significantly harmful to the ability of people to have reasonable discussions about the political and/or technical parts of this
16:17 < sipa> i think you should present things in a different way
16:17 < sipa> presenting it as a dystopian future puts many people off
16:18 < sipa> thinking you are talking about some potential worst case situation
16:18 < sipa> i like to look at it this way:
16:18 < sipa> bitcoin is an experiment in creating a decentralized currency
16:18 < sipa> the experiment is more useful the less it requires trust
16:19 < sipa> a system that is able to function in the presence of worst-case conditions is strictly more interesting
16:19 < warren> sipa: hi.  Would you be interested in an affected wallet.dat plus patches to load the alternate address schema, would that be helpful?
16:19 < petertodd> sipa: Good idea. Having a system that can function in the dystopian future makes it a lot less attractive to force us to that dystopian future anyway, why try regulating what you know can't be?
16:20 < zooko> I haven't seen the video and haven't read all this irc log carefully, but it kind of sounds like the video was exciting or polarizing and some residual energy for that is still bouncing around in this conversation...
16:20 < BlueMatt> petertodd: and then we can have a discussion of increased block sizes for purely technical reasons and not political "the sky is falling" arguments :P
16:21 < BlueMatt> petertodd: but I certainly think it would be awesome to have something that could mine successfully over dial-up or some other ridiculously low-bw connection
16:21 < petertodd> BlueMatt: It still doesn't work that way. The technical tradeoffs are there, but what tradeoffs are important will always be political.
16:21 < sipa> warren: not now
16:21 < gmaxwell> One of the reasons I don't share BlueMatt's view (and I suppose could be said to have tacitly encouraged petertodd because I didn't say "NO STOP!" when he posted the initial script) is because we are very rapidly racing towards increasing the size, and both Gavin and Mike have argued for _unlimited_ and argued that it was actually uncontroversial and that concerns were unreasonable. I don't think that's fair. And I think that having the ot
16:21 < warren> sipa: ok.  i'll debug more, maybe I can figure it out on my own.
16:21 < sipa> gmaxwell: the ot[...]
16:22 < BlueMatt> gmaxwell: yes, I would agree there that infinite size is just not ok
16:22 < gmaxwell> And I think that having the other extreme making their argument makes it _easier_ to have a discussion about tradeoffs instead of wasting our time arguing if there is no concern at all or not.  But maybe I'm stupid. It happens.
16:22 < petertodd> gmaxwell: Indeed. I sure wouldn't have made the video if they had been more reasonable there - I did propose that we have a strict "wait a year" period regardless. The worst that can happen is growth is slowed temporarily.
16:23 < BlueMatt> ahhhh, this google reader -> feedly switch is insane, do you want to share this, what about with facebook, no linkedin? no G+, no? twitter, no, you WANT TO SHARE!!!!111one
16:23 < zooko> Haha, so you're responsible for the video that I just implicitly criticized.
16:23 < petertodd> zooko: lol, yup.
16:24 < zooko> By the way, I unfortunately didn't speak to you at the conference, but I listened with great interest to your contribution to the "core dev meetup crowd" thing.
16:24 < petertodd> zooko: Thanks! I thought that discussion wound up happening in a pretty reasonable fashion.
16:24 < zooko> Yeah, not too bad.
16:24 < petertodd> Nice to see the payment protocol is uncontroversial too. :P
16:25 < zooko> Hee hee.
16:25 < zooko> Ah, so I was all hot under the collar about having PKI in the payment protocol
16:25 < zooko> (note:
16:25 < zooko> *not* about x.509 being a bad PKI, about PKI being a bad thing to have in the payment protocol)
16:25 < gmaxwell> petertodd: one of the problems we'll face here is that the deployment of any change will have a huge leadtime. And so it means that if we have to suffer to trigger making the change it means we'll suffer for a huge time. I really do not have a solution for that, and help thinking of one (beyond "never change") would be really productive.
16:25 < zooko> and I got to talk Gavin's ear off about it with Brian Warner, and much to my astonishment Gavin convinced Brian and me that it was better than the alternatives in there.
16:26 < zooko> And I should emphasize, Brian and I are the last two people who would ever agree to that...
16:26 < petertodd> Ha, yeah, I don't like PKI either, but it's a nice easy first step for sure.
16:26 < zooko> I even have a basic geometric shape named after my dislike of PKI.
16:26 < gmaxwell> zooko: we believe we need non-repudiation in it, and the ability to identify who you're paying. (of course the identity could be a pseudonymous one if you like)
16:26 < zooko> gmaxwell: that isn't what convinced me.
16:26 < petertodd> gmaxwell: Heh, I've been arguing that deploying a blocksize change can happen relatively quickly...
16:27 < petertodd> zooko: basic geometric shape?
16:27 < gmaxwell> petertodd: it's a hardfork though... Though, I suppose the may 15 thing actually proved it could be done.
16:27 < petertodd> gmaxwell: Exactly. *If* there is consensus, changing it is not such a big deal.
16:27 < gmaxwell> And we don't mind if it's some other kind of things like namecoin+gpg or whatever. The protocol itself doesn't have to care really. .. it's just that there is little in actually workable alternatives right now.
16:28  * BlueMatt -> gone, and really dont want to discuss politics further, its too...political
16:28 < petertodd> gmaxwell: Hasn't proved it yet...
16:28 < gmaxwell> petertodd: I'll have to think about that some. I think I was taking it as fact that the actual change had to take forever. But perhaps just the software validation does.
16:29 < petertodd> gmaxwell: People can upgrade relatively quickly. The real issue is we can't change it very much quickly; doubling the blocksize can probably be done and tested in six months.
16:31 < petertodd> gmaxwell: An order of magnitude increase, or worse, unlimited, will break stuff that we can't even think of, let alone test for.
16:34 < zooko> petertodd: there's this thing named "Zooko's Triangle" which could be used in an argument that PKI is inherently unsuitable for the payment protocol.
16:34 < petertodd> zooko: oh, that's you! cool
16:35 < petertodd> I love talking to non-tech people about that triangle.
16:35 < zooko> Thanks.
16:40 < petertodd> alright guys later
16:41 < zooko> cheers
19:07 < jgarzik> warren: Somebody's making money, so they add it.
19:08 < jgarzik> warren: Don't be surprised if there aren't "I'll give you 1 million alt-coins, to add it to your exchange" deals either.
19:12 < warren> CFTC's Chilton: Want to ensure Bitcoin is not
19:12 < warren> As the Commodity Futures Trading Commission weighs regulating Bitcoin, Commissioner Bart Chilton sought to spell out its interest in the virtual currency.
19:14 < warren> jgarzik: this made me wonder if our tribe can come up with a set of best-practices guidelines to help media and potential regulators weed out the pump-and-dumps from the honest efforts.
19:19 < warren> jgarzik: a privately operated, not-for-profit rating agency that looks at various factors of <arbitrary decentralized virtual currency> and makes it easy for readers to understand the differences, not only in technology, but also transparency, accountability, activity of development, how responsive it is to security CVEs, vendor adoption, etc.  This could help to better legitimize the safety and stability of Bitcoin while simultaneously making it easy to see the *stark* contrast with all the alt coins.
19:50 < jgarzik> warren: I think there should be quite a number of ratins agencies
19:50 < jgarzik> warren: or, if possible, a ratings bot
19:50 < jgarzik> *ratings
20:01 < gmaxwell> jgarzik: "Don't be surprised" not only is it not surprising, in some cases it's publicly known. E.g. one of these coins premined coins specifically for that purpose.
20:03 < gmaxwell> warren: as far as "weed out" well that's the 'problem' (actually advantage in some cases) of decentralized systems. You can't generally regulate the general public. When you try ... poof.. they vanish.
20:03 < warren> gmaxwell: right, not really regulate, more 'scare people away from things' with objective measures
--- Log closed Wed May 08 00:00:13 2013
--- Log opened Wed May 08 00:00:13 2013
21:59 < gmaxwell> amiller_: I have come up with a new SCIP application in the context of bitcoin.
22:00 < gmaxwell> You make all your protocol rules have nice clean reference enforcement code which can execute in a secure computing environment.
22:00 < gmaxwell> and then you make peers produce proofs that they actually ran the reference enforcement code
22:00 < gmaxwell> no more crack ass alternative implementations that don't actually implement the rules consistently. :P
--- Log closed Thu May 09 00:00:15 2013
--- Log opened Thu May 09 00:00:15 2013
10:39 < warren> "You been drinking the Gavin juice too much. If I want to send a 0.00000001 BTC to someone, I can't under 0.8.2. If I want to do that in 0.8.1, the fees are high but that still means I CAN DO IT. Do you now see the censorship."  Why is the clueless hate focused on "gavin"?  Wasn't Gavin against this at first?  It was originally advocated by others.
10:40 < BlueMatt> clueless hate is clueless?
10:42 < warren> Need more clueless hate lightning rods.
--- Log opened Thu May 09 12:37:59 2013
18:41 < amiller_> gmaxwell, i don't follow the scip thing you said
--- Log closed Fri May 10 00:00:40 2013
--- Log opened Fri May 10 00:00:40 2013
02:29 < petertodd> new alt-coin: cacoin
02:30 < petertodd> the PoW function is to come up with a random number, and then your goal is to prove you possess, via a SSL certificate, a DNS name such that H(name) is closest to that number
02:31 < petertodd> (obvs the random number needs to be generated properly, a random beacon of some sort would be good, or a protocol where the parties precommit to generate one)
02:31 < gmaxwell> closest-to pows are not very scalable... huge floods of traffic.
02:31 < petertodd> I'm sure that'll be the least of cacoin's problems :P
02:33 < petertodd> the other issue with closest-to is it's way too easy to find someone was closer after the fact, causing a huge reorg
02:33 < gmaxwell> haha... "this coin is a member of the family HighExternalityCoins"
02:33 < petertodd> yeah, another nifty one would be to use TPM hardware signing keys
02:34 < petertodd> I especially like how you could construct the TPM hardware coin in a way to prove fraud on the part of the tpm hardware vendors
02:34 < petertodd> even if the hardware is not secure
05:35 < warren> sipa: to backport secp256k1 to 0.8.1 I need to redo those last four patches?
06:21 < warren> sipa: nm, figured it out
09:39 < zooko_> petertodd: are you familiar with Hal Finney's Reusable Proofs Of Work?
10:53 < amiller_> i don't like RPOW because it crucially relies on a central/global tpm
11:35  * zooko_ nods
12:21 < petertodd> zooko_: Who isn't in this crowd? :)
12:22 < petertodd> zooko_: amiller is quite correct, although when you have a reserve currency like Bitcoin handy, at least you can move value to and from it to switch tpm's and so on
12:39 < zooko_> Hm.
12:40 < zooko_> Do you know about Physically Unclonable Functions?
13:56 < zooko> Hello.
13:56 < zooko> PUFs
13:58 < amiller_> even pufs are still a poor choice for a global tpm
13:58 < amiller_> everyone concerned would have to agree that it was built correctly
13:59 < amiller_> like landing on the moon
13:59 < amiller_> a puf can't attest to the fact that it is a puf
14:39 < petertodd> amiller_: Indeed. That said, with some cleverness with fraud proofs and what not you can make a TPM manufacturer have pretty strong incentives not to allow the TPM security to be cracked. I wouldn't trust it to buy a house, but to buy your morning coffee isn't a big deal. The hard part is making sure the damage from any one hacked TPM is limited.
14:40 < petertodd> I suspect that's what MintChip has planned with their mysterious "additional authentication" fields and what not in the protocol.
15:24 < zooko> I didn't mean to suggest a PUF for a global TPM. I don't even understand how that could work.
15:27 < zooko> Since midnightmagic just told me about a bitcoin theft (over on #tahoe-lafs, he told me about that), it reminds me of a wishlist item I have for future cryptocurrencies:
15:28 < zooko> I'd like to be able to emit spends from a wallet that has no information going into it, only out.
15:36 < gmaxwell> Frequently bad recommendation #123901319
15:37 < gmaxwell> Requires an entirely different architecture where you have persistent balances, reuse addresses, and don't identify the specific funds you're spending. And the last point has a bunch of surprising negative consequences when you work through the details.
15:39 < zooko> Haha. I found out why I didn't automatically rejoin this channel. I join #bitcon-wizards instead.
15:39 < zooko> gmaxwell: I'm not yet convinced that it is a bad idea.
15:40 < zooko> Also, I need to see that list! The other 123901318 are probably very interesting to me...
15:41 < BlueMatt> half of them include the term "DHT"
15:41 < zooko> Heh heh heh.
15:41 < gmaxwell> zooko: sorry, I'm busy atm or I'd find you the better of the several forum threads on it.
15:42 < zooko> gmaxwell: thanks anyway! I long since lost insight into the bitcointalk forum... :-/
15:42 < zooko> I'm waiting for amiller to ask me what I was thinking of PUFs for, then...
15:42 < gmaxwell> But there are a whole bunch of screwed up corner cases like.... pay alice, pay bob, oops alice's payment didn't have enough fee and is not confirming fast enough, pay alice again with more fee. oops now alice got paid twice and you've ripped off bob.
15:42  * zooko nods.
15:43 < zooko> It makes a case that already exists: malicious or (rarely) accidental double-spending or other weirdness, into a more common case.
15:43 < zooko> Maybe there isn't any "other weirdness".
15:43 < gmaxwell> plus it requires address reuse, which undermines our privacy model. (perhaps seems less bad at the moment, but I expect we'll see existing reuse go down once BIP32 address chains are common, and once the payment protocol is deployed)
15:44 < zooko> Eh, that part could be worked-around.
15:44 < zooko> Yeah, in fact that can be totally eliminated.
15:44 < zooko> In a sufficiently unconstrained-by-compatibility cryptocurrency.
15:44 < gmaxwell> zooko: it makes transaction replacement into double spending.
15:44 < zooko> Err, wait, maybe I'm wrong...
15:44 < zooko> What's transaction replacement?
15:45 < gmaxwell> replacing a transaction with another one such that only one is allowed to survive. An intentional, consensual, harmless (e.g. pays the same parties, but pays them more or increases fees) doublespend.
15:45 < zooko> Hm.
15:46 < amiller_> zooko, indeed, what is it that you were thinking for PUFs and RPOW if not a giant central rpow server staypuft monster
15:46 < gmaxwell> and I mean what you want to do is actually not possible fundamentally, you need to know your balance to spend it. (if you don't you'll randomly doublespend your payments) I just assumed you meant knowing no more than your balance.
15:46 < zooko> gmaxwell: I don't think that's fundamentally true.
15:47 < zooko> I mean, you can *try* to spend it.
15:47 < zooko> You can emit a message that says "I, $PUBKEY_X, hereby transfer to $PUBKEY_Y 10 units. If I have any. Love, X."
15:47 < zooko> I think you are right that how the rest of world deals with that message could get complicated.
15:48 < zooko> And I think you already introduced me to some complications that I hadn't thought of, in the last few minutes.
15:48 < gmaxwell> zooko: yea, great, and when you do this and make multiple spends before one is confirmed (which you can't tell because you have no information) you'll potentially conflict earlier ones. You could have a sequence number, but then a byzantine network loses one of them and none of your future payments work.
15:48 < gmaxwell> yea, I'm not saying it's impossible, but it has a lot of surprising negative tradeoffs.
01:22 < pigeons> and ripple is worse than bitcoin for privacy
01:22 < pigeons> although there is a feature for making subkeys that are supposedly not linked to your master key but can spend but i dont understand it
01:23 < pigeons> because an address needs a certain XRP "reserve" to be activated and how would that appear for the subkeys? and i assume you could link them that way
01:23 < gmaxwell> thats annoying they could have made the privacy stronger than bitcoin, since if an issuer is online you could automatically ask them to replace your coins with unrelated coins.
01:24 < gmaxwell> how do the reserve settings and such get changed? it used to be like 300 ripples reserve, but now I see its 69.
01:24 < gmaxwell> oh sorry 75
01:25 < pigeons> the same consensus process that agrees on which transactions are part of the ledger agrees on current reserves
01:27 < pigeons> well the concept of "coins" isnt really the same. with bitcoin you need to be able to trace every step of the input back to its generation, but with ripple you just look at the validated balance really
01:28 < gmaxwell> right. this is why I look forward to an altcoin attack.
01:29 < gmaxwell> What happens when the UNL stuff goes public and a majority of trusted parties decide that opencoin reserves ought to be more like 0 xrp?
01:30 < pigeons> you mean when more of the people running nodes start including more validators in their UNL that may be likely to do that? we'll see
01:30 < pigeons> just clarifying by "going public" cause the daemon source is public but yes most use similar UNL
01:31 < pigeons> wait what do you mean by "opencoin reserves"?
01:31 < gmaxwell> that's what I mean by going public, sorry. De facto public, not de jure.
01:31 < pigeons> as opposed to reserves applying to any node/address
01:31 < gmaxwell> wherever the larger amounts of xrp consolidations are still left that haven't been given out.
01:32 < pigeons> you can't change balances by consensus
01:32 < pigeons> you need to have a signed transaction spending it
01:33 < gmaxwell> pigeons: I'm pretty sure you can. the other nodes won't ever accept the change, but a client will accept the majority ledger.
01:33 < pigeons> amiller: what do you say about that?
01:34 < gmaxwell> (IIRC, it would be like bitcoin if we only had a small number of miners (gulp) and everyone but miners was on spv nodes)
01:34 < gmaxwell> generally you couldn't do it without undermining trust in the system, but redistributing xrp which a lot of people already consider insanely unfair, I bet could be done.
01:35 < amiller> yeah i agree with that unfortunately, i am pretty sure they cut a lot of steps in terms of what kinds of validation we can expect ordinary users to run
01:35 < amiller> full validating ripple nodes are pretty expensive to operate if i understand it right
01:35 < amiller> the web wallet that most people use is not a full validating client, for example
01:35 < amiller> it's effectively the same as SPV, yeah.
01:35 < pigeons> i operate one (yeah down atm) and verifying isnt that expensive but keeping history is
01:35 < amiller> how large is the state file/
01:36 < gmaxwell> heh. bitcoin's current state is about 250mbytes. :P
01:36 < pigeons> i dont know i was running on a smallish vps, and i dont understand the internals very well, which was why i was running it, but had some other projects and i've borrowed that box
01:37 < amiller> either way i don't think even that is an insurmountable problem
01:40 < Mike_B> well
01:40 < Mike_B> i just read the entire thread, as well as this irc convo
01:40 < Mike_B> gmaxwell: quite interesting
01:40 < Mike_B> this reinforces my impression of ripple as a cool service, but not really decentralized
01:40 < Mike_B> which, i guess, if they're trying to compete with paypal and visa, is fine
01:41 < Mike_B> but i agree with the analysis that the trust network concept can easily lead to topologies where the network gets screwed even if most nodes are honest
01:41 < gmaxwell> Yea, as amiller says. it's busted.
01:41 < Mike_B> i dunno how they intend to get other people running validator nodes anyway
01:42 < Mike_B> alright well, that was a very full answer to my question
01:42 < Mike_B> i'll have to bbl but thanks for pointing me to all of that
01:42 < gmaxwell> I think mostly the "decentralized" thing on ripple is a regulatory dodge. I hope for them that it works... also for bitcoin, since if they decide that ripple's decentralization is pretext, perhaps they'll suspect the same of bitcoin and go after .. say.. me.
01:42 < pigeons> ripple labs' nodes are very unreliable i guess they are under high load, so when mine isnt running i was looking for some others to use and one issue i thought of as far as trusting nodes you submit your signed transactions to is what if a "bad" server sends me a next sequence number far in the future, which causes my transaction to be rejected, but the bad server keeps my signed transaction and submits it when i reach that sequence number, a
01:43 < pigeons> far fetched i know, but i was running a few different clients at once and getting mixed up on sequence numbers and was thinking
01:43 < gmaxwell> Mike_B: we did come up with a somewhat elegant (IMO) way to get people to run archive nodes in a bitcoin like network, but it wouldn't apply to ripple.
01:44 < pigeons> gmaxwell: where is that discussed?
01:44 < gmaxwell> here.
01:44 < gmaxwell> :P
01:45 < pigeons> ok i'll scroll up, thanks :)
01:45 < gmaxwell> Mike_B: basically the idea is that we can (with massive protocol changes) effectively eliminate the utxo set, making validation nearly storageless, and require txn to provide proof that their inputs existed and are unspent.  Now the storage is required to produce those proofs. So if you're a storageless wallet, you can find an archive node and pay them a bit of fee in your txn to add the proof to it so you can get it mined.
01:47 < gmaxwell> though there is some bandwidth tradeoff to operate in this manner, and I dunno if anyone has worked out all the concrete numbers yet to see how it would work out in practice, asymptotically it looks good. and if you use SNARKs to compress the proofs then the bandwidth is similar to what is required today.
03:08 < _ingsoc> !seen swulf--
03:08 < _ingsoc> Does that work here? :(
04:19 < edulix> now, this channel has an awesome name (hi!)
04:22 < edulix> the coincovenant sounds like a really awesome-crazy-bad idea by the way gmaxwell
04:24 < edulix>  Alternative chains have been suggested as ways to implement DNS, P2P currency exchanges, SSL certificate authorities, timestamping, file storage and voting systems << which voting systems?
05:02 < Mike_B> 01:45 gmaxwell: Mike_B: basically the idea is that we can (with massive protocol changes) effectively eliminate the utxo set, making validation nearly storageless, and require txn to provide proof that their inputs existed and are unspent. Now the storage is required to produce those proofs. So if you're a storageless wallet, you can find an archive node and pay them a bit of fee in your txn to add the proof to it so you can get it mined.
05:03 < Mike_B> not sure i understand - when you talk about "storage" here, do you mean the blockchain? so when you say storageless validation, you mean no blockchain is required or something?
05:06 < edulix> Mike_B: I assume he means "local storage of the blockchain" i.e. in your HD
05:06 < edulix> which is currently quite large already, 12GB or something like that
05:08 < Mike_B> oh, i see what you mean
05:10 < gmaxwell> Mike_B: no blockchain storage is required for validation already, but the utxo set is ...
05:11 < Mike_B> sorry, i'm a bit confused here. does this relate to how ripple does things somehow, or is this a different topic?
05:11 < gmaxwell> Mike_B: when bitcoin downloads the blocks it makes a summary of all the spendable coins. It never accesses the blocks again except for reorgs (which only needs the most recent few blocks, or we're doomed) ... and bootstrapping new nodes.
05:11 < Mike_B> i thought this was in the context of ripple and consensus
05:11 < gmaxwell> nah, not ripple. not sure how that tangent got picked up.
05:11 < phantomcircuit> lol ripple
05:11 < TD> this is the merkle mountain ranges thing?
05:11 < Mike_B> ok, got it
05:12 < phantomcircuit> Mike_B, let me help you, nothing works like ripple because ripple doesn't work
05:13 < Mike_B> gmaxwell: so the idea is that various miners basically advertise cryptographically that they have access to the valid utxo set, then you just query them for a fee?
05:14 < Mike_B> or well, not miners, but "archive nodes"
05:14 < Mike_B> maybe you could work it into mining somehow
05:14 < gmaxwell> Mike_B: sort of, the merkle mountain ranges basically eliminates the utxo but replaces it by restructuring the blockchain data to make it easy to produce efficient provable queries.
05:14 < gmaxwell> so then transactions ship with the proofs, and verifying nodes (including miners) don't strictly have to have the history themselves anymore.
05:14 < gmaxwell> Though someone has to have it, in order to produce the proofs.
05:15 < gmaxwell> But that could be users, miners, random nodes who sell their services (e.g. by requiring a fee in transactions they provide proofs for)
05:15 < TD> very interesting
05:16  * TD re-reads gmaxwells post
05:17 < TD> the need to combine independent updates to the tree sounds a bit like the operational transform algorithm.
05:19 < gmaxwell> I think petertodd and maaku had some further enhancements which might make it easier. E.g. having a write only "existing coins" MMR.  and a writable spent coins tree.  The write only tree doesn't require any online activity, once you have your coin proof once you have it forever.
00:16 < amiller> the more cool stuff i can do "conditionally secure" on the definition working out, the easier it will be to justify working on the definition?
00:17 < amiller> i mean it feels unhealthy to say i'm going to go off and assume i can use all these things that aren't justified yet
00:17 < amiller> but whatever, #yolocrypto
00:21 < gmaxwell> yea, well, I think it's helpful to think about how this stuff would be used. e.g. the proof of knowledge being strong is important for the CoinWitness type usage.
00:23 < amiller> yeah, i'd be really interested to come up with a more satisfying definition than the extractor
00:23 < amiller> what are some important implications of 'knowledge of a witness'
00:23 < amiller> certainly if you could 'know' a witness and no such witness existed it wouldn't make sense
00:24 < amiller> when witnesses vacuously exist like in the hash preimage case it's stranger because "knowing it exists" isn't as good as "knowing it"
00:28 < gmaxwell> I think a lot of this stuff is going to remain dumb and unknown until it gets into actual use with actual stakes.
00:28 < gmaxwell> Too much academic output works itself into little useless ruts with definitions which are mathematically fun but meaningless in practice.
00:30 < amiller> it's an especially difficult balance with security/crypto
00:31 < amiller> since the actual attackers are invisible/untestable
00:32 < gmaxwell> not quite, I mean set things up so there are bitcoin which can only be moved if the system is compromised. (may require keeping a victim to interact with online)
00:33 < amiller> yeah that sort of helps
00:33 < amiller> it would have to be pretty big to actually motivate serious effort from cryptanalysts
00:33 < gmaxwell> thats what secures my laptop. :P  I dunno, people take things where there is no reward simply because they can publish on it.
00:33 < amiller> also it's just as likely it would reveal a minor implementation error rather than the fundamental failure of a concept
00:34 < amiller> so i think the most productive thing to do is take snarks and run with them.
00:34 < gmaxwell> and yea, thats a problem... I'd like to get the tresor hardware wallet people to embed a private key of theirs in every device... and have the wallet willing to signmessage for the key to prove its in there. ... with some bounty coin assigned to the key.
00:34 < gmaxwell> so that when someone has compromised the hardware security, people know about it.. but unfortunately that doesn't give you much information...
00:35 < gmaxwell> and you'd find that it was compromised with a really hard attack, thats not all that interesting.
00:39 < amiller> recursive snarks are just so damn sexy, it will have instant practical appeal
00:39 < amiller> this ben-sasson character is nuts if he thinks we're actually going to recompile the whole verifier for every possible batch-size of blocks :p
00:40 < gmaxwell> amiller: oh, you know their formulation fixes the UPPER size, right?
00:41 < gmaxwell> you can just pad out the computation to make it meet the upper size.
00:41 < amiller> yeah
00:41 < amiller> ok every "possible" batch size is an exaggeration
00:41 < gmaxwell> so then with log2() extra calculations for sizes you have only a worst case ~2x overhead in prover work.
00:42 < amiller> yes but it's still a big circuit to compile each time
00:43 < amiller> bootstrapping etc
00:46 < amiller> also all the proving would have to be redone for each different block size
00:46 < gmaxwell> I thought the bootstrapping version of Eli's stuff didn't require any preprocessing anymore.
00:47 < amiller> the thing i want to do is just a simpler form of bootstrapping
00:47 < gmaxwell> the downsides of it is that the proofs are larger for equal security, and they don't have a strong zero-knowledge property... but they eliminate the generator and in particular the need for the generator to have a strongly secret random string.
00:47 < amiller> the papers that advocate bootstrapping and do it without incurring the extractor-blowup problem bend over backwards to have only 'constant depth' bootstrapping
00:48 < amiller> they haven't implemented the bootstrapping, right?
00:51 < gmaxwell> I don't know where their implementation stands, I know they have running the generator based version and have all kinds of benchmarks on it. They certainly have _plans_ for the bootstrapping version.
00:52 < gmaxwell> The generator version kinda sucks because if the prover is in cahoots with the generator he can easily generate fake proofs. Plus the prover keys are enormous. Plus the generation is, like the proving, slow.
00:55 < amiller> lets ask how the bootstrap version is coming along :o
03:50 < gmaxwell> So, that idea I had for making lamport signatures smaller by using a tree structured CSPRNG to build your secrets.  I came up with another thing to apply it to where it is way more powerful.
03:51 < gmaxwell> Say you want to produce an encrypted card deck for someone, which is correct with high probability and randomly shuffled with high probability.
03:52 < gmaxwell> First you build a set of secret values, using a tree structured CSPRNG.
03:52 < gmaxwell> Then you build a hash tree over them, and tell Bob (you are alice) the root hash of your secrets.
03:53 < gmaxwell> Bob then picks a random value and tells it to you.
03:54 < gmaxwell> You generate 65536 regular card decks in order. And you take half of each of your secrets and encrypt each card deck.  You then take the other half of each secret hash it with bob's random value and use it to run a PRNG to shuffle each deck.
03:54 < gmaxwell> You now have 65536 encrypted, shuffled decks. You build a hash tree over them. and tell bob the root of the hash tree.
03:55 < gmaxwell> Bob picks 65535 out of the 65536 decks for you to reveal.
03:56 < gmaxwell> So you then find the minimal number of nodes in your secret value tree such that when you reveal them bob learns all your secrets except for the excluded result.
03:56 < gmaxwell> you also give bob the excluded result deck but not its secret and bob can compute all the decks except the excluded one, and verify the root.
03:57 < gmaxwell> Bob is now convinced that he knows an encrypted fairly sorted deck.
03:57 < gmaxwell> and you only had to transmit to him one deck and log2(65536)=16 plus a few hashes.
05:22 < gmaxwell> petertodd: so, if you combine all my recent ideas you can do guy fawkes signatures in a blockchain cryptosystem in one stage, and eliminate the announce/commit crud.
05:24 < gmaxwell> petertodd: the idea is that you create a tree compressed lamport signature in your transactions and flood to the network, with everything but the signature hashroot external to the transaction. When it gets mined, the block hash is used as the source of random selection to reduce the proof size.
05:24 < gmaxwell> once sufficiently buried the signature is pruned down to nothing and it's effectively just a guy fawkes signature.
06:55 < petertodd> gmaxwell: nice!
11:02  * Luke-Jr wonders if GCC can be compiled with SCIP to make gitian obsolete
21:51 < jorash> I think I may have found a channel open to the project I'm part of...
21:51 < jorash> We're a bunch of quantum information scientists working on the problem of efficient classical emulation of universal computation (answer the question of does P = BQP in the positive)
21:52 < jorash> One of the implications is that a miner can be developed which runs a quantum search algorithm (such as Grover's square root speedup, or Gross-Pitaevskii's constant time speedup) and yields mined coin much faster than current hardware brute force methods
--- Log closed Sat Aug 31 00:00:58 2013
--- Log opened Sat Aug 31 00:00:58 2013
--- Log closed Sat Aug 31 03:03:05 2013
--- Log opened Sat Aug 31 03:03:22 2013
--- Log closed Sat Aug 31 03:07:52 2013
--- Log opened Sat Aug 31 03:08:29 2013
13:01 < amiller> gmaxwell, the single stage guy-fawkes thing is neat
13:01 < amiller> it seems like it would be computationally expensive to do the signing, 65536x2 hashes to evaluate?
23:29 < jorash> What happens when someone breaks SHA-2 and all the coins are mined in a day?
23:34 < Luke-Jr> jorash: it won't happen.
23:36 < jorash> Did your wizardly crystal ball tell you that?
23:36 < jorash> So you think it will take until 2140 until all 21m btc are in circulation?
23:36 < Luke-Jr> I didn't say that.
23:36 < jorash> well hardness will just keep going up
23:37 < jorash> so decades at least, if we don't crack the problem from a computational complexity vantage point
23:37 < jorash> so what if the hardware gets better... hardness catches up
23:40 < jorash> so yea... long winded way of saying I'm working with a handful of quantum information scientists on a means of running Grover's algorithm (and thus weakening SHA2)
23:41 < jorash> scam alert!
23:41 < Luke-Jr> weakening SHA-2 won't get you all the coins
23:41 < jorash> that's true
23:41 < Luke-Jr> even if you perfected quantum mining, you'd be slowed to a block every 10 mins
23:41 < jorash> if you can pull off Grover's you get a sqrt speedup, and hardness would catch up around the 100,000-300,000 btc mark
23:41 < jorash> (after mining that much)
23:42 < jorash> however, if you pull off constant time (gross-pitaevskii search http://arxiv.org/abs/1303.0371 ) then you get all the coin
23:43 < jorash> the first is the open question of P vs BQP --- ie. can universal quantum systems be simulated efficiently by Turing machines. We answer the question yes
23:43 < jorash> the second is the question of whether linear quantum systems can efficiently simulate nonlinear quantum systems.. We have the answer probably, but not sure.
20:03  * gmaxwell claws his eyes out at "cryptos"
20:06 < gmaxwell> if someone has ethical concerns on BM's tool, BM could just add a warning that says "poor selection of the parameters here can result in a trivially insecure coin, the site makes no promises that the settings are good"
20:06 < gmaxwell> "make heavily demanded features are believed by experts in the Bitcoin world to be terrible for security in subtle or even vulgar ways, sometimes thats why Bitcoin doesn't do them. Buyer Beware."
20:06 < andytoshi> the ethical concern from earlier is that i suggested 'secretly' adding wizarding experiments
20:07 < gmaxwell> oh well I don't think there is anything secret needed. You can just add them and make people _pay_ for them.
20:07 < sipa> indeed, just make them extra features
20:08 < gmaxwell> or make turning them off an extra (pay for) feature if you like.
20:09 < Luke-Jr> maybe BlueMatt would donate the site to -wizards ;)
20:10 < Luke-Jr> it'd be neat to make it list all mergable pull requests as options..
20:11 < Luke-Jr> perhaps unmergable ones too, and give a warning about "There is an additional charge for this feature which cannot be calculated automatically. You will receive a quote within 3 business days if you choose it."
20:11 < Luke-Jr> :D
20:11 < Luke-Jr> and then let anyone competent bid on it
20:11 < sipa> it probably needs some deterministic seed
20:11 < sipa> so that new versions of existing coins created with it can be generated
20:12 < sipa> if the upstream source is updated
20:12 < sipa> (which determines magic bytes etc)
20:13 < Luke-Jr> sipa: that would break the merging features a bit
20:14 < Luke-Jr> "I have a magic node which keeps track of peers for each coin and forwards them on in addr messages, but if no one else is running a node, youre sol."
20:14 < Luke-Jr> wow, that probably took some effort
20:15 < gmaxwell> nah, if you get an inbound connection you're silent, the connector sends the network version
20:15 < gmaxwell> so then its just like one of those 100 line python "node" implementations with a dict of addresses per network.
20:16 < Luke-Jr> <.<
20:24 < Luke-Jr> wow, BlueMatt's thing has made over $500 already :P
20:25 < warren> it has no disclaimer of warranty
20:27 < Luke-Jr> I suppose sipa's auto-upgrader could bill you
20:28 < sipa> why what?
20:28 < sipa> my what?
20:32 < Luke-Jr> sipa: the idea to let people come back for upgraded builds of the same coin
20:32 < Luke-Jr> sipa: my objection was that it would break merges - but it could work if you get billed for any conflicts ;)
20:33 < warren> Luke-Jr: why do you care about the maintainability of scam coins?
20:33 < sipa> well, my concern about them is pretty much irrelevant, as i have no interest in using the tool
20:33 < sipa> but if the users were serious to any extent about the coins they are creating, they should demand it
20:33 < Luke-Jr> warren: I'm just thinking financing development and testing this way, ignoring how the end products are used ;)
20:34 < warren> Luke-Jr: I think this current tool renames everything to make merges impossible
20:40 < Luke-Jr> warren: maybe.
20:40 < Luke-Jr> warren: I was thinking more of merging before s&r
20:40 < Luke-Jr> ie, rebuild the scamcoin from scratch
20:41 < warren> Luke-Jr: you would have done well as a litecoin dev =)
20:42 < Luke-Jr> well, arguably litecoin *is* using my code.. :P
22:14 < Luke-Jr> too bad Script is neutered
22:14 < Luke-Jr> could make a transaction-fee-for-only-future-blocks..
22:14 < Luke-Jr> sPK: "<txver><inputcount><txinput>" OP_SWAP OP_CAT OP_HASH256 OP_DEPTH 1 OP_SUBTRACT OP_FOR OP_CAT OP_HASH256 OP_ENDFOR OP_SWAP OP_CAT OP_CAT OP_HASH256 <block target> OP_LE
22:14 < Luke-Jr> sS: "<blkver><prevblk>" "<ntime><bits><nonce>" "<end of txn data>"
22:15 < Luke-Jr> petertodd: ^
22:16 < gmaxwell> looping in scrypt is yuck though. e.g. while(true)OP_HASH256.
22:17 < gmaxwell> if you just want to burn coins OP_RETURN them, poof gone and trivially provable they were burned.
22:25 < Luke-Jr> but then they're "too" burned :P
22:26 < Luke-Jr> OP_FOR isn't the same as OP_WHILE :p
22:26 < Luke-Jr> OP_FOR would inherently be non-forever
22:38 < andytoshi> in an alt where fees were tied to runtime, you could do cool things like this
22:38 < andytoshi> it seems to me that even "non-forever" is not sufficient to prevent DoS attacks
22:39 < andytoshi> if you can loop for tens of thousands of iterations, that can cause bad problems .. if you can nest loops, etc
22:39 < andytoshi> otoh, if you -can't- do those things then that sucks
22:43 < gmaxwell> Luke-Jr: yea, 4 billion SHA256 ... big improvement over forever.
22:44 < Luke-Jr> [03:38:09] <andytoshi> in an alt where fees were tied to runtime, you could do cool things like this <-- there is no reason this would be an alt
22:44 < gmaxwell> tying things to runtime is really really likely to cause hardforking bugs.
22:44 < Luke-Jr> gmaxwell: only if they are hard rules
22:44 < gmaxwell> since you need a precise instruction counter.
22:44 < gmaxwell> Luke-Jr: they must, because non-miners must evaluate script too
22:45 < gmaxwell> otherwise you have mining pools incentivized to put in fast hardware script execution engines and no one else can keep up validating the coin
22:45 < Luke-Jr> gmaxwell: I'm okay with letting miners decide on the upper runtime limits, within reason.
22:47 < gmaxwell> within reason is the problem there == hardforks. :P
22:48 < Luke-Jr> nah, within reason is vague enough to use opcode counters
22:48 < andytoshi> gmaxwell: sorry, i meant 'instruction count' which could be defined very precisely in a forth-like script
22:50 < gmaxwell> andytoshi: yes, it can be. What OP_CHECKMULTISIG does is also very precisely defined and that didn't stop several alt implementers from getting it wrong.
22:50 < andytoshi> ah, this is true
22:51 < gmaxwell> this may ultimately be an argument for replacing script with verification for some proof of execution, since it may actually be easier to get it right.
22:52 < gmaxwell> or at least alt implementors are less likely to try to reinvent crypto constructs.
22:53 < gmaxwell> it's nuts. SCRIPT is actually a public key signature system itself. People writing their own ECDSA code as a my-first-project would be super frowned on, and yet they re-write script. though somewhat annoying in that at least there are libraries for ecdsa.
22:55 < andytoshi> i think i will start pushing the meme on #bitcoin that cryptography is serious business and that only morons try to roll their own or work with it without understanding it
22:55 < andytoshi> ...which appeared to be common knowledge until altcoins became a thing
22:55 < gmaxwell> Okay, I think I'm going to give up on bitcoin, jesus christ: http://blockchain-link.com/#future
22:57 < andytoshi> gmaxwell: agreed on "this is an argument for snarks", aside from the usual novel crypto warnings it seems to me they'd be way easier from a blockchain engineering perspective
22:57 < andytoshi> and i'd be really jacked to see a turing complete script (and maybe one which could do things like read the past blockchain)
22:58 < andytoshi> gmaxwell: where did you get that URL?
22:59 < gmaxwell> #bitcoin
22:59 < gmaxwell> oh thank god those are feathercoin amounts
22:59 < gmaxwell> I was thinking this person had received over 600 btc in donations
22:59 < andytoshi> ahhh wtf
22:59 < gmaxwell> I think if that was true I would probably just never do anything with bitcoin again. I'm getting seriously depressed about all the money flowing into fucking things up.
23:00 < gmaxwell> I am not a very coin operated guy myself, but the funds flowing specifically to _bad_ things is especially demotivating.
23:01 < andytoshi> gmaxwell: as personal advice i'd say you do way too much to correct misinformation and engage with these idiots ... but otoh it does a massive amount of good for the bitcoin community, so i dunno what to say
23:02 < gmaxwell> well I certainly know that I have the option of ignoring everything I don't like.
23:02 < gmaxwell> And I actually consciously ignore enormous swaths of stuff (though I know it doesn't seem like it)
23:03 < andytoshi> maybe i will write a "why alts are retarded" FAQ which discusses cryptography and the horrors of using it blindly or stupidly ... and reminding people that cryptocurrencies are a novel cryptographic concept and these lessons apply -even more so- because of that, and then -even more so- because there is monetary value involved
23:04 < andytoshi> because it appears that people think this shit is magic, people talk as though "cryptos" are a thing , a collection of magical systems that are all on equal footing
23:05 < gmaxwell> you can probably pull up some of the old sci.crypt faqs
23:05 < gmaxwell> things like "anyone can make a cryptosystem that they themselves can't break"
23:06 < gmaxwell> it all applies to the _entire_ altcoin. The whole thing minus some frills around the edges, but everything that actually makes it an alt
23:06 < gmaxwell> e.g. the decision to go with 10 minutes vs 5 minute block times is a cryptographic decision, and one that isn't very completely understood!
23:06 < gmaxwell> (though more understood than some other things)
23:07 < andytoshi> good call on sci.crypt -- i was a young child when it crossed into mostly-insanity so i forgot all about it :P
23:07 < andytoshi> i'll hack something up this week and post it here, maybe just github the latex and give you all push access
23:07 < gmaxwell> it was pretty much always insanity, but the boundary of sane and not is what produced some of the arguments you need.
23:07 < andytoshi> or rather, git.wpsoftware.net it ... i don't think github likes direct pushing
18:11 < maaku> helo: it's essential that the bids be committed coins
18:11 < helo> yes
18:12 < maaku> because keep in mind that the adversary is sharing a cost, even if just opportunity cost
18:12 < helo> with a space carved out for first-come-first-served, i'm not so worried :)
18:14 <@gmaxwell> maaku: yea, but money has a non-uniform value. Joe activists might consider $50/month upkeep unreachable, while nike might think nothing of dropping $60k on shutting up a nuisance.
18:14 <@gmaxwell> yea, if both exist its less of a concern.
18:14 < nsh> why not... first come, first served with a (reasonably short ~6 month) jubilee period
18:14 < nsh> owner has preference to keep domain through jubilee, but at a nonzero cost
18:15 <@gmaxwell> you mean initial obtaining is behind an auction? the problem there is that even if you're a dumb robot, stealing other people's names is perhaps a good strategy.
18:15 <@gmaxwell> people have done that with namecoin: snatching up names on expiration.
18:15 <@gmaxwell> assuming that people's original registrations are a good estimate of value.
18:15 < nsh> hmm
18:16 <@gmaxwell> though the idea of how hard it is to kick the holder depending on how hard they've held it isn't terrible.
18:17 < nsh> maybe how easy it is to keep a domain should be a function of html/css aesthetics
18:18 < nsh> although you'd want to have a "geocities peak" in the distribution somewhere
20:39 < wangbus> digging sounds more difficult :p
21:34  * andytoshi-logbot is logging
22:51 < Dylan_> I had some ideas for bitcoin, would anyone want to listen?
22:52 < BlueMatt> Dylan_: its always best to just go for it instead of asking if you can...whether or not you get responses is a function of who's online, but there are plenty of people who read scrollback, so it'll be seen eventually
22:57 < Dylan_> I was thinking about an automated system for the distribution of electricity (watts of the network) to reward people for capturing electricity using solar panels, in the same way the miners are rewarded for computation
23:00 < Dylan_> I figure there are two ways to do it. 1. to have a box that plugs into the voltage meter, that would send bitcoins to a wallet for electricity into the grid 2. to have a premined coin that was regulated by a power company that was sent when an owner put power into the grid
23:01 < Dylan_> but, I am struggling over the first solution. How would one design a box to assure someone didn't break the voltage meter.... etc
23:02 < Dylan_> Has anyone been thinking about this?
23:04 < BlueMatt> I'm not sure if you can/want to handle checking of hardware modification at the currency layer...
23:05 < BlueMatt> there are ways to try to address it (make the thing fail if its case is opened, have someone physically go check it every month, etc), but I think thats all at a layer way higher than what you're paying with
23:06 < Dylan_> well, its definitely a plan for after the ASICs come out, and I definitely need help to figure out if authenticating the watts is worth it....
23:06 < Dylan_> yeah, my intuition says it is possible, but my conscious brain says... duh
23:07 < Dylan_> maybe I need more long walk, and showers or something
23:08 < Dylan_> would love to make it open source
23:08 < BlueMatt> I think dealing with hardware drm is something that happens way higher level than here
23:08 < Dylan_> and easy enough for my grandmother to use
23:09 < BlueMatt> (eg put private key in the thing, wipe the key when the box is opened, require key for payment from the power company)
23:10 < Dylan_> that way would use the premined version
23:10 < Dylan_> all a distributed system would need is a web page/server
23:13 < Dylan_> maybe having both systems to compete against eachother would also be good
23:17 < BlueMatt> I'm not sure what your model is here, if you mean no power company and completely decentralized grid...I'm not sure how well thats gonna work to begin with
23:27 < Dylan_> well, it depends on the country and the existing grid... but I would like to at least try to develop a model for both of them
23:27 < Dylan_> centralized and decentralized grids....
23:29 < Dylan_> but solar panels are pretty good for both types of grids, which is why I would like to start there... and perhaps try and limit it there, because I don't think fossil fuel or wind tech are very good,
23:30 < Dylan_> maybe geothermal.... but now I am rambling...
--- Log closed Sat Dec 21 00:00:15 2013
--- Log opened Sat Dec 21 00:00:15 2013
01:12 < eristisk> /msg NickServ IDENTIFY iojfdys!df9876ds7%%
01:13 < eristisk> oops, better change that.
01:15 < _ingsoc> Lmao.
01:16 < eristisk> *^_^*
01:52 < Emcy> wow RSA took $10 measly MM of NSA cash to deliberately gimp their crypto
01:53 < Emcy> Had a long chat with my friend who worked on RSA's BSafe. Two comments: "i saw that this morning and was filled with a sense of shame"
01:53 < BlueMatt> yea, see the thing I find the most surprising in that story is it only took $10 million...
01:53 < Emcy> But no, he had no idea NSA had done some payoff and he was working on code apparently deliberately gimped. ;(
01:53 < Emcy> hmm those are quote tweets, i have no RSA friend
01:54 < Emcy> BlueMatt yeah its not a lot of money for flushing your company rep down the toilet is it. NSA total budget for this sort of subterfuge is 250MM apparently
01:56 < Emcy> I SINCERELY hope the word gets out about this far and wide and the market sorts this one out
02:36 < Dylan_> has anyone heard news about truecrypt's independent audit?
02:47 < Emcy> theyve engaged an audit firm
02:47 < Emcy> what i dont know is whats stopping that firm getting a nice fat NSL about it
03:44 <@gmaxwell> Personally I'm waiting to hear about the lawsuits from ex-NSA people who are now unemployable.
04:01 < Emcy> they picked their side
05:30 < maaku> Dylan_: http://blog.cryptographyengineering.com/2013/12/an-update-on-truecrypt.html
09:03 < adam3us> some scroll-back comment: petertodd or maaku were talking about how the minimal function needed from the network is tx ordering (if you ignore SPV functionality).  i agree with this.  the fact that committed tx are respendable in committed form to full nodes is in fact an illustration of this fact.
09:07 < adam3us> in some way you can see that the distributed function offered by bitcoin network if you remove tx validation (as respendable committed tx do) is that it is a secure namespace.  (first come first served, first to announce owns; and can opt to transfer ownership.  transferring ownership decommits because it involves a signature.  anyway a distributed namespace is a slightly higher level function built on a distributed timestamp.
09:10 < adam3us> and in fact again, other than for optimization, full nodes could survive fine with a distributed timestamping service only (no name uniqueness guarantee) as the timestamping defines ordering. they can therefore build first to publish just by ignoring later republications (and validating themselves either via committed tx key knowledge, or by validating clear text but unvalidated tx)
11:36 < petertodd> adam3us: just ignoring later publications isn't good enough though, you need to be able to be sure that a prior publication *doesn't exist* at all
11:37 < petertodd> adam3us: if you can't, then you're not sure if your coins are valid
11:37 < petertodd> adam3us: assuming bitcoin-style fixed inflation that is...
11:38 < petertodd> adam3us: you could have a system where double-spends were valid if accompanied by more pow of cource
11:38 < petertodd> *course
11:39 < petertodd> adam3us: basically the scheme I came up with back in highschool for a decentralized crypto-currency after reading a certain paper about hashcash :P
11:39 < petertodd> adam3us: dunno if you've heard about it, you do a partial-preimage against... :P
12:02 < adam3us> petertodd: yes.  i meant to imply the full node scans from genesis and is thereby convinced that a given string is the first copy
13:55 < maaku> adam3us: "if you ignore SPV functionality" <--- that's a big thing to ignore
13:56 < maaku> it's the difference between academic wankery and a system that is actually deployable and workable
13:57 < petertodd> maaku: this is -wizards, we're doing research and development
14:04 < andytoshi> maaku: i think if you're aware of the simplifications (and ofc petertodd is), spherical blockchain reasoning is useful
14:05 < andytoshi> eg bitcoin solves problems independently enough that you can think of timestamping apart from everything else
14:07 < petertodd> anyway, with additional technology you probably can make such systems usable on low-resources too, for instance via SCIP to compactly validate coin histories, or via economic tricks to limit the scope of fraud
14:12 < CodeShark> I wish more of petertodd's ideas were being tried in practice :)
14:13 < petertodd> CodeShark: same :P
14:13 < petertodd> CodeShark: it'll be nice finally getting some free time to work on them properly soon
14:18 < CodeShark> need any help?
14:18 < CodeShark> or rather, would you like some help? :)
14:18 < petertodd> yes!
14:18 < petertodd> although frankly, I think right now coinjoin is what needs dev effort on the most
14:19 < petertodd> other stuff is cool, but it really needs to actually see implementations
14:19 < CodeShark> not sure whether stronger privacy or blockchain/utxo prunability are a higher priority
14:20 < adam3us> maaku: yes SPV is the current scaling model.  i like to re-examine assumptions.  sometimes i find ways to re-write them along the way.  so thinking back to the minimal function for the global part is good.  more secure even.  and then try other ways to scale maybe there are better ways.
14:20 < petertodd> it's easier to throw hardware at making bitcoin scale than it is to throw hardware at making bitcoin private
14:20 < adam3us> maaku: eg committed tx have strong policy advantages over clear/validated tx
14:21 < adam3us> maaku: more resistant to centralization for example
17:28 < petertodd> again, the first time this came up I had a paying contract to tell mastercoin if they should, or shouldn't, stick with putting data in the blockchain. I said the existing design was very secure if you used steganography for anti-censorship, PoW chains were possible to 51% attack, and merge-mine would make 51% trivial by a big pool
17:28 < jtimon> jrmithdobbs: I don't follow
17:28 < petertodd> given that censorship of MSC txs in the blockchain is *way* harder than people realize, obviously I told them some techniques to improve on that and stick with what they had
17:28 < petertodd> (this is why MSC adopted an encoding scheme where the data looks like valid pubkeys)
17:29 < jrmithdobbs> jtimon: just because it is in their economic interest to mergemine instead of attack alt coins doesn't mean that is the decision that will always be made.
17:29 < sipa> bah
17:29 < petertodd> sipa: heh, I think lots of people didn't realize that was so easy...
17:29 < sipa> petertodd: this is a nice example of what i'd call suddenly changing how selfish a particular party acts
17:29 < petertodd> sipa: indeed, and BTC better realize how easy what MSC did is
17:29 < jtimon> jrmithdobbs: just because it is in their economic interest to mine at ghash.io instead of using p2pool/gbt doesn't mean that is the decision that will always be made.
17:30 < jtimon> that's my point, how is it different?
17:30 < petertodd> sipa: basing scalability assumptions, esp re: the UTXO set, on "oh, people will play nice" is idiotic
17:30 < Luke-Jr> hmm, I wonder if deploying P2SH^2 might not be as hard as we think
17:30 < petertodd> Luke-Jr: MSC is P2SH^2 proof
17:30 < Luke-Jr> petertodd: I mean real bitcoin
17:30 < jrmithdobbs> petertodd: i think sd proved that already.
17:30 < petertodd> Luke-Jr: "real bitcoin"?
17:31 < petertodd> Luke-Jr: I mean, adopting P2SH^2 *doesn't* stop the MSC encoding scheme (well, with the trivial modification to wrap the CHECKMULTISIGs in P2SH txs)
17:31 < Luke-Jr> petertodd: I'm not sure what MSC came up with, I'm talking about Bitcoin itself
17:31 < petertodd> jrmithdobbs: no, they stopped
17:31 < Luke-Jr> petertodd: why do I care about that?
17:31 < jtimon> petertodd: I see your point, MM is less secure than MSC, true, but it's also more scalable
17:31 < jrmithdobbs> petertodd: like a year later
17:31 < petertodd> Luke-Jr: oh, I'm assuming you meant P2SH^2 to stop MSC
17:31 < sipa> Luke-Jr: MSC is putting data in bitcoin's chain...
17:31 < Luke-Jr> petertodd: no, P2SH is to stop data spam
17:31 < Luke-Jr> ^2*
17:31 < Luke-Jr> sipa:
17:32 < petertodd> Luke-Jr: well, that's my point, you can't stop data spam *except* to stop it from getting in the UTXO set, and even that's weak
17:32 < Luke-Jr> petertodd: you can
17:32 < petertodd> Luke-Jr: you can't stop schemes that encode hashes in the UTXO set, and there's lots of uses for that
17:32 < Luke-Jr> scriptSig can require preimages or valid ECDSA sigs too
17:32 < Luke-Jr> petertodd: not really, no
17:32 < petertodd> Luke-Jr: read this: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03524.html
17:33 < petertodd> Luke-Jr: without some pretty drastic changes to the way scripts work you can't
17:33 < sipa> Luke-Jr: then the preimage would be in the blockchain
17:33 < Luke-Jr> sipa: not necessarily
17:33 < petertodd> Luke-Jr: also, stopping data spam 100% stops you from soft-forking in a lot of potential new features, for instance new signature algorithms
17:33 < sipa> Luke-Jr: that would prevent you from validating it afterwards
17:34 < Luke-Jr> I'm assuming the P2SH^2 enforcement is done by miners only
17:34 < petertodd> Luke-Jr: and timestamp/proof-of-publication spam is really handy to a lot of protocols, and bloats the UTXO set even
17:34 < Luke-Jr> and tx relay
17:34 < sipa> Luke-Jr: then it only requires an out-of-chain deal with a miner to put it in anyway
17:34 < Luke-Jr> petertodd: there is no need to bloat the UTXO set
17:34 < petertodd> Luke-Jr: e.g. P2SH^2, even gmaxwell's v2.0 version, doesn't stop you from doing namecoin in the UTXO set
17:35 < petertodd> Luke-Jr: for many protocols abusing the UTXO set is cheaper and more secure and there's fuck all we can do about it other than ask nicely to stop
17:35 < jtimon> what's P2SH^2 please?
17:35 < jtimon> link?
17:35 < Luke-Jr> petertodd: *technically* yes
17:35 < Luke-Jr> jtimon: miners only mining stuff that is proven to be a hash
17:35 < petertodd> jtimon: https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg01987.html
17:35 < sipa> jtimon: have P2SH-only in the txouts, but to relay a transaction, you must add SHA256(script) to it
17:36 < petertodd> Luke-Jr: yes, and getting a hash into the UTXO set is enough to implement namecoin
17:36 < sipa> jtimon: so you prove that the data in the P2SH output is a real hash of something, and not data
17:36 < Luke-Jr> petertodd: it makes it more expensive
17:37 < petertodd> Luke-Jr: namecoin is already expensive, irrelevant
17:37 < Luke-Jr> the point is to make blockchain bloat more expensive than merged mining
17:37 < petertodd> Luke-Jr: as I told Mastercoin, their transactions are worth a lot more than the least valuable Bitcoin transactions, so they'll be able to outbid those and still get their data in the chain
17:37 < petertodd> Luke-Jr: that's irrelevant, merge-mining is less secure
17:38 < Luke-Jr> only if you're scamcoining.
17:38 < sipa> i'm not sure what intent has to do with it
17:38 < petertodd> Luke-Jr: sure, which is why I told Mastercoin to stick with the current system!
17:39 < petertodd> Luke-Jr: After all, what is or isn't a scamcoin is a matter of public opinion, so you're safer assuming people think you are and acting appropriately.
17:39 < Luke-Jr> sipa: if you're just interested in the security, you can do merged mining in a secure way
17:40 < Luke-Jr> if every Bitcoin block is a valid Altcoin block, and Altcoin uses the same difficulty and requires merged mining, then the worst someone can do is equivalent to not participating
17:41 < petertodd> Luke-Jr: that's not at all true and stop saying that
17:41 < sipa> petertodd: totally different subject; if we'd have a system with TXO MMR's... that would require every wallet to remain up-to-date with all blocks, to find operations that affect the path of its unspent outputs to the roots of the range?
17:41 < petertodd> Luke-Jr: you've just come up with a system where the block interval is really long if there isn't that much hashing power, that is still vulnerable to 51% attack
17:41 < killerstorm> I have a question about Bitcoin security: do we need to assume that the majority of miners (hashpower-weighted) are not colluding (i.e. making secret arrangements) with each other for Bitcoin to be secure? Or do we assume that they are rational and rational miners won't collude?
17:41 < maaku_> petertodd: it's disingenuous to say that merged mining is insecure too
17:42 < Luke-Jr> petertodd: only if the attacker 51%s bitcoin as well
17:42 < petertodd> sipa: nothing explicitly of course
17:42 < maaku_> bitcoin-parasitic vs merged mined alt? of course the parasitic option is better
17:42 < petertodd> Luke-Jr: no, think about it: altcoin is 1% of hashing power, so the block interval is 10min * 100, I can still 51% attack that by mining more blocks than the other miners regardless of the interval
17:42 < maaku_> merged mined alt vs non-merged mined alt? that's a different story
17:43 < Luke-Jr> petertodd: no, you may have 51% of blocks, but you cannot reorg it
17:43 < maaku_> killerstorm: depends on the context. colluding to do what?
17:43 < Luke-Jr> petertodd: you'd need to have 51% of *bitcoin* blocks and reorg bitcoin, to reorg the altcoin
17:43 < sipa> short-term-selfish miners will always collude if they can
17:43 < petertodd> Luke-Jr: ah, but if I can't re-org it, and it's a timestamp system, then what happens if I mine a longer chain in secret and reveal it?
17:43 < maaku_> but in many cases yes, 51% is sufficient to censor the chain, for example
17:44 < Luke-Jr> petertodd: you'd need a longer *bitcoin* chain
17:44 < petertodd> Luke-Jr: mining a block doesn't magically make it available to the world
17:44 < sipa> as it means their 51% becomes 100%
17:44 < petertodd> Luke-Jr: no, bitcoin block #10 mines altcoin block 1, bitcoin block #11 mines alt block 2a, bitcoin block #12 mines alt block 2b
17:44 < petertodd> Luke-Jr: was 2a or 2b the valid best block?
17:45 < Luke-Jr> petertodd: altcoin does not have a prevblock header.
17:45 < Luke-Jr> it is ALWAYS tied to the bitcoin chain
17:45 < petertodd> Luke-Jr: yes it does, the prevblock header just happens to skip a few steps
17:45 < Luke-Jr> your scenario is not possible
17:46 < Luke-Jr> if bitcoin block 11 mines alt block 2, then bitcoin block 12 must mine alt block 3
17:46 < petertodd> Luke-Jr: after all, if the miner of bitcoin block #11 doesn't tell anyone he mined 2a, then how does 2b know that?
17:46 < petertodd> Luke-Jr: remember, this is a merge-mine chain: participation is voluntary
17:47 < sipa> i wasn't aware of the fact that merged-mined chains had no own prevhash
17:47 < sipa> but it seems to make sense
17:47 < Luke-Jr> sipa: the existing ones do, but that's not the system I was talking about
17:47 < Luke-Jr> petertodd: ok, I remember this now.
17:47 < petertodd> sipa: luke's very mistaken...
17:47 < Luke-Jr> petertodd: I forget if I found a solution to that issue or not
17:47 < maaku_> sipa: they do, i think Luke-Jr is describing something novel/different
17:47 < sipa> ok
17:48 < sipa> i'm not sure what the problem is with it that petertodd is describing
14:32 < petertodd> maaku: but that's the thing, # of unspent outputs can be very large, leading to a large proof
14:33 < petertodd> maaku: I'm also extremely reluctant to make the CCoins compression a consensus thing - it's very likely standard transaction forms will change in the future
14:34 < petertodd> maaku: much simpler is just to commit to the uncompressed forms, and do compression (if warranted) as an optimization for the on-disk format
14:34 < maaku> petertodd: I would find that compelling if it weren't for P2SH
14:34 < petertodd> maaku: and for that matter, for the on-network format too
14:34 < petertodd> maaku: P2SH may change in the future
14:35 < petertodd> maaku: like I say, if you don't commit to the exact compression format that doesn't stop you from using one anyway
14:35 < maaku> yes that is true
14:36 < maaku> i'm already considering a different hash format for gmaxwell's SNARK concerns
14:36 < phantomcircuit> SNARK
14:36 < phantomcircuit> how do you people come up with these names
14:36 < maaku> well not different, just expanded with fields having fixed width and fixed offsets
14:36 < petertodd> maaku: another interesting issue is that if this is a pure UTXO thing, then we don't have any commitment to OP_RETURN data, which shuts out a lot of valid applications for it where a per block index of that data would be very useful
14:37 < maaku> phantomcircuit: the quality of your acronym determines your funding when government research dollars are at stake, alas
14:37 < petertodd> maaku: e.g. my stealth address stuff
14:37 < phantomcircuit> maaku, lol
14:38 < petertodd> maaku: suppose we find we picked the wrong hash format, what's the plan? that consideration should be documented
14:38 < phantomcircuit> tbh my donations are largely based on hilariousness of acronyms
14:38 < petertodd> phantomcircuit: PHANTOMCIRCUITISADICKHEAD
14:38 < phantomcircuit> lol
14:39 < phantomcircuit> petertodd, I'm going to hack you and steal all your research funding
14:39 < phantomcircuit> see who's laughing then!
14:39 < petertodd> phantomcircuit: IGTHYASAYRF <- that's not even pronounceable, lame
14:40 < maaku> petertodd: so one advantage of committing to a compressed serialization format (for network and disk at least) is the ability to distribute the UTXO set and get a validating node online quickly, then move backwards validating to genesis
14:41 < maaku> --
14:41  * maaku is thinking
14:41 < petertodd> maaku: but that's not true: you can just as equally commit to the uncompressed format and pass around compressed data
14:41 < petertodd> maaku: the only advantage is that the amount of data being hashed is less, but compressed-vs-uncompressed is a tiny difference
14:42 < maaku> petertodd: yes, but the compression may not be lossless (pruning of spent data)
14:42 < phantomcircuit> even if you're using a proper custom dictionary you're not going to get more than about 15% compression
14:42 < petertodd> maaku: huh? I'm talking about CCoins compression here
14:42 < maaku> CCoins does not contain spent outputs
14:43 < maaku> that's what I'm talking about
14:44 < petertodd> maaku: right, but then you're talking about TXO vs UTXO sets
14:46 < petertodd> maaku: if you work with a full UTXO set, there's not much of a difference between the two - the TXO version needs some extra data to fill in the missing parts of the tree, but we're talking about a log(n) difference
14:48 < petertodd> maaku: you can also get up and running faster with a TXO set, as you can grab the UTXO's that are most likely to actually get spent first, reserving the less likely ones for later (or never bothering)
14:58 < Emcy_> http://www.bbc.co.uk/news/technology-25506020 i can't believe this is the first exposure thousands of people will have to the concept of public key crypto
18:57 <@gmaxwell> oh good, there is now a storage spam coin: http://datacoin.info/index.php?id=index
18:58 < CodeShark> haha
18:59 < nsh> cryptocurrencies: fuzztesting the facade of economic rationality since 2008
18:59 < BlueMatt> heh
19:00 < CodeShark> we're about to see an avalanche of alt coins - it has barely even begun
19:00 < BlueMatt> seems like there is a business model in double-spending tiny coins and breaking these exchanges that allow you to trade literally anything...
19:02 < sipa> we should really release a tool to generate your own altcoin source...
19:02 < CodeShark> I've been thinking about that - an alt coin wizard
19:02 < CodeShark> :)
19:03 < CodeShark> set the chain params, set the name/datadir, set the pow hash function - and poof
19:03 < CodeShark> also, set the block reward rule and the retargeting rule
19:03 < CodeShark> I think that pretty much covers it, no?
19:03 < BlueMatt> sipa: I've heard that from like 10 people...
19:04 < nsh> there was a coin that had all the generally-tweaked parameters pulled out into a config file
19:04 < BlueMatt> make lots of nice sliders and checkboxes so you can make your own alt that is designed to fail miserably under load
19:04 <@gmaxwell> nsh: it's not the tweaking that needs help, half the wannabe altcoin makers can't even compile it.
19:04 < nsh> well, aye
19:04 <@gmaxwell> so the thing has to do all the technical stuff for you.
19:05 < nsh> "The difficulty is already at 10 so I basically missed out on mining it already I'll probably launch another coin tomorrow" --https://bitcointalk.org/index.php?topic=380683.0
19:05 < CodeShark> well, gmaxwell, the wizard could also create a virtual machine that builds it as well as a website to promote it :p
19:06 < nsh> just monitor knowyourmeme or whatever equivalent to see the latest craze and autotheme
19:06 < CodeShark> for full generality, the hash function as well as the block reward and retargeting rules would have to be dynamically loadable
19:06 < sipa> dynacoin
19:06 < Luke-Jr> 1nshahahaha
19:07 < sipa> launch new module -> hardfork
19:07 < sipa> Luke-Jr: 1ns hahahaha?
19:07 < sipa> that's a short laugh
19:08  * nsh smiles
19:09 < CodeShark> rather than requiring separate builds for different parameters, I prefer dynacoin :)
19:09 < CodeShark> set the chain params via config file and use dynamic linking for hash pow function
19:09 < BlueMatt> holy shit, these exchanges take literally all the diff-1 altcoins...I'd bet a ton you could double-spend them and just break the exchange software so easily...
19:10 <@gmaxwell> CodeShark: virtual machine?! wtf. You mean, "OP_JMP_TO_THIS_CODE"
19:10 < CodeShark> we don't need separate builds for each
19:10  * sipa suggests OP_X86
19:10 < CodeShark> hehe
19:10 < petertodd> sipa: ah yes, rootcoin
19:11 < sipa> also, OP_SUDO
19:11 <@gmaxwell> rootcoin can only be run as root.
19:11 <@gmaxwell> (it's to make it more fair)
19:11  * petertodd really needs to release an alt-coin that scans your hard-drive for wallet.dat files and uploads them to the P2P network
19:11 < sipa> petertodd: mines them into the blockchain, you mean
19:12 <@gmaxwell> pretty sure its been done.
19:12 < nsh> eeep
19:12 <@gmaxwell> well not the blockchain part
19:12 < petertodd> sipa: kinda obvious, but why not
19:12 < petertodd> anyway, namecoin is a perfectly good datacoin given that IsStandard() is disabled...
19:16 < CodeShark> there clearly are applications to decentralized data storage using some spinoff from bitcoin - but it feels like we're missing a second structure, besides the blockchain
19:16 <@gmaxwell> yea, but you don't have to feel bad about spamming this one.
19:16 < petertodd> gmaxwell: I thought feeling bad was a pow function to limit spam
19:16 <@gmaxwell> CodeShark: by itself some blockchain thing is not really useful for that.
19:17 < CodeShark> gmaxwell: right, we need a second decentralized structure and a mechanism that compensates people for providing storage resources on the network in the coin that is generated in the block chain
19:17 <@gmaxwell> petertodd: I mean, say you find some really _epic_ way to break namecoin with spam... you couldn't take credit for it without people being mad at you, so no sense in looking for one.  This thing, otoh, I think is free target.
19:18 < CodeShark> if only we had a reliable time-lock encryption mechanism :)
19:18 < petertodd> gmaxwell: true
19:19 <@gmaxwell> CodeShark: I think you can make POW into ticking for timelock encryption. Maybe.
19:19 < petertodd> CodeShark: gmaxwell has a coin for that
19:19 < CodeShark> petertodd: yeah? :)
19:19 < CodeShark> actually, I should be asking gmaxwell
19:20 < petertodd> CodeShark: basically you make the pow be breaking a timelock crypto problem, devils in the details though...
19:20 <@gmaxwell> CodeShark: the idea is just that you make the system generate random instances of a hard problem suitable for asymmetric crypto, and POW is attacking those random instances.
19:20 <@gmaxwell> Doing it with discrete log in ec groups isn't great though because rho is not progress free.
19:21 < sipa> 01:16:41 < petertodd> gmaxwell: I thought feeling bad was a pow function to limit spam   -> if only it converged
19:21 <@gmaxwell> hahah
19:21 < petertodd> lol
19:21 <@gmaxwell> guiltcoin
19:21 < CodeShark> lol
19:22 < sipa> PoG
19:22 < petertodd> sipa: cryptographically signed court records are gonna make this one easy...
19:23 <@gmaxwell> CodeShark: in any case, I do think that timelock crypto ticking for pow is possible, though the details may make it a bit messy.
19:23 < petertodd> sipa: one murder per block
19:23 < petertodd> sipa: gives new meaning to the term "orphan"
19:23 < CodeShark> gmaxwell: do you have anything written up on the topic somewhere?
19:24 <@gmaxwell> https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas   search for timelock
19:05 < petertodd> jtimon: basically, your utxo/txo/txin set in a cryptographic accumulator, and you can only update the state of that set if you have the transactions that have happened, thus somehow you have to ensure you don't end up with that data getting lost
19:05 < maaku> petertodd: that doesn't have generic-coloring stuff you were just talking about right?
19:05 < petertodd> jtimon: easy to do in a single consensus-realm system, but quickly becomes an existential risk if you try to scale more than that
19:05 < petertodd> maaku: not explicitly, but the basic ideas in that paper can be applied to such schemes
19:06 < maaku> petertodd: is this accurate to what you are talking about:
19:06 < maaku> <maaku> So one can imagine a coloring script that acts kinda like a virus: it loads the transaction, does some checks to make sure it doesn't invalidate any coloring constraints, and then attaches itself (referencing its own source code) to the colored outputs
19:06 < jtimon> petertodd: in that thread you only had committed utxi, not utxo
19:06 < petertodd> maaku: yup
19:06 < petertodd> jtimon: right, but the logic applies equally to utxo too
19:06 < maaku> you'd need a much more powerful script language to do interesting things with that
19:07 < maaku> but you certainly could do interesting things
19:07 < petertodd> maaku: heh, I'll say... such scriptPubKeys are quines after all!
19:07 < jtimon> I'm sorry guys, I'm not sure I follow
19:07 < gmaxwell> petertodd: the coloring constraint can even validate an issuing authority signature, to make sure the initial attachment was permitted.
19:07 < maaku> jtimon: http://en.wikipedia.org/wiki/Quine_%28computing%29
19:07 < jtimon> but what I meant by making the utxi scalable through expiries
19:07 < gmaxwell> So you can't just go affixing it to new random coins.
19:08 < petertodd> jtimon: so in bitcoin, when a miner finds a block, what forces them to release the actual block contents rather than just the block header?
19:08 < petertodd> gmaxwell: yup, or make it part of the program operating "if prev txout == magic return true"
19:09 < gmaxwell> petertodd: and to avoid the awful outcomes in my covenant thread... you make sure the color virus has a kill switch.
19:09 < jtimon> petertodd, other miners won't mine on top of your block if they can't see it in full, it could be invalid
19:09 < gmaxwell> e.g. a way to spend it to tell it to not attach to the output.
19:09 < maaku> petertodd: we originally had introspective scripts in the freimarkets spec but gutted it because we didn't see a compelling use case, but this changes things
19:09 < maaku> it's a bit of complexity, but probably worth it
19:10 < petertodd> jtimon: Exactly. But other than that, what actually forces them to do that? For instance, what if you could prove a transaction was valid without the UTXO data itself?
19:11 < petertodd> maaku: I gotta read the freimarkets spec...
19:11 < jtimon> nobody forces them, it's just the best they can do, not sure I understand the second question...
19:12 < gmaxwell> http://www.itbusiness.ca/news/royal-canadian-mint-readies-its-version-of-bitcoin-mintchip/46113  mintchip is moving forward? heck yea.
19:12 < petertodd> jtimon: well, we can make systems where transactions can be accompanied by short proofs that their txins are valid, and those proofs can be used to update things like committed UTXO set trees. Those two things let miners mine while fully validating, but without any blockchain data.
19:12 < maaku> petertodd: well its not in any public version of the spec, but I wouldn't be opposed to adding it back in
19:12 < maaku> petertodd: it may be sufficient reason to revamp script entirely
19:13 < petertodd> gmaxwell: I'll be interested to see if that alleged privacy leak is still in the spec...
19:13 < maaku> (we mostly dropped it because doing introspection was a kludge without LISP-like semantics)
19:13 < petertodd> maaku: it's a pretty useful feature IMO - I first thought of it for fidelity-bonded bank stuff
19:13 < petertodd> maaku: I suspect you can do it reasonably nicely with real forth semantics
19:14 < gmaxwell> petertodd: man, I wish I'd thought to ask them to be able to do something to do trustfree binding with bitcoin.
19:14 < petertodd> gmaxwell: if it was possible by accident they probably would have changed it to prevent it...
19:15 < gmaxwell> petertodd: e.g. just a "I've been paid!" message signed by your chip is enough.
19:16 < petertodd> gmaxwell: sure, although good luck on it being crypto-compat with bitcoin
19:16 < maaku> has anyone looked at hard-fork scripting improvements? other than Merklized scripts
19:16 < petertodd> maaku: I'm not sure there are any scripting improvements that actually need a hard fork you know...
19:16 < gmaxwell> Merklized scripts don't have to be a hardfork improvement.
19:16 < gmaxwell> You just P2SH deploy the update.
19:17 < jtimon> petertodd: does this require any snark-like tech? maaku: what are the differences from "regular stateless validation"
19:17 < jtimon> ?
19:17 < petertodd> jtimon: not at all
19:17 < maaku> jtimon: i think petertodd is explaining stateless validation
19:17 < petertodd> maaku: yup
19:18 < gmaxwell> maaku: things I want merklized scripts, restore missing opcodes, extra checksig flexibility, true scalable threshold signatures (e.g. schnorr).
19:19 < petertodd> "Money instantly moves from one cloud-based, MintChip account to another" <- it's cloud-based now? hmm...
19:19 < jtimon> ok, I guess then I don't understand stateless validation well enough because I don't see how you would do coloring or what the power of the scripting language has to do with it
19:19 < gmaxwell> oh also, I eventually invented a much better scheme for hash based signatures, only to realize I invented something that has long been known. E.g. one time use hash based signature with 128 bit security (using 256 bit hashes) = 2.1kbytes.
19:19 < petertodd> jtimon: it's got nothing to do with either
19:19 < gmaxwell> petertodd: oh dear, did they make it suck?
19:20 < petertodd> gmaxwell: wouldn't surprise me... they probably noticed phones don't have card-readers
19:20 < petertodd> gmaxwell: and if they made it suck, they probably also made it possible to reverse tx's due to hacks...
19:20 < gmaxwell> damnit
19:20 < jtimon> can't you put an NFC card near a phone?
19:21 < petertodd> jtimon: that's harder than making it suck
19:21 < gmaxwell> I hope they didn't make it suck.
19:21 < petertodd> jtimon: and seriously, even that is susceptible to hacks - you really need an NFC card with an LCD display
19:21 < gmaxwell> Even without trustless binding it was going to be awesome for bitcoin.
19:22 < maaku> gmaxwell: i've been compiling a list of things that might make it in an updated freimarkets spec, and those are on it
19:22 < jtimon> yeah, I guess you need an LCD and a couple of buttons in the card
19:22 < maaku> i'd love both lamport signatures and ed25519-derived schnorr signatures (if that is possible)
19:22 < petertodd> jtimon: yup, and then you really want the cards to be registered to people's names, so the lcd displays who it's really going to...
19:22 < maaku> using the sighash byte to keep compatibility
19:22 < gmaxwell> I am less enamored with ed25519 than I was. I like our curve better now. :P
19:23 < maaku> why?
19:23 < gmaxwell> maaku: just have a second checksig operator.
19:24 < gmaxwell> maaku: because ed25519 has a cofactor of 8, and because the "standard" software for it is incompatible with things like BIP32.   (also, because one of the things I thought was weak about our curve turned out not to be.)
19:25 < gmaxwell> I believe our curve also has higher security against all known attacks, outside of implementation mistakes, not that it matters much.
19:25 < maaku> but it is faster & resistant to timing attacks, isn't that pretty significant?
19:26 < gmaxwell> no, in fact it's not resistant to timing attacks unless you drop the compatibility with BIP32. (or make it much slower)
19:26 < gmaxwell> To make it constant time (and faster) they require the most significant bit of the private key be 1.
19:26 < maaku> i mean I'm in agreement with our curve not being weak, but I thought ed25519 was strictly better in most cases
19:26 < gmaxwell> which means that you can't have a 'randomly' generated private key, e.g. from a public derivation.
19:27 < gmaxwell> and without that you make it slower and you take away the constant timeness (though you could get back the constant timeness with a major slowdown, just like for our curve)
19:27 < maaku> sorry confusing pronoun dereferencing : ed25519 is resistant to timing attacks and secp256k1 is not, right?
19:27 < gmaxwell> and the speed difference isn't so huge.
19:27 < maaku> hrm. ok
19:29 < maaku> i see, so it'd be quite a bit of work for little payoff
19:29 < gmaxwell> maaku: _curves_ aren't resistant or not, their implementations are, though curve choice can limit what implementations are available.  ed25519's canonical implementation is both fast and timing resistant, but requires that the most significant bit of the private key be 1.
19:29 < maaku> which kills bip32, i understand now
19:29 < petertodd> so why does that kill bip32?
19:29 < gmaxwell> which is neat, but if you take away that bit, then its not timing resistant, and making it timing resistant makes it not fast. (though it may still be better off than secp256k1)
19:30 < gmaxwell> petertodd: it kills type-2 derivation since you can't tell if the private key will have the MSB set.
19:30 < gmaxwell> now it may not be much work in reality, because the tor project has this whole big proposal for a redo of hidden services.
19:31 < gmaxwell> And it does something very similar to type-2 derivation to prevent HS directories from enumerating which hidden services are in use.
21:39 < Emcy> his heart seems to be in the right place wrt bitcoin......
21:39 < Emcy> i hope he can get back somehow
21:40 < petertodd> i dunno, if I had a family to think about and that happened, I'd think very hard about quitting :(
21:42 < Emcy> what has he really got to be afraid of
21:43 < Emcy> it's a step from i hacked u lul to ill kill youre family
21:43 < petertodd> Emcy: he told me he works in intelligence...
21:43 < Emcy> oh
21:43 < Emcy> US?
21:43 < petertodd> Emcy: dunno
21:44 < petertodd> Emcy: https://bitcointalk.org/index.php?topic=335658.msg3607994#msg3607994
21:44 < Emcy> maybe hes done then
21:45 < maaku> hell i would be too
21:45 < petertodd> fuck, worst-case is he just committed suicide by two gunshots to the back of the head...
21:46 < Emcy> how macabre
21:46 < Emcy> when you said web bugs, you meant nasty payloads embedded in sites right
21:47 < Emcy> dillon always seemed pretty damn clued up
21:47 < petertodd> Emcy: links to images embedded in comments - gives up the ip addresses of everyone who views the comment
21:47 < Emcy> but we do know now that if a (US at least) agency wants your computer you can't stop it
21:48 < Emcy> perhaps the forum should disable hotlinking
21:48 < petertodd> Emcy: yeah, I thought at first he was the alt of someone in the community, but that's kinda presumptuous to think there aren't smart people out there who understand bitcoin well
21:48 < petertodd> the forums really should
21:52 < Emcy> so it seems proponents of blacklisting and stuff are playing dirty
21:53 < Emcy> petertodd based on what he said there, i doubt he's coming back ever
21:55 < petertodd> maybe... i dunno, this is either some misguided hacker who has no understanding of politics - don't make martyrs out of people - or it's some scary spook shit meant to scare off employees from leaking anything/having political opinions
21:55 < petertodd> I hope it's the former, for his sake.
21:56 < Emcy> yes
21:56 < petertodd> if it's the latter, hopefully it means that Tor works and his employers still don't know who he is, so figured a warning was the best they could do.
21:56 < petertodd> or it's something else entirely
21:58 < Emcy> he could have done a dead drop of another pgp key for you at the conf, in case something like this happened
21:58 < Emcy> in the toilet maybe........
22:00 < petertodd> nah, bitcoin timestamp a message in advance is the obvious thing to do
22:01 < Emcy> oh right yeah thats perfect
22:01 < phantomcircuit> petertodd, what kind of silly person allows javascript on bitcointalk
22:02 < Emcy> if anything this shit demonstrates why privacy is important
22:02 < Emcy> also the lartyr thing
22:02 < Emcy> martyr
22:02 < petertodd> Emcy: agreed
22:02 < Emcy> babbys first politics
22:02 < phantomcircuit> petertodd, this is why i mostly chat with OTR
22:03 < Emcy> like how the republicans shut down your govt in a tantrum over obama health lol
22:03 < petertodd> phantomcircuit: yeah, that we use IRC for everything is not good
22:03 < phantomcircuit> unfortunately jabber which is the easier to use otr with is a mess
22:04 < phantomcircuit> and running our own irc server is well
22:04 < phantomcircuit> nothx
22:04 < petertodd> I mainly use ChatSecure on android for OTR
22:05 < warren> OTR for IRC seems unusable
22:06 < petertodd> works well on irssi, at least for me
22:06 < Emcy> hmm are freenode's interserver links encrypted even
22:06 < Emcy> or m/any of the other big networks
22:07 < petertodd> Emcy: dunno
22:11 < phantomcircuit> Emcy, i doubt it
22:15 < theymos> I hear there are concerns about forum security?
22:16 < warren> gmaxwell: hey, are you interested in being part of a group who defines the formal requirements for the next generation forum?
22:16 < warren> gmaxwell: including the things we discussed earlier
22:16 < petertodd> theymos: you see how jdillon was compromised?
22:17 < petertodd> theymos: probably not related, but I mentioned how twice people have tried to put web-bugs in forum messages on -talk and the foundation forum
22:17 < warren> theymos: it's hard to know for certain exactly what vector he fell to
22:19 < Emcy> if that leak was meant to reveal some sort of ulterior motives from you and john, it failed imo.
22:19 < theymos> I just read about that a few minutes ago. That's what caused me to come on IRC. Seems interesting.
22:20 < Emcy> its more like people do things in private related to what they also do in public, welcome to earth
22:20 < petertodd> Emcy: thanks, though the reddit discussion especially is remarkable at missing the point
22:20 < theymos> It seems that he was not compromised via the forum, as his GPG and email were also compromised.
22:20 < warren> It seems everyone in those communications clearly wants to protect Bitcoin.
22:20 < theymos> Web bugs in PMs are known and common.
22:21 < warren> looks like some of those copied leaked messages were PM's
22:21 < warren> others were GPG mail
22:21 < petertodd> theymos: yeah, I doubt a webbug would have done anything other than give a tor exit server ip address in this case...
22:21 < warren> Emcy: yeah, I don't know what agenda was meant in leaking that.
22:22 < Emcy> petertodd in fact it only really strengthens your position of wanting the technical side of bitcoin to remain true to its founding principles
22:22 < Emcy> not something that was exactly a secret with you or others mentioned there
22:23 < warren> Emcy: well, I spelled out the regular practice of hiding security/dos fixes in commits that don't mention it ...
22:23 < Emcy> theymos disable HTML on the forum man
22:23 < Emcy> or the parts of BBS markup that allow hotlinking and stuff
22:23 < warren> theymos: yeah, forum should be telnet only
22:23 < petertodd> warren: what if my modem has a zero-day?
22:24 < Emcy> lol i meant forum markup with the []
22:24 < theymos> petertodd: Yes, he was using Tor.
22:24 < petertodd> Reasonable compromise with hotlinking would be to filter to, say, imgur-only
22:25 < Emcy> petertodd if it was his agency trying to get him, thats not enough
22:25 < petertodd> You know, one plausible vector is github of course...
22:25 < theymos> I was thinking recently of using http://images.weserv.nl/ , but I haven't had time to do it.
22:26 < petertodd> Emcy: I'll say - could be any number of browser zerodays
22:27 < Emcy> how did firefox react to all that......they were specifically targeted too i think, according to the leaks
22:27 < warren> Emcy: that was an old version of firefox
22:27 < Emcy> you'd expect it from the likes of IE
22:27 < Emcy> how old
22:28 < petertodd> Emcy: I mean, hell, this is a guy who I think was sticking to a fixed posting schedule for anti-timing analysis... heck, I'd joked to warren before that he was probably scheduling his vacations to correspond with mine to throw people off.
22:28 < Emcy> could be true.......
22:29 < Emcy> the bloom thing has since been publicly dealt with right? I think i remember something
22:29 < warren> petertodd: oh. I'm guessing the "leak" is the bitcoin foundation communications that were posted in public.
22:29 < petertodd> if I were trying to keep my IRL identity anonymous I'd use IRC chat logs and only post when some well-known community member did...
22:30 < warren> Emcy: the bloom thing is not much of a secret anymore
22:30 < petertodd> warren: yeah. it did leak that I was the one who sent him mike's post in the first place
22:30 < Emcy> irc chat logs/
22:30 < petertodd> Emcy: there's been some fixes that make it a fair bit harder to exploit - far from perfect, but it's a good step that gives us time
22:30 < Emcy> ?
22:30 < warren> Bitcoin Foundation forums are not much of a secret.  it costs what, $40, to be able to read it?
22:31 < Emcy> yeah i don't know why they don't just make that read only for non members. all the good stuff gets out anyway
22:31 < Emcy> plus the foundation has a bit of an air of exclusivity to dispel, if it cares to
22:31 < petertodd> Emcy: with anti-timing analysis, you want to make sure someone can't try to match up your IRL schedule to when you post things with your pseudonym. So, use IRC logs to deliberately match the schedule of *someone else* to throw any investigators off the trail.
22:31 < Emcy> right yes
22:31 < petertodd> Emcy: I noticed a while back he'd almost only ever been posting on sundays too...
22:31 < Emcy> so someone else gets black bagged and not you lol
22:32 < petertodd> Emcy: yup
22:32 < Emcy> In addition to what I said earlier, I mentioned your status to a friend
22:32 < Emcy> of mine who is a former spook and well aware of the dangers of the
22:32 < Emcy> business to anyone with a sense of ethics.
22:32 < Emcy> ^saddest passage in there imo
22:33 < petertodd> Emcy: the fact that the people I know IRL who tend to be strongest in support of snowden have been from intelligence/military backgrounds really says something
22:34 < Emcy> kind of puts paid to the shitty assertion that if people really cared, theyd put on a suit and change the system from the inside
22:34 < Emcy> it just doesn't work like that
22:34 < petertodd> fuck no
22:34 < petertodd> well... they get into the system, and use that access to leak...
22:34 < Emcy> i heard it stated lots as a glib dismissal of the whole occupy thing.......annoyed me
22:35 < petertodd> yeah
22:36 < Emcy> (what occupy apparently was in the beginning i mean, before being sybil attacked by hippies)
22:36 < petertodd> though snowden really made it clear to people how rotten things were - these organizations can be reasonably good at compartmentalizing stuff, so you don't necessarily know that stuff is going on
22:36 < petertodd> Emcy: "sybil attacked by hippies" <- brilliant
22:36 < Emcy> heh, thats what i saw from the streams and such
22:37 < Emcy> and when they started segregating men and women in the camps
22:37 < Emcy> nope to that
22:37 < Emcy> men from women more accurately
22:37 < Emcy> anyway
11:17 < jtimon> but I disagree on "the idea is mining is like to get the right to vote on what the next block is"
11:17 < adam3us> jtimon: if those problems could be convincingly fixed, it might be quite interesting
11:18 < jtimon> the idea of mining is sequencing events irreversibly
11:18 < adam3us> jtimon: correct, and to vote on their validity (for SPV client reliance)
11:19 < adam3us> jtimon: but interestingly the actual sequence doesn't matter, just that everyone agree on a sequence.  if they could do it via coin toss that would be just as good
11:19 < wallet42> stealth addresses are base58_check encoded compressed pubkeys?
11:19 < jtimon> toss?
11:19 < adam3us> jtimon: (except for some issues with 0-confirm security model where network propagation such as it is provide some modest security)
11:19 < wallet42> whats the versionbyte?
11:20 < jtimon> justanotheruser: I think ppc is less secure for having pos, but it would be much more insecure if it didn't have pow at all
11:21 < adam3us> jtimon: (this was part of the entangled design discussion i had with petertodd that he wrote about it a bit in that same post.  at the lowest level you could obtain a distributed consensus sequence from a distributed timestamping service)
11:21 < jtimon> justanotheruser: apart from the "I buy the system to destroy it" attack, as adam3us pointed out: "many PoS have actual protocol defect to allow mining on multiple candidate blocks in parallel so devolve to PoW"
11:22 < jtimon> adam3us, of course, the challenge is the infinitely scalable p2p timestamping system
11:22 < adam3us> justanotheruser: gmaxwell gave some arguments that PoS fails because users can rationally vote on both sides of a fork, or on many forks to get higher voting power so it devolves to PoW.  so i think it doesn't quite work in practice with the consensus mechanism as anyone can construct multiple candidates
11:24 < adam3us> jtimon: yes.  well my offline exploration was to see if you could pull the bitcoin design apart, work out the minimum required dependency and features and put it back together in another way with any useful improvement.  that experience led me to declare bitcoin design is "entangled" because many security features rely back on the same PoW chain.
11:25 < adam3us> jtimon: and also to declare bitcoin only just works, or the design is fairly optimal.  because each design change i considered of dozens always made things worse or more complicated or less efficient.
11:25 < jtimon> yeah, I agree, I have made similar journey while exploring possibilities for ripplecoin (where the hostcoin was actually more of a problem than a requirement)
11:25 < adam3us> jtimon: the ghost idea was one of these, but i considered it worse because its more complicated; perhaps i was too hasty on that one, they claim its a useful design alternative.  apparently ethereum is considering it.
11:27 < jtimon> adam3us: it looks interesting to me, but of course that doesn't solve all the scalability problems, is just a little bit of help
11:27 < adam3us> jtimon: at this point i would've taken any improvement :) my exploration of the design space was a failure.  pools do seem a problem worth removing.
11:29 < stonecoldpat> are mining pools not just a natural process that can't really be removed? It's a bit like industrialisation...
11:29 < adam3us> jtimon: but like i say adding an indirection between mining and voting seemed to create perverse behavior opportunities with like saving up voting power for one moment of abuse (hashcash had this problem) or selling votes
11:30 < adam3us> stonecoldpat: well one thing is industrial scale mining, that's perhaps somewhat inevitable.  the other thing is people giving their vote to a pool operator while it is the user actually with the mining power.  that should be avoided if we could find a way IMO
11:31 < stonecoldpat> is the vote to choose the correct branch? or how to distribute the coins?
11:31 < stonecoldpat> i remember having a thought about this before christmas (how to distribute coins) - i seen it as a pretty bad problem
11:31 < adam3us> stonecoldpat: correct branch and form part of a kind of distributed signature attesting all the transactions are valid
11:33 < stonecoldpat> adam3us: i don't know if a distributed signature is really necessary, a block with an incorrect transaction won't be accepted by the rest of the community (unless this pool has over 50%) - so it is in the interest of the pool lead to verify the transactions are correct
11:33 < stonecoldpat> adam3us: and choosing the correct branch is hard - since they are both correct. it may lead to greater vulnerabilities (by tricking the voters) - im sure some politician tactics could be deployed
11:33 < adam3us> stonecoldpat: yes but the SPV (smartphone/limited bandwidth) clients accept whatever is claimed by sampling a few nodes
11:35 < adam3us> stonecoldpat: so eg a smartphone may download only the hashchain and ask for merkle proof that a tx is in a block, and then just assume its valid.  if someone can get enough power to create 6 blocks they could print money in the eyes of SPV clients... so i just mean the distributed signature in the sense that it is hard for someone with << 50% of hash power to win 6-blocks in a row
11:36 < adam3us> stonecoldpat: yes if all candidate blocks are valid tossing a coin to choose a block at random would be just fine.
11:44 < Luke-Jr> I wonder if stealth addresses can be combined with P2SH^2 somehow
11:46 < jtimon> stonecoldpat: the network will never accept an invalid transaction no matter the % of hashing power, the only thing 51 attackers could do is change the order (for double-spending purposes?) or freeze the chain
11:47 < jtimon> stonecoldpat: if you have ideas for coin distribution, maybe you're interested in this: http://foundation.freicoin.org/#/about
11:48 < jtimon> adam3us: about your "pools problem" what about this other approach: *somehow* prevent non-p2pool pools from mining
11:48 < jtimon> adam3us: solo miners could only mine on their own p2pool alone
11:49 < jtimon> /only/always
11:49 < Luke-Jr> jtimon: p2pool isn't special
11:49 < adam3us> jtimon: yes that is an interesting direction (prevent pool security) amiller had some idea relating to this.  i dont think it quite worked however
11:49 < Luke-Jr> there is no reason to prefer it over other decentralised schemes
11:50 < jtimon> Luke-Jr I thought it was (and by p2pool I include eligious, just exclude "centralized pools")
11:50 < adam3us> jtimon: i have a friend who elects to solo mine as a kind of lottery.  it'll take him years to get $25,000 payout.  the limitation is that.  if the reward could be made less lumpy maybe.
11:51 < jtimon> maybe that term is more appropriate centralized vs p2p pools
11:51 < Luke-Jr> jtimon: p2pool is a specific pool, both decentralised and also p2p
11:51 < Luke-Jr> jtimon: BitPenny was the original decentralised pool ;)
11:51 < jtimon> I see
11:51 < Luke-Jr> unfortunately, they died out
11:51 < jtimon> well, I think most frc pools are based on p2pool software, that may have contributed to my confusion
11:52 < jtimon> in frc there's only centralized pools and p2pools
11:52 < Luke-Jr> makes sense, GBT isn't feasible for FRC as-is
11:53 < jtimon> my point for adam3us was "instead of thinking about micro-mining, think of a way where only p2p pools are allowed"
11:53 < forrestv> as usual, Luke-Jr ignores other benefits of p2pool
11:53 < Luke-Jr> ok, but my point is that p2p is a bad thing; what you want is decentralisation
11:53 < forrestv> 's complete decentralization
11:53 < Luke-Jr> forrestv: there are none, to the network
11:55  * jtimon doesn't understand the difference between decentralized and p2p in this context
11:57 < Luke-Jr> jtimon: decentralised = miners create the blocks; p2p = there's no server to coordinate things
11:58 < jtimon> I see, yeah decentralized is enough since all miners validate everything, no?
11:58 < forrestv> Luke-Jr, you really need to use a name other than "decentralized," considering that eligius definitely has a central server..
11:58 < Luke-Jr> well, all nodes validate everything, miner or not
11:58 < Luke-Jr> forrestv: the mining isn't centralised though
11:58 < jtimon> I mean, in a centralized pool, a miner only hashes, doesn't see anything else
12:00 < jtimon> the validation node of a centralized pool can do more harm than the coordination server of a decentralized pool
12:00 < adam3us> jtimon: agreed
12:01 < adam3us> jtimon: a way of putting it is that miners are giving their vote to the pool.  they should exercise their own vote, by doing their own validation
12:01 < jtimon> I don't know how this could work, probably changing the PoW, just wanted to inspire you adam3us
12:01 < Luke-Jr> jtimon: it cannot work.
12:02 < Luke-Jr> jtimon: if you take away centralised mining, hosted mining will flourish
12:02 < jtimon> I don't really like the word vote, then people say stupid things like "miners vote the rules of the system"
12:02 < Luke-Jr> "voice" perhaps
12:03 < adam3us> Luke-Jr: hosted mining is even worse, so that is a bad game theory outcome.
12:03 < helo> shoehorn?
12:03 < jtimon> which degenerates in even more stupid things like "scrypt is more democratic than SHA256"
12:03 < Luke-Jr> adam3us: that's my point
12:03 < Luke-Jr> adam3us: stopping hosted mining is impossible, and that's what we'll get if we take away centralised mining
12:04 < adam3us> Luke-Jr, jtimon: it seems to me what you want is a mining algorithm with diseconomy of scale.  not sure if that is significantly possible however
12:04 < jtimon> Luke-Jr, why?
12:04 < sipa> Luke-Jr: decentralized != trust-free
12:04 < sipa> Luke-Jr: eligius is trust-free, but centralized
12:04 < brisque> "hosted mining" is a sham anyway. there's no reason anybody would rent out mining equipment unless they're expecting their customers to take a loss.
01:58 < gmaxwell> petertodd: surely you can agree that special purpose hardware can get 4x to perhaps 10x more price or power efficiency over general purpose stuff no matter what you do algorithimically.
01:59 < petertodd> gmaxwell: Yes, but 4x is manageable in the context of a proof-of-work system IMO. It's the 100x and 1000x speedups that are really scary.
01:59 < gmaxwell> well then you also have to think about process improvements. It's a lot easier to port dram to better processes than other kinds of logic.
01:59 < petertodd> gmaxwell: I accept I can't stop custom hardware entirely, but I can keep to the level where it's a cottage industry where guys doing PCB layouts stuffed with memory and FPGAs can still compete.
02:00 < adam3us> maybe if you could fully exercise the gpu hardware you could force the attacker to build a gpu
02:00 < adam3us> however even then probably much of the hw is junk for the purpose of mining; eg video rendering, vga/dvi etc
02:00 < gmaxwell> in general POW functions will always allow for super regular hardware implementations "10000 copies of this circuit".. and that lowers the costs substantially to get it to a better process.
02:00 < adam3us> so it will be improvable
02:01 < gmaxwell> OTOH, bitcoin asics are _nowhere_ near process state of the art. I don't even mean lithography. There is a lot of optimization that they're not doing on their current process.
02:01 < gmaxwell> yea, just throwing out all the IO hardware you don't care about saves considerable power and area.
02:01 < gmaxwell> (esp power; driving a bunch of IO is power hungry and general purpose hardware doesn't bother power gating most of that stuff)
02:02 < petertodd> gmaxwell: Is that actually true? The Avalon chips are apparently surprisingly dense for the process node they were fabbed on.
02:02 < gmaxwell> petertodd: from talking to them they aren't doing anything exceptionally clever.
02:02 < adam3us> well i guess the other issue is that its probably going to be difficult to design something efficiently verifiable and memory hard and dynamic (requiring CPU-like branching)
02:03 < petertodd> gmaxwell: I'm thinking of a third-party teardown that was done.
02:03 < petertodd> gmaxwell: s/teardown/decapping/
02:03 < amiller_> i don't believe that, i think you can make an efficiently verifiable pow for basically any task
02:03 < adam3us> a problem i see is getting hardware, seems fair chance butterfly are premining the hardware their customers paid for
02:04 < gmaxwell> amiller_: I'm skeptical about non-memory hard validation for memory hard POW. Certainly you can make POWs that allow partial validation.
02:04 < adam3us> and that other manufacturers who put increasing design/fab resources are economically going to do the same
02:05 < adam3us> well eg in the early days of hashcash i was thinking about floating point tweak to SHA1 etc, but then what if your hash function turns out to be attackable
02:05 < amiller_> gmaxwell no that's totally possible, you can just keep doing cut and choose over and over again until it's a constant size sample
02:05 < amiller_> gmaxwell, this constant-verification merkle tree proof of work paper from 2009 has a really general form
02:06 < petertodd> adam3us: ugh... you really don't want to start putting stuff like floating point into your PoW in a hard-consensus system, because that just makes that set of features a nice optimization target.
02:06 < gmaxwell> amiller_: okay that's a different kind of memory hard function than I was thinking of, in that its a read mostly one where the validator can have a copy which has trustworthy updates.
02:06 < adam3us> well my point is that designing one-way hash function is hard, eg sha0 got broken, md4, md5 got broken etc history is littered with broken hash functions
02:07 < petertodd> amiller_: How well does non-interactive cut and choose work though? You run the risk of putting the work into gaming the cut-and-choose system if you are not careful.
02:07 < amiller_> non-interactive cut and choose is always about making you finish all the work before you make the first cut
02:07 < petertodd> adam3us: All the litter is kinda old though... :)
02:07 < gmaxwell> amiller_: and yea what petertodd says.. I just keep 1 nth the database and do Nx more queries. Often the trade off is non-linear.
02:07 < amiller_> gmaxwell, no, sequential accesses prevents that
02:08 < adam3us> amiller_: are you talking about the coelho paper ("constant-verification merkle tree proof of work paper from 2009")
02:08 < amiller_> yes
02:08 < amiller_> that doesn't include the sequential access thing
02:08 < adam3us> well i am sure the sha3 competition has some more litter :)
02:08 < amiller_> but it's also not about a memory hard puzzle
02:08 < gmaxwell> amiller_: I don't see how you can enforce sequential access with a memoryless validator.
02:08 < adam3us> one winner, many losers
02:09 < amiller_> gmaxwell, the memory is a merkle tree, the memoryless validator validates merkle tree paths, but the puzzle solve has to access random locations in the memory in sequence
02:10 < gmaxwell> amiller_: right which is fine, but I can just have 1 nth of the tree or you must increase your proof size by ~O(N) to stop me.
02:10 < gmaxwell> I suppose that its sort of like the PCPs though, fairly little N really does a bang up job at preventing me from subsetting.
02:11 < petertodd> gmaxwell: Yup, PCP's was exactly what I was thinking of.
02:11 < amiller_> gmaxwell, no because you can build a merkle tree then cut and choose over that proof too
02:11 < adam3us> i suppose what you are saying about validating anything is true but with a work/validation ratio of N/(P.log(N)) which is not a great ratio
02:12 < gmaxwell> amiller_: I suppose I'll have to walk through that to see how that works to make the proof compact, but I'll take your word for it.
02:12 < adam3us> to do better you have to rely on a pow and those are not general, they require a one-way function of some kind
02:12 < gmaxwell> (To be honest, I was mostly happy with lite proof validation for memoryless nodes)
02:13 < gmaxwell> (e.g. construct your POW so that the memory hard part is buried behind another hash, and you just transmit that intermediate state and storageless nodes just don't verify the memoryhardness)
02:13 < adam3us> gmaxwell: the idea is populate a merkle tree with pow, then have the verifier use the root hash of the tree to select a subset of paths to validate
02:13 < gmaxwell> adam3us: Thank you for making it clear to me!
02:13 < gmaxwell> Thats elegant.
02:14 < petertodd> gmaxwell: the problem there is how do you make partitioning a node expensive?
02:14 < petertodd> gmaxwell: partitioning them undetectably that is
02:15 < gmaxwell> petertodd: with proofs of cheating which can be bigger because they're only sent in the exceptional case, and it still reduces to non-memory hard POW otherwise. But yea, the non-interactive cut and choose is indeed better than I was thinking and solves the problem.
02:16 < amiller_> hrm, yeah i think there's sort of a glitch where you can just make a small number of your pow's bogus and it's unlikely they'll be included in the sample that gets chosen
02:16 < amiller_> PCP basically addresses this but it does it with enormous error correcting codes that are a huge burden on the prover
02:16 < petertodd> gmaxwell: Yeah - by "partitioning" I'm assuming the node has no communication to anyone to even tell them fraud has been committed. It's a problem in Bitcoin too, but at least we can easily make reasonable assumptions about network hashing power.
02:17 < gmaxwell> yea, I mean, it's not hard to implement big RS codes over in hardware... but kinda defeats the memoryhardness.
02:17 < gmaxwell> FFT multipliers makes such nice circuits.
02:18 < gmaxwell> (staged POW still is useful for anti-DOS)
02:18 < petertodd> adam3us: You know, thinking a bit more about your comment about multi-port ram, it's interesting how if your pow-data set is static, at the extremes the difficulty becomes the routing hardware required to make the multiple ports actually work together nicely.
02:19  * gmaxwell &
02:20 < petertodd> adam3us: In practice though, I think the right approach is to have a master UTXO copy, populate the scratchpad memory for your work function, then do some work that consumes random access bandwidth >>>> BW required to populate, then proof via NI cut-n-choose partial merkle proof.
02:21 < petertodd> An optimal hardware design in that case has swiftly diminishing returns, because the non-optimal one only doubles the memory cost.
02:22 < petertodd> The trick is then to have a hashing function at the base of all this that can keep up with the main memory bandwidth.
02:22 < petertodd> IE the cheapest one possible so the slowness of the CPU implementation doesn't matter.
02:29 < adam3us> anyway it seems like the asic problem is an economic problem, and the solution is a not-for-profit that aggressively designs and manufactures state of the art asics and flood the market with them at-cost
02:30 < adam3us> seems to me that the players so far have not had that mindset so we have some kind of mining oligopoly
02:30 < petertodd> That's hopeless for decentralization: the world is rapidly converging to the global economy being able to support exactly 1 chip fab.
02:31 < petertodd> You need to ensure that whatever *commodity* magic that 1 chip fab is producing is as close to optimal as possible hardware for your proof-of-work function.
02:31 < adam3us> if there were enough chipfabs to be non-discriminatory
02:31 < adam3us> u say: adapt the proof-of-work function to what they are building - maybe yes
02:31 < petertodd> There just won't be - you get better performing chips from a chip fab by making the fab more expensive. Thus we used to have hundreds of fabs capable of producing top of the line chips, and that number has been dropping ever since.
13:58 < petertodd> Sure, I just worry you're creating a bunch of very specific special purpose code, where more general is better.
13:58 < jgarzik> I want to get the identity alt-chain demo-able (if not usable) out of the gate, too
13:58 < jgarzik> petertodd, understood.  though make it too general and nobody interoperates usefully ;p
13:59 < jgarzik> It is easy enough to change details like sacrifice minimum cost, sacrifice  or timestamping chain used for validation
13:59 < petertodd> Well, remember I've got the experience of making a general timestamper, and in the end it turned out to be really not a big deal basically.
13:59 < petertodd> About as easy as a Bitcoin tx specific one
14:02 < jgarzik> The optional timestamping is not really an important component of disposable SINs.  Just thought it might be useful.
14:02 < petertodd> Well, leave it out then for v0.1 :)
14:02 < jgarzik> Could leave it out entirely, and let users solve that problem in whatever way they wish.
14:02 < jgarzik> :)
14:02 < petertodd> Making SINs scarce is the innovative thing anyway
14:03 < jgarzik> yep.  and with disposable SINs you are given a choice between the two.
14:03 < petertodd> what language are you looking at implementing it in first anyway?
14:04 < jgarzik> petertodd, sadly for python fans, probably javascript.  I'm ultimately a C programmer, FWIW, so my left-to-own-devices choice would be that, create a "libsin" in C.  Might do that eventually anyway.
14:05 < jgarzik> JavaScript looks C-esque (personal taste), seems faster than python, and is browser friendly.
14:05 < petertodd> javascript is good for web stuff, not a bad choice
14:06 < petertodd> I always knew opentimestamps would need javascript client libraries to be really useful
14:07 < jgarzik> indeed
14:09 < petertodd> Incidentally, proof-of-sacrifice can be used to make an inherently 51% proof alt-chain.
14:09 < jgarzik> petertodd, in a mostly unrelated note, txtool will be gaining easy ability for people to create timestamping OP_RETURN transactions
14:09 < petertodd> Ah cool
14:10 < petertodd> You design your chain such that to create coins on it you need to sacrifice Bitcoins, and at the same time that sacrifice is how consensus is determined.
14:10 < jgarzik> petertodd, I still need to review IRC chat notes, and think through how the identity alt-chain might work.  For convenience' sake, it might be useful to have a chain that is not PoW at all, but is provable through timestamping + sacrifices in another chain.
14:11 < petertodd> You also allow users to sacrifice the alt-coins to mine blocks as well. Now this *isn't* proof-of-stake because given a jam-proof-network you are in fact giving up something of value.
14:11 < jgarzik> petertodd, i.e. a bitcoin sacrifice could grant the right to update the identity chain
14:11 < jgarzik> thus paying in bitcoin to update the identity database
14:12 < petertodd> The trick is that any attacker trying to 51% the blockchain for profit has the problem that they have to spend as much as the history is worth to people - a double-spend doesn't work because the person you are double-spending will sacrifice up to 100% of what you are gaining, and on top of that you'll affect third-parties with similar incentives.
14:13 < petertodd> Such a "blockchain" can easily be done as one tx per block, and can be done as a DAG. In the case of zerocoin, the accumulator is inherently serial though, so a dag doesn't make sense.
14:13 < petertodd> However... this does mean the zerocoin blocks can be created at the same rate as zerocoin tx's can be verified, completely bypassing the crazy slow verification problem, especially when you further couple it with fraud proofs and nodes only verifying part of the chain.
14:14 < petertodd> jgarzik: Makes sense, sounds like my zookeyv protocol.
14:14 < jgarzik> petertodd, zookeyv?
14:15 < petertodd> Add in some decent primitives for trading zerocoins to bitcoins and you have a solid way to bolt on zerocoin to bitcoin without performance issues.
14:15 < petertodd> jgarzik: what I'm calling the key-value store I originally mentioned to you; named after zooko's triangle
14:15 < jgarzik> petertodd, gotcha
14:16 < jgarzik> petertodd, indeed, the identity database is ultimately a key/value database
14:17 < petertodd> jgarzik: you planning on letting people grab human readable names?
14:18 < jgarzik> petertodd, well the toplevel is a flat SIN namespace.  Under that, key/value pairs attached to each SIN.  In theory, each SIN could assert name.real="Garzik, Jeff"
14:20 < petertodd> jgarzik: hmm... tricky. Remember that with any consensus system what maps to what is up to the biggest spender.
14:22 < jgarzik> petertodd, Updates to each SIN are validated by MPK digital signatures. At least that bit is easy to prove.
14:23 < jgarzik> petertodd, If the alt-chain is wholly depending on timestamped transactions in the bitcoin blockchain, the consensus problem becomes making sure everybody sees the same view of data, when parsing the blockchain.
14:23 < petertodd> jgarzik: Right, but someone can even rewrite the chain so the updates didn't happen.
14:23 < jgarzik>  a lot simply depends on the alt-chain design itself
14:24 < jgarzik> nod
14:24 < petertodd> Only if the data itself - or at minimum the hashes of the pairs - is in the blockchain.
14:24 < petertodd> er, I mean H(key) H(value)
14:24 < petertodd> heck, OP_RETURN H(key) H(value) :)
14:25 < jgarzik> In this scenario, I imagined each alt-chain update would require a bitcoin sacrifice transaction that includes a hash of the record update
14:25 < jgarzik> obviously there are other validations that must occur, before it can make it into the alt-chain
14:26 < jgarzik> but that would be the anchro
14:26 < jgarzik> *anchor
14:26 < jgarzik> H(alt chain transaction)
14:26 < jgarzik> which would include SIN, key and value
14:26 < petertodd> H(alt chain tx) is no good because that leaves open the possibility of a withholding attack
14:27 < jgarzik> petertodd, that's true of any hash, though
14:27 < jgarzik> petertodd, otherwise you're back to OP_RETURN <full alt-chain tx>
14:28 < petertodd> No, because if I want to associate name:"Peter Todd"==0x12345 I can determine if there exist any H(name:"Peter Todd") in the blockchain and outspend their sacrifices
14:28 < petertodd> Without that I can never know if someone has a sacrifice waiting to be published
14:30 < jgarzik> I guess you could consider it all one big key/value namespace, if you prefix every key with the SIN being updated
14:31 < jgarzik> key="1234-5678-9abc name", value="Garzik, Jeff"
14:31 < jgarzik> key="1234-5678-9abc age", value="38"
14:31 < petertodd> Right, but if it's just sins as keys, what do you really need consensus for?
14:32 < petertodd> Just make it a big gossip network with anti-DoS
14:32 < jgarzik> petertodd, The problem being solved by the alt-chain is admittedly not consensus, simply decentralized storage and maintenance of the identity database.
14:32 < jgarzik> I don't think DHT will offer good disconnected operation
14:33 < jgarzik> thus looking at a replicated db like an alt-chain
14:34 < petertodd> Yeah, although having said that, consensus can still be useful: consensus about the overall contents of the global database.
14:34 < jgarzik> bitcoin-the-database-technology :)  Google for "D1HT", an acronym I just learned last year
14:34 < petertodd> Leave the contents themselves to SomeOtherDatabase(TM)
14:34  * jgarzik couldn't believe they invented a new term for "copy the whole damn database to everyone"
14:35 < petertodd> ha, yeah d1ht's are funny
14:35 < petertodd> Note though that for consensus on overall contents all nodes actually need to store is the list of 64-bit truncated hashes of every db item.
14:36 < petertodd> (2nd-preimage is sufficient, maybe do 80-bit or 128-bit if you want to be really safe)
14:38 < jgarzik> petertodd, the solution does need a consistent overall view of the global identity database
14:40 < petertodd> perfect, make sacrifices commit to that overall view then
14:40 < petertodd> (or commit to being part of a dag)
14:40 < jgarzik> petertodd, hmmmmm, indeed
14:41 < jgarzik> petertodd, need to figure out how to resolve a race, then
14:41 < jgarzik> petertodd, i.e. two conflicting identity db databases arrive in parallel, and make it into same block
14:41 < jgarzik> er, identity db updates
14:42 < petertodd> highest sacrifice... which is zookeyv, but if it's really just SIN=value that will only happen accidentally
14:44 < petertodd> Something else to keep in mind is that sacrifice/byte is a good way to do anti-spam - tier the database and give nodes the option of dropping the lowest tiers.
14:45 < petertodd> Or simply order every bit in the database and drop everything above n GB
14:45 < petertodd> s/every bit/every record/
14:46 < jgarzik> The identity database just needs to serve the latest version of a SIN's key/value pairs, so updates are insta-prunable (modulo the obvious buried-in-chain safety factor)
14:47 < jgarzik> i.e. answer queries such as $value = lookup($sin, "name")
14:47 < petertodd> Sure, but total bytes are still important
14:48 < jgarzik> agreed, though not sure how you would tier this database
14:48 < jgarzik> any active record could potentially be queried
14:48 < jgarzik> idea was to create an anti-spam barrier up front, in sacrifice-to-update-db
14:48 < petertodd> Nodes just have to contribute what they can
14:49 < jgarzik> but then drop nothing (I hope?  <insert prayer to $deity>)
14:49 < petertodd> Point is, what is your overall resource consumption model going to be? There *have* to be limits overall
14:49 < jgarzik> a fair point and open question.  maybe identities should retire, and require republishing (at a cost)
14:50 < jgarzik> to maintain the database, and expire old stuff
14:50 < petertodd> Something... but figure it out in advanced
14:50 < petertodd> *advance
14:50  * jgarzik kicks xchat
14:51 < petertodd> heh
19:24 < sseehh_> Occupy Bitcoin http://www.ingenesist.com/general-info/occupy-bitcoin.html What if Everyone Was a Bitcoin? http://www.ingenesist.com/general-info/what-if-everyone-was-a-bitcoin.html Curiosume: The Resume Must Die http://www.ingenesist.com/general-info/curiosume-integrating-social-innovation.html http://curiosume.org
19:25 < CodeShark> ah, I should check that page more often :)
19:25 < petertodd> gmaxwell: last update oct 18th? you been slackin'
19:25 < CodeShark> yeah, I guess so :(
19:26 <@gmaxwell> CodeShark: thats been there since the start. Actually the timelock idea might have been what inspired me to actually make a page for that stuff.
19:26 < CodeShark> haha, ok - then I guess I never really read through it all
19:27 < BlueMatt> sseehh_: spammer go away (gmaxwell...stop slacking)
19:27 <@gmaxwell> Wow, I didn't even see that.. was totally invisible to me.
19:31 < sipa> you're just dropping packets with insufficient proof of intelligence
19:32 < sipa> perfectly normal behavior
19:32  * nsh smiles
19:32 < CodeShark> so with a timelock, we can now rent storage space by giving people an encrypted data packet along with a key they can use to claim some coins
19:33 < CodeShark> yes, the devil's in the details - but in principle this should work
19:34 < petertodd> CodeShark: no, the idea is if the pow is a timelock algorithm your data is safe from pre-mature decryption on the theory that any attacker would earn more by cracking the timelock pow instead
19:35 < petertodd> CodeShark: in short, your data is safe so long as it's worth less than the total value of the timelock crypto system
19:35 < CodeShark> yes, I understand that - just pointing out another application
19:35 < petertodd> CodeShark: true, I guess you could do a timelock scheme with data storage bolted on as well
19:35 <@gmaxwell> CodeShark: hm. interesting. So I give you data, and a zero knowledge proof that later you'll be able to decrypt the data and get coins out of it... with some large block encryption so that you can't throw away any of it.
19:36 < CodeShark> gmaxwell: exactly
19:36 < petertodd> CodeShark: see, that works well with standard timelock crypto
19:36 <@gmaxwell> I think I know how to do that without timelock crypto.
19:37 < CodeShark> how?
19:37 < petertodd> CodeShark: just put funds in a multisig spendable by the timelock cracker and the enclosed key, with a nLockTime'd refund in the future
19:37 <@gmaxwell> Take the data. Build a hashtree over it. The coins pay to the hashtree. Later, you can claim the coins if and only if you can produce a proof that looks like H(future block || data hash root) == index, and the spv proof of that index is the thing you must provide to get the coins.
19:37 <@gmaxwell> basically the network is the interactive party in proving you still have the data.
19:39 <@gmaxwell> gee imagine the amazing things these altcoins could do if they only bothered to think about the problem space for what..  10 minutes?
19:40 < CodeShark> gmaxwell: interesting!
19:40 < CodeShark> you'd also have to prove availability, though - not just that you have it at time T
19:41 < CodeShark> at least if you want random access
19:41 < nsh> (perhaps their conception of problem space occupies a different domain [e.g. how do i become important and make money and advance my position] than ours [how can we make advances in the theory and practice of various interesting and socially-beneficial problem-sets])
19:41 < petertodd> nsh: tl;dr: they're stupid
19:41  * nsh nods
19:43 < petertodd> I don't think the interesting alts out there are based on mining anyway - mining is just too insecure when you're trying to start a new alt.
19:43 < petertodd> Either your alt matters so little it hasn't been attacked, or it starts to matter and it gets killed off.
19:44 < nsh> it should be possible to create an alt with an tapered creator mining advantage, i'd think
19:44 < CodeShark> I have a slightly different view on alts - yes, the vast majority of blockchain-based alts out there are cheap imitations of bitcoin; however, I like the idea of affording some flexibility in certain coin parameters
19:44 < nsh> that way you have a more smooth / less dangerous incubation period
19:44 < petertodd> nsh: then it's centralized
19:45 < CodeShark> we might as well just do dynacoin :)
19:45 < nsh> sure, but you can taper the centralization off algorithmically, maybe?
19:45 < nsh> perhaps my intuition is being seasonally optimistic
19:45 < petertodd> nsh: sure, although to do it right it can't be algorithmically or you may find the schedule was wrong
19:45 < nsh> ah, right
19:45 < nsh> though if you define the parameters for safe coin incubation well-enough...
19:46 < nsh> you could target the decentralization
19:46 < nsh> (dynamically)
19:46 < maaku> nsh: how do you measure decentralization?
19:46 < nsh> not sure. i was wondering that recently...
19:46 < petertodd> well, you just make it that you the creator get to sign statements allowing more decentralization as a one-way ratchet
19:46 < nsh> ah, yeah
19:47 < nsh> so a certain (set of) key(s) has a mining advantage, that can only decrease with some broadcast signal
19:47 < petertodd> nsh: yup
19:47 < nsh> mmm, dunno, sensing implementation difficulties the more i think about it
19:47 <@gmaxwell> CodeShark: well you could do something like prove you have it at _every_ block, and then to later spend the coin produce a snark that compresses all the proofs.
19:47 <@gmaxwell> hm. well I suppose thats not quite right, since you could have only had it at the end.
19:47 <@gmaxwell> Well in any case, it's better than doing nothing.
19:48 < CodeShark> gmaxwell: right, that's the problem
19:48 < maaku> nsh: you could lower the difficulty by the percentage of proof-of-stake signatures a block has
19:48 < petertodd> nsh: nah, no difficulties there: the signature is a substitute for PoW. you being the creator you'll use it responsibly; obviously you can play games and destroy things with that power too
19:48 < maaku> then an itsy bitsy premine gives you an advantage that slowly tapers off
19:48 < CodeShark> gmaxwell: to prove availability at a particular time, wouldn't you need to provide a challenge at that time?
19:48 < BlueMatt> CodeShark: though flexibility in researching optimal parameters is cool, a) there are more interesting things to research, but, more importantly, b) by just forking Bitcoin and creating an alt, you decrease the value of the digital scarcity that defines Bitcoin
19:48 < BlueMatt> 's value
19:49 < nsh> hmm
19:49 < sipa> meh
19:49 < sipa> i don't care
19:49 < CodeShark> BlueMatt: whether or not it decreases Bitcoin's value, it is an inevitable phenomenon - therefore, if Bitcoin cannot withstand it, we have a serious problem
19:50 < BlueMatt> I find that argument ridiculous: "its inevitable, so we shouldn't try to prevent it and should instead fully support it!"
19:50 < BlueMatt> makes no sense to me
19:50 < maaku> BlueMatt: I don't think this is zero-sum. Stupid people throwing stupid money at alts aren't necessarily going to speculate on bitcoin instead
19:50 < CodeShark> the exact same features that make Bitcoin so difficult to stop applies to any of these alts
19:50 < sipa> support?
19:50 < nsh> BlueMatt, i'm not sure i follow how more (of any kind of) cryptocurrency decreases the scarcity... isn't the scarcity defined relative to the utilization of mining resources?
19:50 < petertodd> BlueMatt: well, here's an interesting thought question: if I create BTCv2 that is just transactions embedded in BTCv1 with a fancy new scripting system, what happens? BTCv2 transactions still need to pay fees in BTCv1, and I can design my scheme that both are 1:1 convertible (by allowing v1 to be destroyed to create v2)
19:50 < BlueMatt> maaku: oh, I'm not saying its zero-sum, I'm saying that its not independent, and far closer to zero-sum than independent
19:51 < nsh> so if more people mine alts that wouldn't be mining btc, then you've dilution, but if that mining power is not diverted but added...
19:51 < BlueMatt> petertodd: fuck mastercoin ;)
19:51 < BlueMatt> nsh: no, its defined as relative to the number of people interested in cryptocurrencies
19:51 < petertodd> BlueMatt: hehe, I have a lot of incentive to make such a thing work...
19:51 < sipa> petertodd: ??
19:52 < BlueMatt> nsh: mining isnt the important part to me, but it is as well
19:52 < BlueMatt> sipa: petertodd works for mastercoin.....
19:52 < sipa> heh?
19:52 < petertodd> sipa: I am mastercoin's chief scientist now...
19:52 < sipa> wtf?
19:52 < nsh> BlueMatt, hmmm. question is then how the elasticity of coin interest responds to the proliferation of alts
19:53  * Luke-Jr notes MasterCoin was offering a very low salary :P
19:53 < nsh> i suspect it's pretty nonlinear
19:53 < petertodd> sipa: I had decided I was going to quit the day job, and then by good luck they offered me a job at the same time
19:53 < petertodd> Luke-Jr: meh, salary isn't everything
19:53 < BlueMatt> petertodd: in any case, if a coin is 1:1 trade-able for bitcoin, and mined on its own chain (I agree currently merged-mined isnt very good, but I think we should work on making that more accessible instead of saying lets put shit on the chain) I fully support it as awesome fucking research
19:54 < BlueMatt> nsh: I disagree very highly
19:54 < nsh> then you're probably right :)
19:54 < petertodd> BlueMatt: well, what's interesting is how much data do you actually need in the chain? data-hiding is a serious issue, but maybe you can make the incentives to not hide data and/or recover from lost/hidden data. (see zookeyv)
19:54 < Luke-Jr> petertodd: it isn't, but does Mastercoin really offer anything more? :P
19:54 < BlueMatt> nsh: heh, I'm by no means a wizard, even if I do hang out here :p
19:54 < petertodd> BlueMatt: if everyone played nice timestamping would just be enough
19:54  * nsh smiles
19:55 < CodeShark> if everyone played nice we wouldn't need currencies :p
04:29 < EasyAt> Heavy clients are heavy :)
04:29 < maaku> interesting, i don't run my nodes on ec2
04:29 < EasyAt> Has there been any write ups, even broad strokes about http://utxo.tumblr.com/?
04:30 < maaku> ?
04:30 < petertodd> maaku: I stopped recently because bandwidth usage was getting nuts
04:30 < maaku> i'm working on some new posts, and a few bips
04:30 < maaku> it's on the documenting stage
04:30 < maaku> was that your question?
04:31 < EasyAt> Mine?
04:31 < maaku> yes
04:32 < EasyAt> maaku: A few bips regarding the link I posed/
04:32 < EasyAt> Sorry. keyboard bleh
04:32 < maaku> yes
04:32 < EasyAt> fun
04:32 < maaku> regarding the index structure, and various applications of it
04:32 < EasyAt> I look forward to reading.  Is that you?
04:33 < maaku> yes
04:33 < EasyAt> omg
04:33 < EasyAt> nice
04:33 < EasyAt> \o/
04:33 < EasyAt> I'm quite excited to hear more of your ideas
04:33 < petertodd> maaku: are you still going into the UTXO set direction?
04:34 < maaku> yes. the authenticated prefix tree is more broadly useful though so I want to take a generic approach now
04:34 < EasyAt> While speaking with my friend the same approach occurred to me
04:34 < petertodd> maaku: huh, generic how so?
04:34 < EasyAt> I really like it
04:36 < EasyAt> maaku: Are things progressing nicely/
04:36 < EasyAt> bad keyboard :\
04:36 < maaku> merged mining, document timestamping, namecoin-like record updates,
04:37 < maaku> things like that which we have been discussing here on wizards
04:37 < EasyAt> I love the doc timestamping
04:37 < maaku> also i want to explain MMR for a lay audience, and the tradeoffs vs. committed tree hashes
04:37 < EasyAt> Sorry, I am normally away from #wizards.  I don't mean to be redundant
04:38 < petertodd> maaku: ah, yeah, merge mining a UTXO commitment seems reasonable to me - can always be ditched later.
04:39 < petertodd> maaku: it might even be ok to reject blocks that have an invalid merge-mined UTXO commitment, but not reject ones with no such commitment at all
04:39 < EasyAt> indeed, it isn't bad. It's and it's easy
04:39 < maaku> petertodd: there's an application of the index structure to enabling zerocoin double-spend protection without requiring validating nodes to keep the double-spend db in memory
04:39 < EasyAt> petertodd: that's a very good idea
04:39 < petertodd> maaku: it creates a less than 51% attack of course, but with sufficient hashing power that may be deemed ok
04:39 < EasyAt> Or that should be in the software to check whether the commitment is valid
04:40 < maaku> also proof-of-stake voting.. lots of applications showing up
04:40 < EasyAt> if not ignore and trust nothing until a block with a valid utxo stamp and highest in chain
04:40 < maaku> yeah, the hash commitments will probably be merged mined first
04:40 < petertodd> maaku: yeah, I was thinking about that... I think what you've done is shifted the burden of updating that tree from the miners to those using it - it doesn't scale any better, but at least the people affected by the bad scaling aren't miners
04:41 < petertodd> maaku: (shifted in the sense that because it's a random access tree it doesn't scale)
04:41 < maaku> well i think it does scale better - you just have to keep up with your own proofs, not everyone's proofs
04:41 < maaku> same reason MMR scales better
04:42 < maaku> still limited by the processing speed of the minimum-requirements validator node, but there's plenty of room to grow there
04:42 < EasyAt> Sorry, can you tell me what MMR is or keywords to google for
04:42 < EasyAt> because MMR bitcoin yields nothing useful :)
04:42 < maaku> not really, that's the problem
04:42 < petertodd> MMR = merkle mountain range == https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
04:42 < maaku> i need to write up a better description
04:42 < petertodd> maaku: heh, me too
04:43 < EasyAt> petertodd: thank you
04:43 < maaku> ^^^ is peter's document, but probably opaque unless you have a strong bitcoin-dev background
04:43 < petertodd> maaku: hey! I have pretty pictures in that one at least! :P
04:43 < maaku> :)
04:43 < petertodd> maaku: my ex understood it... so she claimed...
04:43 < EasyAt> maaku: I like to think I have a moderate knowledge
04:44 < EasyAt> I have written code to push through the chain and check all values.  But haven't contributed yet.  Still leveling up
04:44 < petertodd> maaku: so, I think the thing with tree stuff for zerocoin and similar will be that you can't get away from storing the whole tree. OTOH I agree that bandwidth could potentially be split up into shards with some careful work.
04:44 < EasyAt> But you guys are contributing so fast there is a lot to study
04:44 < maaku> petertodd: it's a fine document. you just didn't go over motivation & such which you need to explain it to a wider audience
04:45 < petertodd> maaku: yup, that's completely correct - and the motivation when I wrote it was timestamping too
04:45 < maaku> petertodd: in the zerocoin application, the entire tree is recoverable from the spend history in the block chain, but nodes don't have to keep it resident in the UTXO set
04:46 < maaku> since a spend provides the path to the place to insert the newly spent token
04:46 < petertodd> maaku: right, but to construct that spend you need access to the whole set, although that access can be distributed across multiple nodes
04:46 < petertodd> maaku: so it's in between the scalability basically
04:47 < maaku> yes, or offloaded to librarian nodes with an explicit fee, etc.
04:47 < petertodd> yup, all better options than the alternatives
04:47 < maaku> actually not the whole set, no
04:48 < maaku> you just at one time need to get your path through it, and then you just maintain that path
04:48 < maaku> so er, yes the whole set, but not at all times
04:48 < petertodd> right, but I mean, out there *somewhere* needs to be a copy of all that data. Sure it can be split up and you don't have to have it all on hand at once, but it can't ever be deleted. (unless coins have expiration times)
04:48 < maaku> once you get your path which you can have at any time, you just update that as spends are seen
04:48 < maaku> but unlike MMR, it requires an update on every spend :\
04:48 < EasyAt> Do you think fees will eventually not be distributed amongst just miners, but that perhaps miners will not necessarily keep full chains and that a portion of funds will go to nodes that only maintain and issue work
04:49 < EasyAt> Or am I just describing a mining pool
04:49 < petertodd> yup, MMR is unique that way... if only just barely powerful enough to be useful at all
04:50 < petertodd> EasyAt: miners don't have to keep full chains - heck, they don't even have to validate...
04:50 < EasyAt> indeed
04:50 < petertodd> EasyAt: they should, but nothing forces them to do that
04:50 < EasyAt> just take work and chomp
04:51 < maaku> EasyAt: the MMR proposal or a proof-updatable prefix tree could be used to require transactions to provide proofs of their own validity
04:51 < EasyAt> Has there been a proposal for a blochain solution to voting.  As in in real life politics?
04:51 < maaku> then nodes don't have to store UTXO data at all
04:51 < EasyAt> intersting
04:52 < maaku> EasyAt: not a complete one, but that's a project i'm working
04:52 < maaku> it has special application to freicoin
04:52 < EasyAt> fun
04:52 < EasyAt> I have not looked at feicoin
04:52 < EasyAt> bitcoin is still too immersive
04:52 < petertodd> EasyAt: https://bitcointalk.org/index.php?topic=230864.15
04:53 < EasyAt> jdillon! so cloak and dagger
04:55 < petertodd> EasyAt: yeah, and good ideas too
04:55 < EasyAt> hm
04:55 < maaku> once again, i've found a way to apply the index structure to recording proof-of-stake votes without requiring validating nodes to track that data
04:55 < petertodd> EasyAt: note what he's proposing very carefully avoids the usual trap of having miners vote on anything
04:55 < petertodd> EasyAt: er, I mean, having miners able to control the vote
04:55 < maaku> but the bigger problem is the usual stuff for voting - miners have significant control over the election process by being able to block votes
04:56 < EasyAt> I like it a  lot
04:56 < EasyAt> maaku: correct
04:56 < EasyAt> Until every single node is homogeneous there will always be power disparities
04:56 < petertodd> maaku: yeah, jdillon's blocksize limit vote might be the *only* case where miners can't control a vote, and that's because in one sense they already can control half of the possible outcome
04:56 < maaku> you can mitigate that somewhat by encrypting votes, somewhat like committed transactions
04:57 < maaku> but then they can always block the revelation
04:57 < maaku> petertodd: yeah
04:57 < maaku> freicoin has a substantial perpetual mining subsidy (4.9% of the monetary base per year), so we're looking at ways to do proof-of-stake voting on distribution
04:58 < maaku> but miners would be naturally hostile - their best outcome is to gerrymander a 100% to the miners budget, then block all votes thereafter
04:58 < maaku> overcoming that is tricky... and I don't have funding to look at it now
04:58 < petertodd> maaku: makes sense - in that case the "anti-miner-option" could be that without the proof-of-stake the mining subsidy goes into thin air
04:58 < maaku> but if you can think of a solution let me know :)
04:59 < maaku> yeah a sort of nuclear option
04:59 < petertodd> it's MAD, but it just might work
04:59 < EasyAt> How much of a consideration does altruism take?
04:59 < EasyAt> 0?
05:00 < warren> maaku: btw, your coin is currently sha256 PoW?
05:00 < EasyAt> I suppose in sec. it should be 0. right?
05:00 < maaku> warren: yes
05:00 < warren> how do you avoid reorg attacks?
05:01 < EasyAt> How does one reorg attack unless constantly producing 2 blocks at very similar times?
05:01 < maaku> the same way bitcoin does? not sure I understand the question
05:01  * EasyAt looks up reorg attack
23:27 < Luke-Jr> IIRC the first time the French tried to force SI on their people, they had a revolt and had to reverse it
23:28 < Emcy> you can deny that universal SI has benefitted just about everyone though. Even if its not the best system.
23:28 < Emcy> apart from the us of course
23:29 < Luke-Jr> I think I can deny that.
23:29 < Luke-Jr> while there are benefits to having a universal measure system, there are also drawbacks of having only one system
23:29 < Luke-Jr> it's like multilingual vs single-language education
23:29 < Luke-Jr> even if you only ever use one language in your life, you benefit from having learned multiple
23:30 < Emcy> if pretty much everyone speaks the one "language" though, you wouldnt need to
23:30 < Luke-Jr> personally, I think the ideal (history aside) would be universal education of tonal and dozenal
23:30 < Luke-Jr> it's not a matter of need to
23:30 < Luke-Jr> it's a matter of flexibility in your brain
23:31 < Emcy> i dont follow
23:31 < Luke-Jr> if you only know one language/number system, it's somewhat "hard coded" in your brain
23:31 < Luke-Jr> if you learn multiple, you at least have the flexibility there
23:31 < Luke-Jr> even if you don't need/use the others, it's a good trait
23:32 < Emcy> if youre talking about the cognitive benefits of biligualism, im not sure that applies to measurements
23:32 < Emcy> any more than you could get from having a decent level of maths like we expect from most people anyway
23:33 < Luke-Jr> there's certainly benefit from multiple number systems, even if you want to debate whether that extends to measurements
23:33 < Emcy> actually knowing hex and stuff is pretty damn useful
23:34 < Luke-Jr> there are a lot of practical applications that benefit from dozenal and/or tonal units, which is why mankind has always evolved toward using tonal/dozenal units historically
23:34 < Emcy> i learned how to go from hex to denary to duonary (?) and back once
23:34 < Luke-Jr> (decimal units have only come about by unnatural means)
23:36 < Emcy> well shit if its gonna change now
23:36 < Emcy> you think bitcoin consensus is hard.......
23:37 < Luke-Jr> heh
23:37 < Luke-Jr> the great thing about tonal is that it doesn't need a consensus
23:38 < Emcy> well not when its best advocates go around breaking peoples fonts.....
23:39 < Luke-Jr> it doesn't break fonts ;p
23:39 < Luke-Jr> your fonts are just missing symbols
23:39 < Luke-Jr> easily solved by installing a better font
23:39 < Emcy> i like tahoma
23:40 < Emcy> its antialiased and doesnt have any stupid serifs
23:41 < Emcy> cat just blatantly came up here and clawed me in the nipple wtf
23:42 < Luke-Jr> lol
23:42 < Emcy> why does the internet like cats again, they are murderous apex predator beasts
23:42 < Luke-Jr> Emcy: they taste good?
23:42 < Emcy> you live in the south right?
23:44 < wizkid057> florida isnt really a southern state anymore
23:45 < Emcy> i thought luke lived in georgia
23:45 < Luke-Jr> Florida
23:46 < Luke-Jr> at the moment
23:46 < whatnick> Big cats share the same tapeworms with humans
23:46 < Emcy> nice
23:46 < whatnick> http://scientiarules.wordpress.com/tag/origin-of-human-tapeworm/
23:47 < Emcy> house cats parasitise their human hosts to better do their bidding
23:47 < Luke-Jr> not mine :>
23:47 < Emcy> you wouldnt know
23:47 < Luke-Jr> she goes on the table, I toss her
23:47 < Luke-Jr> lol
23:48 < Emcy> well i was talking about the brain parasite they carry
23:48 < Emcy> but yeah my cat has recently decided she is finished with jumping up places and just wails until someone physically lifts her instead
23:49 < Emcy> im probably infected so i have to comply
23:49 < Emcy> she is also beating up the dog more often
23:50 < Emcy> which i have to let happen due to dog psychology
23:53 < maaku> Emcy: can cats train dogs?
23:54 < Emcy> sure seems like they can
23:54 < Emcy> operant conditioning moderated by the claw
23:57 < Luke-Jr> lol
23:57 < Luke-Jr> debating whether to just let her live her life out spayed and alone; or let her have kitties and cook her once they weak
23:58 < Luke-Jr> wean*
23:59 < Emcy> spay unless you enjoy your house besieged by beefy tomcats
23:59 < Luke-Jr> meh, can get rid of excess kitties too I'm sure
23:59 < Luke-Jr> well, not so sure
--- Log closed Tue Nov 19 00:00:02 2013
--- Log opened Tue Nov 19 00:00:02 2013
--- Day changed Tue Nov 19 2013
00:00 < Luke-Jr> maybe FL has some stupid laws
00:58 < dejasun> "no one can reist the clas "
00:58 < dejasun> resist*
00:59 < dejasun> "nothing can stop the claw!"
02:33 < gmaxwell> warren: should I go make a sign  "XYZ BTC bounty for fixing Bitcoin-qt on OSX" and stick it outside of apple?
02:56 < maaku> gmaxwell: that's not a bad idea
02:56 < sipa> with below the same in USD
02:57 < maaku> heh there's a bunch of protesters in front of infinite loop now. maybe I can get someone to stand there with a big "BTC BOUNTY!" sign
02:57 < sipa> strikethrough'ed many times
02:57 < sipa> with increasing usd numbers
02:57 < gmaxwell> need an electronic sign.
02:57 < gmaxwell> maaku: what are they protesting?
02:58 < maaku> offshore tax schemes
02:58 < gmaxwell> ah, I suppose that makes sense, they're ... far from alone in that.
02:59 < gmaxwell> but I suppose unlike most companies their customers might care.
02:59 < maaku> meh. i think it's more like reporters care. more likely for the protestors to get media attention if they focus on apple
03:05 < gmaxwell> Luke-Jr: so lets imagine that you have some anonymous cryptocurrency like those discussions we were having in here last week(end) with adam3us's encrypted coins + proofs ... which had the property that there was a UTXO set that you couldn't remove spent coins from as they were spent because if the network knew which coins they were spending then it wouldn't be anonymous (we mentioned this problem last week),  and it also had a spent coin li
03:05 < sipa> gmaxwell: you still need splitlong.pl
03:05 < gmaxwell> where was I truncated?
03:06 < sipa> spent coin li
03:06 < gmaxwell> ...you need an entry in the spent coin list to prevent it from being respent, once  it has been spent once.
03:06 < gmaxwell> Luke-Jr: now lets say its possible for someone who has spent a coin to separately produce a proof that says "this entry in the utxo set is spent  now, go ahead and remove it." unconnected with their spend so they're still anonymous.  And likewise, once that has happened they could produce a "this spent coin is no longer in the utxo set" proof.
03:07 < gmaxwell> But only the anonymous spender of the coin could do this.
03:07 < gmaxwell> How the heck could you incentivize users to emit these additional messages?
03:07 < gmaxwell> keeping in mind that if the result is giving them another anonymous coin, you're not achieving net reduction in the utxo set size, except via batching.
03:09 < Luke-Jr> offer them pizza?
03:09 < Luke-Jr> <.<
03:11 < gmaxwell> Interesting economic insight. Have you ever considered seeking a job at the fed?
03:11 < gmaxwell> :P
03:11 < Luke-Jr> :P
04:01 < midnightmagic> Yeah. I'd do quite a lot for a pizza dinner..
04:06 < warren> Luke-Jr: cfields wants to know if the deterministic linux -> mac cross-compile is good enough for the .app or it must be the .dmg.  He thinks the .app is possibly deterministic but not the .dmg.
04:06 < Luke-Jr> why wouldn't .dmg be possible? -.-
04:06 < Luke-Jr> it's just a disc image
04:14 < warren> Luke-Jr: he can explain
04:15 < warren> Whoa.  Someone just donated to us $4,500 in one tx.
04:17 < Luke-Jr> for what?
04:18 < Luke-Jr> "in one tx" isn't surprising though :P
04:18  * Luke-Jr regularly sends over $100k in one tx
04:18 < warren> o_O
04:19 < Luke-Jr> well, why split it up?
04:19 < Luke-Jr> I guess I could get rid of more dust that way..
04:21 < Luke-Jr> you can always tell when it's mine too - I'm the only one who sends that kind of volume in TBC :P
05:14 < petertodd> gmaxwell: make a second currency whose proof-of-work is replace by proof-of-emitted-utxo-removal
05:14 < petertodd> gmaxwell: duh
05:18 < adam3us> gmaxwell, petertodd: still not 100% convinced it hurts to have a best-effort utxo reduction, full nodes want to do that to conserve ram
05:19 < petertodd> adam3us: utxo isn't in ram
05:19 < TD> good morning
05:19 < adam3us> gmaxwell, petertodd: however unless there is a ZKP proof that the coin stems from another coin & inputs add up to outputs, you cant do it
05:20 < adam3us> TD: 'morning
05:21 < petertodd> adam3us: big problem is the very idea of a utxo set is ugly, because it becomes something that can be attacked, or just ignorantly abused - better off to make that irrelevant
05:21 < adam3us> so then you're looking at like homomorphic values and ringcoin would kind of do it except they are 1.4kB per value and 3kB for ringcoin ones (where you prove you spent either of 2 coins, one of which you dont even own by proving either you own it, or you are adding 0 to its balance)
05:22 < adam3us> petertodd: yes i agree and its definitely easier if one can say screw utxo size, however its necessary for spv bloom and that or something similarly effective for bandwidth constrained devices is necessary for scalability
05:22 < petertodd> adam3us: well ~kB isn't a disaster if your underlying chain is scalable, which I think we need to do anyway in some fashion due to the centralization incentives that tx fees have (and I think this ends up being applicable to most types of crypto-currency systems)
05:23 < adam3us> btw charles hoskinson seems to be trying to cook up a big x-prize bounty for solving this problem.  i am not 100% sure its necessary or will help as most people with the skills to stand much of a chance are already working on it, but you can never discount the power of 1000 fresh eyes
05:23 < petertodd> which problem exactly? anonymity or scalability?
05:24 < adam3us> petertodd: cryptographic anonymity without damaging decentralization or existing scalability, and using conservative crypto assumptions
has the unusual property of being additively homomorphic and capable of trapdoor discret
16:00 < adam3us> justanotheruser: truncated much was that?
16:01 < justanotheruser> adam3us: yes, quire discret
16:01 < justanotheruser> *quite
16:01 < justanotheruser> Does your client not automatically make the truncated bit a new message?
16:01 < adam3us> justanotheruser: ... [Paillier] capable of trapdoor discrete log with the private key which could be an interesting trick in many settings
16:02 < adam3us> justanotheruser: and a relatively recent invention (1999) for a basic assumption simple crypto system
16:06 < justanotheruser> interesting
16:08 < adam3us> justanotheruser: indeed not, this is pidgin, though there is probably a plugin that could make it do so.
16:08 < justanotheruser> It's not interesting?
16:12 < adam3us> justanotheruser: i thought Paillier was an interesting trick, but i collect interesting crypto constructs in a mental check list to have in mind to build esoteric or interesting protocols with
16:17 < justanotheruser> Oh, I was confused by "interesting not"
16:17 < fagmuffinz_> trapdoor discrete log?
16:21 < nsh> adam3us, is this still in the context of leakfree signature systems?
16:23  * nsh muses
16:23 < adam3us> nsh: not really, though blinding is one of the technique brands others used to remove leaks (aka subliminal channels) from semi-trusted wallets with observers, and this DG thing was one of the parts used to make the DSA blinding monstrosity.  seems simpler to use ecschnorr/ed25519
16:24 < nsh> right
16:24 < maaku> is there any "unofficially official" conference this year, like bitcoin 2013 was last year?
16:24 < adam3us> fagmuffinz_: so the way you decrypt is you can compute the discrete log with the private key but otherwise
16:24 < justanotheruser> maaku: theres the financial cryptography conference
16:24 < fagmuffinz_> Could someone give me a link to this trapdoor I keep hearing about?
16:24 < justanotheruser> http://fc14.ifca.ai
16:24 < justanotheruser> fagmuffinz_: It has to do with asymmetric signatures.
16:25 < justanotheruser> ;;google trapdoor cryptography
16:25 < gribble> Trapdoor function - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Trapdoor_function>; rsa - What is the meaning of "trapdoor" in cryptography ...: <http://crypto.stackexchange.com/questions/10087/what-is-the-meaning-of-trapdoor-in-cryptography>; rsa - What is a trapdoor permutation? - Cryptography Stack Exchange: (1 more message)
16:25 < fagmuffinz_> Oh
16:25 < fagmuffinz_> K, that's fine.  Just didn't know what "trapdoor" specifically meant
16:26 < adam3us> fagmuffinz_: Paillier trapdoor is unusual in providing a trap door discrete log, usually discrete log crypto systems just work around the non-trap door nature, by knowing existentially the discrete log by having set it up; Paillier allows computing it
16:26 < fagmuffinz_> Are there other kinds of asymmetric encryption that don't involve "trapdoors?"
16:26 < fagmuffinz_> Time for me to do some reading =]
16:26 < maaku> eh.. not really. that's just a single day workshop run by non-bitcoin people
16:27 < justanotheruser> fagmuffinz_: In asymmetric cryptography you shouldn't be able to get the private key from the public key. The function to get the public key from the private key is the trapdoor (because you can't go back)
16:27 < maaku> i probably only have funds for one trip this year and want to make it count :\
16:28 < justanotheruser> maaku: I agree (12:33:33 PM) justanotheruser: Seems like a bunch of PhDs are going to explain bitcoin to the bitcoin devs
16:28 < adam3us> maaku: i guess you can get to the san jose one being local to u, plus one other.
16:28 < fagmuffinz_> I understand that justanotheruser
16:28 < fagmuffinz_> Just didn't know terminology - thanks though
16:28 < justanotheruser> yep no problem
16:28 < adam3us> maaku:  i was thinking a wizards only "conference" aka a bunch of wizards and a lot of white boards
16:28 < maaku> adam3us: there's another san jose one?
16:29 < fagmuffinz_> I would pay for a plane ticket to that
16:29 < justanotheruser> adam3us: what's the san jose one? A meetup or a conference?
16:29 < adam3us> maaku: i dont know how it works, is it always in san jose? or does it move around the us?
16:29 < adam3us> justanotheruser: last april was the first one i went to so i am not in the loop, just perhaps incorrectly assumed the main one would be in san jose each year
16:30 < maaku> as far as I can figure out from google that was a one-time thing
16:30 < maaku> i'm not involved with the foundation though, which is why i asked
16:30 < justanotheruser> I'm interested in going to a bitcoin conference this year, what usually happens there? New ideas are talked about?
16:31 < fagmuffinz_> adam3us: http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=B473A49B56321FCEF247063B856A1751?doi=10.1.1.8.5384&rep=rep1&type=pdf this?
16:31 < maaku> if it was happening again in may I would assume there'd be announcements & calls for speakers by now...
16:31 < adam3us> maaku: me either.  but what about a wizards only mini-conf with no registration fees (at cost for space)?  wizards mostly go to like sit on the edges and talk to each other and scoff at the incorrectness of the presenters at anything semi-tech
16:31 < fagmuffinz_> ^
16:32 < maaku> adam3us: sure that'd be fun and I'd go to that
16:32 < maaku> but i'm asking more because I have talks I'd like to give to the wider bitcoin audience
16:32 < adam3us> adam3us: y'all could come to malta, maybe the flights wouldnt be so bad out of season.  the hotels are cheap out of season.
16:32 < adam3us> maaku: if you're talking some places will pay your flights i think
16:33 < maaku> i'm still up for an iceland meetup if people want to do that :)
16:34 < adam3us> maaku: note iceland not good out of season.. my wife's niece went there and lost lots of $ for damaged rental car (not insured for such things) storm with like big rocks flying by!  smashed window, tow, undrivable in the weather conditions
16:38 < adam3us> maaku: plus could snag a visit to the btc mining data center running on geothermal and "open the window" cooling
16:49 < BlueMatt> maaku: adam3us duke conference!
16:50 < BlueMatt> (I'm trying to get together a wizards meetup where wizards are essentially just their own conference but give one or two talks to people
16:51 < adam3us> fagmuffinz_: http://en.wikipedia.org/wiki/Paillier_cryptosystem has link to the paillier's own paper.	damgard-jurik also simplified it
16:54 < adam3us> BlueMatt: yeah i'm pumping malta as a location :)  actually i bumped into the FC organizer guy ray hirschfield at the amsterdam btc conf and he was suggesting malta as next location after bahamas i think 2015.
16:54 < adam3us> BlueMatt: tho i realize thats more flight expensive for more people.  some of the other costs might balance it.
16:55 < BlueMatt> adam3us: well, a conf for bitcoin is being organized at duke anyway, so I figure I'll steal some of their money and put it towards wizard-flights
16:56 < andytoshi> you'd think wizards would be able to fly of their own accord..
16:56 < andytoshi> maybe we could add something to the blockchain to enable that :)
16:57 < adam3us> BlueMatt: oh ic its another university in the same state as unc (i am limited at times in finer points of us geography so missed the connection)
16:57 < nsh> i think you have to enable flying via a separate protocol layer built on top of the blockchain andytoshi
16:57 < nsh> let me set up an exodus address
16:58 < BlueMatt> (not a big conf, but like a local one)
16:59 < adam3us> andytoshi: oh noes, exodus. pump & dump.  stop!!  but yes it is a curious effect that $12 bil long term partly depends on fixing some non-trivial ideas that wizards seem to be the most likely to figure out, and yet many cant afford a flight, or understandably not inclined to take $2k out of their own hard earned $ to donate to it.
17:00 < adam3us> andytoshi: seems like a snowcrash hiro protagonist problem (wealthy by brownie points on the metaverse but penniless in meatspace)
17:01 < warren> meatcoins
17:01  * andytoshi has snowcrash on his HDD, but still hasn't read it..
17:01 < BlueMatt> adam3us: yea
17:01 < warren> andytoshi: read "The Great Simoleon Caper" first, prequel
17:02 < andytoshi> warren: will do
17:02 < warren> then The Diamond Age
17:02 < andytoshi> does cryptonomicon fit into this ordering?
17:04 < warren> no
17:04 < andytoshi> ok, thx
17:05 < adam3us> warren: someones read his stephenson :) man i gotta read the ones i missed some time.  but bitcoin draw is stronger.  eat. sleep. bitcoin.
17:05 < andytoshi> warren: thanks a ton, i have 23 books by stephenson on my system, haven't read one :P
17:06 < gmaxwell> if you hold the meetup around DC maybe I can get stephenson to show up? :P
17:06 < warren> apparently I'm supposed to read something called HPMOR but I refuse.
17:06 < andytoshi> warren: you should, it's good fun
17:18 < andytoshi> so, a few days ago tholenst was asking about script extensions to allow outputs with rules like "cannot be spent unless (a valid signature is provided AND blockheight >= 300000) OR (some proof that txin XYZ was double spent is provided)"
17:19 < andytoshi> what he proposed was pretty powerful and it was easy to think of outputs which interacted very badly with reorgs, hurting fungibility
17:19 < andytoshi> but i think, adding a single op FAIL_IF_BLOCKHEIGHT_LESSTHAN [minimum height] would be safe across reorgs
17:19 < andytoshi> am i right?
17:21 < andytoshi> the idea is, once an output can be spent, nothing should change to make it unspendable, otherwise a reorg could invalidate a huge swath of transactions ... but change in the opposite direction (unspendable output suddenly becomes spendable) is safe
17:21 < gmaxwell> andytoshi: perhaps safe enough. technically the chain can shrink.
17:22 < andytoshi> gmaxwell: right. absent deliberate effort this is insanely unlikely though
00:39 < brisque> not even that, just skimming 5% of the hash power wouldn't be noticed. over 1000 units they claim to have found, that's uh.
00:39 < brisque> 30TH.
00:40 < gmaxwell> well he only got into 28 of them I think.
00:40 < brisque> the "disclosure" is shit because we know that most of these units won't be patched in a reasonable timeframe. there's a lot that are now going to be under attack by people hoping to make a quick buck.
00:45 < gmaxwell> brisque: they don't need to be 'patched' they just need to have their password changed to something not crackable.
00:49 < brisque> gmaxwell: haven't brainwallets shown that users, even technical ones, can't make secure passwords to save their own money?
00:50 < gmaxwell> brisque: brainwallets add the extra expectation that they'll remember those passwords.
00:50 < gmaxwell> No need to remember these... just write them down.
00:51 < brisque> the point is more that people won't no matter what is being told to them. protecting $10000 of mining equipment is a difficult job when they're advertising what they are at connect time.
00:53 < gmaxwell> brisque: uh? all my miners have 128 bit passwords...
00:53 < brisque> you're not an average user.
00:53 < gmaxwell> (even though they're not internet exposed, just a standard practice. If I weren't a chickenshit I'd turn off the web interfaces entirely, but I'm a bit afraid of getting locked out.)
00:54 < gmaxwell> brisque: in any case, it's easy to give good advice for this.  Well, give a little credit: An average user doesn't own a $10,000 asic miner.
00:58 < brisque> I suspect a lot of miners are in the hands of casual users though, which is why there's exposed KNC miners in DCs in the first place.
01:03 < gmaxwell> how casual can you be with a $10k device in a data center? come on, signing up for the colocation is more complicated than using a password generator and a text file. :P
02:27 < midnightmagic> ha ha ha
02:31 < midnightmagic> It would be great if that were gobbles.
02:52 < BlueMatt> I'm assuming this has been seen already: http://miki.it/pdf/BitIodine_presentation.pdf
02:53 < gmaxwell> anyone try out their software?
02:53 < gmaxwell> I queued that presentation for reading and forgot about it
02:53 < brisque1> they did a hell of a lot os scraping
02:53 < brisque1> s/os/of
02:54 < BlueMatt> it looks like they've actually thought coin analysis through, unlike most of the shit we've seen so far
02:54 < BlueMatt> mostly because of the huge amount of scraping they did
02:55 < justanotheruser> BlueMatt: "When a transaction has multiple input addresses, we can safely assume that those addresses belong to the same wallet, thus to the same user."
02:55 < justanotheruser> biggest flaw I found
02:56 < BlueMatt> yea, they didnt get that right, at least they could have said "we can usually safely assume"
02:56 < BlueMatt> because, realistically, today, you can
02:56 < brisque1> justanotheruser: generally a safe assumption, especially with some online wallets reusing addresses for change.
02:56 < brisque1> in that case you don't even have to assume.
02:57 < gmaxwell> oh wow, the presentation is kinda worthless.
02:58 < gmaxwell> BlueMatt: nah, even today a really substantial fraction of txn on the network are shared wallet transactions.
02:58 < gmaxwell> so you can't do the common inputs = same user thing.
02:58 < justanotheruser> "If multiple outputs, change is never the last output. Fixed only in January 2013!"
02:59 < justanotheruser> Most interesting thing I learned
02:59 < gmaxwell> justanotheruser: I like how it's like "software is flawed" except it was fixed long before their work. Should say 'was' but oh well.
02:59 < brisque1> you can often tell what is change just from the values. if there's a 0.1BTC output and another with 8 places, you know certainly which is the change.
02:59 < gmaxwell> Gavin introduced the bug in .. what, 2010?  Hal found the bug at the end of 2012.
03:00 < gmaxwell> brisque1: yea, thats a somewhat helpful heuristic. though not always true.
03:00 < BlueMatt> gmaxwell: true, though you can safely assume that the users are using the same shared wallet (which is likely the intended meaning here, though its not explicitly stated)
03:00 < gmaxwell> e.g. when the amount I move is up to me, I make the third party get the change like amount sometimes.
03:01 < gmaxwell> BlueMatt: eh. but thats strictly less useful. Because you may not know either of the users is using a shared wallet at all.
03:01 < BlueMatt> oh, sure, but its still more than nothing
03:01 < BlueMatt> and if you know which shared wallet, you can sometimes tell via other things (coinbase does some dumb double-tx shit to make the "from" address work)
03:02 < gmaxwell> yea, coinbase does dumb stuff. Strongcoin does dumb stuff.
03:02 < gmaxwell> (strongcoin makes every transaction pay some donation address of theirs)
03:02 < brisque1> seriously? coinbase wants to have "return" addresses?
03:03 < gmaxwell> brisque1: dude not just that, coinbase's merchant thing was randomly "refunding" things when it wasn't expecting a payment. (and causing people to lose bitcoin forever, dunno if its fixed yet
03:03 < gmaxwell> brisque1: every transaction into or out of coinbase results in two transactions. Except sometimes it doesn't
03:04 < brisque1> gmaxwell: that's not giving me the warm fuzzy feeling their "safe and secure" animation says I should.
03:04 < gmaxwell> BlueMatt: in any case, shared wallets are still a huge source of noise and uncertainty in this kind of analysis.
03:05 < gmaxwell> BlueMatt: just because until you have evidence that its a shared wallet you'll be falsely merging some users.
03:05 < BlueMatt> gmaxwell: yes, but I'd like to see these guys figure out ways to analyse coinbase txn to link them too, etc
03:06 < _ingsoc> brisque1: What animation?
03:07 < brisque1> _ingsoc: coinbase.com has a sort of flip clock thing that says "safe and secure" when you visit the page.
03:07 < _ingsoc> Ah, thank you. I like animations.
03:07 < gmaxwell> BlueMatt: I still think we should have some switch you can set when sending coins that lets it round up to x amount more to eliminate or round-off change.
03:08 < BlueMatt> gmaxwell: I still think all wallets should work together to make this kind of analysis impossible (coinjoin et al), but until the analysis gets amazingly accurate, we may not see that
03:14 < gmaxwell> certainly I think it's useful if the publicly disclosed analysis is as powerful as any privately held analysis may be.
06:38 < jtimon> hello, does anyone have what was talked after this?
06:38 < jtimon> [02:36:09] <gmaxwell> 17:35 < maaku> or in a server-to-server consensus mechanism
06:38 < jtimon> [02:36:43] <gmaxwell> yea... except dear gods, the bitcoin blockchain is NOT a communications mechanism for your server to server consensus!  _global broadcast network_
06:38 < jtimon> [02:36:52] <maaku> gmaxwell: using the public chain as a semaphore for two-phase commit of a distributed transaction over multiple private asset servers
06:38 < jtimon> [12:08:31] <-- jtimon (~quassel@87.pool85-53-148.dynamic.orange.es) has quit (No Ping reply in 180 seconds.)
07:05 < jtimon> a pastebin would do it
07:06 < brisque> I'd help you out but I don't have scrollback that far. someone will surely have logs.
11:19 < andytoshi> jtimon: i have logs at http://download.wpsoftware.net/bitcoin/wizards/2013-12-31.txt which cover what you want
12:13 < jtimon> cool andytoshi thank you
12:23 < phantomcircuit> gmaxwell, bitcoin.org was moved to a dedi and the dedi died under the load
12:23 < phantomcircuit> wat
12:23 < phantomcircuit> it's like
12:23 < phantomcircuit> all static content
12:23 < phantomcircuit> how is that even
12:25 < jtimon> I'm not sure I understand this part:
12:25 < jtimon> 01:38:28 <maaku> gmaxwell: you need to hit the public chain for public<-->private txns
12:25 < jtimon> 01:39:11 <maaku> (e.g. atomic swaps of freicoins for private assets)
12:25 < jtimon> 01:39:27 <gmaxwell> For anything like that you have a small number (because multisig scalability) of known-in-advance servers. Which means you can do a regular n-of-m consensus totally external to bitcoin. E.g. an initiator proposes a distributed database update and get a supermajority of the servers to sign off on it.
12:26 < jtimon> freimarkets options also need expiries
12:27 < jtimon> but the first use case when it was really necessary are transitive (ripple-like) transactions involving several in-chain and off-chain assets
12:28 < jtimon> when all the assets are off-chain you can just use a regular timestamping server all the private chains agree upon
12:29 < jtimon> what we used to call "registries" in 2PC Ripple http://archive.ripple-project.org/Protocol/RegistryCommitMethod
12:32 < jtimon> I don't know how can you implement my example "5.6.3 Hybrid Transitive transaction" (pubA -> pubB -> privC -> privD -> pubE -> userA) without block expiries
12:32 < jtimon> of course, whether you think that's an important use case or not is another question
12:34 < jtimon> as for the "dangers of expiries" the way I see it, the responsibility to decide how many blocks to wait to consider a transaction "safely buried" should ALWAYS lie with the recipient
12:34 < jtimon> 6 blocks is just an orientation
12:35 < jtimon> it depends much more on the quantity than on previous transactions or expiries
12:36 < jtimon> well, it usually will, but it's still the payee's problem
12:38 < jtimon> in fact all of the examples in our off-chain transactions section rely on expiries (the all off-chain asset transaction example is missing, but it's basically 2PC Ripple)
12:57 < andytoshi> jtimon: the problem is that the whole transaction sub-DAG is risky .. IMO requiring 100 blocks before any nExpiresTime output can be spent would solve this, and it'd be better than having no expiry time
16:39 < warren> cfields: hmm, one user reports they have the mac corruption without time machine
16:40 < warren> they didn't say which version they were running though
16:41 < cfields> Luke-Jr: unfortunately, the cleanest approach to the next step is to begin modding the hfs+ kernel module. And at that point, I don't think it's really worth it
16:41 < cfields> either that, or ofc writing a new tool from scratch
16:43 < warren> cfields: timestamps in the filesystem and checksums differ, I'm guessing?
16:45 < cfields> warren: most linux tools use loopbacks to mount an image file. mounting/unmounting causes alterations like last-accessed times, next fsck time, mount-count, etc
16:46 < cfields> better option would probably be to start hacking on genisoimage, but iirc its output was much more random
16:49 < Luke-Jr> I suggest 7z920/CPP/7zip/Archive/DmgHandler.cpp
16:49 < Luke-Jr> not sure if the Linux version is built with DMG support, but at least the code exists
16:52 < warren> the way mac itself makes the .dmg is a loopback mount
16:52 < cfields> Luke-Jr: i'm not saying it's not possible. I'm saying that i suspect that a bit of randomness may be functionally necessary
16:53 < cfields> could you link those sources btw? my google-fu must be weak today
16:53 < Luke-Jr> http://downloads.sourceforge.net/sevenzip/7z920.tar.bz2
16:54 < Luke-Jr> deterministic randomness is possible for anything DMG could possibly need
16:54 < cfields> thanks
16:54 < Luke-Jr> sorry, "randomness" in quotes..
16:54 < Luke-Jr> ie, tar & hash the .app a few times as a seed..
17:01 < warren> cfields: you also going to change all the .zip's to tar?
17:01 < Luke-Jr> deterministic tar is likely more work
17:02 < Luke-Jr> since it saves more attributes
17:03 < cfields> warren: i'd like to, yes
17:04 < Luke-Jr> imo ideal would be to have the deps build deterministic debs - but that's probably more trouble than it's worth :p
17:05 < warren> I'd like fedora to just ship upstream's deterministic binaries in their rpm
17:05 < Luke-Jr> good luck
17:05 < Luke-Jr> it's a shame there's so much politics in Gentoo development
17:05 < Luke-Jr> so much potential there
17:06 < Luke-Jr> could have the entire OS be deterministic :D
17:09 < warren> Luke-Jr: ask cfields for his patches to make binutils deterministic
17:17 < Luke-Jr> :o
17:18 < cfields> looks like they'll make it into 2.24: https://sourceware.org/ml/binutils/2013-11/msg00214.html
17:20 < cfields> Luke-Jr: it's worth noting that I haven't even reached the point of trying to create a deterministic dmg. Any dmg must first contain a deterministic filesystem...
17:20 < cfields> So that means creating/formatting/writing an hfs+ partition in some deterministic way
17:25 < sipa> i think having a determinstic binary is already a huge step
17:25 < Luke-Jr> indeed
17:26 < cfields> well, the question is: what is "good enough" for distribution?
17:27 < sipa> right now, the only ones checking determinism are those that build and sign
17:27 < cfields> the .app is the only thing that ends up on the target machine, so i would call a deterministic app "good enough" for the most part
17:27 < sipa> which is a pity
17:27 < cfields> problem comes with the verification process of that .app
17:27 < sipa> but being able to compare your installed binary with published signatures is very nice already
17:28 < sipa> it may actually matter more than deterministic installers, i just realized
17:28 < sipa> what if the deterministic installer secretly downloads data?
17:28 < cfields> how could it do so secretly?
17:28 < sipa> well, the same argument holds for the binary of course...
17:28 < cfields> heh, right :)
17:28 < Luke-Jr> cfields: we could in theory distribute a tar of the app
17:29 < cfields> Luke-Jr: well, that's really about the same thing, no? user un-tar's, discards the tar, ends up with the same .app
17:29 < cfields> only thing that changes is a possible attack vector in the dmg itself
17:29 < Luke-Jr> well, I mean a deterministic tar of course :P
17:30 < cfields> oh, i see. so at least the download could have a checksum next to it
17:30 < Luke-Jr> deterministic tar vs deterministic dmg, not sure anyone cares about the diff
17:30 < cfields> Luke-Jr: btw, i agree with you that it should be possible to recreate a dmg. I'm not sure where the fuzzing is happening, but i'm sure that it could be tracked down
17:30 < Luke-Jr> but you'd have to ask Mac users I guess
17:31 < cfields> whether it's worth the trouble, that's where i take issue
17:31 < cfields> as an osx user (i hate admitting that), any download that's not a dmg gets on my nerves
17:31 < cfields> unless it's a .pkg for good reason
17:31 < Luke-Jr> so it sounds like we should get .dmg to work
17:32 < cfields> yea...
17:32 < cfields> i'll keep at it
17:32 < cfields> at this point, i'm checking out genisoimage. Sources there should point me to something
17:32 < Luke-Jr> cfields: can you rename .iso to .dmg and have it work quietly? ;)
17:33 < sipa> just rename the .tar to .dmg *ducks*
17:33 < cfields> heh. the main thing with dmg is the convenience of dragging it to the applications shortcut
17:33 < cfields> i'd say users expect that, to the point of possibly being lost if it's not there
17:34 < Luke-Jr> cfields: but do you get that if you rename an iso maybe?
17:34 < cfields> Luke-Jr: no, that's scripted as part of the dmg-building process
17:34 < Luke-Jr> O.o
17:34 < sipa> scripted disk images
17:35 < sipa> what's next?
17:35 < sipa> object-oriented assembly?
17:35 < sipa> power over wireless ethernet?
17:35 < cfields> sipa: i guarantee you someone's hacked wireless charging pads to carry data :p
17:36 < cfields> aha...
17:36 < cfields> -getpid()				  = 12125
17:36 < cfields> +getpid()				  = 12158
17:38  * cfields starts with some LD_PRELOAD fun
17:47 < cfields> hah, got it
17:47 < cfields> i'm a moron.
17:51  * sipa doubts this
17:55 < cfields> heh, you'd be surprised
17:57 < Luke-Jr> ?
18:06 < phantomcircuit> i think there's a regression in master
18:07 < phantomcircuit> i have a 0.8.5 client connected to a server running master that keeps failing with "CheckBlock(): block timestamp too far in the future"
18:07 < phantomcircuit> BlueMatt, is the build bot working?
18:09 < phantomcircuit> gmaxwell, ^
18:21 < cfields> deterministic dmg up and running
18:22 < cfields> Luke-Jr: i assume you'll cut me some slack if the initial process isn't exactly pretty :p
18:22 < warren> cfields: too much of a headache.  <one hour later> done
18:23 < warren> cfields: so ... gitian .yml to build clang and whatever tools, tar it up and gitian.sigs that, use it as an input for another gitian .yml?
18:23 < cfields> warren: heh, was just a case of me being stupid
18:23 < cfields> warren: uses ubuntu's existing clang
18:23 < warren> which ubuntu?
18:24 < cfields> well, that part still needs to be investigated. I'm currently using a nightly build of llvm/clang, but I don't think it's actually needed
18:24 < cfields> (I'm on raring)
18:24 < phantomcircuit> nvm the clock is just wrong on the client
18:25 < cfields> i'll drop back to system packages and see what breaks
18:25 < warren> Gavin will enjoy a 4th gitian VM =)
18:25 < cfields> anyway, now that it's working, i'll start packaging it all up so it can be automated cleanly
18:26 < cfields> will be a few days i'm sure
18:27 < sipa> warren: i think Gavin will enjoy not doing OSX releases manually
18:29 < gmaxwell> phantomcircuit: your time/ timezone is wrong.
18:29 < gmaxwell> phantomcircuit: on the node reporting that.
18:29 < warren> sipa: I suppose the build-to-old-glibc goal really isn't that important.
18:29 < gmaxwell> it means you've got a block with a timestamp >2 hours in the future.
18:30 < phantomcircuit> gmaxwell, yeah i just fixed it
18:30 < phantomcircuit> it's weird that it stops the initial sync though
18:35 < Luke-Jr> [23:22:24] <warren> cfields: too much of a headache.  <one hour later> done <-- yeah, lol
18:35 < sipa> he clearly found some aspirin in that hour
18:36 < Luke-Jr> :D
18:53 < gavinandresen> warren solved the cross-compile-for-OSX problem?
18:54 < sipa> no, cfields did
18:54 < gavinandresen> ah, excellent!
18:55 < warren> gavinandresen: on your system where leveldb corrupts on mac, do you have time machine enabled?
18:55 < gavinandresen> warren: No, no time machine
18:55 < warren> there goes that theory
18:56 < phantomcircuit> gavinandresen, can you consistently cause a corruption?
18:56 < gavinandresen> phantomcircuit: no
18:56 < phantomcircuit> heh
18:56 < warren> some of the users can consistently reproduce it
18:56 < phantomcircuit> quick everybody run in circles
18:56 < warren> some users can't at all
18:56 < phantomcircuit> i wonder if it would be worth buying one of their computers...
19:02 < cfields> gavinandresen: you get leveldb corruption on current master?
19:03 < warren> cfields: yes, and 0.8.5 OMG3 which contains the same pathes
19:03 < warren> patches
19:03 < gavinandresen> cfields: last corruption I got was master as of about 1 Nov
19:03 < warren> cfields: the remaining corruption that users report when testing 0.8.5 OMG3 seems to happen during clean shutdown
19:03 < cfields> gavinandresen: built on which version?
19:04 < gavinandresen> cfields: I dunno, master as of 1 Nov
19:04 < cfields> gavinandresen: sorry, i meant which osx version
19:04 < gavinandresen> cfields: oh, OSX 10.7
19:04 < warren> cfields: 10.6.8 in our case
19:04 < warren> cfields: using xcode 3.2.6 (gcc, not clang)
19:05 < cfields> gavinandresen: i spent some time tracing the code last night, and really couldn't find much of anything that looks osx specific. I've started to wonder if it's a gcc vs clang thing
19:05 < cfields> hah!
19:05 < warren> cfields: the official bitcoin and litecoin releases are built on gcc
19:05 < cfields> another theory crossed off :)
19:05 < sipa> one thing maybe worth investigating is mmap vs io access to files
19:05 < sipa> iirc mmap is only used in leveldb on 64-bit platforms
23:05 < realazthat> gmaxwell: is it perhaps possible to send the verifier itself as the SCIP program
23:05 < realazthat> and instead of verifying the actual program,
23:06 < realazthat> you verify that the verifier ... verifies the hashes of the outputs of small sections of the program
23:06 < realazthat> like,
23:06 < realazthat> instead of running on the entire blockchain
23:07 < realazthat> P(B)
23:07 < realazthat> you chain P_i(B_i, S_i),
23:07 < realazthat> S_i being the state of P_(i-1) at completion
23:08 < realazthat> and the guy validates the signatures of this
23:08 < realazthat> and you verify that he verified each of them
23:08 < realazthat> then your T is T(verification)
23:08 < realazthat> mm
23:08 < realazthat> nvm that can still be a lot
23:09 < realazthat> I think you might be able to get sqrt(T) out of that
23:10 < realazthat> by splitting the blockchain into sqrt(|B|) for each B_i
23:15 < amiller> i think sqrt(T) is reasonable sure
23:15 < amiller> i'm trying to find papers that talk about lower preprocessing time
23:15 < amiller> i have two leads
23:16 < amiller> one is bootstrappable/recursive SNARKs
23:16 < amiller> http://eprint.iacr.org/2012/095.pdf
23:16 < realazthat> yeah I think this is one level of recursion
23:16 < realazthat> my idea
23:17 < realazthat> so, can a SNARK be reused?
23:18 < realazthat> or must each use of it have some sort of unique random challenge?
23:18 < amiller> and
23:18 < amiller> http://eprint.iacr.org/2013/229.pdf
23:18 < amiller> a snark can be reused yeah
23:18 < realazthat> ah ok cool
23:18 < amiller> basically think of it as compiling a circuit once
23:19 < amiller> and then you can choose different inputs to the circuit and then verify the whole thing in one step
23:19 < realazthat> mmm so why don't they build this recursion idea directly into it
23:19 < amiller> a circuit is like a C program except with all the loops unrolled, it's like definitely the *worst case* execution
23:19 < realazthat> so as to reduce the initial setup time
23:20 < amiller> maybe that's possible
23:21 < realazthat> it would slightly increase the poly's of the runtime I think
23:21 < amiller> i don't have a good intuition for how either of these two papers work
23:21 < realazthat> ah me neither, but I think I intuitively understand the recursion idea
23:22 < amiller> how is it not cheating though lol
23:22 < realazthat> what do you mean cheating?
23:22 < amiller> what is it you compile exactly in the first step
23:22 < amiller> how do you get larger computations out of it
23:22 < realazthat> oh I'll write it up
23:22 < realazthat> I have it on scrap paper
23:26 < amiller> In attempting to construct the reduction we seek, we encounter the following problem: an arbitrary
23:26 < amiller> machine M running in time t (on some input x) may in general use a large amount of memory (possibly as
23:26 < amiller> large as t), hence naïvely breaking its computation into smaller computations that go from one state to the
23:26 < amiller> next one, will not work: the resulting nodes may need to perform work as large as t (just to read the state).
23:26 < amiller> To deal with this obstacle, as a first step, we invoke a result of Ben-Sasson et al. [BSCGT12] showing
23:26 < amiller> how to use Merkle hashing to transform any M to a new, computationally equivalent, M′ that
23:26 < amiller> [...] memory and dynamically verifies its consistency. (See Remark 7.4.) As a second step, we can
23:26 < amiller> then engineer a compliance predicate for ensuring correct computation of M′, one state transition at a time.
23:27 < realazthat> oh yeah I haven't considered memory
23:29 < amiller> well lets just assume we have merkle utxo implemented so that there's no memory needed
23:29 < amiller> so validating a single *update* takes only log M time or so where M is some bound on the number of outstanding utxos at any time
23:29 < amiller> and validating the blockchain really just consists of T of those
23:30 < amiller> really the merkle UTXO isn't much different of a solution than the merkleization result [BSCGT12] mentioned up there
23:30 < amiller> i still don't see how to do the recursive combination yet
23:30 < amiller> we could compile a circuit that does a single update but then we'd need T of those proofs
23:31 < amiller> or if we unroll the loop then we can compile a circuit that does all T blocks at once but then that's a pain to preprocess (even worse than *linear* to preprocess)
23:31 < amiller> so i can't figure out how to read this recursive composition step if it actually gets us better than linear
23:33 < realazthat> http://codepad.org/bBPyKcWw
23:33 < amiller> i should try to understand this proof carrying data PCD and Ram Compliance Theorem which seem fundamental here
23:33 < amiller> obviously the goal is to write one tiny program that inserts/deletes one item into a utxo that has some maximum size like log(21e8) satoshis
23:34 < amiller> and then check a proof that any arbitrary number T of them are done correctly in sequence with only a single operation!
23:36 < amiller> ok no i don't follow this code
23:36 < realazthat> questions?
23:36 < realazthat> P' does the work
23:36 < realazthat> V' is what needs be verified
23:37 < realazthat> V' verifies that all the sigs that Pi produces are correct
23:37 < amiller> yes but it's not clear where the compilation occurs from this code
23:37 < amiller> the preprocessing step
23:37 < realazthat> you do preprocessing on V'
23:37 < amiller> SCIPVerify also requires compilation
23:37 < realazthat> yes
23:37 < amiller> if you give it different arguments
23:37 < realazthat> thats the recursive part
23:37 < amiller> so you SCIPVerify the SCIPVerify program
23:37 < realazthat> yes
23:38 < amiller> okay so that doesn't get you a cost savings
23:38 < Luke-Jr> wait, was there code for SCIP released? :o
23:38 < gmaxwell> 20:19 < amiller> a circuit is like a C program except with all the loops unrolled, it's like definitely the *worst case* execution
23:38 < gmaxwell> ^ no, that is _NOT_ how Eli's stuff works.
23:38 < amiller> yeah ram compliance theorem and whatnot
23:38 < gmaxwell> Yea.
23:39 < gmaxwell> That's why it's log() instead of quadratic (or exponential) in the program size on the prover.
23:41 < realazthat> amiller: why do you say it doesn't get a time savings?
23:41 < amiller> well if i think of this  SCPVerify as working just on circuits
23:41 < amiller> then the problem is that the SCPVerify function itself has to have a worst case running time
23:41 < realazthat> you break P into sqrt(|B|) pieces
23:41 < realazthat> yes even so
23:42 < realazthat> mmm wait
23:42 < amiller> so if it is able to take itself as input
23:42 < realazthat> well SCIPVerify runs in O(|s|) time
23:42 < amiller> then it can't process itself using less gates than its own size
23:42 < realazthat> mmm
23:43 < realazthat> er
23:43 < realazthat> O(s)
23:43 < realazthat> yeah that would make it seem impossible
23:44 < realazthat> well wait
23:44 < realazthat> then there would be two slightly different versions of SCIPVerify
23:44 < realazthat> SCIPVerify(Pi) << this would be hardcoded in the one used in V'
23:44 < realazthat> it runs in O(s) time
23:45 < realazthat> so V' runs in O(n*s) time, where s = |P|
23:46 < realazthat> if n = sqrt(|B|) and P runs on B (blockchain) T \in O(|B|), and Pi runs on a section sqrt(|B|), and Pi \in O(sqrt(T))
23:47 < realazthat> so V' should run in O(sqrt(|B|)*s)
23:47 < realazthat> am I making zero sense lol
23:48 < amiller> zero sense proof
23:48 < amiller> nah that might make sense
23:49 < amiller> so there's code about to be released by microsoft research for SNARKs
23:49 < realazthat> oh cool
23:49 < amiller> but like you have to feed it circuits and so it's kind of a ridiculous game of unrolling loops and proving to the compiler that you use bounded ram and bounded time and such
23:50 < amiller> so this proof carrying data concept is i think different
23:50 < amiller> but builds on it
23:50 < amiller> in which case maybe this is possible after all i guess
23:50 < realazthat> mmm
23:50  * realazthat wants codes to play with
23:52 < amiller> Coming... This Summer... The Fancy Crypto Drama you've been waiting for
23:52 < realazthat> lol
23:53 < amiller> Faster Verification! Shorter Proofs! Zero Interaction!! and *ZERO KNOWLEDge*
23:53 < gmaxwell> I hate the culture around movies we have: there is so much _super_ interesting stuff we can't make movies out of because we don't know how to show someone doing anything intellectual in a movie.
23:53 < realazthat> I've been thinking on ways to make a blockchain that does useful work, trades work jobs for coins, etc.
23:54 < realazthat> gmaxwell: mmm
23:54 < amiller> right on realazthat that's my favorite overall thought
23:54 < gmaxwell> "quick, cue the photomontage of sciency shit" "fuck, they're doing crapytography, there is nothing to show but paper!"
23:54 < realazthat> Traveling Salesman
23:54 < realazthat> haven't watched it though
23:54 < amiller> lol Traveling Salesman the Musical
23:54 < realazthat> http://en.wikipedia.org/wiki/Travelling_Salesman_(2012_film)
23:54 < realazthat> lol
23:54 < amiller> everyone's sad when he leaves because they know he wont ever be back again
23:54 < gmaxwell> yea, I'm aware of that movie, haven't found a way to see it.
23:55 < gmaxwell> hahah
23:55 < realazthat> gmaxwell: same haha
23:55 < gmaxwell> amiller: plot twist: the optimal path was also a hamiltonian!
23:57 < realazthat> mmm someone get eli into this channel :P
23:57 < realazthat> or #bitcoin-dev
23:58 < amiller> aahahahah that is a good plot twist
--- Log closed Sun Jun 02 00:00:57 2013
--- Log opened Sun Jun 02 00:00:57 2013
00:01 < amiller> well he was really clear about encouraging people to email him if interested :)
00:01 < realazthat> I have
00:01 < realazthat> thu night
00:03 < realazthat> and he just responded!
16:43 < gmaxwell> uh. I'm just realizing that debating the scalability stuff probably shouldn't be done in a not very public IRC channel, and we should probably avoid doing that in the future. (not sure it should be done in bitcoin-dev either, as it wasn't a near-term technical discussion)
16:45 < BlueMatt> gmaxwell: political discussions over irc are impossible, over email they are significantly worse...
16:45 < zooko> Maybe post logs of this channel? Few would read them. I wouldn't.
16:45 < zooko> But at least they'd be out there.
16:45 < gmaxwell> zooko: doesn't really solve my concern. I'm not the sort to believe that a log no one would read addresses transparency.
16:46 < BlueMatt> having them in bitcoin-dev makes sense
16:46 < gmaxwell> (I mean, fine to do that too as far as I'm concerned)
16:46 < BlueMatt> and its not like we're gonna do anything tomorrow
16:46 < BlueMatt> things will happen on the ml long before anything real happens
16:46 < gmaxwell> BlueMatt: yea, I think bitcoin-dev is okay so long as we can stop the discussion when something currently important comes up.
16:47 < BlueMatt> well, at least get community input for important topics long before merge
16:47 < BlueMatt> though, again, anything non-technical is impossible over irc and significantly more impossible on a ml
16:47 < BlueMatt> it would be ideal to do face-to-face, like...at a conference
16:47 < gmaxwell> Sure sure. I just generally don't want to be in the habit of having multi-party discussions of things with real impact in private.
16:48 < BlueMatt> bitcoin-dev is probably fine, the people going there to ask noob questions shut up when real discussions happen
16:48 < gmaxwell> (it's really seductive to create your little private channels and only invite in the people you agree with ...)
16:48 < BlueMatt> obviously, hence bitcoin-dev
19:45 < sipa> hmm, even my 0.8.2rc1 instance needs several seconds for a getblocktemplate
19:45 < gmaxwell> sweet.
19:46 < sipa> ~ 2400 transactions in mempool
19:46 < warren> sipa: p2pool folks are increasing mintxfee up a bit to reduce GBT latency
19:51 < gmaxwell> fast here but I keep restarting my node for testing.
19:53 < sipa> right after restart it's 0.04s
21:27 < sipa> ok, removed free relay policy and dust check, and made my node send mempool command to peers at connect time
21:27 < sipa> instantly mempool size > 4000
21:28 < sipa> made a few improvements to CreateNewBlock too... still GBT latency is 0.4s
21:29 < sipa> but not 5s as it was before restart (though that may have been a more complex mempool)
21:29 < gmaxwell> seems very weird.
21:30 < gmaxwell> Very deep unconfirmed chains now?
21:31 < sipa> no idea
21:31 < sipa> what is weird?
21:31 < gmaxwell> 0.4 seconds is high compared to what I thought it had previously been.
21:32 < sipa> well, given my dust and free relay policy are turned off, i may have a pathological mempool now
21:32 < gmaxwell> I seem to remember times like 0.08 seconds but it's been a few months since I was watching it.
21:32 < sipa> i should check without the optimizations i just did
21:32 < gmaxwell> okay. true.
21:32 < warren> p2pool users on 0.8.2rc1 were reporting GBT latency as high as 11 seconds
21:32 < warren> until they bumped up mintxfee
21:33 < gmaxwell> well I _know_ it wasn't that slow last week. Because I often run it from the commandline to answer questions about txn delays.. and I would have noticed 11 seconds.
21:34 < warren> perhaps it was at a particular time during the battery horse staple protest
21:34 < warren> I'm just repeating what I read.  I wasn't using bitcoin at that time.
21:36 < sipa> retrying now without the improvements i did
21:36 < sipa> (there were some unnecessary CCoins copies, and an unnecessary cache layer)
21:43 < sipa> 11s !
21:46 < sipa> 21s !
21:47 < sipa> poolsz 5000
21:52 < sipa> again on the improved version: 0.6s with poolsz > 5000
--- Log closed Tue May 21 00:00:09 2013
--- Log opened Tue May 21 00:00:09 2013
01:17 < warren> sipa: when are you flying back home?
03:52 < sipa> warren: 31st
08:12 < warren> I ran out of time.  switching back to openssl for now.  I just need to get this done.  I'll get back to secp256k1 later.
08:13 < warren> Aside from the wallet.dat privkeys rejected by secp256k1, there is some other database related corruption from my secp256k1 gitian builds. I am unable to reproduce it on fedora 18, but it happens often on Ubuntu 12.04.  An identical build with openssl has no issue there.
--- Log closed Tue May 21 14:27:17 2013
--- Log opened Tue May 21 14:29:11 2013
20:45 < gmaxwell> anyone want to take bets on freicoin's new control system being unstable? :P
20:49 < warren> gmaxwell: URL?
20:49 < gmaxwell> see conversation in #bitcoin-dev
20:49 < warren> is there a log somewhere?
20:50 < warren> gmaxwell: I'm halfway through regression testing a rebase of litecoin.  the litecoin lolbertarians are upset about me "taking away our independence from bitcoin".
20:51 < gmaxwell> warren: rot13 all the variable names to make it independent?
20:51 < warren> gmaxwell: that might make it hard for the 10 new clone coins a week to understand litecoin code.
20:51 < sipa> also, swap a's and e's
20:52 < warren> OTOH, they don't actually change anything, so that may not make any difference.
20:52 < jgarzik> ;p
20:53 < warren> I'm slowly introducing every crazy anti-spam idea I can think of.
20:53 < gmaxwell> warren: remove the block size limit while you're at it in order to test out suppositions about bitcoin scalability for us. :P
20:54 < warren> gmaxwell: I was considering removing the soft limit because the onerous fees have discouraged people from filling the blocks anyway.
20:55 < gmaxwell> makes sense, but why not remove the hard limit too and just add a bit of code to prefer to build on blocks that are smaller?
20:55 < warren> prefer in what way?
20:56 < sipa> when comparing a new block to the best chain, consider it better if the work is equal but smaller
20:56 < warren> Hmm, if I remove block size limits, then doesn't that remove the > 50% preference for higher than minimum fees?
20:57 < gmaxwell> No one knows. Some credible and trustworthy people argue that removing the limits is completely viable and would like to do it in bitcoin very soon. (where very soon is like.. a year or two)
20:57 < warren> I've read those writings by "credible and trustworthy people", and I disagree with them.
20:58 < sipa> you're not alone
20:58 < sipa> (then again, they aren't either)
20:58 < gmaxwell> I'm a chicken and don't agree but I must confess that my position is dominated by an absence of evidence rather than evidence that disproves their positions.
20:59 < gmaxwell> I don't think Bitcoin can afford to get it wrong, however. I think it's more likely that litecoin can.
20:59 < gmaxwell> OTOH litecoin isn't a great test because we might never get a useful answer.. not enough usage.
20:59 < warren> I was also putting secp256k1 into test builds for the small private QA group just to give it more test exposure.  Nobody has managed to artificially create a new wallet with 0.6 that causes secp256k1 to fail, but 80% of old wallets with lots of keys and transactions have trouble with secp256k1.  none of them are willing to share their wallet.dat though.
21:01 < warren> (It bombs out immediately with: init message: Loading wallet...\n Error reading wallet database: CPrivKey corrupt \n Error reading wallet database: CPrivKey corrupt \n Error loading wallet.dat: Wallet corrupted
21:01 < sipa> warren: can i see the code?
21:01 < warren> sipa: yes, hold
21:02 < warren> It's in a hidden github repo, I don't have access to grant permission.  would a diff be ok?
21:02 < sipa> i prefer to see it entirely
21:02 < sipa> as i have no clue what other changes litecoin has or hasn't
21:02 < warren> let me figure out where I can put it where it remains private
21:04 < warren> sipa: please provide me your ssh pubkey at a URL I can grab
21:05 < sipa> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOGWpqoVnJ0IrKARDDrSKbdoyCQonG+fAUX8XNhgO7VTkUfOAnqByVh6xG1RfzNI1UiE3AG3lv3cB2Pyz43cRzc=
21:05 < warren> hah.  my server can't do ecdsa
21:05 < gmaxwell> ^ thats part of the point for him in changing out openssl!
21:05 < warren> exactly
21:05 < sipa> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxs4zxmvGrtdtzCFrEyVhaxj/nB29TrcExZzqLhb8pZK+7zl3njGUbVNf3HZ3EgTVDyfSZsw44qNIwAg4XeWllIy/h8bdLZoUgd53Y1J3vJu+CNwZqw+4lKZG7Wj2bzSD+DM/GmreEbqtDuFLG5gnO8FKssSuopWEzkSiA+8HXYOsRd9b3PdmwVJbGdULd5HKPe8wtWD1GLBag5rwOh6UiSZdD1zXvPNCOLPRs1tk64bmJ1ntHckEp4MiZxvTE1tahldd4OG5uEsnOW7+T89hBtE7RPEe6B2Te62Evw16RqI/QCh0Jr6XWz1So0oTsAO+rQ3opE2SkNUl0kwx1XbUew==
21:06 < warren> well, i tried to rebuild Fedora 18's openssl with ecdsa yesterday.  It needs patching to actually build.  jgarzik said he gave up on it.
21:06 < gmaxwell> really? ... weird! did you replace the tarball?
21:07 < warren> yes
21:07 < warren> it's all the fedora patches on top of it that complicate it
21:07 < sipa> do you need those patches?
21:07 < warren> probably not.  I haven't tried removing them all yet.
21:07 < gmaxwell> The procedure is to replace the openssl tarball with the matching one from the site (the one fedora gives is gutted), comment out the patch in the spec, and then remove the no-ecdsa stuff in the configure line.
21:08 < gmaxwell> I just did the latest F17 ones the other day without issue. I don't yet have a F18 host so I haven't tried that.
21:08 < warren> Yeah, it bombs out with missing references to ecdsa stuff from fipscanister.o
21:08 < warren> F18 has a rebased openssl
21:08 < gmaxwell> :-/
21:08 < jgarzik> gmaxwell, not that easy anymore.  Now makefiles require patching
21:09 < warren> jgarzik: you switched to Ubuntu now? =)
21:09 < jgarzik> that plus EFI #fail forced me onto Ubuntu
21:09 < jgarzik> :(
21:09 < warren> =(
21:09 < warren> I wonder how many users/developers bitcoin lost in these past years over this.
17:56 < gmaxwell> I had an ex-gf that went through two years of having a damn hard time getting hired. Then she'd been working for a place as a contractor for some time, and they wanted to bring her on full time; when they checked her references, the national drug store chain she worked for for four years, told them that she had only showed up for work for two days and ... turned out that there had been someone else in another state wit
17:56 < sipa> another state wit[...]
17:56 < gmaxwell> with the same name.
17:57 < sipa> hint: /script load splitlong.pl
17:57 < gmaxwell> so anytime a prospective employer checked her references they got told that her biggest block of employment on her resume was a lie.
17:57 < sipa> right...
17:57 < gmaxwell> Thanks, dunno how that got unloaded.
17:57 < petertodd> sheesh, you can see why in some places the law is such that all companies really can do is confirm that you worked there
17:58 < petertodd> though that has its own problems...
17:58 < gmaxwell> petertodd: normally you'd consider confirming duration to be pretty safe. It really sucks that this caused her problems for _years_ and we had no idea.
17:59 < gmaxwell> in any case, all kinds of boring ways for things to go wrong, so it pays to find out why if you can.
18:00 < jgarzik> gmaxwell, that's pretty smart RE Dwolla response, btw, done ;p
18:02 < petertodd> gmaxwell: Kinda reminds me of how when my brother applied to join the air force, they lost his application, but the record of him applying was in their system, so every time he called to ask how it was going they said it was still in processing...
18:03 < petertodd> gmaxwell: He worked at a call center at the time, and he spent his whole lunch hour every day for about two months calling them over and over again until finally they got annoyed enough that they asked the actual processing department, who of course said they had never got it.
18:04 < sipa> i've been told about cases where the recruiter who was supposed to tell a candidate about the outcome of their job application, had left the company
18:04 < petertodd> human systems often have remarkably bad error handling...
18:05 < petertodd> sheesh
18:06 < petertodd> I actually had the opposite of that happen to me kinda: I got hired to be the electronics lab night shift monitor at uni, and somehow no-one ever told my boss I had been hired, and being night shift I never had any interactions with him...
18:06 < sipa> so some day: "who are you?"
18:06 < petertodd> exactly!
18:07 < petertodd> it also made very clear how people had been stealing thousands of dollars from payroll through fake time sheets...
18:36 < jgarzik> "Please enter the address that can be found on your current photo ID"
18:36  * jgarzik just moved and got a new photo ID; that might be possible cause (c)
18:37 < jgarzik> The System wants my old address
18:37 < jgarzik> perhaps
18:39 < Luke-Jr> wtf is NEL?
--- Log closed Wed Aug 14 00:00:47 2013
--- Log opened Wed Aug 14 00:00:47 2013
--- Log closed Thu Aug 15 00:00:53 2013
--- Log opened Thu Aug 15 00:00:53 2013
09:50 < realazthat> http://www.scipr-lab.org/
09:50 < realazthat> SCIP website is up
09:50 < realazthat> and I am still working on LLVM backend
13:41 < gmaxwell> realazthat: their site is broken on IPv6. :P
13:41 < petertodd> gmaxwell: ? worked for me
13:43 < realazthat> heh dunno
14:37 < gmaxwell> realazthat: oh, so the proofs are smaller in this final version of the paper than I'd thought from the draft.
14:37 < gmaxwell> They are saying the proofs are 2576 bits for 80 bit security.
14:38 < realazthat> mmm
14:38 < petertodd> that's pretty small!
14:38 < realazthat> that is good then
14:41 < gmaxwell> yea, it's 12 group elements, but they are G1 elements which are 184 bits. (I think I'd figured the size I'd concluded from them based on their G2 elements or something)
14:50 < gmaxwell> the keys are larger, of course.
14:52 < gmaxwell> I'm not actually sure how big they are,  they say n+2 G1 elements, plus 6 G2 elements  (184 bits for g1 elements, 550 bits for g2 elements)
14:52 < petertodd> so what's a group element mean?
14:53 < gmaxwell> EC points.
14:54 < petertodd> huh, how does that work?
14:56 < gmaxwell> but I'm not clear what N is there, they give an example with a computation which is 1105 instructions takes 11,001 steps and the verification key is 9 G1s + 6 G2s or around 5000 bits.
14:58 < gmaxwell> petertodd: I'd tell you to read the paper, which you should. But really you have to read all the papers it cites and all the papers they cite several levels back.  But basically it amounts to the proofs being proofs of arithmetic circuit satisfiability over a special EC field constructed to make the computation tractable.
15:00 < gmaxwell> In any case, the paper on the site is intended to give you an engineering view of the system.
15:00 < gmaxwell> It's not perfect for that purpose, but you should actually read it.
15:04 < petertodd> will do then
15:04  * petertodd shouldn't have gone to art school
15:05 < petertodd> Sounds like it's one of those things where a "simple explanation" just doesn't cut it yet. :)
19:28 < gmaxwell> petertodd: they didn't teach abstract algebra in art school?
19:33 < petertodd> gmaxwell: yes, but it's called post-modernism there
19:33 < petertodd> also, there's only one thing to learn really: bottom == post-modern
20:09 < gmaxwell> Luke-Jr: you might want to look at their tinyram spec, http://www.scipr-lab.org/system/files/TinyRAM-spec-0.991.pdf  since you have some interest in emulators and such.
20:37 < gmaxwell> ah the n+2 is the number of words in the public input to the verification program.
--- Log closed Fri Aug 16 00:00:59 2013
--- Log opened Fri Aug 16 00:00:59 2013
21:33 < gmaxwell> So, we've mused about how SCIP could give us provable checkpoints, well except for the fact that the program execution for validation of the blockchain is currently not practical with existing systems.
21:34 < gmaxwell> Consider this: the SCIP validator is pretty fast, within the general order of magnitude of what we could have in a block (it's perhaps as expensive as 1000 checksigs).  You could send txouts to a proof verification key.  Okay nothing amazing here other than giving you superpowered scripts.
21:35 < gmaxwell> Except the proof verification key could actually be validating a long chain of off chain transactions, potentially transactions in another blockchain, and then returning the output values to bitcoin.
21:36 < gmaxwell> so this is kind of like zero coin, except you could have long chains of transactions hidden under the proof.
21:40 < gmaxwell> e.g. I could pay 1 BTC to alice, under plus an anti-replay timestamper oracle which prevents replaying an ID number but is otherwise blind to the txn. And then alice could pay to bob (and get timestamped). and bob could pay to charlie.  And then charlie could take this transcript (the ecdsa validation and the timestamps that prove no double spends), run the SCIP prover on the transcript,  and recover the bitcoin.
21:42 < gmaxwell> It's zero knowledge (the transcript is aux input), so the public doesn't learn anything about the chain of transactions... and also has the benefit of compressing a potentially long transaction history into a single result.
21:48 < gmaxwell> or you could replace the timestamper oracle with SPV proof on another blockchain. Your bitcoin becomes a colored litecoin satoshi, you make a bunch of plain litecoin transactions, and then assemble a bunch of litecoin SPV proofs, and a number of additional headers, prove it, and the bitcoin reemerges in bitcoin.
21:49 < gmaxwell> (e.g. what some people have proposed doing for cross chain transactions, but compressing all that data under SCIP to avoid sticking hundreds of kilobytes of data into the global blockchain)
21:50 < gmaxwell> So whereas ZC creates scaling concerns in exchange for improved fungibility, this thing solves scaling concerns and improves fungibility as a side effect.
21:54 < gmaxwell> One challenge is that the upper limit of input size and computation for SCIP must be established when computing the verification key. So the colored coin thing would be a bit weird because you could only go so many hops before you could no longer recover the coin.
23:15 < jgarzik> petertodd, The first SIN software has appeared,
23:15 < jgarzik> https://github.com/gasteve/node-libcoin
23:15 < jgarzik> SIN.js makes a bitcoin-address-like thingy, according to protocol spec
23:15 < jgarzik> SINKey.js generates an EC key for use w/ SIN
23:16 < jgarzik> This, therefore, is the original SIN,
23:16 < jgarzik> jgarzik@pum:~/node_modules/libcoin$ node sin-test.js
23:16 < jgarzik> { created: 1376709207,
23:16 < jgarzik>   priv: 'bc65f94b4142be3c6c0b02b33dab3775a829fc1f60e484e7d4ea64e2f421cdc4',
23:16 < jgarzik>   pub: '029381bcb36358e58842431981a01742d494970a245c8f5c77874bbbde8fb25a9b',
23:16 < jgarzik>   sin: 'je9eFspuTC29yhUqGqzEYwWmVTJRS9nWEkA' }
--- Log closed Sat Aug 17 00:00:08 2013
--- Log opened Sat Aug 17 00:00:08 2013
01:14 < jgarzik> or, perhaps, after some shed-painting,
01:14 < jgarzik>  { created: 1376715876,
01:14 < jgarzik>         priv: 'db25473a599ad99db89616da536be066ea58825a6cd9b17e90b70b824e0daea6',
01:14 < jgarzik>         pub: '0346891919f18000be1c9aae381b93870f7dcf807c4f581e2b64dcd547342f70b8',
01:14 < jgarzik>         sin: 'Tf86BqNWrnyn117U7N7Vc1sAUfKc2esd4z3' },
01:15 < jgarzik> petertodd, changed the base58-encoded prefix to 0x0F
01:39 < jgarzik> https://en.bitcoin.it/wiki/Identity_protocol_v1
21:17 < realazthat> mmm cool
21:17 < realazthat> I am still working on TinyRam backend for LLVM
21:17 < realazthat> making an LLVM backend is annoyingly hard
21:17 < realazthat> even though TinyRam is simple
--- Log closed Sun Aug 18 00:00:14 2013
--- Log opened Sun Aug 18 00:00:14 2013
23:15 < amiller> i ran into ben laurie finally
00:31 < realazthat> 2. how many competitors will split the money with you? A: only way to know is to look at the current power directed at this problem
00:31 < realazthat> ie. look at the power beforehand
00:32 < realazthat> gmaxwell's idea is implemented some version of this type of market will happen
00:32 < realazthat> they might use some other incentive, a more stable/predicted one than I suggested
00:32 < amiller> okay so
00:32 < amiller> how do you look at the power directed
00:32 < realazthat> regardless of mining ideas
00:32 < amiller> this is a big thing i'm interested in with bitcoin
00:32 < amiller> is more realtime info about how hash power is allocated
00:32 < realazthat> you look at the last time this program was offered as a job,
00:33 < amiller> right now you get one sample every 10 minutes
00:33 < realazthat> and you see how many people split the money
00:33 < amiller> are the programs offered according to a fixed schedule
00:33 < amiller> that could help sure
00:33 < realazthat> lets say .. yes
00:33 < amiller> okay
00:33 < amiller> the program could always be split into smaller parts
00:33 < amiller> and those parts would be individually payable
00:33 < amiller> the finer grain you split it the more reliable the estimates are
00:33 < amiller> same with bitcoin mining, it's why people join pools
00:33 < realazthat> yes
00:34 < amiller> the only reason not to split it super fine grain is because of communication overhead
00:34 < realazthat> oh well wrt pools, I had some ideas of trying to support pools as a first class citizen
00:34 < amiller> but other than that the finer you make it the more painless it is for everyone involved
00:34 < realazthat> yeah
00:35 < realazthat> a better solution to making multiple workers do the same job maybe
00:35 < realazthat> hmmm
00:36 < realazthat> ok what about a legit lottery
00:36 < realazthat> this would cloud the chain with a ton of txs perhaps
00:36 < realazthat> but lets go with this a sec
00:36 < amiller> sure
00:36 < realazthat> in order to take a job,
00:36 < realazthat> you have to give a certain amount of btc
00:36 < realazthat> to the pool
00:36 < realazthat> lol mixing a lot of concepts here
00:37 < realazthat> ok
00:37 < realazthat> lets also fix jobs to a T
00:37 < realazthat> so that we know the size at an interval
00:37 < realazthat> and everything happens in intervals
00:38 < realazthat> ok so the only reason to actually have "mining" in such a market,
00:38 < realazthat> is to introduce new coins
00:38 < realazthat> because,
00:38 < realazthat> you can really do away with winning coins
00:39 < realazthat> and just have the winner of the mining lottery (not this new lottery) mint the new block in exchange for the tx fees; and he is chosen by lottery of workers
00:39 < realazthat> mmm so let me think
00:39 < realazthat> ok, so here goes
00:39 < realazthat> lets redo this, forget this lottery concept
00:40 < realazthat> 1. units of work are offered
00:40 < realazthat> 2. workers choose their units of work and complete them
00:40 < realazthat> 1.a assume all the units take ~10 mins or less
00:42 < realazthat> 3. worker results in an answer R + sig(R,P)
00:42 < realazthat> if H(sig(R,P) + R + B) < difficulty, then the worker wins
00:42 < realazthat> and mints the coins
00:43 < realazthat> in addition
00:43 < realazthat> all those who worked get half the winnings
00:43 < realazthat> split among them all
00:43 < realazthat> now only issue is, bluff posts of work
00:43 < realazthat> it needs to cost to post work
00:46 < realazthat> so that is easily solvable I think
00:47 < realazthat> workers who finish on time split the post for their program at the end of the block; if they completed on before the winner
00:47 < realazthat> so it is a bit risky
00:47 < realazthat> you automatically get more money than regular bitcoin chain
00:47 < realazthat> because all work is paid for ... but only if you finish the work before the lottery winner
00:48 < realazthat> otherwise you hung out dry
00:48 < realazthat> so its a race to finish fast
00:48 < realazthat> which is good
00:49 < realazthat> this all assumes that all the programs are very strictly time bound
00:49 < realazthat> and all must take that long to run
00:49 < realazthat> upper and lower limit
00:49 < realazthat> this could be hard
00:49 < realazthat> I would like to think of adjustment that doesn't require all the different programs to be on interval, in sync
00:52 < realazthat> mmmk I should add this to my doc
00:52 < realazthat> these good ideas
00:52 < realazthat> prolly some big holes still
01:18 < amiller> eh i don't think any of that made much sense
01:18 < amiller> will look again tomorrow :o
01:18 < realazthat> lolk
01:18 < realazthat> I'll try to write up a doc
01:18 < realazthat> and make it public
12:17 < realazthat> mmm amiller, you were saying that it is good to be increment/very small jobs, ie. playing the lottery very often
12:18 < realazthat> why is that an advantage?
12:19 < amiller> because otherwise there's more uncertainty about how much you'll earn for any amount of work
12:20 < petertodd> SCIP idea: use it to prove to "SPV" clients for a proof-of-sacrifice based key-value map that a given view of history is in fact the one with the highest total sacrifice
12:21 < petertodd> If I understand things correctly, this is basically an extension of the idea of using SCIP to generate checkpoint hashes and prove they are correct.
12:22 < petertodd> Probably impractical given how SCIP is going to need a crowdfunded buy of, like, half of Amazon EC2, but it's an interesting concept none the less.
12:35 < realazthat> amiller: mm true indeed; I guess my idea for PoW would have to totally change the dynamics of the system, relying on the compute-market to drive computation/incentive
12:37 < realazthat> petertodd: mmm I don't totally understand the point of sacrifice lol
12:37 < realazthat> I wasn't following the key-value map ideas
12:37 < realazthat> in the chan
12:37 < realazthat> but I'll put in my list
12:38 < realazthat> but I understand what you mean about application of SCIP here
12:39 < realazthat> "probably impractical" - do you mean 'cause SCIP is probably practically slow?
12:39 < amiller> meh, we'll crowdsource the construction of scip proofs via the PoW
12:40 < realazthat> mmm but can u trust that
12:40 < realazthat> er
12:40 < realazthat> i mean, can you trust a 3rd party construction
12:41 < realazthat> anyway, eli confirmed that it might be possible to bring down the construction time via bootstrapping
12:41 < petertodd> realazthat: It's an alternative to proof-of-work basically
12:41 < petertodd> amiller: Sure, but this is an example where you'll want a lot of these proofs.
12:41 < amiller> well they build on each other actually
12:41 < petertodd> Ah, interesting, that may be good enough then.
12:42 < petertodd> I saw the SCIP talk in San Jose, but I don't pretend to understand much of it.
12:42 < amiller> so each block contains a proof that the previous block is valid, and given the validity of the previous block, we have an incremental proof that the current block is valid too
12:42 < realazthat> mmm I don't understand the math obviously lol
12:42 < realazthat> but I think I understand how it would work/ how to use it
12:42 < amiller> i might be overinterpreting it but i think that is really similar to the proof-carrying-data idea in the bootstrapping paper
12:43 < realazthat> mmm
12:43 < amiller> i actually don't think any of eli's stuff itself is so interesting, relative to the recursive SNARK paper
12:43 < realazthat> the way I posed it to eli,
12:43 < petertodd> amiller: I think that would work in this case. Basically you'd want to write a program that shows from block n to m the delta changes in the key:value map were whatever.
12:43 < amiller> right
12:43 < amiller> really eli's contributions are a) a ton of practical improvements which is great and b) you can simulate 'ram' by using merkle trees
12:44 < realazthat> mmm
12:44 < amiller> but at this point we are already used to working out the merkle trees ourselves
12:44 < amiller> or at least we don't assume we have 'ram', we assume we have k-v stores like leveldb
12:44 < realazthat> the practical is important though; because the recursive and bootstrapping stuff seems external to the "base" SNARK implementation
12:44 < realazthat> they can use any implementation, no?
12:44 < amiller> that's true yeah
12:44 < amiller> it's SNARK + blockchains and merkle trees basically
12:44 < realazthat> so I assume that eli would work on that next
12:45 < petertodd> huh, is there a laymans description of what a SNARK is somewhere?
12:45 < realazthat> no, the bootstrapping improvement can possibly be applied generically
12:45 < realazthat> petertodd: he describes it in the talk
12:45 < realazthat> which one did you watch
12:45 < realazthat> there are two of them
12:45 < realazthat> one is very easy
12:45 < petertodd> realazthat: the san jose one
12:45 < petertodd> haven't watched the more in-depth one he did at stanford yet
12:46 < realazthat> mmm yeah
12:46 < realazthat> that was the easy one
12:46 < realazthat> er
12:47 < realazthat> the san jose one was easy to understand IMO
12:47 < realazthat> its really simple, as a user
12:47 < petertodd> yeah, even I understood it :P
12:47 < petertodd> it turned SCIP into a blackbox you could reason about, like hash functions
12:47 < realazthat> right
12:47 < realazthat> exactly
12:48 < amiller> well SNARK is SCIP it's not really any different
12:48 < realazthat> Alice has a program P, you create an SCIP proof for it, give it to Bob, he runs P, and produces a sig(P), and result
12:48 < amiller> the difference i think is that SCIP is about RAM computations (using merkle trees) and SNARK is just about circuits
12:48 < amiller> SCIP is also his name for the whole practical project which includes a gcc compiler
12:49 < amiller> SNARK is a blackbox
12:49 < realazthat> a compiler and a vm
12:27 < jtimon> I thought that maybe the payer could provide the proofs necessary for the SPV recipient to validate them only looking at the current Txin set
12:28 < jtimon> so the "only first txin goes into the txin set" validation, which is the only validation done, could be enough
12:28 < jtimon> it is very possible that I'm misunderstanding something
12:29 < petertodd> right, but remember in that scheme a step back isn't verified by anyone
12:29 < petertodd> OTOH with scip...
12:29 < jtimon> sorry what was otoh?
12:30 < fagmuffinz> gmaxwell, you're full of nuggets
12:30 < petertodd> I mean, with SCIP you can prove the previous history of the txout followed the rules without providing it
12:30 < jtimon> on the other hand, ok
12:31 < jtimon> so you could actually have spv nodes with this minimized central validation
12:32 < jtimon> the main problem I see is that the TXI set grows forever
12:32 < jtimon> by "central" I meant in-chain
12:33 < jtimon> this minimized in-chain validation
12:34 < jtimon> if I understand correctly, miners only receive inputs and validate the following:
12:34 < jtimon> if it is already in TXI, do nothing, otherwise, insert in the TXI tree
12:35 < jtimon> is that right?
12:42 < fagmuffinz> Can you guys get me up to speed on hashcash?
12:42 < fagmuffinz> I'm taking it this is kind of the gauntlet for ideas
12:45 < fagmuffinz> I'm moving through Zerocoin's paper right now
12:46 < petertodd> jtimon: right, that the txin set grows forever is a problem that I need to solve in some clever fashion :)
12:46 < petertodd> jtimon: after all, I mainly wrote that as a "hey! if we do this as yet undiscussed thing we get a system with different properties!"
12:47 < jtimon> Ihehe
12:47 < jtimon> I'm not sure I understand the structure of the committed inputs though
12:47 < _ingsoc> fagmuffinz: Which one?
12:47 < fagmuffinz> http://zerocoin.org/media/pdf/ZerocoinOakland.pdf
12:48 < jtimon> miners receive independent inputs with tx_hash, output_id and another hash?
12:48 < _ingsoc> Ah, right.
12:48 < fagmuffinz> Figuring out the mechanism still
12:48 < petertodd> jtimon: well, it's indexed by the txout:n being spent, and miners store the scriptSig + rest of tx hash basically
12:51 < fagmuffinz> Digital commitments
12:51 < jtimon> so the final hash lets you identify which inputs go in the same transaction, no?
12:51 < fagmuffinz> Things I haven't heard of
12:52 < fagmuffinz> I've written a simulation of Shor's circuit
12:52 < fagmuffinz> Haven't heard of this
12:54 < petertodd> jtimon: right, so it's still a totally committed set of hashes, but miners only are ensuring that the chain can't be changed, not what's in the tx's themselves
12:54 < petertodd> jtimon: and until a txout gets spent, it has no effect on the blockchain at all and no-one but the tx holder knows it exists in any fashion
12:55 < jtimon> yes, yes, just wanted to make sure I understood the structure
12:55 < petertodd> you do, I think :P
12:56 < fagmuffinz> And it's time to spend some more time with zero-knowledge proofs
12:56 < jtimon> so what about this for the evergrowing TXI-set...
12:57 < jtimon> in the TXI tree that is hashed each block
12:58 < jtimon> when you add a new input, you also store a refHeight with the block number in which the input appeared in the chain
12:58 < jtimon> when the refHeight + X = current block height
12:59 < jtimon> that input has to be removed from the TXI data structure
12:59 < jtimon> basically, inputs only stay in the chain for X blocks
12:59 < jtimon> that could be 100,000,000 blocks, but it's still better than ad infinitum
13:00 < jtimon> holders just have to move their funds from time to time
13:01 < jtimon> hmmh, but you only answered half of the fee question...why miners mine in this protocol?
13:05 < petertodd> jtimon: heh, I don't know all the answers yet :)
13:06 < petertodd> jtimon: but I gotta go - I'm at the darkwallet conf right now
13:06 < jtimon> ok, have fun
14:06 < maaku> jtimon: the better approach is to construct the TXI tree in such a way that no one needs (random access to) the whole structure
14:07 < maaku> then it doesn't matter if it grows forever
14:08 < warren> anyone know how long bitcointalk has been down?
14:08 < maaku> not more than an hour or two since I was just there
14:12 < jtimon> maaku, when a miner gets an input, he needs to check whether the input has already been published or not
14:13 < maaku> jtimon: yes, and the creator of the transaction could provide proof-of-not-inclusion along with the transaction
14:13 < jtimon> I don't know how can you construct the TXI tree the way you propose and still satisfy that validation rule
14:13 < maaku> so long as they maintain those proofs, the miner doesn't have to
14:13 < maaku> BUT, they do need random access to initialize the proofs for their as-yet unspent outputs when the create the transaction
14:14 < maaku> but they wouldn't if you use a merkle-mountain range
14:14 < jtimon> I got lost
14:15 < jtimon> how does the payer provide a non-inclusion proof to the miner?
14:15 < maaku> the payer provides for each input a path through the input tree showing that the input does not exist yet
14:16 < maaku> those same paths can be used to insert the input record into the tree, updating the root hash
14:16 < maaku> so the miner only has to store the root hash
14:17 < maaku> and the onus is on the payer to maintain the proofs needed to spend
14:35 < fagmuffinz> I return
14:37 < maaku> the problem, i believe, is that as presented the payer (or recipient) has no meaningful control over the hash of the new transaction, and therefore the portion of the tree needed for the proofs related to the new outputs
14:37 < maaku> proof-updatable UTXO trees suffer from the same problem
15:30 < HM2> ah sipa's back
15:30 < HM2> sipa, not retired yet?
15:32 < sipa> retired? :o
15:32 < sipa> maybe when i'm twice my current age or something...
15:32 < sipa> actually, not even
15:32 < Luke-Jr> lol
15:33 < HM2> Oh that's only you're well to do enough to live in to cryogenics :P
15:34 < HM2> sipa, could you remind me of your variable length integer encoding? I've been regoogling and can't come across it
15:34 < Luke-Jr> wtf, does *everyone* have their own varint encoding? :o
15:34 < HM2> Yes, but sipa's is best
15:35 < sipa> HM2: https://github.com/bitcoin/bitcoin/blob/master/src/serialize.h#L242
15:37 < HM2> ah that was it
15:37 < HM2> thanks
15:37 < Luke-Jr> why is it in bitcoind src? :o
15:38 < sipa> the chainstate uses it
15:38 < sipa> ultraprune started out as an experiment to see how small the chainstate could be encoded as
15:38 < Luke-Jr> i c
15:39 < sipa> there are some overkill things in it :)
15:39 < Luke-Jr> looks nice
15:39 < Luke-Jr> often I just abuse UTF-8 <.<
15:39 < Luke-Jr> of course, that's not remotely compact
15:39 < sipa> it is, for numbers with the right distribution :)
15:40 < Luke-Jr> sure, but not compared to yours
15:40 < Luke-Jr> or even protobuf's
15:40 < sipa> mine is for all intents and purposes the same as protobuf
15:40 < sipa> in encoding size
15:40 < sipa> but it's unique
15:40 < sipa> (and a tiny tiny bit smaller)
15:41 < Luke-Jr> oh, so you never use 0xff?
15:41 < Luke-Jr> could extend your range slightly if you did.. ;)
15:41 < sipa> it is optimal
15:41  * Luke-Jr looks at it in more detail
15:41 < sipa> every unique infinite sequence of bytes corresponds to a unique sequence of integers
15:42 < HM2> you'd have to zigzag encode it for signed ints
15:42 < HM2> right?
15:43 < sipa> yup
15:43 < HM2> but that's post/preprocess so not important at all
15:58 < HM2> hmm
15:59 < sipa> i just pushed a change to libsecp256k1 that makes it 1.3x slower :(
16:06 < Luke-Jr> why?
16:07 < HM2> sipa, timing leak?
16:07 < sipa> potential patent
16:08 < Luke-Jr> sipa: old code in #ifdef? :P
16:08 < sipa> yes
16:10 < Emcy_> who gets sued?
16:12 < HM2> #ifdef I_ACCEPT_THE_DISCLAIMER
16:12 < sipa> it's still there, via --use-endomorphism
16:40 < HM2> sipa, the comments on your serialization code are whack
16:40 < HM2> https://github.com/bitcoin/bitcoin/blob/master/src/serialize.h#L260
16:40 < HM2> 128-16511: 2 bytes
16:40 < HM2> then on line 260
16:40 < HM2> 16511: [0x80 0xFF 0x7F]
16:40 < sipa> ha!
16:41 < HM2> i thought the code was broke :|
16:44 < Luke-Jr> sipa: should be --enable-endomorphism :/
16:44 < Luke-Jr> (and will probably *need* to be to autotools it)
21:41 < Mike_B> people are panicking over this directory.io thing, i think it's hilarious :)
22:10 < midnightmagic> Mike_B: Hrm?  directory.io?
22:10 < pigeons> yeah check it out, funny
22:11 < midnightmagic> ok
22:12 < midnightmagic> ha ha ha!
22:13 < midnightmagic> "It took a lot of computing power to generate this database."
22:33 < gmaxwell> Mike_B: lol, link to panic?
22:34  * gmaxwell adds "it doesn't contain compressed keys! so if you use those you're safe!"
22:38 < Mike_B> haha
22:38 < Mike_B> it was mostly irc
22:39 < Mike_B> this guy tried to calm everyone down on reddit, but did it the wrong way: http://www.reddit.com/r/Bitcoin/comments/1ruk0z/dont_panic_directoryio_thing_is_fake/
--- Log closed Mon Dec 02 00:00:25 2013
--- Log opened Mon Dec 02 00:00:25 2013
00:43 < gmaxwell> so for those who haven't been watching, it appears someone may have used cloudflare's special relationship with a certificate authority to compromise even ssl access to bitcointalk.org.
00:44 < gmaxwell> There is a CA which will make a cert for any domainname pointed at a cloudflare IP in DNS and give it to cloudflare. So you get a really fast "change domain name" to "intercept SSL invisibly" escalation.
00:44 < gmaxwell> ISTM it would be pretty easy to reduce the risk of the existing CA infrastructure substantially with some help from bitcoin.
00:44 < BlueMatt> lol, wow
00:45 < gmaxwell> We could require that all CA's publish lists of all the certs they issue. And the lists get hash commitments in bitcoin. And then sites hand out certs with a proof that they were in the published list.
22:47 < gmaxwell> petertodd: I don't know that explicitly supporting that makes sense.. simply because you can just have the trusted hardware produce signed message regardless, even without support.
22:47 < petertodd> gmaxwell: I'm not sure either yet - strikes me that doing traces + monotonic counters could be very tricky, but it's worth looking into at least.
22:57 < petertodd> Anyway, I think the interesting part is more that with the model that you build up every part of the language from the forth primitives you make it very, very clear what code is actually being run. Equally, forth is already common in applications, IE spacecraft, where you need relatively bare metal languages with simple frameworks and semantics; note how
with forth it's much easier to get to the level where you trust that the code being run is what you actually wrote than, say, C.
22:57 < petertodd> It's fundamentally the same math wise as a tonne of other approaches, but forth makes what is going on very explicit.
22:58 < sipa> petertodd: type this: /script load splitlong.pl
22:58 < petertodd> ok, I typed rm -rf /, but it doesn't seem to be doing much
23:00 < petertodd> Anyway, I think the interesting part is more that with the model that you build up every part of the language from the forth primitives you make it very, very clear what code is actually being run. Equally, forth is already common in applications, IE spacecraft, where you need relatively bare metal languages with simple frameworks and semantics; note how
with forth it's much easier to get to the level where you trust that the ...
23:00 < petertodd> ... code being run is what you actually wrote than, say, C.
23:03 < petertodd> The actual implementation can be some tiny and primitive C kernel with static memory layout. Just be clear what the maximums are for the various parts of the stack. Dunno yet what the stack datatype should be, MPI's are nice but there is the subtle issue that it'd be good to have some clear idea of how many operations an operation takes. Of course, really
simple would be 32-bit ints and implement everything higher level in forth.
23:41 < jgarzik> go go Open Firmware
23:41 < jgarzik> the BIOS standard that should have won
23:42 < petertodd> for sure
23:43 < petertodd> With any luck some OpenFirmware TPM modules will become available and I won't actually make to write any code. :P
23:45 < jgarzik> OK
23:45 < jgarzik> Query results:
23:45 < jgarzik> Average block summary size: 8858.34
23:46 < jgarzik> That's block header + (vtx.size() * 32)
23:46 < jgarzik> does not include coinbase average size
23:48 < BlueMatt> ok?
23:49 < jgarzik> That's how big a UDP frame distributing block data would be
23:49 < sipa> you technically also need 1-3 bytes for the number of transactions
23:49 < jgarzik> nod
23:50 < jgarzik> call it 8858 + 4(n_tx) + 512(coinbase)
23:50 < jgarzik> I imagine 8-16 bytes of overhead would sneak in somewhere
23:50 < sipa> never 4
23:50 < BlueMatt> meh, average doesn't matter much since new blocks are so much bigger than average
23:51 < sipa> 1,3,5 or 7 :)
23:51 < sipa> eh, 1,3,5 or 9
23:51 < sipa> but i doubt any block has over 65535 transactions :D
23:52 < jgarzik> 8858+3+512+16 == 9389 bytes
23:52  * jgarzik wonders how much droppage that would cause, given that it is well over size to be fragmented across WAN
23:53 < jgarzik> To avoid fragmenting, you could only look at shipping smaller bits of useful data: block header only, small TX's, INV's, addresses perhaps
--- Log closed Fri Mar 29 00:00:11 2013
--- Log opened Fri Mar 29 00:00:11 2013
00:01 < jgarzik> I might just do a wholly separate service, a "UDP beacon"
00:02 < jgarzik> Clients send a simple message, subscribing to block header (block+tx list?) broadcasts over UDP.  Subscription lasts X seconds, after which, it must be renewed with another UDP request to the beacon server.
00:02 < jgarzik> Each block triggers a broadcast.
00:04 < jgarzik> Semi-related: tunneling SCTP over UDP: http://tools.ietf.org/id/draft-ietf-sigtran-sctptunnel-00.txt
00:05 < petertodd> jgarzik: ACK on UDP beacon
00:06 < BlueMatt> jgarzik: sounds like what I would think of udp as
00:18  * jgarzik retweets a bitcoin block header ;p
00:19 < petertodd> THAT'S HOW YOU DEFEAT TYRANNY!!!!!
00:35 < petertodd> jgarzik: re: uint256 for hashes in bitcoinlib, were you just trying to follow the C++ implementation?
00:35 < jgarzik> petertodd: specific code example / source file line#?
00:37 < petertodd> COutPoint is an example, where self.hash is deserialized to an integer and back again
00:39 < jgarzik> petertodd: It is helpful for the few cases where it matters as more than just a binary blob
00:39 < BlueMatt> how mature is libcoinc?
00:39 < jgarzik> petertodd: though TBPH, that was inherited from the original ArtForz mini-node
00:39 < BlueMatt> s/c?/?/
00:40 < petertodd> jgarzik: Yeah, I was going to change that back to plain bytes instances. Bitcoin has a ton of hashes involved and you're doing a lot of copying there.
00:40 < petertodd> jgarzik: Makes it easier to build up transaction too in a natural way.
00:40 < jgarzik> BlueMatt: my libccoin?  Unit tested, not much outside of that.  What it does, should be solid (famous last words).  You are more likely to find some missing pieces here and there.
00:42 < jgarzik> petertodd: oh yeah, it makes it a lot easier to print ;p
00:42 < petertodd> jgarzik: For instance with my code you can now do: CScript([OP_DUP, OP_HASH160, pubkeyhash, OP_EQUALVERIFY, OP_CHECKSIG]) and everything works as expected. You need to convert the hash back to bytes if it's an integer.
00:42 < jgarzik> petertodd: slower, but more pythonic
00:43 < petertodd> jgarzik: I think we've hit an edge case where "pythonic" can mean two different things. :P
00:44 < jgarzik> petertodd: pythonic == elegant python source, regardless of how slow under the hood
00:44  * jgarzik runs
00:45 < petertodd> jgarzik: Heh, well building up a transation the way you can now is IMO a lot more elegant than the previous CScript() thing.
00:45 < BlueMatt> what? is that not an accepted definition?
00:46 < petertodd> BlueMatt: What constitutes 'elegant' isn't clear-cut.
00:47 < jgarzik> petertodd: If you want to change everywhere to byte buffers, how would we test the change to see if anything breaks?
00:47 < jgarzik> :)
00:48 < jgarzik> would need print and comparison helpers (or perhaps just a convert-to-python-long helper)
00:48 < petertodd> jgarzik: Gee, I dunno, it'd be good if we had some unittests... :P
00:48 < petertodd> jgarzik: I did up h2b() and b2h()
00:48 < petertodd> jgarzik: You already have bytes to python integer.
00:58 < jgarzik> petertodd: BTW, seen this? https://github.com/samrushing/caesure
00:58 < jgarzik> petertodd: looks like he's doing some Cython work
00:59 < petertodd> jgarzik: crazy, the re-implementations never stop
00:59 < jgarzik> petertodd: that's actually pretty old
01:00 < jgarzik> petertodd: python-bitcoinlib's key.py came from there via a third party
01:00 < jgarzik> (see header)
01:00 < jgarzik> petertodd: I'm about to add base58 support, and was thinking of stealing it from there
01:00 < petertodd> jgarzik: huh, interesting
01:00 < jgarzik> petertodd: do you know of a better base58 source?
01:01 < jgarzik> https://github.com/samrushing/caesure/blob/master/caesure/proto.pyx#L53
01:01 < petertodd> jgarzik: hmm... no license specified
01:01 < petertodd> oh, wait, no I'm blind
01:01 < gmaxwell> jgarzik: that SCTP draft is dead, this one is very much alive: http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-dtls-encaps  and is already shipped in beta state to many millions of systems (in Chrome and Firefox).
01:01 < petertodd> jgarzik: Probably as good as any.
01:02 < jgarzik> gmaxwell: neat
01:02 < jgarzik> petertodd: groovy
01:03 < gmaxwell> the nice thing about using that draft: (1) you can copy webrtc code for all of it (including nat traversal), (2) you get censorship resistance because you look like webrtc.  ... downside: still connection oriented.
01:07 < petertodd> # having trouble understanding if there is a difference between: CHECKMULTISIG and P2SH. <- not a good sign
01:08 < gmaxwell> Which CTO in charge of technology for a hundred million dollar bitcoin business did that come from?
01:09 < petertodd> gmaxwell: lol, nah it's from yet another bitcoin reimplementation: https://github.com/samrushing/caesure
01:09 < petertodd> (more scary I know)
01:11 < petertodd> "I'm attempting to make this a full node, with tx verification etc...." "Script engine is mostly done. Needs some work on failing constraints like stack size, sig count, etc."
01:12 < petertodd> Oh, and it comes with a "drop-in replacement" for openssl...
01:21 < jgarzik> petertodd: ok, pushed
01:23 < petertodd> jgarzik: cool, lemme add some tests
01:30 < gmaxwell> sipa: oh, supposedly openssl's ECDSA signing adds the message to the randompool before generating the nonce.
01:36 < petertodd> jgarzik: prelims pushed; I'm off for the weekend
06:39 < warren> What's the number of tx's changed that causes a pre-0.8 reorg to fail again?
07:53 < sipa> warren: over 4800 affected txids in a single reorg is risky
07:57 < warren> sipa: the litecoin users finally noticed the reorg risk due to gavin's posting, and I'm thinking about the likelihood of an actual reorg attack succeeding within the next 3 months it will take coblee to upgrade the client as he doesn't think it is urgent.
08:01 < warren> sipa: their typical blocks have *at most* a few dozen tx's, and their standard fees are extremely high, so it would be expensive to artificially jack up the number of tx's in a number of successive blocks.  Then a reorg attack would need amazing luck to generate a valid attack block fast enough after the previous block containing just the right number of tx's.
The part I'm not sure of is the exact circumstances where an attack block would fail differently for some nodes in a reorg.
13:06 < phantomcircuit> jgarzik, i had to run earlier, in general the constituency has a lot of other issues they are worried about, but the principal matter representatives work towards is more pork for their district, if they also pass some social policy changes then maybe they beat the guy running against them who would also make pork their primary issue
13:06 < phantomcircuit> jgarzik, it's gotten to the point that they dont really need to campaign on it since it's implied
13:08 < phantomcircuit> jgarzik, iirc real estate holding companies like that would mean following sec guidelines that are doubly plus not fun
13:59 < jgarzik> phantomcircuit, not true, if properly arranged :)
14:00 < jgarzik> (RE real estate)
14:00 < jgarzik> Still have annoying investor DD, so far from anonymous, but thankfully no SEC reg
14:01 < phantomcircuit> jgarzik, unless you're transferring title to the investor they would need to be
14:04 < jgarzik> phantomcircuit, nope
14:05 < jgarzik> phantomcircuit, think multiple companies, multiple countries, annoyingly complex ownership structure
14:05 < phantomcircuit> sorry i accidentally some words
14:06 < gmaxwell> 10:59 < cjb> "github: we put the 'central' in 'decentralized revision control system'"
14:06 < phantomcircuit> jgarzik, they would need to be accredited investors and/or you would need to comply with the JOBS act stuff
14:06 < phantomcircuit> gmaxwell, lol
14:07 < phantomcircuit> jgarzik, im sure there are shenanigans you can play with offshore holding companies which they're invested in which in turn hold the domestic company
14:07 < phantomcircuit> thus the investors comply with the offshore rules instead of the domestic rules
14:07 < phantomcircuit> in general schemes like that work until they dont and then they tend to really not work
14:11 < jgarzik> gmaxwell, rofl
14:15  * jgarzik ambushes the channel with a new term, beta-testing it: http://imgur.com/P2G7670
14:16 < jgarzik> My thesis, after watching economists and computer scientists grossly misunderstand bitcoin, even after looking at it a while
14:17 < jgarzik> To understand why bitcoin works (or how it might fail), you must evaluate any thesis according to each of the three legs of the Satoshi Triangle:  economics, game theory and software engineering.  Most academics fail to take a holistic approach, and in doing so, wind up failing to understand why their "bitcoin is broken!" argument falls over.
14:18 < jgarzik> Really Smart People(tm) keep missing major facets of bitcoin, when they do their own research
14:18 < jgarzik> and thinking
14:19 < gmaxwell> I very much agree with your point. Invoking satoshi more makes me a bit sad. I think we do better without the satoshi mysticism in general, and people fixating on satoshi weakens us. </tangent>
14:20 < gmaxwell> I don't have any better names for the facets, not sure I'd choose that exact set of labels.
14:38 < jgarzik> gmaxwell, Modesty prevents me from calling it 'garzik triangle', and 'bitcoin triangle' seems rather boring.
14:38 < jgarzik> gmaxwell, IMO these are key facets that Satoshi figured out, so I thought it fair
14:38 < jgarzik> computer scientists are calling bitcoin tech "Nakamoto block chain" for example
14:43 < petertodd> gmaxwell: We should pay the NSA to come up with undeniable proof that Satoshi was a crack-addled alcoholic. Then again, Toronto's mayor is still in office...
14:43 < gmaxwell> "I was too drunk to know I was inventing a decentralized cryptocurrency."
14:44 < petertodd> lol
14:46 < phantomcircuit> lol
14:47 < sipa> "I was trying to come up with this absurdly complex pyramid scheme..."
14:47 < gmaxwell> "I'm not sure if I succeeded or failed"
14:47 < amiller> i'm not sure what you mean is the difference between economics and game theory
14:49 < sipa> amiller: atire
14:49 < jgarzik> I agree that economic incentives and game theory motivations are quite intertwined
14:49 < jgarzik> But from the PoV of a classically trained economist, who barely knows computers and prints out his email, I think the distinction matters
14:49 < amiller> swap one or the other for distributed systems & cryptography and i'd like it
14:50 < jgarzik> (1) Economics and game theory, (2) software engineering, (3) distributed systems & crypto ?
14:50 < amiller> sounds right to me
14:50 < petertodd> jgarzik: you forgot (4) sociology/political science
14:51 < adam3us> need a bitcoin.it wiki page
14:51 < jgarzik> petertodd, too meta
14:52 < jgarzik> want to avoid politics and ideology.  depending on your political bent, views range from "bitcoin is OBVIOUSLY political" to "keep your politics away from my bitcoin"
14:52 < petertodd> jgarzik: well you are talking to a guy whose most recent bitcoin-dev list post was a short near-future sci-fi post-modern narrative
14:52 < jgarzik> best not to go there
14:52 < jgarzik> P.S. I argue it is impossible to be post-modern
14:52 < petertodd> See, seriously speaking where politics comes into it is the nature of changing the system itself; something that hasn't been deeply explored yet.
14:53 < petertodd> jgarzik: heh, my art school teachers would have argued the exact opposite
14:53 < amiller> it's post-impossible to be modern?
14:54 < petertodd> amiller: lol
14:54 < petertodd> amiller: Your recognition of the concept of modernity dooms you to forever be a post-modern man.
14:56 < jgarzik> petertodd, Yeah, but that's in art school, where they know nothing of engineering constraints imposed by reality.  ;p
14:57 < jgarzik> OK
14:57 < jgarzik> Revised: http://imgur.com/S4dTQOG
14:58 < petertodd> jgarzik: at least they don't pretend otherwise :P I quit industrial design after a year that included me having to argue a design for a "eco-friendly" lamp was physically impossible; couldn't get my teacher to understand the relevance of E_k = mgh...
15:00 < petertodd> heh, I like how software engineering != distributed systems, good
15:05 < phantomcircuit> petertodd, but but it's eco friendly!
15:07 < jgarzik> petertodd, to me "engineering" is the grubby parts of making things work, outside the world in which theoreticians exist
15:07 < jgarzik> some attacks are valid in theory, but just not practical for engineering reasons too annoying to detail
15:08 < petertodd> To me an engineer is just a theoretician who analyzes non-spherical cows too.
15:10 < maaku> petertodd: that's one approach to engineering. it's not always the best though
15:11 < petertodd> heh, ah, but see, the moment you assume a non-spherical cow, you very quickly either adopt good engineering practices, or give up and make the cow spherical again.
15:11 < petertodd> (or design bridges that fall down...)
15:19 < phantomcircuit> petertodd, brb genetically engineering a spherical cow
15:20 < petertodd> phantomcircuit: spoken like a true engineer!
15:23 < jgarzik> Any problem is solvable given sufficient time to debug.
15:29 < phantomcircuit> jgarzik, or the ability to modify the problems contraints
15:29 < phantomcircuit> constraints*
15:30 < jgarzik> phantomcircuit, I'm an engineer.  I am allowed to tell management that reality is interfering with their artificial, theoretical constraints.
15:30 < phantomcircuit> hehe
15:34 < phantomcircuit> is the disable wallet patch in master?
15:35 < jgarzik> phantomcircuit, yes
15:35 < jgarzik> wumpus pushed it over the finish line, while I was off dealing with family stuff
15:35 < maaku> phantomcircuit: while you're at it, make me a cuboid cow. easier to stack.
15:36 < midnightmagic> jgarzik: Yes, people do often misapprehend the nature of the scaling issues bitcoin has. https://twitter.com/midmagic/status/241845808201334784
15:36 < phantomcircuit> maaku, try japan they already make cuboid watermelons
15:36 < phantomcircuit> although something tells me a cow would object to being kept in a plastic box
15:36 < midnightmagic> "because it has to broadcast transactions, it's untenable"
15:36 < midnightmagic> `_`
15:37 < phantomcircuit> midnightmagic, "i have no idea what a gossip protocol is"
15:39 < midnightmagic> phantomcircuit: She's a tor dev. :(
15:40 < phantomcircuit> that is deliciously ironic
15:40 < sipa> midnightmagic: who?
15:41 < sipa> ah
15:42 < midnightmagic> sipa: The person who told me namecoin was useless as a distributed dns lookup because tx are broadcast thus hand-wavey "quadratic scaling problem".
15:42 < midnightmagic> maybe I'm misinterpreting.
15:43 < phantomcircuit> midnightmagic, she's missing that peers keep track of what they've told other peers about
15:43 < phantomcircuit> the communication protocol is basically O(n * m) for n = messages and m = peers
15:44 < phantomcircuit> but the actual chain storage is linear with transactions
15:44 < phantomcircuit> if you naively assume that every peer tells every other peer about everything
15:44 < phantomcircuit> then it is horrible
15:46 < midnightmagic> phantomcircuit: But the cost of doing those broadcasts successfully is significant (or it was before Vince screwed us all) so growth does not cause strictly quadratic growth in network communications overhead anyway, even leaving the blockchain itself out of it (which is ultimately very much more prunable than bitcoin's.)
15:47 < phantomcircuit> midnightmagic, the broadcasts should be fairly cheap with an inventory/getdata setup
15:47 < phantomcircuit> optimally each peer receives 8 inv messages, sends 1 getdata, and receives 1 data block
15:52 < gmaxwell> midnightmagic: One reason people assume quadratic communication is because they're not aware of the surprising result that expander graphs can have log radius while having constant degree. E.g. nodes can have some small _constant_ number of connections per node, but the distance to any other node can remain log in the number of nodes. So they start thinking every node has to be fully connected to every other node.
16:04 < warren> hmm, is the floating fee stuff happening for 0.9?
16:14 < ebfull> ya warren
23:38 < jgarzik> warren: I paid BTC, and got a refund months later
23:45 < gmaxwell> warren: guy sold a successful fpga product, though it seems mostly on outsourced tech. Announced an asic product. Became very secretive.. Began making obviously booze induced postings. imploded as all preorder holders lost confidence. started returning funds, very slowly.
23:46 < warren> wow
23:47 < gmaxwell> some people think he was attempting honest business and got in over his head and became unhinged. Others think that he got scammed by someone he was outsourcing to. Other people think that it was all just a scam... ask for coin, if bitcoin value goes up 'fail' and return a fraction of it.
23:48 < gmaxwell> people who think that last one are probably the source of the question to Jeff.
--- Log closed Wed Apr 03 00:00:17 2013
--- Log opened Wed Apr 03 00:00:17 2013
03:28 < warren> jgarzik: my brain just connected dots ... you're mining the avalon through tor for the botnet study thing?
04:53 < realazthat> would there be a use for an online bitcoin-script simulator?
09:51 < jgarzik> warren: not through tor, no
14:45 < amiller> i'd like playing with an online bitcoin-script simulator realazthat
14:45 < amiller> bah
--- Log opened Wed Apr 03 22:22:42 2013
--- Log opened Wed Apr 03 22:41:42 2013
--- Log closed Thu Apr 04 00:00:11 2013
--- Log opened Thu Apr 04 00:00:11 2013
00:03 < jgarzik> petertodd: I wonder if @blockheaders has room for a #bitcoin hashtag?
00:32 < warren> A random walk student walked up to me just now and said, "I heard you have bitcoins.  Do you have any to sell?"
00:32 < warren> These are the same people who can't keep their computers secure from viruses.
00:32 < warren> sigh
00:33 < warren> wow
00:33 < warren> random brain macro activated while typing that
00:33 < warren> I'm tired.
00:37 < jgarzik> warren: we get end user support questions all the time.  the "I lost my bitcoins, how do I recover them?" ones are the worst.
00:38 < jgarzik> s/worst/most heartbreaking/
01:10 < petertodd> jgarzik: it's now much improved
01:12 < nanotube> warren: random walk student eh? they sound like fun. :)
01:37  * jgarzik grabs globalsin.com, for his identity network thingy
01:38 < amiller> so a random walks students walks up randomly to me and says...
01:38 < amiller> all the best jokes begin this way
01:49 < gmaxwell> Do you go to brown?
01:50 < gmaxwell> (I thought you said the student was brownian?  ... badumpcha)
03:26 < warren> nanotube: I've been making those weird brain macro mistakes for a few days now.  Something odd is going on.
03:30 < gmaxwell> warren: welcome to being old
10:01 < BlueMatt> gmaxwell: does one have to be old for that? Im pretty sure I do it all the time too
10:08 < petertodd> BlueMatt: just old enough
11:24 < realazthat> sipa: ping?
12:20 < realazthat> hey is it ok for me to re-ask my project proposal idea in this channel
12:20 < realazthat> bitcoin-dev is quite noisy
12:20 < realazthat> and it got lost
12:20 < realazthat> (I want some dev feedback before I start)
12:56 < realazthat> sipa: so I been thinking for another project (or extension of this one) and someone gave me this idea, to make a bitcoin "client" that would use the RPC interface, but use a local wallet. thus, you can "federate" the blockchain to a trusted central bitcoind. would this be useful?
12:56 < sipa> realazthat: yes, but i believe the RPC interface is completely inappropriate for that
12:57 < sipa> in fact, the P2P protocol is perfect for that, as there are already clients out there that manage wallets without storing the blockchain :D
12:58 < realazthat> why is the RPC interface inappropriate?
13:00 < sipa> how will you know which coins you have to spend? iterate all transactions in all blocks?
13:02 < realazthat> erm
13:02 < realazthat> hmm
13:02  * realazthat thinks
13:04 < realazthat> so there is no way to retrieve the balance of an output hmm
13:05 < sipa> no
13:05 < sipa> and doing that would require an even more extensive index
13:06 < sipa> while scanning the blockchain for interesting transactions is already possible via the p2p protocol, very efficiently
13:06 < sipa> without the server requiring an index
13:06 < realazthat> ah
13:06 < realazthat> but can that be trusted?
13:06 < sipa> and even better, it even doesn't require trusting the server, as authentication is built into the protocol
13:07 < sipa> and yet better: it already exists
13:07 < sipa> and works
13:07 < realazthat> yeah but that takes away my project idea!
13:07 < realazthat> :P
13:07 < realazthat> not better!
13:07 < sipa> (download bitcoin wallet for android or electrum)
13:12 < sipa> also, the model you propose (fully indexed by address server, with light clients querying balances) also exists already (though via an own protocol): electrum
13:12 < sipa> so... sorry!
13:14 < realazthat> lol
14:08 < warren> crap.  The Slashdot summary on the DDoS attacks and instawallet is extremely misleading.
14:10 < gmaxwell> warren: you expect otherwise? How else are the editors to buy cheap coins? :P
14:13 < warren> gmaxwell: I'm impressed how unaffected the market is despite the alarmist news
14:15 < sipa> they're used to it by now :p
14:16 < gmaxwell> as sipa says.
14:17 < sipa> half of slashdot is "just shut the fuck about bitcoin", and the rest are fans who ignore bad news :p
14:18 < gmaxwell> This can't be healthy. :P
15:46 < BlueMatt> sipa: thats been going on for a while
17:37 < warren> What was the decision about the irc seed?  Revive the network?  Leave it disabled?  Remove the code?
17:42 < BlueMatt> remove code
17:42 < BlueMatt> I dont think anyone even bothered emailing the guy who runs it
17:49 < warren> BlueMatt: remove irc code completely or just turn it off?
17:49 < gmaxwell> warren: it's been turned off for years now.
17:49 < warren> for testnet too?
17:50 < gmaxwell> nah, we left it on for testnet. this takes it out completely.
17:50 < gmaxwell> why are you asking here instead of reading the pull?
17:50 < warren> oh,
17:50  * warren looks
17:54 < warren> thanks, I only searched the open pulls, not closed
18:33 < warren> Haha, the LTC instawallet was destroyed too.
18:38 < gmaxwell> destroyed?
18:42 < warren> gmaxwell: it isn't clear what happened.  I'm guessing someone figured out how to access all the addresses like the BTC instawallet.
20:40 < weex> google indexed something afaik
21:04 < warren> Wow.  in the last 12 hours BFL downgraded the speed of the advertised ASIC's and doubled the price.
21:08 < gmaxwell> I understand their phone has been ringing off the hook
21:10 < warren> Last week Josh committed to sending additional units to existing orders to satisfy hash rates that customers paid for.
21:12 < sipa> afaik, the change is only for new orders?
21:14 < warren> sipa: They would have a major backlash if they changed past orders especially after Josh made that commitment in public last week.
21:16 < sipa> well, then what's the problem?
21:17 < warren> Just surprising that it happened.
22:33 < nanotube> got links?
--- Log closed Fri Apr 05 00:00:12 2013
--- Log opened Fri Apr 05 00:00:12 2013
04:03 < warren> sipa: I lucked out, I bought one only hours before the price change.
04:03 < warren> I have no idea what I will receive or when.
04:03 < warren> whatever happens happens
04:04 < sipa> well, you know
04:04 < sipa> perhaps you receive it before the subsidy runs out in 2140 :p
04:04 < gmaxwell> lol
04:05 < gmaxwell> sipa: when you're in town you can look at my avalons. :P
04:09 < warren> I bought it because I figured out that Paypal's Bill Me Later would let me borrow the entire purchase price for 6 months with zero interest, zero payments.
04:11 < warren> (I'm aware those promos are meant to ensnare people who can't pay it off.)
04:14 < gmaxwell> there is often a lot of fine print too.
04:17 < warren> I had friends who borrowed $200k on credit card 0% 1-year promos and collected 4-5% bank interest during the year.  Seemed like too much effort for the risk of screwing up.
04:18 < gmaxwell> it's usually also the case that they only offer those promos on purchases and not cash advances, so there is no (easy) way to convert the credit to interest.
04:19 < warren> oh, back then they allowed it, it was the credit bubble
04:19 < gmaxwell> yea, as explained by "4-5% bank interest"
04:19 < warren> only way to get 4-5% interest was a CD
04:20 < warren> who knew at the time none of those CD's were at risk because the taxpayer would bail them all out ...
04:21 < sipa> gmaxwell: will do!
04:28 < warren> gmaxwell: I was most amused when I realized that, that Paypal would lend me money to help defend its greatest long-term threat.
17:54 < warren> https://bitcointalk.org/index.php?topic=168251.0  Looks like one of the alt coins had an accidental hardfork
18:01 < nanotube> what's with all these altchains coming out of the woodwork.... heh
18:02 < warren> dunno
19:03 < gmaxwell> nanotube: I am hans and this is franz and we are here ...
20:33 < gmaxwell> People are buying $coin right now under the "what if" basis, so there is a ton of incentive to spin up and endless series of additional coins.
20:42 < nanotube> so, seems like a problem that will solve itself. :P
20:42 < nanotube> in fact, why don't we just come up with 100-some different coins, so people will see the ridiculousness of the enterprise. :P
21:04 < warren> gmaxwell: it is unfortunate that mtgox is getting in on the act
21:04 < gmaxwell> I was told that was an april fools day thing and not actually serious.
21:07 < nanotube> i was told it wasn't....
21:09 < nanotube> in response to "are you considering ltc trading or is that just a cooked rumor?" mtux said "eventually"
21:26 < amiller> bitcoin is pure network effect
21:27 < amiller> normally you see things that are network effect + lock in mechanisms
21:28 < amiller> so it's refreshing to have something that's just network effect alone
21:30 < amiller> but still it's _just_ network effect
18:32 < sipa> the problem is that centralized systems are superior in pretty much every technical way
18:32 < sipa> apart from required trust
18:35 < amiller> maybe the bitcoin community will end up developing an offensive capability that basically compromises centralized systems quickly to make it apparent that they're vulnerable
18:35 < gmaxwell> amiller: Pretty much, I think.  I mind this less when they haven't adopted a story that requires them to store data in bitcoin.
18:36 < amiller> well we have to figure out how to a) make them pay for their utxo usage over time and b) also charge people for archive access to old blocks
18:36 < gmaxwell> charge for archive access to old blocks kind of undermines the bitcoin security model. :(
18:37 < gmaxwell> You can't determine if you're on the longest valid chain without inspecting the historical chain, and we're an anonymous system which new people should be able to join
18:37 < amiller> well you can bittorrent it, just takes a while
18:37 < amiller> it's already pretty expensive in a batch
18:37 < gavinandresen> Hey wizards: I need to recruit a couple of people to help review technical-focused Foundation grant proposals.  Anybody have a little bandwidth to help? (I don't want to be Grant Gatekeeper)
18:43 < petertodd> Oh, there are tech-focused ones?
18:44 < gavinandresen> petertodd: sure, I think you proposed one first round.
18:44 < gmaxwell> gavinandresen: Being gatekeeper stinks!
18:45 < gmaxwell> "Emperor of broken dreams" has a much better ring to it.
18:45 < petertodd> gavinandresen: oh, tpm hardware? that probably should be taken off the list as it'd duplicate other peoples efforts
18:47 < gavinandresen> that's one of the reasons I want to get a couple more people involved in review; I can't possibly keep track of everything happening, and more people means more "don't fund that, Jehosephat announced a similar project last week..."
18:47 < petertodd> agreed
18:47 < gavinandresen> to be clear: the Foundation Board are the ultimate gatekeepers who decide how much money to grant.
18:48 < gmaxwell> I'm willing to review things (and I suppose am at least somewhat likely to notice overlapping efforts), esp. with the point that its really someone else in the buck-stops-here position.
18:49 < gavinandresen> gmaxwell: great!
18:50 < amiller> i'm volunteering to review too, i like having excuses to dredge through the forums looking for related work
18:50 < gavinandresen> gmaxwell: you going to submit a dust-buster grant proposal this time around?  No impact on review, you'd just abstain from reviewing your own proposal....
18:51 < gmaxwell> hurrah.
18:52 < gmaxwell> Thanks for the reminder.
19:47 < jgarzik> gavinandresen, I'm willing to help, too
19:47 < jgarzik> gavinandresen, just never responded to your email asking
19:48 < gavinandresen> jgarzik: no worries
--- Log closed Thu Sep 19 00:00:55 2013
--- Log opened Thu Sep 19 00:00:55 2013
02:35 < midnightmagic> gavinandresen: You might want to supply your nick:pass as the server pass for freenode, you're flapping with your real connection details in bigpond.
02:36 < midnightmagic> gavinandresen: Also, I wouldn't mind helping review proposals so long as my voice isn't the only one that counts.
02:41 < Luke-Jr> gavinandresen: I can take a look
12:28 < warren> huh.  I thought Bitcoin Foundation didn't do grants for core dev.  Is this new?
12:38 < jgarzik> warren, since Day One, BF has been interested in helping core dev
12:38 < jgarzik> warren, One of the first goals was always to pay Gavin's salary.
12:39 < jgarzik> warren, Side projects included getting some hosting for bitcoincore.org
12:39 < gmaxwell> And BF has provided e.g. hosting for the pulltester robot and some other assorted stuff.
12:39 < gmaxwell> The proposals stuff for review, I assume are mostly not "core dev"
12:39 < warren> what is at bitcoincore.org hosting?
12:40 < jgarzik> There has been an indicated willingness to fund various side projects I've proposed, like having nodes sitting around collecting metrics about the network.  -ENOTIME on my side for that stuff, not BF's fault.
12:41 < jgarzik> warren, random stuff we find useful to stick on a server.  Mostly Gavin uses it right now, but as gmaxwell said, pull tester and other things
12:41 < jgarzik> There was even resources allocated for a permanent testnet node, as I requested, then never did anything with :(
12:41 < gmaxwell> speaking of metrics, jcorgan has expressed an interest on doing some integrated metrics code as a way to get involved in development. We should encourage this. He does good work elsewhere.
12:41  * jgarzik needs minions
12:41 < jgarzik> +1
12:50 < warren> Earlier gavin mentioned the lack of a security bug bounty program from the BF was largely from the lack of anyone to run it.
12:51 < warren> It was suggested that a volunteer do it.
12:51 < warren> however the average volunteer isn't privy to security issues, and maybe you don't want them to receive the responsible disclosures
12:52  * gmaxwell is skeptical of the value of security bug bounties
12:53 < jgarzik> security bug bounties and assassination markets sometimes share similar economic incentives
12:53  * jgarzik runs
12:53 < gmaxwell> "I can remotely make nodes kinda slow" is not some kind of categorically worse bug than "OSX users frequently corrupt their database" but one is "security". "meh"
12:54 < warren> I could be wrong, but perhaps Google is keeping drama low and saving money in the long-term by responsible disclosures from their bug bounties.
12:56 < gmaxwell> It's just distorting to give bounties on "security" bugs as uniquely important compared to other bugs.
12:56 < gmaxwell> "omg my private keys were lost by this wallet corruption" is infinitely more important than "some lame dos attack made nodes run slow"
12:58 < gmaxwell> The kind of security bugs that do deserve bounties are so rare as to be unobservable... and any bounty for it would be insultingly low compared to exploiting it.. or alternatively, exploiting it would just destroy bitcoin and wouldn't be profitable in any case. ::shrugs::
12:58 < warren> Non-profits including the FSF, EFF, Amnesty International, Wikimedia Foundation (and too numerous others) use CiviCRM to automate management of membership.  FSF Executive Director John Sullivan really wants somebody to implement a plugin for CiviCRM that relies on Free Software for many of these orgs to be able to automate acceptance of Bitcoin payments.  It is currently weird that they accept Paypal but not Bitcoin with that AGPL code.
12:58 < warren> (another example)
12:59 < gmaxwell> warren: sounds like something that could use a grant proposal, indeed.
12:59 < warren> I'm not proposing it because I'm too busy.
12:59 < jgarzik> I know that feeling :)
12:59 < gmaxwell> another point as to why bounties aren't so helpful...
13:00 < jgarzik> warren, RE CiviCRM, interesting.  BitGive might benefit from that info.
13:00 < gmaxwell> though perhaps they could be helpful for pulling in more technical people who don't have any bitcoin at all now.
13:00 < warren> jgarzik: indeed.
13:00 < gmaxwell> E.g. a few coins bounty might be worth more than a few hundred dollars to some developer with a passing interest in this bitcoin stuff but no bitcoins.
13:01 < warren> indeed
13:03 < warren> that was fast, found someone who wants to write the grant proposal
13:04 < warren> is it too late to submit?
13:06 < jgarzik> ask the Internet that question :)
13:07 < jgarzik> reddit or bitcointalk had a thread talking about 3q grant props
13:07 < sipa> there's this website
13:07 < sipa> where you can search for stuff on the internet!
13:07 < warren> how do I find that website?
13:07  * warren is lacking sleep
13:08 < sipa> http://bit.ly/157cUBZ
13:54 < HM> Bitmit is awful
13:54 < HM> can't even signup
13:55 < gmaxwell> it wanted my home address and stuff... I'm kinda uneasy giving that to a bitcoin website.
13:56 < HM> i tried disposable email addresses but they have them all blocked
13:56 < HM> fair enough, switch to my real one
13:56 < HM> still doesn't work. just refreshes
13:56 < HM> It's a shame really, Silk Road has a really good user experience
--- Log closed Fri Sep 20 00:00:58 2013
--- Log opened Fri Sep 20 00:00:58 2013
00:19 < warren> jgarzik: regarding CiviCRM, johns said he might have got students at Stanford to agree to do it, but if that falls through one of the grant submissions is the task as defined by johns.
00:21 < warren> jgarzik: one dev looked into CiviCRM and found a mess of poor or lacking documentation and broken examples.  I think he submitted only the Free Software part for the grant, and by the time he finishes that it should be easy for him to write separate Bitpay and Coinbase modules.
08:03 < HM> lol "Homeless, unemployed, and surviving on Bitcoins". Wired sure can write a headline
08:04 < HM> I think the picture features the entire dev team ? ;)
14:22 < jgarzik> It would be annoying as hell, but the first autonomous agent will likely be a beggar-bot
14:22 < jgarzik> "I'm the first autonomous agent, give me bitcoins or I die"
14:22 < gmaxwell> at least it would be true.
14:23 < gmaxwell> it could be a little more "fit" than that... perhaps like one of those bitcoin gems where the high bidder gets some free advertising.
14:23 < MoALTz> "i'll work your product into my conversations for bitcoins"
16:25 < HM> Bitfetch -> nice implementation, corrupts downloads
16:28 < amiller> i found a minor bug in this proof of work paper http://eprints.qut.edu.au/40036/6/40036-full-revised.pdf
16:28 < amiller> it doesn't really matter i guess
16:28 < amiller> but there are a bunch of nice things about his definition of puzzles and i want to import those
16:29 < amiller> but they're too strong, "correctness" says that there's some amount of time you can run such that you find a solution with probability 1
16:29 < amiller> and that's not the case with hashcash style puzzles (e.g., bitcoin)
01:05 < petertodd> (for the basic reasons Luke was getting at...)
01:06 < zooko> So Bitcoin-proper fits into this model in this way, IIUC: who gets to decide? Anyone who knows a certain ecdsa private key. What sorts of values can they put in? Only highly constrained values -- transactions.
01:07 < zooko> Oh, and a third question: what form can the key take? A highly constrained form -- txouts.
01:07 < petertodd> Sure, but the point is once you create the basic mapping, you can start applying rules to it and what not.
01:07 < petertodd> The fundamental thing is to have the set-once key-value mapping!
01:07 < zooko> Okay, so what policy do you want from your basic mapping?
01:07 < petertodd> But this is the thing, so how would you do a basic key-value mapping on top of Bitcoin?
01:07 < zooko> By "policy" I mean who gets to set which keys.
01:07  * zooko thinks about that.
01:09 < zooko> How *I* would do it is that I would implement set-multiple-times key-value mapping on top of Bitcoin.
01:09 < petertodd> No-no, how would you do the set-once key value mapping? (and it's ok if both key and value are limited to 20 bytes each)
01:09 < zooko> The policy of "who gets to decide" is that anyone who knows a certain private ecdsa signingkey can issue a "set" operation.
01:10 < zooko> Are you saying you'd *prefer* set-once instead of set-many? Or that you think the former would be easier to implement directly on top of Bitcoin?
01:10 < zooko> BTW, my Tahoe-LAFS system is an example of a distributed set-many k-v system...
01:10 < petertodd> No, this is an exercise, tell me how you would implement the former.
01:10 < zooko> Okay, to implement set-once, I would choose the policy to be that anyone who knows a certain secret can issue the set-once for a certain key.
01:11 < zooko> This is Ross Anderson's "Guy Fawkes Protocol".
01:11 < zooko> Whenever you use your set-once, you set the value to a tuple of (value1, key2).
01:11 < petertodd> Ok, so how would that be encoded into an actual transaction?
01:11 < zooko> Oh, well that didn't answer how to *implement* it...
01:11 < zooko> Okay now this is the hard part for me.
01:11  * zooko thinks.
01:11 < petertodd> Yes, I'm big on implementing stuff, er, big on talking about implementing stuff...
01:12 < zooko> I'm not clear on all the details of the transaction format.
01:12 < petertodd> Do you know what a scriptSig and scriptPubKey are?
01:13 < zooko> I'm particularly uncertain about the script opcodes and which ones are not disabled...
01:13 < zooko> Um, scriptSig and scriptPubKey are of that class of things that I *have* momentarily understood more than once in the past.
01:13 < petertodd> Read the thing about scripts/transactions on the wiki until you understand - you won't understand zookeyv without understanding them.
01:13 < zooko> But I think I need a refresher.
01:13 < zooko> Which thing?
01:14 < petertodd> https://en.bitcoin.it/wiki/Script#Scripts
01:14 < petertodd> and https://en.bitcoin.it/wiki/Transaction
01:14 < zooko> Will do!
01:14 < zooko> Thanks for the good conversation.
01:14 < petertodd> np
20:38 < amiller> timestamping isn't inherently enough
20:38 < amiller> for any useful protocol
20:38 < amiller> it's also not enough to assign an ordering to a set of objects determine the order of them
20:39 < amiller> suppose I tell you, here are transactions A, B, D, E, and F
20:39 < amiller> (suppose you agree that the order that they were timestamped in corresponds to the ordinary lexical ordering)
20:40 < amiller> do you see the problem that you might be concerned about the omission of 'C'
20:40 < amiller> suppose later i say also there was C
20:40 < amiller> so actually the valid ordering of events is really A B C D E F
20:40 < amiller> well that didn't contradict the first ordering
20:46 < amiller> a good sign you're going down the wrong track is if you start with "timestamping" as an end in itself, it's more important to consider an entire protocol in which an irrevocable decision is made based on the presence of timestamping evidence, i don't know that i have any in mind
20:46 < amiller> maybe a (admittedly contrived) example is patent law
20:47 < amiller> prior art invalidates a patent, and prior art is basically a timestamp evidence argument
20:47 < gmaxwell> no it's not.
20:47 < gmaxwell> prior art requires _public practice_, a timestamp is not terribly helpful to you... unless it's, say, a newspaper timestamping itself.. though if your invention is described in a newspaper no one cares about the timestamp.
20:48 < amiller> but just being 'able' to present prior art isn't an adequate system, a lot of prior art goes missed, and so there are some systems in place to try to encourage digging up the prior art through like crowdsourcing (i'll find the nice link in a minute)
20:53 < amiller> so the problem with high compression timestamping
20:53 < amiller> for example just putting a hash of some data in a big ol' merkle tree with tons of other data
20:54 < amiller> and only the root hash is in a public place
20:55 < amiller> is that you can't be sure at any time that some earlier data won't be revealed and preempt whatever you think is the correct order
20:56 < amiller> so if at any finite time you make some irrevocable decision, it's not just based on the timestamp order but also on the order in which they are revealed / circulated
20:56 < amiller> or to give an other example, you could convince people of two separate histories by selectively revealing preimages of timestamped data on a common chain
--- Log closed Sat Jun 01 00:00:54 2013
--- Log opened Sat Jun 01 00:00:54 2013
11:51 < amiller> gmaxwell, here's the thing that's a little tricky about eli ben sasson's stuff
11:51 < amiller> there's a preprocessing phase that has to be as large as the time-bound on the number of steps of the computation
11:51 < amiller> so if there are 200,000 blocks
11:52 < amiller> then you have to do 200,000 steps of preprocessing to compile the verifier basically
11:52 < amiller> the one time cost of preprocessing the checker isn't any easier than a one-time step of preprocessing the whole blockchain
11:53 < gmaxwell> amiller: Eli's response to that was to suggest to break it and cascade it.
11:53 < amiller> there's like other possible tradeoffs like maybe you only use SCIP to do a smaller chunk
11:53 < amiller> yeah
11:53 < amiller> maybe we can have blockchain voting on what's the hash of a valid SCIP program?
11:54 < gmaxwell> (I talked to him specifically about that...)  Maybe, his thinking was like "well duh you'd just fix it into the system" ... kinda defeats the point though. :P
11:54 < amiller> awesome quote from his video "i don't know who the central authorities in bitcoin are, but they can do the preprocessing"
11:57 < gmaxwell> supposedly they know how to solve the poly in steps ACSP compile time part, and just have the engineering of building it to go.
11:57 < amiller> do you mean they can get *less* than linear compile time?
11:57 < amiller> someone else told me that too and i couldn't find the citation
11:59 < gmaxwell> amiller: yea, they say they can get to poly in just the length of the program for the compile on the verifier.. I believe this is the subject of their upcoming paper.
13:48 < petertodd> amiller: re: timestamping that's why the zookeyv key-value system I've been talking about relies on you being able to determine if someone *could have* created a key-value associated timestamped earlier with a higher sacrifice than the one you just did
13:48 < amiller> sounds a bit like zookeeper :p
13:48 < amiller> which is also basically a distributed consensus kv store
13:48 < petertodd> Or zucchini
13:49 < petertodd> Oh, apache ZooKeeper? Interesting
13:49 < amiller> i don't think i follow the 'sacrifice' reasoning very well, or at least there's some reason it doesn't sit well with me
13:49 < petertodd> What part are you not following?
13:49 < petertodd> (I need a diagram really...)
13:49 < amiller> but as long as you have a *could have* determination then i'm basically ok with the protocol w.r.t. the timestamp thing
13:50 < amiller> well what's the simplest sacrifice protocol to discuss as an example
13:50 < amiller> like fidelity bonds?
13:50 < petertodd> Yeah, and because sacrifices build upon one another, the could have determination doesn't have to be too expensive.
13:50 < petertodd> fidelity bonds turned into a terrible bit of concept confusion... fidelity bonds are an abstract idea, the sacrifice methods are the important thing
13:50 < petertodd> Like announce-commit sacrifices, or anyone-can-spend coinbase txouts.
13:51 < petertodd> Or just sending coins to unspendable outputs...
13:51 < amiller> so what security property do you get from a sacrifice
13:52 < amiller> what kind of decision am i going to make based on the presence of a sacrifice where i won't make that decision if i don't see the sacrifice
13:52 < petertodd> Well, in a PoW blockchain the state of the blockchain is determined by total work right? So in a PoS blockchain the state of the blockchain is determined by total sacrifice.
13:53 < amiller> yeah and to the best i can intuit, the security of the blockchain has to do with an assumption that an attacker has a bounded budget
13:53 < petertodd> Yup, which is true for proof-of-work and proof-of-sacrifice fundamentally. (the latter is just transferable proof-of-work after all)
13:53 < amiller> and the (rational) miners receive as payment (the price of their rewards) an amount exactly equal to the computational costs of mining
13:54 < petertodd> Yup. Now a proof-of-sacrifice blockchain intended to work as a currency probably is infeasible, but as a namecoin replacement it makes sense.
13:55 < amiller> i don't see why it should be different if the security statement is the same... but anyway go on
13:55 < amiller> so if we assume bitcoin *is* the money and namecoin is the blockchain of discussion
02:21 < petertodd> ah, too bad, also the blacklisting RPC needs a way to unblacklist. (unless I missed something when I looked at it)
02:21 < warren> it does
02:21 < warren> it adds to the blacklist and you can remove
02:21 < warren> he even added the missing lock that I found
02:21 < warren> just it fails to disconnect anything you ban
02:23 < petertodd> huh, how do you remove the blacklist? I never figured that out
02:24 < warren> petertodd: expiration to zero
02:24 < warren> petertodd: the PR says how
02:27 < petertodd> expiration? where is that mentioned? I totally missed that
02:27 < warren> I haven't looked at it in a while
02:27 < warren> the patch just doesn't work at all
02:27 < petertodd> too bad, we should have something like it anyway
02:28 < warren> yeah, if only we had software engineers capable of fixing things
02:29 < warren> volunteers usually only fix the fun things
02:29 < petertodd> gmaxwell: lol, my girlfriend just pointed out that the song is "Bizarre Love Triangle", and there's two girls and one boy in the protocol :P
02:29 < petertodd> gmaxwell: she's more impressed with your quote than my protocol!
02:30 < petertodd> warren: ha, so very true... (see log)
02:31 < warren> i'm calling this Bitcoin OMG
02:31 < petertodd> better name than next-test
02:31 < warren> meant to be stable, fun, and including things that should be in Bitcoin proper but isn't fully proven yet
02:31 < gmaxwell> petertodd: hahah yes, thats why I chose to emit the lyrics when I did. Because all this alice and carol and bob and ones cheating the other but they have this non-public arrangement and soooo.
02:35 < petertodd> heh, ah, it's just too perfect
02:35 < warren> https://github.com/wtogami/bitcoin/commits/btc-0.8.5-omg
02:35 < warren> it seems to work!
02:36 < warren> Disable Wallet, Coin Control, Watch Only, processgetdata and a million other things tested in Litecoin for months
02:42 < warren> hmm, should I include secp256k1 in this?
02:42 < warren> hmm....
02:43 < petertodd> warren: tsk tsk, I don't see any git signatures proving that branch is really yours :P
02:45 < warren> petertodd: fine ... how do I verify them?
02:45 < petertodd> warren: git log --show-signature
02:45  * petertodd needs to figure out how to make that the default
02:45 < warren> petertodd: you have a working gitian setup?
02:46 < warren> petertodd: I want to do gitian.sigs for OMG
02:46 < petertodd> warren: nope :( there's been progress on non-VM-based gitian lately?
02:46 < warren> I'm testing watchonly with DPR's coins now
02:46 < warren> petertodd: some, michagogo was working on it
02:46 < petertodd> my bios is buggy apparently
02:46 < petertodd> ha, nice
02:46 < warren> not sure if it is in 0.9 yet
02:46 < petertodd> yeah, I gotta get that working properly
02:47 < warren> I committed something to 0.9 that gets rid of wine during the win32 build
02:47 < petertodd> personally I always compile from source though, so it's git's integrity that I'm interested in
02:49 < warren> if I disable mining is secp256k1 safe enough?
02:50 < petertodd> sure given this is an OMG
02:50 < petertodd> heck, I mine on git master myself, so I shouldn't talk
02:50 < warren> I'll wait for sipa's feedback on that
02:51 < warren> hm, better not risk it
02:51 < warren> this is meant to be usable for Coinpunk
02:51 < petertodd> yeah, don't need to go too far...
02:53 < warren> petertodd: https://togami.com/~warren/archive/2013/my-bitcoin-wallet.png
02:53 < petertodd> lol
02:54 < petertodd> if it can do correct horse I'll be more impressed though
03:59 < warren> ooh
03:59 < warren> forgot to add leveldb-1.13
08:39 < warren> jgarzik: https://bitcointalk.org/index.php?topic=320695
08:40 < warren> jgarzik: yet another bitcoin mac build with leveldb related improvements, would be interesting to see if it fixes the mac corruption, you had people at your office affected?
08:47 < sipa> warren: for a secp256k1 build, i'd like to disable both wallet and mining
08:47 < sipa> in that case the worst that can happen is you yourself being forked off
08:52 < TD> sipa: does libsecp256k1 work on ARM?
08:52 < sipa> i've been told it does, but i haven't tried
08:52 < sipa> it may be slow
08:53 < sipa> i believe cfields tried it on Debian/ARM
08:53 < TD> slow in what sense?
08:53 < TD> slow as in not any faster than openssl, or ... ?
08:53 < sipa> yes
08:54 < sipa> of course i don't expect it to be as fast on a mobile as on an i7 :)
08:54 < TD> naturally. i don't think it's possible to be slower than interpreted Bouncy Castle on ARM though
08:54 < sipa> :D
08:54 < TD> you'd have to insert sleep statements into the inner loop to be slower than that
09:53 < petertodd> paper analyzing mixing services and similar things: https://www.wi.uni-muenster.de/sites/default/files/public/department/itsecurity/mbc13/mbc13-moeser-paper.pdf
13:50 < gmaxwell> man, I wish the script OP code values had bits in them to signal how many objects they push and pop from the stack.. would have made softforking forwards compatibility a lot easier.
13:51 < petertodd> good point
13:58 < gmaxwell> (though you end up with the arm instruction set (32 bit instructions) pretty quickly if you're not careful. :P )
13:58 < petertodd> no worries, just run blocks through bzip2...
14:00 < gmaxwell> petertodd: you did see that I responded to TD pointing out that p2sh is larger and that has an impact on long term storage with a "sufficiently good blockchain compression"?
14:02 < petertodd> gmaxwell: maybe?
14:03 < petertodd> https://bitcointalk.org/index.php?topic=320331.msg3429302#msg3429302
14:03 < petertodd> that's a good point
14:04 < petertodd> OTOH it is bigger in terms of blockchain data, and we all know how much TD cares about maximizing the transaction rate and a fixed block size :P
14:06 < petertodd> (bigger vs. pay-to-pubkey)
14:08 < TD> i think with compression of the storage (and maybe in a future protocol version, transmission) it's down to a few bytes difference either way, right?
14:08 < TD> so not worth worrying about in either direction
14:09 < petertodd> good to hear
14:09 < petertodd> p2sh certainly could be a good thing for the payment protocol re: standardization if we're going to keep IsStandard()
14:09 < gmaxwell> TD: You can't compress a never spent txout.  I dunno if it's worth worrying about, but I'm still much more comfortable with larger scriptsigs than scriptpubkeys.
14:10 < TD> it'd be nice to get rid of the IsStandard checks one day, especially if script became more powerful
14:11 < petertodd> TD: I think jdillon's opcode whitelisting suggestion for P2SH scriptPubKeys has merit for a short-term solution
14:12 < petertodd> TD: though it's interesting how IsStandard() is currently important for mutability too...
15:00 < gmaxwell> petertodd: http://pastebin.com/EsmJarxU < diagramed out the teleportation protocol.
15:32 < warren> sipa: secp256k1 works on litecoin ARM
15:34 < sipa> warren: nice to know
21:05 < amiller> this mixing transaction thing is nuts
21:06 < amiller> i'm helping write this paper about the rationale for third party bitcoin mixing services
21:06 < amiller> it's simpler than zerocoin, which i still kind of like the best
21:07 < amiller> we keep nearly getting undermined by simpler better tech though, like coinjoin would be better if not for the DoS and apparent infeasibility of an honest server
21:08 < amiller> but now this hashlock mix is just as good in every way, and better specifically in that it prevents the server from running away with the funds
21:09 < amiller> we've sort of gone through great lengths so far by just whitewashing the problem and saying "well servers will want to maintain their great reputations and future income therefore they'll never actually steal any funds if users can prove it happened"
21:09 < amiller> which IMO sucks and is not even justified
21:09 < amiller> anyway this simplifies it
21:14  * amiller tries to think of some third cool trick to achieve with hashlocked tx
21:14 < amiller> abstractly, hashlocking lets you bind two transactions into an atomic pair
21:14 < amiller> either both get through or neither
21:14 < amiller> with tiernolan's crosschain exchange, the two txes aren't even on the same chain
21:15 < amiller> with gmaxwell's hashlocked mix, only the mixer knows the correspondence between the two in the ordinary case
21:16 < amiller> what other reason could you have to want to join two separate transactions?
21:17 < maaku> amiller: why do you need an honest server for coinjoin?
21:17 < amiller> maaku, because there's no public publishing system (like freenet or w/e) that gives you much defense against one person trivially jamming the whole tx by not singing
21:17 < amiller> signing*
21:18 < amiller> it's a DoS disaster
21:18 < amiller> a dosaster
21:18 < amiller> (trademark pending)
21:18  * amiller registers dosaster.com
21:18 < maaku> ok by "DoS and apparent infeasibility of an honest server" you made it sound like something else
21:18 < amiller> oh
21:19 < amiller> i mean that even an honest server can't do much to prevent it other than check bonds or something
21:19 < amiller> it's a hopeless game for the honest server, sort of like the standard "escrow" on bitmit or silkroad
21:19 < amiller> good for comforting users but not actually capable of resolving an actual dilemma
21:20 < maaku> it's not hopeless; DoS can be mitigated
21:20 < maaku> but granted it's not easy either
21:22 < amiller> it's not so much that dos can be mitigated, but that in most practical scenarios no one is trying that hard so you can get away with not mitigating it
21:22 < amiller> which is why, for example, bitmessage is currently functioning
22:01 < amiller> ugh, so i need a way to make a coin flip automatically go to the winner
22:11 < amiller> i wish the stupid splice operations weren't all disabled :/
22:47 < warren> petertodd: crap.  the combination of coin control and watch only snuck in some really strange coin selection bugs
17:47 < michagogo|cloud> okay, it's 12:47 am
17:47 < michagogo|cloud> goodnight.
17:47 < warren> michagogo|cloud: you must be on the opposite side of the planet from me
17:47 < michagogo|cloud> UTC+2
17:47 < michagogo|cloud> (Israel)
17:48 < michagogo|cloud> warren: Hawaii, right?
17:48 < cfields> great, i think my macbook hdd is about to take a dump
17:48 < warren> yes, UTC-10
17:53 < gavinandresen> warren: RE: app store: maybe when we're 1.0. And have a user-friendly "you are out of date; upgrade now?".  And start in SPV mode. And have a reasonable customer support system.
17:54 < gavinandresen> warren: I think it makes more sense for a company to commercialize Bitcoin-Qt, and give professional support, etc etc etc.
17:54 < warren> bitcointroll isn't a reasonable customer support system? =)
17:54 < warren> joking
17:54 < warren> gavinandresen: to do that wouldn't they need to pay for qt?
17:55 < petertodd> warren: red hat model
17:55 < phantomcircuit> it's not that expensive...
17:55 < gavinandresen> yes, red hat model.
17:56 < petertodd> warren: though in the case of bitcoin, I think there's a lot of stuff about theft that we're not considering... it may be the case that the only model that works for anything over a small businesses re: liability is actually bitbanks - you gotta trust someone, might as well trust someone whose business is trust.
17:56 < petertodd> warren: I sure wouldn't want to be distributing binaries as a business for instance with a support contract without some long discussions with the lawyers first.
17:57 < gmaxwell> warren: where is the bounty link?
17:58 < phantomcircuit> petertodd, "not fit for purpose, any purpose"
17:58 < warren> https://bitcointalk.org/index.php?topic=337294.0
17:58 < petertodd> phantomcircuit: "We're the premier company in the Executive Desk Toys that happen to also be turnkey Bitcoin nodes business!"
17:58 < warren> I suppose we can't get away with a perpetual beta when Bitcoin hits $1 trillion.
17:58 < warren> That is unless a loaf of bread is $10k at that time, then maybe.
17:59 < phantomcircuit> warren, it's a beta until there are no known issues
17:59 < gmaxwell> "Novelty nodes"
17:59 < phantomcircuit> shrug
18:00 < phantomcircuit> im gonna order a bunch of flash drives with the blockchain + bitcoin-qt loaded on them
18:00 < warren> someone donated 0.5 BTC
18:00 < petertodd> warren: tl;dr: people are going to lose shitloads of money, over and over again. and maybe Thompson's "Reflections on Trusting Trust" will be common knowledge.
18:00 < phantomcircuit> and include a nice little script to start with -loadblocks
18:00 < warren> petertodd: the massive centralized thefts seem to happen a lot
18:01 < petertodd> warren: indeed, and more to the point, it's impossible to know how many are insiders.
18:01 < warren> Don't worry, Coin Validation to the rescue.
18:01 < warren> forgot the smiley on that
18:01 < phantomcircuit> warren, the issue is people keep trusting people nobody really knows
18:01 < petertodd> warren: but we're also starting to see thefts due to hacked software - anything that auto-updates is scary.
18:01 < phantomcircuit> people suck at trust
18:02 < warren> You mean TradeFortress isn't trustworthy?
18:02 < phantomcircuit> aahahh
18:02 < phantomcircuit> oh god
18:03 < warren> both him and Ukto came into #bitcoin-dev screaming for help with wallet issues
18:03 < gmaxwell> warren: you mean people didn't know he wasn't trustworthy?
18:03 < phantomcircuit> gmaxwell, amazingly that message was apparently not received by everybody
18:03 < petertodd> warren: My views on those things is I'm likely to lose whatever I have in them eventually, but I also like the privacy. So I've lost money on instawallet, inputs.io, and will eventually lose $100 or so on EasyWallet.
18:03 < warren> it's a little sad that we can't recommend that people can't use bitcoind's wallet for a service provider
18:03 < phantomcircuit> largely because he basically bribed a bunch of people to write positive fluff stories
18:04 < warren> my english is failing, I need more sleep.
18:04 < phantomcircuit> warren, well if there is a 0.8.6 release with my wallet hashing code then it will be totally
18:04 < phantomcircuit> you just need to have enough ram for all of the transactions in the wallet
18:05 < warren> phantomcircuit: was that merged into master yet?
18:05 < phantomcircuit> i have a testnet wallet with like 90k transactions that's only 400 MB on disk
18:05 < phantomcircuit> probably less in memory
18:05 < petertodd> warren: ha, yeah, that satoshi didn't use type1 deterministic wallets should convince anyone he was a shitty programmer.
18:05 < phantomcircuit> warren, yeah it was
18:05 < warren> phantomcircuit: we have at least two DoS patches that could be a 0.8.6
18:05 < phantomcircuit> warren, hmm?
18:05 < phantomcircuit> ones that haven't been merged yet?
18:05 < warren> phantomcircuit: yes
18:05 < phantomcircuit> warren, you have a pr?
18:06 < warren> phantomcircuit: which PR's were the wallet performance commits?
18:06 < warren> phantomcircuit: you really want me to tell the public which are DoS fixes?
18:06 < phantomcircuit> i guess not
18:06 < phantomcircuit> lol
18:08 < phantomcircuit> https://github.com/bitcoin/bitcoin/pull/2950
18:08 < warren> that the only one?
18:08 < warren> I thought there were like four
18:08 < gavinandresen> I'm dragging my feet on 0.8.6 because I keep hoping somebody figures out the leveldb corruption issue.  Time to give up on that, I think.
18:09 < warren> gavinandresen: my 0.8.5++ branch is super well tested
18:09 < gavinandresen> warren: famous last words!
18:09 < warren> gavinandresen: the leveldb bounty was only posted recently, let's wait a bit longer?
18:10 < petertodd> gavinandresen: release 0.8.6 with macos disabled, followed by 0.8.7 with it enabled once leveldb is fixed - good statement re: maintenance doesn't happen by magic
18:11 < gavinandresen> petertodd: good idea.
18:11 < phantomcircuit> warren, there are other ones that haven't been merged
18:11 < gavinandresen> warren: link to your 0.8.5++ branch?
18:11 < phantomcircuit> i fixed the fractal complexity IsConfirmed function
18:12 < warren> gavinandresen: https://bitcointalk.org/index.php?topic=320695.0
18:12 < warren> gavinandresen: not suggesting shipping all of this crap of course
18:12 < warren> phantomcircuit: should I add your wallet thing to OMG?
18:13 < gavinandresen> mmm, definitely not. 0.8.6 will be critical-bug-fix-only
18:13 < warren> gavinandresen: OMG is whatever I think is good enough for non-mining nodes
18:14 < warren> gavinandresen: some of the patches here are appropriate for 0.8.6
18:14 < gavinandresen> warren: email me a list
18:15 < warren> gavinandresen: tonight
18:16 < warren> gavinandresen: seriously going to skip mac in a release?
18:17 < petertodd> warren: there's important fixes that would go in 0.8.6, why hold them back for a small minority?
18:17 < warren> are they a small minority?
18:18 < warren> and are the fixes important?
18:18 < petertodd> warren: last I checked on one of my nodes the supermajority of nodes had ip addresses that were definitely VPS services
18:18 < warren> petertodd: all at digitalocean? =)
18:18 < sipa> note that there aren't even bitcoind releases for OSX
18:18 < petertodd> warren: lol, nah, this was before that
18:19 < gavinandresen> warren: sure, when the bug is fixed we can release a mac version then. I don't like shipping known-seriously-buggy software.
18:19 < phantomcircuit> gavinandresen, well currently all the osx releases are known to be buggy
18:19 < gavinandresen> I don't like taking things away from people even more....
18:19 < nOgAnOo> hi phantom <3
18:19 < phantomcircuit> would it not be better to fix some things even if that cant be fixed yet?
18:19 < nOgAnOo> I love you.
18:19 < warren> gavinandresen: while I tested these patches against 0.8, my 0.8 is really a hybrid of 0.9, so I make no guarantees about these backports being correct against plain 0.8.5
18:20 < phantomcircuit> nOgAnOo, lol ok
18:20 < phantomcircuit> nOgAnOo, ohh hello
18:20 < phantomcircuit> i know who you areeee
18:20 < sipa> ehm
18:20 < sipa> get a room
18:20 < petertodd> warren: why not point osx users to your OMG branch then?
18:20 < sipa> s/room/channel/
18:20 < nOgAnOo> I remember your handle.. but I'm stoned.
18:21 < petertodd> "Wizards don't use drugs."
18:21 < phantomcircuit> lol
18:21 < nOgAnOo> *laffter*
18:21 < nOgAnOo> I hauled 5 truckloads of compost today
18:21 < nOgAnOo> shoveled by hand
18:21 < petertodd>  /ignore nOgAnOo
18:22 < warren> gavinandresen: the elephant in the room here: many of us really think NODE_BLOOM should be added as a safety fallback.  If we're doing 0.8.6 for the purpose of protecting the network with <those other DoS mitigations> I strongly suggest we include NODE_BLOOM too.  Having it disabled by default but available as an option would allow the world to recover quickly without a software update.
18:22 < warren> petertodd: OMG branch isn't fixed for mac either
18:22 < petertodd> warren: you really had to bring that up?
18:22 < warren> petertodd: is it productive to continue to not talk about it?
18:23 < petertodd> warren: IMO we've pushed the cost of the attack just high enough that it's a bit hard to exploit, which gives us breathing room; NODE_BLOOM in that context is not critical.
18:23 < warren> gavinandresen: given inertia of defaults we're not under the risk of people turning it off en masse.
18:23 < petertodd> warren: IE, it's a "policy" decision, and calling it a solution to DoS attacks isn't the way to talk about it.
18:24 < warren> petertodd: sure it isn't a solution
18:24 < petertodd> warren: hence, leave it out of 0.8.6 and let people continue to think about it on their own terms
18:24 < warren> petertodd: neither is anything else we have
18:24 < petertodd> warren: yes, but we're at the point where a bored hacker can't cause us damage we can't recover from.
20:33 < gmaxwell> does it have to do the whole hash? :P
20:33 < sipa> i think being able to find 32 bits of it is not significantly easier
20:34 < sipa> well, even 1 bit
20:34 < gmaxwell> well I meant the whole function.
20:34 < sipa> you mean just a single compression function?
20:34 < gmaxwell> making a mechanical computer to compute one round wouldn't be that terrible.
20:35 < brisque> wouldn't be very impressive though
20:41 < Emcy> people make stuff like that in minecraft
20:41 < Emcy> it probably counts as emulation, but you can see the signal travelling in the 'data lines' so its close enough
20:41 < gmaxwell> I think we're not exposing people to enough really awesome ideas such that they think spending their time making ALUs in minecraft is a good way to have fun. :P
20:41 < Emcy> i think someone made a full 16 bit FLU+ALU+registers and etc out of blocks
20:42 < Emcy> how is that not fun
20:43 < brisque> fairly time consuming for the result
20:46 < Emcy> either ALUs or this http://www.youtube.com/watch?v=afcudstM9zA
20:46 < Emcy> also fairly time consuming
20:46 < brisque> gmaxwell: \o/ https://pay.reddit.com/r/Bitcoin/comments/1wfbjn/get_your_coins_out_right_away_alleged_weakness/
20:50 < brisque> gmaxwell: oh, and a bigger one https://pay.reddit.com/r/Bitcoin/comments/1wf5qb/possible_warning_btc_addresses_with_known_public/
20:55 < andytoshi> EnronIsHere helpfully explains "In cryptography, there is always a shortcut. Often very difficult to find but it's always there somewhere. That point really can not be stressed enough.
20:57 < andytoshi> i assume by "cannot be stressed enough" he means that his stressing program won't halt.... but he has no clue why since he doesn't believe in nonhalting programs :)
21:06 < Emcy> "stressing program wont halt"
21:06 < Emcy> life.exe
21:17 < brisque> andytoshi: this is a nice explanation too https://bitcointalk.org/index.php?topic=437220.msg4809894#msg4809894
21:17 < andytoshi> ohh thx brisque i was wondering wth a "rendezvous point" was
21:18 < brisque> basically his precomputed keys, heh.
21:45 < brisque> I'm sure everybody has seen the person joining #bitcoin and spamming obscenities at the OPs. they're all listed on bitnodes.io as having been seen running a node at some point.
21:45 < brisque> is somebody seriously running a bitcoin-related botnet and spamming the channel with it?
21:50 < brisque> oh, actually. they're shared VPN addresses rather than a botnet. that's comforting.
22:11 < super3> is Luke-Jr around? i'm just about done with proof-of-pizz
22:11 < super3> proof-of-pizza*
22:46 < Luke-Jr> we should all plan to plan out proof-of-steak at the Texas conference
22:47 < Luke-Jr> and announce it right at the end of the month
22:47 < Luke-Jr> maybe late by a day
22:47 < justanotheruser> Luke-Jr: have you heard of cyruscoin?
22:47 < Luke-Jr> no
22:47 < justanotheruser> It's based on proof of twerk
22:49 < tacotime_> I'll be at the Texas conference, but I can't get behind proof-of-steak because I'm a pescetarian. :/
22:50 < Luke-Jr> tacotime_: surely there is a seafood steak?
22:52 < tacotime_> I could do a salmon steak, I suppose. :D
22:53 < tacotime_> https://bitcointalk.org/index.php?topic=421842.msg4800547#msg4800547
22:53 < tacotime_> He actually cracked a brainwallet privkey, heh.
22:53 < Luke-Jr> not hard, brainwallets are stupidly insecure
22:55 < brisque> tacotime_: brain wallet? it was probably created with his "weak key generator", which only generates keys of which he has the rainbow tables for.
22:56 < super3> ha ha. cyruscoin thats a new one
22:56 < tacotime_> Heh.
22:58 < super3> once its a little closer to the conference ill find a good steakhouse (with some non-meat options too) and we can all go there
22:58 < super3> perhaps we can even pre plan and have them accept Bitcoin
--- Log closed Wed Jan 29 00:00:07 2014
--- Log opened Wed Jan 29 00:00:07 2014
00:37 < helo> where in tx?
04:41 < gmaxwell> http://xkcd.com/1323/ < tehehe
04:46 < _ingsoc> gmaxwell: Care to make a single statement on Ethereum? For the press!
04:46 < _ingsoc> (I'm kidding about the press)
04:47 < gmaxwell> meh.
04:48 < _ingsoc> Hahaha. I thought so much.
04:48 < gmaxwell> I'm happy to hear someone is exploring something different, really disappointed to see another group asking for millions of dollars for a bill of goods. The code posted so far is unimpressive.
04:48 < _ingsoc> What makes the code unimpressive?
04:49 < gmaxwell> I also think the goal is actively stupid, but in the hierarchy of goodness good > stupid > redundant; something that sounds foolish to me may turn out to be good ultimately (esp after some iteration to fix flaws the first couple times it gets knocked down and everyone gets robbed :P )
04:50 < gmaxwell> There isn't (wasn't? it's been two weeks since I looked) much of anything there, I mostly looked at the script stuff, and it was clearly being done by someone with no experience programming a stack machine.
04:50 < _ingsoc> Heh. People will go crazy if it flops.
04:50 < _ingsoc> Interesting.
04:51 < _ingsoc> The C++ code?
04:51 < gmaxwell> I looked at both the go and the c++ code.
04:51 < _ingsoc> Ah.
04:51 < _ingsoc> Know much about vbuterin?
04:52 < gmaxwell> ("technically turing complete, yes, but so is subtract-and-branch-if-less-than-or-equal-zero.")
04:52 < gmaxwell> I've met him, seems like a nice guy, relatively quiet. I don't know him well.
04:53 < _ingsoc> It'll be interesting to see what happens in this space. Sounds better than Mastercoin at least. xD
04:53 < gmaxwell> I've been unimpressed at times with some of his writing on technical subjects, but addressing a general audience is difficult so that might not really mean much of anything.
04:53 < _ingsoc> True.
04:53 < gmaxwell> _ingsoc: I'm not sure how to distinguish it. I mean, mastercoin could _be_ this effectively. Thats one of the 'upsides' of basically selling a sheet of paper with promises.
04:54 < gmaxwell> It could become embodied in some way which is very technically different than the initial proposal.
04:54 < _ingsoc> Something about how Mastercoin is managed that makes me cringe.
04:54 < _ingsoc> Maybe if the ideas were in the right hands, I don't know. But so far it's sounded like a nightmare.
04:54 < _ingsoc> From a project management perspective.
04:54 < gmaxwell> well, I have the same cringe on the ethereum goal to raise 36 million dollars, which is just insane in my opinion.
04:55 < _ingsoc> That's a bit of a misconception. They put the hard cap at 30k Bitcoin.
04:55 < _ingsoc> They were worried a whale would come and swallow up the sale.
04:55 < _ingsoc> They just need 500 BTC.
04:56 < _ingsoc> But claim to have transparent expenditure plans up to that point.
04:56 < nsh> why not... demonstrate something is viable before getting ludicrous and unnecessary capitalization?
04:56 < nsh> is that naive? i am not a business person
04:56 < _ingsoc> nsh: Ask all of Silicon Valley?
04:56 < gmaxwell> nsh: It's not naive. It's basic ethical behavior.
04:56 < _ingsoc> Agreed.
04:56 < _ingsoc> Problem is people need to eat I guess.
04:56 < gmaxwell> Especially for something which doesn't have infrastructural requirements for that sort of funding.
04:57  * nsh nods
04:57 < _ingsoc> Their Github is supposed to be evidence of work.
04:57 < _ingsoc> Some might agree it's that, others may disagree.
04:57 < gmaxwell> _ingsoc: my living expenses are about 30k/yr and I live in one of the most expensive places to live in the world. How many people need to eat?
04:57 < _ingsoc> 22.
04:57 < _ingsoc> Well, I don't know what the proportions are.
04:57 < _ingsoc> But 4 founders.
04:58 < _ingsoc> Any prior Invictus involvement makes me nervous. Won't lie about that.
04:59 < gmaxwell> really it sounds like they're outsourcing all the risk, and I think thats not reasonable for initial development and it misaligns motives, but there is no need for me to be judgemental people can decide if they'd like to fund it.
04:59 < _ingsoc> That's been the sentiment it seems.
04:59 < gmaxwell> And yea, well I was trying to not make any negative comments about the people.
04:59 < _ingsoc> Same.
05:00 < gmaxwell> and as I said, stupid > redundant. I'd rather have newer attempts even with dumb funding models, than more stuff that just copies the bitcoin codebase and changes ~nothing more than the name.
05:01 < nsh> the wheel of progress is oiled with the grease of fleece :)
05:01 < gmaxwell> (maybe we'll learn something; though I'm skeptical: basically no one uses the powerful scripting in bitcoin, the hard parts are UI and user education and such)
05:03 < gmaxwell> I'd like to see some of these things fail in novel ways. Ethereum losing all its non-miner validators will be very interesting. I'm sad that none of the altcoins have uncapped the block size. (No "SuperScalableCoin", AFAIK).
05:04 < grazs> HaikuCoin, you must embed a unique haiku poem to every transaction
05:06 < gmaxwell> grazs: you've seen my covenant thread?  that kind of thing is possible in the form of fungibility loss if you have insufficiently constrained script. :P
05:08 < grazs> gmaxwell: no, please share :)
05:09 < grazs> btw, nice collection of alt-ideas in the wiki. it's been a nice topic of conversation among my colleagues
05:09 < gmaxwell> grazs: it's kinda old now, there is probably a bunch of things I'd add if I updated it.
05:09 < gmaxwell> grazs: https://bitcointalk.org/index.php?topic=278122.0
05:11 < grazs> gmaxwell: I live for bad ideas, will read this at lunch!
05:13 < gmaxwell> (the general concept has positive uses too, but most _random_ ways of using that particular expressive power are really bad)
13:37 < gmaxwell> May be of interest to some here: https://lists.torproject.org/pipermail/tor-dev/2014-January/006146.html "Key revocation in Next Generation Hidden Services"
13:47 < petertodd> maaku: NO! the magic CC script can be written such that it itself checks the transaction recursively, which means that all you have to do is check that the CC script would see the current "tip" transaction as valid one step back
13:47 < maaku> oh yes i see how that would work
13:48 < maaku> you lose SPV compatibility though
13:48 < petertodd> maaku: no you don't! SPV compat is still there because you only need to check one step back to know the whole chain is valid
13:48 < petertodd> maaku: remember, the magic CC script can only exist in the scriptSig if the previous tx included the magic CC script in the scriptSig, all the way to the genesis condition
13:48 < gwern> huh. induction in real life.
13:48 < petertodd> gwern: yes
13:49 < maaku> only if the coins become unspendable if they were invalidly constructed
13:50 < petertodd> maaku: no, the coins are always spendable, but you can't spend them with a transaction scriptSig that matches the CC script checker
13:50 < petertodd> maaku: IE, you can get the coins back under all circumstances, you just can't make them colored fraudulently
13:51 < maaku> petertodd: ok, walk me through this. I create a transaction marking all the outputs as 'blue' with a CC script prefix
13:51 < gmaxwell> you make the script only allow you to assign it if it was used previously or if some birth criteria is met.
13:52 < petertodd> maaku: *no*, you make a transaction that in the scriptSig includes the CC validity script
13:52 < gmaxwell> E.g. this color coin script can be applied if the parent txout is txid:vout  or if the parent script had this script on it.
13:52 < petertodd> maaku: now, if you are the genesis tx, you have a separate code-path that checks a signature or that the txin is something specific or whatever
13:52 < gmaxwell> you use the first rule to give birth to the colored coin and then the rest can only be children of it.
13:52 < petertodd> gmaxwell: can only be children of it *or* not colored
13:52 < gmaxwell> or not colored, indeed.
13:53 < gmaxwell> don't want it to be viral.
13:54 < petertodd> yup
13:54 < maaku> ok how do you restrict which outputs are colored?
13:54 < adam3us> gwern, petertodd: i am not sure how important sequential memory hard is Lerner says "must not allow easy parallelization
13:55 < petertodd> maaku: the restriction is that you can't make the CC script execute unless the transaction only creates valid CC outputs
13:55 < adam3us> gwern, petertodd: however mining is inherently massively parallelizable by intent and necessity; what does it matter if its micro parallelizable as well as macro-parallelizable
13:55 < petertodd> maaku: but you can still spend the outputs, it just means the outputs aren't colored
13:56 < petertodd> adam3us: the difference is that micro-parallelization has different characteristics due to how memory works; the idea is that if you use some block of ram sequentially *at the scale of PoW mining hardware* that forces you to implement it in ways that look like commodity hardware
13:57 < maaku> petertodd: so the outputs are still tagged?
13:57 < petertodd> adam3us: the problem is this isn't a hard-and-fast rule - it's not that his argument is invalid, just that he needs to analyze it much more carefully than that
13:58 < petertodd> maaku: well, one way to do it would be to rely on the txout index, so you might commit to what values spends of the various txouts are allowed to have in some merkle tree without actually evaluating the txout scriptPubKeys directly
13:58 < adam3us> petertodd: well if it was really sequentially accessed its cacheable and address calc pipelineable.  seems more like scrypt's romix component with random access is more plausible.
13:59 < maaku> petertodd: btw, have you considered looking at how modern commodity hardware is deficient, and focusing on proof of work that would improve the situation if commoditized?
13:59 < petertodd> maaku: basically the scriptSig contains: <merkle root of allowed output CC values> <CC verification script>
14:00 < petertodd> maaku: that's what SHA256 does, *if* ASIC mfg capacity is available, then a really simple PoW like sha256 is ideal because your startup costs to make a miner ASIC are low
14:00 < petertodd> adam3us: sequential != cacheable
14:00 < maaku> petertodd: oh, i mean things like highly interconnected cores, greater memory bandwidth, etc.
14:01 < petertodd> adam3us: for real-world memory sequential is faster however, due to the fact that real-world ram talks to cpu's on a bank level, among many other considerations
14:02 < adam3us> maaku: i like the parallela chips.  many risc cores on a chip.  like a gpu but without the custom graphics stuff and without SIMD
14:02 < petertodd> maaku: well, see the problem with stuff like that is what is available as commodity changes over time; you have to target some architecture with a very high chance of existing in the future
14:02 < maaku> adam3us: like Cell and APU
14:02 < adam3us> petertodd: right.  sequential access is faster on existing hardware because they optimize for it
14:03 < petertodd> adam3us: not so much because they optimize for it, but because it's the only possible way to build the hardware
14:03 < petertodd> adam3us: I mean, you could optimize for something else, but the limitations of silicon strongly suggest bank-accessed designs
14:03 < maaku> petertodd: no that's my point - you target something which you would like to become available, because it is beneficial for other purposes (e.g. those are things I would like for commodity supercomputers)
14:03 < maaku> or rather, things which are available now but in limited quantities
14:04 < petertodd> adam3us: similarly you need designs where the cpu<->mem interface happens in packets because high-speed parallel busses are impossible to make
14:04 < maaku> and let the market push industry further in that direction
14:04 < petertodd> maaku: oh, I see, yeah, but that's a very risky strategy that's just as likely to lead to some ASIC that's overly optimized and useless for any real-world thing
14:05 < petertodd> maaku: for instance, PoW mining can tolerate way higher error rates than almost any other application
14:06 < adam3us> maaku: so one hypothesis is to use halting problem logic to search for instruction sequences and what state they put some memory into or something like that of an open risc cpu design.  if people want to make those fast thats a public good.  however typically there is going to be something that can be stripped to advantage to make them faster/more energy efficient as miners..  but yes its an interesting direction.
14:08 < adam3us> maaku: basically the lesson i draw is a) hardware wins; b) a lot of software people don't know much about highly optimized custom hw design nor the limiting factors
14:09 < petertodd> adam3us: hence why I think we're a lot more likely to come up with PoW that is FPGA-soft rather than FPGA-hard
14:11 < adam3us> in some way of thinking re jtimon argument yesterday about energy efficiency, asic hashcash-sha256^2 could be argued to be more energy efficient than gpu-hard. so other than the centralization issues coming from hw manuf barrier to entry perhaps thats not so bad.  (ie the more profitable mining is above investment the more likely it is to be energy efficient)
14:11 < petertodd> adam3us: meh, I like to beat on nature
14:13 < adam3us> the other obvious approach is to change the PoW periodically, or put dozens of building blocks into it and change the way they are connected to define new mining variants.  have % of reward allocated to different PoW params, and adjust the difficulty of each param-set to match the % target.
14:13 < jtimon> adam3us I guess jgarzik just convinced me here http://www.coindesk.com/bitcoin-developer-jeff-garzik-on-altcoins-asics-and-bitcoin-usability/
14:13 < jtimon> sorry afk for some time
14:14 < petertodd> jtimon: ugh... that's really ill-informed
14:14 < petertodd> jtimon: god-damn software engineers :p
14:14 < adam3us> u note how sergio lerner posted that mem hard pow with todays date.  he seems to be a bit secretive and then reveal things when pushed.  he still didnt reveal his claimed coin anonymity
14:15 < petertodd> adam3us: one thing that worries me about "change the pow constantly" schemes is they can turn the "ASIC-hard" problem into a secret *software* problem
14:16 < petertodd> adam3us: IE, if I'm a FPGA mfg and I put my experts onto the problem of making meta FPGA programming code to target the PoW most efficiently every day
14:16 < petertodd> adam3us: that industry has enough secrets that it'd be a winner-take-all situation potentially
14:21 < petertodd> Oh, here's a nice proof-of-existence: suppose you have a scrypt-like sequential-hard PoW function. Now, they kinda suck because to verify them you need a ton of RAM and a lot of CPU power right? However, you can also make a SCIP/ZK-SNARK style proof of the pow solution and verify that instead.
14:21 < petertodd> Thus we know you can make sequential-hard PoW with fast verification.
14:22 < petertodd> Of course, there's the real-world problem where the SNARK proof-creation is a better PoW than the scrypt... :)
14:22 < petertodd> maaku: ^ though that might be a useful way to optimize SNARK proof-creation of course...
14:22 < petertodd> (I think gmaxwell? suggested basically that for SCIP stuff?)
14:25 < adam3us> petertodd: yes.  my supposition would be the hw people would make fpgas with reconfigurable buses etc between the lumpy modules tht can be rewired the same as the sw.  "hw wins" etc
14:25 < gmaxwell> though even though snark validation is fast it's still slower than SHA256 by a fair margin. (see vntinyram paper for state of the art numbers on the verification of the ggpr stuff... but anything else is not going to be much faster)
20:31 < shesek> (browserify compiles code with nodejs module system to a single js file with all the dependencies)
20:34 < arbart> shesek: thank you very much!
20:34 < shesek> arbart, you're welcome
20:35 < shesek> I've been using it quite heavily myself for bitrated, so feel free to ping me if you need any help
20:48 < arbart> shesek: thanks, its not unlikely I'll have to take you up on that offer :)
20:48 < shesek> cool, I'll be glad to help if I can :)
20:52 < shesek> you can also check the code at https://github.com/shesek/bitrated/ to see some examples of using it (its written in coffeescript, though) and how the browserify compilation step works (bin/build-static.sh, or server/assets.coffee for a nodejs server that compiles on-the-fly)
20:53 < jgarzik> shesek, RE bitcoinjs-lib, BitPay's fork of bitcoinjs-server (the node.js fork) is the most maintained
20:53 < jgarzik> in case you are on server, rather than client/browser
20:53 < jgarzik> https://github.com/bitpay/bitcore
20:54 < shesek> oh really? that's great to know, last time I looked at bitcoinjs-server it seemed completely unusable :\
20:54 < shesek> I ended up using bitcoind with a thin nodejs layer to serve the public api
20:54 < jgarzik> shesek, creaky and old.  both bitcoinjs-lib and bitcoinjs-server were 2 years old. no p2sh, no multisig, ...
20:55 < jgarzik> shesek, we need all that, so we picked up maint on the node.js stuff
20:55 < jgarzik> shesek, _most_ is compatible with the browser, but there are a few replacements still needed
20:56 < shesek> have you looked into vbuterin's work on bitcoinjs-lib? he got it to a pretty stable state, added new features, and made it compatible as a nodejs module
20:57 < jgarzik> yes
20:57 < jgarzik> it wasn't complete enough when we looked at it
20:57 < jgarzik> at the time, coinpunk was in bitpay's office, hacking out code to run in browser
20:59 < shesek> oh, cool, I didn't know coinpunk was related to you
20:59 < shesek> you just gave them some work space, or is coinpunk a bitpay project?
20:59 < jgarzik> he worked for us briefly
21:00 < arbart> What's the node.js stuff for? accessing the blockchain?
21:01 < shesek> that, and for handling keys/addresses/transactions/signatures server-side
21:02 < arbart> No current alternative if I want browser js to parse the blockchain for what I'm doing?
21:03 < shesek> how would that work? you would load the entire blockchain client side?
21:03 < shesek> the client-side libraries allow you to create keys/addresses, construct/sign transactions and all that
21:04 < shesek> communicating with the Bitcoin network/blockchain requires running something on the server that's capable of doing that
21:04 < shesek> I ended up writing https://github.com/shesek/bitcoin-webapi that exposes some minimal APIs that I needed (loading unspent inputs and broadcasting transactions) on top of bitcoind with sipa's #2802
21:04 < shesek> (address index with searchrawtransaction, https://github.com/bitcoin/bitcoin/pull/2802)
21:10 < arbart> Ok, I understand then. Your coffee script stuff looks pretty cool actually.
21:11 < shesek> its a nifty little language that can give some people a serious productivity boost, but its not for everyone :)
21:12 < shesek> bitrated's source is still a bit messy, but its somewhat organized and commented, so it should give you a good start
--- Log closed Fri Jan 24 00:00:55 2014
--- Log opened Fri Jan 24 00:00:55 2014
12:58 < imsaguy> All you people don't get bitcoin.
12:59 < gmaxwell> 0_o
12:59 < _ingsoc> xD
12:59 < _ingsoc> Okay then.
12:59 < amiller> thanks
13:15 < midnightmagic> He's mocking me because I told him most people in #bitcoin* probably don't understand bitcoin.
13:16 < gmaxwell> ah
13:17 < tacotime_> we're way more knowledgeable over here in wizards
13:18 < tacotime_> what's a blockchain?
13:18 < amiller> i just met yet a few more unexpected people who are pursuing bitcoin research
13:18 < amiller> especially a pretty famous programming-languages person who apparently is about to publish a type-theory altcoin proposal
13:19 < nsh> yay
13:19  * nsh premines some functorcoins
13:19 < amiller> LOL
13:20 < amiller> it was weird, he was explaining the linear type system that it will use
13:20 < amiller> i said, cool, do you have any particular motivating example in mind
13:20 < amiller> he was like no not at all.
13:20 < gmaxwell> hahaha
13:20 < gmaxwell> <foo> but in a cryptocurrency.
13:21 < amiller> "welcome. you'll fit right in here."
13:21 < tacotime_> the screaming robot of cryptocurrencies.
13:21 < tacotime_> hahaha
13:22 < nsh> Linear type systems are the internal language of closed symmetric monoidal categories, much in the same way that simply typed lambda calculus is the language of Cartesian closed categories. More precisely, one may construct functors between the category of linear type systems and the category of closed symmetric monoidal categories.[7]
13:22 < nsh> -- http://en.wikipedia.org/wiki/Substructural_type_system#Linear_type_systems
13:22 < nsh> should be fun...
13:23 < amiller> linear logic is good for modeling resources
13:24 < amiller> for example from one quarter, you can derive two dimes and a nickel
13:24 < amiller> also from one quarter, you can derive five nickels
13:24 < amiller> but that doesn't mean you can take a quarter and derive six nickels and two dimes
13:24 < nsh> kinda like typing with accountancy baked in
13:24 < tacotime_> Hmm.
13:24 < amiller> you could probably express all the conservation rules about no inflation etc using linear logic (though i think it would be overkill)
13:25 < tacotime_> What's the real world application?
13:25 < amiller> well take ethereum scripts for example
13:25 < amiller> maybe you'd like to be able to typecheck them and prove they don't leak value somehow
13:25 < tacotime_> Ah
13:28 < tacotime_> So like proof-carrying code?
13:29 < amiller> i think so (but i'm really not sure)
13:29 < gmaxwell> amiller: I don't know why that really matters inside a cryptocurrency. We shouldn't have code in a cryptocurrency, we should have witnesses for code other people ran.
13:30 < amiller> i told him about snarks and pinocchiocoin, he knew about pcp proofs
13:31 < gmaxwell> You can think of that stuff just as a performance optimization.
13:31 < amiller> then sure
13:32 < amiller> so when the witnesses about code that other people ran, are about values that are of global importance, like a monetary supply, then applying this sort of conservation logic would be relevant
13:32 < gmaxwell> Well, sure I think it's good to create things using tools for soundness, but there isn't any reason to leave them in inside the witness.
13:33 < tacotime_> You can provide witness for executed code without executing the code yourself to verify it?
13:33 < gmaxwell> type data is precisely the sort of thing you can omit in a witness when extracting it from an execution trace, even before you go the route of converting the execution trace into a snark.
13:34 < tacotime_> I'm unfamiliar with a lot of this "proofs" stuff used for ZRC etc
13:34 < gmaxwell> tacotime_: Yes, thats what a snark is, a proof that code was faithfully executed which is logarithmic in the length of the execution (or smaller, with cryptographic assumptions they can be constant size in the security parameter)
13:34 < tacotime_> Ah, I see.
13:35 < andytoshi> tacotime_: thank you for acting incredulous about that. i wish more people here would explicitly mention how mind-boggling this is :P
13:36 < nsh> once you accept the existence of voodoo magic, it's a relatively trivial corollary
13:36 < gmaxwell> PCP theorem proves that any execution in NP is provable with arbitrary soundness compactly, though PCP doesn't directly give a practical way to go about doing it.
13:37 < tacotime_> Hahaha.  Well, I never used to hang out here so a lot of this stuff is novel to me. I only sat around bitcointalk and the issues over there regarding what they want in altchains is apparently very different.
13:38 < tacotime_> *are
13:38 < andytoshi> gmaxwell: is there a nice paper summarizing the pcp theorem's history and proof? wiki sorta says "it's smeared over 30 years of history, good luck friend"
13:38 < amiller> this stuff is at the front of theoretical cryptography, it should be novel to pretty much everyone, it's pretty exciting we have a reason to discuss it at all (which is why even the cryptographers working on it are like, oh this is practical, it's even relevant for bitcoin)
13:38 < amiller> andytoshi, hah.
13:38 < amiller> http://courses.cs.washington.edu/courses/cse533/05au/pcp-history.pdf
13:38 < tacotime_> Thanks
13:39 < gmaxwell> Well I don't think proving in zero knowledge is _that_ remarkable, that the proofs can be sublinear in size is somewhat remarkable.
13:40 < andytoshi> amiller: thanks!  gmaxwell: the sublinearity is weird, it feels like skirting P=NP in the same way as quantum entanglement skirts "can't send signals faster than time"
13:40 < nsh> hehmm
13:40 < andytoshi> that is, there is no actual violation, but it seems like -something- in the platonic realm must be violating it
13:40 < amiller> https://eprint.iacr.org/2012/215.pdf this is the big theoretical result that made SNARKs a hot topic
13:41 < amiller> it's underlying TinyRAM and Pinocchio etc
13:41 < amiller> some of its paragraphs are possible to read...
13:41 < nsh> andytoshi, i had similar intuitive feelings, but hadn't made that analogy. thanks
13:41 < gmaxwell> Thats the GGPR'12 paper. Meh. well, it's not the only thing that made it a hot topic.
13:42 < amiller> hrm, what's the best thing preceding it?
13:42 < gmaxwell> andytoshi: well it can be useful to think about what you give up in both cases.  SNARKS in sublinear size 'only' have computational soundness.
13:42 < amiller> proofs for muggles maybe
13:43 < amiller> no proofs for muggles is interactive
16:07 < adam3us> nsh: or a 1/100th difficulty. with the objective to make pools less critical for more people.
16:08 < nsh> hmmm
16:09 < adam3us> nsh: tends to mean the block chain gets spammed with lots of little-pows, the interblock interval will be much lower (and he proposed to use GHOST (hashing non conflicting orphans) to support 1min eg interval without orphan loss))
16:10 < nsh> i'll take your word for it :)
16:11 < adam3us> amiller, nsh: but my more immediate issue was why would a pool with a reasonable chance of getting a full size reward (1-conf) bother to accept say 0.9 reward rather than just orphaning the 0.1 reward.  maybe amiller can explain how he thought that would work when he's online
16:12  * nsh nods
16:12 < amiller> well the same you build on other people's blocks rather than undermining them
16:12 < amiller> same reason*
16:13 < amiller> i mean, you can get the full size reward by building on the 0.1 block too
16:13 < adam3us> amiller: well in that case its because you are scared that someone will build on the other block and you'll get orphaned
16:13 < amiller> yes
16:13 < adam3us> amiller: oh i see, got it.  no new incentive to orphan
16:15 < sipa> i'm not sure the discreteness of increments to the total work is irrelevant
16:15 < adam3us> amiller: you also said you thought you'd have to use GHOST if i recall
16:15 < adam3us> amiller: to combat the faster variable-sized block interval that may result
16:15 < amiller> sipa, the way i say it now is that it seems okay as long as there is a bound on the min difficulty and max difficulty
16:16 < adam3us> sipa: i think its utility is it reduces the need to pool.  you can more likely direct mine.
16:16 < amiller> the problem with too low difficulty is DoS and waste, and the problem with max difficulty is that malicious-not-profit-motivated attackers can revert long amounts of history with non-negligible probability
16:16 < amiller> but it's okay if there are two parameters clamping this space...
16:17 < amiller> (i'm still trying to figure out how to prove something about the case where there are no bounds/parameters but i haven't gotten anywhere)
16:17 < adam3us> amiller: do you know how GHOST proposes reward works in the adopted non-conflicting orphans in a given block?
16:17 < amiller> ghost proposes no rewards i believe
16:17 < amiller> i think it might not hurt to just include the rewards
16:17 < amiller> i'm not sure though.
16:18 < adam3us> amiller: i think there would need to be some incentive to adopt orphans?
16:19 < amiller> yeah, i don't have any good answer for how that should work
16:23 < adam3us> amiller: eg you get 10% of the reward on top of each orphan you adopt, or something like that. (Bearing in mind rate of reward distribution can be tuned to match current however its done)
16:23 < maaku> adam3us: what do you mean by adopt? GHOST doesn't have anything like that (or need it)
16:24 < adam3us> amiller: i thought ghost works by referencing multiple predecessors in a given block, so that the adopted orphans are considered in the weighting of which block is voted as correct
16:24 < amiller> i get nauseous every time there appears to be another parameter to adjust to reward/discourage some behavior like orphan vs building
16:24 < amiller> if i can state what the desired behavior is supposed to be and what the options are the right approach is to solve for what is incentive compatible or something like that, but that never seems to work out :/
16:24 < nsh> amiller, works for the standard model...
16:25 < maaku> adam3us: no, ghost is just a new algorithm for selecting best block, taking into account stale blocks you might have seen
16:25 < adam3us> amiller: yes. well in my own design exploration i always come back so far to the current design is best.  i found something like ghost but decided its complex to limited benefit.
16:25 < nsh> all we need is like 30-60 finely-tweaked otherwise-inexplicable parameters
16:25 < maaku> adam3us: it's a local algorithm, not consensus based
16:25 < adam3us> maaku: oh, seems i misunderstood it!
16:26 < sipa> maaku: what do you mean by local?
16:26 < nsh> (then we "explain" it by resource to a anthropic blockchain landscape)
16:26 < adam3us> maaku: so which is the best block in ghost?
16:26 < nsh> *recourse
16:26 < adam3us> amiller: yeah i think game-theory and self-interest are security-fragile.
16:27 < maaku> adam3us: at each step, choose the branch with the most total work, including stales
16:27 < amiller> but, we now have a more specific guiding goal
16:27 < sipa> maaku: right, but that can change over time
16:27 < amiller> getting whatever people want or can get from p2pool within the main game itself....
16:28 < maaku> sipa: yes, but with a stable outcome
16:29 < adam3us> maaku: wait but orphans arise because of simultaneous publication, so what does ghost mean, you switch to a later announced block if it is heavier? how is weight determined?
16:29 < adam3us> maaku: (I mean you switch to mining on)
16:31 < maaku> adam3us: start with the genesis block as best. sum the aggregate work built off of each branch you know of - including stales - and choose the one with most total work
16:32 < maaku> if two branches have the same weight, then you use some other factor (like say when you heard about it)
16:33 < maaku> but yes, maybe one has more stales and therefore more weight
16:33 < maaku> another way of saying this is choose the branch that you have more evidence of hashpower commitment to
16:33 < maaku> because, in the long run, it's the branch more likely to pull ahead
16:33 < qwertyoruiop> maaku: so basically, 51% easier.
16:33 < maaku> qwertyoruiop: ?
16:34 < qwertyoruiop> the biggest pool can have more luck at double spending
16:34 < maaku> qwertyoruiop: no. not unless they are already >50%
16:35 < qwertyoruiop> you'd be making it easier for < 50% attackers trying to doublespend.
16:35 < maaku> qwertyoruiop: no, it'd be harder
16:36 < maaku> because if the attacker has <50%, then he would have less evidence of work on his chain
16:37 < maaku> so people *wouldn't* switch to it, even if he managed to pull ahead by getting lucky
16:37 < adam3us> maaku: so do you think its really true that this makes the orphans useful enough to count as productively used and so to support reducing the block interval to 1min (with higher orphan rates) as they propose?
16:38 < maaku> he'd have to surpass not just the linear work of the honest chain, but all the stales too
16:38 < adam3us> maaku: doesn't the orphan still get no reward and so give advantage to better latency connected miners?
16:38 < qwertyoruiop> what would exactly the point of adopting orphans be?
16:38 < maaku> adam3us: stales not orphans, and there's no reason to decrease the interblock time
16:39 < maaku> it gets you no practical advantage with a *huge* hit to SPV users
16:39 < adam3us> maaku: well i know no need, but i thought that was one of their claimed reasons and advantages for the approach?
16:39 < maaku> they misunderstand the tradeoffs involved
16:39 < maaku> but yes, that is what they are proposing
16:40 < adam3us> qwertyoruiop: maaku is explaining there is no orphan adoption in ghost
16:40 < maaku> GHOST lets you approach closer to the limits of what given bandwidth and latency assumptions allow
16:40 < maaku> closer than stock bitcoin at least
16:40 < adam3us> maaku: but that seems to create centralization risks if there is no reward for stales
16:40 < adam3us> maaku: (latency centralization)
16:41 < maaku> adam3us: bitcoin protocol is not the place to correct that
16:41 < maaku> do something like p2pool does
16:42 < maaku> adam3us: GHOST lets us increase the block size more, or decrease the block interval lower
16:42 < maaku> they mistakenly advocate shorter block times when in fact larger block sizes are more likely
16:43 < maaku> so for a given centralization tradeoff let's say 100MB blocks is possible with stock bitcoin; GHOST will let us get to 120MB for that same tradeoff
16:43 < maaku> (i'm making up numbers)
16:44 < maaku> regarding reward, i don't know if p2pool actually does this now, but there's no reason it couldn't merge share chains
16:44 < maaku> (forrestv ^^)
16:45 < justanotheruser> So here is how I want to score how likely it is someone is being a "greedy miner". First measure how often 1,2,3... block orphans occur. Combined with the hashing power of a pool I should be able to calculate what the odds are that there are N+1 blocks replacing their competitors orphans N blocks. If the odds of it happening are 1/X, then they get X added to their score. Keeping track of a weekly score should be able to ind
16:45 < justanotheruser> s/Analiese/anomalies
16:46 < adam3us> maaku: "it gets you no practical advantage with a *huge* hit to SPV users" "they misunderstand the tradeoffs involved" what was that in relation to?
16:46 < maaku> justanotheruser: or, you could simply point a miner at their pool and see if they're building off non-public work
16:46 < maaku> adam3us: advocating smaller interblock times (bad) vs. increasing the block size (good)
16:47 < maaku> smaller interblock times get you nothing unless you can get under a second
16:47 < maaku> which is impossible
16:47 < maaku> so actually, we want the *largest* acceptable interblock time
16:47 < maaku> since that minimizes strain on SPV devices
16:48 < justanotheruser> maaku: wow, that is a lot easier
16:48 < justanotheruser> maaku: except they might be doing this attack using cex.io
16:49 < adam3us> maaku: strain in terms of keeping up with the hash chain and/or number of bloom queries if they are constrained to a block?
16:49 < maaku> justanotheruser: correct, hosted miners are far worse than pools
12:08 < sipa> petertodd: that means the int64 amounts should overflow at some point?
12:08 < petertodd> (pity it'll probably be removed in a hard fork...)
12:09 < petertodd> sipa: what amounts though? there's no "total coins" amount in the consensus code
12:09 < jtimon_> petertodd: I think what sipa means is that you could cause overflows at some point
12:09 < petertodd> sipa: I think the tx code is probably safe because of MAX_MONEY (which the doge team apparently thought was what set the max amount of money)
12:10 < sipa> petertodd: right, i mean more that MAX_MONEY may at some point in the future become uselessly low
12:10 < petertodd> jtimon_: sure, but if no consensus critical code is affected they're ok, and anyway, checked again and it's not 5% inflation, but a linear coin # increase, so it'll take a while
12:10 < sipa> oh
12:10 < sipa> boring :)
12:11 < petertodd> sipa: well, saying "inflation" was bad of me, so I think they're ok
12:11 < jtimon_> it's monetary inflation
12:11 < jtimon_> not necessarily price inflation
12:11 < petertodd> jtimon_: yup, just not numerical inflation :P
12:11 < sipa> yeah, it's money inflation not price inflation
12:11 < sipa> not what i meant
12:11 < sipa> just that linear increase and not exponential is boring
12:12 < petertodd> sipa: yeah, well, time to make expocoin...
12:12 < petertodd> sipa: e-coin!
12:12 < sipa> exp(coin)
12:12 < petertodd> e^coin!
12:12 < sipa> actually, it's O(coin) - the inflation is proportional to the amount in circulation
12:12 < jtimon_> most people believe freicoin and expocoin are equivalent
12:12 < sipa> jtimon_: aren't they (apart from psychology) ?
12:13 < petertodd> sipa: heh, well, why not e^coin! with ! as factorial...
12:13 < jtimon_> people forked our diff filter, but nobody forked our demurrage
12:13 < petertodd> jtimon_: I think it's a marketing problem; I would have called it "a shared coin security fund"
12:14 < jtimon_> sipa: we believe they influence interest differently ie: price inflation just raises nominal interest, demurrage makes REAL interest fall
12:14 < jtimon_> https://www.community-exchange.org/docs/Gesell/en/neo/part5/7.htm
12:15 < sipa> right, but that's just a psychological difference, no?
12:15 < jtimon_> "Hausse-Premium" is usually known as "inflation premium"
12:15 < sipa> the % of coins you own doesn't change
12:15  * petertodd can't believe he just read "support for KYC regulatory compliance" in comic sans
12:15 < jtimon_> sipa think of loans
12:15 < jtimon_> and real capital
12:16 < sipa> jtimon_: define on top of your client a layer that shows every amount as ($VALUE / $TOTAL_IN_CIRCULATION)
12:16 < sipa> jtimon_: expocoin and freicoin do become equivalent then, no?
12:16 < sipa> (honest question, i don't know enough about freicoin)
12:18 < jtimon_> well, not exactly at the low level (don't have refHeights) but yes, I guess economically it would be the same if everybody uses the freicoin unit instead of the expocoin one
12:19 < petertodd> sipa, jtimon_: lost coins make expocoin and freicoin act differently
12:19 < jtimon_> petertodd yes, that's true too
12:20 < sipa> petertodd: how so?
12:20 < jtimon_> freicoin recycles lost coins
12:20 < sipa> how do you detect lost coins?
12:20 < jtimon_> you don't detect them, you destroy all coins and reissue them
12:21 < sipa> i don't understand
12:21 < jtimon_> freicoin is constantly destroying coins, lost wallets or not, and then re-issuing through the miners
12:21 < sipa> i may misunderstand some implementation issues on freicoin
12:21 < jtimon_> we explain it as "demurrage fees go to miners" to simplify
12:21 < petertodd> sipa: demurrage affects you regardless of what other coins are available, expocoin just introduces more coins into the economy
12:22 < petertodd> sipa: the result is roughly the same, but the exact amount of economic inflation can differ in practice
12:22 < petertodd> sipa: never mind that demurrage has other implications, such as how it affects things like colored coins
12:26 < jtimon_> sipa these are probably the more relevant commits https://github.com/freicoin/freicoin/commit/4025098c05c351d72c8a0916ec6010e821d288d6
12:26 < jtimon_> https://github.com/freicoin/freicoin/commit/cee818350d857029e0e7148fece35646d479aea1
12:56 < gmaxwell> This is the puzzle I thought some people here might enjoy: http://web.mit.edu/puzzle/www/2014/puzzle/puzzle_with_answer_cronin/ (don't click solution unless you want to be spoiled) Yes, it's supposed to say that it's solved, the theme of this section is that puzzles were written backwards, where you got a 'solution' first and had to derive the title.
13:09 < nsh> gmaxwell, is the title supposed to be a question that leads to the answer 'CRONIN'?
13:12 < petertodd> nsh: 'round here we'd ask 'Find N such that H(n)=<garbage>' and would have been clever to bruteforce the nonce rather than the PoW solution.
13:13 < nsh> hmm
13:14 < gmaxwell> nsh: well kinda, actually the title is a single word.
13:16  * nsh muses
13:16 < gmaxwell> nsh: make you click the card in the page.
13:18 < nsh> well, cheshire nyan is fun, but i'm still confused :/
13:21 < gmaxwell> You have to go deeper.
13:21 < nsh> okay :)
13:22 < nsh> yay, loads of hex
14:39 < maaku> sipa: inflation moves slowly through the economy giving preferential benefit to those near its source when prices are sticky
14:40 < maaku> and love the O(coin) name
15:16 < maaku> suggestion to jgarzik: crowd-fund in dogecoins your cubesat project. you can send it on L-50 which is taking 50 units to the moon
15:16 < maaku> I think you can drum up enough support to actually send a dogecoin node to the moon (and put a bitcoin node on there too, of course)
15:18 < jgarzik> heh
15:19 < nsh> that would probably work
15:19 < nsh> i wanna send something to the moon
15:20 < nsh> (a robot that tracks down and destroys the american flag)
15:20 < nsh> ((joke. there's no american flag))
15:22 < nsh> maaku, what is this L-50?
15:22 < maaku> jgarzik: i'm serious : http://www.lunarcubes.com/
15:22 < nsh> ah ty
15:23 < nsh> is there a definite launch planned?
15:23 < maaku> nsh: V-50 is a 50-unit housing module attached to centaur upper stages, which go through Earth-Moon L4/L5 on their way out of cislunar space
15:24 < maaku> L-50 is a project to buy one of these to send cubes to the moon
15:24 < nsh> ah, i see
15:24 < maaku> there's also plans to use them for Mars exploration, but that requires a relay spacecraft
15:25 < BigBitz> Heh, cool quiz, gmaxwell :) or puzzle, whatever. :)
15:25 < nsh> would it be feasible to book passage on a regular comsat launch for that? or would it require a special trajectory?
15:25 < maaku> (once you're at Earth-Moon or Earth-Sun lagrange points, it's basically downhill to anywhere in the inner solar system, with the right orbit)
15:25  * nsh nods
15:26 < maaku> nsh: the Centaur stages are what take comsats to GEO, then for satellite safety reasons they use their latent fuel to eject themselves from cislunar space
15:26 < nsh> oooh
15:26 < nsh> that's convenient
15:26 < maaku> so every. single. launch. of a GEO bird sends a centaur stage (or equiv) through one of these trajectories
15:27  * nsh crosses out all his ambitions and replaces with "write code that ends up orbiting moon"
15:27 < nsh> :)
15:49  * petertodd crosses out all his ambitions and replaces them with "write code that exploits code orbiting the moon"
15:51 < maaku> that you could do now...
15:52 < brisque> working on software on the moon would be awful. imagine the cost of getting somebody to go there and power cycle your server because you killed the wrong process.
16:00 < CodeShark> keep someone there at all times just in case
16:03 < CodeShark> the most annoying thing about working on software on the moon would be the latency
16:04 < brisque> probably get better latency to the moon than on a 3G connection, it's not all that far away
16:04 < CodeShark> a quarter of a million miles
16:04 < brisque> little over a second then?
16:05 < CodeShark> in each direction, yes
16:05 < brisque> just use a client with local echo, it'd be just as usable as SSH over GPRS
16:08 < jgarzik> maaku, not implying you were not being serious.  just fun :)  dogecoin has a lot of cute marketing, like the bobsled thing.
16:10 < CodeShark> SSH over GPRS is usable? hell, anything over GPRS is usable?
16:12 < brisque> http://mosh.mit.edu/
16:12 < brisque> I used a phone with a GPRS connection for a few years, it was incredibly painful.
16:19 < CodeShark> many of us did
20:25 < adam3us1> letstalkbitcoin tech interview :) (never like sound of own voice, cringe)
20:27 < adam3us1> (committed tx, fungibility, coinjoin, homomorphic values, centralization, 1-way peg... its long and tech heavy)
21:03 < nsh> let stalk = bitcoin;
21:09 < andytoshi> am i correct that the site requires flash to listen?
21:11 < andytoshi> nope, youtube-dl handles the soundcloud URL correctly: https://w.soundcloud.com/player/?url=http://api.soundcloud.com/tracks/130711534
21:22 < gmaxwell> I dunno if y'all have been paying attention, but the gridseed ltc asics are claiming that they'll do 60KH/s for a power consumption of 0.44 watts. This is an improvement relative to gpus very similar to what bitcoin asics had relative to gpus.
21:23 < brisque> gmaxwell: we'll see, I ordered one just out of curiosity.
21:25 < brisque> gmaxwell: they're apparently very unstable, from what I've read.
21:25 < brisque> I still don't get why they paired an scrypt core with a very inefficient sha256d one though.
21:25 < gmaxwell> What I'm hearing is that the dual sha256/scrypt mode is flaky.
21:26 < brisque> mm, same.
21:26 < gmaxwell> brisque: why do you think it's inefficient? it's ~2W/GH for sha256 which is about as good as it gets on 55nm.
14:20 < maaku> <gmaxwell> why does this pow wanking keep going on here? I can't imagine a less interesting subject. <--- thank you :)
14:21 < adam3us> justanotheruser: selfish mining is the result that a pool with over 33% power can gain more than 33% of the wins/reward by intelligently delaying publication of the blocks it wins
14:22 < justanotheruser> adam3us: and with 25% you can do this too?
14:22 < c0rw1n> is there a pool that takes over 33% of the network regularly?
14:22 < adam3us> justanotheruser: the cost is someone might win while it does that, but the advantage is if it gets a length 2 private chain, it has an advantage that no one else knows the chain
14:23 < adam3us> c0rw1n: it's been the case lots of the time, even right now ghash has 34% (i thought they said publicly they had 40% recently)
14:23 < gmaxwell> it is sort of interesting that ghash has a lot of orphans, people had been assuming it's because their hardware has severe latency problems, but that might not be the only issue.
14:24 < adam3us> justanotheruser: with 25% you can still get an advantage presuming you can succeed to race publication of other winners via good connectivity
14:24 < jtimon> gmaxwell are you suggesting that ghash selfmines and that's why it gets more orphans?
14:24 < adam3us> jtimon: it's plausible that would be the side effect
14:24 < justanotheruser> adam3us: So what percentage of blocks can you get given you have N% of the network? Is there a formula?
14:24 < c0rw1n> i parsed it as "that, or they're doing something wrong with their connectivity"
14:25 < c0rw1n> justanotheruser yeah there is a formula. it involves the variance
14:25 < gmaxwell> jtimon: someone should crunch the data and see if it supports that theory.
14:25 < adam3us> justanotheruser: they have a graph in their paper, it's not fully modeling some real-world effects, but it's interesting and should work
14:25 < justanotheruser> link?
14:25 < jtimon> so you could as well call "selfish mining", "block relay time optimization"
14:26 < gmaxwell> I have noticed an increase in depth 2 orphaning, so if so I don't think they're doing it successfully.
14:26 < jtimon> how will that destroy bitcoin?
14:26 < justanotheruser> gmaxwell: Is it possible to determine that? Like would you have to look at their orphans vs their 2-in-a-row blocks?
14:26 < adam3us> justanotheruser: selfish-mining http://arxiv.org/pdf/1311.0243v2.pdf
14:26 < justanotheruser> thanks
14:27 < jtimon> I guess we would need to estimate their real block distribution latency to calculate the time they hold their blocks?
14:27 < jtimon> I don't know, network topology...too hard of a problem for me
14:27 < gmaxwell> justanotheruser: just stats on orphaning at various depths for different parties would be suggestive. (e.g. I think you'd get a higher rate of 1-orphan for the selfish miner and a higher rate of >1 orphan for all others than expected)
14:29 < justanotheruser> gmaxwell: So if there is one fork that has 3 orphans and the main chain has 4 GHash blocks in their place, that might suggest this attack is taking place?
14:29 < gmaxwell> Yes.
14:29 < c0rw1n> that may be a symptom if i got it right
14:29 < jtimon> would consecutive blocks for parties be significant?
14:29 < gmaxwell> jtimon: happens naturally.
14:30 < jtimon> I mean, count how many times they mine 2 in a row, 3 in a row, etc
14:30 < gmaxwell> more than you'd expect based on their hashrate would be interesting.
14:30 < gmaxwell> but the data is perhaps too undersampled to say with confidence.
14:30 < gmaxwell> long reorgs are more surprising.
14:31 < adam3us> gmaxwell: it's hard to force the point, because they could hide their reward claims (change their reward address, announce via multiple IP#s)
14:31 < gmaxwell> sure though that's detectable for people mining on them.
14:32 < adam3us> gmaxwell: yeah but most users dont know when their home hosted asic wins so they are not auditing, and their individual chance to be the source of the winning block is very low
14:32 < gmaxwell> adam3us: you don't even have to see the winning block, since you can tell if you were working on the same transaction set as a specific winning block (e.g. differs only in extranonce)
14:33 < jtimon> undersampled data? mhmmhm, so maybe coblee's story is not as solid as I thought... ;p https://bitcointalk.org/index.php?topic=143659.0
14:33 < maaku> hrm.. Luke-Jr it might be nice if bfgminer collected statistics on how often and for how long it sees work based on previous blocks that are not publicly known
14:34 < c0rw1n> *click* that's interesting
14:34 < gmaxwell> maaku: how would it know public?
14:34 < c0rw1n> it could blockchain the mining stats?
14:35 < gmaxwell> "blockchain the mining stats"
14:35 < maaku> gmaxwell: either from local bitcoind or by asking Eligius
14:35  * gmaxwell zot
14:35 < sipa> c0rw1n: i hope you're kidding
14:35  * sipa gets his hammer; c0rw1n looks like a nail
14:35 < gmaxwell> maaku: I guess it can poll all configured pools and log when their prevs are different.
14:35 < c0rw1n> 'k i'll shut up if i'm not this smart enough to talk :$
14:36 < gmaxwell> maaku: It's odd that miners don't equal loadbalance pools almost at all, since that minimizes variance.
14:36 < adam3us> gmaxwell: well they could hide the most recent block by handing different blocks with same parent block (assuming GBT was not used)
14:36 < gmaxwell> but I guess that's because they count on pools for monitoring/stats (doh)
14:37 < jtimon> "assuming GBT was not used"
14:38 < maaku> adam3us: that's why you have the miners report, because the pool could just partition your selfish-miner-alert-system off and feed you old GBT replies
14:40 < jtimon> what makes it more expensive for pools to mine gbt/p2pool, bandwidth?
14:41 < adam3us> maaku: selfish pool spot checking in mining client.  not a bad feature.
14:42 < jtimon> maaku I don't get it wouldn't you detect selfish mining on your pool with p2pool/gbt alone ?
14:45 < jtimon> in p2pool concretely, could the pool operator find the block without the rest of the pool noticing?
14:46 < adam3us> jtimon: isnt p2pool p2p so there is no (central) operator so everyone learns everything?
14:47 < jtimon> adam3us I don't know much about pooling in general, but I think that there's an operator who connects all the miners and can collect fees
14:49 < adam3us> jtimon: usually but in the case of p2pool it's more clever, it's p2p and each peer is directly paid out in proportion to their p2p broadcast share history in the coinbase transaction (i think)
14:49 < gmaxwell> adam3us: that's right.
14:50 < gmaxwell> there is no operator it just works like bitcoin itself does to get a payout consensus.
14:54 < jtimon> so selfish mining is not possible with p2pool? what about gbt?
15:08 < jtimon> well, probably better here, maaku no answer from the concatenative people, no?
15:09 < maaku> no, not yet
15:11 < maaku> jtimon: I did email one concatenative researcher who was working on relevant stuff
15:11 < maaku> hopefully I'll hear back at least from him
15:16 < nsh> what's this in reference to, maaku/jtimon?
15:18 < jtimon> in relation to the latest merklized turing complete scripting language
15:18 < jtimon> discussions
15:18 < nsh> ah
15:19 < maaku> nsh: replacing bitcoin script with a turing-complete concatenative language a la Joy, Cat
15:19 < jtimon> maaku emailed a group inciting them to help us design it and become bitcoin scripting language experts, hehe
15:20  * nsh has not read much about concatenative programming languages, if anything at all
15:20 < jtimon> also now in #concatenative but doesn't seem a very active channel
15:20 < maaku> nsh: well, bitcoin script is a concatenative language
15:20 < maaku> just not a very expressive one
15:20 < nsh> mm
15:20 < maaku> basically anything Forth-derived, like postscript
15:20 < maaku> stack based languages
15:21 < jtimon> nsh, maaku gave us these links the other day http://evincarofautumn.blogspot.com.es/2012/02/why-concatenative-programming-matters.html http://www.kevinalbrecht.com/code/joy-mirror/j01tut.html
15:21 < nsh> oh, thanks
15:21 < nsh> former already open in tab :)
15:22 < jtimon> hehe, still I have them in the tab too, only started reading the first one
15:22 < maaku> i like that the first link goes over arithmetic expressions ... it's honest :)
15:24 < maaku> f x y z = y^2 + x^2 - |y| = drop dup dup
15:24 < maaku> yuck... but as an intermediate "high level assembly" representation it has its advantages
15:27 < sipa> in ast: -(+(*($2,$2),*($3,$3)),abs($2))
16:00 < adam3us> gmaxwell: btw speaking of mid-term asic-hard futility for any given algorithm (to any useful extent), which i agree as a prediction - seems vitalik is going for it anyway http://www.reddit.com/r/ethereum/comments/1vh94e/dagger_updates/
16:00 < adam3us> gmaxwell: "We have made a preliminary decision that we likely will fund a contest, similar to that used to develop AES and SHA3, to determine the best ASIC-proof (ie. going beyond just "memory hard" as a heuristic) mining algorithm"
16:03 < adam3us> (this is a reaction to the criticism of vitalik's coelho merkle hash PoW based "dagger" PoW, by sergio lerner who in reaction i guess published his own previously unpublished sequential memory hard hash)
16:05 < adam3us> anyway back to bitcoin useful thoughts... amiller was proposing a few days ago to have variable difficulty blocks so that the confirmation could be eg 1.5 or 1.1, with a 1 conf followed by a 0.5 conf etc. i was thinking that is going to be vulnerable to incentive to-not-orphan issues
16:06 < nsh> what do fractional confirmations mean?
16:06 < adam3us> btw you can (and i did this in hashcash-1 (but not in hashcash-0)) indicate the share size intended simply by including the share size in the hash, and the actual share size = min(actual size,target size)
16:07 < adam3us> nsh: so it means you are allowed to submit eg a 1/2 difficulty PoW for a 1/2 reward (12.5 coins)
22:10 < amiller> the mining provider generates his own keypair, and promises the user that anything won with a particular public key will be transferred to him later
22:10 < gmaxwell> so in the simplified version I just suggested there is no keypair in the block.
22:10 < amiller> ah okay
22:11 < amiller> still it's easy for the service provider to make an equivalent promise
22:11 < gmaxwell> No.
22:11 < amiller> the service provider can create a sentinel transaction or something
22:11 < gmaxwell> We should come to one mind for this.
22:11 < amiller> and say that the reward from any block mined containing a transaction like that should be given to the client
22:11 < amiller> that's a simple enforceable contract
22:11 < gmaxwell> I think you're stuck in thinking about solving it one way, and I have another direction that might be helpful for you. You can solve this by trying to make it so the provider can be non-faithful but as you note that sucks, so instead make it so the client can be non-faithful.
22:12 < gmaxwell> You make a block. It doesn't specify who it pays to. When you find a block you announce "I found block XYZ and stake my claim for the key Spain." The network accepts this, and when block XYZ finally shows up they'll only accept it when it's paying Spain.
22:12 < gmaxwell> (this is a toy version of the idea, I think it needs to be stronger)
22:13 < gmaxwell> now let's say you want to buy hashing power from people. You start paying them.. but every time they find a block, they keep it for themselves (and then go get a new identity)
22:14 < gmaxwell> since block finds are rare, this makes it uneconomical to buy outsourced hashpower.
22:14 < amiller> i can attack this by showing you a stronger contract.
22:14 < amiller> i don't just pay them for shares they're working on a block
22:14 < amiller> i pay them for shares that they're working on a block that has a watermark in it so that i know that even if they rededicate the block arbitrarily, they can't remove the watermark so i can still prove i was entitled to the reward
22:15 < gmaxwell> amiller: but the network has a rule that doesn't give a shit about your watermark: after all, outsourcing is an existential risk to the network.
22:15 < gmaxwell> You can detect that the user screwed you, sure. But their identities are cheap esp since a single user may only find a block once a year.
22:15 < amiller> yes but i don't think it makes sense to rule out any other form of contract enforcement
22:16 < gmaxwell> I suppose so, only outsource to people who give you the note to their home....
22:17 < amiller> so the way to prevent any form of contract enforcement is to make the trapdoor invisible
22:17 < gmaxwell> though I do wonder if we could make agreements like that generally unenforceable. (but we start delving into sociology and law and not crypto there. e.g. if the rules of the system expressly forbid its participants from outsourcing, any such contract would be legally unenforceable... so you'd only be left with kneecap busting security, which doesn't scale well)
22:17 < amiller> it shouldn't be externally discernible whether the trapdoor was used or not
22:21 < gmaxwell> so can you go back and tell me about the threat model we're trying to solve with outsourcing here? I think the interesting one is that I pay remote computing agents to mine malicious chains, and they prove to me that they're working on it. I think that one is actually unsolvable.
22:22 < gmaxwell> If our concern is just that outsourcing lets people do POW without even being able to tell that the work is malicious or not, then that's solved by UTXO hard work. They can tell. They might not care.. but they can tell.
22:23 < amiller> ok let me back up and clarify
22:23 < amiller> the threat model is outsourcing, we're trying to solve that by coming up with an anti-outsourcing PoW+reward scheme
22:23 < amiller> by outsourcing i mean
22:24 < amiller> a client that would otherwise choose to mine by paying $x per month for some probability distribution of rewards (not just expected value, more likely a lottery with somewhat high variance)
22:24 < amiller> instead takes an equal or better deal from a mining service provider
22:24 < gmaxwell> Why is this a threat?  I don't think we at all care about people pooling their payments, except that it lays the groundwork for the other two kinds of outsourcing I enumerated just now?
22:25 < amiller> if people can pool their payments then it's plausible that the rational trend is for one big mining datacenter
22:25 < amiller> which is an existential risk
22:25 < amiller> even if the mining datacenter can't do malicious attacks without anyone noticing, it's still a more central point of failure
22:26 < gmaxwell> if they are only pooling their payments but they still independently check the validity and can not outsource that, then what is the threat?
22:26 < amiller> because taking over that datacenter (even if it causes alarms to sound) is easier than taking over a million gpus in homes
22:27 < gmaxwell> If they know (or could _costlessly_ know but choose to ignore it) the work is moronic or evil but are complicit then that's isomorphic to the users being complicit.
22:27 < gmaxwell> amiller: why would the data center have any control at all about anything important?
22:27 < gmaxwell> oh dear are you not aware of coinbase-only pooling?
22:27 < amiller> because it is in physical possession of the mining apparatus
22:27 < amiller> this is like the opposite of pooled mining btw
22:28 < gmaxwell> I know it is and I actually think you're confused now. :( or I'm confused. I'd like to fix this.
22:28 < gmaxwell> amiller: huh? no. utxo hard work prevents the datacenter from having the mining apparatus.
22:28 < amiller> no i don't think it does....
22:29 < amiller> but yeah definitely let's get on the same page before going back into the difficult stuff
22:29 < gmaxwell> let's imagine an alternative world where the mining is "Validation hard": the inner loop of the POW is doing all the work required to validate recent blocks and requires the user to have all the recent block data in order to practically mine.
22:30 < gmaxwell> (ignore the details on how this is accomplished)
22:30 < amiller> sure
22:30 < amiller> that makes it less appealing to outsource *validation*
22:30 < gmaxwell> Now miners don't like the unstable payments...
22:31 < gmaxwell> so instead they have a deal with aggregators where they attempt to mine blocks that pay according to the aggregators instructions. The block is otherwise generated by themselves according to their own validation (which they have to do anyways as part of the pow)
22:31 < amiller> (this is standard pooled mining so far)
22:31 < gmaxwell> It's not.
22:31 < gmaxwell> they send the aggregator near miss solutions, and the aggregators use that to update their own records on who should get paid what.
22:32 < gmaxwell> It's coinbase-only mining, which I think you're not familiar with yet because it's not deployed yet. :) (well p2pool is a superset of it)
22:33 < gmaxwell> This differs from pooled mining in that the aggregator is not the source of the content of the blocks, and the miners can't be tricked into mining a cheating block without their knowledge.
22:33 < amiller> okay fair enough, i guess that's not standard pooled mining
22:33 < amiller> it is basically p2pool though
22:33 < gmaxwell> because they only get the place(s) where the funds go from the aggregator.. the rest they invent on their own.
22:33 < gmaxwell> Yes, kinda p2pool makes the aggregator a distributed consensus. Though in what I'm describing it could just be a single person.
22:34 < gmaxwell> (p2pool has payout scheme flexibility limitations because the distributed consensus is inefficient and can also not maintain a bank account)
22:34 < amiller> ok
22:34 < gmaxwell> In any case, so where is the risk in what I'm describing?
22:34 < amiller> there's none, that's not the outsourcing threat model
22:34 < amiller> that's A-OK, pooled mining is fine
22:34 < amiller> GPUMAX is the threat model
22:35 < gmaxwell> okay, so let's say that we take that model and say a GPU max shows up
22:35 < gmaxwell> He says, I'll pay you 110% to work on this mystery work.
22:35 < amiller> oh, crap
22:35 < amiller> i think i misunderstand gpumax :o
22:36 < gmaxwell> ah, were you thinking that GPUMAX was "cloud mining" where gpumax had the miners?
22:36 < amiller> yeah, exactly
22:36 < amiller> even ASICs aren't the problem because the asics are mostly easy to distribute in small packages
22:36 < amiller> "cloud mining" is definitely the threat i'm talking about
22:36 < gmaxwell> If so I think that's a separate thing which is worth solving! I'd call that the "hosted mining" problem.
22:36 < amiller> hosted mining, ok
22:37 < amiller> because by economy of scale, it's conceivable that there's some ASIC set up that's cheaper if all the asics are in one big data center, so it's cheaper to buy a share of a hosted asic mining operation than to buy and care for your own asic
22:37 < gmaxwell> OKAY great. whew. Well thats also kind of an emerging threat now too... gpumax and things like it seem to be dead but there are a bunch of hosted mining things cropping up.
22:37 < amiller> name a couple?
22:37 < amiller> i guess i can search for "hosted mining"
22:37 < gmaxwell> ASICMINER for one.
22:38 < gmaxwell> They sell hardware too, but mostly only because of some .. uh. Non-technical mechanisms.
22:38 < amiller> okay, so.... anti-hosted-mining
22:38 < gmaxwell> Yes perhaps .. though this is far from clear: low level waste heat is better distributed.   but it's a risk simply because the labor of maintaining mining has some scaling, and there are lots of people who are super lazy and just want to pay and get goin.
22:39 < gmaxwell> coin.
22:39 < amiller> it's difficult because nothing stops someone from hosting their own separate lottery
00:56 < Diablo-D3> oh hai Graet
00:56 < Graet> asicminer was 3 x 800gh ish miners
00:56 < Graet> hey Diablo-D3 :)
00:56 < Diablo-D3> gmaxwell: yeah, I meant, the other people speculate
00:56 < Graet> using the bitfountain name as they state in thread :)
00:56 < warren> If you have that kind of hash power, why use a public pool?
00:56 < Diablo-D3> gmaxwell: they only have the parts for 15, and they're doing a lot of physical work in the DC to prepare it for the rest
00:57 < warren> It seems the public users + public visibility would make the pool less reliable for the big miners.
00:57 < Graet> warren, for a private company it "makes them more accountable"
00:57 < Diablo-D3> yeah
00:57 < Diablo-D3> its about accountability
00:57 < Graet> + no issues with software bitcoinds etc
00:57 < Diablo-D3> you cant 51% attack even if you control all the hashpower in the world
00:57 < Diablo-D3> because you dont control the actual mining, just the hardware
00:57 < warren> oh.
00:57 < Diablo-D3> someone else is setting up your mining attempts
00:58 <@gmaxwell> Diablo-D3: ... that's thoroughly confused. god no wonder friedcat is indifferent to concerns if you're his biggest shareholder.
00:58 < warren> So physical security of the mining operator is the weak link.
00:58 < Diablo-D3> gmaxwell: no, you want to say they can switch to solo mining and fuck people
00:58 < Diablo-D3> friedcat is only fucking himself if he does that
00:59 <@gmaxwell> Diablo-D3: that actually _reduces_ security, because either the pool being compromised _or_ the farm being compromised is sufficient to attack and the farm being compromised is always sufficient.
00:59 < Diablo-D3> gmaxwell: yes, but thats why Im against monolithic pools
00:59 <@gmaxwell> It's not about friedcat. geesh. Why are people so freaking broken about security.
00:59 < Diablo-D3> which is a different problem
00:59 < Diablo-D3> Im 100% pro p2pool
00:59 <@gmaxwell> Friedcat gets hacked, friedcat gets kidnapped, etc. Friedcat himself isn't a concern except that he's a point of failure.
01:00 < Diablo-D3> gmaxwell: no, I agree there
01:00 < warren> I gave up on p2pool yesterday.  It breaks far too often.  I tried for over a month to fix it.  I'll get back to fixing it later.
01:00 < Diablo-D3> thats also a different problem
01:00 < Graet> bottom line, if it worked better and was easier to use there would be no monolithic pools
01:00 < Diablo-D3> we're discussing 51% itself alone
01:00 <@gmaxwell> warren: breaks?
01:00 < Diablo-D3> dont get me wrong, those are important concerns
01:00 < Diablo-D3> but it has nothing to do with 51%
01:00 < jgarzik> I got a lot of stales, but never broke p2pool
01:00 < Diablo-D3> warren: p2pool has never broken for me
01:01 < Diablo-D3> and I follow p2pool from git
01:01 < warren> jgarzik: yeah, lots of stales, but that isn't what I'm referring to.
01:01 < Diablo-D3> warren: the stale problem was avalon's cgminer build is broken
01:01 < Diablo-D3> forrest fixed it on his side, but wants avalon to still update their cgminer build
01:01 < Diablo-D3> con already fixed the problem upstream
01:02 <@gmaxwell> luke has been basically begging to get on an avalon box in order to get bfgminer working.
01:02 < Graet> p2pool has less than 1% of the network for a reason, and it has nothing to do with asics
01:02 < Diablo-D3> gmaxwell: yeah, but that wont fix it
01:02 <@gmaxwell> he was told he'd be able to get on the foundation one for development, but apparently he's just getting evasion now.
01:02 < Diablo-D3> Graet: yes, its because theres no advertising
01:02 < Diablo-D3> Graet: the thing is all the important people use it
01:02 < Diablo-D3> which is more important than anything else
01:02 < Graet> anyway i'm going for a nap so i can be awake to do more bitcoind updates when i should be asleep
01:02 < Diablo-D3> gmaxwell: luke is a dick sometimes, I dont know why
01:03 < warren> Its stratum implementation has some bug in communicating the pseudoshare target difficulty, I am uncertain if it is related, but it causes random tracebacks within stratum.py.
01:03 < Graet> lol Diablo-D3 p2pool fanbois spam it all through the forums, the devs tell ppl to mine there if they want to mine... like i said before <Graet> bottom line, if it worked better and was easier to use there would be no monolithic pools
01:03 < Diablo-D3> warren: thats the bug
01:03 < Diablo-D3> Graet: people are lazy, thats why they have monolithic pools
01:04 < Diablo-D3> I mean, fuck, people pay fees to pools
01:04 < Diablo-D3> what the hell is that shit
01:04 < Graet> yeah coz the hardware and time it takes to run a pool is free too?
01:04 < Diablo-D3> installing p2pool costs no money
01:04 < Graet> asking miners for donations doesn't work, i tried.....
01:04 < Diablo-D3> installing p2pool costs no money
01:04 < Graet> still comes back to ease of use
01:04 < warren> If you have more p2pool peers, it slows down the time between receiving a share and new work to miners.
01:04 < Diablo-D3> p2pool is extremely easy to use
01:05 < Graet> its not easy for most people to use
01:05 < Diablo-D3> warren: not entirely true.
01:05 <@gmaxwell> warren: and?
01:05 < Graet> apparently not, the network share shows that
01:05 < warren> sorry, that's a really minor problem, it doesn't hurt the block finding, only your personal shares.
01:05 < Diablo-D3> warren: miner to p2pool is still completely local
01:05 <@gmaxwell> warren: we've gone over this, the miners queue work. This doesn't cause a loss of work.
01:05 <@gmaxwell> warren: right, and it's something thats roughly equal for most users.
01:05 < Diablo-D3> the only problem I see with p2pool is that its python
01:05 < warren> Graet: yes, p2pool's biggest problem is it doesn't explain itself to users well enough.
01:06 < Diablo-D3> Ill agree with that
01:06 < Diablo-D3> the docs suck
01:06 < Diablo-D3> but its STILL easy to use
01:06 <@gmaxwell> It's not extremely easy to use and can probably never be.
01:06 < warren> gmaxwell: It seems if you are unlucky, you can get stuck with tons of orphans despite unlimited bandwidth.  I've been measuring things and fiddling it for weeks.
01:06 < Diablo-D3> gmaxwell: I dunno, all you have to do is enable bitcoind's rpc, and then start run_p2pool.py
01:06 < Graet> so it will never be huge, and you will have to live with monolithic pools
01:06 <@gmaxwell> It could certainly be easier... but its even _less_ monetizable than other pooling things, while being harder to make easy.
01:07 < warren> gmaxwell: part of that is because the p2pool client connects forever to nodes no matter how good or bad they are.
01:07 < Diablo-D3> warren: well, thats because p2pool doesnt use enough async networking magic
01:07 <@gmaxwell> Graet: seems likely asic deployments are going to change the threshold for ease of use some.
01:07 < Diablo-D3> which is largely because its python
01:07 < Diablo-D3> and I already said we'd be better off if it was C
01:08 <@gmaxwell> Graet: after all, 20 minutes installing software isn't a big deal vs thousands of dollars in specialized hardware.
01:08 <@gmaxwell> though it certainly is vs a couple GPUs.
01:08 < warren> The underlying design of p2pool is brilliant.  It is just a little fragile in its current implementation.
01:08 < Graet> indeed gmaxwell , interesting times ahead on many fronts
01:08 <@gmaxwell> but yea, who knows.
01:08 < Diablo-D3> I should look and see if I can clone p2pool
01:08 < Graet> will be interesting to see how the hashrate settles out once a decent number of asic are out
01:08 <@gmaxwell> well, and when the new wave of DOS attacks begin. :P
01:08 < warren> Getting "lucky" to be connected to the good p2pool peers and you can have > 100% efficiency easy for weeks in a row.
01:08 < Graet> and that
01:09 < Diablo-D3> warren: yeah but I regularly do
01:09 < Diablo-D3> I never see p2pool efficiency below 100%
01:09 < Diablo-D3> Shares: 59 total (6 orphaned, 1 dead) Efficiency: 114.6%
01:09 < warren> Diablo-D3: that limits adoption though, because people get frustrated and quit, partly because the docs suck and they don't understand it.
01:09 <@gmaxwell> Diablo-D3: where is the rest of the line?
01:09 < Diablo-D3> gmaxwell: thats from the web ui
01:10 <@gmaxwell> in any case 59 isn't much of a sample.
01:10 < Diablo-D3> I asked forrest to add the whole line to the web ui but he hasnt yet
01:10 < warren> Diablo-D3: the "people get frustrated and quit" part makes more people quit because variance is too high and they don't understand probability.
01:10 < Diablo-D3> warren: thats their problem, really
01:11 <@gmaxwell> warren: well also because of unfortunate things like calling p2pool stales "stales"
01:11 < Diablo-D3> monolithic pools have the same issue really
01:11 < warren> shit
01:11 < Diablo-D3> wb warren
01:11 < warren> sorry, wrong button
01:11 < warren> gmaxwell: yeah, if the UI and docs were better it would scare fewer people away
01:11 < warren> gmaxwell: plus it needs to mix up the peer connections more often
01:12 <@gmaxwell> warren: I never noticed any issues with that, but I had a very well established node.
01:12 < warren> gmaxwell: once you get locked into a network of good peers, you're golden.  you crowd out less well connected peers by orphaning them more often.
01:12 <@gmaxwell> My initial node started when p2pool was <10GH and I more than doubled it myself.
01:12 <@gmaxwell> and p2pool prefers older nodes to connect to.
01:12 < warren> That's what I'm seeing on LTC.  It might be because there are much fewer nodes there.
01:13 <@gmaxwell> plus I had established private peering with 2 of the other larger p2pool users.
01:13 < warren> At first I was getting > 110% efficiency for weeks.  Then my network of nodes got very unlucky together.
01:13 < Diablo-D3> gmaxwell: explain something to me
05:55 < deantrade> It can happen.  You are assuming that the market purchasing power of one thing versus another stays constant
05:56 < jtimon> no, I'm not assuming that
05:56 < jtimon> let me rephrase
05:56 < jtimon> the more factories that produce a given good, the less each one of them yields
05:57 < jtimon> sorry, I'll come back in a minute
05:58 < deantrade> The more of something you have, the less market value each additional thing will have.
06:01 < deantrade> Q: Why does Freicoin use demurrage? I'm worried that my coins will just fade away.
06:01 < deantrade> A: Worried? It's a good thing. If the amount of money was stable, people would prefer saving it as opposed to spending it. This would decrease the quantity of money circulated, which in turn would act against the main purpose of money - a medium of exchange. With demurrage in place, you should think about money as it's meant to be, not as a storage medium of wealth.
06:03 < jtimon> not a very good answer, I agree
06:03 < deantrade> Invalid...  even in bitcoin, even if the value goes up over time, if a person has lots of it, he may still want to trade some of them in exchange for other things he wants more.  Just because money is becoming more valuable over time, this has no effect on whether it is suitable for trade.  Suitability for day to day trading is more just about security/transaction fee/speed of transaction.
06:03 < jtimon> but let me explain you Gesell's theory on interest
06:04 < jtimon> you agree that capital accumulation leads to lower real capital yields, no?
06:04 < jtimon> that in turn leads to lower prices of consuming goods
06:04 < deantrade> Only if the capital is just a copy of the previous capital.  But if the capital is an improvement over existing, then no.
06:05 < jtimon> the owners of the "old" capital have to compete with the owners of the "improved capital"
06:05 < deantrade> But I would agree that goods can generally be made cheaper if more capital/durable goods exist and are suitable for the particular goods to be produced efficiently.
06:06 < jtimon> exactly, capital yields are profits, and as such they should drop with competition
06:06 < jtimon> innovation can drive profits higher, but only temporarily
06:07 < jtimon> unless of course the state limits capital production somehow, creating rents
06:07 < jtimon> rents are profits that are somehow protected from competition
06:08 < jtimon> when capital yields are low
06:08 < deantrade> I wouldn't use that as the definition of "rent" normally, but for this conversation I will follow with your definition
06:08 < jtimon> ok
06:09 < deantrade> Err I would rather say "creating higher rent than a free market would have"
06:09 < jtimon>  to be more specific
06:09 < jtimon> http://en.wikipedia.org/wiki/Economic_rent
06:10 < jtimon> so what causes monetary cycles according to Gesell
06:10 < jtimon> ?
06:10 < jtimon> 1) competition drives real capital yields low
06:11 < jtimon> 2) savers start preferring to just hoard their money instead of lending at low rates
06:12 < jtimon> 3) that reduces monetary velocity, which causes price deflation, which further encourages hoarding vs lending (positive feedback loop, not sustainable for long)
06:12 < jtimon> 4) after enough capital destruction (maybe just by lack of maintenance)
06:13 < jtimon> yields go up again and investment resumes, stopping capital and employment destruction
06:13 < jtimon> how have people tried to solve this problem?
06:14 < deantrade> I'm not sure where the problem is.  You say there is "capital and employment destruction"?  How?
06:14 < deantrade> How is someone hoarding gold/money bad for anyone?
06:15 < jtimon> keynesians have confused the real problem (basic interest/liquidity premium) with the symptom (deflation)
06:15 < jtimon> lack of investment causes capital destruction and therefore employment destruction
06:15 < deantrade> If Bill Gates made a billion dollars by creating everyone computers and trading for dollars, and then buried/permanently destroyed the dollars, then everyone else but Bill Gates would have made out well.
06:16 < jtimon> when you close a factory it will start to deteriorate
06:16 < jtimon> price deflation discourages investment (assuming monetary monopoly)
06:18 < deantrade> "Price deflation discourages investment" -> only when investments are not worthwhile despite the increasing purchase power of the entity with the savings.
06:18 < jtimon> no, always
06:19 < jtimon> think of any investment example
06:19 < jtimon> let's say a factory that will yield 5% of its nominal value
06:20 < jtimon> will you invest in that factory?
06:20 < jtimon> a) with 0% price inflation
06:20 < jtimon> b) with 10% price deflation
06:21 < jtimon> with 10% price deflation you're better off keeping the "abstract wealth" money represents rather than investing in real wealth
06:21 < jtimon> keynesians have tried to "solve deflation" by replacing real savers with newly created money
06:21 < deantrade> Ok, agreed, but I'm still not seeing what the problem is.
06:22 < jtimon> the problem is capital yields should naturally tend to zero, but that's impossible with nominally everlasting money
06:22 < deantrade> If there are people who have needs, and they want to work for their goal attainments, then they will do that.  Whats to stop them?
06:23 < deantrade> "The problem is capital yields should naturally tend to zero" Should?  Do they?  And if they do, then how is this a problem?
06:23 < jtimon> the worker needs capital just like capital needs workers to operate it
06:23 < deantrade> Worker works, makes wage, then has capital.
06:23 < jtimon> money is not real capital, money is just a symbol of value
06:24 < deantrade> Money is real capital.
06:24 < deantrade> Money has market value.  Money is durable.
06:24 < jtimon> what can you build with money (without exchanging it for another thing)?
06:24 < jtimon> some monies are durable
06:25 < jtimon> beef has market value too, but it's not capital
06:25 < deantrade> I can build a pile of coins to swim in like scrooge mcduck
06:25 < jtimon> it's a consuming good
06:25 < jtimon> money is not a consuming good either
06:25 < jtimon> you can build a swimming pool with some monies
06:26 < jtimon> you can't swim on bitcoin can you?
06:26 < deantrade> ok, then I don't really care what you use as a definition of "Capital"...  and your statement "money is not real capital, money is just a symbol of value" doesn't really mean anything to me.
06:26 < warren> this is getting absurd
06:26 < warren> NMC is at $5
06:26 < deantrade> I can put bitcoin on flash drives, and swim in flash drives.
06:27 < jtimon> that's what makes money capital, really?
06:27 < jtimon> by real capital I just mean producing goods
06:27 < jtimon> money is not a producing good nor a consuming good
06:28 < jtimon> it's just an implicit agreement between their users that facilitates trade
06:28 < deantrade> Here's what I'd use instead of your word "capital": resource.  Resource for attaining goals of individual humans.  Each human has a set of resources which are under his control.  He is continually "using" them as they are under his control.
06:28 < jtimon> but my concept is far more specific
06:28 < jtimon> consuming goods and raw materials are resources too
06:29 < deantrade> By him "using" them in whatever way he desires, it helps him attain his goals.
06:29 < jtimon> work is another resource
06:29 < deantrade> Work is not a resource.
06:29 < jtimon> how not?
06:29 < deantrade> Having an employee who can do work is a potential resource.  But the work is not a resource, only the product of the work is a resource.
06:30 < jtimon> ok, then your employees are resources, whatever
06:30 < deantrade> Owning a house for example, living in the house, continually brings market value to the owner.
06:30 < jtimon> my point is that "producing goods" are a very concrete type of resource
06:31 < jtimon> a house is real capital
06:31 < jtimon> you can rent it
06:31 < deantrade> Uh, you can rent any object really.
06:32 < jtimon> well, living in a house is a consuming good, produced by the house, the producing good
06:33 < jtimon> and houses have a capital yield that comes from that
06:33 < jtimon> if interest rates are at 5%
06:34 < deantrade> And the money in your pocket is "producing" one value by giving you confidence/ability that you will be able to use it to trade at a future time for something else.
06:36 < deantrade> But lets say you can't think of anything you want in the future.  You just have needs now to fulfill.  Then you'd trade the money now, no matter the interest rate.
06:38 < deantrade> Ah well I dunno why I was arguing with him.
06:39 < jtimon> sorry, deantrade, electricity went down
06:40 < deantrade> Noproblemo
06:41 < jtimon> what's the last thing you received?
06:42 < deantrade> If savers hoard, then the market value of the money goes up.  If they stop increasing their reserves, then the market value of money stabilizes.
06:43 < deantrade> I guess I just don't see what the problem is with savers saving.
06:43 < jtimon> the problem is not with savers saving but with savers hoarding
06:44 < deantrade> k, "hoarding".  What is wrong with "hoarding"?
06:44 < jtimon> if they lend or reinvest their savings in something real like they do when interests are high there's no problem
06:45 < jtimon> you're influencing the price of money, and you're getting a free insurance against uncertainty
06:45 < jtimon> that's a positive externality inherent in "durable money" and it is paid for by others
06:46 < jtimon> what neo-keynesians do is replace savers with newly printed money
06:46 < jtimon> manipulating interest rates
06:46 < deantrade> If you have money as savings, then that means you already did work to create something real in order to attain the money.  Then if you go to spend the money, you don't create, you only exchange.
06:46 < jtimon> but that's not sustainable
00:26 < maaku> has the zerocash paper made its way around yet?
00:33 < warren> it was renamed?
00:33 < maaku> he said on twitter that's what they're calling zerocoin 2.0
00:33 < maaku> matt green
00:33 < maaku> also are there any generally known limitations of TinyRAM?
00:33 < maaku> i know there was some discussion of this a while back on -wizards, but I can't find it in my logs
00:39 < maaku> ugh there's no rotate opcode in TinyRAM...
01:34 < gmaxwell> maaku: if you want something efficient, best not to use TinyRAM. TinyRAM has the benefit of being general, but
01:36 < gmaxwell> It would be interesting to evaluate all the well studied cryptographic hashes and see which would result in the most efficient quadratic span program proofs.
01:37 < gmaxwell> sha2 is probably mixed, the additions are super cheap as QSPs but the circular rotations probably are not.
01:51 < maaku> gmaxwell: i'm looking for something general
01:52 < maaku> is there a better architecture than TinyRAM?
01:52 < gmaxwell> maaku: in any case, what tinyram is optimized for is the size of the QSP circuit that implements the tinyram validator, since thats the primary consideration in proving time and memory consumption.
01:54 < gmaxwell> they give a bunch of figures in one of their papers for compiling various programs to tinyram, the cycle overhead from its limitations isn't so bad on most of the things they characterized.
01:55 < gmaxwell> directly designing your algorithm at the circuit level will probably always produce a much more efficient (proving time wise, at least) result...
01:56 < maaku> gmaxwell: i'm curious about replacing/augmenting the bitcoin scripting language with tinyram
01:57 < gmaxwell> right, well if that were done the part inside bitcoin wouldn't be tinyram, it would just be a proof validator.
01:58 < gmaxwell> wrt replacing script with tinyram, it would probably be prudent to add to tinyram a number of opcodes like sha256 or at least sha256_round
01:59 < maaku> yes
01:59 < maaku> i found it strange how some basic opcodes were missing from tinyram, like rot, and was wondering if that was a fundamental crypto limitation, or just an oddity
02:00 < gmaxwell> what might be interesting is to add asm {} blocks to a compiler for tinyram that could just let you include a circuit description directly.
02:01 < gmaxwell> maaku: no they intentionally left things out that weren't needed to get a basically good high performance implementation and which were either redundant or required larger validation circuits.
02:01 < maaku> if i went forward on this, iwould probably look at extending tinyram to be the MIPS-I isa, plus some crypto accelerator primitives
02:01 < maaku> hrm
02:02 < maaku> ok so this is really just infrastructure anyway, right? the fundamental "machine code" is the circuit
02:02 < maaku> which tinyram compiles down to
02:04 < gmaxwell> well not quite, the way it works is that there is a circuit they've already designed which verifies transcripts of tinyram execution, which is generic and can be reused for multiple instances (important because the keys needed to prove and verify the circuit are not tiny).
02:04 < gmaxwell> (I guess that would get in the way of asm {} blocks...)
02:05 < gmaxwell> of course you could have arbitrary circuits, but thats a fair amount more data you need to communicate.
02:05 < gmaxwell> vs if everyone uses the same tinyram circuit, then your proof is just a small number of field elements and the hash of the program being run.
02:07 < gmaxwell> (the validator is really validating a statement of the form  "The signer knows a transcript with a program of hash(x) and inputs of hash(y) and unspecified private inputs, is a valid transcript of tinyram execution which returns true."
02:07 < gmaxwell> )
02:08 < gmaxwell> which is how they're able to make validation time quasi linear in the length of the program... the time it takes to hash the program and its inputs is linear, and the rest is just proportional to the security level.
02:08 < gmaxwell> (well not just quasi linear, it's linear in the length of the program plus some security dependent constant)
02:10 < gmaxwell> I think the verifying keys for tinyram are on the order of tens (hundreds?) of kilobytes... but if everything is tinyram the verifying keys are just part of the system, all bitcoin would have to send is a hash of the script being run.
02:11 < maaku> so it doesn't really matter how complex then the extended-tinyram instruction set is, so long as the verifying keys are small enough to fit in a client (no more than a few megabytes, say)
02:15 < gmaxwell> well it doesn't matter for the verifier. It may matter greatly for the prover.
02:16 < maaku> ah, right
02:16 < gmaxwell> the performance figures in the scip paper were fast enough that it was feasible but not so fast that you could go sticking in a factor of 2 and not seriously degrade the usefulness of it.
02:17 < maaku> and the performance of the prover scales with the size of the validator key not the subsets of the circuit actualy used, right?
02:19 < gmaxwell> not sure,.. well actually some parts of the prover should scale well if parts of the circuit aren't used, but there are some parts (which I think all have log() scaling which wouldn't) ... but I don't know how it would work out practically. These would be questions for Eli and team (Iddo may know). I haven't thought at all about extensions.
02:20 < gmaxwell> I think their main goal was to demonstrate feasibility for general programs. So it made sense to be pretty ruthless in what they had in tinyram.
02:27 < maaku> yes, and as an engineer I'm wondering why "feasibility for general programs"
02:28 < maaku> doesn't equate to a general-purpose ISA used in a real general-purpose computer
02:28 < maaku> of which MIPS-I is about as simple as you can find
02:28 < maaku> plus a minimal set of crypto opcode extensions, of course
02:29 < maaku> I'll look at the code first
02:29 < maaku> i really need to understand this better
02:41 < EasyAt> Hey guys, anyone know of a strange attack.  I've been doing TXs and occasionally as soon as I send I receive about .0001 from a random address
02:41 < EasyAt> It's indeterministic
02:45 < wumpus> they sometimes send dust to addresses in the block chain, it's not an "attack" as such although if you spend the dust it can be correlated to other addresses, so it may help them discover a bit more information about how addresses are related
02:45 < wumpus> you could use this to remove the dust https://github.com/petertodd/dust-b-gone/
02:47 < EasyAt> Hm, so what does me receive dust do.  All they are doing is signing an output to a pubkey of mine.  What am I actually leaking?
02:47 < EasyAt> Oooh, because when I send I'll send their dusts and they can correlate two addresses?
02:47 < wumpus> nothing, unless you spend it together with some other input
02:47 < EasyAt> s/twoo/many
02:47 < wumpus> yes
02:47 < maaku> yes, to whatever other addresses you use in the spend
02:47 < EasyAt> interesting.  Do you think it is specifically against me?
02:48 < wumpus> I don't think so
02:49 < EasyAt> Has there been any analysis on this... analysis or whatever you call this
02:50 < wumpus> but it's (among other reasons) why implementing schemes such as coinjoin is important
02:50 < EasyAt> Clever way to keep track.  I wonder if it's for transactions over a certain amount.  Maybe aligned with another currency's value
02:51 < EasyAt> wumpus: Agreed, and I sign everything with an unconnected cold, unwritable boot drive
02:51 < EasyAt> But, It is a bit worrisome.  With the jdillon thing now I am quite paranoid
02:52 < EasyAt> I wonder if he had coins taken :\
03:03 < joecool> fucking dandan sends me dust all the time
03:04 < joecool> just because he's a little wanker
03:05 < EasyAt> dust doesn't do anything, though
03:05 < EasyAt> Except leak information, apparently
03:05 < joecool> or annoy the receiver
03:06 < EasyAt> The UTXO set is static at any given point in time, correct?  At the smallest increment of time?  There is no question unless there is a current fork war(or whatever you call it)
03:11 < EasyAt> While no transaction is taking place
03:13 < phantomcircuit> EasyAt, it's those idiot researchers trying to tag wallets with small payments
03:23 < michagogo|cloud> EasyAt: given a certain blockchain, yes, the UTXO set is deterministic
03:25 < midnightmagic> EasyAt: Spam from blockchain.info too. Check out the tx in b.i and see if there's a message there. If there is, it's just spamdust. dust-b-gone removes it. Or at least helps remove it.
03:25 < midnightmagic> And likely not douchebags trying to track.
03:36 < EasyAt> I'm not trying to be paranoid, but I was reading the other day that someone noticed ~70% of their connections being filled by essentially junk nodes that didn't forward blocks or do anything.  And some of the main devs postulated that it might be a tracking or mining attack
03:36 < EasyAt> I'm curious if they could be correlated
03:38 < EasyAt> Erm, not mining blocks but an attack from some unknown mining pool
04:25 < maaku> EasyAt: these were connections from an academic institution in switzerland
04:25 < EasyAt> Kinda of intrusive. Bugs me. reminds me to send Txs through tor
04:25 < maaku> it's probably just poorly configured tracking nodes
04:26 < maaku> well i got news for you: the majority of nodes are not useful
04:26 < maaku> and it's been that way for a while
04:27 < EasyAt> Why do you say that? Don' they at least verify and forward?
04:27 < EasyAt> Or you mean most nodes are light?
04:28 < maaku> no
04:28 < maaku> most nodes are light, dns seeders, tracking nodes, who-know-what
04:28 < maaku> i shouldn't say most nodes
04:28 < maaku> most connections is what i meant
04:29 < petertodd> maaku: depends a lot on where your node is - my ec2 nodes got nearly 100% full-node connections. Supposedly this has something to do with clustering
14:55 < michagogo|cloud> But there aren't any "Received getdata for block x" lines
15:53 < gnrldsray> Anyone from/interested in Ethereum here?
16:04 < shesek> I think its a one man project by vbuterin at this stage, and he doesn't hang on IRC afaik
16:05 < shesek> it does seem interesting to me from a first look
19:07 < gnrldsray> Thanks shesek
19:50 < tacotime> hey iddo.
20:13 < Emcy> jgarzik is there anything particularly different about the latest bootstrap.dat?
20:14 < Emcy> byte offset or anything
22:20 < jgarzik> Emcy, shouldn't be
22:20 < jgarzik> Emcy, the file format receives appended data, leaving the leading 70% untouched
22:21 < jgarzik> shesek, I think Vitalik is getting some funding, though he does seem the chief designer
22:22 < Ursium> jgarzik: he's defo working with Charles Hoskinson
22:23 < Ursium> he mentioned 5 team members on reddit
22:23 < Ursium> and fundraiser is 26th Jan, ann at the bitcoin miami conference
22:23 < jgarzik> ugh
22:23 < jgarzik> CH not my favorite person in the world
22:23  * jgarzik will be in Miami
22:24 < Ursium> well that's just my view, based on the white paper and some references charles made on the forums.
22:25 < Ursium> what do you think of the idea though - turing complete , GHOST , etc?
22:27 < Emcy> jgarzik strange, my client seemed to have a problem seeing the previous torrent once the new one had finished
22:28 < Emcy> rechecking it gave 56% or something, and then rechecking the 13gb one gave incomplete even though the filesize was 13gb.
22:28 < Emcy> perhaps ill just seed the most recent and be done with it
22:28 < jgarzik> Emcy, yes, that's what you should do.  Seeding an old torrent is entirely pointless.
22:29 < Emcy> well, there were still a lot of peers on it
22:29 < Emcy> still uploading well. Good 200 on the new torrent already though so
22:30 < Emcy> I tend to drop a note in the comments about a new torrent for whom it may concern, since thats something people with linux clients cant do
22:31 < Luke-Jr> fwiw, Vitalik recently told me there are 10-20 people now
22:32 < Luke-Jr> Emcy: more like something BitTorrent doesn't support <.<
22:33 < Emcy> youre right the comments and rating system is utorrent specific
22:33 < Emcy> btdigg picks up on it though, which is nice
22:34 < Emcy> they should standardise it
23:01 < gmaxwell> Yea, I didn't respond to their inquiries because it was CH.
23:25 < tacotime_> There are at least 3-4 people hacking the github repository for ethereum right now
23:26 < tacotime_> Doing turing complete (basically turning the transactions into executable code) is both neat and kind of scary at the same time
23:31 < tacotime_> I'm debating whether or not I should go to miami or wait for the texas conference
--- Log closed Mon Jan 13 00:00:40 2014
--- Log opened Mon Jan 13 00:00:40 2014
--- Day changed Mon Jan 13 2014
00:35 < Luke-Jr> my wife and I will probably both be in Miami
01:23 < amiller> turing complete sucks as a catchphrase/soundbyte/feature
01:23 < amiller> it's a total red herring
01:23 < amiller> all sorts of interesting/expressive languages are not turing complete
01:24 < amiller> and even a turing complete language would be useless if it's not hooked up correctly to txouts and etc
01:24 < amiller> it's neither sufficient nor necessary for what anyone actually wants with a modified transaction script
01:24 < amiller> try to build a sponsored chess game, as a thought experiment
01:24 < amiller> or a poker game
01:24 < Luke-Jr> amiller: dunno, turing complete *might* make it possible to get at anything
01:24 < gmaxwell> well besides any computer with finite memory is not technically turing complete. :P
01:25 < amiller> you don't need turing complete for any of that, and also turing complete doesn't automatically make those work
01:25 < gmaxwell> Luke-Jr: but if the chess game program is so huge that you can't realistically use it... no real point.
01:25 < Luke-Jr> sure
01:25 < amiller> you could trivially make bitcoin-script turing complete by adding opeval or whatever, and it still wouldnt' solve that problem
01:25 < Luke-Jr> but I mean, to get at txout info, you *could* just confirm the transaction is part of a block etc
01:26 < amiller> that's pretty complicated, but i guess
01:26 < gmaxwell> sure and you could do that in script if substr and cat hadn't been disabled.. and without being turing complete.
01:27 < gmaxwell> and if you replaced script with, say, 8 bit AVR instructions you could do it as well, but the transaction would be so big as to be unusable.
01:29 < gmaxwell> though I looked at their codebase, and uh.. it's implementing basically bitcoin script with a bignum as the basic type with an added instruction pointer and jmp instruction. Seems like someone has never worked with forth, the result is kinda unholy looking.
05:05 < gmaxwell> petertodd: you did realize why you can't encrypt your stealth addresses, right?
05:06 < gmaxwell> petertodd: (because if you do, then someone with the candidate stealth address can test if any stealth payment on the chain is connected to that one by decrypting the nonce and testing if its a valid point)
05:09 < TD> elligator?
05:10 < gmaxwell> TD: alas for this it needs to be bitcoin compatible public key, and the elegator mapping cannot work for our curve.
05:10 < gmaxwell> (can't work for curves where the x term is 0)
05:11 < TD> you can do elligator for curve25519 however, so if we switch to supporting ed25519 signatures in future, it might become workable
05:34 < nsh> gmaxwell, is it not possible in principle to have an elligator-like mapping to uniform strings from the bitcoin curve points?
05:35 < gmaxwell> nsh: the points are enumerable so it's possible to map... an efficient one? I don't know of one for our curve.
05:35 < gmaxwell> There are other ways to make bitcoin points statistically uniform.
05:35 < nsh> hmm
05:36 < gmaxwell> E.g. take your point and randomly choose a x value between it and the prior valid point... then have the reciver do the reverse process... its just a little computationally expensive.
05:36 < nsh> do curve25519/ed25519 have extra structure that facilitates efficient mapping?
05:36 < gmaxwell> Yes.
05:36 < nsh> ok
05:37 < TD> every value is a valid point, or something like that
05:39  * nsh rereads petertodd's proposal thread
05:39 < gmaxwell> well the elegator mapping achieves that. Raw curve25519 x values are only about half valid like ours. The elegator mapping isn't totally trivial either, but its not as slow as "test points until you get a valid one"
05:40 < gmaxwell> (also the elegator mapping doesn't work for all points, just a really large number of them, so you have to generate ed25519 points with that in mind if you're going to use it, which is a little annoying)
05:40 < TD> i think it's spelled "elligator"
05:40 < TD> i remember this, because i know a cryptographer called elli
05:41 < nsh> 50% of ed25519 points don't have elligator mappings iirc
05:56 < gmaxwell> http://lightspeedindia.wordpress.com/2014/01/13/bitcoin-2014-top-10-predictions/
05:57 < gmaxwell> 7. The use of Bitcoin will evolve beyond
05:57 < gmaxwell> The underlying Bitcoin protocol makes itself applicable beyond the use cases of . The Bitcoin foundation took a huge step in allowing meta data to be included in the blockchain.
05:57 < sipa> note that they at least say "meta data" and not "data"
05:58 < gmaxwell> Fair. hah. they link to https://www.secondmarket.com/education/landing/bitcoin-ecosystem  ... someone should make a version of that without survivorship bias that includes all the companies that vanished with everyone's money. :P
05:59 < Ursium> Morning! (if you're in the UK and went to bed late like me :)) - What do you guys think of Ethereum?
08:23 < justanotheruser> What do you guys think of
08:40 < tacotime_> This question again haha
08:41 < tacotime_> Usually it boils down to "is including executable code in txs a good idea", but there are interesting things about it, it's moving quickly, and it looks to be very well funded.
10:20 < Ursium> tacotime_: but the fundraiser hasn't taken place yet
10:20 < Ursium> oh do you mean 'it will be well funded' ok .
10:21 < tacotime_> Ursium: There are 3+ devs hacking it right now, they have to be getting money to eat from somewhere I'd guess.  Plus the folks behind mastercoin seem to be involved.
10:22 < Ursium> tacotime_: source on the master coin link? (not questioning it's true, just curious as i'm following this very closely). As for money to eat vitalik is part of kryptokit and I don't believe he works for free :)
10:42 < petertodd> gmaxwell: ?
10:42 < petertodd> gmaxwell: what do you mean by "decrypting the nonce"?
11:34 < gmaxwell> petertodd: you suggested in your message that the nonce could be encrypted with H(stealth address)
12:11 < petertodd> gmaxwell: oh that, yeah, of course they can do that. The encryption only helps against someone who doesn't know the stealth address - that's why I said it's a minor protection
12:12 < petertodd> gmaxwell: The point of doing so is only as a incremental improvement so that all OP_RETURN uses looks semi-similar.
12:13 < petertodd> gmaxwell: oh, wait, I get your point... yeah, that's a problem
12:13 < petertodd> gmaxwell: right, and your thinking re: other ECC styles is just so that the decryption with an incorrect key should always lead to a valid - if not correct - pubkey
12:25 < adam3us> gmaxwell, petertodd: but wait u are saying c=H(eP)=H(dQ) and what encrypt r=R.x?   so r'=E_c(r) so that there is no key recovery on the signature.  hmm i am confused what are you encrypting and why?
12:28 < adam3us> gmaxwell, petertodd: or are u talking about this two point version with two inputs, Q=dG and Q2=d2G where Q2 is used only for screening by an untrusted party and presumably the thing is a scripthash sig so the screener cant spend?
22:20 < phantomcircuit> since at 500ms there are some people who wont be able to connect to others
22:20 < gmaxwell> phantomcircuit: with it too high you can quite seriously go hours without getting a connection up.
22:20  * BlueMatt ponders the ethicacy of running a crash-pre-0.8.4 script on the network with the goal of getting better stable-node connection
22:20 < phantomcircuit> gmaxwell, sure i remember, i am the one who originally fixed this
22:20 < BlueMatt> or maybe I should just set dnsseed to require 0.8.5
22:20 < gmaxwell> BlueMatt: it would probably partition the network right now.
22:21 < phantomcircuit> i actually was originally asking for a smaller timeout
22:21 < BlueMatt> gmaxwell: yes, thats why you start it slow
22:21 < gmaxwell> (to crash the pre 0.8.4 nodes)
22:21 < phantomcircuit> but i now disagree with myself
22:21 < BlueMatt> so no one else can partition the network by doing it
22:21 < gmaxwell> phantomcircuit: if we had multithreaded connections it would be reasonable to have one running with long timeouts while another ran with short timeouts.
22:22 < phantomcircuit> gmaxwell, we could do that right now actually
22:22 < gmaxwell> I know.
22:22 < phantomcircuit> i'll write a patch to do that after i finish everything else i have to do
22:22 < phantomcircuit> so... never
22:22 < gmaxwell> Right.
22:22  * BlueMatt sets his dnsseed to require 0.8.5
22:22 < BlueMatt> any objections?
22:23 < gmaxwell> I think there are too few nodes.
22:24 < gmaxwell> did you see how many there were? I counted before and there were only a few hundred, you're risking overloading them.
22:24 < BlueMatt> shit
22:24 < gmaxwell> and wrt partitioning the dnsseed stuff mostly controls spv nodes, but since they don't relay they don't help prevent partitioning.
22:24 < BlueMatt> we need auto-update
22:24 < gmaxwell> No we don't.
22:24 < BlueMatt> update-bugging
22:25 < gmaxwell> We made a conscious decision to not use alerts the last several releases. We could use an alert, which we did for 0.8.1
22:25 < BlueMatt> whatever, we need something to tell users "YOURE FUCKED UP HERE, UPDATE"
22:25 < gmaxwell> I'm not really happy with the quality of 0.8.5 (obviously, it's better than 0.8.1...) :(
22:25 < gmaxwell> e.g. software is still basically unusable for many OSX users.
22:26 < BlueMatt> thats largely fixed on 0.9, no?
22:26 < gmaxwell> No.
22:26 < BlueMatt> awww, well I guess I was dreaming :(
22:26 < gmaxwell> There are more fixes than in 0.8.5 but not enough apparently.
22:26 < gmaxwell> If it had been confirmed they worked I'd have backported and we could have done a 0.8.6.
22:26 < gmaxwell> But it sounds like they're not enough.
22:27 < BlueMatt> damn
22:27 < gmaxwell> We also have crash bugs reported on windows that we can't reproduce but seem to be a fair number of people.
22:27 < gmaxwell> And on some debian systems they can't sync the chain due to some signature validation issue.
22:28 < BlueMatt> soo...qa is fucked atm?
22:31 < warren> https://github.com/litecoin-project/litecoin/pull/80 <--- regarding encouraging people to upgrade
22:32 < warren> probably not a good idea, but we're doing it
22:32 < BlueMatt> ewwww
22:32 < BlueMatt> but, yea
22:33 < warren> https://github.com/litecoin-project/bitcoinomg/commits/bitcoin-omg-0.8 <---- here's the bitcoin 0.8 that I personally use
22:34 < warren> it's pretty much litecoin 0.8 without litecoin
22:56 < Luke-Jr> gmaxwell: I probably already have them backported for 0.8.6
22:59 < amiller> http://apps01.mywebapps.net/ajp/bc/g2.png
23:00 < amiller> measured connectivity of the network
23:00 < Luke-Jr> gmaxwell: I could go ahead and do a rc.. quite a few bugfixes.. not sure it's worth it as long as there's outstanding stuff though
23:02 < warren> Luke-Jr: where is your tree?
23:03 < Luke-Jr> warren: the stable tree is on gitorious.org/bitcoin/bitcoind-stable
23:03 < Luke-Jr> my personal repo is on gitorious and github separately
23:05 < warren> 404
23:07 < Luke-Jr> odd, I just saw it O.o
23:08 < Luke-Jr> weird
23:08 < Luke-Jr> there's some kind of invisible character on the end of what I pasted here
23:08 < Luke-Jr> gitorious.org/bitcoin/bitcoind-stable
23:13 < BlueMatt> amiller: fun, any theories on what those well-connected nodes or node clusters are?
23:13 < amiller> i think they're bitcoin-roulette
23:13 < amiller> i don't really know though, we're looking into that now
--- Log closed Fri Nov 01 00:00:21 2013
--- Log opened Fri Nov 01 00:00:21 2013
00:04 < warren> amiller: what are the groupings, IP address?
00:04 < amiller> no, mutual connectivity
00:07 < Luke-Jr> amiller: pools?
00:07 < Luke-Jr> how'd you make a map anyway?
00:29 < warren> <gmaxwell> e.g. software is still basically unusable for many OSX users.
00:29 < warren> gmaxwell: what makes it unusable?
00:33 < BlueMatt> leveldb instabilities
00:33 < warren> beyond the two fsync patches and leveldb 1.13?
00:34 < BlueMatt> <gmaxwell> There are more fixes than in 0.8.5 but not enough apparently.
00:34 < BlueMatt> <gmaxwell> If it had been confirmed they worked I'd have backported and we could have done a 0.8.6.
00:36 < warren> the 2nd fsync patch we confirmed wasn't enough
00:36 < warren> I have builds of both patches and leveldb 1.13 out now
00:36 < warren> no reports yet
00:36 < warren> nobody near me is able to reproduce the bug
00:36 < BlueMatt> so you're saying we should do another 0.8.X soon...
00:37 < warren> BlueMatt: only if it's confirmed to fix it, which we don't know.
00:37 < Luke-Jr> ^
00:37 < BlueMatt> warren: you just said no one has yet been able to reproduce a semi-reproducible bug with the latest patches, no?
00:37 < BlueMatt> at least that gives confidence that we should release builds to get more testing
00:38 < warren> BlueMatt: I mean nobody near me is able to reproduce the original problem, so I can't get them to test the builds that might fix it.
00:38 < Luke-Jr> BlueMatt: I think he means we don't know anyone who could ever reproduce it
00:38 < BlueMatt> (even if that just means telling people to try this alpha build)
00:38 < BlueMatt> ahh, ok
00:38 < warren> BlueMatt: I have been releasing builds
00:38 < warren> both litecoin and bitcoin users are complaining about this
00:38 < BlueMatt> for some reason I thought it was reproducible by some set of people
00:38 < Luke-Jr> BlueMatt: it is, but nobody we know
00:38 < Luke-Jr> lol
00:38 < warren> jgarzik's office mate, toffoo on github and two litecoin users who fail to respond.
00:39 < BlueMatt> Luke-Jr: well why are those people not on speed dial?
00:39 < Luke-Jr> warren: jgarzik's office mate should try it?
00:39 < warren> I have no idea who they are.
00:39 < BlueMatt> warren: ahh, well why is jgarzik not reporting back...
00:39 < warren> BlueMatt: he's quite busy lately
00:41 < Luke-Jr> .. why did someone make be32toh return a non-uint32_t type? :/
08:32 < warren> gmaxwell: BlueMatt: https://bitcointalk.org/index.php?topic=320695.msg3456344#msg3456344
08:32 < warren> includes both fsync patches and leveldb-1.13
09:28 < Luke-Jr> warren: Bitcoin OMG seems redundant?
09:28 < Luke-Jr> or I guess not since it's based on a stable release instead of git
09:36 < jgarzik> Luke-Jr, sounds a bit like bitcoin-next
09:45 < petertodd> BlueMatt: I kicked testnet-seed into submission, although it seems sipa's seeder code returns DNS results that still screw up some resolvers.
09:48 < Luke-Jr> jgarzik: well, bitcoin-next only includes ACK'd stuff; sounds like next-test, except that it's based on a stable version instead of latest git
10:18 < adam3us> seems like warren took the bitcoin fedora to bitcoin rhel/centos discussion and went for it :)
10:21 < adam3us> petertodd, gmaxwell, amiller: btw yesterday discussion about one-show signature (its a credential/ecash concept but works for ECDSA eg as : addr = H(r=kG,Q) then being only allowed to use the r in the addr)
10:23 < adam3us> petertodd, gmaxwell, amiller: with PoS, which seems like a potentially useful extra sybil defence, the miner has a PoS voting incentive to have all his balance on one coin; as that defines his PoS vote multiplier (reference to the txout), in that way single-show sig could be quite a discouragement
10:24 < adam3us> petertodd, gmaxwell, amiller: (recalling to reuse r=kG implies reusing k which reveals private key d if you sign two different messages via simultaneous equation, so users have an incentive to hunt for double-spends so they can race to cash them)
13:06 < BlueMatt> petertodd: fun...this is why mine are served off bind :)
14:10 < petertodd> BlueMatt: yeah, I'm thinking that's probably a better idea overall :(
15:03 < gmaxwell> petertodd: is it just AAAA records breaking them?
15:07 < petertodd> gmaxwell: doubt it, I've tried without AAAA and it still doesn't work
15:08 < petertodd> gmaxwell: go and complain about gavin's obvious security hole: https://github.com/bitcoin/bitcoin/pull/3185
15:08 < petertodd> (he allows anything in the reject message, even newlines! so you can fake a log entry)
15:16 < BlueMatt> petertodd: doesnt dig still complain about extra padding bytes or something?
15:17 < petertodd> BlueMatt: I haven't looked deeply, but yeah, it complains about something
15:32 < jrmithdobbs> can someone tell me what I'm missing to get this example to actually work? I'm using 7.6.3 and aeson 6.2.1: http://hackage.haskell.org/package/aeson-0.6.2.1/docs/Data-Aeson.html#g:5
15:32 < jrmithdobbs> erm wrong chan
15:32 < phantomcircuit> jrmithdobbs, yes you're using haskell
15:32 < jrmithdobbs> haskell is p awesome ;p
15:33 < phantomcircuit> petertodd, the maximum message size is 1MB
15:34 < petertodd> phantomcircuit: pretty sure it was 32MiB... 1MB would be problematic given blocks can be 1MB
15:35 < petertodd> aww... gavin fixed it :( I was going to have so much fun writing that the genesis block got re-orged into people's logs :(
15:35 < phantomcircuit> petertodd, im pretty sure it's 1MB
15:36 < petertodd> phantomcircuit: heh, how much do you want to bet?
01:14 < Diablo-D3> why does p2pool actually use a chain for shares?
01:14 < warren> gmaxwell: yeah, with some minor hacking and node cooperation you can have an edge over ordinary p2pool nodes
01:14 <@gmaxwell> because there needs to be a consensus on which users should be paid.
01:14 < Diablo-D3> yeah, but shares are like tx in  bitcoin
01:14 < warren> Diablo-D3: the share chain is a difficult to fake way of distributing the payouts to be generated on a random bitcoind elsewhere.
01:15 <@gmaxwell> no, they're not. to create a share you have to agree with all the other p2pool nodes what the shares before that one were.
01:15 < Diablo-D3> hrm
01:15 <@gmaxwell> (so they agree you're paying the right amount)
01:15 < Diablo-D3> gmaxwell: so how can we have multiple heads on the chain?
01:15 <@gmaxwell> Now the sharechain doesn't have to be linear.
01:15 <@gmaxwell> Diablo-D3: same way you can have multiple forks in bitcoin
01:15 <@gmaxwell> but they're more likely due to the fast time between shares.
01:15 < Diablo-D3> yeah but bitcoin only recognizes one fork
01:15 <@gmaxwell> Diablo-D3: well bitcoin sees more than one fork... it just doesn't tell you about it.
01:16 <@gmaxwell> p2pool does.
01:16 <@gmaxwell> but it only extends one fork.
01:16 < Diablo-D3> well wait
01:16 < warren> Another issue that we see with lots of small p2pool users is quasi-dust payouts.
01:16 < Diablo-D3> what stops me from putting my shares on multiple forks
01:16 < Diablo-D3> warren: thats an issue with pool mining in general
01:16 <@gmaxwell> warren: thats a litecoin specific problem mostly- the minimum payout size was an intentional parameter of the system
01:16 < warren> Diablo-D3: most pools can optimize that by setting a higher withdrawal threshold
01:17 <@gmaxwell> p2pool payouts can't go smaller than one share per miner...
01:17 < Diablo-D3> warren: yeah, but then you have to hope the pool owner doesnt fuck people
01:17 <@gmaxwell> warren: basically no pools except eligius do the forced thresholding thing, dumb.. but ::shrugs::
01:18 <@gmaxwell> warren: basically the reason the number of shares in the sharechain is what it is .. is partially to control the size of the smallest payouts.
01:18 < warren> understood
01:18 <@gmaxwell> maybe forrest picked bad parameters, but it is controlled.
01:18 < Diablo-D3> gmaxwell: so what stops me from putting my shares on multiple chain heads?
01:19 < warren> It seems appropriate for BTC, (although the block expected time being close to 24 hour scares people now)
01:19 <@gmaxwell> down side is there is a variance tradeoff, but thats also true for other pools.. if you can only get paid X often that similar to mining with higher variance.
01:19 <@gmaxwell> Diablo-D3: because your share commits to its prior share, same as bitcoin.
01:19 < Diablo-D3> gmaxwell: how exactly?
01:19 < Diablo-D3> a garbage tx in the block's tx list?
01:19 <@gmaxwell> Diablo-D3: the funny p2pool output is effectively the hash of the prior share in the chain you're extending.
01:20 <@gmaxwell> yes.
01:20 < warren> gmaxwell: the folks who are on the losing side of efficiency are psychologically scared away from p2pool, especially when they can get stuck there for a long time.  That can be improved a bit by adding a little randomness to peer connections.
01:20 <@gmaxwell> warren: dunno about that, it's unclear to me what is causing that.
01:20 < Diablo-D3> hrm
01:20 < warren> gmaxwell: I've been on both sides of that, it felt great on the winning side. =)
01:20 < Diablo-D3> gmaxwell: I need to look into how p2pool works
01:21 < Diablo-D3> maybe it can be efficiently rewritten
01:21 <@gmaxwell> but I also have not seen many people remark on that. I don't think they understand that stale!=payout and efficiency==payout since thats opposite normal pool parlance.
01:21 < warren> needs different names.
01:21 < Diablo-D3> gmaxwell: well, efficiency should really be based on actual network efficiency
01:22 < Diablo-D3> like, count the dead heads as already known inefficiency
01:22 <@gmaxwell> "Charm" and "Beauty"
01:22 < warren> jgarzik: btw, conman says the Avalon hardware design is such that 1.4 seconds is the minimum work return latency.  Do you know if this is true?
01:22 < jgarzik> <shrug>
01:22 < warren> jgarzik: if true, that's why your reject rate would be high on p2pool.
01:22 < Diablo-D3> gmaxwell: beauty is not a quark flavor
01:23 < Diablo-D3> charm, strange, top, bottom
01:23 <@gmaxwell> Diablo-D3: right, its a p2pool stat.
01:24 < Diablo-D3> and then strawberry
01:24 < jgarzik> warren: p2pool also saw a metric _ton_ of duplicates, absent a manual change to increase the difficulty
01:24 < warren> New names and better docs would help.  It also needs to break the temporary efficiency collusion that scares new users away.
01:24 < warren> jgarzik: the /<bignumber> change?
01:24 < Diablo-D3> gmaxwell: how is p2pool building blocks with bullshit tx?
01:24 < warren> jgarzik: part of that might be its broken difficulty handling.  it is broken in different ways in stratum and getwork.
01:26 < warren> If we want p2pool to succeed, it needs a few key improvements to keep people from quitting in frustration like they do now.
01:26 < Diablo-D3> well
01:26 < Diablo-D3> a rewrite in C would be nice
01:26 < Diablo-D3> I should look into that
01:26  * jgarzik would prefer p2pool
01:26 < jgarzik> if it worked
01:26 <@gmaxwell> warren: 1 BTC bet says that there is no brokenness in p2pool getwork difficulty handling and that you're full of it
01:27 < Diablo-D3> I agree with gmaxwell
01:27 < Diablo-D3> jgarzik: you still have me on ignore?
01:27 <@gmaxwell> jgarzik: it's probably not going to work until someone who gives a shit about it is hacking on miner software for it.
01:28 <@gmaxwell> Conman only cares if someone pays him.
01:28 <@gmaxwell> or trolls him
01:28 < warren> The difference between stratum/getwork might be a scrypt-only problem.  There is the separate problem where it fails to tell the miner the correct pseudoshare target and is correlated with tracebacks.
01:28 < warren> I am uncertain if the "fails to tell the miner the correct pseudoshare target" is causing the tracebacks.
01:28 < jgarzik> Diablo-D3: what happens if I say no? :)
01:29 < Diablo-D3> then.. I
01:29 < jgarzik> hehe
01:29 < Diablo-D3> jgarzik: I was going to say, if p2pool was written in C it might be small enough to run on the avalon
01:29 <@gmaxwell> warren: did forrest reenable the non-constant targets?
01:29 < warren> gmaxwell: not sure
01:30 < jgarzik> Diablo-D3: true...
01:30 <@gmaxwell> Diablo-D3: not likely.. the sharechain management uses a lot of memory somewhat fundamentally. (well, a lot for the hardware in avalon)
01:30 < warren> Diablo-D3: gmaxwell: do you see any "hash > target" errors in your log?
01:30 < Diablo-D3> warren: lemme look
01:30 < Diablo-D3> gmaxwell: still, it'd be faster than pythonese
01:30 < warren> Diablo-D3: p2pool BTC would regularly use > 500MB RAM here.
01:30 < jgarzik> more than 32MB?  hrm
01:30 < jgarzik> warren: in python sure ;p
01:31 <@gmaxwell> arguably people trying to run p2pool nodes and bitcoin nodes on hardware like that is somewhat of a moral hazard. It creates an installed base invested in severely and unreasonably underpowered hardware who would resist sane improvements to the network that increase resource consumption.
01:31 < Diablo-D3> warren: thats because forrest is caching decoded shit
01:31 < Diablo-D3> and he shouldnt be
01:31 < Diablo-D3> he should switch to a faster language
01:31 < warren> decoded shit?
01:31 < warren> is what?
01:31 < Diablo-D3> p2pool sharechain tx related stuff
01:31 <@gmaxwell> well perhaps not more than 32 MB (go go generational GC) but IIRC thats _all_ the avalon has, 32mb.
01:31 < Diablo-D3> gmaxwell: but yeah
01:31 < Diablo-D3> 32 is too little
01:31 < Diablo-D3> 64 might be too little
01:31 < Diablo-D3> and you'd still need an external bitcoind
01:32 < Diablo-D3> because that sure as hell aint fitting on there
01:32 <@gmaxwell> warren: right out the door with no leaking python's gc method pretty much instantly results in 2x memory usage.
01:32 < Diablo-D3> but still, a fast sane C p2pool might be nice
01:32 < warren> gmaxwell: it seems we still have some kind of peer connection related twisted leakage
01:33 < warren> Diablo-D3: if it happens, I'd like to work on the peer selection code, I already been experimenting with that a lot in p2pool.
01:33 < Diablo-D3> warren: the literal phrase "hash > target" is not in my log
01:33 < warren> Diablo-D3: it's pretty rare for BTC, not sure why.
01:33 < warren> Diablo-D3: no tracebacks about "JSON" anywhere?
01:34 < Diablo-D3> there might be tracebacks, but thats because I should just quit merged mining
01:34 < Diablo-D3> it doesnt like merged mining with p2pool for some reason
01:34 < Diablo-D3> er
01:34 < Diablo-D3> with devcoin I mean
01:34 <@gmaxwell> thats due to devcoin not responding, god knows why
01:35 < Diablo-D3> is namecoin dead now?
01:35 < warren> Diablo-D3: it seems that way, but somehow its exchange value is up 3x
01:35 <@gmaxwell> "it's only /mostly/ dead"
01:36 < Diablo-D3> I still have not managed to solo mine a block on that yet in months
01:36 <@gmaxwell> fwiw:
01:36 <@gmaxwell> 22:36 < xiangfu> gmaxwell: we can configure it to <1 second. but we may lose some nonce. but I never test < 1 second.
01:37 < warren> interesting
01:37 <@gmaxwell> Diablo-D3: any idea what the latency of responding to a longpoll a typical gpu is at high intensity?
01:38 < Diablo-D3> gmaxwell: depends
01:38 < Diablo-D3> in DM I can do -f 1
01:38 < Diablo-D3> and its 1 second
01:38 < Diablo-D3> -f 1 is also an insane waste
01:38 < warren> Funny thing about that.  On high intensity here with identical configs, I have 5% DOA in Linux and ~1% in Windows.  Fiddled with it a lot.  Can't get Linux to do better.
01:38 < Diablo-D3> you turn -f up (using divisors of 60) until you get full speed
18:51 < gmaxwell> If not for the need to have a fast database as part of the validation logic I'd argue that you could do a lot about extracting all the validation logic into some code which could simply be used (and machine translated to other languages even).
18:51 < jgarzik> code -- organized like a book for easy reading
18:51 < gmaxwell> Right. What matters is the behavior. Any spec accurate enough to be complete should be _technically_ executable, though we may lack a compiler for it if the choice of language is poor (e.g. english)
18:52 < gmaxwell> (of course any complete spec in english wouldn't really be in english, it would be in some domain specific english which has formally defined out the ambiguity.)
18:53 < HM3> lolcat
18:54 < gmaxwell> E.g. if not for the database, I'd totally be tempted to say "here is your spec, it's in literate C with ACSL annotations for proving correctness. If you want a python node, you compile the code to mips assembly and use a tiny MIPS emulator to run the spec" :P  but this becomes lame the larger the normative part is.
18:54 < sipa> can i hazh block?
18:54 < gmaxwell> HM3: https://en.wikipedia.org/wiki/LOLCODE
18:54 < HM3> lol
18:54 < sipa> kthxbye
18:55 < HM3> the lolcode logo is a block shaped cat
18:55 < HM3> it's an omen i tell you
18:56 < HM3> and CATena is italian for chain
19:10 < HM3> I'm on the hunt for a new personal project
19:12 < HM3> all out of ideas though, it's a time of year thing i think
19:38 < gmaxwell> petertodd: fwiw, https://bitcointalk.org/index.php?topic=310323.msg3332919
19:43 < jgarzik> two coins I would actually like to see:  theorycoin, and notarycoin
19:43 < jgarzik> the former for "what bitcoin would be, if written from scratch" and the latter being a smart property / data timestamping chain
19:44 < jgarzik> if the latter were merge-mined and commonly used, could take some pressure off main chain data timestamping
19:49 < sipa> theorysipacoin: merkleized abstract syntax tree script, script+txid-indexed utxo set as state, transaction destinations specified as H(script) while in-chain H(H(script)), no malleability in signatures, pubkey recovery for small inputs, payment-protocol only (p2p is just for broadcasting to miners), txouts state the size/cpu limitations of the script that will spend them, tx fees go into a to-be-mined pool which is only partially paid out in...
19:49 < sipa> each block
19:50 < HM3> i'd add a better name to that list
19:50 < HM3> :P
19:50 < sipa> (none of these are original ideas, btw)
20:10 < gmaxwell> I was joking that it should be called scamcoin in order to discourage use. But then someone went and created an altcoin called scamcoin.
20:10 < gmaxwell> And people are using it.
20:10 < gmaxwell> So... Well. I'm worthless apparently. :P
20:13 < HM3> hobocoin
20:21 < warren> did they buy scamcoin.org?
20:22 < gmaxwell> hell if I know? Do you think they could buy it with scamcoins?
20:23 < HM3> namecoins :P
20:26 < jgarzik> outflank them.  get scamcoin.us, scamcoin.eu, scamcoin.asia, scamcoin.africa, ...
20:26 < warren> yeah, because if you bought all *coin*.* domains, that'll stop future clones.
20:27 < gmaxwell> "our scamcoin 1000x more scam. Using only pure unadulterated conjectural cryptography!"
20:27 < warren> nevermind the coins that exist only as forum threads.
20:27 < warren> the client download is stored in 5,000 avatars uploaded to bitcointalk
20:28 < warren> they are unable to upgrade their client now due to the bitcointalk lockdown
20:28 < HM3> .io are where all the cool people are these days
20:28 < sipa> .io?
20:28 < warren> EIE.io was sadly taken.
20:28 < HM3> http://techslides.com/io-domains-in-alexa-top-1-million/
20:54 < warren> jgarzik: how did you learn about the china visa thing?
20:59 < amiller> gmaxwell,
20:59 < amiller> on your storage hard scheme
20:59 < amiller> isn't it roughly the same as fabien coelho's nearly-constant verification merkle tree?
20:59 < amiller> the premise of that is that you generate all the leaves of a merkle tree
20:59 < amiller> then the root
21:00 < amiller> then you use the hash of the root as an index to select a particular index
21:00 < amiller> your proof is the branch from the root to a few of the leaves
21:00 < amiller> the only difference is that you're recommending using predefined data at each leaf rather than some prf
21:00 < amiller> and the way you've described it there's interaction (which is fine)
21:01 < amiller> rather than noninteractively using the root hash to choose the branch to query
21:01 < gmaxwell> The goal isn't achieved without interaction.
21:01 < amiller> i'm not sure why not but it's orthogonal in any case
21:01 < gmaxwell> You could indeed use fiat-shamir to make a kind of non-interactive proof out of it, but thats really orthogonal.
21:02 < gmaxwell> (and the non-interactive portion really would not be useful. Since you could just perform it once and then delete the data, and then again and again and have 100,000 connections)
21:05 < amiller> i really like the idea overall
21:05 < amiller> the use of pow for exactly this purpose (preventing connection DoS) is known as client puzzles and is one of the most common proposed uses for pow but no one actually has used it (other than captcha, arguably)
21:05 < gmaxwell> Do you see what I'm saying here about not being able to make it non-interactive?  We want a proof of "integral storage" e.g. not storage for a moment, but for the whole time you're connected.
21:06 < amiller> well yeah so the recipient periodically has to interact no matter what
21:06 < gmaxwell> e.g. you use a finite resource (storage) but only so long as you're connected, and then you get it back.
21:06 < amiller> it's about preventing precomputing basically
21:06 < gmaxwell> yea, but thats really cheap.. one disk lookup periodically.
21:06 < amiller> or you could use the blockchain
21:07 < amiller> make each challenge depend on the newest blocks
21:07 < gmaxwell> You could do partial non-interactive by basically doing a kind of signature of knowledge using it.
21:07 < gmaxwell> Right, or just any message you send.
21:07 < amiller> sure
21:07 < amiller> we agree here
21:07 < gmaxwell> You send a message H(message) that tells you the challenge.
21:07 < gmaxwell> and it proves you have this big table sitting around just for that peer, and you're not multiplexing a zillion peers.
21:07 < amiller> i really think there's a deep solution using PoW to basically replace IP based routing even
21:08 < gmaxwell> I think this idea is really simple and easily implemented too, I have no idea why it took me so long to come up with it.
21:09 < amiller> how do you tune it
21:12 < gmaxwell> well, I think it likely has a pretty wide range of acceptable parameters. e.g. I don't think 1GB is that burdensome even on a smartphone (new ones now have 32 gb storage, I think?) and yet 1TB connect to 1000 peers sounds like a ton. even  1TB for 8192 peers (128MBytes per connection) sounds like a fairly effective deterrent.
21:12 < gmaxwell> An obvious way is to just keep the N most costly POSs subject to some threshold, and just tell peers how much storage they need in order to make the cut.
21:13 < HM3> my phone has 8 GB of space, my laptop has 8 TB connected to it right now
21:13 < HM3> 1 GB on the phone is not cool
21:13 < gmaxwell> HM3: add a microsd card.
21:13 < HM3> no slot damnit
21:14 < gmaxwell> well, in any case, As I said, "new ones".  I think the parameters generally work out okay. You could certainly do 128MBytes, right?
21:14 < HM3> i guess
21:15 < HM3> is this a proof to ensure people are using fullnodes?
21:15 < HM3> tx history
21:15 < gmaxwell> No.
21:16 < gmaxwell> It's not. Go read the post. Its to make it harder for an attacker to be able to DOS the whole network as soon as they're able to DOS just one node.
21:19 < gmaxwell> sipa: http://bitcoin.sipa.be/speed-lin-2k.png  < ready to rerange your charts again? :P
21:20 < HM3> "ifficulty"
21:21 < gmaxwell> amiller: I can't really think of an application for the fully non-interactive version of this.. like "I had a bunch of storage once" seems kinda odd. :P
21:26 < HM3> 2 petahash/s
21:55 < jgarzik> warren, US State Dept website
22:35 < nanotube> what's the china visa thing?
22:35 < nanotube> gmaxwell: wouldn't the server also have to store the entire 1gb, for each of the clients it's using the PoS scheme for?
22:37 < HM3> damn Lamport invented Paxos as well
22:42 < gmaxwell> nanotube: nope.
22:42 < gmaxwell> nanotube: the function allows efficient random access by index, but not by vale.
22:42 < gmaxwell> er value.
22:44 < jgarzik> nanotube, longtime desire to visit China
22:44 < jgarzik> nanotube, been studying Mandarin off and on for a couple years, studying its history for longer
22:44 < gmaxwell> e.g. say the tree is 32 levels high (so 4 billion outputs, or maybe 50Gbytes). The server picks index 0 to challenge the client to provide. It then just has to compute 32 hash operations (H() take left H() take left H() take left...) and then it knows the value at index 0.  Then it asks the client to provide the index for that value.
22:45 < nanotube> jgarzik: ah cool. hf! i was in china for a week once, in shanghai. still don't speak a lick of chinese.
22:45 < jgarzik> nanotube, hoping to catch a meetup in Hong Kong or mainland, or even better, flash the "core dev" badge and get invited to a speaking event somewhere in PRC
22:45 < nanotube> gmaxwell: aaah i see. it asks for index by value, not value by index.
22:45 < gmaxwell> so because of the tree structure H() is efficient without storage in one direction.. but running it backwards requires storage to be efficient.
22:45 < gmaxwell> nanotube: yup.
22:46 < nanotube> in that case... carry on. :)
22:46 < gmaxwell> nanotube: well, I still dunno that anyone would want to use it! but I now haz a construct.
22:46  * nanotube missed that part in reading your post >_<
22:47 < HM3> gmaxwell, clever
14:43 < jtimon> gmaxwell: hehe, I doubt the #python nice people will config qtile for me
14:43 < andytoshi> michagogo|cloud: oh, right, i forgot the server needed to support it
14:44 < andytoshi> one moment, i'll put it up..
14:44 < michagogo|cloud> andytoshi: There doesn't seem to be a %appdata%/cjclient
14:44 < gmaxwell> "Classified. Classified, classified classified classified classified classified classified. Classified classified classified classified. Classified classified classified, classified classified classified classified; Classified.
14:44 < gmaxwell> "
14:44 < jtimon> funny video introducing qtile http://www.youtube.com/watch?v=r_8om4dsEmw
14:44 < nsh> gmaxwell, something like that aye
14:45 < andytoshi> michagogo|cloud: is it listing your coins correctly?
14:45 < gmaxwell> jtimon: this is why you have to use xmonad. The programmers in other languages have actual applications for their skills. Whereas with haskell the only thing they have to do is configure xmonad for people.
14:45 < michagogo|cloud> andytoshi: I don't have a mainnet client open yet
14:45 < andytoshi> oh, my cjclient/ dir is using  c:/users/apoelstra/Local Settings/Application Data/cjclient
14:45 < michagogo|cloud> Ah, looks like the copy finished
14:45 < michagogo|cloud> one moment
14:45 < andytoshi> i don't think that Local Settings/ should be there
14:45 < jtimon> gmaxwell: loool
14:45 < michagogo|cloud> andytoshi: XP?
14:46 < andytoshi> michagogo|cloud: wine
14:46 < michagogo|cloud> WineXP?
14:46 < andytoshi> uh, i dunno
14:46 < michagogo|cloud> Or even earlier?
14:46 < andytoshi> yeah, winecfg says XP
14:46 < michagogo|cloud> I know Wine lets you choose which version of Windows to pretend to be
14:46 < michagogo|cloud> And I know that Application\ Data is pre-Vista
14:47 < andytoshi> ok, i'll figure out the glib function to get %APPDATA%..
14:47 < andytoshi> bitcoin is in %APPDATA%/Bitcoin yes?
14:47 < michagogo|cloud> Indeed
14:47 < michagogo|cloud> (C:\Users\Micha\AppData\Roaming)
14:49 < michagogo|cloud> ;;blocks
14:49 < gribble> 280495
14:50 < michagogo|cloud> andytoshi: oh, btw, it's not showing my coins
14:50 < andytoshi> michagogo|cloud: yeah, it's looking for Bitcoin/ in the wrong place
14:50 < michagogo|cloud> Ah, I see
14:50 < michagogo|cloud> https://www.irccloud.com/pastebin/u9B6Gp0X
14:51 < michagogo|cloud> andytoshi: Ah, I see. Specifically, it's using %localappdata%
14:51 < michagogo|cloud> I guess it doesn't plant its folder unless it manages to find Bitcoin/?
14:52 < andytoshi> michagogo|cloud: it doesn't plant its folder unless something changes, yeah
14:55 < jgarzik> adam3us, gmaxwell: current bootstrap.dat @ block 279,000 is 14222116865 bytes
14:57 < michagogo|cloud> Hmm, I wonder how hard it would be to change linearize.py to allow it to be given an existing bootstrap.dat and have it detect the latest block in there
14:57 < jtimon> maaku, what were you thinking on getting from factor to add to joy ?
14:57 < sipa> ;;blocks
14:57 < gribble> 280495
14:58 < michagogo|cloud> (so you can point it at an older bootstrap, and say "bring this up to 279,000")
14:58 < michagogo|cloud> Oh, wait, this is the wrong channel :S
14:58 < jtimon> or nothing concrete?
14:59 < jtimon> I'm thinking that joy should be easy to merklize, no?
15:08 < andytoshi> michagogo|cloud: ok, i have refreshed the windows download to use %APPDATA% properly (and fixed the keep-on-top thing)
15:11 < michagogo|cloud> Hey, there're my coins
15:11 < andytoshi> :D
15:12 < michagogo|cloud> andytoshi: Wait, so all this does is shuffle your coins around in your wallet?
15:12 < andytoshi> michagogo|cloud: yeah, it doesn't do spends right now
15:12 < andytoshi> i'm not sure how best to UI that
15:12 < michagogo|cloud> Imitate the Bitcoin-Qt UI?
15:13 < michagogo|cloud> andytoshi: Not working
15:13 < michagogo|cloud> Syncing with joiner, session ID unknown
15:13 < michagogo|cloud> Join server: error setting certificate verify locations:
15:13 < michagogo|cloud>   CAfile: /usr/i686-w64-mingw32/sys-root/mingw/etc/pki/tls/certs/ca-bundle.crt
15:13 < michagogo|cloud>   CApath: none
15:13 < andytoshi> weeird
15:13 < andytoshi> what if you delete the libcurl DLL?
15:14 < michagogo|cloud> The program can't start because libcurl-4.dll is missing from your computer. Try reinstalling the program to fix this problem.
15:15 < andytoshi> <.< ok, i'll look into this
15:15 < andytoshi> thx
15:15 < michagogo|cloud> np
15:34 < andytoshi> michagogo|cloud: ok, i have stolen some DLLs from msysgit, can you try redownloading?
15:35  * michagogo|cloud scrolls up a bunch
15:44  * michagogo|cloud slaps explorer.exe around a bit with a large trout
15:45  * sipa suggests installing an operating system
15:45 < michagogo|cloud> sipa: Hmm?
15:46 < sipa> nevermind, silly joke :)
15:47 < andytoshi> sipa: lol, be thankful that somebody on this channel has a normal system to test with
15:47 < michagogo|cloud> andytoshi: You messed up again
15:47 < andytoshi> michagogo|cloud: what now?
15:47 < michagogo|cloud> Same message as when I renamed libcurl
15:47 < michagogo|cloud> Except that it's complaining about libcrypto.dll being missing
15:47 < sipa> andytoshi: true that
15:47 < andytoshi> michagogo|cloud: oops :} i forgot to put that one in the zip
15:48 < michagogo|cloud> (and it is, indeed, missing)
15:48 < andytoshi> ..no i didn't .. it disappeared
15:49 < andytoshi> michagogo|cloud: sorry about that, fixed, can you redownload?
15:50  * michagogo|cloud puts http://download.wpsoftware.net/bitcoin/cj-windows.zip at the bottom of the buffer
15:50 < nsh> could you statically link these libs, andytoshi?
15:51 < maaku> michagogo|cloud: not hard i would think, just scan backwards to find the last block
15:51 < andytoshi> nsh: probably, but i'd have the same problems as i do with bundling DLLs, plus the usual problems (no upgradability, etc) of static linking, plus potentially bad linking issues
15:52 < michagogo|cloud> ;;cjs
15:52 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
15:52  * nsh nods
15:52 < michagogo|cloud> andytoshi: nope
15:52 < michagogo|cloud> Syncing with joiner, session ID unknown
15:52 < michagogo|cloud> Join server: SSL certificate problem, verify that the CA cert is OK. Details:
15:52 < michagogo|cloud> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
15:54 < maaku> jtimon: nothing concrete - just pointing out that Joy is a pure, simple academic language
15:54 < maaku> which is very good for a consensus system
15:55 < maaku> but in my experience, there is usually a handful of select hacks which offend purists but greatly simplify real world usage
15:55 < maaku> and Factor is a practical language of the Forth tradition, so we should look at that to see if there's anything to borrow
15:55 < michagogo|cloud> andytoshi: I g2g to sleep now
15:55 < nsh> maaku, any good examples of Joy in use? (that i might find accessible)
15:55 < michagogo|cloud> (or at least to bed...)
15:55 < andytoshi> michagogo|cloud: ok, thanks for testing
15:55 < michagogo|cloud> Good luck.
15:56 < nsh> 'night
15:56 < maaku> and yes, Joy - or any concatenative language - should be trivial to Merklize
15:56 < michagogo|cloud> I may be able to test more of future days
15:56 < michagogo|cloud> on*
15:59 < maaku> nsh: any kind of covenant
16:00 < maaku> e.g. i issue MarkBTC which is an IOU with 1% interest, but attach a covenant allowing me to buy it back at any time for principal + interest
16:01 < petertodd> http://www.reddit.com/r/Bitcoin/comments/1v7ayg/revolution_in_bitcoin_privacy_stealth_addresses/ <- getting good feedback on stealth addrs on reddit
16:05  * nsh nods, opens tabs
16:06 < maaku> more generally, my musing on this started from trying to Etherium within the context of just changing bitcoin's scripting system
16:08 < nsh> to <verb?> Etherium?
16:10 < maaku> heh, to do what is trying to be done with Etherium within a (minimally extended) bitcoin
16:11 < maaku> e.g. turing-complete financial contracts
16:11 < maaku> coin covenants, etc.
16:12 < maaku> for example, with a couple of script extensions and re-enabled opcodes, petertodd could make mastercoin fully validating and spv-safe
16:12 < maaku> (using covenants)
16:13 < nsh> interesting
16:13 < nsh> any notes or discussion online?
16:14 < maaku> this is an idea only 12 hours old :P
16:15 < nsh> ah, cool :)
16:15 < gmaxwell> maaku: at least you won't end up in the sad situation of having created a stack based language without roll or rotate.
16:15 < petertodd> maaku: actually months old - I proposed it for fidelity bonded bank stuff ages ago
16:15 < maaku> gmaxwell: :\
16:16 < maaku> petertodd: yeah i figured you'd been working on this, based on our conversation
16:16 < maaku> petertodd: did that involve quines? I thought that part was new
16:17 < petertodd> maaku: nah, it needed quines too, and actually credit may go to gmaxwell come to think of it - I'd have to check my IRC logs
16:17 < maaku> ah i'll go read those threads then
16:17 < nsh> ooo quines
16:17 < maaku> nsh: that's how the covenant works
16:17 < nsh> oh, fascinating
16:18 < petertodd> maaku: I *think* most of it was private conversation actually - wizards didn't exist back then
16:18 < nsh> can you(s) elaborate?
16:18 < petertodd> maaku: (this was almost a year ago now)
16:18 < gmaxwell> Yea, well, my 'invention' in the covenant thread is that you could produce a quine SNARK transaction, which is slightly surprising since you don't know the validation key for a snark until you've finished the circuit.
16:18 < maaku> mandate (some of) the outputs to have the same conditionals
16:18 < gmaxwell> Without the snark there are dumb ways to accomplish it.
16:19 < gmaxwell> With the snark it sounds impossible if you don't think about it from the right perspective.
16:19 < nsh> hmm
16:19 < maaku> /dumb/boring/
23:42 < cfields> could be because it was a 32bit image
23:43 < cfields> it hit about 3.4 gits and was 100% full
23:43 < cfields> *gigs
23:46 < maaku> Luke-Jr: you can use cgroups to set limits on lxc boxen
23:47 < Luke-Jr> sure, I just didn't see why gitian would do that
23:48 < cfields> no matter, i just split qt out
--- Log closed Sat Nov 23 00:00:01 2013
--- Log opened Sat Nov 23 00:00:01 2013
00:32 < Luke-Jr> nOgAnOo: stop trolling and maybe you won't get banned
00:32 < Luke-Jr> I'm pretty sure that was the 2nd time (at least) you started talking nonsense about centralised IPs
00:33 < Luke-Jr> nope
00:33 < Luke-Jr> the only thing centralised in Bitcoin today is 1) full node code development, and 2) mining pools
00:33 < Luke-Jr> by deciding to download a new version and installing it
00:34 < Luke-Jr> nOgAnOo: feel free to help improve the quality and adoption of other full nodes
00:37 < Luke-Jr> this is all off-topic here
00:39 < Luke-Jr> nOgAnOo: unbanned in #bitcoin, just don't do that again..
00:42 < amiller> ripple will be the next world currency
00:42 < amiller> once the people who actually run "ripple" finish fucking it all up
00:43 < amiller> credit networks are the right economic model
01:56 < maaku> haha
01:56 < maaku> amiller: we're continuing the dream
01:56 < maaku> it just won't be called Ripple(tm)
01:57 < maaku> which sucks, because that was a great name
02:07 < petertodd> maaku: wave
02:13 < petertodd> maaku: "surf the wave", "ten times more rad", "a fresh new breeze in payment something or anothers"
02:14 < maaku> hmm that's not bad
02:14 < petertodd> lol, I know, scary...
02:15 < petertodd> my other ideas were "Epidemic" and "Highly Infectious Crypto-Currency Disease"
02:20 < wumpus> did this suddenly become #bitcoin-religion ? :p
02:21 < Luke-Jr> no, and that's #eligius
02:21 < Luke-Jr> <.<
02:21 < petertodd> lol
02:21 < wumpus> hehe
02:21 < wumpus> so if people get banned in #bitcoin they go off to see the wizards here, interesting
02:21  * petertodd is gonna start a pool that puts quotes from Richard Dawkins in the coinbase.
02:22 < Luke-Jr> I coulda sworn I'd written a ucs2_to_utf8 function.. where did it go? :<
02:22  * Luke-Jr puts petertodd on Eligius's quote-setting banlist
02:22 < petertodd> ooh, I can set quotes? nice!
02:22 < Luke-Jr> (which is now length==1)
02:23 < Luke-Jr> actually, I guess I can't stop you if you use GBT XD
02:23 < petertodd> heh
02:23 < petertodd> oh, so with GBT can I mine blocks that contain rick-rolls...
02:24 < gmaxwell> dear lord, not freeking dawkins.
02:25 < Luke-Jr> petertodd: -.-
02:25 < wumpus> people will be studying the block chain in 1000 years as an eh curious cultural artifact, more like wtf were people thinking
02:25 < warren> wumpus: SD loss return spam might be worth something then.
02:26 < petertodd> ha
02:27 < petertodd> latest non-std tx was "Knowledge itself is power." - pff
02:27 < wumpus> warren: maybe they'll abscribe the completely irrational gambling to some weird pagan ritual
02:28 < warren> wumpus: I dunno, technology advances but human nature doesn't change.
02:28 < gmaxwell> "apparent rituals we do not understand"
02:28 < petertodd> wumpus: "Here we see an intriguing example of ritual sacrifice among our math-worshipping..."
02:28 < gmaxwell> warren: who says the observers are human?
02:28 < warren> hahhaah
02:29 < gmaxwell> Indeed "ritual sacrifice"!
02:29 < petertodd> gmaxwell: makes sense - who really thought the bets were human...
02:34 < petertodd> gmaxwell: b7f58538f198c35e313fd173e1c3f89b2f6bedeb671c1292a7fec909498e897b
13:07 < michagogo|cloud> 09:23:07 <Luke-Jr> actually, I guess I can't stop you if you use GBT XD
13:07 < michagogo|cloud> Well, can't you refuse to acknowledge quotes that you don't provide as valid shares?
13:08 < michagogo|cloud> ;;later tell cfields If you need gitian testing, let me know -- I've got a raring VM set up with gitian and LXC that I'd be happy to use to help out
13:08 < michagogo|cloud> oh, no gribble
13:08  * michagogo|cloud prepends /msg gribble
15:29 < amiller> jgarzik, you want to weigh in on if ebfull has satisfied the requirements for the bounty you posted?
15:29 < amiller> https://bitcointalk.org/index.php?topic=326559.0
18:15 < Luke-Jr> michagogo|cloud: you *could*, but GBT wouldn't be usable for ASICs with that limitation
22:17 < cfields> michagogo|cloud: thanks, but i got it with precise
--- Log closed Sun Nov 24 00:00:03 2013
--- Log opened Sun Nov 24 00:00:03 2013
03:20 < michagogo|cloud> cfields: have you tested with an LXC of precise with a rating host?
03:21 < michagogo|cloud> Luke-Jr: why not?
03:27 < cfields> michagogo|cloud: that's what i'm using now, yes
03:29 < michagogo|cloud> cfields: ah, okay
04:12 < Luke-Jr> michagogo|cloud: because without the ability to append data, it'll only produce a single block header (4 Gh)
04:30 < Luke-Jr> UGH, Electrum added a "send from" nonsense
04:33 < Luke-Jr> sigh, he doesn't even understand why there's a problem
04:34 < Luke-Jr> amazing how easy it is to write broken wallet software
04:35 < Emcy> send from is intuitive though
04:35 < Emcy> wrong but intuitive
04:38 < michagogo|cloud> uh.
04:38 < michagogo|cloud> seriously?
04:38 < michagogo|cloud> o_O
04:38 < michagogo|cloud> Luke-Jr: Well, I guess you could allow appending data but reject appended data that was another quote if you really wanted to :-P
04:38 < Emcy> 'from' is an abstraction of what's really going on that probably works for how most people are sending bitcoins right now
04:39 < Emcy> until they try to use it as a return path or something
04:39 < michagogo|cloud> Emcy: Right. And that happens all the time.
04:40 < Emcy> yeah well there are a LOT of bad practices going on in bitcoin that are going to cause major problems in future and could prove intractable with time
04:41 < Emcy> that's what happens when your little experiment project gets used in production for billions worth of value whether you like it or not
05:22 < sipa> yup
07:45 < warren> https://bitcointalk.org/index.php?topic=343901.0
07:45 < warren> "Bitcoin core Qt maintainer"
07:45 < warren> John Smith
07:45 < warren> never seen that name before
07:45 < sipa> warren: that's wumpus aka laanwj
07:46 < warren> hah
07:46 < sipa> he has always used that name on the forum, afaik
07:46 < wumpus> yes
07:51 < wumpus> I'd like to change it to wumpus but it's no longer possible to do it yourself and I don't feel like bothering admins and such, also because I don't really like the forum much and don't intend to spend too much time there
08:20 < michagogo|cloud> wumpus: well, you could put that in your signature...
08:26 < gmaxwell> wumpus: just send theymos a message, it would take you like two seconds. :)
08:27 < gmaxwell> okay, 10 seconds since you might want to pgp sign it. :)
08:28 < warren> gmaxwell: I already did
08:29 < Emcy> i read about the name change thing
08:30 < Emcy> fwiw i support changing it to Bitcoin Core. It might go some way to explaining to people what the Satoshi client actually does that all the others don't, and why it's caning the hell out of their computer when the others don't
08:31 < wumpus> yes, agreed, it needs to change name, it's less important what name
08:31 < warren> split the consensus part from the wallet...
08:31 < Emcy> well like i said bitcoin core is about as explanatory as you can get whilst keeping it a title and not a synopsis
08:32 < Emcy> also people like cores and stuff, it sounds cool. And people like to be in the centre of things
08:32 < wumpus> warren: that's what we're working on (with nowallet mode and such)
08:33 < wumpus> would be nice to have the code in different directories as well
08:33 < michagogo|cloud> Hmm, I was going to write a post on bct to try and recruit gitian builders
08:34 < michagogo|cloud> I guess I never got around to it
08:34 < michagogo|cloud> Hmm, now that I think about it I'm not sure what I'd say in such a post
08:35  * michagogo|cloud is not very good at writing
08:45 < petertodd> wumpus: I asked to s/retep/Peter Todd/ on the forum and theymos changed it literally within about 45 seconds
08:46 < warren> how recently?
08:46 < petertodd> warren: like 5 hours ago
08:48 < warren> I wonder if "warren" is taken
08:48 < warren> probably
08:49 < wumpus> petertodd: nice
09:36 < TD> it seems you can't set forum photos anymore either
09:36 < TD> i tried a few weeks ago and it just ignored me
09:36 < TD> it blows my mind that theymos is sitting on such a huge pile of bitcoins and does absolutely zip with it
09:37 < pigeons> yes i also tried a few days /weeks ago to set the photo and it didn't work
09:38 < gmaxwell> The photo stuff is disabled because it was custom code that was potentially vulnerable.
09:39 < gmaxwell> A bunch of stuff was disabled after the compromise was discovered and its been gradually getting re-enabled.
09:39 < gmaxwell> (a bunch of it is moderator tools, so the progress may not be generally visible to all users)
09:57 < michagogo|cloud> TD: what do you mean?
09:58 < TD> mean by what?
09:58 < michagogo|cloud> Your most recent message
09:59 < TD> a long time ago theymos asked for a lot of donations in order to raise money for writing a new forum, or making major upgrades
10:00 < TD> he got thousands of coins
10:01 < petertodd> enough money to hire a team of bitcoin people away from their dayjobs...
13:06 < michagogo|cloud> o_O
13:06 < michagogo|cloud> ...thousands?
13:06 < michagogo|cloud> That's a seriously huge bounty...
13:07 < michagogo|cloud> I suspect there are people who would be happy to write an entire forum system from scratch if it meant becoming a multimillionaire.
13:07 < TD> well, as the value went up it seems he lost interest in developing new forum software
13:08 < gmaxwell> The forum funds are used for more than just software though, e.g. moderators get paid a bit, it pays for hosting (which is non-trivial, as the bct forum is a highly trafficked site and gets DOS attacked a lot)
16:12 < HM2> But i don't think there's an integer multiple requirement on the cipher block size vs the arbitrary domain you want
16:12 < HM2> if that was the case, this entire paper would be useless
16:12 < HM2> the point is to produce a pseudorandom permutation of say, 1 to 10^16 for generating card numbers or such
16:13 < HM2> if you need a cipher that has a multiple of 10^16 as the block size, then you may as well start from scratch and use that
16:13 < HM2> it'd be a chicken and egg problem
16:13 < HM2> but maybe you're right, it might be a risk
16:13 < HM2> perhaps the paper only means to imply "good enough" with good primitives
16:15 < sipa> I HAVE NEVER CLAIMED THERE WAS A RISK
16:15 < sipa> that's why i apologize for bringing it up
16:15 < sipa> i just said it's not a perfect shuffle
16:15 <@gmaxwell> he's only saying that the permutations are not equiprobable. This is not ideal. It may not matter in any given application.
16:16 < HM2> sorry sipa, i didn't mean to get things heated
16:16 < sipa> no, i'm sorry!
16:16 <@gmaxwell> sipa: I went through the same thing a week ago with someone (HM2?) on random number selection for some fool lottery.
16:16 < HM2> not me?
16:17 < HM2> unless I've forgotten
16:17 <@gmaxwell> In that case they wanted to generate uniform random 'winners' for the lottery with H()%users.
16:17 < HM2> definitely not me
16:17 <@gmaxwell> in any case, it also ended in tears.
16:18 < HM2> A modulus would definitely cause issues with sizes that weren't factors
16:18 <@gmaxwell> where I basically made the same point sipa made, and they responded like you did here. And then I set their dog on fire.
16:19 < HM2> but this method just maps 2 arbitrary sets and uses the mapping to select a permutation of one set. if the # of mappings mod the number of permutations is 0, then there should be no bias from that alone
16:19 <@gmaxwell> HM2: it's the same issue, but its easier to see where the non-uniformity from % shows up without having to enumerate all the possible keys first.
16:19 < sipa> HM2: absolutely true, but not the point i was making :)
16:19 < HM2> sipa: but i think it's always the case that there's an integer ratio
16:20 < sipa> HM2: yes
16:20 < sipa> that's correct
16:20 < sipa> 22:09:10 < sipa> HM2: sure, if you take a uniformly random permutation function from 2^N -> 2^N, apply it to the numbers 0..I, and  then sort these numbers, you get a uniformly random permutation
16:20 < HM2> hmm
16:20 < sipa> HM2: put otherwise, you have the set S of _all_ function 2^N -> 2^N
16:20 < sipa> you pick one uniformly random from that set
16:21 < sipa> apply that function to the numbers 0..I
16:21 < sipa> sort these numbers
16:21 < HM2> right, yeah I'm sory of with you now
16:21 < sipa> and return the list of 0..I sorted according to that function
16:21 < HM2> *sort
16:21 < sipa> then yes, you have a perfect shuffle
16:22 < sipa> sorry, the set of all permutations 2^N -> 2^N
16:22 < sipa> i don't think it holds for the set of all functions, as may get collisions
16:23 < sipa> and that is what the method in that paper approximates
16:23 < HM2> right, but you don't get collisions in a symmetric block cipher, otherwise they're pretty useless.
16:23 < sipa> indeed
16:23 < sipa> instead of picking a random permutation, you pick a random key and use that with a block cipher
16:23 < HM2> right
16:23 < sipa> that will not give you a random permutation, but it will be indistinguishable from one
16:23 < sipa> which is what matters for security
16:23 < HM2> right
16:24 < HM2> it's the "integer multiple" thing that threw me here
16:24 < sipa> well, that's the point
16:24 < HM2> because that's not true, even in the papers own example
16:24 < sipa> that is the reason why it can't be a random permutation
16:24 < sipa> because you started off with a biased set of functions to choose from
16:26 < sipa> just to be clear: i'm not talking about applying the permutation (=block cipher) to the numbers and then sorting
16:26 < sipa> that is absolutely perfect
16:26 < HM2> anyway, this algorithm also sucks because you need O(n) memory and to perform O(n) block cipher encrypt operations
16:26 < sipa> it's the fact that a block cipher with a random key is NOT a random permutation
16:26 < HM2> the paper discusses 2 other algorithms, which I think I best not mention lol
16:27 < HM2> thanks for discussing it with me anyway sipa
16:27 < HM2> you always make me think
16:27 < sipa> :)
16:30 < HM2> On a lighter note, I'm not sure if the FPE wikipedia page has been copied from this paper
16:31 < HM2> Seems to have the same structure
16:31 < HM2> Hopefully not the other way around
17:04 < HM2> chilling for a while now sipa i see some more of your points
17:06 < HM2> a lot of the problem is just the insane amount of entropy in a random shuffle
17:08 < HM2> the old phrase about there being more permutations in a deck of cards than there are atoms in the universe
18:32 < HM2> It seems the Thorp shuffle variant of Feistel ciphering has been proven fairly secure with block ciphers (under standard assumptions) for small domain encryption
18:33 < HM2> It's very intuitive and easy to visualise as well
18:42 < HM2> it reminds me a lot of double-and-add in EC point multiplication
18:42 < HM2> the thorp shuffle that is
18:55 <@gmaxwell> Thorp shuffle sounds like a butterfly network.
18:56 <@gmaxwell> I don't see how it can give uniform permutations in a small (e.g. log N) number of steps though.
18:56 <@gmaxwell> Is there a proof that it does?
18:57 < sipa> link?
18:58 <@gmaxwell> I'm probably looking at the thing that hm2 is looking at: www.cs.ucdavis.edu/~rogaway/papers/thorp.pdf
19:00 <@gmaxwell> (And it sounds like a butterfly network, the kind of topology you use for logN implementations of sorting networks and FFTs)
19:26 < HM2> yeah that's it gmaxwell
19:32 < HM2> I'll have to relookup butterfly networks
19:34 < HM2> Feistel Ciphering looks like it can be applied to elliptic curves. So presumably you could permutate aG to bG using a key, k, and use the same key on the private key (bidirectionally)
19:35 < HM2> I'm not sure how that'd ever be useful though
19:35 < HM2> (one of the papers mentioned EC domains, i'm not just musing)
19:38 < HM2> I guess that's kind of what the hierarchical wallet proposal does, the chain code being the key
19:38 < HM2> except you can only go one way
19:39 < HM2> you can't go from a child public key to a parent key if you know the chaincode
19:40 < HM2> well, unless someone was saying the other day, you permutate all 'i'
19:40 < HM2> so i guess it's more or less the same
19:47 < HM2> the nice properties of ECs seem to make any applications of permutating points kinda pointless
23:37 < amiller> i really like cache oblivious data structures
23:37 < amiller> they all look like fractals
23:38 < amiller> http://www.cs.au.dk/~gerth/papers/alcomft-tr-02-136.pdf
23:38 < amiller> funnel heap is my favourite
--- Log closed Fri Apr 26 00:00:42 2013
--- Log opened Fri Apr 26 00:00:42 2013
--- Log closed Sat Apr 27 00:00:45 2013
--- Log opened Sun Apr 28 00:00:47 2013
16:05 < DrChill> Hello all
16:05 < DrChill> Should I run the github version of bitcoind on a production server?
16:06 < DrChill> Or should I use another download?
16:29 < BlueMatt> umm...waay wrong channel
16:29 < BlueMatt> probably #bitcoin
--- Log closed Mon Apr 29 00:00:49 2013
--- Log opened Mon Apr 29 00:00:49 2013
--- Log closed Mon Apr 29 14:01:23 2013
--- Log opened Mon Apr 29 14:01:38 2013
--- Log closed Tue Apr 30 00:00:52 2013
--- Log opened Tue Apr 30 00:00:52 2013
14:37 < warren> gmaxwell: https://github.com/bitcoin/bitcoin/pull/2577
14:38 < warren> I'm surprised that this is actually being considered.
14:39 <@gmaxwell> Why?
14:39 < warren> Pleasant surprised.
14:39 < warren> argh... can't type today
14:40 < warren> It seemed that folks weren't willing to consider this earlier.
--- Log closed Wed May 01 00:00:55 2013
--- Log opened Wed May 01 00:00:55 2013
--- Log closed Thu May 02 00:00:57 2013
--- Log opened Thu May 02 00:00:57 2013
22:37 < jrmithdobbs> gmaxwell: ;p
--- Log closed Fri May 03 00:00:00 2013
--- Log opened Fri May 03 00:00:00 2013
19:06 < sipa> when i publish benchmarks for libsecp256k1, i think i should use the unit MiB blockchain/s
19:06 < sipa> currently 3.7 on my laptop :p
19:06 < jgarzik> ;p
19:06 < jgarzik> sipa: that's the secret behind gettings testers for your stuff: give people a number on which they may compete
23:10 <@gmaxwell> sipa: should be in megabits.
23:10 <@gmaxwell> 31mbit/sec is pretty impressive! It would move most non-commercial users back to being bandwidth limited.
--- Log closed Sat May 04 00:00:03 2013
--- Log opened Sat May 04 00:00:03 2013
00:19 < amiller> the requirements for super duper moon math blockchain verification are weird
00:19 < amiller> let me try to interpret some of them for you here.
00:20 < amiller> the basic thing is that we only know how to do constant-time-verification for boolean circuit programs
00:20 < amiller> a boolean circuit program is a really restricted form of program
00:20 < amiller> it's like C but with all the loops unrolled
00:20 < amiller> everything get done instantaneously in one enormous step
00:21 < amiller> youd have to have bounded size inputs
00:21 < amiller> if you assume that my authenticated data structure merkle UTXO thing works
00:21 < amiller> and there's a bound of M on the number of outstanding elements at any given time
00:22 < amiller> then to check N operations (lets just say N blocks) it will take O(N log M) hashes to validate a bunch of blocks
00:22 < amiller> to validate N blocks i men
00:22 < amiller> okay so where the moon math comes in
00:23 < amiller> is that i can take a single setup phase to construct a big ol' circuit that does one huge chunk of validating N blocks and this takes me O(N log M) to prepare
00:24 < amiller> think of it as spending O(N log M) effort to compile a "big-ol'-program-that-validates-N-blocks" circuit
21:30 < amiller> the scarcity isn't "enforced by a mathematical algorithm"
21:31 < amiller> it's maintained just as long as everyone's swarm behavior is to prefer to stick to one big clump and struggle in the biggest one
21:38 < warren> nanotube: ah, one avalon owner caused the difficulty to escalate, he then bailed out so the remaining miners would take 2-3 hours to the next block.
21:38  * warren wonders why all of the sha256 alt's aren't killed that way, if you want to discourage scams
21:39 < gmaxwell> because almost no one who actually cares about scams thinks that it's right to attack thinks like that to discourage them.
21:39 < gmaxwell> The closest you got was luke shutting down CLC at block .. ~3.  (Someone took a prerelease of bitcoin's p2sh functionality and released it as AMAZING-NEW-CRYPTOCOIN with a premine and an exchange support on the first block)
21:39 < gmaxwell> But it was mergedmined so it was easy for luke to just mine it and exclude all other mining.
21:39 < gmaxwell> until people gave up on it.
21:39 < gmaxwell> But this was _highly_ controversial and basically earned him months of DOS attacks.
21:39 < warren> I was wondering why Eligius is so small.
21:39 < warren> Some of the recent coins use sha256 but are not merge mineable (by design?).  So instead of allowing merge miners to contribute to its protection, they can be obliterated by a single Avalon owner who opts out of Bitcoin for a short while.  People who want the alt coin to survive can't, or would need to divert lucrative ASIC's away from Bitcoin to do so.
21:39 < warren> Doing so however excludes all the other miners, then people quit.
21:39 < gmaxwell> eligius is something like 3% of the network hashrate, not that small
 but it has an interface only a developer could love
 and a lot of people think that the low fees are a signal that its bad.
21:39 < warren> "but it has an interface only a developer could love" and p2pool manages to be even less friendly =)
21:40 < gmaxwell> they're generally pretty similar wrt other than p2pool taking more effort to setup. Eligius lots most of it's biggest miners to p2pool when p2pool really took off.
21:40 < gmaxwell> (e.g. myself, midnightmagic, uukgoblin)
21:40 < gmaxwell> s/lots/lost/
21:40 < warren> I see.
21:42 < warren> oh boy.  btc-e just added two more alts.
21:45 < gmaxwell> amiller: well thats true of anything, I mean, I can start printing out bits of green paper that say $1 Gmaxllors and say that my alternative reduced the scarcity of the dollar, but the distinction matters because of 'clumping' on the one.
21:46 < gmaxwell> the irony here is that something like an LTC eclipsing btc would be its own doing, since the logical next question is "well, when is ltc going to get eclipsed by a very similar clone" :P
21:46 < amiller> there's more to the solution space, once this line of reasoning opens up though
21:48 < amiller> merged mining and validate-other-blockchain-scripts and other puzzle variants can affect the relations between competing groups
21:48 < amiller> those are like the 'plus extra lock-in mechanisms'
21:49 < warren> I've come to the conclusion that Litecoin is redundant and they need to change their hash in the future.  I will push code there, stuff like experimental fee calculation.
21:50 < amiller> ripple is still the only financial model that makes any sense in the super long term
21:53 < warren> The alts are absolutely insane.  Litecoin's website is mysteriously down now.  There isn't any actual non-speculation activity, and yet it is over $3/coin.  This makes no sense.
21:54 < gmaxwell> $3? lol.
21:55 < warren> gmaxwell: it was $5 on April 1st.  NVC is $3.71.  PPC $2.39
21:55 < gmaxwell> warren: I think I made about 40 BTC selling oodlegazillion ltc about 9 months ago. Was quite happy with that.
21:55 < gmaxwell> warren: well whats the actual volume of the orderbook on these things? ... last trade isn't the best metric of that.
21:55 < nanotube> hehe shoulda held on...
21:56 < amiller> do we have a better way of estimating real market cap rather than just multiplying last price
21:56 < warren> gmaxwell: PPC trading began only like an hour ago
21:56 < amiller> like just adding up the public order books aren't that compelling either
21:56 < gmaxwell> warren: ppc has been trading for a long time
 maybe not on that exchange.
21:56 < warren> oh
21:57 < gmaxwell> I had 250,000 PPC at one point. I mined something like 80% of the initial three days. :P
21:57 < warren> amiller: you could do a vwap maybe
21:57 < gmaxwell> warren: if its one coin bouncing back and forth... what does that mean? I trade 1 coin with myself a million times at $10000/coin... :P
21:57 < warren> hah
21:58 < gmaxwell> I think I sold 200,000 PPC for like 10BTC. ... and I probably have a few thousand left, in fact.
21:58 < warren> gmaxwell: I suppose if the exchange fees are negligible compared to the value you are trying to establish as a psychological anchor
21:58 < gmaxwell> Guess I should go find it.
21:59 < warren> Litecoin has had no releases in 10 months, its website is down, speculators don't care.
22:00 < gmaxwell> PPC has every block cryptographically signed by its mysterious developer
 which is the only thing that has saved it from a bunch of attack. Speculators don't care.
22:01 < warren> signed for what purpose?
22:01 < gmaxwell> Considering that you could probably create a cryptocoin which was powered by security provided from cat pictures and hope ... plus signed blocks. :P
22:01 < gmaxwell> warren: basically they added a transaction type that just inserts a checkpoint into the checkpoint list. And they checkpoint every block... so there can be no consensus failure: the consensus is whatever dear-leader says it is. :P
22:02 < warren> HAHAHA
22:03 < gmaxwell> "sudoku cents"
22:03 < warren> Bitcoin's mysterious leader can only scare people with alerts, not choose which chain is real.
22:04 < gmaxwell> The alerts can even be disabled with an alert.
22:04 < warren> gmaxwell: oh, that litecoin "obsolete" please upgrade error message has been going on ever since.  Official response is "ignore it, wait for 0.8.1"
22:04 < gmaxwell> LOL
22:05 < gmaxwell> "URGENT: Alert key compromised, upgrade required"
22:05 < gmaxwell> so even if the alert key is compromised anyone with it can trigger that instead.
22:05 < nanotube> "warning, bitcoin being superseded by $newcoin. advise to switch asap"
22:05 < warren> "URGENT: Ignore alert key compromised messages.  It is an error because we didn't do any releases for 9 months.  Everything is fine."
22:06 < gmaxwell> lol
22:06 < gmaxwell> nanotube: the compromised message is hardcoded and supersedes any other message.
22:06 < nanotube> heh ic
22:07 < warren> Then the new release is to have an entirely new alert key?
22:07 < gmaxwell> Thats the idea.
22:08 < warren> hah, PPC dropped 80% from that moment I looked at it
22:08 < gmaxwell> heisencoin
22:08 < gmaxwell> the price can not be both observed and traded at
22:09 < warren> well, that paid for the BFL at least ...
22:09  * warren wanders off.
22:13 < warren> gmaxwell: http://www.cryptocoincharts.info/period-charts.php?period=1-year&resolution=day&pair=ppc-btc&market=vircurex
22:13 < gmaxwell> warren: it's not profit until its in your wallet...
22:39 < warren> Perhaps Terracoin should add testnet's difficulty failsafe.
22:39 < warren> (They can't screw up more than they are now.)
--- Log closed Sat Apr 06 00:00:14 2013
--- Log opened Sat Apr 06 00:00:14 2013
00:37 < nanotube> http://blockchain.info/address/871a40e5e61b96b6171f1b435788082edadda7a8 <- fun blockchain spam.
00:39 < gmaxwell> oh god.
00:39 < gmaxwell> 11MakeSureToVisitEtchABLockZAVq9D 0.00000001 BTC
00:39 < gmaxwell> 11DotComXXXXXXXXXXXXXXXXXXXadFTXV 0.00000001 BTC
00:40 < gmaxwell> right ... see how much we really need to lower fees? :-/
00:41 < nanotube> etchablock.com seems to be defunct though
00:41 < nanotube> latest transaction in 2011
00:42 < nanotube> they wouldn't spend those .0005s at today's prices. :)
00:43 < gmaxwell> ah, I'd missed the dates.
15:58 < HM> you know
15:58 < HM> if the RPC mechanism ever needed improving, the way Wayland does it is pretty slick
15:59 < HM> generates thin inline headers for each function call for both clients and servers, corresponding server and client libraries are ~40KB a piece
15:59 < HM> no extra dependencies
15:59 < HM> introspectable
16:02 < HM> oh actually has a dependency on libffi for dispatch (meh, tiny 30KB lib)
16:08 < gmaxwell> wayland needs to handle data at rates thousands of times greater than bitcoin... pretty different motivations and security considerations.
16:16 < HM> it doesn't really
16:17 < HM> the odd key press event, most of the time it just sits there idle
16:18 < HM> once you start adding payment notification events to bitcoin you're going to need a better IPC interface imo
16:18 < HM> s/when/if/
16:18 < gmaxwell> uh. we do have payment notifications.
16:20 < HM> where is that?
16:20 < gmaxwell> e.g. walletnotify.
16:21 < gmaxwell> (which I think is horrible and should die, but thats another matter)
16:21 < gmaxwell> I think the 0mq patch seemed reasonable.
16:21 < HM> 0mq is tricky for RPC
16:22 < HM> you will need separate sockets for notifications and REQ/REP
16:23 < HM> I haven't seen the patch however, where does it live?
16:24 < HM> ah found it
16:25 < HM> ah it's a python front end to the json rpc interface
16:25 < HM> or is that a test
16:25 < HM> hmm
16:26 < HM> it's SUB only anyway
16:26 < gmaxwell> HM: no, jesus, go look at pull requests and actually read it. It doesn't do much right now, but it seems like a reasonable way to do notifications.
16:28 < HM> I'm looking at pull 2415
16:29 < gmaxwell> Which is not at all a python front end to the json rpc interface.
16:30 < gmaxwell> It links bitcoin against the 0mq libraries and allows it to publish notifications for transactions and blocks.
16:31 < HM> yep, wrapping the existing json rpc code
00:04 < warren> One of those "stock exchanges" has options and margin borrowing backed by the arbitrary "securities" (mostly "bonds") in the exchange, but they added LTC recently.
00:04 < warren> Deposit 1 LTC, you get one share.
00:04 <@gmaxwell> I guess one problem is that if you blow up litecoin, people won't be able to move their litecoin to the exchanges to sell it until litecoin is fixed again.
00:05 < warren> the money in the exchange is rather large now, and can cause a perception of a crash.  That and Litecoin's lack of devs and uncoordinated miners means they can't fix this.
00:05 <@gmaxwell> well, if it's mpex I think history suggests that MP will renege on contracts to protect his own hide when he's on the losing side of a trade... so I guess you have to factor in the counterparty risk on such things.
00:05 < warren> they won't even realize a fork happened until 100+ blocks later
00:06 < warren> it isn't mpex
00:06 <@gmaxwell> in any case, yea, viable shorting produces the missing piece for attacking it: an economic incentive.
00:08 < warren> It seemed like Luke-Jr tried to attack Litecoin earlier for lulz.
00:09 <@gmaxwell> I don't believe thats the case?
00:10 <@gmaxwell> you have to be really careful in reading alt currency posts.. there are a lot of real idiots posting. They hate luke (for multiple reasons, including the fact that luke keeps calling their currencies scams).
00:11 < warren> Oh, Luke mentioned it himself.
00:11 <@gmaxwell> link?
00:11 < warren> hmm
00:11 <@gmaxwell> The only thing that luke 'attacked' that I'm aware of was "CLC" and his attack pretty much consisted of mining all the coins so no one else could. :P
00:12 < warren> It wasn't in -dev, and this was like 2-3 weeks ago.
00:12 <@gmaxwell> (this was a cryptocurrency which basically was created by taking an early version of the P2SH stuff in bitcoin while it was in development, adding a huge premine, paying btc-e to list it on the exchange, and announcing it as a huge advance over bitcoin.)
00:12 < warren> He was responding derisively about Litecoin (as usual), then pointed out a CVE, then lamented that coblee patched it too fast.
00:13 < warren> CLC?
00:13 < warren> sounds like novacoin
00:13 <@gmaxwell> "new scam same as old scam"
00:13  * jgarzik wonders if there is a nice list of all these
00:13 < jgarzik> i.e. alt-coins, and their problems ;p
00:13 <@gmaxwell> jgarzik: I asked that in #bitcoin-dev earlier todayish.
00:14 < jgarzik> need to troll MPOE-PR into writing one
00:14 < warren> I don't understand MPOE-PR's agenda.
00:14 < warren> on the forum
00:15 <@gmaxwell> 13:15 <+gmaxwell> gavinandresen: that page is kind of distorting because it
00:15 <@gmaxwell> doesn't list all the failed ones.
00:15 <@gmaxwell> 13:15 <+gmaxwell> gigitrix: e.g. where is WEEDS and BEERCOIN and LiquidCoin
00:15 <@gmaxwell> warren: current bets is that MPOE-PR is MP though that only explains a little.
00:20 <@gmaxwell> jgarzik: only a few have had informative failures. LQC == time between block matters,  CLC == merged mining is not a panacea (/paying exchanges to list you pisses people off!),  SLC1.0 == 'stupid fee rules make you vulnerable to spam attacks'
00:22 <@gmaxwell> doublec would probably be a good resource, considering hes run a bunch of these things and gotten ripped off by the big reorg attack on i?coin.
00:22 <@gmaxwell> https://en.bitcoin.it/wiki/List_of_alternative_cryptocurrencies
00:25 < jgarzik> MP's blog had a quite excellent list of bitcoin scams to date.  A bit unfair at times, but for the most part accurate and exhaustive
00:26 < Diablo-D3> yeah, mp still considers DMC a scam
00:26 < Diablo-D3> although we're quickly approaching breaking even again
00:31 < warren> DMC?
00:32 < jgarzik> DMC seemed more like lack of competence, than a scam.  But hey, it has ASICMINER shares, so might still come out ok.
00:40 < warren> LQC == time between block matters ... I can only guess what happened.
00:41 < Diablo-D3> heh, jgarzik is still trolling
00:41 < Diablo-D3> warren: DMC was a company I started that was trying to focus on high density computing in data centers built for the task
00:42 < warren> Diablo-D3: and it turned into an ETF that holds ASICMINER?
00:42 < Diablo-D3> warren: well, not quite
00:42 < Diablo-D3> warren: part of the plan was to also mine
00:42 < Diablo-D3> ergo the M in DMC
00:43 < warren> Do you also sell gull wing cars?
00:43 < Diablo-D3> we didn't have enough money to afford the DC, so I was buying mining power through other ways
00:43 < Diablo-D3> so we could pay dividends early on to get more investments
00:43 < Diablo-D3> problem is nefario lied about how he was vetting companies listed on his exchange
00:44 < Diablo-D3> DMC pulled out a lot of its money before the mining market on GLBSE crashed and ended up making a profit
00:44 < Diablo-D3> nefaro then tried to remove me as CEO of the company (which
 well, it just doesn't make any sense, legal or otherwise) and left it up to a shareholder vote
00:45 < Diablo-D3> majority of eligible shares voted, majority voted in favor of me
00:45 < Diablo-D3> and then shortly after nefario closed down GLBSE
00:45 < warren> It seems that investments in mining is only profitable under two conditions: 1) Mine while the coin value is perceived to be depressed, trusting that you can sell all the coins later at a high price.  2) Sell the shovels.
00:45 < warren> Any other investment is sure to have diminishing returns.
00:45 < Diablo-D3> warren: yes, and thats why a lot of money was invested into asicminer
00:45 < Diablo-D3> they sell the shovels
00:45 <@gmaxwell> warren: lots of people made money selling random land to mine on too. :)
00:45 < warren> hahaha
00:46 < Diablo-D3> warren: DMC bought the majority of the 1000 shares at the original 0.10, and the rest under 0.15
00:46 < warren> Diablo-D3: nice
00:46 < warren> how long ago was that?
00:46 < Diablo-D3> theres no reason to believe it wont go past 1 BTC per share
00:46 < Diablo-D3> during the original IPO
00:46 < Diablo-D3> asicminer IPOed on GLBSE
00:46 < warren> I wasn't around back then, I have no idea.
00:46 < Diablo-D3> it hasn't been put back on a new exchange yet
00:46 < Diablo-D3> DMC has relisted since, however
00:47 <@gmaxwell> Diablo-D3: so you're not deathly afraid of asicminer having >50% of the hashpower under one roof thoroughly undermining confidence in bitcoin if it becomes widely known that one guy with a gun (/court order) could thoroughly hose things up?
00:47 < Diablo-D3> gmaxwell: no, its not a problem for now
00:48 < warren> huh?  asicminer has >50% now?
00:48 < Diablo-D3> gmaxwell: I think 2 more dividend payments and we've gotten back our original money anyhow
00:48 < Diablo-D3> gmaxwell: and they're doing weekly payments
00:48 <@gmaxwell> How so? by the reported numbers asicminer is >50% already.
00:48 <@gmaxwell> Diablo-D3: uh yea, but if this undermines confidence in bitcoin all your returned payments lose value.
00:48 < warren> Diablo-D3: you were damned lucky to have chose the asic company that mined first.  Good job.
00:48 <@gmaxwell> so they can still screw you even after paying you back
00:49 < Diablo-D3> gmaxwell: well, now that avalon units are arriving
00:49 < Diablo-D3> they cant get 51% yet
00:49 < Diablo-D3> and batch 2 and 3 of avalon will prevent 51% later on
00:49 <@gmaxwell> all the avalon units only add up to about 19TH/s.
00:50 < Diablo-D3> 300 + 600 + 600 of 68gh each
00:50 < Diablo-D3> ;;calc 1500 * 68 / 1000
00:50 < warren> ASICMINER has how much hashing capacity?
00:50 < Diablo-D3> fuck no gribble
00:50 < Diablo-D3> 102TH
00:50 < warren> oh
00:50 < Diablo-D3> no that was the math
00:50 < Diablo-D3> asicminer has about 5th atm
00:50 < Diablo-D3> they're still installing the rest of the 15, they're only one third done
00:51 < Diablo-D3> by the time all the units are finished at the end of april, they'll have 60TH on hand but not fully installed
00:51 < Diablo-D3> and its all already paid for
00:51 < Diablo-D3> these first two generations are serving as beta units
00:52 < Diablo-D3> like, they undersized a few components on the 15th, which they increased on the second gen
00:52 < Diablo-D3> the second and first gens use identical asics though
00:52 < Diablo-D3> its only the parts on the board thats being upgraded
00:52 < warren> How is that >50%?
00:53 < Diablo-D3> apparently the asics have a lot more overclocking capability than they originally designed for
00:53 < Diablo-D3> warren: well
00:53 < Diablo-D3> before asics
00:53 < Diablo-D3> we only had 25th
00:53 < Diablo-D3> if asicminer was the only one, 60th is waaaaaaay past 51%
00:53 < warren> It seems that Avalon is coming online, and BFL is close enough to beat late-April 60TH.
00:54 < Diablo-D3> pre asic 25 + avalon's first 300 units is 45th
00:54 < Diablo-D3> so even with 60th, its just barely past 51%
00:54 <@gmaxwell> Diablo-D3: I was told asicminer had ~27TH/s up now. very few avalon units have been received, I'd estimate asic miner at about 70% based on that.
00:54 < Diablo-D3> the other 1200 mashes that
00:54 < Diablo-D3> gmaxwell: not 27
00:54 < Diablo-D3> gmaxwell: they only have the parts for 15
00:54 < Diablo-D3> and not all of it is up yet
00:55 < jgarzik> Where is ASICMINER physically located?
00:55 < Diablo-D3> jgarzik: not sure where the DC is
00:55 < jgarzik> I saw friedcat(sp?) post that they had a layer of physical security in their building
00:55 <@gmaxwell> Diablo-D3: well, thats not what they're telling some people at least.
00:55 < Diablo-D3> gmaxwell: I only listen to friedcat's official posts
00:55 < Diablo-D3> the rest of its speculation
00:55 <@gmaxwell> but perhaps the numbers I saw were somewhat forward looking.
00:55 <@gmaxwell> Diablo-D3: I think I can trust friedcat to not speculate. :P
00:55 < Diablo-D3> like people were saying that huge ozcoin miner was asicminer
00:56 < Diablo-D3> its not, its some huge avalon customer
00:56 < Graet> yes, i been saying that
12:06  * andytoshi quietly adds this to the tor-like payment protocol in his "if i had an alt" document
12:22  * sipa should also start such a document
12:30 < gmaxwell> @#$*(@*#$(@* why isn't there a @#*(*$@(#* augmented PAKE that doesn't add a communication round?!@#
12:32 < sipa> PAKE?
12:36 < gmaxwell> Password authenticated key exchange.
12:38 < petertodd> BlueMatt: re -wizards meetup, I'm in
12:39 < andytoshi> gmaxwell: regarding our calculation last night about the number of input/output partitions we have to brute-force through .. i was badly wrong about the partition numbers giving an estimate
12:39 < andytoshi> http://oeis.org/A000110
12:40 < andytoshi> (number of partitions of a set of labelled element, which grow exponentially)
12:42 < andytoshi> so we need to be more intelligent to compute the entropy we want
12:45 < andytoshi> petertodd: do you recognize this as some well-known matching problem?:
12:45 < andytoshi> http://download.wpsoftware.net/bitcoin/coinjoin.pdf
13:11 < petertodd> andytoshi: nope, I could however write a paper talking about it in terms of post-modern art critique...
13:11  * petertodd is a fine arts grad
13:12 < warren> does mastercoin know this? =)
13:12 < petertodd> warren: probably
13:13 < petertodd> warren: though their process for hiring me consisted of me talking to one of their people on the phone for an hour...
13:37 < andytoshi> what is also interesting, is that in the join a0350aa856b77edeaa08ae9df5047855d487c40490d11713461d200ea70b09c6, there is roughly 0.005 btc going to (presumably) the donation output, so this output mucks up the naive plausible join analysis
13:38 < andytoshi> by doing exactly the funny business you suggested
13:39 < andytoshi> s/you/gmaxwell
13:49 < andytoshi> OK, rosemary thinks that the 'find maximal number of plausible participants' is NP-hard
13:49 < andytoshi> it reduces to the partition problem
13:50 < petertodd> andytoshi: is that np-hard per tx, or for whole tx graphs?
13:51 < andytoshi> np-hard per tx :(
13:51 < petertodd> andytoshi: maybe that's better? tx's have limits on how big they are...
13:51 < petertodd> andytoshi: remember that two-party-mixes are most likely to be what people actually use
13:52 < andytoshi> petertodd: well, the example we are using is http://blockexplorer.com/tx/a0350aa856b77edeaa08ae9df5047855d487c40490d11713461d200ea70b09c6 which is probably intractable
13:53 < andytoshi> and there are actually only 3 people in there
13:53 < petertodd> andytoshi: that's still a much bigger tx than the expected everyday two-party-mix case
13:54 < andytoshi> yeah, but if you only need one of them to hide a drug deal, you're golden
13:55 < petertodd> sure, point is, I'd be very interested to see algorithms giving some plausible answers for how much privacy even the simple two-party-mixes are adding, and it sounds like the computation required to do that shouldn't be ridiculous
13:57 < andytoshi> petertodd: well, rosemary's reduction involves constructing a 2-party mix corresponding to a given multiset .. if you can determine that it might be a 2-party mix, then you've solved the partition problem for that multiset
13:57 < andytoshi> determine whether it could be a 2-party mix*
13:58 < andytoshi> though as you say, maybe this is OK because the number of inputs and outputs is small
13:59 < andytoshi> but 'only 2 people' does not let us slip into P
13:59 < petertodd> exactly, even if it's some crazy n^n algorithm, the n is small
14:00 < petertodd> from a usability point of view we have to assume that naive two-party mixes are what is going to be most popular
14:27 < sipa> who/what is rosemary?
14:32 < andytoshi> :P i was wondering if somebody would ask that..
14:33 < andytoshi> rosemary is my girlfriend, she is not so into bitcoin
14:33 < andytoshi> but her degree was largely CS, so i badger her with a lot of these questions
14:33 < sipa> she does seem into complexity analysis :)
14:33 < andytoshi> mmhmm :)
14:52  * maaku would love to read andytoshi and sipa's "if i had analt" documents
14:52 < maaku> BlueMatt: wizards meetup, where are you thinking?
14:52  * sipa guesses it will be too far for europeans
14:53 < warren> do it in Hawaii
14:53 < sipa> even further :(
14:54 < petertodd> pity there isn't an island in the atlantic ocean...
14:54 < andytoshi> maaku: right now i don't have any of the cool stuff (agressive pruning, utxo commits, etc) written down, because i haven't taken the time to make those decisions
14:55 < warren> petertodd: Iceland!
14:55 < maaku> petertodd is a renaissance man. where'd you do your fine arts?
14:55 < maaku> yeah iceland. or the azores
14:55 < sipa> Iceland is very cool8
14:55 < sipa> cold, even
14:56 < petertodd> heh, iceland it is!
14:56 < warren> we can enjoy puffin meat
14:56 < petertodd> maaku: http://www.ocadu.ca/
14:56 < petertodd> warren: and go aroudn taking beautiful phtoos
15:04 < maaku> heh, you got my wife excited about a trip to iceland now
15:05 < sipa> warren: puffin is nice!
15:05 < andytoshi> oh, that's right, petertodd said he was a -canadian-, not a mathematician
15:06 < andytoshi> that's why i asked you about the matching problem :P
15:06 < petertodd> andytoshi: minor typo, the keys are like right next to each other
15:07 < sipa> someone read too much bash.org
15:07 < maaku> maybe we can get Cloud Hashing to host it
15:07 < petertodd> sipa: +1
15:07 < maaku> i don't think they're in reykjavik though
15:08 < warren> how much of the world's hashing will be in iceland...
15:09 < maaku> arctic air and geothermal power...
15:09 < petertodd> warren: I was just doing the math on if my parents could heat their house profitably with bitcoin mining...
15:09 < sipa> if you can heat your house at acceptable cost using electricity, you certainly can when using mining hardware instead
15:09 < sipa> except: noise, hardware cost
15:10  * maaku is waiting for an HVAC insert to replace heating coils with bare ASICs
15:11 < petertodd> sipa: problem is we're really talking about hashing not mining
15:11 < sipa> unsure what distinction you mean
15:11 < petertodd> maaku: I'm waiting for silicon that can run at > 100degC
15:11 < sipa> petertodd: GPUs!
15:12 < petertodd> sipa: it doesn't buy us a damn thing with regard to decentralization
15:12 < warren> decentralized hashing means nothing if cex.io
15:12 < petertodd> warren: yup
15:17 < petertodd> sipa: so fwiw fuel oil is about 1/3rd of the cost of electrical heat up here, and electricity is $0.3/kwh - what's interesting is that the more northern communities tend to have electricity costs similar to fuel oil heating costs because it's all diesel generators anyway
15:17 < petertodd> sipa: here in yellowknife though they have (expensive) hydro-electricity from a small damn a little further north
15:18 < petertodd> *dam
15:27 < maaku> petertodd: you're in yellowknife?
15:27 < maaku> that is far north
15:27 < maaku> i was watching a special the other day about the mining and prospecting boom up there
15:28 < maaku> (old school mining)
15:29 < maaku> I grew up on a steady diet of Jack London. In another life I'd probably be up there myself.
15:42 < petertodd> maaku: yeah, visiting the parents, they moved up there 9 years ago
15:43 < petertodd> maaku: there's two former gold mines within city limits here, and tens of millions of tonnes of water soluble arsenic trioxide left over from one of them...
15:43 < maaku> ugh
15:45 < petertodd> yup, plan is to freeze it in place to be par of the permafrost; there's a small river that runs directly over the caverns the stuff is stored in, and god knows what global warming will do
15:46 < petertodd> *part
15:47 < petertodd> I love to use it as an example of how the safety of nuclear waste disposal is overblown: at least nuclear waste becomes safer over time, that arsenic will be toxic forever
16:02 < BlueMatt> petertodd: nice
16:02 < BlueMatt> maaku/sipa: looking at north carolina (east coast) as there will likely be a mini-btc-conf there around that timeframe (hence why I was suggesting it)
16:03 < BlueMatt> and if someone doesnt want to pay the flights, its possible they can commit to giving a quick talk and getting that covered
16:03 < BlueMatt> sipa: at least its not as far as mtv :p
16:05 < petertodd> BlueMatt: lots of nice caves in that area :P
16:06 < sipa> BlueMatt: yeah. but finding a reason to visit mtv is easy :)
16:07 < BlueMatt> true
16:07 < BlueMatt> sipa: still, it only costs like 1-2 BTC these days...
16:08 < petertodd> BlueMatt: not all of us are satoshi :P
16:08 < sipa> damn, that really sounds cheap...
16:08  * BlueMatt bought a laptop for 2 btc a few weeks ago because it sounded too cheap
16:08 < sipa> i recently topped up my mobile account using btc
16:08 < sipa> in .be
16:09 < sipa> i wanted to add just 10 eur, and accidentally added 25 eur though...
16:10 < sipa> i really don't have any reference for BTC prices (and i guess nobody does)... but compared to the amount i have (some leftover from mining 2 years ago...) it all sounds like nothing
16:12 < sipa> petertodd. maaku. gmaxwell: what's the latest evolution regarding TXO MMRs?
16:13 < maaku> defer to petertodd & gmaxwell on this
16:13 < petertodd> sipa: doing a writeup for them is on my never-ending todo list...
16:13 < petertodd> sipa: the thinking behind them hasn't changed fwiw
16:15 < sipa> i heard something about splitting it up into... i suppose a non-changing txo part and a changing spentness part?
16:16 < petertodd> sipa: oh, that was my plan from the beginning
16:16 < sipa> i didn't catch that part initially then
16:17 < petertodd> sipa: well the key thing is you want to still provide a zero-trust way for wallets to sync data, so a per-block index still makes a lot of sense
16:18 < petertodd> sipa: main thing is the two ideas are separate really
16:18 < sipa> you mean... still have a merkle UTXO tree too?
16:18 < petertodd> sipa: no, a per-block txo tree sorted by H(scriptPubKey) or similar
16:19 < sipa> ok
13:31 < adam3us> petertodd: i was thinking you could sign them offline and upload them as a batch airgap/usb.  there is some consideration about giving users signed proof that this is your address, users can get together or publish those proofs and the server's payment privacy (which they want for commercial sensitivity of eg their trade volume) is blown and provably so, payment request has the same issue
13:43 < petertodd> adam3us: indeed, but, what it comes down to is all this stuff is better done by leveraging existing systems so UIs can be seamless
13:44 < petertodd> telling users about some "account number" is something that doesn't lead to good understanding in the long run too
13:46 < adam3us> petertodd: yes it's not an ideal world.  i am thinking that even low value storage like $10, $100 may not last on windows machines.  people will lose interest if their wallet keeps getting emptied by bitcoin thieving malware, so then you're on to tpms (which don't help much without trusted path IO, and dedicated display) or hardware wallets with display (trezor)
13:48 < petertodd> if bitcoin does anything good for the world it might be to improve computer security...
13:48 < petertodd> anyway, even if windows boxes turn out to be hopeless, CAs have a chance of improving
14:04 < jgarzik_> Relevant dumb question... how happy are people with HD wallets, from a math/crypto standpoint?  We love them, but having this emotional, unreasoned fear of having a lot of mathematically-connected addresses
14:05 < jgarzik_> We wind up coming up with schemes like "new seed per month" + new derived public key seeds for merchants etc.
14:05 < jgarzik_> trying to avoid too much math derivation links, and limit the damage caused by a seed compromise
14:06 < petertodd> jgarzik_: well, I will say apparently the Tor project is adopting the underlying idea for something to do with hidden services; but IANAC...
14:06 < jgarzik_> IANAC -- storing that one for later use
14:07 < HM2> I can't believe the tight git behind that whopping transaction didn't pay a fee for his cpu cycles ;)
14:16 < warren> where are we on 0.8.6?
14:20 < gmaxwell> jgarzik_: If HMAC-SHA512 is broken in a way and with a severity that makes this matter at all we are fucked on so many different levels that 'related keys' wouldn't be on the radar.  It's also a bit cargocultish: openssl reads from /dev/urandom only on startup... All your keys generated during an execution session are already related by a CSPRNG scheme not unlike the BIP32 private derivation.
14:20 < phantomcircuit> gmaxwell, weird
14:21 < phantomcircuit> is there any good reason for openssl not to continuously rekey with /dev/urandom
14:22 < gmaxwell> jgarzik_: my personal allowance to paranoia on this front is using a 512 bit state inside the derivation, which makes it very likely that the keys are indistinguishable from each other without the full state in an information theoretically sound way (e.g. there probably exists some unknown state that would make any two randomly selected keys 'related')
14:22 < gmaxwell> phantomcircuit: just software engineering reasons... esp considering multithreaded programs.
14:23 < jgarzik_> gmaxwell, not claiming it is rational (note the "emotional" qualifier)
14:23 < jgarzik_> Just encountering multiple programmers with the same sentiment
14:23 < gmaxwell> jgarzik_: I know. I hope I added to your ability to discuss it: e.g. that most random generation schemes have hidden relationships.
14:24 < gmaxwell> Non-paranoia based: Key management is a real issue, rotating keys periodically is prudent not for cryptospeculation reasons but just because forward security may reduce exposure.
14:45 < gmaxwell> adam3us: so... in the past I've whined that we have no utxo expiration on the basis of an economic concern:  Eventually lots of coin will be lost and bitcoin will deflate. That's not bad.  But we don't know how much is lost... and that's potentially bad. E.g. say all but 10 BTC is lost and 1 BTC now buys you a nice planet. etc. This is exacerbated in that a lost coin can't be upgraded to better crypto, so eventually ecdsa secured coins ...
14:45 < gmaxwell> ... may suddenly become unlost in vast numbers, which might disrupt the economy.
14:45 < gmaxwell> adam3us: if we had committed coins with totally hidden values, wouldn't this be even worse? e.g. we wouldn't even know the value of the coin in circulation?
14:46 < warren> I implemented a hack to test expiration.
14:46 < warren> just to get some numbers of how big the chainstate and memory use would be
14:47 < warren> the existing remove unspendable txo patch only works on reindex, not too useful for getting rid of old TXO
14:49 < warren> gmaxwell: hmm, so MMR to spend old "forgotten" coins wouldn't be any better for the forward security reason
14:51 < gmaxwell> warren: Right, you'd only get increased economic certainty if the coins actually become unspendable.
14:52 < gmaxwell> I don't know how much the certainty matters absent cryptographic breaks. But with breaks it's probably pretty concerning, but it could be addressed differently. E.g. when replacement crypto is deployed you add a new rule that after date xyz ecdsa will be unspendable.
14:52 < warren> not just crypto breaks
14:52 < warren> old backups
15:05 < adam3us> gmaxwell, jgarzik: i think HD crypto is fine. it's also very important for backup.
15:06 < adam3us> gmaxwell: committed coins recirculating in hidden form i guess yes you have no idea what has even moved (unless there is early decommit).  (re estimating proportion of spendable utxo)
15:09 < phantomcircuit> gmaxwell, I'm guessing that the hmac-sha512 won't be broken for a long time after sha512 is broken
15:09 < phantomcircuit> which should provide for a fairly significant security warning
15:09 < adam3us> gmaxwell, warren: there are people who explored digital archiving of signed info, with like multiple sig algos, time-stamping, re-signing entities.  maybe you can say during a phase out period, which hopefully isn't too sudden, you get to replace an ecdsa256 with something else
15:10 < adam3us> phantomcircuit: yes hmac makes limited assumptions even hmac-md5 is non-stupid (where md5 is now a dud)
15:16 < adam3us> erm saw something funny armory online generated an address with 121okABVjfk6QSV1pAZeVZdoU7utpp6jxd but when pasted it views 121okABVjfk6QSV1pAZeVZdoU7utpp6Jxd (capital J) i noticed so put a small sacrificial payment to it
15:30 < adam3us> seems like armory anomaly bc.i thinks its uppercase
16:49 < adam3us> hmm it's a font issue some of those linux fonts are dodgy and j looks like J except for one pixel pretty much, doh!
17:40 < jgarzik> adam3us, gmaxwell: thanks (re HD wallets)
18:29 < Luke-Jr> cfields:
18:30 < cfields> Luke-Jr: will a non-gitian dmg suffice, until i can get in touch with devrandom to fix up a few things?
18:30 < cfields> scripts to build it ofc, not just the result
18:33 < Luke-Jr> suffice for what?
18:33 < Luke-Jr> and what needs fixing? :o
18:33 < cfields> deterministic dmg bounty
18:34 < cfields> mainly, need a raring vm
18:34 < cfields> very possible i just don't know enough about gitian to set one up properly
18:34 < Luke-Jr> well, let's see if I can help with that first
18:35 < cfields> when i try to create a raring image, it says it's unsupported
18:35 < cfields> (running on native raring)
18:36 < Luke-Jr> what arch?
18:36 < cfields> but i believe the dmg should be deterministic without gitian already
18:36 < Luke-Jr> yes, but gitian deals w/ the signatures :/
18:36 < cfields> native is x86_64. gitian should start there, since that's where i've tested so far
18:37 < cfields> ok, well don't worry about it then, i'll get gitian up first
18:37 < cfields> actually, i'll probably start with precise and just use a ppa for clang
18:38 < Luke-Jr> I mean what arch do we need the image for?
18:39 < cfields> x64 would be closest to what i've been testing with
18:42 < Luke-Jr> amd64 you mean..
18:42 < cfields> we've done this before, can we just skip it this time? :)
18:43 < cfields> yes, amd64
18:43 < Luke-Jr> what version of vmbuilder?
18:43 < cfields> but don't worry about it, precise is probably a saner choice anyway
18:43 < Luke-Jr> cfields: you're aware there is a distinction between x86 and x32? ;)
18:43 < Luke-Jr> precise+PPA is not necessarily saner
18:44 < Luke-Jr> since we're then trusting not just Canonical, but also <random PPA maintainer>
18:44 < Luke-Jr> the ideal solution would be to build a clang deb in a gitian instance
18:45 < Luke-Jr> but not sure if that's practical for you or not
18:47 < cfields> Luke-Jr: well for now, I just want something that works. There are a dozen things that will need to be reworked, I don't want to spend too much time on work that will be thrown out anyway
18:47 < Luke-Jr> ?
18:47 < cfields> just POC stage for now
19:05 < Luke-Jr> cfields: fwiw, raring works after I upgrade vmbuilder
19:05 < Luke-Jr> but I don't know how easy it is to do that on Ubuntu
19:14 < cfields> hmm, interesting
19:14 < cfields> will have a look, thanks
20:23 < midnightmagic> gmaxwell: Hey man, you're not using the account:password IRC server password or something, we saw your host.
20:25 < Luke-Jr> cfields: I maybe spoke too soon - it errored out later
20:26 < gmaxwell> midnightmagic: stupid ircness.
20:26 < midnightmagic> +1
20:30 < K1773R> midnightmagic: you can auth by passing account:password as server password?
20:38 < cfields> Luke-Jr: same. I'm trying it on precise just for shits. 99% clang is too old there, but it gets me started with gitian
20:43 < phantomcircuit> K1773R, yes
22:03 < warren> Who is going to the Vegas conference?  I arrive in the afternoon of Dec 8th.
22:35 < gmaxwell> Sadly it overlaps with the picture coding symposium, so it seems I can't go.
22:55 < cfields> anyone know where gitian sets the image size limit (lxc) ?
22:55 < cfields> seems i've outgrown mine
23:32 < Luke-Jr> I wasn't aware LXC had limits O.o
04:57 < petertodd> gmaxwell: for sure, what's neat about other card games is you can pull off the same trick without even having a oddly half-empty deck
04:57 < petertodd> gmaxwell: your use-case is probably more practical though (!)
04:58 <@gmaxwell> well, I've contemplated building a stack of symmetric secret business cards. e.g. some perforated cards with a secret printed on both halves like a raffle ticket but with more entropy... but it's kinda conspicuous.
04:58 <@gmaxwell> This card deck thing came from pond, incidentally.
04:59 < maaku> petertodd: well you could do the two-deck trick with a nearly even split, and say it's a bridge deck
04:59 < petertodd> ha, pond is a great application
04:59 < petertodd> maaku: oh, nice!
05:00 <@gmaxwell> maaku: do you have duplicated cards in a bridge deck?
05:00 < maaku> gmaxwell: you have multiple decks iirc, and most players don't bother sorting them back in between games
05:01 < maaku> never actually played bridge myself
05:02 <@gmaxwell> the other good thing about the deck is that it requires very little prep, every drugstore in the US has cheap playing cards.
05:02 <@gmaxwell> vs any of my business card shared secret ideas ... involve at least one side doing prepwork that can't easily be done on short notice or on the road.
05:04 < petertodd> ~52-bits is a bit weak, but 32-bits of hardening are pretty easy to obtain to push it back to reasonably secure
05:04 <@gmaxwell> pond wants you to do shared password, time, and the card deck.
05:05 < petertodd> yeah, that should be enough
05:05 <@gmaxwell> and supports one or two card deck modes. two deck is pretty good.
05:05 <@gmaxwell> someone needs to add bitcoin transaction support to pond... as it's effectively a high latency mix network (hurrah)
05:06 <@gmaxwell> (and supports messages up to 16kb)
05:08 <@gmaxwell> and yea, pond uses scrypt kdf on the shared secret... doubt it does 32 bits worth though.
05:13 < petertodd> seems to me that pond + bitmessage-style pow would make a lot of sense
05:15 <@gmaxwell> well pond uses group signatures (pairing crypto, /me ducks adam3us rocks) for antispam. You publish to your server a group element that basically is a broadcast encryption style public key that anyone on your contact list can sign for.
05:16 <@gmaxwell> You can add more people to it at any time, and the server can't tell which person is sending to you just that they're on the list.
05:16 <@gmaxwell> you can also revoke contacts.
05:16 <@gmaxwell> so you don't really need POW to protect the recipients, which are the most bandwidth starved.
05:17 < petertodd> exactly, use pow to bypass the introduction process for things like tx's where you want to be able to send through anyone
05:18 <@gmaxwell> POND is kinda odd, it's sort of half way between email and IM.  There are no public identities in it. The introduction process is the identity.
05:18 < petertodd> or alternatively, pick a random person from your contacts, they pick a random person themselves etc.
05:18 < petertodd> go through a few hops of that and spit it out to the network
05:18 <@gmaxwell> but yea, TXs don't quite fit directly.
05:18 < petertodd> s/person/persons/
05:19 < petertodd> yeah, well pond does leverage tor to let the pure group sig mechanism work - if it was on the opennet you'd want something more like bitmessage for the larger anonymity set
05:20 <@gmaxwell> right. I wonder if my pond brainwallet attempt will introduce me to any random people
05:23 < Emcy> that card deck thing is pretty cool
05:24 < Emcy> pond seems to be the secure comms thing that the real crypto nerds talk about the most
05:25 < Emcy> great for specialised applications like source confidentiality in journalism etc, but it would be a shame if its another thing that can only really be used by the tech proficient
05:26 <@gmaxwell> Emcy: the software is pretty easy to use. .. I don't actually think it's useful for source confidentiality in journalism, at least the way it is today.
05:26 <@gmaxwell> The relationship in pond is completely symmetrical. Meaning you can't just advertise a contact address.
05:27 <@gmaxwell> it's an IM like communications model, except it's high latency/async which means it can be resistant to traffic analysis ... lets you receive messages while offline.
05:28 < Emcy> yes, you have to meet your contact irl first and do something like the card split thing. I read (proper) journalists are going back to face-to-face now after the snowden stuff
05:30 < Emcy> they state plainly that pond is not resistant against a GPA though, which i think something like bitmessage actually is or at least could be?
05:32 <@gmaxwell> It's really hard to be GPA immune. Though I don't think anyone believes the NSA is a true GPA in the absolute sense. (A true GPA can see every network link)
05:33 <@gmaxwell> Bitmessage could be GPA immune if you are RX only... but it's not (unless they've redone the protocol in the last two months) because of the stupid key handshaking stuff.
05:35 <@gmaxwell> e.g. no GPA could tell which bitmessage user is receiving which message because you don't _do_ anything to receive.  unfortunately, instead of putting the @#$@# key in the address, bitmessage requires receivers to transmit their key, so you can't (easily) be a passive receiver in bitmessage.
05:35 < Emcy> NSA putting a tap on all the fibre trunks and looking at packet headers is about the same as tapping every endpoint right? I suppose you'd lose some timing resolution
05:36 < petertodd> Emcy: doesn't give you info on customer-to-customer connections within ISPs for instance
05:37 < Emcy> true, but that's not the only thing they do. the ATT room from 2006 for eg
05:38 <@gmaxwell> Right, tapping lots of links is not the same as tapping all links.
05:38 < petertodd> Emcy: the customer-to-customer connection may be just 100ft of ethernet cable in the case of a colo center... or internal to a box at a vps provider
05:38 <@gmaxwell> A true GPA taps all links. NSA is just an approximation of that.
05:39 <@gmaxwell> e.g. there are network links in my house that appear to not have NSA taps on them, thus the NSA is not a GPA. :P
05:39 < CodeShark> you'd be surprised :p
05:39 < Emcy> yes. still too close for comfort and the panopticon effect is in play too
05:40 <@gmaxwell> GPA is just not a good model for what to be secure against. A true gpa doesn't exist, a true gpa is very hard to be secure against... and the model doesn't give a good way to reason about what a near-GPA can do.
05:41 <@gmaxwell> I'm not aware of any scheme which is bidirectional GPA immune... though maybe I can imagine some insanely inefficient thing.
05:43 < petertodd> gmaxwell: timelock crypto works if you assume the GPA has a lifespan less than the delay in getting the message read
05:43 <@gmaxwell> I was thinking about that.. but yea. that's not too helpful. :P
05:44 <@gmaxwell> petertodd: I did come up with a neat bitmessage alternative idea.
05:44 < petertodd> gmaxwell: ?
05:44 <@gmaxwell> Instead of POW, you use ZKP blinded SIN to ratelimit access to the network.
05:44 < petertodd> gmaxwell: oh, we were talking about that at dark wallet
05:44 <@gmaxwell> then someone can only dos the network by paying tons of money to fees.
05:44 <@gmaxwell> win win
05:45 < petertodd> gmaxwell: only sticking point is finding a ZKP implementation...
05:45 <@gmaxwell> do you think this can tolerate the CRS limitation? (that there is some hopefully unknown to anyone randomness that would allow fake proofs)
05:46 <@gmaxwell> probably can
05:46 <@gmaxwell> since it's just a DOS attack
05:46 < petertodd> gmaxwell: sure, I'm a good guy :P
05:46 < Emcy> i think under the circumstances efficiency just cant be expected
05:46 < Emcy> i never needed to skype anyone at 100mbits anyway
05:47 < petertodd> it also doesn't need the zkp to act directly on the transaction - you can find the set of all sacrifices by looking in the blockchain and use a simpler mechanism
05:47 <@gmaxwell> petertodd: oh interesting point. so you could prove membership in a set which extracted with an eye on efficiency of proof.
05:48 < Emcy> but it makes me a sad panda that there are multiple factors all but guaranteeing pervasive private communications are probably a thing of the past now
05:48 < petertodd> gmaxwell: yup, and construct the sacrifice tx such that SPV clients can identify it
05:48 < Emcy> not least the average net users expectations of efficiency and performance
05:49 < petertodd> gmaxwell: gives you a nice anonymity set definition in the sharded bitmessage case: how many $'s worth of BTC does the attacker need to pretend to be the rest of that anonymity set
05:50 < petertodd> gmaxwell: which of course works best if people actually use their sacrifices to send messages at full rate constantly
05:52 <@gmaxwell> I wonder if there would be an interesting way to have users able to pool sacrifices with friends.
05:53 < petertodd> gmaxwell: oh it'd be easy: just share the private key
05:53 <@gmaxwell> e.g. if my friends have sacrifices and aren't transmitting, and I don't mind if they know that I am.. can I borrow their transmit juice without anyone else knowing.
05:53 <@gmaxwell> well yea, but that's a little inelegant. :P
05:53 <@gmaxwell> I suppose if I have a channel with them I could ask them to sign messages for me.
05:54 < petertodd> gmaxwell: right, but you have to come up with a mechanism that allows you to decide they're no longer friends, which requires global state... so you're left with a non-revokable mechanism, or interactive, *or* a mechanism you can use in advance
05:54 < petertodd> IE prepare signed statements valid for some time period that your friends can use in the future, and have the network have some limited memory to remember used proofs
05:55 < petertodd> what's interesting about this is it's a proof for bandwidth usage of the network as a whole - it's ok if half the network passes one version of the message and half the other version
07:48 < adam3us> jtimon: viz what they tried to pull on the lavabit guy, illegal requests for ssl key to all users, legal threats, cost harassment etc
07:49 < jtimon> but again, optional privacy removes responsibility from the redeemer
07:49 < adam3us> jtimon: i dont think redemption matters so much... just trade it for something else and cash out another way
07:49 < adam3us> jtimon: so long as you have fungibility, sell share for bitcoin, do a bitcoin-otc (in person)
07:50 < jtimon> gmaxwell's argument is that no one will buy it from you if the issuer marks it as non-redeemable
07:50 < adam3us> jtimon: redemption for a share is a fringe event right.  its  new stock issue, or a share buy back... 99.9% of trades are buy/sell for another currency or stock swap, in this case bitcoin
07:51 < adam3us> jtimon: but that's a suicide pact argument.  a judge can't close down the entire share ownership because dpr has 1000 ibm shares with perfect fungibility
07:51 < jtimon> I'm trying to understand the advantage of "full fungibility"
07:52 < adam3us> jtimon: partial fungibility invites legal and miner policy attacks
07:52 < jtimon> the redemption argument is that with imperfect fungibility they will force issuers to mark some of their assets as non-redeemable
07:53 < adam3us> jtimon: if legal threats become effective, it ruins your immediate settlement.. now everyone has to verify the seller's reputation to guess risk of undone settlement and we're back to square one - that's the current financial system
07:53 < jtimon> that attack doesn't make much sense to me either because of optional privacy
07:54 < adam3us> jtimon: but if they cant tell which assets to mark as non-redeemable what is that - a haircut % for everyone?
07:54 < adam3us> jtimon: arent you making my argument? if you use the privacy, (chaum blinding) you have full fungibility?
07:54 < jtimon> "tainting" just doesn't make sense to me, maybe because I assume that judges won't be totally crazy...
07:55 < jtimon> a haircut for everyone on what basis?
07:55 < adam3us> jtimon: the lesson from lavabit if anything is that the judge saw the technical argument, and did his best to override it ignoring sanity and privacy rights of unrelated users
07:56 < jtimon> if a state forces issuers in its jurisdiction to do such a stupid thing, all issuers will move to other jurisdictions very fast, as their clients go away
07:56 < adam3us> jtimon: u said the issuer will be forced to mark some assets non-redeemable, if you don't know which user is which, how do you withhold from the target user?
07:56 < adam3us> jtimon: well... you could make that argument about the us in spades, and yet most of the world's bitcoin companies are there
07:57 < jtimon> maybe I'm too optimistic
07:57 < adam3us> jtimon: also jurisdiction shopping has limits - it just depends how badly they want to attack something
07:57 < jtimon> I think some jurisdictions will get this right and others won't
07:58 < adam3us> jtimon: i don't think we're necessarily disagreeing, what you are saying is reasonable, but what i (and i think sipa) said is why tempt fate and push the limits of their reasonableness to find out - just use cryptography
07:58 < jtimon> the ones that get it wrong will suffer the economic consequences and maybe reconsider their reactionary positions
07:59 < jtimon> but I don't like chaumian cash because it lacks a lot of features I want
07:59 < adam3us> jtimon: i think real-politic is far uglier and selective extra-legally enforced - nsa blackmail, local favors, backroom deals between respective TLAs etc
07:59 < adam3us> jtimon: use brands it is very flexible
07:59 < jtimon> what?
07:59 < adam3us> jtimon: brands blind credential = blind schnorr extension
08:00 < adam3us> jtimon: you said chaum lacks features, if your features are achievable with blinding, brands is going to be the answer as it has more features than anything else
08:00 < jtimon> I don't know that, but I highly doubt there's any non-traceable asset that can be traded atomically with, say, 8 other assets transitively
08:01 < jtimon> please, tell me if the following is possible
08:01 < jtimon> Alice wants to pay David, who only accepts CCC as payment
08:01 < adam3us> jtimon: u might be surprised what you can do with it efficiently, and compactly in zero knowledge it can be all EC discrete log like ECDSA
08:01 < jtimon> Alice owns AAA
08:02 < jtimon> there's open orders selling BBBs for AAAs, CCCs for BBBs
08:02 < jtimon> in a single atomic transaction alice sells her AAAs for BBBs, which sells for CCCs which sends to David
08:03 < adam3us> jtimon: so why do you think thats not possible even with chaum?
08:03 < jtimon> is that atomic transaction possible with brands?
08:03 < adam3us> jtimon: the atomic swap relies on smart contract hashlocks and scripts right
08:04 < jtimon> ok, I forgot to mention that AAA, BBB, CCC are accounted for in different servers/chains
08:04 < adam3us> jtimon: i am not sure what the atomic swap model is but it might be possible already with chaum, its still a normal signature
08:04 < adam3us> just sign a smart contract with a script input and blind chaum sign no and use the existing atomic swap tx?
08:05 < jtimon> maybe I don't understand chaum well enough, but I don't think it is a signature
08:05 < adam3us> jtimon: not natively but you can make it so
08:05 < TD> if anyone wants to talk to me via Pond (pond.imperialviolet.org) then let me know and I'll give you a shared secret
08:05 < adam3us> jtimon: in my credlib library i did that
08:05 < TD> [ob explanation:   pond is forward secure, tor based messaging that scrambles everything against every attacker except someone who can de-anonymize tor)_
08:06 < adam3us> jtimon: the idea is that the thing you get the issuer to blind sign is the hash of your public key, that you will sign with to prove ownership in contracts
08:06 < jtimon> that's not what I read about chaumian cash
08:06 < adam3us> chaum ecash only doesnt do that because its an online protocol so theres no point
08:07 < adam3us> they just sign a structured random number to act as the coin serial number for double spend protection
08:07 < adam3us> anyway check it out, it's in the credlib library with a demo program
08:07 < jtimon> this is what I read: http://anoncvs.aldigital.co.uk/lucre/theory2.pdf
08:08 < adam3us> oh that's not even chaum, that's david wagner's blind mac workaround as implemented by ben laurie
08:08 < adam3us> but the patent expired on chaum so now blind mac is less important
08:08 < jtimon> ok, then everything I said about chaumian cash doesn't apply
08:09 < jtimon> that's the theory OT links to
08:09 < jtimon> ok, time to read about chaumian cash, I thought I knew what it was
08:09 < adam3us> jtimon: but you were right that chaum cash did not use blind certificates, only blind signatures because they assume the issuer and the transaction server are the same, and in fact the only transaction is redemption
08:10 < adam3us> jtimon: its much simpler than wagner's blind mac.
08:10 < jtimon> do you have a quick link?
08:11 < adam3us> jtimon: vs rsa sig   s=m^d mod n verified s^e=?m
08:11 < adam3us> jtimon: blind sig is: -> b^e*m (user sends to server)
08:11 < adam3us> jtimon: server sends (b^e*m)^d back to user
08:12 < adam3us> jtimon: user unblinds and gets normal rsa sig m^d for m server never saw
08:12 < adam3us> jtimon: because (b^e*m)^d = b*m^d and user divides by b so (b^e*m)^d/b=m^d qed
08:12 < jtimon> so once it shows it to the server, the tx cannot be rolled back?
08:13 < adam3us> jtimon: the server will not be able to correlate the issue message with the deposit message because b is random and chosen by the user
08:13 < adam3us> jtimon: the server prevents double spend by accepting m only once; it is the coin serial number
08:13 < jtimon> so the server never sees b, no?
08:14 < adam3us> right doesn't see b ever, doesn't see m during issue, sees m during deposit
08:14 < adam3us> jtimon: the server has no idea what it signed, so it doesn't support attributes - eg value/denomination/currency
08:15 < jtimon> the issuer does
08:15 < adam3us> jtimon: they work around that by having a different issuer key for each currency / denomination
08:15 < adam3us> jtimon: yes
08:15 < jtimon> so there's only issuance and deposits, no transfers
08:16 < jtimon> say Alice issues AAA and sends it to Bob
08:16 < adam3us> jtimon: as stated because thats what they wanted
08:16 < jtimon> How does Bob transfer it to Carol?
08:16 < adam3us> jtimon: but instead of m being a coin serial number, it can be the users hash of public key
08:16 < adam3us> then the blind sig is actually a blind certificate, so you can transferably assert and prove ownership of it
08:17 < jtimon> in bitcoin I can prove ownership of a coin by signing external messages with my private keys
08:17 < adam3us> u know in the 1995 era we had a coloredcoin like idea to color coins without the central bank's approval - as it can't tell what it's signing it was called a cut-out protocol
08:18 < adam3us> jtimon: right so if you have a blind certificate from the issuer, you sign a message transferring ownership to another user
08:18 < jtimon> that cannot be conditional to anything else
08:18 < adam3us> jtimon: or as bitcoin generalize the concept of signature into a contract script involving the signature
08:19 < jtimon> I cannot "transfer AAA to Bob if and only if Bob transfers BBBs to me"
08:19 < adam3us> jtimon: why not?
08:19 < jtimon> I'm asking, is that possible when AAAs and BBBs are accounted for in different servers ?
08:19 < adam3us> jtimon: if you take whatever you are doing now and replace the signature by the certified blind chaum address signature, doesnt it still work?
08:20 < adam3us> jtimon: i dont know how your atomic swap tx works with two different freimarket servers
08:21 < jtimon> private servers implement additional OPs that can make scripts conditional to events in external chains
08:21 < jtimon> so they rely on traceability
17:55 < midnightmagic> i'm sad warner isn't idling in freenode anymore.
18:39 < petertodd> midnightmagic: what work exactly?
--- Log closed Thu Jul 25 00:00:21 2013
--- Log opened Thu Jul 25 00:00:21 2013
11:51 < jgarzik> petertodd, basic IRC skeleton working, between irssi and a no-channel IRC daemon skeleton
12:26 < petertodd> nice!
12:26 < petertodd> what language?
12:27 < petertodd> and where is the repo?
12:27 < petertodd> once this is working, by definition we *have* to stop using #bitcoin-wizards on freenode...
12:34 < petertodd> relevant: https://www.networkworld.com/news/2013/072513-cybercriminals-increasingly-use-the-tor-272192.html
12:40 < jgarzik> petertodd, JS, private repo ATM, until it has minimal function as a single node, RAM-only IRC server
12:41  * jgarzik wants to create benevolent botnets :)
12:42 < petertodd> ha
12:43 < petertodd> any bonds implemented yet?
12:43 < jgarzik> petertodd, bleh, bikeshedding.  We'll all meet again on #crypto-wizards@af62dc66255d84a26fc269407860e86cc9eacdbca3cb9484932d6f856692fb07
12:43 < jgarzik> petertodd, nah, bonds are boring these days
12:44 < jgarzik> petertodd, SINs have a greater chance of changing the world ;p
12:44 < petertodd> heh, ok, sacrifices I should say
12:44 < jgarzik> petertodd, ah.  About to add support for manually creating SINs via sacrifice to txtool, so I can start testing at least.
12:45 < petertodd> cool, is that with a minimal "make a digest expensive" method?
12:46 < petertodd> I mentioned fidelity bonds on freenet-devel fwiw
12:46 < jgarzik> petertodd, it's what's described at https://en.bitcoin.it/wiki/Identity_protocol_v1#Creating_sacrifice_transactions almost to the letter
12:47 < jgarzik> tangent: I want a different wiki
12:47 < petertodd> ok, which means it's then easy to define a tool that takes <digest>, so we're good
12:47 < petertodd> heh... like a p2p wiki? :P
12:47  * jgarzik runs
12:48 < petertodd> greg and I were talking about that ages ago... looks doable, but you need a git-like branch/merge model
12:49 < petertodd> also, speaking of freenet, if you haven't already read up on how they do reputations and anti-spam on Frost and Freenet Messaging System (FMS)
12:51 < jgarzik> my ignorance of freenet is almost willful at this point
12:51 < jgarzik> It just annoys me, for some reason
12:51 < jgarzik> I would rather have a clean reinvention
12:51  * jgarzik , Captain of the Knights of NIH, heads out for breakfast
12:51 < petertodd> well, it is ancient tech in many ways... it was the first opensource project I got involved with, back in highschool
14:24 < amiller> i'm starting to get really excited about SINs.
14:24 < amiller> i still think it's wrong but it's going to be such a step in the right direction and far better than anything else
14:38 < gmaxwell> Worse Is Better.
--- Log closed Fri Jul 26 00:00:23 2013
--- Log opened Fri Jul 26 00:00:23 2013
04:15 < midnightmagic> hah!  FMS does WoT too.
04:15 < midnightmagic> Everything WoT.
09:23 < amiller> FMS?
09:24 < jgarzik> PMS?
09:25 < amiller> RMS.
09:25 < amiller> <midnightmagic> hah!  FMS does WoT too.
09:25 < amiller> <midnightmagic> Everything WoT.
09:26 < gmaxwell> presumably freenet's messageboard stuff
11:10 < nanotube> freenet messaging system, iirc
18:58 < gmaxwell> petertodd: I suppose SCIP does make constructing oracles easier:
18:58 < gmaxwell> you build an oracle that takes in some hash of a SCIP program, the program, some input X, and the proof.
18:59 < gmaxwell> if the proof passes, you do what the instructions in X say.
18:59 < gmaxwell> But the instructions can be really trivial imperative commands, the oracle doesn't need to be turing complete.
18:59 < petertodd> yup
19:09 < petertodd> did you see the thread on oracles on bitcointalk btw?
23:12 < amiller> is there a new thread on oracles
23:12 < amiller> there's a big gap between an SCIP program and an oracle
23:12 < amiller> an SCIP program is just a program it can be publicly verifiable
23:12 < amiller> but people also use "oracle" to mean things that are unverifiable, like whether your grandson is dead yet
23:13 < amiller> i'm really pissed at the munging of these in the pop culture (mostly i just mean TD)
--- Log closed Sat Jul 27 00:00:26 2013
--- Log opened Sat Jul 27 00:00:26 2013
00:43 < zooko`> !
10:47 < jgarzik> IRC daemon skeleton now understands channels and PMs.  What a crappy protocol, IRC.
10:47 < jgarzik> I knew this before, but am freshly reminded.
10:50 < gmaxwell> amiller: Right, I'm just pointing out that using SCIP you can separate the computation and trust elements of remote oracles. Including the grandson case!
10:51 < gmaxwell> amiller: e.g. if your prior oracle protocol would have been "make a SSL connection to the social security administration and check to see if it says he's dead" you can do that computation under SCIP  and show it to the oracle.  (* well excepting the fact that SSL blows goats)
10:52 < gmaxwell> (*ssl's goat blowing means that you'd actually need to ask the oracle to make the connection, return back a signed copy of the data, then do your HTML processing on that, and return the receipt)
10:53 < gmaxwell> In any case, the notion there being that if the oracle only executes a simple set of procedures, and validates a SCIP proof, it means that it's a lot easier to have confidence that the oracle itself isn't vulnerable.
10:53 < gmaxwell> vs sending arbitrary code to the oracle.
10:54 < gmaxwell> It's not exactly the same, since you can't compute on data which is secret to you. On the other hand you can compute on data which is secret to the oracle.
10:55 < gmaxwell> Which may have benefits:  making an oracle super trustworthy is somewhat incompatible with the oracle being immune to censorship. So being able to hide from the oracle what exactly you're doing with it may be productive.
11:53 < HM> jgarzik, IRC protocol isn't that bad. Just lacks modern standardisation, half the networks in existence go beyond the standard
11:56 < HM> Hmm wow, '93. the RFC is newer than I would have guessed :P
14:12 < midnightmagic> irc isn't that bad. it's managed to survive all this time, and in part because the protocol is simple..
14:46 < jgarzik> petertodd, It is still completely useless and uninteresting at the moment, but, https://github.com/jgarzik/dirc
14:46 < jgarzik> still hammering out some empty-channel and echo-echo bugs, but people can connect, create channels, and talk to each other
14:47 < jgarzik> locally
14:47 < jgarzik> zero P2P
14:48  * jgarzik took a shortcut, and auto-generated a bunch of stuff from the RFC text
14:57 < jgarzik> bitcoin-like P2P connections can actually be plugged in rather easily, by re-using the existing node.js bitcoin networking code, which is already quite flexible and programmable.
14:59 < jgarzik> so the steps are: local, single node IRC server -> insecure multi-node via P2P flood-fill -> P2P flood-fill w/ digital signatures/SINs
17:30 < midnightmagic> jgarzik: out of curiosity, why are you starting from scratch?
17:31 < midnightmagic> not that i think you shouldn't, but i'm curious
17:47 < jgarzik> midnightmagic, I hate every ircd implementation I see ;p
17:48 < jgarzik> midnightmagic, it's also fun [re]learning, and nice having the low level IRC code arranged in a manner suited to this P2P/IRC proxying experiment
18:21 < Luke-Jr> jgarzik: it would be nice IMO if there was abstraction so XMPP MUC can be added later ;)
18:25 < jgarzik> Luke-Jr, *puke*  :)
18:26 < Luke-Jr> "?
18:26 < Luke-Jr> you dislike XMPP? >_<
18:26 < jgarzik> Luke-Jr, XML and XMPP are dinosaurs best forgotten, along with SOAP and the rest
18:26 < Luke-Jr> maybe, but nobody has replaced them yet.
18:26 < jgarzik> Luke-Jr, but yes, this will be platform agnostic.  IRC is just an app on top of a base layer.
18:27 < jgarzik> Luke-Jr, replace "IRC:" prefix with "XMPP:" and you're off and running
18:27 < jgarzik> on the p2p side
18:42 < midnightmagic> XMPP is the devil.
19:53 < Luke-Jr> :<
20:21 < HM> XML isn't pleasant to work with
20:21 < HM> but i'd take it over some of the alternatives in some scenarios
20:22 < HM> XML tooling was and is still excellent. validation, transformation etc
20:22  * HM sighs
20:30 < Luke-Jr> I don't like XML much, but XMPP sure beats the alternatives :/
22:06 < midnightmagic> :)
--- Log closed Sun Jul 28 00:00:28 2013
--- Log opened Sun Jul 28 00:00:28 2013
21:30 < petertodd> jgarzik: cool!
21:31 < petertodd> jgarzik: but if you don't add some crypto-coin stuff to it soon I'm going to have to call you a 1337 teenage h@x0r
--- Log closed Mon Jul 29 00:00:31 2013
--- Log opened Mon Jul 29 00:00:31 2013
00:14 < jgarzik> petertodd, hah, I doubt 1337 haxors build test suites
04:16 < petertodd> jgarzik: elite hackers on the other hand...
04:17 < Luke-Jr> he left
04:18 < Luke-Jr> although, I wonder what he considers Metasploit
04:18 < Luke-Jr> sure feels like a test suite to me <.<
04:30 < petertodd> lol
04:32 < gmaxwell> I dunno how you can write anything working in a dynamic language like php, js, or python without having a bunch of tests.
05:39 < sipa> gmaxwell: i really wish python had static types :(
05:40 < sipa> sometimes i work on a program that uses a large framework, which takes half a minute to start up a test instance
05:40 < sipa> only to see "syntax error: ..." for some trivial thing...
05:55 < gmaxwell> sipa: I have had experiences like having a 24 hour computation run hit a syntax error in the @#$#@# code that printed the results.
05:55 < gmaxwell> thats half of what made me stop using python for bulk computation.
05:56 < sipa> loi
06:00 < gmaxwell> e.g. stuff like print "%d %d %d"%(a,b,c,d)
06:30 < petertodd> there are actually static type modules available for python, and they work too, which on the one hand is nifty, on the other hand tells you a lot about how crazy you can get with dynamic types in python...
18:30 < HM> Boost.MPL
18:30 < HM> Kind of awesome, kind of makes me want to strangle squash living things
11:03 < gmaxwell> adam3us1: the pressure to implement fast JITs for this stuff is part of the reason I'm skeptical about people getting the cycle counters right.
11:04 < adam3us1> andytoshi: this is more like OP_FORMATDISK, OP_SENDPRIVATEKEYS
11:06 < adam3us1> gmaxwell: the nice thing about cross chain atomic swap as the main mechanism is its full-node secure (not just spv) and its the market makers who are taking the SPV risk
11:06 < adam3us1> (back on the pegged side-chain again)
11:06 < gmaxwell> in any case, with snarks I think you're just left with people may write scripts which are unsafe in a mean and nasty world, and I'm okay with that. I don't think we can do better without removing all flexibility. Hell, even DSA is not really safe in a mean and nasty world. :)
11:07 < gmaxwell> adam3us1: hm. well atomic chain swaps are not secure against sufficently reorgs with double spends... but they are a 1:1 risk, only the person swapping with you can rip you off.
11:07 < gmaxwell> er sufficiently deep reorgs.
11:08 < gmaxwell> Right the first step of an atomic swap is to multisig escrow coins.  If you suffer a reorg deep enough that the escrowing can be killed on one chain, after the transaction is done on the other, the coins can be clawed back.
11:08 < gmaxwell> it's just not a doomsday risk
11:09 < nsh> so.. i guess OP_DOOMSDAY is completely out the window?
11:09 < adam3us1> gmaxwell: i am not 100% sure, though there is some plausibility, that you can expect to extract secure finance in a distributed version of core wars/redcode, even with user action on input for private keys, private key crypto ops outside of the sandbox, sandboxes for execution.  non-functional stateful code in a hostile distributed execution environment plus a bit of crypto
11:10 < petertodd> adam3us1: my first question: what is all this going to actually be used for?
11:27 < justanotheruser> hello
11:35 < adam3us1> petertodd: its going to be used say to encourage an explosion of innovation, by making TC code maximally self-extensible.
11:39 < adam3us> petertodd: alternatively a fun experiment in core-wars/redcode with $Bns at stake, or exploring the boundaries of human ability to write secure code in a hostile environment & formal provability of security properties of code
11:39 < petertodd> true!
11:39 < petertodd> corewars where you actually lose money if you lose
11:48 < jtimon> very interesting, I hadn't thought about the scripts as a source of consensus-critical-implementation-consistency bugs
11:48 < jtimon> I'm not sure I understand the corewars attacks though
11:49 < jtimon> say I pay to a p2sh and the script is TC
11:50 < jtimon> the attacker still has to find a script with the same hash, no?
11:50 < jtimon> what am I missing adam3us1 ?
12:21 < jtimon> I guess I don't understand the corewars game itself
12:23 < adam3us> jtimon: corewars i never played either but the idea is to seize control of the cpu or the other guys program.	a game of hostile code vs hostile code
12:24 < jtimon> yeah I understand the general idea, I'm not sure I understand the strategies though
12:26 < jtimon> anyway, apart from gmaxwell's concerns (code scape and script-consensus), what are the potential problems with a TC p2sh ?
12:26 < gmaxwell> I have actually played corewars.
12:27 < gmaxwell> (on an atari ST, I believe)
12:27 < jtimon> the game looks very interesting
12:27 < adam3us> adam3us: if TC extensions can be written by anyone dynamically at any time to the opcode, script lang etc and the TC is persistently stateful i was wondering if an existing op code or smart-contract can convince its author that it cant be later fooled by someone else's state changes, extensions etc.  TC is a lot of complexity.
12:30 < adam3us> jtimon: wait quark has its own PoW?
12:31 < jtimon> TC is all the complexity :) I'm still not sure I understand what you mean though :(
12:31 < jtimon> yes, I think so
12:31 < jtimon> a "basket algorithm"
12:31 < jtimon> some freicoiners pushed for something similar for a while
12:33 < jtimon>  instead of using just one hash function as Bitcoin does, Quark uses six: BLAKE, Blue Midnight Wish, Groestl, JH, Skein and Keccak.
12:33 < adam3us> jtimon: oh maybe i heard of that some mix, yes
12:33 < jtimon> http://bitcoinmagazine.com/8972/quarkcoin-noble-intentions-wrong-approach/
12:37 < jtimon> I don't know adam3us, if you're hashing your own TC script, why would you fool yourself?
12:37 < brisque> https://ghash.io/ghashio_press_release.pdf
12:39 < brisque> 45% private hardware is interesting though, gmaxwell wasn't wrong about the amount of funding selling hardware gave them
12:39 < gmaxwell> "Jeffery Smith"
12:39 < pigeons> Tom Williams
12:40 < jtimon> can't they just p2pool? is 55% p2pool risky?
12:40 < brisque> no.
12:40 < brisque> if ghash.io dumped their load on p2pool they would rocket the share difficulty though.
12:41 < jtimon> I see, it's a question of efficiency
12:41 < brisque> gmaxwell: different name than on their domain at least.
12:41 < gmaxwell> brisque: well it's not that bad because p2pool adapts share difficulty per miner somewhat.
12:42 < brisque> good point.
12:43 < jtimon> Interesting: "Non-standard transactions, such as mentioned above, can not be relayed to
12:43 < jtimon> the blockchain network, however they are still valid, and can be mined
12:43 < jtimon> using the hashing power accumulated on GHash.IO. "
12:44 < adam3us> jtimon: point is if everyone can extend the script language at any time, and write to global, persistent state (presumably with some authorization) are we still as confident that a smart-contract cant be tricked by another person's script or state changes.  probably not as sure.  maybe not very sure at all.
12:44 < brisque> jtimon: not much help if there's no publicly known nodes to push to though. eligius has an interface for it.
12:46 < jtimon> adam3us what you mean a persistent state? apart from the utxo itself? Like a global "general purpose in-chain memory" or something?
12:46 < adam3us> jtimon: yes.
12:47 < jtimon> and why is that persistent state needed for?
12:47 < jtimon> I thought we were only assuming TC scripting
13:52 < maaku_> gmaxwell: "p2pool adapts share difficulty per miner" is that true? i thought the current share level was part of p2pool's consensus.
13:52 < gmaxwell> maaku_: there is a minimum share difficulty and a maximum share difficulty (just a multiple of the minimum) which is part of the consensus.
13:53 < gmaxwell> maaku_: but individual miners can choose any difficulty in between the two, and the stock software targets getting a certain number (1000? I forget) of shares in the window.
13:54 < maaku_> ah
13:55 < maaku_> re TC complete scripts, is there any known application of this stuff?
13:55 < gmaxwell> The end result is just that the minimum is lower than it would be if everyone used the minimum... and large miners give up a small amount of share variance by default, but it makes the variance much lower for small miners.
13:56 < gmaxwell> maaku_: not really. I mean, if bounds are high enough it expands the space of non-private non-interactive bounty transactions. e.g. "100 BTC to someone who provides the root key to AACS"
14:00 < maaku_> gmaxwell: short of that stuff, which is probably best done with a SNARK verification opcode, it seems like most of the benefits could be had via MAST & loop unrolling
14:01 < gmaxwell> maaku_: yea, personally I don't see a lot of point to turing complete. The lack of privacy really closes a lot of options that would otherwise be interesting.
14:01 < gmaxwell> And a lot of stuff can just be done with simple finite state which could be represented in a fixed script (and, indeed, MAST compressed)
14:03 < gmaxwell> I'm more interested in questions like "How can you encode a boolean satisfaction rule like (x and y) or ((x or y) and 2 of 3 (a,b,c))  most compactly.
14:05 < maaku_> that would be directly useful
14:08 < gmaxwell> Coding those kinds of rules via procedural branching is not terribly compact.
14:08 < midnightmagic> truth-table optimization and karnaugh maps?
14:11 < gmaxwell> The naive way is to encode a truth table, but its exponential in the number of variables.
14:12 < gmaxwell> I suppose that a 32 bit truth table for 5 inputs would still be smaller than any way that script can express the above rule.
14:18 < midnightmagic> oh right.. "like".
14:18 < gmaxwell> hm. perhaps efficient encoding of the satisfaction rules is less interesting than I was thinking. The reason is that when the rules can be reordered so that you can avoid disclosing >1 public key, then you're better off MAST compressing that part of the rule.
14:20 < gmaxwell> e.g. you could have a OP_TABLE that took in 5 bits encoding x,y,a,b,c signatures passing and a 32 bit table value, ... but it would result in a larger script than a procedural one that only disclosed the a,b,c pubkeys if !(x&&y).
14:21 < midnightmagic> truth table optimization and piles of interesting technique for it are covered in digital logic design texts such as .. hrm. I can't find it anymore. Well, mine has this guy with a hat, and in the other side, the picture is inverted and the guy is gone and there's blue sky revealed behind the cutout.
14:23 < nsh> i don't think i've ever remembered a book cover in such detail...
14:23 < gmaxwell> I wonder if there is an efficient way to represent truth tables that are never 'too indifferent'... e.g. wouldn't be better represented by a MAST. My head hurts.
14:23 < nsh> hmm
14:24 < nsh> what's indifference in this context, gmaxwell?
14:25 < gmaxwell> nsh: e.g. in the truth table for (x and y) or ((x or y) and 2 of 3 (a,b,c))	 if x&&y or !x && !y  then it doesn't matter if a,b,c are true.
14:25 < nsh> ah, right
14:26 < gmaxwell> so if you were to make a script that encoded (x and y) or ((x or y) and 2 of 3 (a,b,c)) you would probably want to use a branching script that revealed a,b,c pubkeys if and only if x^y
14:27 < nsh> hmm
20:59 < BlueMatt> petertodd: it doesnt, but it also shouldnt actively seek out nodes it knows arent verifying and ask them for data
20:59 < gmaxwell> BlueMatt: I am concerned that upgrading is now less of an option, since it seems to be socially accepted that SPV or webwallet is all you need. Sort of a moot debate unless it exists.
21:00 < BlueMatt> webwallets we cant really control (but that doesnt cause a decrease in spv:full node ratio, so..meh), but spv clients can upgrade to full nodes if they have the resources
21:00 < petertodd> BlueMatt: I can fire up a thousand fake full nodes on amazon ec2 for not that much money; SPV nodes just don't know. They're much better off passing around block header information as widely as possible to try to detect them being isolated by false full nodes.
21:00 < BlueMatt> and since so many spv wallets are bitcoinj.......
21:01 < petertodd> BlueMatt: There is just *no* case where finding out that there exists a longer set of headers than the one the full nodes you're talking to claim exist will be harmful to you if you can't trust those full nodes.
21:02 < petertodd> BlueMatt: Also, FWIW I *have* done something similar to that: I fired up enough EC2 instances doing the bloom io attack that I saw random nodes all over the network falling behind in consensus. Cost me ~$50 or something IIRC.
21:02 < BlueMatt> petertodd: Im looking at it a different way: if you're an spv node and have X outbound connections you want to make, should you connect to other spv nodes (which not only are non-verifying, but will likely only stay online for some brief period of time)
21:02 < BlueMatt> or would you rather connect to full nodes?
21:03 < petertodd> BlueMatt: If there were infinite full node capacity lying around, then yes, you'd want to connect to full nodes. But there isn't, so it's reasonable to connect to SPV nodes.
21:03 < BlueMatt> and since spv nodes generally also dont listen....
21:03 < petertodd> BlueMatt: Not yet, but they may start to in the future, hence why I mentioned that example in my BIP.
21:06 < petertodd> BlueMatt: I hope you understand that's a *very* different argument than "SPV nodes shouldn't be relaying stuff"
21:06 < BlueMatt> spv nodes relaying headers also doesnt apply in this case since headers arent filtered
21:07 < BlueMatt> (in the BIP, that is)
21:07 < petertodd> BlueMatt: No, but if your relaying headers, there's no reason not to relay blocks too.
21:07 < BlueMatt> petertodd: in the future, sure, but, again, in this case it makes absolutely no sense
21:07 < petertodd> BlueMatt: (modulo bandwidth)
21:07 < petertodd> BlueMatt: "in this case" meaning the situation right now?
21:08 < BlueMatt> as in in the BIP
21:08 < BlueMatt> really, I dont like the NODE_BLOOM bit without thinking hard about how to announce you are a fully verifying node and not an archive node and all that stuff
21:08 < petertodd> BlueMatt: Right, well if it causes enough consternation - given it's not why I added that example in the BIP anyway - I'll just re-write it to talk about a hypothetical NODE_BLOCKCHAIN or something where NODE_BLOOM means "filter that information against this filter"
21:09 < BlueMatt> sgtm
21:09 < petertodd> BlueMatt: If anything, NODE_BLOOM and some future NODE_ARCHIVAL_BLOCKS makes a lot of sense due to the differences in what you're trying to optimize for if you're serving up SPV clients vs. you want to serve up archival history efficiently.
21:10 < petertodd> https://github.com/bitcoin/bitcoin/pull/2900#issuecomment-23274616
21:10 < BlueMatt> definitely, and Id kinda like to see all the bits come in one bip, but that probably isnt reasonable to push it through...
21:11 < petertodd> BlueMatt: yeah, I think it's fine to just have a bip saying "here's this NODE_BLOOM bit, it means we're willing to filter stuff"
21:11 < petertodd> Heck, as I said to sipa the other day for now NODE_BLOOM and nothing else is an abstract art piece where you promise you'll filter the nothingness. :P
21:11 < gmaxwell> BlueMatt: we could just someday do a flag overview bip that overviews them and points out their interaction.
21:11 < gmaxwell> hahahahahah
21:12 < BlueMatt> OH GOD
21:12 < BlueMatt> NOOOOOOO
21:12 < gmaxwell> petertodd: "collision free bloom node"
21:13 < petertodd> gmaxwell: "Can nothing collide with itself?"
21:13 < gmaxwell> What is the sound of an empty hash table? Can it be local?
21:14 < petertodd> gmaxwell: We'll have to test for non-compliant implementations that fail to accept filter* requests.
21:15 < warren> petertodd: I'm working on one right now...
21:17 < petertodd> warren: the implementation is all well and nice, but I expect an artists statement to go along with it
--- Log closed Thu Oct 17 00:00:16 2013
--- Log opened Thu Oct 17 00:00:16 2013
13:29 < grau> !seen amiller
13:29 < amiller> present
13:30 < grau> hi, did you reckon that bribe is possible with the double spend attack I described?
13:30 < grau> in https://bitcointalk.org/index.php?topic=312801.0
13:31 < gmaxwell> I need to ask theymos to do some html obfuscation of the moderator names
13:31 < gmaxwell> it's impossible for me to search for myself on the forum.
13:32 < grau> amiller: ^^?
13:32 < gmaxwell> easier to search IRC: http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/10/25#l1351169953
13:32 < amiller> grau i don't see how you prevent the bribe from just being picked up by someone else in a different block
13:33 < amiller> because there's no way to mark a tx as dependent on height
13:33 < amiller> if a sequence of tx ending in an anyone-can-pay are valid in one fork
13:33 < amiller> you can just take them all and apply them to any other fork too
13:33 < gmaxwell> amiller: sure there is.. and I explained this to you before.
13:34 < grau> you can only apply it if it is valid there but it is not if it was spent
13:34 < grau> the idea is that the bribing transaction is only valid in its fork since it is a double spend
13:35 < grau> on the original fork
13:35 < amiller> i agree you could use that to fork *away* from the original fork
13:35 < amiller> i guess you couldn't force them to be on your fork though
13:35 < amiller> maybe someone would just work on a different fork with both the blacklisted tx *and* the bribe?
13:35 < grau> not forcing but making it rational to be there
13:35 < gmaxwell> amiller: you can do things like pay for a double spend by spending the output of the double spend into a sequence of anyone can spend transactions with progressive nlocktime.
13:36 < amiller> hmmmm
13:36 < amiller> i see.
13:36 < amiller> i remember now thinking that that didn't work when it began with a coinbase, but you could do it generally
13:37 < amiller> you should go in increasing order though rather than decreasing i think
13:37 < gmaxwell> yea, see the link above I told you this before. (And I believe I have a 2011 post on BCT about it, but @#$@#$ search for myself)
13:37 < grau> what disturbs me is that if bribe is possible then it does not matter if you have majority of mining power just if you pay enough
13:37 < amiller> 1 btc for the first block, 2 for the second block on top, then 4, 8 then done
13:37 < amiller> because
13:37 < gmaxwell> grau: if the majority is "greedy", correct.
13:37 < amiller> you wouldn't want people to start fighting until it was basically already settled
13:37 < gmaxwell> amiller: interesting!
13:38 < amiller> so the reward for participating in the next block should always be larger than all the previous blocks since the bribe started
13:38 < gmaxwell> amiller: my thought was that the first one had the largest marginal value.
13:38 < grau> gmaxwell: miner are greedy
13:39 < amiller> grau, for the moment, miners are just *weird*
13:39 < gmaxwell> grau: they are observably not entirely greedy.
13:39 < gmaxwell> yea, "weird" is more accurate.
13:39 < amiller> they're part greedy, part lazy, part nutso
13:39 < amiller> lazy basically means "honest" for the moment since the reference client is pretty fair
13:40 < gmaxwell> well they're also actually part honest. and greediness can include not wanting to debase their own coins.
13:40 < amiller> yeah.
13:40 < amiller> they're not exactly myopic, they seem to adhere to some kinds of long term interest along those lines
13:41 < amiller> including the up front investment in hardware...
13:41 < amiller> but.
13:41 < amiller> i'm personally comfortable just modeling them as greedy because i think that is what they'll eventually converge on
13:41 < grau> amiller: exactly as more and more capital involved they converge to greedy
13:42 < amiller> and, potentially worse for us, short-term greedy
13:42 < gmaxwell> Depends on how you define greedy.
13:42 < gmaxwell> Right.
13:42 < gmaxwell> Long term greedy is less concerning.
13:42 < gmaxwell> Long term greedy will probably not reorg the chain for a bit more fees: doing that makes the earned coins (and your hardware!!!) worthless.
13:42 < gmaxwell> Short term greedy will.
13:43 < gmaxwell> (or if not worthless: worth less)
13:43 < sipa> the problem with long term greedy is that it is much harder to quantize
13:43 < sipa> *quantify
13:44 < amiller> the short term greedy miner sells his btc revenue immediately for whatever other currency he likes, like advance on his electricity bill for example, and thus doesn't really need to be worried about the long term stability
13:45 < grau> I question if the number of blocks needed to be sure of a larger transfer should be reconsidered under the possibility of anonymous bribe.
13:45 < gmaxwell> amiller: but if he owns his hardware, he's not going to be so happy about the long term results... unless he can sell that easily too.
13:45 < gmaxwell> grau: they already should have been reconsidered considering pools with 30%-40% hashpower.
13:45 < gmaxwell> BTCguild ends up with 6 block runs with some regularity.
13:46 < gmaxwell> The problem is that if you start crunching the numbers on this kind of thing you end up with rather big numbers.
15:20 < HM2> but are you saying it'll be biased?
15:21 < sipa> yes
15:21 < HM2> I'm confused about the integer multiple bit, because the actual value and length of the ciphertext is irrelevant, you only care about ordering within the block ciphers domain
15:21 < sipa> not every permutation will have the same probability
15:22 < HM2> Hmm perhaps, but you don't actually have to use a symmetric cipher either
15:22 < sipa> irrelevant
15:22 < HM2> How is generating 10000 SHA-1s going to be biased?
15:23 < HM2> for instance, say your arbitrary domain was over [0,1]
15:23 < HM2> basically you're generating SHA(key,1) and SHA(key,2) and comparing which is the greater
15:23 < sipa> ok
15:23 < HM2> you're saying there's going to be a bias of ordering?
15:23 < sipa> say we're sorting [0,1,2]
15:24 < HM2> no just mapping 0 -> 0 or 1 and 1->other one
15:24 < sipa> and we use SHA(key,n) & 0xF
15:24 < HM2> woah
15:24 < sipa> instead of the full SHA
15:24 < HM2> & 0xF?
15:24 < HM2> no
15:24 < sipa> just to prove my point
15:24 < sipa> it's equally valid for larger keys
15:25 < HM2> hmmm
15:25 < sipa> so you have 8 possible outcomes, ignoring the key
15:25 < HM2> yes
15:25 < sipa> and they have to be distributed over 6 possible permutations
15:25 < sipa> wait, i'm wrong
15:25 < HM2> 8x7x6 permutations
15:26 < HM2> erm
15:26 < HM2> (8x7x6)/(3x2)
15:26 < sipa> yes, and this just happens to be possible :p
15:26 < HM2> lol
15:27 < sipa> the point is that if the input to your algorithm (the key) is not a multiple of the possible resulting permutations, there will always be permutations that are more likely than others
15:27 < sipa> that doesn't mean these are easy to find, or that it's insecure
15:27 < HM2> hmm
15:28 < HM2> I still don't really see that. If you encrypt 10000 distinct values with a symmetric cipher you're going to end up with 10000 distinct ciphertexts, the distribution of those ciphertexts should be pseudorandom
15:29 < sipa> you see it as a function that takes as input a key, and returns a permutation
15:30 < sipa> each key is equally likely as input
15:30 < HM2> this is why i tried to boil it down to a very limited domain
15:30 < HM2> [0,1]
15:30 < sipa> HM2: and i'm not talking about pseudorandom or not
15:30 < sipa> in fact, if it's pseudorandom it can never be a perfect shuffle
15:31 < sipa> as no variance in the output probabilities is incredibly unlikely
15:31 < HM2> SHA(key,0) should be < than SHA(key,1) ~50% of the time. so how can ordering those outputs not be a good pseudorandom shuffle?
15:31 < sipa> i am NOT talking about pseudorandom or not!
15:31 < HM2> ok
15:32 < sipa> i'm saying that not every permutation will be equally likely
15:32 < HM2> but a shuffle is a permutation
15:32 < sipa> yes
15:32 < HM2> well the paper says nowt about it
15:32 < sipa> sure
15:33 < sipa> it also doesn't matter if your keys are large enough
15:33 < sipa> which is the case in cryptographic applications anyway
15:33 < sipa> but when people try to make a random shuffle based on just some rand() function, this argument can be used to show that their shuffle is biased
15:34 < HM2> oh sure, shuffling is hard, but i still don't see your multiple problem
15:34 < sipa> if your function has N input possibilities, and M output possibilities
15:35 < sipa> then some outputs will be more likely than others
15:35 < sipa> unless N is a multiple of M
15:35 < HM2> but that's not the case
15:35 < sipa> i mean, if there are 4 inputs and 3 outputs, one output will be the result of 2 inputs, while the others will be the result of 1
15:35 < HM2> right agreed
15:36 < HM2> but you're doing this
15:36 < HM2> [encrypt(K,0), encrypt(K,1), encrypt(K,2),encrypt(K,3)]
15:37 < HM2> sorting the results
15:37 < HM2> it doesn't matter if they're 8 bits long or 1024 bits long
15:37 < HM2> relative to one another they're still randomly ordered
15:37 < sipa> for 8 bits the bias should be detectable
15:37 < sipa> iterate over all 256 input keys, see which output permutations you end up with
15:38 < sipa> and you'll see some are definitely more likely than others
15:38 < HM2> ah sure
15:38 < HM2> but you're talking about biases within the block cipher
15:38 < sipa> no
15:38 < sipa> even if that encrypt function has a perfectly uniform output distribution
15:39 < HM2> OK, so you should be able to replace it with a perfect number generator
15:39 < sipa> because there are 256 inputs, and 24 outputs
15:39 < HM2> let's do it with a perfect RNG that produces 4 different 8 bit numbers
15:40 < sipa> ok
15:40 < HM2> 201, 72, 3, 29
15:40 < sipa> now you've changed the function to take a 256^4 input, though
15:40 < sipa> which will still be biased but much much less so
15:40 < HM2> huh?
15:40 < sipa> you consume 4 8-bit numbers from your environment now
15:40 < HM2> what is the "input"?
15:41 < sipa> the random data you consume is the input now
15:41 < HM2> well we're modelling a block cipher as a RNG
15:41 < HM2> assuming the cipher is perfect
15:41 < sipa> doesn't matter
15:41 < sipa> the specific cipher is known
15:41 < sipa> so you cannot assume independence between the outputs
15:42 < sipa> you look at the set of all functions with 8-bit outputs, and pick one of them in advance
15:42 < sipa> and you know which one this is
15:42 < HM2> I'm still trying to nail down where you think this algorithm is flawed
15:42 < sipa> ok
15:43 < sipa> write me a program that produces a random permutation of [0,1,2,3]
15:43 < HM2> ergh
15:44 < sipa> but it only uses 8 bits of randomness
15:44 < sipa> so you get to call rand() % 256 once
15:44 < sipa> and that's it
15:44 < HM2> i never said you use 8 bits of randomness
15:44 < sipa> the key is 8 bits
15:45 < sipa> 21:37:18 < HM2> it doesn't matter if they're 8 bits long or 1024 bits long
15:45 < HM2> the block size, not the key size
15:46 < sipa> ooooh
15:46 < sipa> that changes things :)
15:46 < HM2> for instance, if you're using SHA-1
15:46 < HM2> you could put the works of shakespeare through it
15:46 < sipa> sure sure
15:46 < HM2> but you're producing 4 x 160 bit numbers
15:46 < HM2> then ordering them
15:46 < sipa> yes, but that's all irrelevant
15:46 < sipa> the question is what the size of your key is
15:47 < HM2> i see
15:47 < sipa> well, not irrelevant of course
15:47 < sipa> but it's not the problem
15:48 < HM2> so what has to be an integer multiple?
15:48 < HM2> the key size or the hash/ciphertext size?
15:49 < sipa> the number of possibilities of the key has to be a multiple of the number of potential outcome permutations
15:49 < HM2> hmm
15:49 < sipa> but i'm not in any way talking about secure or not
15:50 < sipa> random functions are always biased a bit, that doesn't mean they're distinguishable from random
15:51 < sipa> where this does matter is if someone wants to write a function to produce a random permutation of some list
15:51 < HM2> well that's exactly what we're doing
15:51 < sipa> and they do so by assigning a 16-bit (independent) random number with each element
15:51 < sipa> and then sorting the random numbers
15:51 < HM2> sure
15:51 < HM2> that's basically it
15:51 < sipa> and returning the elements in that order
15:51 < warren> sipa: oh hey, just curious how your secp256k1 is going?
15:52 < HM2> I don't see how that produces a bias
15:52 < sipa> HM2: because you're taking 2^(16*N) data as input
15:53 < sipa> and those inputs cannot be possibly evenly divided over N! potential outputs
15:53 < sipa> warren: quite good, but slow :)
15:53 < sipa> (progress is slow, not performance :p)
15:54 < sipa> HM2: in case you use some cryptographic-strength randomizing function in between, you're fine, the bias will be impossible to detect
15:54 < sipa> but if you use small random numbers, the bias may be detectable
15:54 < HM2> the number of inputs isn't 2^(16*N). If you assign 1 value from a 16 bit field to the number 0 then 1 can only be picked from field of 2^16 - 1 values
15:54 < sipa> i did say "independent random number"
15:55 < HM2> right, but that isn't the algorithm this paper is using
15:55 < HM2> it's using a block cipher which means it isn't 2^(N*16) possible mappings
15:55 < sipa> right
15:55 < sipa> but now you've moved the problem to the key
15:56 < HM2> If you have a field of size F and a block size of size N then you have N! / (N - F)! possible mappings
15:57 < HM2> I think?
15:57 < sipa> i'm going to stop discussing; i think you think i mean something i'm not :)
15:58 < sipa> and it's pointless anyway
15:58 < HM2> aww cmon
15:59 < sipa> i shouldn't have brought it up here, it is not a problem in this context
16:01 < HM2> you're assigning 16 bit numbers to [0...4] then you have (2**16)! / (2**16 - 5)! possible mappings afaict, your argument for a bias seems to be that that isn't divisible by 5! but I don't see that that's a problem
16:01 < HM2> although...actually it is divisible by 5!
16:02 < sipa> your keyspace size isn't
16:02 < sipa> if it is many times larger, that doesn't matter
16:03 < HM2> right, 2^16 isn't
16:04 < HM2> but i believe the number of mappings divided by the number of output permutations is always an integer
16:05 < HM2> i'll accept that the inner function will always be imperfect but can't see what the flaw you mention
16:05 < HM2> but i'll stop on about it now anyway, it's an interesting paper
16:05 < sipa> true!
16:06 < HM2> http://www.wolframalpha.com/input/?i=%28%282**n%29%21+%2F+%282**n+-+x%29%21%29+%2F+x%21
16:07 < HM2> ^ i think this shows it'll always be an integer as long as 2^n > x
16:07 < HM2> but i'm not sure
16:09 < sipa> HM2: sure, if you take a uniformly random permutation function from 2^N -> 2^N, apply it to the numbers 0..I, and then sort these numbers, you get a uniformly random permutation
16:09 < sipa> but the point is picking a uniformly random permutation function
16:09 < sipa> if you use a cryptographic primitive there, it will be indistinguishable from one
16:09 < HM2> I don't dispute that
16:10 < sipa> but it won't be one
14:10 <@gmaxwell> yes, I agree that there is a usecase for donation addresses, I think you're trying to expand it to other things and it's a very poor fit, and comes only at an unknown loss in privacy. (which was acceptable when the alternative was a totally static address, and is not so acceptable when the alternative is a totally private address)
14:10 < petertodd> gmaxwell: but what's the point of this linkability? they can just as easily say "hey! I gave peter money too!", the master pubkey for a stealth address only lets them prove the funds went to the same wallet
14:10 < petertodd> gmaxwell: pragmatically speaking the window where it matters, say you were all talking on OTR chat, is pretty small
14:11 <@gmaxwell> petertodd: because you can do things like go around and demand people identify all the stealth payments they made.
14:11 < petertodd> gmaxwell: only if you know who to ask, and again, in BIP32, or hell, individually given out one-time-addresses, the human impacts aren't that different
14:12 <@gmaxwell> In any case you've added an additional payer linkability of payees which is transferable, ... it seems like a really big vulnerability to add in cases where you really could have complete privacy.
14:12 < petertodd> gmaxwell: rarely does it matter that someone is alleging I received money at one bitcoin wallet or more than one
14:12 <@gmaxwell> petertodd: in BIP32 you can give reusable addresses which are not linkable between users, if you wish. if they're separate chains they don't have any data in common.
14:13 <@gmaxwell> petertodd: people make allegations about people being the same person all the time.
14:13 < petertodd> gmaxwell: yes I know, which is why you should use a different stealth address for each of your alts
14:13 <@gmaxwell> even when the parties in question weren't really trying to be one or two identities.
14:14 <@gmaxwell> Bitcoin used well today in the bidirectional communication case creates none of that linkage ever. This is adding a vulnerability where none exists.
14:15 < petertodd> gmaxwell: but I'm not arguing for the interactive bidirectional case, I'm arguing for the semi-bidirectional case where the communication may or may not ever get through at best
14:15 <@gmaxwell> and it scales like n*m so there is a disincentive to use a new stealth address wherever you can.
14:15 <@gmaxwell> petertodd: all of my complaints are stemming because you started suggesting that this is somehow a _general_ replacement for bloom for spv.
14:15 <@gmaxwell> If its only used where people have nearly one way communication and would have otherwise used a static address I don't have a complaint.
14:16 <@gmaxwell> Other then perhaps you'll never get bitcoinj to implement. :P
14:16 < petertodd> gmaxwell: I'm not saying that! this has nothing to do with SPV other than SPV is why it has optional, and user-defined, filtering to cut down on bandwidth
14:17 < petertodd> gmaxwell: and the prefix filtering business has a lot of things going for it regarding scalability, and I'm advocating that separate to this idea
14:17 < petertodd> gmaxwell: bitcoinj no, darkwallet more likely
14:17 <@gmaxwell> if bitcoinj doesn't implement it no one will use it for donations... since you need to implement it merely to _send_ to it.
14:18 <@gmaxwell> and no one wants a donation address that a non-trivial number of people can't send to.
14:18 <@gmaxwell> (I've gotten so many complaints about CJ bounty being unpaytoable)
14:18 < petertodd> gmaxwell: which gets back to the other nice thing about this: suppose I put one of these stealth addresses as a user id in my PGP key: now the UI of my wallet can very easily let me pay a person, authenticate it all properly so I actually know who I'm paying, yet it works fine regardless of how shoddy the communication between the two people is
14:19 < petertodd> gmaxwell: equally, replace PGP with whatever CA system you want
14:20 < petertodd> gmaxwell: if bitcoinj doesn't do that, whatever - this all came up at the darkwallet hackathon with regard to identity systems that people want so payments to individuals are more secure
14:20 <@gmaxwell> in any case I think you should totally separate the prefix bait proposal. You can just have extra data in transactions for any scheme you want.
14:21 < petertodd> gmaxwell: yeah, and we kept trying to come up with such schemes, and soon realized we needed some way of essentially including encrypted data to the actual recipient, something this ECDH based scheme does unusually efficiently
14:22 <@gmaxwell> petertodd: well not whatever. payment-to has network effect. This matters. Which means designing a proposal which will be tolerable to many different wallets. Esp as this is not a one-line change like p2sh. You have to generate your output addresses after doing coin selection... and it doesn't work if you have all pay to pubkey coins, or all ECDSA free coins.
14:23 <@gmaxwell> (e.g. if we introduce a new signature system in the future)
14:24 < petertodd> gmaxwell: I know that, fortunately the circumstances where you don't have a ECC pubkey are rare, and part of introducing a new signature scheme may very well be to just do my original proposal of "include an encrypted blob" in the transaction
14:24 < petertodd> gmaxwell: but that's costly for now, so we avoid it
14:24 < petertodd> gmaxwell: we also thought about stuff like using bitmessage, but ultimately every solution that doesn't involve the blockchain is less reliable, often by a lot
14:24 < petertodd> gmaxwell: losing payment is very bad after all...
14:24 < petertodd> *payments
14:25 <@gmaxwell> well you make the exact nature of the current usage more of a suicide pact, it makes all of bitcoin more brittle.
14:25 <@gmaxwell> though this may be avoidable.
14:25 < petertodd> think of it this way: it's an optimization of "encrypted blob"
14:25 <@gmaxwell> For example, if the spec allows you to use an OP_RETURN output for the nonce if there is no other public key in the transaction.
14:25 < petertodd> sure, that's easy to do
14:25 <@gmaxwell> then it's less of a fixation on how things are currently done.
14:25 < petertodd> although breaks coinjoin because we only allow a single op_return
14:26 <@gmaxwell> no, they could all use the same nonce.
14:26 <@gmaxwell> you'd just have to agree on it in a CJ.
14:26 < petertodd> right, which breaks the moment someone needs to upgrade something...
14:26 <@gmaxwell> CJ's already break, since presumably you're going to ask people to only check with the first pubkey in the txn.
14:27 <@gmaxwell> CJ mixer needs to receive the full stealth address.
14:27 < petertodd> not at all, that's why I expect an actual spec to put a limit on tx size (or more likely # of tx inputs)
14:27 <@gmaxwell> ugh! that's a multiplicative increase in the computational cost, usually for no gain.
14:27 <@gmaxwell> getting less interesting.
14:28 < petertodd> yes well, that's life, the alternative is marking the possible txins with nSequence
14:28 < petertodd> which can easily be an info leak - tells you how many "actual" outputs there are
14:28 <@gmaxwell> yuck.
14:29 <@gmaxwell> or you could just give CJ mixers the stealth address ...
14:29 < petertodd> meh, it's a multiplicative increase that'll never be more than the total number of txins in a block - it's not an exponential thing
14:29 < petertodd> I'm expecting most CJ to be two party mixes anyway
14:30 <@gmaxwell> oh but then you have the problem I was griping about earlier... where people get a transferable proof of who someone was. yuck
14:30 < petertodd> it's reasonable to ask that the relevant txins be placed at the top two slots
14:30 <@gmaxwell> petertodd: huh? what if all txins are relevant?
14:30 <@gmaxwell> and if the receiver isn't guaranteed that its at the top they have to check all of them.
14:31 < petertodd> gmaxwell: then you're back to my point about having some sane limit of total number of txins per tx to check - making it only possible to pay, say, 10 stealth addrs in one tx isn't a big deal
14:32 <@gmaxwell> oh this also totally screws up offline signing.
14:32 <@gmaxwell> because you won't be able to author a transaction without access to the secret.
14:33 < petertodd> gmaxwell: OTOH offline signing that's for multisig is not affected
14:33 < petertodd> use the online secret
14:33 <@gmaxwell> sure but if you're increasing the transaction size, might as well just start adding the nonce to an OP_RETURN or txout.
14:34 <@gmaxwell> And expecting multisig to save this is not compatible with schnorr threshold signing.
14:34 < petertodd> well it needs to be more than just a nonce unfortunately, it has to be encrypted to the recipient
14:36 <@gmaxwell> huh? you need a nonce to do the encryption.
14:36 < petertodd> I mean it's not a short nonce, e.g. for ECDH you need a x byte nonce + a 33 byte ephemeral pubkey
14:36 <@gmaxwell> no you don't.
14:37 <@gmaxwell> you need an ephemeral pubkey.
14:37 < petertodd> oh, actually the pubkey is your nonce...
14:37 <@gmaxwell> right.
14:37 <@gmaxwell> it's not short though it can be safely shared.
14:37 < petertodd> ?
14:37 < petertodd> oh, you mean it's 33 bytes but can be safely shared
14:38 < petertodd> see, my other idea was to use bare multisig destinations for this
14:39 < petertodd> but all that's just details to make it compatible with what we have now, obviously <eph> OP_DROP works too
14:41 < petertodd> anyway, timeline on schnorr is easily years, if it gets implemented, you modify the software to use OP_RETURN or something and bump some version bit in the address format to indicate support, people upgrade over time
14:41 < petertodd> drop support for the old mechanism later
14:41 < petertodd> you can always use the ugly hack of keeping a few txouts of low value for backwards compatibility
14:42 <@gmaxwell> it's very ugly. at least if getting the nonce from an op_return is standard supported all the stealth receivers don't need to upgrade their software.
20:12 < gmaxwell> The regulatory point isn't the "exchange" it's the handling usd.
20:13 < Mike_B> i was thinking more about either trading with other cryptocurrencies, or with US "ious" a la ripple or what have you
20:22 < jtimon> Mike_B RippleLab's Ripple is not a very good ripple design (sorry for the redundancy)
20:22 < jtimon> Ryan's two-phase commit was actually scalable
20:22 < jtimon> I extended it to support atomic transactions with bitcoin/freicoin
20:23 < jtimon> and then we merged 2pc ripple with what I previously called "ripplecoin" (basically a ripple implementation on pow)
20:24 < jtimon> but they have several big design flaws even if you change their consensus for SHA256
20:24 < Mike_B> like what?
20:24 < jtimon> I just made a fast enumeration to pigeons this morning...wait
20:25 < jtimon> they should have never replaced inputs/outputs with accounts
20:25 < jtimon> trust-lines don't have to be in the core, they can be simulated with regular market orders
20:25 < jtimon> and orders don't need to be in the ledger
20:26 < Mike_B> so why does the current setup cause problems
20:26 < Mike_B> like why is it a "flaw"
20:26 < Mike_B> the only problems i know about it come from how consensus claims to be decentralized but it isn't
20:27 < Mike_B> we had a good discussion a while ago about how various network topologies can lead to dishonest nodes winning even if the majority of the network is honest
20:27 < jtimon> having all the open orders in the blockchain requires more validations and bandwidth
20:28 < jtimon> yeah, I'm talking about the inner structures, assuming you get their code and replace the consensus with pow
20:28 < gmaxwell> jtimon: is mostly talking about layers of the system I know nothing about. :)
20:28 < Mike_B> ah ok
20:28 < jtimon> instead of inputs and outputs like bitcoin
20:28 < jtimon> an address is actually an account
20:29 < jtimon> and all transactions from a given account must be sequenced with an ugly seq field
20:29 < jtimon> with
20:29 < Mike_B> wait, so addresses aren't just hashed public keys anymore?
20:29 < jtimon> yes, what is missing is outputs
20:30 < jtimon> they have accounts in a ledger
20:30 < Mike_B> ok i'll have to take a look at it
20:30 < jtimon> there's no utxo
20:30 < Mike_B> yeah that's different than i thought it worked
20:31 < jtimon> there's a list of accounts and their balance in "each currency" (by currency meaning a 3 letter code)
20:31 < jtimon> and it's also a bad idea
20:31 < jtimon> imo
20:32 < maaku> Mike_B: i assume you're trying to answer the question "how can we create a Ripple-like system using bitcoin primitives?"
20:32 < Mike_B> jtimon: makes sense, i have to read about it more
20:32 < maaku> we (jtimon and maaku) have addressed this : http://freico.in/freimarkets.pdf
20:32 < Mike_B> maaku: i was attracted to ripple mostly because "consensus" has tx's confirming in a few seconds rather than 10m
20:33 < maaku> er, http://freico.in/docs/freimarkets.pdf
20:33 < Mike_B> but, i'm a bit disillusioned about it now because it has some bad flaws in terms of not being decentralized
20:33 < maaku> ok
20:33 < Mike_B> and i was in a trading channel and people were talking about decentralized exchanges and how they'll be the next big thing
20:33 < maaku> they get that by having a completely centralized transaction processing mechanism
20:33 < jtimon> there was also their negative to properly implement demurrage, ahem, interests
20:34 < Mike_B> but then i realized that making a "decentralized exchange," in which trades execute reasonably quickly, is at least as hard as making a new cryptocurrency that doesn't require blockchain confirmations
20:34 < maaku> yeah freimarkets is an architecture for doing decentralized exchanges using bitcoin protocol, but keeping as much data off the chain as possible
20:34 < jtimon> JoelKatz tried to convince me that it was impossible to have ripple transactions with interest bearing assets
20:34 < jtimon> and I tried to make him read my examples
20:34 < maaku> in fact, in real application we expect most applications to be off chain entirely, on private servers that nevertheless communicate with bitcoin-like messages
20:34 < Mike_B> maaku: how long does it take for a trade to execute?
20:34 < Mike_B> 10 minutes to be confirmed by the network * 6 confirmations?
20:35 < maaku> on-chain, yes, it's like any other transaction
20:35 < jtimon> Mike_B that depends on the value of the trade
20:35 < maaku> off-chain as fast as the private server can process it
20:35 < Mike_B> yeah so if trades take an hour to execute, it's going to be pretty different from how normal exchanges work
20:35 < jtimon> if you trade 0.01 usd one block may be fine
20:35 < maaku> Mike_B: you're not going to get a decentralized platform like bitcoin to do high frequency trading
20:35 < Mike_B> well fair enough, i'll read it
20:36 < maaku> there are fundamental limitations in play here
20:36 < jtimon> well, actually trades are atomic, so you're not waiting to give something in return like in real payments...the value is irrelevant
20:37 < maaku> for things you need global decentralized consensus on, it'll take time to get global consensus
20:38 < maaku> however you can do things like high frequency micro trades using sequence numbers and transaction replacement
20:38 < Mike_B> yeah i'm trying to see the big picture of that
20:38 < maaku> but you run a serious counter-party risk if you don't wait for confirmations
20:38 < Mike_B> global decentralized consensus
20:38 < Mike_B> you basically are exposing the network to an election
20:39 < Mike_B> and somehow it elects an ordering of events
20:39 < Mike_B> and bitcoin is like using the "random ballot" voting principle
20:39 < jtimon> yeah the chain is a global serializer
20:39 < Mike_B> where 1 share of cpu time = 1 ballot
20:39 < maaku> Mike_B: the thing is for nearly all applications you *don't* need global consensus, particularly when you're talking about trading IOUs or stocks or other assets with an inherent trusted party
20:40 < jtimon> you just can't have p2p dollars
20:40 < jtimon> no matter what mastercoin or bitshares claim ;)
20:40 < maaku> but people instantly jump to "decentralize all the things!" mindset, leading to crazy inefficient orderbook-on-the-blockchain proposals and such
20:40 < Mike_B> haha
20:40 < Mike_B> yeah i was trying to decentralize all the things
20:41 < Mike_B> i think it's a fun academic problem though, at the very least
20:41 < Mike_B> i mean say you have a fleet of starships that are flying around in deep space, and they need to synchronize somehow
20:41 < Mike_B> well, there's no one absolute reference frame that tells you the "correct" ordering of events
20:41 < Mike_B> so the bitcoin approach would be to just pick one guy at random to decide (which is what pow does)
20:41 < Mike_B> i was curious if there were other approaches too
20:42 < Mike_B> consensus seemed promising but that flaw re: a minority of dishonest nodes ruining the network kind of kills it
20:42 < maaku> there are plenty other approaches that could work, but very few that are rooted in fundamental physical laws like proof-of-work is
20:43 < maaku> consensus could probably be made better.. but really it's the ugly child that nobody wants
20:43 < jtimon> hehe, here comes entropy...
20:44 < maaku> heh, i'll let Mike_B figure that one out on his own
20:44 < Mike_B> heh
20:44 < jtimon> in any case, Mike_B whatever the consensus mechanism
20:44 < jtimon> all nodes on the p2p network must repeat the same validations
20:45 < jtimon> and you just can't have 10,000 nodes validating nasdaq
20:45 < jtimon> independently
20:45 < maaku> if you want fast transactions, there are ways you can have a centralized serializer without having to trust the central node in any way except availability
20:45 < maaku> see: open-transactions, freimarkets private accounting servers, and others i'm sure
20:46 < jtimon> 2PC ripple
20:46 < maaku> yes, 2PC ripple
20:47 < jtimon> http://archive.ripple-project.org/Protocol/Protocol?from=Protocol.Index
20:47 < jtimon> although that's kind of abandoned
20:47 < maaku> well, we did incorporate it into freimarkets
20:48 < jtimon> yeah
20:48 < jtimon> at least functionally
20:49 < Mike_B> hm ok
20:56 < Mike_B> alright, well thanks for the info
20:56 < Mike_B> i'll look into all that
21:04 < maaku> supposed proof of P=NP : http://arxiv.org/pdf/1208.0954.pdf
21:04 < maaku> dubious of a proof that's only 24 pages long
21:06 < andytoshi> maaku: well, a successful proof could be done with a single reduction, that could be short
21:07 < maaku> well, i mean dubious of a short proof to this problem ;)
21:07 < maaku> i'd expect the nearby inferential space to be completely exhausted by this point
21:10 < gmaxwell> it claims to be constructive.
21:11 < andytoshi> right before sec 2 he outlines the plan
21:11 < andytoshi> i'm having trouble understanding what he's saying..
21:26 < andytoshi> well, it does appear to be constructive, there are explicit algorithm listings everywhere
21:26 < andytoshi> but it is much too elaborate for my poor brain
21:34 < gmaxwell> after it said it was constructed I paged down to the end to see if it had benchmarks for solving some NP problem, even in terms of machine steps... and some boring np problem.
21:34 < gmaxwell> nope.
21:34 < gmaxwell> closed pdf.
21:35 < andytoshi> yeah, he went so far as to claim this was possible
21:36 < andytoshi> very last sentence, "Therefore, the algorithms proposed in the present paper can be used in practice to implement non-deterministic algorithms using deterministic imperative programs."
22:15 < Mike_B> how did this crap get on arxiv.org
22:21 < Mike_B> i'm gonna email the guy and ask him if he can efficiently compute preimages for SHA256 hashes
22:24 < andytoshi> Mike_B: arxiv does not verify or censor anything,
22:24 < Mike_B> andytoshi: to publish something to arxiv you need someone to endorse you
15:23 < jtimon> because there are less computers in the world capable of validating that number of transactions?
15:24 < gmaxwell> jtimon: okay, but then just don't produce a block with 1M transactions.
15:24 < gmaxwell> the snarks mean that the verifier's cost is not related to the block size (or at least sublinear, perhaps constant)
15:25 < jtimon> ok, I could only process 100 tx, but then I won't be able to compete with miners that do produce 1M transactions
15:25 < gmaxwell> 'compete'? in any case, to the extent thats true you can still cap blocks
15:26 < jtimon> that was my point
15:26 < jtimon> by compete I mean earning "equivalent fees" as the other miners for the "same" pow
15:27 < nsh> oh, hmm
15:29 < jtimon> so the cap on transactions per block would be to defend p2p-ness against scalability
15:30 < gmaxwell> jtimon: not just that, in bitcoin we need some reason for the fee to be >1e-8 btc. :P
15:31 < jtimon> well, divisibility can be improved
15:31 < gmaxwell> jtimon: but at least such a change would make it so that someone _else_ producing enormous blocks didn't keep non-miners and smaller from validating... so the impact is reduced.
15:31 < gmaxwell> jtimon: that wasn't my point. for the system to be secure we need the pow to be many orders of magnitude more expensive than validation
15:31 < gmaxwell> otherwise the validation is most of the operating cost, and an attacker that just mines a few doublespending txn has an advantage. :)
15:32 < jtimon> oh, I see
15:33 < gmaxwell> an interesting point would be to have a cap only on fee paying txn, but sadly people would pay fees "out of band" :)
15:33 < jtimon> well, there's also demurrage, but now I get your point
15:34 < jtimon> hmm, so there's really no way to cap transactions
15:34 < gmaxwell> jtimon: hm? sure there is, it can just be part of the proof.
15:34 < jtimon> oh, sure
15:35 < gmaxwell> though "writes to the spent coin list" or something might be a better capacity metric in a system that has been MMR compressed.
15:36 < jtimon> I'm not sure I understand MMR but it's basically a tree structure for the utxo, like maaku's but with other properties, no?
15:36 < jtimon> maaku's
15:39 < jtimon> on the inputs-only proposal, I know petertodd wanted "pow fees" for anti-spam, but does anyone know if he had something in mind for miner's rewards?
16:01 < andytoshi> it seems like i missed a very cool conversation about entropy of identifying information..
16:01 < andytoshi> if there are no complaints i'll set up a cronjob to publish logs for this channel
16:01 < andytoshi> andytoshi-logbot has been recording for a few days now, seems to be working..
16:02 < nsh> +1
16:02 < andytoshi> ok, lemme just finish catching up on the logs in secret :}
16:06 < andytoshi> http://download.wpsoftware.net/bitcoin/wizards/
16:07 < Emcy> how many 'official' places does dev discussion happen now
16:07 < Emcy> at least 2 irc chans i know of, the sourceforge list, the github list
16:08 < Emcy> which one is the 'source of record' as it were, if the aim is transparency
16:10 < andytoshi> is there a github mailing list? it seems like github links you to sourceforge..
16:11 < phantomcircuit> no there isn't
16:11 < phantomcircuit> the mailing list is sourceforge
16:11 < phantomcircuit> the issue tracker is github
16:12 < Emcy> the github threads system seems like you can email in and out of it
16:12 < Emcy> probably wrong to call it a list
--- Log closed Tue Dec 10 00:00:45 2013
--- Log opened Tue Dec 10 00:00:45 2013
07:33 < petertodd> jtimon: re: inputs only, my thinking is for every tx to be accompanied by PoW
07:33 < jtimon> yeah, that solves spam
07:33 < jtimon> but who is going to mine?
07:33 < michagogo|cloud> petertodd: Like bitmessage?
07:36 < petertodd> jtimon: every user - I also want mining to be non-outsourcable and asic hard
07:36 < petertodd> jtimon: also, ponies
07:36 < petertodd> michagogo|cloud: basically yes
07:36 < pigeons> i think if you add unicorn blood it works
07:37 < petertodd> pigeons: or pigeon blood
07:37 < petertodd> asic hard seems like a reasonable goal, though the end result is more likely to be gpu-minable
07:37 < petertodd> or maybe "fpga soft" so to speak
07:41 < jtimon> petertodd, but if users add pow to txs, who adds pow to blocks?
07:45 < petertodd> jtimon: potentially the tx's do - I proposed something very similar to that tx scalability paper for proof-of-sacrifice where you would do tx's as a dag
07:45 < jtimon> so each tx would commit to the same previous block
07:46 < jtimon> what happens when two tx with the same input appear in the same block?
07:46 < jtimon> which one came first
07:46 < jtimon> ?
07:47 < petertodd> jtimon: potentially you do a tie-breaker via pow, or just make the rules that they can't for the dag path to be valid
07:47 < petertodd> my zookeyv proposal was for the latter
07:48 < jtimon> what's dag?
07:48 < petertodd> directed acyclic graph
07:49 < jtimon> ok, I still don't understand what you mean by " just make the rules that they can't for the dag path to be valid"
07:50 < petertodd> ok, so every node in the dag is essentially a path from the genesis block right? well, multiple paths? so define the path as valid only if no input is ever spent twice
07:50 < jtimon> in the first "pow tie-break" solution...when is a transaction final? how is the "time between blocks" determined?
07:51 < petertodd> I've proposed before that time between blocks be based on some short block interval with eventual merging... IE min PoW for a tx would be some amount
07:52 < petertodd> or, alternatively, group txs together and make a min PoW for the group
07:52 < petertodd> all very in the air because we don't yet understand the impact of latency on centralization well yet
07:52 < jtimon> yeah ryan fugger and me speculated about pow chains merging but didn't get anywhere
07:53 < petertodd> I'm meaning to write up a reply to those tx paper guys showing why they're probably going to wreck decentralization via bad incentives
07:53 < jtimon> we had chains where a block was basically a transaction and parallel chains could be merged
07:53 < petertodd> yup, very similar ideas
07:54 < jtimon> but we didn't solve how conflicts are resolved
07:54 < petertodd> with proof-of-sacrifice, specially using an embedded consensus system, the logic is really simple, not so simple when latency matters
07:54 < petertodd> *especially
07:54 < jtimon> basically we had only tx_ids, not even inputs
07:55 < jtimon> but we didn't
07:55 < petertodd> ah cool
07:56 < petertodd> I think implementing zookeyv might be a good educational exercise myself - learn more about such blockchain structures without the complexity of latency
07:57 < jtimon> sorry, zookeyv?
07:57 < jtimon> as said, we gave up because we weren't able to properly resolve merges, what do you have in mind?
07:58 < petertodd> jtimon: largest total sacrifice wins is the logic in zookeyv
07:58 < petertodd> as for what it is: key-value consensus system based on sacrificing bitcoins
07:59 < petertodd> very roughly sketched out on -wizards a few months ago
08:00 < jtimon> oh, kind of a replacement for namecoin
08:01 < petertodd> exactly
08:01 < MoALTz> if you include PoW in transactions then make it so that the PoW nonce is NOT included in the signature check. that way SPV clients can have their transactions "hardened" by a 3rd party
08:01 < jtimon> maaku and I were discussing "freiname" the other days, treating names as land
08:01 < petertodd> nice security properties too in some senses, as you know the BTC value of the re-write security
08:01 < petertodd> MoALTz: absolutely
08:02 < jtimon> he started with a gesellian freiland but we ended up with something more similar to Henry George land tax
08:02 < petertodd> MoALTz: although, equally it is worth considering non-outsourcable schemes where PoW reward - whatever it is - can be stolen by whomever mined it
08:02 < jtimon> I think we reached a good incentive structure for anti-squatting
08:03 < petertodd> jtimon: oh yeah?
08:03 < jtimon> but back to the chain merging, please, tell me when you think you've solved that problem
08:04 < jtimon> yes, and we could implement it with a soft-fork
08:04 < jtimon> on top of bitcoin/freicoin
08:05 < jtimon> I can mail you the discussion log if you're interested in "freiname"
08:05 < petertodd> jtimon: heh, well, first let me get to a part of the world without 1s latency to the US :p
08:05 < petertodd> sure
08:22 < jtimon> sorry, there's many other things in the log, and we also discuss land reform (that may actually help understand the motivation)
08:22 < jtimon> petertodd http://pastebin.com/ZFHG2LvV
08:23  * nsh would like 16 landcoin please
08:23 < jtimon> about the "chain merging problem", do you think you could solve it assuming zero latency for everyone?
08:25 < jtimon> because we failed without even considering network latency
08:25 < jtimon> not in much detail at least
08:26 < jtimon> by the way, I'm not so sure it is a soft-fork since we would need at least a new OP
08:27 < jtimon> we also talk about integrating it better with freimarket's unique tokens, but that's not really necessary
08:27 < jtimon> new OP_CODE
09:42 < gmaxwell> A consequence of inadequate privacy in payment systems: http://i.imgur.com/Obl8xRW.jpg
09:48 < sipa> :o
09:52 < gmaxwell> Apparently he'd done about a dozen payments to coinbase in about a month, totaling under $10k.  (amusingly, coinbase replicates their high transaction volume bad practices on the ACH side too; people make many payments because coinbase won't let them hold USD in their coinbase account. I bet this makes them no friends with banks.)
09:56 < warren> gmaxwell: he is a merchant receiving payments?
09:56 < gmaxwell> No he's just some guy that was buying bitcoin using coinbase.
09:56 < gmaxwell> it was all out from him to coinbase
09:56 < warren> and this made his bank nervous...
09:59 < gmaxwell> banks are like persian cats, fluffy and afraid of everything.
18:11 < maaku> ok, the value bitcoin has which is beyond tulips then
18:12 < nsh> what if it's tulips all the way down, madam?
18:12 < maaku> then we're in for a crash to zero
18:12 < maaku> i don't think that's likely
18:12 < nsh> my favourite price :)
18:12 < nsh> no, there is a utility-based floor
18:13 < maaku> and if i introspect and say why it's not likely, it's because bitcoin-the-network has utility
18:13  * nsh nods
18:13 < nsh> and that utility is predicated on a non-zero price
18:13 < maaku> but you remove that utility (by moving 100% off chain to a currency-agnostic platform), then it really is tulips all the way down
18:14 < sipa> who said anything about 100%, and who said currency-agnostic?
18:15 < maaku> show me an off-chain solution which has the same security properties as bitcoin but doesn't require the expensive global consensus protocol... and you will have demonstrated bitcoin's replacement
18:16 < sipa> it won't have the same security properties, but bitcoin isn't perfect either
18:16 < maaku> either off-chain solutions are fundamentally weaker in some way, or they will replace bitcoin by virtue of being less costly and less burdensome
18:16 < nsh> diversification is generally more useful than replacement
18:16 < sipa> bitcoin in particular is weak regarding privacy
18:16 < nsh> forms of travel have diversified a lot from walking, but none has ever fully replaced walking
18:17 < sipa> maaku: anyway, how do you see bitcoin being scaled up?
18:19 < maaku> sipa: increasing the block size in lock step with scalability improvements, to get a couple orders of magnitude more tps,
18:19 < maaku> and introduction of centralized but otherwise trust-free private accounting servers
18:19 < maaku> which will handle a lot of traffic with a different security tradeoff
18:19 < sipa> any particular scalability improvements you're thinking of?
18:20 < maaku> but one which is suitable for self-issued assets
18:20 < Emcy> if increasing the TPS via blocksize creates any new points-of-control/regulation/whatever, they WILL be exploited
18:20 < Emcy> its as simple as that
18:20 < Emcy> maybe not even for 20 years, but it will happen
18:21 < maaku> indexes for lite clients, partial-pow for distributing transaction lists, and moving to proof-provided utxo validation
18:22 < maaku> like peter's mmr for example, but you can do almost as well without sacrificing lite clients with more traditional utxo structures
18:22 < sipa> well indexes certainly help light clients, but they certainly don't help performance of full nodes
18:22 < sipa> what is proof-provided utxo validation?
18:22 < maaku> it means updatable proofs are included with transactions
18:23 < maaku> so full nodes require only small constant-space data
18:24 < gmaxwell> maaku: split-mmr doesn't completely avoid screwing lite clients... since they still can't write a proof that their coin isn't spent.
18:24 < maaku> (pushes the maintenance work of validation from the full-node/miner onto the wallet)
18:24 < gmaxwell> (they still need help to write the proof)
18:24 < maaku> gmaxwell: yes but that can be outsourced
18:24 < gmaxwell> yes, agreed.
18:25 < gmaxwell> maaku: the other issue is shipping the proofs increases bandwidth.
18:25 < gmaxwell> though a tradeoff is possible like "don't send me proofs, I have all the data"
18:26 < sipa> sounds like a jehova's witness
18:26 < maaku> heh
20:49 < amiller> damn i don't think there's any way for my tournament idea to work with current bitcoin :/
20:55 < HM2> ok enough of that madhouse. thanks for the info gmaxwell
21:56 < nOgAn0o> Hi, me.
21:58 < Emcy> "Since Bitcoin's security relies primarily on the number of confirmations received instead of on elapsed time, we end up getting irreversibility of transactions with very high probability in far less than 10 minutes.
21:58 < Emcy> is that really true
21:59 < gmaxwell> no, it's not; it depends on your threat model.
22:00 < Emcy> the part before the comma i mean
22:00 < gmaxwell> no, it's not; it depends on your threat model.
22:01 < Emcy> so "longer" blocks are statistically a better confirmation of a txn than shorter ones?
22:03 < gmaxwell> Emcy: in some threat models, e.g. where the attacker is going to lease power to do a short reversal time after the first confirmation is basically all that matters... how much work must the attacker do to undo the confirmation.
22:05 < Emcy> right
22:05 < gmaxwell> Figuring out the safety in their revised selection algorithm isn't simple either. e.g. you could have a block with 10 confirms, but it's really competing with another subgroup which is only 1 confirm behind, and maybe it's actually ahead but you've just not heard of one of the blocks required to make it win.
22:05 < gmaxwell> Fun attack in that model: "delayed announcement of your own stale blocks"
22:06 < Emcy> i want to try and read and understand enough to work out for myself if its viable or not
22:06 < Emcy> though the immediate claim of 1 second blox makes me skeptic
22:06 < gmaxwell> well just ignore the actual numbers.
22:07 < gmaxwell> 1 second would give big advantages to consolidations.
22:07 < Emcy> consolidations?
22:08 < gmaxwell> hashing datacenters.
22:08 < gmaxwell> (or pools for that matter)
22:09 < Emcy> oh yes
22:10 < Emcy> its only a couple of times the causal diameter of the earth :/
22:10 < gmaxwell> delayed announcement attack: you're mining and you find your block stale. but instead of announcing it, you put it aside and hope that later there is less than one block of difference between a fork containing that block and another fork, and if that happens you start mining on it and delay announcing the tiebreaking stale that would let everyone else know that they'd best be mining on that subgroup, until you've found a block.
22:10 < gmaxwell> Emcy: right.
22:10 < gmaxwell> 1 second is almost certainly too fast... though it would take simulations to tell for sure.
22:11 < gmaxwell> not to mention that practically all mining hardware today has multisecond latencies.
22:11 < Emcy> that's why im skeptic...another paper leading with a fantastical claim
22:11 < gmaxwell> p2pool had to increase from 10 second shares to 30 second shares because of slow hardware responses.
22:12 < Emcy> did you see p2pool jumped to 3% power this week. hashpower doubled out of nowhere
22:12 < zooko> Hello, wizards.
22:12 < gmaxwell> also, if you wanted to talk about viable: more viable in the context of bitcoin would be basically making p2pool a protocol requirement with a rule that new shares can't displace transactions in prior ones.
22:12 < Emcy> feelsgoodman.png
22:13 < gmaxwell> and doing that would avoid breaking the scalability of lite clients.
22:13 < gmaxwell> (in fact, it would just be a soft fork)
22:13 < Emcy> zooko excuse me sir, im a warlock
22:15 < Emcy> gmaxwell i dont see that happening either. If p2pool gets too big its just back to square one. Unless theres a way to split them in a decentralised way
22:15 < gmaxwell> Emcy: ...
22:15 < gmaxwell> Emcy: ::sigh::
22:15 < gmaxwell> Emcy: what I'm suggesting has nothing to do with p2pool.
22:15 < gmaxwell> Emcy: except using the same technique
22:16 < Emcy> in all but name then?
22:16 < gmaxwell> Emcy: I'm pointing out that you don't have to hardfork bitcoin to have a fast blockchain. We already have a 30 second blockchain, it's called p2pool.
22:16 < Emcy> ah thats true
22:16 < gmaxwell> The only distinctions are that (1) not everyone is forced to use it, (2) it allows later shares to reverse earlier ones; they don't accumulate.
22:17 < gmaxwell> those could be fixed. In such a world you could still have a p2pool mining that network which was a fraction of the size.
22:17 < gmaxwell> but the two level chain would give you fast confirmations.
22:18 < gmaxwell> also because its two level it wouldn't increase work for lite clients unless they were interested in hearing about fast confirms
22:18 < Emcy> could it work the other way?
22:19 < Emcy> bitcoin could become a subchain for something else
22:19 < gmaxwell> not without changing bitcoin's rules in a hardforking way.
22:20 < Emcy> perhaps 10 minutes was actually too fast for base chain then
22:20 < gmaxwell> Emcy: in any case, thanks, if I bring up that point again I'll be sure to not mention p2pool. :)
22:26 < Emcy> heh so im your litmus test for being able to properly explain your ideas to the masses :)
22:26 < Emcy> if thats how i help bitcoin so be it
22:27 < gmaxwell> hah. well if it confuses you, its going to confuse other people.
22:29 < Emcy> doesnt help ive got a foot inside migraine territory right now
22:29 < Emcy> in fact yeah i better go
22:29 < Emcy> later wizards
22:34 < gwillen> Hello zooko, fancy seeing you here.
22:52 < zooko> Hello, gwillen.
--- Log closed Sat Dec 07 00:00:38 2013
--- Log opened Sat Dec 07 00:00:38 2013
08:31 < iddo> amiller: gmaxwell: i'm trying to understand regarding DoS by diff-1 orphans at genesis, if we eliminate checkpoints and add to blocks some kind of merkle root committing to the current UTXO (to help lite nodes), how does it mitigate this DoS attack?
08:32 < sipa> there's only a DoS attack possible because of how the current chain-catchup works
08:32 < iddo> hmm
08:33 < sipa> with headers-first synchronization, you can know there is enough PoW on top of a block before actually downloading and processing it
08:34 < iddo> i don't understand, diff-1 PoW blocks are (relatively) easy to generate, what's the rule that will cause you to ignore them instead of bloating your local copy of the blockchain with them?
08:35 < sipa> right, it won't prevent it entirely
08:35 < sipa> but right now, the largest problem is that diff-1 blocks will be downloaded and potentially processed
08:35 < sipa> but with headers-first, you'd only download and process the headers
08:36 < iddo> ahh
08:36 < sipa> until such a chain becomes the actually best total work chain
13:49 < TD> michagogo|cloud: the evidence just in the document needed to get an arrest warrant seems to create an open/shut case.
13:51 < TD> gmaxwell: that .... and prosecutors try to avoid spending time on weak cases. japan has a 99% conviction rate but not the same culture of insane jail sentences
13:52 < TD> UK has 80%
13:53 < TD> anyway home time
13:53 < shesek> michagogo|cloud, if I understand correctly, he did this via a 3rd party company that was marketing to SR users
13:53 < TD> third party guy
13:53 < michagogo|cloud> TD: I was specifically asking about the "sold bitcoins for drugs" part
13:53 < TD> yes
13:54  * michagogo|cloud goes to read
13:54 < TD> shrem knew he was selling bitcoins to a drug dealer on SR, said he knew many times, and explicitly helped the guy avoid bitinstant's partner companies AML controls
13:54 < _ingsoc> TD: Plea deal or jail time?
13:54 < michagogo|cloud> TD: ah
13:54 < michagogo|cloud> BTW, shesek, could you tell me if you're able to access tigerdirect.com?
13:54 < TD> the guy's emails write the case for him. the prosecutor probably doesn't even need to turn up
13:54 < shesek> michagogo|cloud, nope. blocking Israeli IPs?
13:54 < TD> _ingsoc: both?
13:55 < michagogo|cloud> shesek: Would appear so
13:55 < michagogo|cloud> Looks like Germany isn't blocked, while Latvia is
13:55 < shesek> perhaps some poor anti-ddos protection?
13:55  * michagogo|cloud shrugs
13:56 < phantomcircuit> it's internap
13:56 < phantomcircuit> so yeah probably just terrible anti-ddos
13:56 < phantomcircuit> michagogo|cloud, charlie is going to prison for a very very long time
13:57 < michagogo|cloud> internap?
13:57 < phantomcircuit> michagogo|cloud, internap.com
13:57 < shesek> TD, oh, right, guy. I thought Faiella was a company
13:57 < TD> nope. that's his last name
13:58 < phantomcircuit> shesek, he's the guy who was all over sr offering to purchase money packs
13:58 < phantomcircuit> iirc he even had a ridiculous little cartoon king
13:58 < TD> he was getting people to deposit into his personal bank account, even
13:59 < shesek> I never used SR, so I'm not really familiar with that/him
13:59 < gmaxwell> I wonder if he's the guy who OTC downrated me when I punted him from OTC for his moneypak moneylaundering.
13:59 < shesek> o_O his personal bank account? is he stupid?
13:59 < phantomcircuit> TD, afaict faiella legitimately did not believe that he was breaking the law
13:59 < TD> shesek: has anyone who has been involved with SR so far *not* been stupid?
13:59 < phantomcircuit> gmaxwell, he has definitely been on -otc before
13:59 < TD> shesek: i mean, Shrem was supposed to be head of regulatory compliance at BitInstant and was busy telling reporters how he'd only hire people he got stoned with
14:00 < phantomcircuit> shesek, neither have i, but i went through and looked at it out of morbid curiosity
14:00 < TD> phantomcircuit: do read the complaint. they address that. he absolutely knew, and wrote to DPR that he was afraid LE would come for him
14:00 < shesek> TD, I guess consumers are pretty safe - there's too many of them to do anything to any of them
14:00 < TD> they all knew. none of these guys have been idiots
14:00 < phantomcircuit> TD, Faiella?
14:00 < michagogo|cloud> Hmm
14:00 < TD> phantomcircuit: yes
14:00 < phantomcircuit> or shrem?
14:00 < TD> phantomcircuit: both
14:00 < michagogo|cloud> Count Three, overt act b
14:00 < gmaxwell> phantomcircuit: Faiella, near the end.
14:00 < phantomcircuit> well the question is when
14:01 < michagogo|cloud> Anyone care to guess which service that is? :P
14:01 < gmaxwell> Basically Faiella talks to DPR and points out how vulnerable he is.
14:01 < phantomcircuit> i warned charlie that operating in the us was illegal at the same time i shut down intersango usd trading
14:01 < phantomcircuit> he ignored me obviously
14:01 < TD> shesek: who knows? it's not joe random dealer that worries me, it's that shrem was dealing with businesses who (we think) are legitimate and actually try to follow the law, but the laws are so vaguely written that trying and failing can be punished in the same way as deliberately failing
14:02 < TD> so i'm hoping they don't go after mtgox or the cash processor next (i think i know who that was)
14:02 < TD> given that BitInstant died when their cash processor cut them off for AML violations, hopefully that insulates them
14:02 < gmaxwell> Zipzap.
14:02 < phantomcircuit> TD, the cash processor is pretty clearly zipzap
14:02 < TD> yeah
14:02 < TD> i know. for some reason i didn't want to say it
14:02 < TD> it's not named in the complaint
14:02 < phantomcircuit> zipzap is pretty obviously an unlicensed money transmitter
14:03 < gmaxwell> Obviously the exchange in the complaint is mtgox.
14:03 < TD> yes indeed
14:03 < phantomcircuit> i would be fairly surprised if mtgox is implicated in this in anyway
14:03 < michagogo|cloud> Hm, section 10: is that The Foundation?
14:03 < phantomcircuit> despite bitinstant's claims they were never an agent of mtgox
14:03 < michagogo|cloud> Or some other foundation?
14:03 < phantomcircuit> michagogo|cloud, yes it is
14:03 < shesek> they do need to show intent, I'm not sure how easy that would be... if they did try to follow the law and didn't do anything maliciously, they should be fine
14:03 < phantomcircuit> charlie is a founding member iirc
14:04 < gmaxwell> In any case, its a bit annoying because _legally_ there probably isn't a bright line procedural distinction between what was going on here and what a lot of other things are doing/have done which aren't intentionally trying to facilitate unlawful activity.
14:04 < TD> "vice chair" :(
14:04 < shesek> though... the laws are indeed vaguely written and you never know :-\
14:04 < phantomcircuit> michagogo|cloud, https://bitcoinfoundation.org/about/board
14:04 < TD> the foundation has sucked at cleaning its website of members that were later found to be involved in bad stuff. the logo of inputs.io is still there!
14:04 < michagogo|cloud> Ew
14:04 < phantomcircuit> TD, is it really?
14:04 < TD> gmaxwell: right, there isn't .... it's part of why banks refuse to deal with bitcoin companies
14:05 < michagogo|cloud> Who's the webmaster?
14:05 < gmaxwell> So while we can all look at this and say "Idiots!" the successful prosecution here may lay the groundwork for causing problems for people who weren't doing anything that was so obviously problematic.
14:05 < TD> it was, at least
14:05 < _ingsoc> Lol, Mark. I wonder how badly the US wants him too.
14:05 < sipa> TD: guess i haven't followed up so closely, what is inputs.io?
14:05 < phantomcircuit> shesek, the unlicensed operation of a money transmitter is fairly solidly defined, the failure to file an SAR stuff however largely has to do with whether a reasonable person would have found the activity suspicious
14:05 < shesek> TD, I'm not sure how that works, can he simply be removed from it?
14:05 < TD> yep
14:05 < michagogo|cloud> sipa: webwallet specializing in micropayments
14:05 < phantomcircuit> shesek, (or rather whether a reasonable compliance officer would have known)
14:05 < TD> sipa:  a bitbank run by an anonymous dude who vanished with everyones money
14:05 < michagogo|cloud> (off-chain)
14:06 < TD> michagogo|cloud: a new website is being built actually
14:06 < sipa> TD: ah, same old story :)
14:06 < midnightmagic> The knowingly facilitating SR stuff probably is something that will differentiate future *actually* innocent people.
14:06 < phantomcircuit> TD, mybitcoin.com 2.0
14:06 < shesek> TD, there must be some official procedure for removing board members. I'm not sure if its possible to simply delete him from the page :O
14:06 < TD> indee
14:06 < TD> *indeed
14:06 < gmaxwell> Not just that but shortly before inputs.io existed the guy was on the forum selling accounts and stuff, it stank from a long distance away.
14:06 < phantomcircuit> shesek, there is and it can be done within 48 hours
14:06 < midnightmagic> There is a procedure for removing board members who have engaged in criminal activity and it requires a vote from the remaining directors.
14:07 < phantomcircuit> gavinandresen, migggght want to start that
14:07 < midnightmagic> But he's not convicted yet..
14:07 < jgarzik> catching up... URL of criminal complaint?
14:07 < phantomcircuit> midnightmagic, iirc board members can be removed by a vote of 2/3rds
14:07 < midnightmagic> http://www.scribd.com/doc/202555785/United-States-vs-Charles-Shrem-and-Robert-M-Faiella#download
14:08 < midnightmagic> phantomcircuit: I think it requires cause doesn't it?
14:08 < shesek> or a tl;dr: http://www.reddit.com/r/Bitcoin/comments/1wac1t/ceo_of_bitinstant_arrested_for_conspiracy_to/cf048a1
14:08 < shesek> oops
14:09 < _ingsoc> Wtf was he thinking?
14:09 < phantomcircuit> midnightmagic, ah founding members have more rights than normal members
14:09 < phantomcircuit> 5.16(b)
14:09 < TD> michagogo|cloud: though FWIW i get looped in on a lot of foundation stuff, and i have never once seen a reference to Shrem doing anything at all
14:09 < midnightmagic> shesek: The full bylaws (except for possible changes that they've neglected or deliberately refused to release to the github repo) are here: https://github.com/pmlaw/The-Bitcoin-Foundation-Legal-Repo/tree/master/Bylaws
14:09 < shesek> midnightmagic, thanks
14:09 < TD> he may well have been a founding member but he had little impact on the organisation beyond that, i guess
14:10 < gmaxwell> I was surprised to hear that he was in miami, I thought he'd largely dropped off the radar after bitinstant shut down.
14:10 < gmaxwell> esp with people accusing him of theft.
14:10 < phantomcircuit> gmaxwell, yeah he was super busy getting wasted...
14:10 < TD> yeah, i didn't hear anything about him lately either.
14:10 < midnightmagic> lo
14:10 < sipa> gmaxwell: when did it shut down?
14:11 < TD> many months ago
14:11 < TD> when zipzap terminated them
14:11 < gmaxwell> sipa: june 2013ish?
23:20 < gmaxwell> even better, if you're hashpower enough to cause trouble absent 'checkpoint' crud, you mine _two_ of them and then concurrently announce them to half the network each. Goodbye network.
23:20 < gmaxwell> tacotime_: yea, in what tromp__ was suggesting, they'd be worth infinite-ish work. :P
23:22 < tromp__> ic. i should fix my suggestion. trigger when, not the blockheaderhash, but the whole block hash has 16+ zeroes
23:23 < tromp__> so it has no relation to accumulated difficulty
23:23 < gmaxwell> tromp__: that doesn't change anything relative to the points I made.
23:24 < gmaxwell> also, if it really worked like that, people would mine the whole block hashes instead, as they'd be much easier than normal mining.
23:24 < tromp__> let me educate myself some more on checkpointing procedures...
23:25 < gmaxwell> I reiterate, you really ought to forget that exists at all.
23:25 < tacotime_> I'm out to sleep, night!
23:25 < gmaxwell> Everything I've ever seen described in that space creates attacks where none existed before, some more serious than others.
23:25 < c0rw1n> good night tacotime_
23:26 < gmaxwell> in particular, most of them create attacks which are most available to high hashpower consolidations, and if none of those exist then there was little to no advantage to be gained by having anything like that to begin with.
23:27 < tromp__> i have no idea what are these checkpoints you're talking about:-)
23:27 < gmaxwell> :)
23:28 < c0rw1n> "these are not the checkpoints you are looking for" ?
--- Log closed Thu Jan 30 00:00:09 2014
--- Log opened Thu Jan 30 00:00:09 2014
14:04 < ZoltanTokay> Bitcoin will raise so much after google will add bitcoin to their wallet.. look they speak live about it... www.thebitcoinsnews.com
14:57 < cymanon> ethereum? risk too high?
15:00 < optimator> it would be nice if all wallets provided a common api for testing. Hook the api up to testnet run through tests, add customer tests (m-n transactions). certified!
15:00 < optimator> *customer=custom
15:10 < phantomcircuit> cymanon, what?
15:17 < cymanon> I don't know ;\ be back later
15:57 < grazs> any recommendations for a cheap fpga kit?
15:58 < maaku> grazs: off-topic
15:59 < maaku> but i would recommend #bitcoin-otc, I'm sure there's plenty of miners getting rid of their gear
15:59 < grazs> i'm sorry
16:00 < grazs> that might actually be a very good idea, thanks!
16:16 < michagogo|cloud> ;;later tell gmaxwell Did you be any chance capture the second day of the ny hearing?
16:16 < gribble> The operation succeeded.
16:16 < michagogo|cloud> by*
16:20 < petertodd> gribble: I hear this is the raspberry pi of FPGA dev kits: http://www.zedboard.org/
16:20 < petertodd> grazs: er, ^
16:23 < grazs> petertodd: thanks a bunch! i got inspired when you guys talked about PoW algorithms
16:24 < grazs> and my job doesn't want to buy us such fine toys
16:27 < petertodd> grazs: yeah, the zedboard is very cheap, and stupidly powerful
17:14 < tromp__> the
17:14 < tromp__> Parallella-16 (Expect to re-open orders in January)
17:14 < tromp__> Parallella-16
17:14 < tromp__> sorry; copy-paste issues
17:14 < tromp__> the Parallella-16 board is similar to the zedboard but only $99 (currently sold out)
17:15 < gmaxwell> tromp__: uh, it's almost entirely unlike the zedboard.
17:15 < gmaxwell> It's not a FPGA.
17:15 < gmaxwell> oh you mean the cpu is a zynq
17:15 < gmaxwell> Sorry, indeed.
17:16 < tromp__> it has both a zynq and an epiphany (16 core cpu)
17:16 < gmaxwell> yea, sorry I thought you were saying the epiphany was like the zedboard. :P
17:17 < gmaxwell> One thing about the zedboards is that they come with the license for the fpga tool. I _believe_ there is a cut down version of the zedboard which is a lot cheaper but doesn't include that license; though indeed not as cheap as $99
17:17 < tromp__> i'm not sure what the epiphany is good for, but you gotta love that zynq
--- Log closed Fri Jan 31 00:00:09 2014
--- Log opened Fri Jan 31 00:00:09 2014
--- Day changed Fri Jan 31 2014
13:18 < midnightmagic> petertodd: I would once upon a time say that the Icarus was a nice alternative with a stronger fpga onboard, but.. I haven't the foggiest where one would even buy an Icarus-but-with-nextgen-fpga on it these days.
13:24 < gmaxwell> the zedboard is actually a lot nicer than the icarus in a lot of ways.
13:25 < gmaxwell> because there is onboard dual arm core with a memory-speed bus between that and the fpga you can create things where only part of the code is in the fpga quite easily.
13:26 < gmaxwell> E.g. one of the guys working on the daala code has our transforms all running on the fpga on the zedboard with only a few weeks work. But if you had to do the whole codec before you could run anything at all it would likely be months and months of work.
13:26 < gmaxwell> though the fpga in question isn't terribly huge, which is a bit unfortunate.
13:28 < gmaxwell> problem with the zedboard is that its not cheap. would be a lot nicer if it were $50.
13:42 < midnightmagic> Yeah, that's why I said "nice" but not necessarily "better" depending on what I was going to do. I guess I don't mind futzing around with raw gate-level logic in the little circuit drawing section of ise so I like the notion of a stronger fpga
13:52 < midnightmagic> I managed to get one of these for free over christmas: http://www.xmos.com/en/startkit just by asking for it. Got it in the mail a few weeks ago, very tiny little board.
14:53  * andytoshi-logbot is logging
14:53 < andytoshi> systemd says irc-logger was running continuously since Sun 2014-01-19 09:39:07 PST <.<
15:25 < tromp> i put a new version of my cuckoo cycle paper on https://github.com/tromp/cuckoo that discusses parallelizability
15:52 < amiller> i'm frustrated, i found a bunch of errors in this line of work i've been following closely and trying to build off of
15:52 < amiller> in the "universally composable" security framework / network model
15:52 < amiller> i'm trying to submit a paper in like a week
15:53 < amiller> basically the best thing for me to do is to just inherit all of those errors for now.
15:53 < amiller> since the whole thing is unrelated to the main points i'm trying to make
15:53 < amiller> </abstract griping>
15:54 < midnightmagic> :-(
15:57 < gmaxwell> Theoretical work that isn't sound, say it aint so!
16:12 < amiller> theory tends to be neither sound nor practical, but can be broad/expansive and is relatively efficient to work on
16:12 < amiller> practical implementations tend to be neither generic nor sound
16:13 < amiller> and formal methods coq-stroking exercises are sound but neither practically useful nor generic
16:13 < maaku> amiller: but practical implementations to tend to work ;)
16:13 < amiller> mostly :)
16:15 < jtimon> tromp the very term "non-parallelizable pow" seems contradictory to me
16:16 < jtimon> oh, he's gone...
16:16 < jtimon> if two miners can try to solve the same block in parallel, how can't the same miner do the  same?
16:17 < jtimon> how can't a single miner do the  same?
16:17 < jtimon> well, I'll tell him to find another term another time...
16:18 < tromp__> i'm back
16:18 < tromp__> different miners will work on different instances, i.e. different cuckoo graphs
16:19 < jtimon> so what you really mean by "non-parallelizable pow"? is non-parallelizable using a given architecture, no?
16:19 < tromp__> i want a single instance to be hard to parallelize
16:20 < jtimon> hard to parallelize in current GPUs and x86 archs?
16:20 < tromp__> yes, because they limit how many random accesses you can make to main memory in parallel
16:20 < gmaxwell> andytoshi: I'm reading LWN and "Hey, the same thing happened to andytosh...ahh"
16:21 < jtimon> tromp__ what's the point?
16:21 < tromp__> and because path conflicts will reduce the prob. of finding a cycle
16:22 < tromp__> the point of what?
16:22 < jtimon> the point of "hard to parallelize in current GPUs and x86 archs pow"
16:23 < sipa> sc? rs? ch?
16:24 < tromp__> because being able to have many simultaneous random accesses to  main memory is generally useful
16:24 < jtimon> for bitcoin?
16:25 < tromp__> for general computation
16:25 < jtimon> in other words...what's the problem you see in SHA256 that you're trying to solve with cuckoo?
16:26 < tromp__> it promotes custom hardware that it not generally useful
16:26 < tromp__> and centralizes mining power
16:26 < maaku> tromp__: no matter how much you try, dedicated hardware will still be faster/more-'hash'-per-watt by some factor
16:26 < jtimon> and cuckoo-ASICs will be generally useful?
16:26 < maaku> and our experience shows that it will not be long until someone makes an asic
16:26 < maaku> that is not general-purpose
16:27 < tromp__> fast parallel RAM access is more generally useful yes
16:27 < jtimon> tromp__ with or without RAM, it's still specialized hardware
16:28 < jtimon> ASIC != general purpose computer
16:28 < tromp__> cheap better memory interconnects will be commoditized
16:29 < tromp__> your intel CPU and your memory chips are also ASICs
16:29 < tromp__> but because they're general purpose they are commoditized
16:29 < jtimon> no, they're general purpose
16:30 < jtimon> asic = application specific
16:30 < andytoshi> gmaxwell: :P i wondered if you'd catch that. (thx for checking the key for me!)
16:30 < tromp__> here's the thing
16:30 < tromp__> to optimize cuckoo, you have to optimize a more general thing: namely parallel random memory access
16:31 < jtimon> cool, but I'm still not able to run emacs on my old cuckoo-ASIC
16:31 < tromp__> it's still all about memory
16:31 < maaku> tromp__: no, they will just put all the memory and custom circuits on a single die, because that's the most efficient thing to do
16:31 < maaku> you won't get any commoditization of general purpose hardware
16:31 < tromp__> rather than building an asic full of specific computational steps
16:32 < jtimon> so your goal is for asic manufacturers to research random memory access?
16:46 < gmaxwell> again, being confident that the thing is trapdoor and easy-instance free is important and generally hard to achieve.
16:46 < maaku> such as being progress-free, and dependent on the prior block
16:47 < gmaxwell> maaku: there are a lot of stochastic search problems that can be made dependent. Making them easy-instance and trapdoor free is much harder.
16:47 < maaku> yeah
16:47 < jtimon> like I said, I don't think it's an easy problem gridcoin has solved, but I believe an appropriate task will be found
16:49 < gmaxwell> plus, in general, no one wants computing power like this. It's used very wastefully where it is used. Most of the papers that have come out of folding at home have been "ra ra we can get people to give us computing power, look at the interesting problems we had keeping them busy" not ... "cancer cured!"
16:49 < jtimon> and by the way, maaku, the FF could buy "proofs of results" with something like https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment
16:49 < gmaxwell> I think after a decade folding at home got like .. one actual non-CS result out of the thing.
16:49 < Emcy> wow that's sad
16:49 < Emcy> wtf
16:50 < iddo> gmaxwell: i'm not completely sure that i understand H(seti(H(header)))<TARGET, you should care both about seti() finding some interesting value, and the hash of it being below the target? if you care only about the hash, the seti() value still needs to be something that's easier to verify than to compute, otherwise it's meaningless?
16:50 < gmaxwell> likewise, seti at home was mostly a marketing thing for seti. The work it was doing could have been done far more cheaply with a $50k stack of fpgas.
16:50 < maaku> yeah the class of problems you can solve with @home style distributed computing is really, really small
16:51 < gmaxwell> iddo: the idea there is that it works for anything where solving randomized instance of the problem is useful.
16:51 < Emcy> i did 5000 seti units :(
16:51 < Emcy> on a Pentium
16:51 < gmaxwell> iddo: the idea there is that it works for anything where trying many randomized instances of the problem is useful and where testing a single instance is fast.
16:52 < gmaxwell> iddo: the interesting results other than H(problem())<TARGET can be learned as a side effect.
16:52 < maaku> i converted my university's computer labs to run seti@home in the background over a decade ago ... my sense of morality was less developed as a teenager
16:52 < maaku> we were in the top 10 for 3 months :)
16:52 < Emcy> gmaxwell did you see tht thing that turns protein folding into a 3d game
16:53 < gmaxwell> Emcy: yea, foldit
16:53 < gmaxwell> Are you any good at it?
16:53 < Emcy> turns out humans are better at it than computers, with our intuition and stuff
16:53 < gmaxwell> unlike folding at home, they had useful medical results fairly quickly.
16:53 < Emcy> yeah i should try it again, it ran like shit on my old computer
16:53 < jtimon> I would love to have many people donating their GPUs to run my neural networks playing go during 1000 generations
16:54 < jtimon> or the same NN learning another task
16:54 < Emcy> did you read the story about the quake 3 server running bots that someone forgot about for years
16:54 < iddo> gmaxwell: yes, so is there seti() function that's fast to verify the 'interesting' solution?
16:54 < gmaxwell> Emcy: I only used it when it was very new, I was reasonably good at it, but I understand that it's gotten much deeper since the original release; with things like multiplayer problems.
16:54 < Emcy> quake 3 bots have heuristics
16:55 < Emcy> the bots achieved complete peace.......
16:55 < jtimon> Emcy I can build a q3 bot that plays with exactly the same inputs you have
16:55 < jtimon> as a human
16:55 < maaku> i have a boinc design to develop and test molecular nanotechnology pathways via evolutionary search
16:55 < maaku> strangely not much money in that though
16:56 < jtimon> and don't tell him anything about time or space, just about good and bad
16:56 < gmaxwell> iddo: e.g. in the actual seti problems, you're running sinusoidal analysis on noisy data looking for chirps. it's not terribly hard to generate random instances of the problem, e.g. adding a small amount of additional noise.. and it could be broken down so that it was cheap to run a single instance.
16:56 < Emcy> http://www.huffingtonpost.co.uk/2013/07/01/quake-3-arena-world-peace_n_3529082.html
16:56 < Emcy> welp reinstalling foldit
16:58 < maaku> that's a good description of what seti@home is doing right now ... but alas we've known for 10+ years that it's probably not what seti@home should be doing
16:59 < jtimon> foldit sounds great, I have thought before about people getting paid to play games while solving problems without noticing
16:59 < Emcy> i heard the air force recruited gamers for their drone program
16:59 < Emcy> does that count
16:59 < maaku> they're basically looking for a giant multi-gigawatt omnidirectional beacon in space ... with very little reason to think that one would actually be there
17:00 < iddo> so running a single instance means verifying if the random data has the chirps, ok..
17:00 < gmaxwell> jtimon: fold it also merges in computational techniques, as you play you can ask the computer to jiggle, which really runs a rather expensive molecular dynamics annealer in the background to help machine assist your solutions.
17:00 < Emcy> you sound enamoured with foldit
17:00 < gmaxwell> Effectively the human does the global search, which is intractable, and the machine does the local search which it's reasonably good at.
17:00 < jtimon> oh, gmaxwell, I see, you're really donating computing while you play
17:01 < gmaxwell> iddo: right. and getting out some chirp presence indexes.
17:01 < gmaxwell> jtimon: well, indirectly the cpu is used to assist your own game.
17:01 < Emcy> i think of seti@home (the original) as a proof of concept really.
17:02 < gmaxwell> well distributed.net DES cracking was the proof of concept. :P
17:02 < jtimon> yeah the point was getting people to donate their computing to scientists
17:02 < Emcy> you say they could have just made an asic farm but they were skint, always scrubbing for money
17:03 < maaku> Emcy: they have a very large fpga array they use to collect, preprocess and break up the data
17:03 < iddo> i saw that the creator of scrypt said that litecoin doesn't have enough memory usage: https://twitter.com/shamoons/status/311256158658760704?x
17:03 < Emcy> they used to have to get the data out of the dish by tape from the middle of Puerto Rico........
17:03 < Emcy> maaku they might now but i dont know about before
17:04 < Emcy> i think their receiver on the dish focus assembly broke once and they had a special donation drive to fix it......
17:04 < jtimon> no we have the masses asking for asic-resistant algorithms as if GPU-mining was a natural right
17:04 < maaku> iddo: the scrypt parameters of litecoin were set by someone it was later shown was doing GPU-mining from the start
17:05 < iddo> there are problems with a bigger memory buffer in scrypt, if it takes say 1 second to invoke scrypt() then it will take days to sync the blockchain, also regular PCs maybe have a disadvantage in propagating blocks vs ASIC
17:05 < iddo> maaku: artforz? how do you know that he did GPU mining from the start?
17:05 < gmaxwell> iddo: yea, in ltc it makes a _visible_ difference in the sync time... and they have a fancy sse optimized scrypt implementation.
17:05 < Emcy> maaku really? i thought that was never proven
17:05 < jtimon> really maaku? so charlie did kind of premine?
17:05 < iddo> if he did then he should be rich now:)
17:06 < gmaxwell> artforz was rich regardless.
17:06 < gmaxwell> :P
17:06 < gmaxwell> artforz came up with the scrypt implementation that ltc used.
17:06 < maaku> not charles
17:07 < gmaxwell> ironically about a month after having an argument with me in #bitcoin-dev where he successfully convinced me that using scrypt for a pow was stupid.
17:07 < maaku> yeah it was artforz
17:07 < jtimon> lolcust was the first one trying those kind of things, no?
17:07 < gmaxwell> lolcust made it public.
17:07 < jtimon> geist geld
17:07 < iddo> gmaxwell: what was his argument against scrypt? botnets?
17:07 < maaku> lolcust worked with artforz to make a series of scrypt based coins which were accused of premine, then charles made litecoin
17:07 < gmaxwell> iddo: yes. and performance. and blocking custom hardware was irrelevant. same ones I use today.
17:08 < jtimon> oh, I see, charlie didn't change artforz's gpu-friendly parameters
17:08 < maaku> yes
17:08 < gmaxwell> it was also pointed out that the parameters were dumb, OTOH, I don't think they realistically could have changed them.
17:08 < gmaxwell> If they made it use more memory it would be a _serious_ performance problem in validation.
17:08 < pigeons> well first charles forked lolcust's tenebrix into fairbrix
17:08 < gmaxwell> it's already arguably one.
17:09 < pigeons> which died of hostile forking
17:09 < maaku> and then a few months later, someone did sergio-like analysis to show that somebody was running a miner with the equivalent of 100's of cpus from the start
17:09 < Emcy> oh dear
17:09 < pigeons> a few parameters were changed from fairbrix to litecoin like max number of coins
17:09 < maaku> and the parameters provided by artforz were conveniently just small enough to fit in current generation gpus
17:09 < Emcy> how could a premined coin like litecoin get so big
17:10 < pigeons> well that someone providing the analysis accusing artforz of gpu mining was real solid
17:10 < gmaxwell> maaku: yea, during ltc's early life the difficulty was way too high... basically always a loss over power costs to mine, ... until the public gpu miners were released, and then magically the economics changed.
17:10 < phantomcircuit> gmaxwell, i wonder if artforz chose the parameters specifically such that he could gpu mine while everybody else was cpu mining
15:40 < jtimon> so you have {H(A), H(A->B)}, {H(B), H(B->C)}, {H(C), H(C->D)} in the chain, and until it's all published only the owners can trace it but cannot double-spend, yes, it's not that complicated
15:41 < gmaxwell> adam3us: it is, I described two kinds of scheme it could bind, yours would be another one, sort of in-between the two I described.
15:41 < gmaxwell> (basically replacing the anti-replay-oracle in the first one with a chain)
15:42 < jtimon> I see, what I was missing was the double-spend prevention, but this could definitely work
15:43 < adam3us> jtimon: the motivation was actually miners enforcing policy when they get too powerful
15:44 < jtimon> yeah, I'm subscribed to that thread but I didn't really understand this missing piece until now
15:44 < adam3us> jtimon: as you can see they have no remaining visibility until the coins are long mined, in this system blocking recipients or taint would be hopeless
15:44 < jtimon> this could work with freimarket assets too
15:44 < adam3us> jtimon: so it's another taint fix without anonymity
15:44 < amiller> adam3us, there are no patents
15:44 < adam3us> amiller: fantastic
15:44 < amiller> adam3us, there is only one fully open source implementation (pantry) and the others are on their way
15:45 < amiller> i have no idea if scip will be open but pinocchio and pantry definitely will
15:45 < jtimon> so the generic term for them all is spark?
15:45 < amiller> snark
15:45 < adam3us> amiller, gmaxwell, TD: it seems to have immense possibilities. i think possibly the only downside is it's super cutting edge, if they got anything wrong, or someone breaks it in the bitcoin scenario it blows up
15:45 < amiller> succinct non-interactive argument of knowledge (it's a generic crypto term, like zero knowledge)
15:46 < gmaxwell> Yea, these are technically arguments of knowledge not zkp. ... which is a whole source of potential surprises too.
15:47 < gmaxwell> because we assume that there is cryptographic hardness to producing a false argument, but the evidence for the strength of that is somewhat abstract.
15:47 < jtimon> thanks amiller
15:48 < adam3us> jtimon, gmaxwell: while initially motivated by preventing miner policy abuse (even up to 99% centralized power etc) hidden tx (better than committed tx i agree)
15:48 < amiller> gmaxwell, the difference between "argument" and "proof" just means computational not information theoretic
15:48 < adam3us> jtimon, gmaxwell: has interesting privacy aspects also, it's temporarily fully anonymous; unfortunately there seems to be no way, short of scip, to privately compact it
15:49 < amiller> most zk proof systems are in fact computationally-sound proofs which is exactly the same as argument
15:49 < jtimon> well, couldn't you present the snark proof in every hidden tx?
15:50 < amiller> snark proof of what?
15:50 < jtimon> amiller of the last hidden tx
15:50 < gmaxwell> amiller: It means the soundness is only computational. A lot of zkp things are sound but zero knowledge is computational.
15:51 < jtimon> just like with coinwitness, where you present the snark proof on redemption/republishing
15:51 < amiller> it's not clear to me at least what it is you would say about the tx in zero knowledge
15:51 < amiller> i think you'd have to refer to a particular blockchain head
15:51 < gmaxwell> amiller: you would. "The coin I'm spending was confirmed in this chain"
15:52 < amiller> and how do you prove it hasn't been spent by any subsequent txes in between when it was confirmed and the current head?
15:52 < gmaxwell> amiller: see the coinwitness post.
15:52  * amiller rereads it but has had a hard time grasping it previously
15:53 < jtimon> you would present {H(c), snark(c->b)} ?
15:53 < jtimon> you can't divide the coins with this approach though, no?
15:54 < amiller> i think we should come up with a good notation for ZK.
15:54 < amiller> the crypto community has let us down
15:54 < amiller> there is this weird notation like [f(x) | x] or something that says f(x) is true but x is hidden but it's kind of inflexible
15:54 < adam3us> jtimon i guess you only need scip/snark hop by hop, the miner can validate the scip and see the encrypted inputs validate
15:55 < amiller> gmaxwell, i still don't understand from coinwitness how you avoid replays like that
15:55 < maaku> so without snark, is it possible to use something akin to the hidden txn scheme to replace the chaum blinding double-spend db?
15:55 < amiller> you mention a replay oracle but that seems like just a strawman because it's some trusted other party apparently
15:55 < adam3us> amiller: don't u like the ZkPoK[m]{(a,b),c: a<b ^ SIG(c)} notation ;)
15:55 < gmaxwell> amiller: ...
15:56 < gmaxwell> amiller: A lot of people understood this, I don't think I failed to explain it adequately.
15:56 < jtimon> yes, that's what I'm saying, isn't that part of coinwitness already? or does the snark validation only happen on redemption/republishing?
15:56 < gmaxwell> amiller: First understand that it's not a concrete system on its own.
15:57 < gmaxwell> amiller: What I'm pointing out is that if you have a machine verifiable offchain transaction system {details are up to you}, and SNARK validation in bitcoin, you can bind the systems that way.
15:57 < jtimon> amiller, what I was missing until now is that miners validate the inputs to prevent double-spending (you have to publish the hash of the input address)
15:57 < jtimon> until now
15:57 < gmaxwell> amiller: I threw out two examples of possible offchain transaction systems, as just examples of how the binding would work.
15:58 < jtimon> amiller what I wasn't able to understand is that "a machine verifiable offchain transaction system" is feasible
15:59 < gmaxwell> amiller: the general idea is you take a coin and pay it to someone who can (in zero knowledge) provide a transcript showing they own the coin and have decided to emerge it into bitcoin in your selected offchain system.
15:59 < jtimon> even without snark
16:00 < gmaxwell> amiller: then you go off and transact and build up your transcript, and your last payment in that system pays to a special terminal address that indicates you're going to reemerge back into bitcoin.
16:00 < gmaxwell> Then you run a SNARK of the transcript validation program over the transcript and get a proof which you present to bitcoin and collect the coin.
16:00 < amiller> gmaxwell, okay i think i understand coinwitness for the purpose you are describing now where you use it to branch out into some other blockchain or oracle-based ledger
16:00 < jtimon> but the transactions aren't really off-chain in this last example, they were just non-public
16:01 < amiller> i guess all that confused me just now is that i was trying to understand it in terms of committed blind transactions
16:01 < adam3us> maaku: "so without snark, is it possible to use something akin to the hidden txn scheme to replace the chaum blinding double-spend db?"
16:01 < adam3us> maaku: without scip or some analogous changes, the utxo can't be compacted
16:02 < gmaxwell> amiller: okay, well, it doesn't have to be some other blockchain or oracle based ledger. It could be a colored coin in bitcoin, for example. Or one of adam3us's blinded things.  It should work for any transaction system which can be reliably verified by a program with maliciously controlled inputs.
16:02 < adam3us> maaku: also it's not anonymous as the recipient sees the sender's address, but it is encrypted so only people involved see it, which i think is a nice balance
16:02 < maaku> "utxo cant be compacted" <-- what do you mean here?
16:02 < maaku> you mean remove intermediate txns?
16:02 < gmaxwell> making it secure if the {other system} is a chain is a little trickier, you either get 'only' headers security, or you add a public input that locks it to a specific chain.
16:02 < maaku> or the double-spend db?
16:02 < amiller> gmaxwell, okay i think i follow all of that
16:03 < adam3us> maaku: well there isn't really a double spend db anymore as it's basically a bitcoin tweak
16:03 < gmaxwell> maaku: adam3us's hidden skeem poops commitments all over the place, and you can't clean them up. At least not until they're unhidden.
16:03 < amiller> the only thing i still don't understand is what adam3us's blinded things are
16:03 < amiller> or basically i think i understand them but it has that.... commitment refuse problem
16:03 < maaku> ugh, yeah that's true
16:03 < amiller> commitment garbage*
16:03 < adam3us> maaku: but the utxo is hard because the miners can't tell what's going on
16:04 < gmaxwell> and if you re-emerge them using a SNARK then you can't clean them up even when they're re-emerged. :(
16:04 < adam3us> amiller: that's why it uses mac & encryption so you can prove you have the right key, and the others are garbage
16:04 < maaku> ok what i'm getting at is some way the burden of double-spend prevention can be placed on the recipient instead of every full node
16:05 < maaku> that's the only thing which keeps me from adding chaum ecash to freimarkets' public chain
16:05 < adam3us> amiller: apart from garbage, you could send just a hash, so it could even be a bandwidth saving (cheaper to drag a payment history than broadcast to everyone)
16:05 < gmaxwell> well if you combine adam3us scheme with petertodd's mmr stuff, then I think you can move the cost onto the receiver.
16:06 < gmaxwell> adam3us: well if you want the emergence to be small you'll need to have the history encrypted in the transactions themselves as you go.
16:06 < adam3us> gmaxwell: "and if you re-emerge them using a SNARK then you can't clean them up even when they're re-emerged. :(" surely if you reemerge them hop by hop (no hidden form respending) then miners can validate the respend, to the individual but encrypted input tx, and then prune encrypted utxo
16:07 < adam3us> gmaxwell: yes there is no saving unless you never reemerge
01:01 < petertodd> and you know, quite willing to take criticism, and flexible
01:19 < gmaxwell> phantomcircuit: so... seen cointerra's screenshot.
01:19 < gmaxwell> I am boggled.
01:19 < gmaxwell> http://cointerra.com/wp-content/uploads/2014/01/DSC05521.jpg
01:19 < petertodd> that's fast
01:20 < gmaxwell> because it shows it as having submitted 44k shares to eligius... but that address is not in the payout queue, nor has it been paid on the network... and it's not in the list of recent miners on eligius.
01:20 < petertodd> oh!
01:22 < gmaxwell> the address is truncated so I can't go straight to the stats, so it's possible that it mined but not enough to be eligible for payout, but not recently enough to be in the 3 hour active list.
01:22 < gmaxwell> petertodd: it's fast, but it's supposed to be 2TH, so not that fast!
01:22 < gmaxwell> http://cointerra.com/engineering-updates-terraminer-iv-hashing-live/
01:23 < petertodd> gmaxwell: what ASIC tech level is it?
01:24 < petertodd> ah 28nm
02:03 < phantomcircuit> gmaxwell, yeah i saw the video before they posted it
02:03 < phantomcircuit> (aren't i so cool)
02:24 < amiller> got thirty cryptocurrencies aint never been released
02:30 < phantomcircuit> gmaxwell, also it's possible they were using an invalid address, iirc eligius treats that as a donation
02:30 < phantomcircuit> Luke-Jr, ?
02:31 < Luke-Jr> I'm not seeing anything so far.
02:31 < Luke-Jr> but this query will probably take a while
02:31 < gmaxwell> Luke-Jr: well it's probably not running now or it would be in the top list.
02:31 < phantomcircuit> iirc he has a share log
02:31 < Luke-Jr> looks like the share log goes back a week
02:33 < gmaxwell> ... weird. well there is a date in the screenshot, also a last block
02:34 < gmaxwell> Luke-Jr: http://cointerra.com/engineering-updates-terraminer-iv-hashing-live/ pic at the bottom
02:49 < gmaxwell> phantomcircuit: it looks like with a slightly different case design they could have fit that in 2u without a problem.
02:51 < gmaxwell> e.g. potentially making it longer and turning the radiators flat. and having airflow that went >_____/
02:57 < midnightmagic> bah
02:59 < gmaxwell> midnightmagic: if it's any consolation CT is on track to deliver another never-break-even miner. Though perhaps they'll rock the world with their power usage and eventually make it back.
03:32 < gmaxwell> https://bitcointalk.org/index.php?topic=319146.msg4494688#msg4494688 < looks like the othercoin thing is being sold now.
03:32 < gmaxwell> I don't have the pre-reqs or the time. But I do think that such a thing could be a valuable addition to the bitcoin ecosystem.
03:33 < gmaxwell> It's basically the digital version of the Casascius coins... but allows the user to safely fill it, and electronic transmission.
03:33 < BlueMatt> nice
03:56 < stonecoldpat> looks nice, my concern is that initially if BTC is $1k - then it will cost $350
04:01 < gmaxwell> stonecoldpat: yea, it's not viable at that price but presumably that will be fixed once it actually exists at scale.
04:03 < stonecoldpat> yeah i hope so, also looking at the video, you start the 'handshake' between devices using SMS, i'm wondering why he chose SMS and it has me a little worried (I don't know why it does yet)
04:05 < _ingsoc> Any idea why the issues 404 after page 100 on Github?
04:06 < _ingsoc> Closed issues.
04:06 < _ingsoc> Works: https://github.com/bitcoin/bitcoin/issues?page=100&state=closed
04:06 < _ingsoc> 404: https://github.com/bitcoin/bitcoin/issues?page=101&state=closed
04:07 < _ingsoc> I figured it's important if anyone wants to look at the history.
04:09 < nsh> there are numbers higher than 100?!?
04:09 < _ingsoc> Yeah. :)
04:09 < nsh> i'll need to revise a lot of models :/
04:09 < _ingsoc> It's concerning because it really needs to be accessible.
04:10  * nsh nods
04:10 < nsh> does it happen on other repositories?
04:10 < _ingsoc> I'm unsure. Let me check.
04:12 < _ingsoc> Yeah, happens on any project when it's 101.
04:12 < _ingsoc> Is there a record of this somewhere, or are all the issues only stored on Github?
04:14 < _ingsoc> If not, it's like erasing history, one page at a time. :D
04:15 < nsh> i'd suspect it's still accessible through git itself
04:15 < nsh> actually, dunno
04:16 < _ingsoc> Not sure how to access issues using git itself.
04:16 < _ingsoc> Everyone should stop working on Bitcoin right now until we figure out how to stop erasing history.
04:19 < wumpus> you could access them one by one through the github API, and make a mirror
04:19 < wumpus> not with git itself as the issues are not part of the repository, only the code changes
04:19 < wumpus> (and commit descriptions in git itself)
04:19 < nsh> ah, right
04:20 < wumpus> so if github goes down we'd lose the discussions that happened on github
04:20 < _ingsoc> That's concerning.
04:20 < wumpus> (which in most cases is no big loss, but I suppose for history's sake you could archive them)
04:21 < _ingsoc> I want to.
04:21 < wumpus> see http://developer.github.com/v3/
04:23 < _ingsoc> Is there a simple way to get a dump?
04:23 < wumpus> I'm sure someone else already wrote a script for that
07:14 < adam3us> 12hr async conversation, caught up, a couple of comments
07:17 < adam3us> covenants/quine scripts. I think relating to a payment's ability to require transferable restrictions on the next transaction. i think this could be policy dangerous due to the virality. consider a script that requires follow-on script to have an AML id signature, a few regulations on exchanges, and policy. i understand it allows useful things like SPV coloring in chain, etc but I think satoshi script is policy safer
07:18 < adam3us> gmaxwell: "So, is there a way with ECDSA, given three messages pick a pubkey,r,s such that pubkey,r,s is a valid signature of any one of the three messages?" only 2 not 3 i think.
07:19 < adam3us> petertodd: "I think the most fundamental thing I've discovered is the concepts of how mining can be separated into timestamping and proof-of-publication" hmm might've been me that seeded that concept. or yet-another-rediscovery gmaxwell/petertodd/adam3us (i tend to get there last as i only started catching up 10mo ago)
07:47 < adam3us> petertodd: and i guess timestamp/namespace/bitcoin-ful/bitcoin-spv relation struck me in part because i thought about distributed namespace things (in the OT-like federated but reactive security + public auditability) pre-bitcoin.  and you maybe because you looked at timestamping.
08:23 < jtimon> adam3us: gmaxwell's thread is full of terrible covenants
08:24 < adam3us> jtimon: on bitcoin talk? a cautionary tale of why the virality of covenants can be a risky proposition?
08:24 < jtimon> but is any covenant economically worse than destroying coins (which we allow)?
08:24 < jtimon> I think it's "coincovenants: a f** terrible idea" or something similar
08:25 < jtimon> https://bitcointalk.org/index.php?topic=278122.0
08:28 < jtimon> actually, I propose the AML-KYC covenant there
08:29 < jtimon> and I think it can replace our optional "authorizer tokens" in freimarkets
08:29 < jtimon> not sure about the  "issuance tokens" yet, I don't think so
08:32 < adam3us> jtimon: i see that gmaxwell and you share my concern that this is a terrible idea :) this is good.  ethereum will have this problem because its script is TC, as well as stateful and lots of non-amenability to theorem provers, security problems inside the language/scripts, and sandbox interpreter escape.
08:33 < jtimon> but the first really-interesting use case I saw yesterday (again in the context of freimarkets) is a covenant that allows you to always buy back interest bearing assets you issued
08:33 < adam3us> jtimon: a covenant is far worse than destroying bitcoins. it is viral and so can be used as a lever to change the social contract and meaning of coins against the users' wishes.
08:33 < jtimon> say you issue adamBTC at 1% interest but want to buy them back for BTC at 1:1 when you want, not when the lender allows you to
08:34 < jtimon> I'm not worried, by attaching a "bad" covenant you've made your coins unfungible: they're not bitcoins anymore but another asset
08:35 < jtimon> destroying is not strictly "viral" but it's also irreversible
08:35 < jtimon> the effect on the quantity of "pure btc" is the same
09:22 < adam3us> jtimon: destroying coins is relatively harmless systemically. it reduces the 21mil limit, but the divisibility means it just creates some supply contraction. we can't prevent it really, all we could do is force people to do it in a non-utxo compactable way
09:23 < adam3us> jtimon: the problem with virality is it's like coinvalidation, it could virally sweep through the system via centralized policy points and change almost all of the coins' semantics. for a system which aims for user-centric policy choices, that is a big fail.
09:25 < adam3us> jtimon: if a user wanted to make a covenant, that's their choice, the worry is more around centralized points like exchanges, regulated businesses, etc imposing a viral covenant on their users that flows through the system where the user has a choice to lose fungibility or submit to some outside imposed policy against their preference and self-interest
09:29 < jtimon> well, let's use my visacoin example (KYC covenant)
09:29 < jtimon> if I give btc to an exchange and they give me visacoins back, I call that fraud and never come back
09:30 < jtimon> the main problem would probably be education and smart clients that show a different separated balance for visacoins
09:32 < jtimon> if we solve that, it doesn't matter if 80% of the btc were turned into visacoins: bitcoins are still p2p
09:32 < jtimon> in the case of freicoin is again less to worry about
09:33 < jtimon> both visacoins and freicoins will be destroyed by demurrage, but miners get fresh clean freicoins
17:24 < andytoshi> wait, no, it's exactly as likely as somebody one block behind pulling one block ahead
17:29 < andytoshi> ok, whenever tholenst shows up again i'll mention this .. it would be a cool idea for an alt if you could post collateral against double-spends
17:35 < Taek> could you use the bitcoin script + contracts to create a distributed exchange between multiple cryptocurrencies?
17:35 < maaku> andytoshi: it's possible for an old fork to overtake the main chain
17:36 < andytoshi> for the chain to shrink does a difficulty retarget need to be involved?
17:38 < maaku> to shrink, yes, but it doesn't have to shrink to cause reorg problems
17:38 < maaku> er, n/m
17:38 < maaku> what i was thinking of is really a double-spend
17:39 < andytoshi> maaku: ah, ok
17:39 < maaku> andytoshi: but isn't that what nLockTime is?
17:39 < andytoshi> maaku: nLockTime makes the output 'unreal' until a certain time
17:39 < andytoshi> in the sense that if i make an nLockTime transaction, i can double-spend that
17:40 < andytoshi> what this does is effectively make an nLockTime transaction that gets mined, so it's impossible to double-spend it
17:40 < maaku> ok i see, the restriction is triggered on the spend
17:40 < maaku> you're looking to lock outputs for a certain amount of time
17:41 < andytoshi> exactly, which is why it's a script opcode rather than some property of the transaction
17:50 < Luke-Jr> hmm
17:50 < Luke-Jr> someone should do a scamcoin generator that doesn't need to compile anything
17:50 < Luke-Jr> just find the constants and hack the binaries
17:50 < Luke-Jr> :D
17:58 < Emcy> wow someone put "please consider donating" and address in the torrent comments for bootstrap.dat
17:58 < Emcy> that strikes me as really low for some reason
18:00 < nsh> agreed
18:01 < Emcy> speaking of is it time for a new bootstrap yet?
18:01 < midnightmagic> 13:59 < adam3us> andytoshi: seems like a snowcrash hiro protagonist problem (wealthy by brownie points on the metaverse but penniless in meatspace)
18:01 < midnightmagic> har har.
18:01 < Emcy> this one from august is still seeding pretty good
18:09 < michagogo|cloud> Emcy: personally, I would say an updated bootstrap would not be a bad thing. I think jgarzik maintains it, though, so I'd ask him what he thinks
18:10 < michagogo|cloud> (Though this is a bit ot for here, I think)
18:12 < maaku> iirc he updates it with each new checkpoint
18:12 < maaku> we haven't had a new checkpoint since august
18:14 < michagogo|cloud> maaku: yeah, though it doesn't need to be like that
18:19 < maaku> yeah
18:19 < maaku> regular 3 month or six month updates would be nice
18:46 < petertodd> andytoshi: s/FAIL_IF_BLOCKHEIGHT_LESSTHAN/OP_CHECKLOCKTIME/
18:47 < andytoshi> hmmm
18:48 < andytoshi> are you just renaming this or changing the behavior?
18:48 < petertodd> andytoshi: pointing out how you should implement it :)
18:49 < petertodd> andytoshi: I actually did implement that as an exercise a few months back
18:49 < petertodd> andytoshi: and actually, OP_CHECKLOCKTIMEVERIFY to be exact
18:49 < petertodd> (need that to be a soft-fork nop)
18:49 < andytoshi> petertodd: gotcha
18:50 < gmaxwell> I kinda wish the locktime time of reference was the median of last 11 time rather than the current block.
18:50 < andytoshi> petertodd: you'd then want nLockTime transactions to be standard, and nLockTime ignored unless it appears in script?
18:51 < andytoshi> unless OP_CHECKLOCKTIMEVERIFY appears in script*
18:51 < gmaxwell> andytoshi: the locktime is already ignored when the sequence number is maximal.
18:51 < petertodd> andytoshi: ? no they're two separate things
18:51 < petertodd> andytoshi: OP_CHECKLOCKTIMEVERIFY takes a number on the stack and compares it with the IsFinal() method, failing the tx if false, leaving the number on the stack if true
18:54 < andytoshi> petertodd: i'm not clear -- how do miners know whether they should bother mining a transaction?
18:55 < andytoshi> if you have an nLockTime'd transaction today everyone will ignore it if it doesn't unlock for a long time
18:55 < andytoshi> but what i want is, the script can override the nLockTime in some cases (eg a proof of double-spend is provided)
18:56 < petertodd> andytoshi: ah, I get you, yeah you can do that with CHECKLOCKTIMEVERIFY too, but only in the sense that the transaction can't be mined because the txout it's trying to spend isn't unlocked yet
19:00 < gmaxwell> andytoshi: trying to have an anti-double-spending bond?
19:00 < andytoshi> gmaxwell: yeah, but it's not working out :P
19:00 < gmaxwell> one problem with those is then how do you prevent the bond from being multiple subscribed?
19:00 < gmaxwell> e.g. I make one 1 btc bond. Then I make 1000 0.5 BTC spends secured against it
19:00 < phantomcircuit> andytoshi, bond for what?
19:02 < justanotheruser> petertodd: Are there any posts or technical details on how sharding the blockchain would work? Would it involve removed anonymity?
19:02 < petertodd> gmaxwell: well, what if we had some kind of global consensus on who was making use of the bond?
19:02  * petertodd ducks
19:02 < andytoshi> phantomcircuit: the idea is, i send you some money -- then rather than having you wait for a confirm, i construct an output (which i own) such that you can just take it if you can prove that i've double-spent you
19:02 < gmaxwell> petertodd: but then you have to wait for that consensus to settle, defeats the purpose.
19:03  * justanotheruser frowns
19:03 < petertodd> gmaxwell: that was the joke :)
19:04 < petertodd> justanotheruser: https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html is the best writeup I have
19:04 < gmaxwell> I'd say you could trust a broadcast network to tell you about competing bond usage, except the thief could redeem his own bond.
19:04 < petertodd> justanotheruser: and it's not strictly about sharding, but you can easily see how it could be
19:04 < andytoshi> gmaxwell: that's the problem that just occured to me when i said "it's not working out :P"
19:04 < gmaxwell> (and he's not obligated to tell the broadcast network)
19:05 < petertodd> gmaxwell: hence it needs to be partial redeem, partial destroy
19:05 < justanotheruser> petertodd: thanks
19:05 < gmaxwell> andytoshi: this isn't to say that such bonds might not be useful. E.g. large ones which mostly destroy their funds. (they only pay at all as a reward for making the cheating public)
19:05 < petertodd> justanotheruser: I had another post on bitcointalk somewhere from a few months back
19:06 < gmaxwell> but there needs to be a way to transfer ownership of such bonds.
19:07 < petertodd> gmaxwell: which I solved, but soon realized then you also need a way to prove that proof-of-fraud isn't waiting to be released, which means you need consensus about all such fraud, which means proving fraud needs to be proof-of-publication-based. Fortunately this txout scheme I think works here.
19:07 < petertodd> gmaxwell: e.g. the proof is the txout bond hasn't been spent via fraud proof
19:09 < gmaxwell> right, but how do you allow transfer and not create a race between a transfer and a fraud?
19:10 < petertodd> gmaxwell: you create an intermediate "cooling off" period before a transfer can actually go through
19:10 < gmaxwell> I guess by having two outputs, one for transfer, one for fraud, and fraud can still be published for some time after the transfer before it settles?
19:10 < gmaxwell> yea, makes sense the resulting protocol has a number of steps though, which is unfortunate.
19:12 < petertodd> Yeah, or some multisig scheme with some kind of mutually agreed on cooling off tx - lots of possibilities.
19:12 < petertodd> Well, I think the cooling off thing is unavoidable to be fair to people potentially relying on the bond.
19:12 < gmaxwell> anyone honoring the bond needs to know the ... right
19:13 < petertodd> Which also means the bond txout really needs to be able to constrain the txout of the tx spending it. :(
19:13 < gmaxwell> esp if you want to allow the bond to be honored by 'offline' devices.
19:13 < petertodd> yup
19:13 < andytoshi> petertodd: right, and that means that you have to precommit to your output and you lose the 'spend without waiting for confirmations' benefit :(
19:14 < gmaxwell> andytoshi: only if you expect people to get paid from the bond.
19:14 < gmaxwell> andytoshi: the alternative is you give up on that and just set it up so that misbehavior costs the misbehaving party their valuable bond... you don't get paid back but they don't get to keep using the bond.
19:15 < petertodd> gmaxwell: no, you just make some of the reward of proving fraud be paid out, and some destroyed, and make the destroyed amount larger than the payout amount
19:16 < gmaxwell> petertodd: you still can't promise the defrauded person get paid no matter how much the bond pays out
19:16 < andytoshi> sure, but how does this make it possible to use the bond without committing to the output?
19:17 < andytoshi> ah, because 'overcommitting' is not a thing
19:17 < petertodd> gmaxwell: ah, right
19:17 < gmaxwell> andytoshi: because you're not promising that any particular victim can get paid.
19:17 < gmaxwell> right.
19:17 < gmaxwell> The payment the victim gets is just for the trouble of actually announcing to the world that they got ripped off.
19:17 < petertodd> gah, I should have written this up back when I was thinking about this stuff for fidelity bonded banks...
19:18 < petertodd> gmaxwell: yeah, they're not guaranteed to be made whole, and it's tricky to guarantee the fraudster has a net loss
19:21 < petertodd> unrelated: took a look at the twister twitter blockchain thing, and its difficulty is 0.002... a single GPU scrypt miner could 51% attack the thing
19:21 < gmaxwell> haha one of my coworkers just asked me about his ntp daemon at home using lots of bandwidth
19:21 < petertodd> whut?
15:54 < adam3us> to do validation later however, you are going to need the preimage (eg validate back to genesis full validation , new full client comes online) and storing data + h(nonce|data) isnt smaller than storing data
15:54 < adam3us> if the data is not necessary for validation however, that'd be a good idea and does not need to be stored, only maybe relevant to people sending/receiving the payment
15:55 < gmaxwell> adam3us: petertodd is talking about more than proving its a hash, he wants to also prove that the public knew the preimage at some time.
15:55 < gmaxwell> The reason that peter wants that because he wants to use bitcoin as a jamming resistant communications channel.
15:56 < adam3us> and you'd do that in 2 phases, commit first, then disclose hash pre-image?
15:56 < gmaxwell> (In order to do things like announce an anyone can spend transaction in order to prove that funds were thrown away.)
15:57 < petertodd> adam3us: Nope, disclose fully first - I'm not assuming censorship.
15:58 < adam3us> doesnt the tx itself prove funds were spent to anyone?
15:58 < adam3us> (the tx is part of the tx history so anyone can verify that)
15:58 < gmaxwell> adam3us: no, because a miner could spend anyone can spend transactions that no one saw before they were in the block.
15:58 < petertodd> adam3us: A miner can mine and spend the funds to themselves in one go.
15:58 < gmaxwell> So he could be paying himself.
15:59 < adam3us> ah ok i remember that discussion from before
16:00 < petertodd> adam3us: It's a tough problem because the miner might even be making a whole bunch of sacrifices at once, so much so that the sum of the value makes throwing away blocks to find a lucky sequence of a few in a row is still profitable.
16:01 < adam3us> so to prevent that you say, a tx is not considered sacrificed, unless it was announced, for some time, and then released, presuming more than one miner contributed you are reasonably confident no individual miners spent it to themselves
16:01 < petertodd> Basically the interval between announce and commit is proof that n blocks * hashes/second * 10 minutes of hashing power integral saw the transaction.
16:01 < petertodd> Hence proof-of-visibility.
16:15 < adam3us> petertodd: ok, and remind me what is the use case for proof of sacrifice; you mentioned pseudonym reputation (misbehave you lose the pseudonym & sacrifice cost) - anything else?
16:21 < petertodd> adam3us: You can use it as an alternative to PoW
16:21 < petertodd> adam3us: Anti-spam, or even constructing a whole blockchain.
16:23 < adam3us> petertodd: in the form discussed in this thread it is a payment to miners, the PoW uses would need a direct mined version?
16:24 < adam3us> petertodd: proof that i worked towards mining bitcoins for the benefit of miners, which may or may not have resulted in actual coins being created .. eg only 1 in 10000 would it succeed because of limited power
16:26 < petertodd> adam3us: What you are describing is proof-of-work towards a sacrifice; proof-of-sacrifice is more general than that.
16:26 < petertodd> adam3us: You don't need hashing power at all to make a sacrifice proof.
16:27 < adam3us> petertodd: correct, but u said could be used as a PoW - giving bitcoins to miners is like a charitable act
16:27 < adam3us> petertodd: i am not sure you can eg back an alt-coin in the PoW of giving bitcoins to miner charity?
16:28 < petertodd> adam3us: No, as an alternative to a PoW
16:28 < petertodd> adam3us: For instance you can make a consensus key-value system where consensus is achieved by looking for the highest sacrifice of Bitcoins rather than largest proof-of-work.
16:29 < adam3us> petertodd: oh ok, for the stated applications of anti-spam, pseudonym reputation; but you also said as a PoW for constructing a block chain?
16:29 < petertodd> adam3us: As a replacement for a PoW
16:30 < adam3us> petertodd: ok, msg crossed
16:30 < petertodd> What's good about sacrifice rather than proof-of-work is that often getting access to hashing power is hard or inconvenient; making it a sacrifice levels the playing field and simplifies things.
16:30 < adam3us> petertodd: however thats like us politics: one $ one vote - the outcome is biased in favor of the rich criminals?
16:31 < amiller> only if they get the $ after ward
16:31 < amiller> one $ one vote is actually pretty reasonable if you force them to pay
16:31 < amiller> i think its the best you can get
16:31 < amiller> sorry only if they don't* get the $ afterward
16:32 < petertodd> adam3us: Meh, it's the best we have in a decentralized digital system.
16:32 < amiller> if it were actually one $ one vote it would drive out all the richest people who enjoy higher gain investments elsewhere
16:32 < adam3us> petertodd: this sounds a bit like your pay to replace idea: the tx with the highest fee (or fee commit) is going to win period
16:33 < petertodd> adam3us: Well yeah, again, it's a decentralized digital system; there are no alternatives.
16:33 < petertodd> adam3us: It's not like we can have a little AI that evaluates original topical poems as the work function.
16:34 < adam3us> wait wait: if the consensus is in terms of which transaction is considered first (like bitcoin), then one $ one vote is not so good eh?  wait for user to accept payment, take goods, outpay their fee to pay to self and override your own previous transaction?
16:34 < petertodd> As always, zero-conf is insecure; wait for sufficient confirmations.
16:35 < Luke-Jr> adam3us: on the other hand, the merchant can screw the scammer by putting 100% of the coins into fee
16:36 < petertodd> (It's interesting to note how proof-of-captcha would be possible if only you could make a captcha whose answer you provably didn't know in advance)
16:36 < Luke-Jr> petertodd: you'd also need to make a captcha that works
16:36 < amiller> one $ one vote is best attainable because if you assume a $ is power incarnate that can purchase anything, which is what money is, then you can literally buy people with it and there isn't really anything that can be done about that
16:36 < petertodd> Luke-Jr: I said possible. :P
16:36 < Luke-Jr> these days I have to try them like 5 times, and the people trying to automate it just hire slaves
16:37 < petertodd> Luke-Jr: Well, slaves is still involving people... actually with a TPM proof-of-captcha would be possible trivially.
16:37 < gmaxwell> yea, I really wish there were some addon that used the commercial captcha solving services. The spammers have driven the captcha prices pretty low.
16:37 < petertodd> gmaxwell: lol!
16:37 < amiller> if you have a tpm then you just use the tpm for all your money and a captcha isn't necessary
16:37 < amiller> you just mean a tpm
16:37 < adam3us> i think the problem with $ for voting is while mining hardware & electricity costs $ also, actual $ is completely elastic supply
16:38 < petertodd> amiller: You might still want proof-of-human though - it might not be a currency we're using this for.
16:38 < adam3us> so it hard to build a fair consensus based on biggest fee wins?
16:38 < petertodd> adam3us: Right, which is why s/$/BTC/...
16:38 < amiller> proof-of-human is nonsense too tbh, what are we gonna do when we have to economize with the hivemind slime mold creatures in space
16:38 < adam3us> yes but i can buy btc for $
16:38 < petertodd> adam3us: No it's trivial for some definition of "fair"
16:39 < petertodd> adam3us: Irrelevant, inflating the $ supply just makes the BTC more expensive.
16:39 < adam3us> petertodd: the other thing is i think the scammer has more incentive to pay stupidly high fees than real users and real merchants, so the scammer always wins
16:41 < gmaxwell> adam3us: as luke pointed out before, if the merchant is aware of that he can 100% fee in response and so the scammer never wins in that world.
16:41 < adam3us> the other thing is bitcoin consensus is not just saying which tx happened first out of a double-spend set, it is also validating transactions add up
16:42 < adam3us> so how would this work: collect a block of txs, validate them, and attach a fee if you care about a tx in there
16:43 < petertodd> adam3us: All this is silly, just don't accept zero-conf and you're fine.
16:43 < petertodd> adam3us: Or trust in the scorched earth policy that makes scamming useless.
16:43 < petertodd> adam3us: There are *so* many ways to double-spend...
16:43 < adam3us> petertodd: ok no zero-conf, still how does it work
16:44 < adam3us> fee is a signature on the fee tx and the block
16:44 < adam3us> and person who pays biggest fee wins? .. that'll presumably be the guy with the biggest tx ... eg guy who just bought a house
16:45 < petertodd> adam3us: wins what?
16:45 < adam3us> no one accept the fee-signed block to build on unless they agree there are no double spends in it
16:45 < adam3us> (is considered valid vs competing block signatures?)
16:46 < petertodd> Huh? The definition of a block is that there can be no double-spends in it.
16:46 < adam3us> well relative to previous blocks too
16:47 < petertodd> The definition is also that it can't double-spend previous blocks.
16:48 < adam3us> yes and that fact is validated by full nodes is all i mean
16:48 < petertodd> I don't get where you are going with this...
16:50 < adam3us> just thinking aloud seeing where it goes (using Po sacrifice in place of PoW) strangely it seems to sort of work?
16:51 < petertodd> ah, you mean if you had a cryptocurrency whose block ordering was chosen by PoS
16:52 < adam3us> yep
16:53 < adam3us> i think the problem will come with splits: if some part of the network creates conflicting transactions that are not broadcast until later
16:53 < adam3us> the bitcoin resolution protocol no longer works , instead there will be a bidding war to win, rather than a CPU race
16:54 < adam3us> (even after say 3 blocks where some users may have locally accepted the transaction)
19:21 < jtimon> sipa: I get your point, sometimes just trust-less is enough
19:22 < jtimon> maaku: why do you think strong typing would be better? the little I read about joy sounded very good
19:23 < maaku> jtimon: enforced strong typing is less likely to result in consensus bugs
19:23 < jtimon> like if I could even like the language and all
19:24 < petertodd> maaku: are you thinking of including those languages as libraries or what?
19:24 < jtimon> I see
19:24 < jtimon> replacing the current scripting I think
19:24 < maaku> petertodd: currently hypothetical replacements for script
19:24 < sipa> any reason why you'd use a stack-based language, and not something ast-based?
19:25 < sipa> (i've been following about 1% of the discussions here the past weeks, i've certainly missed a lot)
19:25 < jrmithdobbs> rust txn scripts please!
19:25 < jrmithdobbs> ;p
19:25 < petertodd> maaku: right, because I was going to say, I think you're much more likely to avoid consensus bugs by just making the underlying opcodes/interpreter simple - screw what actual language you end up with
19:26 < petertodd> maaku: strong typing means you have types, and types themselves are a bunch of code with potential consensus failures
19:26 < maaku> sipa: it'd be (relatively) easy to transition from script to some other Forth-like language - essentially just write a translator between the two
19:26 < maaku> and it's nice that, like LISP, the syntax is simple enough that you can code directly and don't really need a compiler
19:27 < sipa> you can do the same for an AST like language
19:27 < sipa> well, in one direction at least
19:27 < sipa> and i'm sure it's much closer to the domain we're representing
19:28 < jtimon> maaku weren't there more reasons to choose a concatenative lang ? http://en.wikipedia.org/wiki/Concatenative_programming_language
19:28 < petertodd> sipa: I think the big question is do you need the self-modifying code that forth makes possible?
19:28 < petertodd> sipa: for quines it's certainly useful
19:28 < sipa> quines? what do you need that for
19:29 < maaku> sipa: covenants
19:29 < sipa> another thing i need to read... :'(
19:29 < petertodd> sipa: IE things like SPV-verifiable colored coins
19:29 < petertodd> sipa: write a script that forces the transaction spending it to have a certain form, propagating the colored coin definition like a virus
19:30 < jtimon> basically, forcing the outputs of the next transaction to have certain code in their scripts
19:30 < jtimon> well, maybe only some of the outputs
19:30 < maaku> and Forth-like languages are really good for this sort of thing, although not required
19:30 < sipa> right
19:31 < maaku> since you basically just have to test the prefix of the output script
19:31 < petertodd> also, merklized abstract syntax tree schemes *are* very forth compatible, even the self-modifying quine versions
19:31 < jtimon> actually petertodd the colored coins example was confusing to me because of regular colored coins and freimarkets
19:31 < petertodd> forth is just symbol tables, and symbols can just as equally be merkle hashes
19:32 < maaku> petertodd: re simplicity, that's why i'm looking at Joy/Cat. it's basically two dozen or so combinators + builtins
19:32 < maaku> and a syntax that is even simpler than LISP
19:33 < petertodd> maaku: incidentally, keep in mind that as complex as these sharded blockchain ideas are, they can also make these computationally intensive consensus schemes more viable by spreading the computation and space across more miners
19:33 < jrmithdobbs> forth has seemed like the obvious choice since i first saw the script ... first thing to come to mind was "why isn't that forth"
19:33 < petertodd> maaku: syntax has nothing to do with what goes in the chain necessarily... :)
19:34 < petertodd> jrmithdobbs: because satoshi didn't want a complex symbol table!
19:34 < petertodd> jrmithdobbs: script is even *simpler* than forth
19:34 < jrmithdobbs> petertodd: i know
19:34 < jrmithdobbs> petertodd: but forth is such a great fit for this use case ;p
19:34 < maaku> jtimon: yes i don't think the colored coin example is good for explaining the purpose, but IOU with a buy-back option is a good succinct example
19:35 < petertodd> jrmithdobbs: agreed
19:35 < maaku> i don't think satoshi realized that you could prefix an execution counter to the scriptSig to solve most of the turing-complete worries
19:36 < gmaxwell> sipa: petertodd pointed out that you can make colored coins where the network tracks the color for you by using a covenant scriptpubkey that basicially handles the task of making the network track which coin is colored.
19:36 < gmaxwell> maaku: I don't think a counter is sufficient for resolving "worries"
19:36 < petertodd> maaku: I'm sure he did, and thought of additional issues
19:36 < maaku> gmaxwell: i think the DoS preventions I mentioned in the scrollback solves the remaining worries
19:36 < maaku> is there something I'm missing?
19:36 < petertodd> maaku: though then again, counting sigops in un-executed scriptPubKeys was a damn stupid idea
19:37 < jrmithdobbs> petertodd: ya i was going to say, i think you're inferring too much credit there
19:37 < jrmithdobbs> s/in/con/
19:37 < petertodd> jrmithdobbs: indeed
19:38 < sipa> i don't think satoshi considered several of his changes (disabling opcodes, limited block size, counting sigops) as hard rules, just temporary anti-dos measures
19:38 < petertodd> maaku: the DoS preventions work even better when you do per-tx PoW schemes
19:38 < gmaxwell> maaku: engineering ones, like operation counting bugs creeping in when people implement faster execution engines, or sandbox escape when people implement faster execution engines.
19:39 < jtimon> petertodd how don't you hardcode the per-tx pow?
19:39 < petertodd> gmaxwell: the latter problem isn't specific to execution counters, heck, even the former isn't totally
19:39 < jrmithdobbs> gmaxwell: or emulating some other form of state/etc through some other trickery that would hurt everyone's head
19:39 < petertodd> jtimon: why would it be hardcoded?
19:39 < jrmithdobbs> gmaxwell: those are the really scarey ones imho
19:39 < maaku> gmaxwell: yes, well that's why I'd prefer a simple language with a minimal number of primitives and implementation complexity ...
19:39 < gmaxwell> petertodd: no but IP counting is actually much harder when you've implemented a tracing JIT.
19:40 < maaku> i think you could implement Joy/Cat with the same or fewer lines of code as current bitcoin script
19:40 < gmaxwell> (A significant fraction of all code execution bugs in firefox have been in the JITs)
19:40 < jtimon> patertodd is just the simplest scheme that comes to mind, just want to know what you had in yours, what's your diff filter?
19:40 < petertodd> gmaxwell: well, that's an argument against sophisticated scripting in general too...
19:40 < jtimon> /pater/peter
19:40 < gmaxwell> maaku: right but when people actually use it there will be a lot of pressure to replace it with a JIT. And a lot of room for bugs resulting in sandbox escapes and instruction counting glitches.
19:41 < petertodd> jtimon: well, *absolutely* simpliest is to say a block has a single tx in it :)
19:41 < gmaxwell> petertodd: it is, indeed. but a JIT for a non-turing complete language is FAR easier to make safe. Esp since it can work with dumb template matching much of the time.
19:42 < jtimon> I thought it was per-tx pow apart from block pow, the thing I'm more confortable with are "optional pow fees"
19:43 < petertodd> gmaxwell: that's nice, but it all comes down to "is programming scripts easy enough and fast enough to be practical?" especially when we're talking things like covenants
19:43 < jrmithdobbs> gmaxwell: is replacing the script being seriously considered or just a toy conversation?
19:43 < petertodd> jtimon: I think it makes most sense when the only pow is in tx's, although exactly what that'd look like is an interesting question
19:44 < sipa> jrmithdobbs: even gavin has mentioned it (though i'm sure he's thinking about much less exotic changes)
19:44 < maaku> jrmithdobbs: jtimon and I are seriously considering it in the context of trying it out on an altchain (freicoin)
19:45 < petertodd> maaku: and it's on my list of things that I need to research for MSC
19:45 < gmaxwell> jrmithdobbs: most of this is speculative conversation. The thing I'd want to replace it with isn't yet realistic to deploy.
19:45 < maaku> although given all the other more important stuff on our plate, it's still a very hypothetical conversation
19:45 < jrmithdobbs> gmaxwell: which is?
19:46 < jtimon> with covenants we could replace some freimarkets stuff and already have a use case that was actually a missing piece for p2p lending
19:46 < petertodd> maaku: well, for me it's a top priority
19:46 < sipa> if i was asked today to write a script language for bitcoin, i think it'd be an AST with slightly lower level crypto operations than bitcoin has now
19:46 < gmaxwell> using some form of ZK-SNARK instead of doing fancy things directly. (I'd still be in favor of improving things generally, e.g. M-AST)
19:46 < petertodd> sipa: mostly agree there, what's interesting is what types of data would that script have access too?
19:47 < sipa> i don't think byte arrays as data type is such a bad idea
19:48 < jtimon> gmaxwell sipa will an AST really be simpler for script coders?
19:48 < gmaxwell> (since I don't think it ever would make sense to use a SNARK to accomplish a 'simple'  (X and Y) or ((X or Y) and 2of3(Q,R,Z)).
19:48 < jrmithdobbs> jtimon: huh? of course it would
19:48 < maaku> gmaxwell: the SNARK would still have a language it understands though, right? (e.g. tinyram)
19:49 < gmaxwell> maaku: no. What I'd do is just implement a generic snark validation, and providing the snark verification key in the transaction.
01:39 < warren> (scrypt.  diablo was fine)
01:39 <@gmaxwell> I know it's never especially fast, but I'm thinking more like 100ms.
01:39 < Diablo-D3> intensity in cgminer and shit is the opposite
01:39 < Diablo-D3> -f 1 is higher than -f 60
01:39 <@gmaxwell> stupid driver/gpu turnaround sucks.
01:39 < Diablo-D3> gmaxwell: 100ms? no
01:39 < Diablo-D3> if you're using -f 60 in DM its 16.6ms
01:39 < Diablo-D3> I use -f 120 to preserve desktop performance, so its 8ms
01:40 <@gmaxwell> I suppose this might be a reason to implement share merging.
01:40 < Diablo-D3> gmaxwell: well
01:40 < warren> gmaxwell: what is that?
01:40 < Diablo-D3> thats why I was asking about multiple heads
01:40 < Diablo-D3> warren: more bullshit tx in the block that say "hey remember my share on that other chain? thats mine too"
01:41 <@gmaxwell> warren: say you have multiple ties for the last share on the same best chain you are mining. You make a new share that has all of those shares as parents. You are incentivized to do this because your chain is longer by including them.
01:41 <@gmaxwell> warren: this hides the latency.
01:41 <@gmaxwell> Too much latency hiding is bad because then p2pool would overpay overly latent miners.
01:41 < Diablo-D3> gmaxwell: well wait, why do it that way and not my way
01:42 <@gmaxwell> Diablo-D3: the history must be unique.
01:42 < warren> either of these ways would multiply the amount of p2p traffic
01:42 < Diablo-D3> yeah, but it makes dead chains merged into the main chain
01:42 <@gmaxwell> Diablo-D3: otherwise you mine a long chain that only pays you.. then you merge it in....
01:42 < Diablo-D3> warren: no it wouldnt
01:42 < jgarzik> Woah!
01:42 < jgarzik> A halpost
01:42 < Diablo-D3> gmaxwell: yeah, and then that means nothing
01:42 < jgarzik> https://bitcointalk.org/index.php?topic=154290.0
01:43 <@gmaxwell> warren: no because the difficulty control algorithm still counts the extra shares.
01:43 < warren> ooh, ok.
01:43 < Diablo-D3> jgarzik: woah, haven't seen him for awhile
01:43 <@gmaxwell> warren: so the difficulty just goes up and the total number of shares stays the same.
01:43 < Diablo-D3> gmaxwell: yeah, but difficulty would count shares in my system
01:43 <@gmaxwell> 22:42 <@gmaxwell> Diablo-D3: otherwise you mine a long chain that only pays you.. then you merge it in....
01:43 < Diablo-D3> gmaxwell: yeah and that doesnt DO anything
01:43 <@gmaxwell> ...
01:43 <@gmaxwell> die
01:43 < Diablo-D3> it just means you get paid a lot for the next few blocks
01:44 < Diablo-D3> for work you already have and are credited for
01:44 <@gmaxwell> FOR WORK YOU WERE SELFISHLY DOING ONLY FOR YOURSELF.
01:44 < warren> gmaxwell: hmm, that's pretty good.
01:44 < Diablo-D3> gmaxwell: not really
01:44 <@gmaxwell> GOD THIS IS NOT ROCKET SCIENCE DIE DIE DIE
01:44 < Diablo-D3> you cant ...
01:44 < Diablo-D3> oh
01:44 <@gmaxwell> :P
01:44 < Diablo-D3> gmaxwell: was your guy withholding bitcoin blocks too?
01:44 < Diablo-D3> because thats a dick move
01:45 <@gmaxwell> Diablo-D3: he's only trying to mine blocks that pay him so p2pool should not credit him.
01:45 < Diablo-D3> thats bad
01:45 < Diablo-D3> because I just realized
01:45 <@gmaxwell> You never want to pay people who were mining a different history than you.
01:45 < Diablo-D3> lets say I hack my p2pool variant to do that
01:45 < Diablo-D3> I mine myself until I get 25btc in credit
01:45 <@gmaxwell> Diablo-D3: if you do its no problem, other p2pool miners will not pay you.
01:45 < Diablo-D3> then merge my chain
01:45 < Diablo-D3> every time I dont get a block
01:45 <@gmaxwell> Right. Thats why your idea was a nonstarter.
01:45 < Diablo-D3> but if I DO get a block
01:46 < Diablo-D3> I get to keep the 25btc
01:46 < Diablo-D3> and I obviously had less than 25btc in credit at that point
01:46 < Diablo-D3> gmaxwell: could have a maximum length of merging
01:46 < Diablo-D3> you merge a share, but it ignores further merges
01:46 <@gmaxwell> yes, which was why I suggested 1. :P thats sufficient to hide ~10 seconds of latency.
01:46 <@gmaxwell> Hide more than that and you overpay latent miners.
01:46 < warren> how much should it hide?
01:47 < Diablo-D3> gmaxwell: yeah, then your and my technique are identical
01:47 <@gmaxwell> warren: it's a tradeoff with overpaying people who are late enough that it impacts bitcoin returns.
01:47 < Diablo-D3> gmaxwell: and this could be done automatically, ALWAYS name your previous share
01:47 < Diablo-D3> gmaxwell: even if its in your chain
01:47 < warren> I haven't had shell access to remote nodes, so I haven't been able to measure typical share propagation latency.
01:48 < Diablo-D3> and use a bloom filter or whatever to select for uniqueness when paying
01:48 < warren> On my own nodes I sometimes see gaps of 40 seconds during those unlucky times when good peers don't like me.
01:48 < Diablo-D3> gmaxwell: this could be used for main chain signaling too
01:48 < Diablo-D3> gmaxwell: like "ignore all shares on that chain because it just merged into ours"
01:48 < Diablo-D3> so dead heads are trimmed early
01:50 < warren> I wasted a lot of time fiddling with p2pool when I don't own hashing hardware.
01:50 < Diablo-D3> warren: you were port forwarding p2pool's port, right?
01:50 < warren> Diablo-D3: no
01:50 < Diablo-D3> warren: you really should
01:50 < Diablo-D3> p2pool sorta punishes you for that
01:51 < warren> Diablo-D3: oh wait, not port forwarding per se, I have a IPv4 address.
01:51 < Diablo-D3> yeah so?
01:51 < warren> Diablo-D3: it punishes you?  where in the code?
01:51 < Diablo-D3> not in the code
01:51 < Diablo-D3> you're just limiting your ability to connect to other nodes
01:51 < Diablo-D3> there are good nodes behind NAT without their ports forwarded
01:52 < Diablo-D3> so you cant connect to them, they can only connect to you
01:52 < Diablo-D3> and if you dont have your port forwarded, they cant connect to you
01:52 < warren> Diablo-D3: oh.  that.  I know.  Sometimes I have 5 nodes running.
01:52 < warren> Diablo-D3: I found the good nodes who don't port forward and blocked incoming connections from nodes that were measured as consistently bad for 24 hours.
01:53 < warren> Diablo-D3: you can make it a little better by manually trimming useless peers so your connections try others
01:54 <@gmaxwell> I wonder if p2pool share delivery would actually be a serious application for network coding.
01:54 < Diablo-D3> gmaxwell: I think so
01:54 < Diablo-D3> but Im going to have to think about this problem for awhile
01:54 <@gmaxwell> Diablo-D3: do you even know what network coding is?
01:54 < Diablo-D3> gmaxwell: I think you're talking about a different kind
01:55 <@gmaxwell> https://en.wikipedia.org/wiki/Network_coding#Random_network_coding
01:55 < Diablo-D3> gmaxwell: I was thinking in the utorrent bandwidth flooding protection sense
01:56 < Diablo-D3> https://en.wikipedia.org/wiki/Avalanche_filesystem
01:56 < Diablo-D3> THAT looks interesting
01:57 < egecko> except for that whole part about microsoft being involved
01:57 < warren> Diablo-D3: I have code to automatically trim bad peers, and move the good peers to the front of a queue, both with a random bias.
01:57 < Diablo-D3> egecko: yeah, but ideas exist to be stolen
01:57 < warren> I'm not certain this would be good for all clients though.  It may exacerbate the good peer collusion.
01:57 < Diablo-D3> warren: I would have done that anyways based on latency of response
01:57  * jgarzik grins
01:57 < jgarzik> warren: You are wholly and completely sucked into bitcoin algorithm cool-ness at this point, aren't you?  :)
01:58 < warren> jgarzik: =(
01:58 < Diablo-D3> lol
01:58 < Diablo-D3> gmaxwell: well, I think an optimum network would prioritize peers that have the farthest latency
01:58 < Diablo-D3> gmaxwell: before nearest
01:59 < Diablo-D3> so its less likely for you to have chain forks
01:59 < warren> Diablo-D3: it's hard to enforce that though
01:59 < Diablo-D3> warren: enforcing isnt the issue
01:59 < Diablo-D3> detecting it is
01:59 < warren> how the heck would you detect that?
01:59 < Diablo-D3> the utorrent method work similarly
01:59 < Diablo-D3> warren: ping as part of the protocol
01:59 < warren> ping *is* part of this protocol, I think.
01:59 < warren> TCP ping
02:00 < Diablo-D3> utorrent's bandwidth auto-sizing thing works like this
02:00 < Diablo-D3> you're over UDP
02:00 < Diablo-D3> if you start getting high packet loss overall, throttle back
02:00 < Diablo-D3> if peers are taking absurd times to respond, throttle back
02:01 < Diablo-D3> utorrent selects to prioritize peers that have less latency (which implies closer and more bandwidth)
02:01 < Diablo-D3> my way would do all of that, but select for FARTHEST peers
02:01 < warren> gmaxwell: I mainly gave up on p2pool for now because I need to finish my thesis and I couldn't figure out what the hell is wrong with stratum.
02:01 < Diablo-D3> and to throttle back, I just repeat shares to less peers
02:01 < Diablo-D3> warren: 2 bytes is whats wrong with stratum
02:02 < Diablo-D3> warren: and its an upstream bug in cgminer which was already fixed
02:02 < warren> huh?  I've been using cgminer git.
02:03 < warren> Diablo-D3: which commit?
02:03 < Diablo-D3> warren: dunno
02:03 < Diablo-D3> forrest fixed it in p2pool until avalon gets their shit together
02:03 < warren> Diablo-D3: how long ago?
02:04 < warren> Diablo-D3: i've been using git of both cgminer and p2pool
02:04 < Diablo-D3> huh not sure
02:05 < Diablo-D3> I swear I saw the commit for it
02:05 < Diablo-D3> but its not in my copy of the repo and my repo is up to date
02:05 < Diablo-D3> warren: ask forrest
02:05 < warren> Diablo-D3: as of a week ago, forrest and conman were blaming each other for this.
02:06 < Diablo-D3> they had differing interpretations of the spec
02:06 < Diablo-D3> con expected 4 bytes for the stratum nonce, forrest was sending 2
15:52 < BlueMatt> but make the connection logic such that you only connect to "that" network if you are bootstrapping
15:53 < petertodd> BlueMatt: I don't think any of them had heard of me before actually, they were just listening to the tradeoffs between bandwidth and decentralization and anonymity, like it or not, you can't mine large blocks anonymously, that's just life
15:53 < BlueMatt> um...no?
15:53 < BlueMatt> thats just not true
15:53 < gmaxwell> BlueMatt: yea, thats not crazy I suppose.. but really that can just be the same p2p network and differentiation with service bits.
15:53 < petertodd> BlueMatt: so how are you going to do that?
15:53 < BlueMatt> you cant mine at all without serious cash, and with that you can mine anonymously...
15:54 < petertodd> BlueMatt: that's completely wrong and you know it, the cheapest ASIC miners are just a few hundred dollars of investment
15:54 < BlueMatt> gmaxwell: well getting connected would be tricky...
15:54 < petertodd> BlueMatt: and $/GH scales linearly, with slightly better MH for lower $'s
15:55 < BlueMatt> petertodd: and the cheapest of asics will do absolutely nothing within a year
15:55 < petertodd> BlueMatt: and after a year, the cheapest asics will still be cheap!
15:55 < petertodd> BlueMatt: that's just how silicon mfg works
15:55 < BlueMatt> and do nothing...
15:55 < BlueMatt> yes, as long as it is cheap and available it will be worthless for reasonable mining
15:56 < gmaxwell> BlueMatt: whats reasonable mean? I mean, my office is full of people who gpu mine... quite profitably now at the moment.
15:56 < petertodd> BlueMatt: individually they do nothing, thousands of them together make for a huge and extremely difficult to censor chunk of hashing power
15:56 < BlueMatt> gmaxwell: yes, because supply is...impoxxible
15:56 < BlueMatt> oh, you said gpu
15:56 < gmaxwell> Of GPUS?!?!?!
15:56 < BlueMatt> meh, whatever
15:56 < gmaxwell> right!
15:57 < gmaxwell> Your discussion feels like a tangent in any case. I think you'd disagree less if you had a nice conversation instead of a debate. :)
15:57 < petertodd> ASIC supply *will* be reasonable in the future, it's just IC mfg, you might as well assume Intel CPU's will be impossible to get because they're hard to make
15:57 < gmaxwell> petertodd: bluematt argues that so long as mining is very profitably supply will tend to zero because people will snaft them up.
15:57 < BlueMatt> petertodd: and even if it is, bandwidth continues to increase
15:58 < BlueMatt> petertodd: I do not argue that we shouldn't increase block size to 10GB/10 minutes
15:58 < BlueMatt> petertodd: but that video drastically overstates the consequences
15:58 < petertodd> Huh? That's crazy. So what if "supply" tends to zero, the question is what is the barrier to entry to buy.
15:59 < petertodd> The barrier to entry is one ASIC chip, and $/GH scales very nicely
15:59 < gmaxwell> I think debating supply is silly however... because very distributed small scale mining is still fine. It doesn't really matter how much each person earns so long as they do it.
15:59 < gmaxwell> so forget that argument.
15:59 < petertodd> gmaxwell: +1
15:59 < gmaxwell> and realize that BlueMatt and you actually agree. (see his last comment)
15:59 < gmaxwell> you just perhaps disagree on the number and how you determine it.
15:59 < petertodd> Right, but small scale *hashing* is useless, only small scale *mining* matters.
16:00 < gmaxwell> Fortunately we have a plan of attack to convert more small scale hashing into small scale mining.
16:00 < gmaxwell> (one which sounds very viable, and now has a bunch of people basically on board for it)
16:01 < petertodd> Yup, but the plan fails if you raise the blocksize above what people can process, which is all the more reason to do it as fast as possible.
16:01 < BlueMatt> petertodd: me being upset with that page has nothing to do with your fundamental argument, Im just incredibly pissed that you would do such a video that so far overstates the consequences of a few mb increase
16:02 < zooko> gmaxwell: quick pointer to that plan for small-scale-mining?
16:02 < petertodd> Well, that you assume the video was talking about a few mb increase is a big problem. It was talking about what happens to Bitcoin if we go the on-chain route for everything, and in the long run as Bitcoin scales to the whole world.
16:02 < BlueMatt> its clearly designed as a simple scare video
16:03 < zooko> Hey, do you folks mind if I invite Adam Back to this channel?
16:03 < petertodd> zooko: yes, he's smarter than me :P
16:03  * zooko laughs.
16:03 < zooko> me too
16:03 < BlueMatt> petertodd: then you are very confused about how that video actually came across
16:04 < gmaxwell> The channel is not technically a secret. Just not promoted to keep the noise down. Invite anyone who would find the conversation interesting.
16:04 < zooko> gmaxwell: cool
16:04 < BlueMatt> petertodd: also, the idea that you want people to start standing up and emailing pools and everything to get them to publicly post that they "disagree with any blockchain increase" is just not cool
16:05 < petertodd> BlueMatt: Alright, look at it this way, if Bitcoin gets to the point where we need 1GB blocks soon, do you think what the video says makes sense?
16:05 < warren> petertodd: curious, the text doesn't mention spam or dust at all?
16:05 < petertodd> BlueMatt: In the next few years disagreeing with any blockchain increase makes sense because tech just won't have changed much.
16:05 < gmaxwell> zooko: The plan is to integrate modern mining support with bitcoind... provide some good UI that makes it interesting.. AND provide a mode where user configured pools provide only the coinbase transaction, but the local node provides everything else. This way the pool pools only the payouts, not the network consensus. (there are a bunch of details, but this is the high level goal)
16:05 < BlueMatt> petertodd: wait, WAT?
16:05 < petertodd> warren: Oh in the site? Yeah, I need to add that stuff.
16:06 < zooko> gmaxwell: huh, interesting!
16:06 < BlueMatt> petertodd: the tech is chaining (as in power to process stuff and bandwidth availability)
16:06 < zooko> gmaxwell: I very much value decentralizing mining.
16:06 < petertodd> BlueMatt: My train of thought is mining must be possible anonymously and on a small scale, and I know damn well that it'd take at least 5 more years until anonymous bandwidth availability is even close to improving enough to consider an increase.
16:06 < BlueMatt> petertodd: and there is no question that by the point we have /that/ many txn something will have to go off-chain
16:06 < gmaxwell> BlueMatt: The answer you should make to petertodd is to _demonstrate_ the tech can handle whatever block sizes you think it should.. keep in mind that until a few months ago we couldn't handle >500k safely and didn't even know it. :( So regardless of your views, doing that will be super useful.
16:07 < petertodd> BlueMatt: Anonymous bandwidth availability has *very* little to do with tech and everything to do with politics.
16:07 < BlueMatt> gmaxwell: because I have time for that?
16:07 < BlueMatt> oh god
16:07 < gmaxwell> BlueMatt: I didn't mean you personally at least not right now.
16:07 < sipa> i'm getting complaints from a pool operator that GBT is taking 10s since very recently
16:07 < BlueMatt> petertodd: its not a question of being able to mine over tor
16:07 < BlueMatt> you wont ever be able to do that reasonably
16:08 < gmaxwell> sipa: yea, its due to correct horse stapler battery spatular nunchuck
16:08 < BlueMatt> sipa: Ive hear that a lot
16:08 < gmaxwell> sipa: the workaround is to run 0.8.2 for obvious reasons.
16:08 < petertodd> BlueMatt: And not being able to do that is unacceptable.
16:08 < BlueMatt> petertodd: no, its the ability to mine from wherever over your connection in $RANDOM_COUNTRY
16:08 < BlueMatt> you cant mine over tor now
16:08 < gmaxwell> petertodd: you guys should stop arguing and look at the points you agree over. There is substantial agreement.
16:08 < BlueMatt> and you wont ever be able to
16:08 < BlueMatt> get over it
16:08 < gmaxwell> BlueMatt: I have mined many blocks over tor in the last month.
16:08 < gmaxwell> I have, in fact, yet to have an orphan.
16:08 < petertodd> sipa: Another correct horse tx got mined.
16:09 < BlueMatt> if I /need/ to mine anonymously, Ill go to uganda and set up shop there
16:09 < petertodd> gmaxwell: You gotta add "mined over tor" to your coinbase...
16:09 < gmaxwell> petertodd: convince someone else to first. :(
16:09 < petertodd> BlueMatt: I've told people about those options, and they see that as unacceptable.
16:09 < BlueMatt> the ability to mine over tor is /definitely/ not something we need to protect
16:09 < petertodd> gmaxwell: lol, true
16:09 < gmaxwell> In any case, I think that the tor argument is kinda a tangent or at least it's not my own priority.
16:10 < BlueMatt> the ability of any random user to mine /is/
16:10 < gmaxwell> I agree with bluematt there mostly, besides that difference is probably just some small constant factor in scale.
16:10 < BlueMatt> if we want to make sure users can mine over tor, why are we not working to ensure users can mine over dial up?
16:10 < petertodd> BlueMatt: Look, fundamentally you are happy with a less secure to censorship Bitcoin than I am. That's why it's a political, not technical, argument. We both agree on the technical aspects here, just on what the political implications are.
16:10 < BlueMatt> because there are a lot of people in repressive gov'ts who only have that
16:11 < BlueMatt> btw, tor isnt secure against censorship...
16:11 < gmaxwell> BlueMatt: because dialup is not a necessary condition of a repressive government, forcing people to dialup has a lot of coolateral damage.
16:11 < BlueMatt> its been done quite a bit...
16:11 < gmaxwell> collateral*
08:02 < warren> sipa: (I'm assuming the one-block attack from a hostile miner, as I suspect that's the easiest/cheapest attack to do. I could be wrong.)
12:13 < realazthat> hey fellas
12:13 < realazthat> any ideas for a bitcoin-based project?
12:14 < sipa> write a python script that implements blockexplorer-like website, by using bitcoind RPCs
12:14 < realazthat> heh I just wrote a python blockchain parser
12:15 < realazthat> is the API powerful enough to do that?
12:15 < sipa> not for address-based lookups
12:15 < sipa> but for pretty much everything, yes
12:15 < sipa> if you enable txindex
12:15 < realazthat> doesn't blockexplorer use a patch or somesuch
12:15 < sipa> blockexplorer was written when bitcoind was version 0.3.17 or so
12:16 < realazthat> ok
12:16 < realazthat> this sounds like a doable project
12:16 < realazthat> how useful would it be?
12:17 < sipa> i think a lot of people currently depend on blockexplorer-like sites for trivial queries that their own bitcoind could do
12:17 < sipa> but using the RPC interface isn't particularly user-friendly
12:18 < realazthat> so this would be a locally run site
12:18 < realazthat> ?
12:19 < sipa> yeah
12:19 < sipa> i'd very much like to see something like that in bitcoin's contrib/ directory
12:19 < realazthat> any ideas for a python website framework lib or somesuch to use
12:20 < realazthat> or to make it on raw sockets
12:20 < sipa> i don't know enough python for that, but for example p2pool has a very nice built-in stats page
12:20 < sipa> no idea how it's implemented though
12:20 < realazthat> ok, I'll do some research
12:21 < sipa> thanks!
13:01 < realazthat> ok so I think I wanna use something simplistic
13:01 < realazthat> not a whole framework
13:02 < realazthat> something like http://code.activestate.com/recipes/577047-bible-verse-quiz-servletpy/
13:03 < realazthat> I'll get started
13:04 < sipa> realazthat: awesome1
13:04 < sipa> realazthat: awesome!
13:04 < sipa> poke me if you need help
13:05 < realazthat> it will take some time, I need to get a bitcoind up and running
13:59 < realazthat> sipa: should I be using python-bitcoinrpc
14:02 < sipa> realazthat: i don't care :)
14:50 < HM> sipa: is "txindex" accepted in bitcoin.conf as well?
14:50 < HM> or anyone
14:50 < HM> txindex=1
14:55 < sipa> yes
14:56 < HM> i'm starting a fresh daemon, i don't want to download twice or rebuild
14:56 < HM> so just -daemon -txindex=1
14:56 < HM> or txindex=1 in .conf
14:56 < sipa> indeed
14:56 < sipa> or -txindex
14:57 < HM> cheers
15:04 < realazthat> oh cool I'll put it there
15:05 < realazthat> does bitcoind respond to rpc calls if its still downloading the chain?
15:07 < HM> seems to real
15:10 < realazthat> kk
15:13 < sipa> realazthat: there is no difference between downloading the chain and not
15:13 < sipa> as you're always trying to catch up
15:14 < realazthat> yeah i figured that; was just running into an error
15:14 < realazthat> turns out it was a 401 unauthorized
15:14 < sipa> some calls are disabled when the client is sure it's not done yet
15:14 < realazthat> the rpc lib didn't print anything though, it just errored
15:17 < realazthat> ok rpc is working
15:20 < HM> realazthat: you working on a web frontend?
15:20 < realazthat> yeah
15:21 < realazthat> block-explorer-like
15:21 < realazthat> but focused on locally run
15:29 < HM> that's not a bad idea generally
17:24 < realazthat> sipa: ok, gonna be afk for ~24 hrs
--- Log closed Sat Mar 30 00:00:12 2013
--- Log opened Sat Mar 30 00:00:12 2013
09:51 < HM> there's a discrepancy in the rpc implementation
09:51 < HM> HTTP not authorized returns HTTP/1.0
09:51 < HM> all the requests are HTTP/1.1
09:51 < HM> not that it really matters, since it's not a real http server
09:52 < HM> fixable though
20:45 < jrmithdobbs> why wont startcom issue me a cert with STOPUSINGTHEFUCKINGCNFORVALIDATION as the cn and proper subjectAltNames set?
20:45 < jrmithdobbs> damn it
20:46 < jrmithdobbs> wanted to try and break stuff using the public pki but need a ca who follows the letter and not the spirit ;p
23:37 < realazthat> sipa: ping
23:38 < sipa> pong
23:39 < realazthat> is there somewhere I can set this up so you can see the results
23:39 < realazthat> like a machine with bitcoind
23:39 < realazthat> (I'm just starting on the actual display of data)
23:43 < sipa> realazthat: post a screenshot? :)
23:43 < realazthat> well its just simple data for now
23:43 < realazthat> what features of blockexplorer do you want me to replicate
23:44 < realazthat> for now I started with the "Most recently mined blocks in the bitcoin block chain" table
23:44 < sipa> i think a block-view that lists transactions, and a transaction-view that shows inputs/outputs of a transaction would be nice
23:45 < realazthat> ok, I'll continue with that
23:48 < sipa> a block-view that needs to request all inputs of all transactions would be quite slow i think, so maybe have that optional
23:49 < realazthat> well it can link to them
23:49 < realazthat> hmm, I'll see how slow it is
23:49 < realazthat> it is indeed slow to do many requests atm, because I am dumping the i/o
23:50 < realazthat> but if I stop that, I'll see how fast/slow it is
23:50 < realazthat> if its a local bitcoind, it might not be so slow
23:50 < realazthat> if it isn't local, then yeah its prolly gonna be slow
23:50 < realazthat> I have my bitcoind running on a lan atm
23:51 < sipa> right, but to compute for example the fee of a transaction, you need its inputs
23:52 < realazthat> ah
23:52 < realazthat> so that multiplies the amount of things you need by a lot
23:53 < sipa> yes, that's why i'd suggest not computing that by default for a block
23:53 < sipa> but for example have a button "show fees and inputs"
23:53 < sipa> that fetches the expensive version
23:53 < realazthat> yeah ok, I'll see
23:53 < realazthat> lots of design wiggle room here, and I'm not 100% sure of the rpc API yet
23:54 < sipa> hmm?
23:54 < realazthat> for example,
23:54 < realazthat> I could cache that in a db
23:54 < sipa> i wouldn't do that; at least not initially
23:54 < realazthat> or, delay that field in the table, and have it fetched
23:54 < realazthat> yeah, I am trying to KISS
23:55 < realazthat> so if its hard, for now I'll just leave it out
23:55 < realazthat> wrt API, for example, I don't know how to compute block size
23:55 < realazthat> which is listed in the blockchain.info's table for last k blocks
23:56 < sipa> i wouldn't mind adding that to the getblock RPC call, if it isn't there already
23:56 < realazthat> also, did you notice, block 228851 took > 1hr to compute >OO<
23:56 < realazthat> is that common?
23:56 < sipa> yes
23:56 < realazthat> ok, a lottery with a lot of deviation :D
23:56 < sipa> standard deviation is 10 minutes
23:56 < sipa> but it's not normally distributed
23:57 < realazthat> ok
23:57 < realazthat> also, I am not gonna work on making it fancy at all for now
23:57 < realazthat> no CSS etc.
23:57 < sipa> ACK
23:57 < realazthat> just basically tables of data
--- Log closed Sun Mar 31 00:00:13 2013
--- Log opened Sun Mar 31 00:00:13 2013
00:08 < realazthat> sipa: are the block indices used by the API zero-based?
00:08 < realazthat> such that getblockcount() returns top index +1
00:10 < BlueMatt> isnt this more appropriate for #bitcoin-dev or #bitcoin ?
00:10 < sipa> yeah
00:10 < realazthat> er sorry
01:39 < realazthat> sipa: nvm I think I see a size field
06:38 < realazthat> sipa: ping
06:38 < realazthat> dunno what hours you keep haha
06:39 < realazthat> its 0630 here
06:39 < sipa> don't ask
06:40 < realazthat> lol same
06:40 < realazthat> ok I think I have something to show
06:40 < realazthat> shall I just put the code on github
06:40 < realazthat> and you can check it out yourself
14:53 < jgarzik> Random bitcoin wizards question:
14:54 < jgarzik> Is there any way to have a single bitcoin address, which may receive bitcoins, that is then _guaranteed_ to be divided up and distributed to a pre-specified list of bitcoin addresses?
14:55 < jgarzik> ie. the simple example is "donate to developer group"
14:55 < jgarzik> Clearly you can pay to a single P2SH hash...
14:56 < jgarzik> But what would a redeem script look like... that _split_ the funds?
14:56 < jgarzik> "Any-of-N may redeem" is easy, because the redeemer gets 100% of the funds.
14:56 < jgarzik> But it seems outside the scope/ability of bitcoin to split to the funds
14:56 < gmaxwell> Only e.g. by having a trusted (e.g. TPM) oracle that controls the private key.  Alternatively, you could make it a multisig of those people and then they have to agree on the split.
14:57 < jgarzik> Yeah, the best solution I could think of was a bot
14:57 < gmaxwell> But yea, script can't control output values.
14:57 < jgarzik> but not within plain ole bitcoin
14:57 < jgarzik> I need to research US state laws
14:58 < gmaxwell> if we had another address type we could specify an address that encoded N addresses to sendmany to, I suppose.
14:58 < jgarzik> I bet I could find a US state where an escrow bot would be legal
14:58 < jgarzik> nod, something like that
14:58 < gmaxwell> well, as I said, the bot could just be a TPM oracle it might not even know what bitcoin is.
14:59 < sipa> how about a payment request for such a sendmany?
14:59 < gmaxwell> If the bot is something like: trusted computing environment, you send it a script, it generates per-script private keys based on the hash of the script.. then it runs the script.  you could send it a script that teaches it how to sign transactions but only if they have the right outputs.
15:00 < gmaxwell> The operator of this thing wouldn't even know it was being used for 'escrow payments'. It's just generic infrastructure.
15:02 < gmaxwell> speaking of that, we got a 10 BTC donation to developers a while back that we should do something with.
15:02 < gmaxwell> (sent to a p2sh of our public keys)
15:24 < jrmithdobbs> dude
18:21 < adam3us> amiller: maybe you could do something with p2sh - if that gives you a way to hash a random value and a 0 or 1 bool
18:28 < warren> cfields: perhaps its time to submit the osx cross gitian as a PR?  Mark it "DO NOT COMMIT" at first.  More visibility for review?
18:29 < warren> cfields: although please add the equivalent of https://github.com/bitcoin/bitcoin/pull/3191
18:30 < gmaxwell> Note that gavin has had corruption on a newer toolchain, but very rarely. So perhaps _yet another bug_
18:31 < warren> gmaxwell: with the memory barrier patch?
18:31 < gmaxwell> warren: I am relatively confident that the issue in question doesn't exist in a sufficiently new toolchain.
18:32 < cfields> warren: i got the mac icon fixed...
18:32 < cfields> is it possible that's a regression since .8 branch?
18:32 < warren> cfields: possible, my Bitcoin 0.8 branch has stuff from master
18:32 < Ryan52> maaku, phantomcircuit: no, I just didn't realize moving to 8192 bits was a thing so soon.
18:33 < Ryan52> perhaps obsolete for new keys? or not even?
18:33 < warren> Ryan52: you need to edit the gnupg source and rebuild to be able to generate 8192 bit keys
18:34 < cfields> warren: http://pastebin.com/raw.php?i=DdNtY5ia
18:34 < sipa> what is moving to 8192 bits?
18:34 < Ryan52> warren: oh, wow, so you are just super future-proofed.
18:34 < Ryan52> sipa: gpg keys
18:34 < cfields> yea, that's a regression from the qt5 commit
18:34 < sipa> why not to ECC? :(
18:35 < warren> Ryan52: not really.  xkcd 538 is much easier.
18:35 < sipa> but with 8192 bit RSA, even xkcd 538 will be obsolete!
18:36 < warren> The cost of xkcd 538 cracking is constant at any bit length.
18:36 < warren> O(1)
18:36 < Ryan52> heh
--- Log closed Wed Nov 27 00:00:07 2013
--- Log opened Wed Nov 27 00:00:07 2013
--- Day changed Wed Nov 27 2013
01:19 < warren> http://www.pcworld.com/article/2067400/link-between-satoshi-bitcoin-account-and-the-silk-road-dissolves.html
01:19 < warren> jgarzik was quoted.
02:32 < phantomcircuit> 2013-11-27 07:24:42 ProcessMessages(ping, 0 bytes) : Exception 'CDataStream::read() : end of data' caught, normally caused by a message being shorter than its stated length
02:32 < phantomcircuit> 2013-11-27 07:24:42 ProcessMessage(ping, 0 bytes) FAILED
02:32 < phantomcircuit> what the dicks
02:32 < warren> phantomcircuit: there's an entire thread on this
02:33 < warren> phantomcircuit: I found one way to do that by accident too
02:35 < phantomcircuit> well anyways
02:35 < phantomcircuit> this servers connection slots are 100% used
02:35 < phantomcircuit> im going to restart with maxconnections=512
02:35 < warren> phantomcircuit: huh?  legit peers?
02:36 < warren> phantomcircuit: wait
02:36 < warren> phantomcircuit: what version of the client?
02:37 < phantomcircuit> master/HEAD
02:37 < phantomcircuit> appear to be legit peers
02:37 < warren> phantomcircuit: https://github.com/litecoin-project/bitcoinomg/commits/0.8.5-OMG5   Use this bitcoin branch.  Among other things it has some of the useful debug.log print stuff from master that tells you more information about peers in real-time.
02:37 < warren> oh
02:37 < warren> nm
02:52 < midnightmagic> Nice quote, Shamir: In his email, Shamir said Bitcoin enthusiasts do not like analyses that do "not fully support their beliefs." He also took a swipe at the media.
02:52 < midnightmagic> What an utter, utter jerk.
02:54 < phantomcircuit> lol seriously
02:54 < phantomcircuit> what a retard
03:26 < gmaxwell> Yes, we do not like analyses which do not support our belief in objective reality.
03:48 < BlueMatt> midnightmagic: coming from the guy who originally did an analysis of the "chain html"?
03:49 < BlueMatt> to be fair, no one likes analyses which do not support their own belief in reality...some are willing to accept them, others are fox news
04:07 < sipa> i'm sure the bitcoin community is full of people that don't like analyses that don't support their beliefs
04:08 < sipa> still doesn't mean you should go make claims that are trivially falsifiable with a google search
04:08 < gmaxwell> hah, yes indeed its true in a very empty sense. :) I've lamented the groupthink downvotes I get on reddit. :P
04:09 < warren> BlueMatt: to be fair, it's easy to believe whoever pays your paycheck
04:13 < gmaxwell> even when you think you're trying not to. :(
04:14 < warren> Just create an environment where a 24 hour news network and all your friends agree with you.
04:18 < BlueMatt> gmaxwell: human nature. it sucks.
04:18 < BlueMatt> warren: to be fair, i never said all the people there actually agree, just that they say things...
04:19 < warren> BlueMatt: I know, I was joking.
04:48 < Emcy> still complaining about that paper?
05:08 < _ingsoc> I didn't know about this place.
05:09 < mappum> one mention and 5 people join
05:09 < _ingsoc> xD
05:17 < mappum> gmaxwell: you were saying it's an issue that my PoW is outsourceable, i'm not sure that's actually a problem
05:17 < mappum> as long as the miner can serve the data when requested it's not broken
05:18 < mappum> and what is bad about cloud mining?
05:18 < gmaxwell> mappum: because it means there will only just be one copy of the data in the world at some big pool and thats it.
05:18 < warren> gmaxwell: I was really hoping more people wouldn't join here.
05:19 < petertodd> warren: we should fidelity-bond admission
05:19 < warren> or at least require showing a wizard diploma
05:20 < mappum> Hogwarts class of '11 here
05:20 < gmaxwell> warren: yea, well. It's people flooding #bitcoin-dev with talk about Proof-of-foo functions.
05:21 < gmaxwell> it's material for this channel, though indeed I like it quite in here too. :)
05:21 < petertodd> warren: proof-of-wizard
05:21 < warren> I read that as proof-of-poo
05:21 < warren> and that would have been better
05:21 < gmaxwell> mappum: in any case if you don't think thats a problem then ... maybe it's not.
05:21 < gmaxwell> though if your goal is to achieve good distribution of your data, then I'm afraid you may fail.
05:22 < swulf--> I have a solution I'll try to put up tonight that helps with distribution of data and separates miner/storage requirements
05:23 < swulf--> I have a strategy (I hope) that will incentivize as many people as possible to try and complete to claim the storage for data
05:23 < swulf--> compete*
05:23 < mappum> well part of this is a DHT, and if the work hash included the miner's DHT ID hash, i think it might fix it
05:25 < swulf--> I think a DHT of sorts is a requirement for any service like this
05:25 < gmaxwell> -EWANKDETECTED
05:25 < swulf--> gmaxwell: Yes, my apologies. But I am thoroughly excited about it;)
05:26 < mappum> me too :)
05:26 < warren> If you mention DHT your wizard license is automatically revoked.
05:26 < gmaxwell> nah not you.. sorry, like, I've developed a practice of reflexively ignoring anyone who says DHT. It's usually invoked by people who encounter a problem they don't understand and it really means "magical distributed thingy". Like early physicists invoking god when they encountered something they couldn't explain.
05:27 < Emcy> dht is a great technology though
05:27 < swulf--> I specifically mention using a kademlia network, where hashes of pubkeys are used as node-ids in the network and used to locate and store data.
05:27 < mappum> so you're saying they are magic... that means i'm a wizard?
05:27 < petertodd> mappum: around here wizards understand how their spells work
05:28 < mappum> i understand DHTs well enough
05:28 < petertodd> mappum: then you would know they don't hold up well to attack
05:28 < swulf--> petertodd: why?
05:28 < swulf--> distributed networks are all prone to attacks
05:29 < petertodd> swulf--: yes, which is the beauty of bitcoin systems where you ask very, very, little of the network
05:29 < mappum> i would think it holds up to attacks a lot more than anything that isn't distributed
05:29 < swulf--> petertodd: agreed. but I think in a paid-for kademlia net, you can sign messages saying you have a right to retrieve data.. should alleviate some DoS.
05:30 < mappum> so you mean attackers using a lot of resources? the thing i was talking about that would use that would be fine against that since it requires fees
05:30 < petertodd> mappum: you can play all kinds of games with DHT's, for instance manipulating hashes to cause biases in the key distribution
05:30 < petertodd> mappum: or sybil attacking part of the keyspace and then deleting the data
05:32 < petertodd> mappum: doesn't mean you can't fix this stuff, but in our experience people promoting DHT's don't realize the issues
05:32 < adam3us> kind of surprised at shamir - the guy is a crypto genius, to get suckered into co-authoring such a paper with unsupported claims.  about the best they could've said is the 'data doesnt disprove' until the guy stepped forward and provided more data that did disprove!
05:32 < mappum> good point, i'll have to think about that
05:33 < adam3us> dht's usually have extremely poor even non-hostile user characteristics, dht in a byzantine threat environment with real money on the line
05:33 < petertodd> adam3us: "suckered" depends on how much money he got...
05:35 < adam3us> yeah generally i heard he's a nice guy - i mean his profile is like rivest, but he doesnt even charge a fraction of what he could for review work.  he's done a ton of cutting edge crypto stuff, in many areas of it. secret sharing, fiat shamir transform, differential cryptanalysis the publication list is huge and usually cutting edge
05:35 < gmaxwell> yea, dht's basically appear to be unworkable in an adversarial environment.
05:36 < petertodd> adam3us: he could be simply naive, or not as sharp as he used to be
05:36 < mappum> don't they hold up well in BitTorrent?
05:36 < gmaxwell> petertodd: you are just young enough that the fact that intellect declines with age doesn't scare you shitless yet.
15:18 < petertodd> in practice for user acceptance you probably want to usually send it in the same or follow-up tx - we can't make this stuff have barriers to usage
15:19 < petertodd> also note that you can't guarantee two separate txs will get mined in any particular order other than by waiting, which users hate...
15:20 < petertodd> and more generally, re-orgs have some nasty traps with this - you probably want to rescan starting at least a dozen blocks behind when you learn of a new chaincode
15:21 < petertodd> I also have my suspicions that for wallets with a lot of keys the original scheme of a straight 1/n-th anonymity set might actually be more scalable - if you end up with 500 incoming payments, all from different people, now you've really got to scan for 500 chain codes + some number of extras; gets ugly quick
15:22 <@gmaxwell> adam3us: yea, but that address was used mostly for computation bragging, not convenience... I don't use it for convenience... but I don't disagree with the argument and even repeated it above.
15:22 < petertodd> this chaincode stuff has a lot of state too on the wallet side...
15:22 <@gmaxwell> I agree having more private one way addresses is good, but the question is how to prevent them from being generally awful to implement.
15:23 < petertodd> gmaxwell: well keep in mind the comparisons to bitcoin: we're using the blockchain as a communications channel, and you have an anonymity set of some fixed % of all traffic.
15:23 <@gmaxwell> oh you went on to say the same stuff, agreed.
15:23 < petertodd> *comparisons to bitmessage
15:24 < petertodd> see, one thing that might help is if you use the op-return ephemeral key as the selector as well, and then communicate a totally random nonce with that to generate a totally random address
15:25 < petertodd> even without fancy chaincodes, and putting the payment in the same tx, with coinjoin you've achieved a lot of your goal of non-linkability via that anonymity set
15:25 < petertodd> not all of it, but a lot
15:26 < petertodd> that does imply we have indexes of op-return scriptPubKeys on a per-block basis, but I have no objection to that
15:40 <@gmaxwell> andytoshi: so when is your coinjoiner going to go back on mainnet?
15:43 < andytoshi> gmaxwell: as soon as i get a SSL cert
15:43 < andytoshi> by end of day today, i didn't realize there was any demand :}
15:44 < andytoshi> actually, i can put it on mainnet now.. it'd just be non-https
15:44 <@gmaxwell> andytoshi: ah, yea, I'd like to try to get some people around #bitcoin-otc doing a weekly organized coinjoin
15:45 < andytoshi> cool, it's just sync'ing now
15:45 <@gmaxwell> andytoshi: as far as the cert goes.. startssl... if you have any problems lemme know and I'll help out.
15:45 < andytoshi> there was a power outage 36 hours ago
15:45 < andytoshi> cool, thx
15:52 < andytoshi> ok, i think in 15 minutes it'll switch to mainnet
15:52 < andytoshi> we'll be able to tell because the donation address will switch over
16:08 < michagogo|cloud> andytoshi: Will it also be tor-accessible?
16:08 < michagogo|cloud> (hidden service, I mean)
16:13 < andytoshi> michagogo|cloud: yeah, i'll set that up
16:14 < andytoshi> the whole testing.wpsoftware.net domain used to be a hidden service actually..i think i didn't set that up when i replaced the server last year tho
16:18 < HM2> i hate ASN1 with a passion
16:34 < kinlo> andytoshi: what's the url for your coinjoiner?
16:35 < andytoshi> http://testing.wpsoftware.net/coinjoin/
16:35 < andytoshi> it says testnet but it is not anymore
16:38 < adam3us> petertodd: "ommunicating a BIP32 chaincode is you make it so the 1/n-th anonymity set only applies to the fact that one of these exchanges was setup at all with a given recipient" yes well that just reveals someone anonymous setup  a payment association (chain code) to the identified recipient; doesnt say who did it.
16:48 < CodeShark> cool, andytoshi
16:49 < CodeShark> lol - 1ForFeesAndDonationsSpendHer
16:50 < CodeShark> I tried
16:50 < andytoshi> :P damn checksum..
16:59 < michagogo|cloud> andytoshi: s/Spend/Send/
16:59 < CodeShark> does it support multisignature transactions, andy?
16:59 < michagogo|cloud> one solution
17:00 < andytoshi> CodeShark: pretty sure, yes, it just validates it with bitcoind and my own coinjoin software
17:00 < andytoshi> and both of those are fine with it
17:00 < andytoshi> but to the best of my knowledge nobody has tested it
17:01 < CodeShark> I just did :)
17:01 < CodeShark> well, I submitted one
17:01 < andytoshi> oh, cool, i'll throw a tx in then to join you
17:05 < andytoshi> done
17:05 < andytoshi> thx gmaxwell for the 'force inputs to match outputs' idea, i almost screwed myself
17:05 < andytoshi> and donated too much to my own joiner..
17:06 < CodeShark> so now we wait for 10 minutes?
17:07 < andytoshi> yup
17:07 < andytoshi> i can speed it up by prodding around in the db, but i'd probably fat-finger it, sorry
17:08 < CodeShark> presumably if we had higher volume we could reduce the wait time :)
17:08 < andytoshi> yeah
17:08 < andytoshi> idk if we'll get higher volume, maaku for example is developing a joiner that does automatic negotiation, so users don't have to be fiddling with rawtx's
17:09 < andytoshi> but i suppose i could write a client for my thing too
17:09 < CodeShark> I'm speaking theoretically, of course - this specific implementation needn't be the one that ends up taking off
17:10 < CodeShark> has anyone figured out a solution that doesn't require a server?
17:14 < CodeShark> is there any cryptographic transform that is invertible and commutative?
17:15 < CodeShark> so that ABA^(-1)B^(-1) = Identity?
17:16 < CodeShark> and applying A and A^(-1) requires knowledge of a secret
17:17 < CodeShark> ok, time's up
17:17 < andytoshi> CodeShark: ok, there is a donation to 1ForFeesAndDonationsSpendHerdtWbWy still in there <.<
17:17 < andytoshi> sorry, i'll fix that..
17:17 < CodeShark> hehe
17:18 < CodeShark> we can donate 0.000025 to the vacuum of space :)
17:20 < CodeShark> hmm, we're donating 0.00005 to the vacuum of space, it looks like
17:21 < andytoshi> yeah, it adds all donations to the same output
17:21 < CodeShark> hmm and the scriptSigs have been cleared completely
17:21 < CodeShark> that breaks my multisigner :p
17:21 < andytoshi> yeah, it drops everything when it's merging unsigned transactions
17:21 < andytoshi> really?
17:21 < andytoshi> hmm
17:22 < andytoshi> so, the way it tells when all the signatures have come in is that none of the scriptsigs are blank anymore
17:22 < CodeShark> hmmm - my multisigner cannot, in general, know whether it can sign any transactions unless the public keys are available
17:23 < CodeShark> also, it uses placeholders for signatures so different signers can add signatures
17:23 < CodeShark> I just use a 0-length signature to indicate "unsigned"
17:24 < CodeShark> but keep the keys/redeemscripts
17:26 < CodeShark> the reason for this is that different signing nodes could participate without having to know anything about how the p2sh addresses were generated
17:28 < CodeShark> if you can replace the scriptSig of my input with what I had originally submitted, I'll sign it:)
17:28 < CodeShark> I guess I could replace it on my end
17:29 < andytoshi> well, i've gotta fix the donation address thing
17:30 < andytoshi> then i'll think about what to do about scriptsigs...my assumption was that anything in there was just noise
17:30 < andytoshi> since if somebody had signed something, the signature would be invalid after joining
17:31 < CodeShark> inputs in general contain more than just signatures - it would be nice to have a separate field in the input just for signatures rather than just pushing them on a stack
17:31 < CodeShark> this is especially true for p2sh transactions
17:31 < andytoshi> yeah, bad assumption on my part
17:36 <@gmaxwell> petertodd: instead of using the signer's public key, perhaps use his r value (as its the x coord for k*G). This has an advantage of working for more transaction types, and also if the sender is reusing addresses it wouldn't cause reuse for payments to the same thing.
17:40 < andytoshi> CodeShark: this is a weird bug, it is failing to read the last byte of the address when it calculates the scriptpubkey of the donation address
17:41 < andytoshi> so the length is wrong and i'm also missing a byte
17:41 < andytoshi> but the logic looks correct and it worked with testnet <.<
17:42 < phantomcircuit> so it occurs to me that the behavior of IsConfirmed is already broken
17:42 < phantomcircuit> and simply removing the unconfirmed dependency checking is probably optimal
17:44 < andytoshi> oh, i see, i'm popping an entire byte to remove the version field .. but i guess that's not right .. i need to look up what i'm doing with these addresses
17:48 < CodeShark> so nobody has an answer for my earlier question? is there a cryptographic transform that has an inverse and is commutative such that ABA^(-1)B^(-1) = identity? gmaxwell? petertodd? :)
17:49 < CodeShark> I guess exponentiation...
17:49 < andytoshi> i think what you're asking describes blind signature schemes
17:49 < CodeShark> yeah :)
17:50 < CodeShark> so yeah, I suppose we can use exponentiation, where the inverses here are modulo phi(field modulus)
17:50 < andytoshi> so, the wiki article on that has an example using RSA, and there is an entry on matthew green's blog about ecc
17:50 < andytoshi> http://blog.cryptographyengineering.com/p/note-on-blind-signature-schemes.html
17:50 <@gmaxwell> CodeShark: just addition in EC groups works. (with the modular inverse to undo)
17:51 < CodeShark> right
17:54 < adam3us> andytoshi: there is an ec schnorr blind sig also
17:54 < adam3us> andytoshi: but no ecdsa one.  there is a horrendously complex dsa one.
17:54 < CodeShark> so the only part remaining to solve for decentralized coinjoin is peer discovery
19:08 < phantomcircuit> i've come to the point that i want to use raw transactions to effectively get a two phase commit
19:08 < gmaxwell> phantomcircuit: separate the sign from the send and make it in the database before you send?
19:08 < phantomcircuit> currently what im doing is setting the transfer to processing, calling sendtoaddress and updating with the transaction result
19:09 < phantomcircuit> however if there is a failure after sendtoaddress but before the request is updated
19:09 < phantomcircuit> then i have to manually go in and fix it
19:09 < phantomcircuit> so my question is
19:09 < phantomcircuit> is there a way to get bitcoind to do the output selection
19:09 < gmaxwell> right, so you want a sendmany that returns a raw transaction?  then you can call sign on it, write it to your database.. then send it?
19:09 < phantomcircuit> gmaxwell, yeah
19:10 < phantomcircuit> well except im using sendtoaddress since there's very rarely transactions that can be grouped
19:10 < gmaxwell> yea but you can sendmany with just one output.
19:10 < phantomcircuit> yeah
19:10 < gmaxwell> I would have done that already except we @#$@# call signing inside the coin selection innerloop. Which is retarded. If you feel like fixing that, the rpc would be really easy to write.
19:11 < gmaxwell> Though I think it should just be a sendmanyraw or a flag to sendmany that lets it output the raw txn.
19:11 < nanotube> midnightmagic: scrollback in this channel. :)
19:12 < phantomcircuit> gmaxwell, well the returned tx would optimally be signed already
19:12 < jrmithdobbs> gmaxwell: that rommixmc thing is interesting and similar to my "fix" for scrypt that i haven't had time to work on since last i talked to you about it, haha
19:12 < midnightmagic> nanotube: thanks man
19:12 < phantomcircuit> signed but not committed to the wallet.dat database yet
19:12 < jrmithdobbs> gmaxwell: that is a very cool solution
19:13 < gmaxwell> phantomcircuit: for your usage, but not signing it is more general. What if your online wallet was locked.. and your unlocked wallet was not "online" ? e.g. just rs232 connected box or something.
19:13 < phantomcircuit> gmaxwell, ah
19:13 < phantomcircuit> yeah i guess that's true
19:13 < gmaxwell> phantomcircuit: the cost of not signing it is that you have to make another rpc roundtrip, pretty mild cost.
19:14 < phantomcircuit> well the primary cost is that i have to fix the coinselection stuff
19:14 < jrmithdobbs> gmaxwell: catenta still doesn't address the dependency on sha2 for the first obfuscation though unless i'm missing something =/
19:14 < phantomcircuit> where as right now i could probably add a flag to sendmany to not broadcast/save to the wallet
19:15 < nanotube> midnightmagic: starting about 2200 my time on sep 8. :)
19:15 < jrmithdobbs> gmaxwell: sorry, responding to something from like 2 days ago :)
19:15 < gmaxwell> yep. The problem isn't fundamentally hard. The signature will only have four possible sizes: compress, uncompressed, p2pubkey compressed, p2pubkey uncompressed (assuming that you just approximate the size by rounding up).
19:15 < gmaxwell> jrmithdobbs: yea its fine I knew what you were responding to.
19:16 < gmaxwell> jrmithdobbs: I thought the recommendation on catenta was just use sha3 all over.
19:16 < jrmithdobbs> gmaxwell: their splitting of client/server work is very much in the same line of thinking i was going down, makes me wish I had time to go back to that before the PHC deadline cause that's nice confirmation i was on to something ;p
19:16 < Luke-Jr> jrmithdobbs: you have a "fix" for scrypt?
19:17 < jrmithdobbs> Luke-Jr: i have a set of improvements i've been toying about with for almost a year now, yes
19:17 < Luke-Jr> jrmithdobbs: does it make it a viable POW?
19:17 < jrmithdobbs> part of it was trying to address the cache timing attack the cantena guys address, in fact
19:17 < gmaxwell> and I was pointing catenta out to jrmithdobbs because I knew that he was concerned with some of the things it addresses.
19:18 < jrmithdobbs> gmaxwell: i don't see how sha3 is all that much better suited other than we don't know it's issues yet =/
19:18 < jrmithdobbs> i mean it's obviously better than using sha3 for the task
19:18 < jrmithdobbs> but ...
19:18 < jrmithdobbs> err better than using sha2*
19:18 < gmaxwell> jrmithdobbs: really any function is suited. Nothing busted in the last 20 years has been busted so much to harm its usage as a kdf.
19:18 < gmaxwell> (any cryptographic hash)
19:19 < jrmithdobbs> gmaxwell: that's true, md5 is still usable for that in most scenarios
19:19 < jrmithdobbs> not recommended, but realistically, it's usable
19:19 < gmaxwell> s/most/all/ really. md4 would be fine too.  Better to use something better... but.
19:20 < jrmithdobbs> gmaxwell: if you have access to enough key samples for some reason md4/5 could be problematic, no?
19:20 < gmaxwell> I don't think so, not after you've iterated them thousands of times.
19:20 < jrmithdobbs> but yes, anyways, i'll concede your point ;p
19:20 < phantomcircuit> i love that most CA root certs are md2
19:20 < jrmithdobbs> that line of thinking just makes me feel dirty
19:21 < jrmithdobbs> because it reeks of situations like with the  people with "credibility" telling people to revert to 20-year-old-known-broken-to-statistical-analysis ciphers for a half a decade so the nsa can log all our traffic =/
19:21 < gmaxwell> I'm really excited about the asymmetric memoryhard trapdoor proof of work I came up with this morning.. though I worry the validation will be too slow.
19:21 < jrmithdobbs> (fuckin rc4)
19:21 < gmaxwell> yea... wtf well.. ssl is a cluter@#$@ in general.
19:22 < jrmithdobbs> anyways, back to work
19:22 < jrmithdobbs> gmaxwell: i'm gonna read over that a few more times, there's good work there (catenta)
19:23 < phantomcircuit> damn
19:23 < jrmithdobbs> nice to see someone besides the scrypt guy looking at the problem. not enough people are
19:23 < phantomcircuit> my 2TB external hdd is full
19:23 < phantomcircuit> >.>
19:23 < gmaxwell> now the problem with catenta is that it's new. :(
19:23 < jrmithdobbs> gmaxwell: it's not though
19:23 < jrmithdobbs> gmaxwell: it's a modified rommix with a different hash
19:23 < gmaxwell> scrypt was finally getting old enough to get people to accept it, and now we have a new version.
19:23 < gmaxwell> I know.
19:24 < jrmithdobbs> true
19:24 < gmaxwell> I did read the paper. I love it. Its a big improvement IMO.
19:24 < jrmithdobbs> and scrypt wasn't "new" either
19:24 < jrmithdobbs> it was old stuff applied in a novel way
19:24 < phantomcircuit> that's new
19:24 < phantomcircuit> :)
19:24 < jrmithdobbs> scrypt was really just modernized bcrypt with more long term thinking and a better cipher behind it, if you look at it
19:25 < jrmithdobbs> the basic construction isn't very novel (it's cool, don't get me wrong ;p)
19:25 < gmaxwell> well no, the romix idea was novel. Also catenta still doesn't go quite far enough.
19:25 < gmaxwell> e.g. it doesn't make optimal use of the memory hierarchy.
19:25 < jrmithdobbs> it also still reveals too much to the authenticating party imho
19:26 < jrmithdobbs> but that's a bigger problem
19:26 < jrmithdobbs> (I don't think the authenticating party should ever have the hash)
19:26 < gmaxwell> ideally such a function would achieve optimal speed only if you have a given ratio of adder speed to l2 cache speed to memory speed.
19:27 < jrmithdobbs> and once you start needing to think about that portability kind of goes out the window for the simple solutions
19:27 < jrmithdobbs> but isn't optimized portable code an oxymoron?
19:28 < jrmithdobbs> gmaxwell: also why do they recommend keccak and not blake2? if you're trying to avoid cache timing issues isn't reusing salsacore as much as you can one of the best things you can do?
19:29 < jrmithdobbs> if it's all re-referencing the same damned code the code doesn't get kicked out of cache, after all
19:29 < jrmithdobbs> or at least, it's harder to forcibly evict
19:30 < gmaxwell> it doesn't matter if its kicked out of cache, the access pattern is not data dependent.
19:34 < jrmithdobbs> oh bleh, that's right it's timing on the data access not code segments, i'm going to run instead of saying stupid shit on the internet in my prednisone fueled mania
19:34 < jrmithdobbs> ;p
19:34 < jrmithdobbs> and by run
19:34 < jrmithdobbs> i mean physically
19:47 < phantomcircuit> i just realized something
19:47 < phantomcircuit> i can just copy this desktops hdd into a vm
19:47 < phantomcircuit> derp
19:48 < phantomcircuit> obvious solution is obvious
19:48 < phantomcircuit> sorry totally off topic
20:23 < nanotube> anyone care to test if my bitcoind hidden service is visible? gb5ypqt63du3wfhn.onion
20:31 < gmaxwell> 2013-09-11 00:26:20 receive version message: version 70001, blocks=257216, us=5yljdotwhmx65nlk.onion:8333, them=gb5ypqt63du3wfhn.onion:8333, peer=127.0.0.1:58807
20:31 < gmaxwell> so you're working and sending out the right address in your version message.
20:32 < nanotube> cool. :)
20:32 < nanotube> i have your node in addnode
20:33 < nanotube> my guess is it isn't currently possible, but it probably should - to set connection limits separately for tor and non-tor.
20:33 < nanotube> to ensure an active tor-nontor bridge
20:33 < nanotube> otherwise given the relative paucity of tor nodes, it could be that all slots can be eaten up by nontor nodes and you lose the tor bridge
20:33 < nanotube> ?
20:33 < jrmithdobbs> nanotube: it's possible in that you can give a list of known nodes as -connect/-seed nodes
20:34 < jrmithdobbs> so long as all of them in your list don't drop at once ...
20:34 < nanotube> right, but let's say tor hiccups and you lose all tor connections, slots fill up...
20:34 < nanotube> then tor comes back up but you're cut fof.
20:34 < nanotube> off
20:34 < phantomcircuit> nanotube, connect reserves the slot for outbound connections
18:28 < phantomcircuit> bitch is crazyyyy
18:29 < MC1984> are you amused or harassed
18:29 < gmaxwell> phantomcircuit: you should tell her that you paid her but {pick a victim} took the money.
18:29 < phantomcircuit> MC1984, mostly amused
18:29 < phantomcircuit> if she continues im going to call the police and have her deported
18:30 < MC1984> all good fun then
18:30 < phantomcircuit> she's a uk national on a fiance visa
18:30 < phantomcircuit> if she has any negative contact with the police she is immediately deported
18:30 < phantomcircuit> but that would just make her even more angry
18:30 < MC1984> what if something got lost between britcoin>intersango or something
18:30 < phantomcircuit> so tradeoffs in life
18:30 < phantomcircuit> MC1984, im pretty sure i have all the bank records
18:31 < MC1984> invite her to sue then
18:31 < phantomcircuit> MC1984, god i dont want to actually deal with that shit
18:31 < phantomcircuit> but yeah i think that's what i have to do
18:31 < MC1984> can you countersue in the uk
18:32 < phantomcircuit> MC1984, she's in like florida or georgia or something
18:32 < phantomcircuit> so yeah i could pretty much ruin her
18:32 < phantomcircuit> but really who wants to ruin a crazy lady who would then have nothing better to do than direct even more crazy at you
18:32 < MC1984> well
18:32 < MC1984> fair warning and all that
18:33 < gmaxwell> MC1984: if she gets deported back to the UK she'll likely have even more free time to bug him.
18:34 < MC1984> tru
18:36 < Emcy> oh nice
18:36 < phantomcircuit> gmaxwell, exactly
18:36 < Emcy> just grouped this nick
18:36 < Emcy> henceforth i am Emcy
18:36 < phantomcircuit> actually at this point she's probably gone past the point of harassment and is well within terroristic threats
18:36 < phantomcircuit> which would mean jail time
18:36 < phantomcircuit> but she'd still be crazy
18:36 < phantomcircuit> just even more angry
18:38 < gmaxwell> there should be a service that you can hire that redirects the crazy people to be mad at them, or better, fictitious persons they create just for that purpose.
18:38 < Emcy> terroristic rly
18:38 < Emcy> anyone seen the complaint letter generator thing?
18:38 < phantomcircuit> Emcy, it's a deceptive term us law enforcement uses to mean threatening to commit a crime against someone
18:38 < Emcy> had a few people on forums with that
18:39 < phantomcircuit> gmaxwell, that's actually a really good idea
18:39 < Emcy> well still, dont perpetuate it
18:39 < Emcy> its one of the worst things to happen in the last 10 or 15 years
18:40 < phantomcircuit> Emcy, sure except in this case she is literally threatening to kill me
18:41 < Emcy> well yeah but is that legit terrifying
18:42 < Emcy> like, what happened to just threats of harm
18:42 < Emcy> over here you have all the rights in the world when dealing with police, unless he "suspects you of terroristic activity", and then youre his pet for the next while
18:42 < phantomcircuit> Emcy, i have literally thought about what i would do if she broke into my house and tried to kill me
18:42 < Emcy> its not right
18:43 < phantomcircuit> so yes
18:43 < phantomcircuit> yes it is
18:43 < Emcy> get a gun?
18:43 < phantomcircuit> i've moved
18:43 < phantomcircuit> cant find me now
18:44 < adam3us> https://twitter.com/adam3us/status/401492797846335488
18:44 < adam3us> @DataTranslator seems like PR distinction: Coin Validation is trying to fan viral run on fungibility by businesses.  But *they* dont police.
18:45 < phantomcircuit> that's a large part of why she's mostly just annoying
18:46 < gmaxwell> phantomcircuit: you still in the bay area?
18:46 < phantomcircuit> gmaxwell, nope
18:46 < phantomcircuit> i moved to a loverly place where i can carry a concealed firearm 24/7
18:46 < phantomcircuit> and will be doing so shortly
18:48 < Emcy> you handled weapons before?
18:49 < phantomcircuit> Emcy, nope
18:49 < adam3us> man we've so got to fix fungibility
18:49 < phantomcircuit> have a ccw course scheduled and will tell them it's not a joke
18:49 < adam3us> & talk some sense into Yifo & Coin Validation
18:50 < phantomcircuit> adam3us, no
18:50 < phantomcircuit> just leave them alone
18:50 < phantomcircuit> the more  you talk about them the more credibility you give them
18:51 < adam3us> phantomcircuit: do you think they realize how dangerous to fungibility and bitcoin continued existence that they are doing is? i mean they dont actually want to kill it or they have no business to validate
18:51 < phantomcircuit> adam3us, my first guess would be yes
18:51 < sipa> look at it this way: if business believe what they're selling is useful, cryptocurrencies like bitcoin have probably little chance of surviving (at least in its original fungible spirit)
18:52 < phantomcircuit> and they're just being dicks
18:52 < Emcy> meanwhile in britain
18:52 < Emcy> breadknives come with an 18+ warning
18:52 < adam3us> phantomcircuit: or maybe they do know and Gifu is just the tech sucker/grunt in a bigger scheme
18:52 < phantomcircuit> Emcy, yeah well if you fucks would stop stabbing each other...
18:52 < sipa> but if we're just ignoring them, i think the chance of them just silently being forgotten increases
18:52 < gmaxwell> Yea, I don't see any reason to debate with them... we should just moot them.
18:52 < Emcy> phantomcircuit thats mostly london
18:52 < gmaxwell> arguing with them gives them credibility.
18:52 < phantomcircuit> Emcy, lol i was kidding
18:53 < gmaxwell> if no one responded a lot of people would just think "bitcoin is anonymous so what you're suggesting can't work!"
18:53 < adam3us> have to educate bitcoin biz people i bet there are enough of them who dont understand the fungibility risks
18:53 < sipa> adam3us: agree there
18:53 < gmaxwell> then again, yifu has probably ripped off enough miners at this point to fund this effort for a long time. :(
18:53 < Emcy> well i would not want my countrymen to have firearms any way. It would be a mostly accidental bloodbath
18:54 < sipa> adam3us: but doing it as a reaction to the co-invalidation thing is not the right signal
18:54 < adam3us> gmaxwell: i think its more likely this mellon trust fund guy thats funding the gig
18:54 < kill\switch> Which one does the PR videos on weusecoins?  I forget the nick, he's on IRC
18:54 < phantomcircuit> gmaxwell, i dont even know what he did
18:54 < sipa> kill\switch: justmoon made that site, a long time ago, before he was at opencoin
18:54 < phantomcircuit> i dont think he did the videos though
18:54 < kill\switch> I think a PR video series about fungibility basics would go far to making the case for 'normal' people
18:54 < phantomcircuit> he paid someone to do it
18:55 < sipa> yes, there was a crowdfunding for the video
18:55 < jrmithdobbs> the weusecoins guy? ya he paid someone
18:55 < adam3us> kill\switch: that sounds like a good idea
18:55 < jrmithdobbs> it was like the only bounty that ever actually got paid i think
18:55 < jrmithdobbs> ha
18:55 < sipa> and the wallet.dat file was subsequently lost...
18:55 < gmaxwell> sipa: and the video only used like half of the raised funds, and the rest were lost.
18:56 < jrmithdobbs> ya that too
18:56 < gmaxwell> I think they lost over 5000 btc if I was remembering correctly.
18:56 < sipa> IIRC it was something like 7k BTC
18:56 < jrmithdobbs> nah it was 5000 usd
18:56 < gmaxwell> if you average our opinions ... :P
18:57 < sipa> https://bitcointalk.org/index.php?topic=83794.0#post_toc_19
18:57 < sipa> 7000 BTC
18:58 < phantomcircuit> aahah
18:59 < phantomcircuit> man i forgot how much btc was taken in mybitcoin
18:59 < phantomcircuit> 78k
19:02 < sipa> cdecker lost 9k BTC? :o
19:02 < sipa> i never knew
19:03 < gmaxwell> It's interesting that it lists the mooncoin thing and not the reorg attacks on mooncoin, cdouble's exchange, etc.
19:04 < gmaxwell> (several exchanges were attacked with reorgs and timewarps on altcoins used to empty their orderbooks and walk with bitcoins around that time)
19:04 < gmaxwell> bitscalper lol
19:04 < gmaxwell> that was funny.
19:05 < gmaxwell> the story there is incomplete. the site was woefully insecure, some speculated it was intentionally so to cover up for it being a scam.
19:08 < gmaxwell> " The thief is still unknown at this point, but the theft has supposedly been entirely returned" .. facepalm
19:09 < gmaxwell> whomever wrote this was far too kind
19:10 < sipa> where do you read that?
19:10 < sipa> Victim: Users of Bitscalper
19:10 < sipa> Status: MiningBuddy (bitcointalk.org user) attempted to reorganize bitscalper, but failed. No coins have been returned at all.
19:10 < sipa> ah bitcoinica
19:10 < gmaxwell> in that thread.
19:12 < gmaxwell> in the bitcoinica final theft the funds went through several places all provably linked to Zhou. Finally ending up in an exchange account owned by zhou on another exchange. Which were frozen when they tried to withdraw them.  Then magically zhou realized the thief must be a mysterious friend of his and 'brokered' a deal that the funds would be returned if the investigation was ended.
19:13 < gmaxwell> but we have no idea who the thief was...
19:13 < gmaxwell> :P
19:18 < Emcy> its impressive for a 14 year old
--- Log closed Sat Nov 16 00:00:52 2013
--- Log opened Sat Nov 16 00:00:52 2013
00:43 < midnightmagic> I thought he was 17.
00:44 < midnightmagic> Anyway his family was/is privileged.
00:46 < gmaxwell> I always assumed he wasn't actually that young, but it was instead just the friendly disreputability layered on to prevent people from noticing the deeper rot.
03:24 < adam3us> gmaxwell: morning: dreaming about EdDSA - i think it should work for split key etc.  djb et al have only placed restrictions on d as d is random k with  a few bits 0d.  So then d1G+d2G=dG where d1+d2=d mod n
03:25 < adam3us> gmaxwell: further the compression of R has to be optional - you can decompress it so that's just wire compression unrelated to the sig scheme
12:17 < HM_> (rather than "scalar" point multiplication)
12:17 < HM_> mind boggles. g1 x g2 x g3
12:20 < HM_> so I*[g1]^x in the notation i'm looking at would be X_Coord_of(PointMul(x, g1)) mod n, multiplied by I
12:20 < HM_> in EC terms
12:31 < HM_> I guess as long as it's commutative and has the mathematical properties you want, it doesn't matter how you encode a point
15:25 < gmaxwell> This might be of some idle amusement:
15:25 < gmaxwell> 12:21 < mjg59> How much real money would it cost for me to be able to back up 10GB of content into the bitcoin block chain?
15:25 < gmaxwell> 12:22 < mjg59> I'm looking to have cheap replicated backups
15:26 < gmaxwell> (mjg59 is Matthew Garrett, well known linux person who now works at https://www.nebula.com/ )
15:27 < amiller_> lol
15:28 < petertodd> nice
15:29 < petertodd> tell him ~$1000 to $10,000
15:30 < gmaxwell> petertodd: thats not realistic.
15:31 < gmaxwell> It would take 70 days of full blocks to do it. It would be blocked long before then.
15:31 < petertodd> I never said how long
15:31 < gmaxwell> And so you'd need to factor in the cost of paying someone to work around the block or buying astroturfing to prevent the blocking.
15:31 < petertodd> Those are, IIRC, the numbers for a mechanism that's tricky to block.
15:32 < gmaxwell> ah, well, then that would take a long time indeed.
15:32 < petertodd> yeah, takes forever, but in theory it's doable
15:33 < petertodd> more likely by the time you're 10% done you'll find that fee competition is an issue
15:33 < petertodd> simply because other people get the "bright idea"
16:09 < jgarzik> would be an excellent faq / blog post
16:09 < jgarzik> answering that question, both time and cost
16:10 < petertodd> yeah, and stress that if people start actually doing that, the cost is going to go way, way up
17:12 < amiller_> is there a good way of slowing down the tx processing time
17:12 < amiller_> like making a costly to validate transaction using only standard tx
17:12 < amiller_> the best i can think of is just to have a bunch of txinputs in separate transactions and try to hurt the leveldb but it's hard to imagine it taking very long
17:13 < amiller_> or to have only one invalid transaction signature and hopefully it's the last one validated
17:17 < gmaxwell> CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG
17:17 < gmaxwell> but we deal with that.
17:17 < jgarzik> heh
17:22 < amiller_> that's not a standard tx is it?
17:23 < amiller_> and how is that dealt with
17:23 < amiller_> "// Support up to x-of-3 multisig txns as standard"
17:30 < gmaxwell> the maximum number of checksig operations per block is limited... and anyone accepting non-standard txn should hopefully be smart about not letting a single txn use up their quota.
17:37 < jgarzik> that level of smart is absent in mining right now
17:38 < gmaxwell> yea, but so is accepting non-standard txn generally.
18:37 < amiller_> i'm not interested in per block so much as for mempool
18:38 < gmaxwell> Protected by IsStandard
--- Log closed Tue Jun 25 00:00:15 2013
--- Log opened Tue Jun 25 00:00:15 2013
--- Log closed Wed Jun 26 00:00:18 2013
--- Log opened Wed Jun 26 00:00:18 2013
--- Log closed Thu Jun 27 00:00:21 2013
--- Log opened Thu Jun 27 00:00:21 2013
--- Log closed Thu Jun 27 03:30:08 2013
--- Log opened Thu Jun 27 03:30:26 2013
--- Log closed Thu Jun 27 17:55:35 2013
--- Log opened Thu Jun 27 17:56:18 2013
22:51  * jgarzik sends a draft of the decentralized identity sacrifice protocol off to petertodd
23:20  * jgarzik also tries to figure out some semi-decentralized method of conducting an ebay auction, where buyers bid ever-increasing amounts with proven funds
23:28 < petertodd> #2 sounds really similar to the fee auction process you know...
23:28 < petertodd> but we don't have the ability (yet) to lock a txout in any way which makes a in-Bitcoin port tough
23:29 < Luke-Jr> sounds easy enough?
23:30 < Luke-Jr> the seller can just publish an output which is used as an input to bids
23:30 < Luke-Jr> bidders sign transactions consuming it
23:30 < Luke-Jr> seller only signs the one winner
23:31 < petertodd> you mean a multisig output?
23:33 < petertodd> ah, I see, the output is to ensure only one tx, IE bid, can go through, simple enough
23:35 < Luke-Jr> yep
23:35 < gmaxwell> on the subject of random crypto protocols, I came up with one so that a movie renting place could rent you a single movie while learning nothing about which of the movies they loan is the one you picked.
23:36 < gmaxwell> (I came up with it on the spot when I was explaining to someone how funny crypto things like you make trustless protocols for things that model relationships people want to have and they suggested keeping your movie preferences private as an example)
23:37 < Luke-Jr> haha, that's the opposite direction rental businesses want to go I think :P
23:38 < gmaxwell> (You encrypt all the movies and give them to them; you also encrypt all the movie keys with homomorphic encryption and give them all the E(Renter_key,K)s. They pick the movie they want and compute E(rentee_key,E(Renter_key,K)) for the movie they want and then ask you to decrypt it.)
23:38 < gmaxwell> (and you only decrypt one key for them)
23:39 < realazthat> you can still eavesdrop which they download though
23:39 < petertodd> jgarzik: re decen identity: you seem like you have a protocol that doesn't create a strong proof after the fact that the sacrifice was genuine
23:39 < realazthat> unless they download all of them
23:39 < petertodd> jgarzik: it's almost but not quite a proper announce-commit
23:40 < realazthat> erm
23:40 < realazthat> I was thinking of a similar scheme
23:40 < realazthat> nvm
23:41 < realazthat> in ur case you stated they get them all
23:41 < gmaxwell> realazthat: yes, they get them all. I do not know of a way to do an _efficient_ oblivious database where the reader and writer are different parties.
23:42 < petertodd> Luke-Jr: nah, gmaxwell's protocol still works for that: just give people the *option* of using this fancy feature, if they do, they're almost certainly renting Enemy of the State
23:42 < petertodd> realazthat: use a DHT
23:42 < gmaxwell> Luke-Jr: well part of my point is that one of the reasons businesses go the route of watching everything is that it's easiest to do that, and "impossible" for a superior business partner to prove that they aren't.
23:43 < Luke-Jr> gmaxwell: it's also useful information
23:43 < gmaxwell> Except with cryptographic protocols a superior business partner can actually prove that they're not, and perhaps benefit from their superiority.
23:43 < Luke-Jr> gmaxwell: I often wish someone did some analysis of anime preferences, and recommended me ones I'm likely to enjoy
23:43 < gmaxwell> (Privacy is like the worst lemon market that there ever was)
23:43 < realazthat> lol
23:44 < gmaxwell> Luke-Jr: sure. I use movielens for things like that. But there is no need to force you into analysis which: doesn't benefit you, which loses more than it strictly needs to etc...
23:44 < gmaxwell> (http://movielens.umn.edu/login)
23:45 < Luke-Jr> gmaxwell: without enough sample data, it won't work
23:45 < gmaxwell> e.g. nothing would stop you from also submitting your movie preferences to another party perhaps behind a pseudonym even automatically. So then no one learns more than they need to and the party learning movie preferences is actually providing you with a useful service.
23:46 < gmaxwell> vs the renter doing it, and which they may just be selling the data to someone who wants to make a list of people with various politics in order to oppress or what have you.
23:56 < Luke-Jr> gmaxwell: I can't even find 5 movies I've seen -.-
23:56 < gmaxwell> hah
23:57 < gmaxwell> on movie lens?
23:57 < gmaxwell> "You've rated 371 movies." .. and there are a bunch I've seen but haven't rated because I don't remember them well enough to give them a rating.
23:58 < petertodd> needs a new rating: "Didn't rate; probably sucks"
23:58 < gmaxwell> I emailed them and pointed out that in the netflix data that saw vs not-saw actually had most of the predictive power.
23:59 < gmaxwell> (and suggested they add a "dunno; but I saw it")
23:59 < gmaxwell> but they didn't respond. :(
23:59 < gmaxwell> A "I made a conscious decision not to watch this" would be interesting too, I expect.
23:59 < petertodd> heh, maybe that's already mostly what their algorithm actually is...
--- Log closed Fri Jun 28 00:00:31 2013
--- Log opened Fri Jun 28 00:00:31 2013
--- Day changed Fri Jun 28 2013
00:00 < gmaxwell> petertodd: I expect it actually is. I mean, that's basically what a linear SVM trained on the netflix prize data produces: a model that predicts what you'll like based on what you've seen regardless of your rating.
00:00 < Luke-Jr> gmaxwell: yeah
00:01 < gmaxwell> but sadly the fact that it forces you to rate means that people provide less data than they could.
00:01 < Luke-Jr> still stick at 4 movies x.x
00:01 < Luke-Jr> wtf, they have Q: The Winged Serpent, but not the Tron sequel?
00:02 < gmaxwell> E.g. right now it suggests that I watch "Legend" which is like ... from the mid 80s. I've seen it and assume I didn't hate it, but I can't usefully rate it.
00:02 < gmaxwell> they have the tron sequel
00:02 < gmaxwell> http://movielens.umn.edu/movieDetail?movieId=82461
00:02 < Luke-Jr> the initial entry needs a search >.>
00:04 < Luke-Jr> grr
00:04 < Luke-Jr> the search from that page won't work until I find 15 either
00:05 < gmaxwell> turn off exclude movies without predictions?
00:06 < Luke-Jr> no, it's the "MovieLens needs at least 15 ratings from you to generate predictions for you." screen
00:06 < Luke-Jr> grr, I missed Short Circuit
00:08 < gmaxwell> I've seen a bunch of good weird movies because of movie lens.
00:08 < jgarzik> petertodd, how so?
00:08 < Luke-Jr> Live Nude Girls (1995) lolwut
20:35 < phantomcircuit> gwillen, no no, he's saying that not only does it not flush
20:35 < phantomcircuit> but it DROPS the dirty pages
20:35 < gwillen> right
20:35 < gwillen> yeah, sorry, I mean, not flushing but keeping things pending would be okay
20:35 < gwillen> but dropping them is really odd
20:35 < phantomcircuit> yeah that sounds strongly like a bug in os x
20:35 < phantomcircuit> which is what i've assumed all along
20:36 < gwillen> well, evidently posix doesn't require it to do anything useful
20:36 < phantomcircuit> apple gaming the fuck out of benchmarks basically
20:36 < cfields> yea, the spec doesn't say it needs to flush. in fact, one of the docs explicitly says you need to msync() for that
20:36 < cfields> s/spec/bsd docs/
20:36 < phantomcircuit> right
20:36 < phantomcircuit> if im reading this right, he's saying that not only do they not flush, they also drop the dirty pages entirely
20:37 < phantomcircuit> like they have a separate page cache for mmap than from normal file io or something bizarre
20:40 < phantomcircuit> my guess is that there is some small pool of memory in the mmap subsystem which is used to buffer changes to the page cache that is dropped when munmap is called
20:41 < cfields> imo that's not the case...
20:42 < cfields> my theory was that there's a quick write, then a quick read. The read comes from an fd on osx rather than mmapping. So the last write may not be on-disk yet, since it's still showing the zeroed region
20:43 < phantomcircuit> hmm maybe
20:47 < warren> "His victory speech"
20:47 < warren> heh
20:50 < midnightmagic> cfields: You're talking about this from msync(2)?: Filesystem operations on a file that is mapped for shared modifications are unpredictable except after an msync(). ?
20:50 < cfields> yea
20:50 < phantomcircuit> actually thinking about it iirc you can only get like 50k write() syscalls/second
20:51 < phantomcircuit> so i can see how that would be a limiting factor
20:51 < phantomcircuit> except leveldb is single threaded so an inmemory buffer with a timer should work well enough
20:51 < phantomcircuit> er i mean no it's not
20:52 < phantomcircuit> but a thread with the end of the journal that gets flushed when it's a certain size or after it's 500ms old or something
20:52 < midnightmagic> phantomcircuit: the better alternative is to use scatter/gather and iovec structs
20:52 < cfields> hmm, wait a sec
20:53 < midnightmagic> then individual syscall overhead is reduced (ideally) and the structs can sometimes be utilized by underlying storage subsystems to speed up their own writes.
20:53 < phantomcircuit> midnightmagic, sure but that's not going to be obviously platform independent :)
20:53 < gmaxwell> gwillen: cc-*-4.0 has extended the patent badness into all creative commons licenses now, fwiw.
20:53 < midnightmagic> dirty internal page caches when flushed to disk in multiples shouldn't be done with plain write()s
20:53 < phantomcircuit> (which is the fundamental issue here)
20:54 < gmaxwell> gwillen: thank universities for that one, mostly.
20:54 < midnightmagic> phantomcircuit: huh?  why isn't it portable?
20:54 < midnightmagic> we only care about bsd/linux/windows/osx right?
20:54 < gwillen> gmaxwell: all the 4.0 ones appear to say is 'Patent and trademark rights are not licensed under this Public License.'
20:54 < cfields> https://github.com/bitcoin/bitcoin/blob/master/src/leveldb/util/env_posix.cc#L357
20:54 < gwillen> gmaxwell: which is a weaker statement even than cc0
20:55 < gwillen> gmaxwell: and which doesn't seem like much of a statement at all
20:55 < cfields> a call to Sync() flushes the fd to disk, before msync has been called
20:55 < phantomcircuit> cfields, so basically that's backwards
20:55 < cfields> and on osx, we've forced that flush to be a really hard flush, too :)
20:56 < gmaxwell> gwillen: yes, thats the narrowest crafting that they could get through. It's still fatally bad.
20:56 < gwillen> gmaxwell: I'm really not sure I agree.
20:56 < phantomcircuit> midnightmagic, oh i see you mean the libc ones
20:56 < phantomcircuit> hmm
20:56 < gwillen> gmaxwell: There's no reason to believe that not having it would cause patent or trademark rights to be licensed.
20:56 < cfields> phantomcircuit: hmm, it sure looks that way to me
20:56 < phantomcircuit> yeah i guess that should be very portable
20:56 < gwillen> gmaxwell: It should be more or less a no-op.
20:57 < gmaxwell> gwillen: the legal minds (e.g. Eben Moglen) believe that the BSD license contains an _implied_ patent license because it permits you to use/copy the work which would otherwise require a patent license.
20:57 < gmaxwell> gwillen: there is no ambiguity, if you receive a work under cc-by-sa-4.0 there is no implied patent license.
20:57 < gwillen> gmaxwell: Nobody's going to rely on an implied patent license
20:57 < gwillen> not on purpose, anyway
20:57 < gmaxwell> gwillen: millions of people depend on an implied patent license.
20:57 < phantomcircuit> tbh leveldb is kind of a mess
20:57 < midnightmagic> phantomcircuit: The structs can be passed to the lower-level, it takes a single syscall (usually) and there's a huge win. I've been advocating for scatter writes using iovecs internally here for like a decade but nobody listens to me and I'm too stubborn to write it for them.
20:57 < phantomcircuit> it seems like it would be easier to write a BitcoinKVDB
20:58 < gwillen> gmaxwell: also, CC is rarely used for code
20:58 < gmaxwell> gwillen: Qualcomm and Apple are basically filing a new patent against llvm/claim per week each. Your only ability to use clang at all is an implied patent license.
20:58 < gwillen> gmaxwell: patent licenses are not likely to be important on documentation or literature
20:58 < phantomcircuit> inb4NIHs
20:58 < midnightmagic> what the heck is NIHs ?
20:58 < gmaxwell> gwillen: indeed, which is a saving grace, though a narrow one. They are not too infrequently used for scientific publications.
20:59 < gmaxwell> gwillen: and yea, the implied patent license sucks. I look forward to seeing you try to convince all the patent carrying packages you use that are bsd licensed to adopt the apache license.
20:59 < gmaxwell> s/llvm/claim/llvm/clang/
21:00 < gwillen> gmaxwell: I dunno, I kind of handwave the whole issue with "all software ever written violates multiple patents anyway"
21:00 < gwillen> "therefore whether you get sued is not about what you write, but about who you piss off"
21:01 < gwillen> I hope the courts wipe out the whole software patent sector and we get to stop worrying about it
21:01 < gmaxwell> gwillen: true, though the magnitude of it is worse when its patents are owned by the same people writing the software (little ambiguity that the patents apply), and they're known vexatious litigants.
21:02 < gwillen> me nods
21:02  * gwillen nods*
21:02 < cfields> midnightmagic: which set of man pages did you pull that msync(2) from?
21:02 < gmaxwell> gwillen: it's all squishy in any case, which is why an implied license is helpful, the ambiguity makes litigation less likely, etc.
21:03 < gmaxwell> gwillen: so it's unfortunate to lose the ability to argue that maybe there is one.
21:03  * gwillen nods
21:04 < phantomcircuit> midnightmagic, not invented here syndrom
21:04 < phantomcircuit> e
21:19 < midnightmagic> cfields: NetBSD
21:20 < midnightmagic> cfields: Anytime there's a question like that, just assume NetBSD.
21:20 < cfields> heh
21:35 < gmaxwell> cfields: wrt mmap and leveldb...
21:35 < gmaxwell> cfields: I was pretty sure that 32 bit builds of leveldb do not use mmap.
21:35 < cfields> gmaxwell: for reading
21:35 < cfields> for writing they do
21:36 < gmaxwell> ah, interesting! okay.
21:36 < cfields> that's why i was bugging gavin about whether he could repro on his 64bit builds or not
21:37 < warren> cfields: we have three reports of no avoiding corruption with the mem barrier thing with people who had corruption on every run prior, weird coincidence?
21:37 < warren> s/no//
21:38 < cfields> gmaxwell: please check me, though. Anyone who's known me for a while knows that I typically go through ~3 rounds of sure-thing fixes before finding the real one :)
21:38 < gmaxwell> cfields: no, you're right I see that too now.
21:39 < cfields> warren: i still think the mem-barrier patch should go in upstream. But that was an indirection to us at best.
21:39 < cfields> warren: if it really fixed something for someone, i'd be really curious to know specifics
21:40 < warren> it's hard enough to get these people to respond
21:41 < gmaxwell> the mem barrier change is clearly right but uh. so it would be good to know why its fixing things if it indeed is.
21:42 < gmaxwell> Perhaps we should buy one of the machines that reproduces this so easily? (I dunno why we didn't do this before the bounties)
21:43 < phantomcircuit> gmaxwell, that was my suggestion last week
21:44 < phantomcircuit> but really who is going to want to sell us their laptop
21:44 < warren> do we know why many users can't reproduce the problem at all?
21:44 < phantomcircuit> warren, the race is a very close one probably
21:44 < phantomcircuit> it might be easier to write a stress test actually
21:45 < cfields> gmaxwell: i have one
21:46 < cfields> gmaxwell: rather, i borrowed one from a friend. and i was nice enough to upgrade her to 10.9 :p
21:46 < cfields> though, i was still never able to reproduce it
21:47 < gmaxwell> yea, what I was saying is that there are people who claim it always or at least frequently fails for them. Theirs is the computer you want. :)
21:47 < cfields> not without adding some sleeps in code, anyway
21:47 < gmaxwell> well the sleeps is a good idea in any case.
21:47 < warren> it happens on every run of bitcoin-qt for coblee
21:48 < cfields> warren: that's got to be a different issue i'd think
21:48 < warren> for him the mem barrier patch made bitcoin-qt usable
16:19 < petertodd> sipa: my main thinking is that wallet software wants to be able to sync transactions, rather than just funds. this also ties into a paper I'm writing on privacy issues and blockchain data
16:29 < sipa> petertodd: not sure i'm following the big picture anymore
19:28 < maaku> petertodd sipa: two separate indices under consideration here right?
19:29 < maaku> the TXO MMR which is an append/update structure whose hash root is committed to the coinbase
19:30 < maaku> you append each new output, and update a spent-bit for each input
19:30 < maaku> and a separate, per-block tree of outputs indexed by TXO, right?
19:35 < gmaxwell> At some point I'd convinced myself that it made sense to have separate append only and insert only datastructures, though I don't know why. Obviously managing an append only one is much easier.
19:40 < maaku> oh i guess it can be the same structure as actual insertion/append order within a block doesn't matter
19:42 < maaku> gmaxwell: for double-spend validation I still think an updatable trie structure is best
19:42 < maaku> but lately I've been thinking about a MMO-like structure for the scriptPubKey index
20:05 < gmaxwell> justanotheruser: So perhaps its possible to construct a precisely brittle cryptosystem and paired signature system such that I encrypt data using keys plus some additional data which I give you, such that knowledge of _any_ signature with the key is enough to decrypt the data.
20:05 < gmaxwell> but not enough to forge signatures.
20:06 < nsh> i really want to see more of a sketch of how this would work, and elaborations on the intractability of adaptive difficulty
20:06 < nsh> or at least some clearer idea of to achieveable precision in likely decryption window
20:06 < nsh> *the
20:07 < gmaxwell> DSA like schemes can be constructed so that they leak a linear relationship between the private key and the message. So the trickiness would be figuring out how to leak just enough that the encryption is revealed but not forgery.
20:07 < nsh> (re: POW which turns the distributed computation into ticking for timelock encryption)
20:07 < nsh> right
20:07 < gmaxwell> nsh: yea, I dunno, it's a very vague sketch. I was happy that something like it sounded possible because it just seemed to me to be the most realistic way of having non-trustbased timelock encryption I'd ever heard or thought of.
20:08 < justanotheruser> I wish this was possible with bitcoin because this altcoin would only be valuable for secret keeping meaning the only exchanges would be between miners and secret sharers
20:08 < justanotheruser> and speculator
20:08 < justanotheruser> s
20:08 < gmaxwell> But the obvious ways to go about building it are super ugly.
20:08 < nsh> mmm
20:09 < gmaxwell> justanotheruser: Well, as I said before a two phase protocol could make it possible to pay for it in bitcoin.  The advantage of the alt thing is just that the pow would be "useful".
20:09 < gmaxwell> E.g. lets not go building a bunch of things that require people to needlessly burn energy when we can instead just build one. :P
20:11 < justanotheruser> gmaxwell: So you're saying the secret miners would be securing the network in this altcoin, while they wouldn't be in bitcoin?
20:11 < justanotheruser> I mean you're saying that's your concern
20:12 < gmaxwell> justanotheruser: right. The idea on the altcoin page is that you have a cryptocurrency whose POW has a side effect of yielding previously unknown private keys for public keys which were set way in advance.
20:12 < gmaxwell> which IMO is way more useful than that primecoin crap. :P
20:14 < gmaxwell> My example of using DLP cracking is lame because DLP cracking is super-not-progress-free. You get a quadratic speedup from being stateful... but there are a LOT of different cryptosystems out there. I would be really surprised if something weren't reasonably suitable. But even ignoring that details like handling difficulty seem hard to get right.
20:14 < justanotheruser> gmaxwell: Is there a use for primecoins PoW? No one has been able to explain who wants Cunningham chains
20:15 < gmaxwell> No. There is no use as far as I can tell, except abstract numbertheory navel gazing.
20:15 < gmaxwell> of course, insight comes from unexpected places at times.
20:16 < gmaxwell> plus, I _suspect_ that PoW might be the _only_ really viable way to have truly secure timelock encryption.
20:16  * nsh nods
20:16 < gmaxwell> just because the timelock usage alone could never really fund enough processing power to make it secure.
20:17 < justanotheruser> The problem I see is your secret being worth 3 times as much as the secret rewards meaning your secret is found 4 times as fast as it should have been.
20:17 < gmaxwell> well thats part of the reason I propose encrypting with all intermediate keys.
20:18 < gmaxwell> so the comparison is not one blocks reward, its all rewards between here and now.
20:21 < justanotheruser> hm
20:21 < justanotheruser> gmaxwell: Do you consider any altcoins useful other than namecoin?
20:21 < gmaxwell> You could also strengthen a decentralized timelock with distributed timelocks.
20:22 < nsh> hmm
20:22 < gmaxwell> justanotheruser: not really so far, mostly they've done absolutely nothing interesting. The few that aren't just copied of the bitcoin code with a few lines changed are mostly either pure marketing and vaporware or are trivially insecure rubbish.
20:23 < andytoshi> i bet a way to find cunningham chains quickly would also yield some useful number-theory results
20:23 < andytoshi> so primecoin will become useful exactly when it's destroyed :)
20:23 < gmaxwell> E.g. To decrypt this message you need all the blocks between now and 2016 and 6 of 10 timelock servers OR all the blocks between now and 2017.
20:24 < justanotheruser> gmaxwell: how do you handle an increasing network power?
20:24 < maaku> justanotheruser: one of many unsolved problems here
20:24 < gmaxwell> hm? no I proposed a solution, but its kludgy.
20:25 < justanotheruser> Or is this the centralized distributed solution with the servers verifying the block time
20:26 < maaku> gmaxwell: it's not on your alt page...
20:26 < maaku> you've got a mechanism for scaling reward
20:26 < justanotheruser> maaku: "POW which turns the distributed computation into ticking for timelock encryption"
20:26 < maaku> but say I want to encrypt something to 2016. how do I know how far to go?
20:27 < gmaxwell> justanotheruser: I suggested running multiple problems.  Say your problems are just H("timelock is great"||x||y) = pubkey.   and x and y start at 0. When a solution for a given problem is found, y is incremented.
20:27 < maaku> justanotheruser: i'm talking about difficulty adjustment specifically
20:27 < gmaxwell> If difficulty is too low then to solve a block you start requiring work on x=0 and x=1 ... if it's still too low you require work on x=0 and x=1 and x=2
20:27 < maaku> gmaxwell: ah, i misunderstood. so you break each key into multiple problems?
20:27 < justanotheruser> maaku: your concern is it being found faster with higher network hashpower?
20:28 < gmaxwell> and so basically instead of solving one timelock sequence you solve 1 to n time lock sequences, with n depending on difficulty.
20:29 < gmaxwell> you can encrypt your message with as many of the sequences are you believe will exist in the future, but there is some risk if the difficulty is too low that the network is not solving the sequence you need.
20:29 < justanotheruser> gmaxwell: That involves centralization right?
20:29 < gmaxwell> wtf
20:29 < gmaxwell> no
20:29 < gmaxwell> sorry, I'm just confused as to where you'd get that idea! :P
20:29 < justanotheruser> I was confused by "and 6 of 10 timelock servers"
20:30 < gmaxwell> justanotheruser: oh I thought you were talking about me explaining how difficulty adjustment works.
20:30 < gmaxwell> that was just a comment on 17:21 < gmaxwell> You could also strengthen a decentralized timelock with distributed timelocks.
20:30 < gmaxwell> and yes, its not decentralized.
20:30 < justanotheruser> I see
20:31 < gmaxwell> But, e.g. decentralized + distributed OR lots-more-decentralized  doesn't seem too bad to me.
20:31 < maaku> justanotheruser: my concern is that you cannot predict which keys to use to encrypt something such that it won't be released until day X in the future
20:32 < justanotheruser> I don't see how 6 of 10 timelock servers verifying blockchain length to release a secret is different from them verifying the data
20:32 < gmaxwell> maaku: well you can in my example, you just encrypt using x=0 y={0..expected time in the future}
20:32 < gmaxwell> justanotheruser: huh? there is no verifying the blockchain at all.
20:32 < justanotheruser> brb
20:33 < maaku> gmaxwell: but then in the future when people have asic ecdsa crackers for this, difficulty will require each block to iterate x=0..(some very large amount)
20:33 < maaku> but it could just as easily be built to do x=0 y=(0.. some large amount)
20:34 < andytoshi> maaku: presumably they'd not do this, prefering to get the block reward
20:34 < gmaxwell> maaku: yes, correct. Though if they did that they'd not get the block reward.
20:34 < andytoshi> i don't think this is safe against an asic explosion
20:34 < maaku> so they give up 1 block reward in order to destroy entirely the utility of the timelock encryption
20:35 < gmaxwell> maaku: No, because you have the option of also using the higher Xs... but it puts a tradeoff over the risk that the network may not tick for all the work you need in the future.
20:36 < gmaxwell> basically, to use it with perfect security requires you to predict the future difficulty. But it can be constructed so that if you fail to guess right all is not lost.
20:36 < maaku> Which means you might as well just make the network tick with a single appended value, so you guarantee all keys are moved through
13:58 < jgarzik> meh.  TD's argumentation can be compelling, but json-rpc is more compelling.  JSON Just Works in python and JS, and matches nicely with their native data structures.
13:58 < jgarzik> protobufs are great for avoiding manual marshalling code drudgery, type checking and other utility, but the hurdles for end users are slightly higher
13:58 < jgarzik> both JS and python handle json without additional downloads, compiles, package installs
13:58 < jgarzik> the downside is
13:59 < jgarzik> no type checking, binary stuff passed as hex, ridiculously strict parsing
13:59 < gmaxwell> Yep. you can write it with a text editor. Like HTTP. It's not pretty but it's "accessible"
13:59 < jgarzik> debuggable
14:00 < Luke-Jr> someone should make a protobuf editor
14:00 < Luke-Jr> :P
14:01 < Luke-Jr> then the only problem is that it needs a schema
14:01 < Luke-Jr> but that's mostly unavoidable
14:01 < Luke-Jr> even EBML needs schemas I think
14:03 < jgarzik> Manually written marshalling code is certainly drudgery and bug-prone
14:04 < gmaxwell> Luke-Jr: it does, well, you're free to not define them and make everything an informal ad hoc mess (largely what's happened in mkv)
14:04 < jgarzik> I bet somebody somewhere has already done work on JS or python code generation, to eliminate some of that headache
14:05  * Luke-Jr hates how protobuf generates code currently
14:05 < jgarzik> unfortunately the bitcoin world seems to be the largest consumer of JSON-RPC
14:05 < Luke-Jr> with Python at least, it should be more than possible to automatically parse protobuf from a .proto directly
14:05 < jgarzik> I look around for json-rpc libs in $language, and inevitably find the author a bitcoiner
14:06 < jgarzik> compiling a foo.proto file into json-rpc type-checking code would be nice
14:06 < jgarzik> and optimal
14:07 < jgarzik> (not protobufs data definition strictly; obviously details would change for JSON)
14:12 < Luke-Jr> we really should have hijacked some bits from nVersion for the block nonce..
14:13 < Luke-Jr> with the speeds 28nm are going to do
14:13 < gmaxwell> Luke-Jr: pft nonsense. people should be building miners that can update their work faster than once per 30 seconds.. what a mess.
14:14 < Luke-Jr> gmaxwell: it's already once per second for a single bitfury chip
14:14 < Luke-Jr> and 28nm chips to 600 Gh alone
14:14 < Luke-Jr> do*
14:15 < gmaxwell> Luke-Jr: yea, and? random desktop cpu should be able to do 500,000 roots per second or something loopy like that.
14:15 < Luke-Jr> (or maybe it was 300 Gh, but not important)
14:15 < Luke-Jr> gmaxwell: with up to potentially 1 MB coinbases? :p
14:15 < Luke-Jr> and 10+ MB blocks?
14:15 < gmaxwell> Luke-Jr: yea well, do the p2pool style extranonce.
14:16 < gmaxwell> Luke-Jr: 10mb blocks is irrelevant.
14:16 < Luke-Jr> today.
14:16 < Luke-Jr> do you really want non-scalable mining chips?
14:16 < gmaxwell> No, I mean its forever irrelevant
14:16 < Luke-Jr> explain
14:17 < gmaxwell> log2.. it takes 21 sha256s to compute the root for a 1GByte block.
14:17 < gmaxwell> (assuming 500 byte transactions)
14:18 < gmaxwell> 30 for a 1 TB block.
14:18 < gmaxwell> the coinbase is a bigger issue, but as I mentioned you can do what p2pool does.
14:18 < gmaxwell> OP_RETURN output in the last transaction and do midstate compression.
14:18 < gmaxwell> er OP_RETURN in the last output
14:20 < Luke-Jr> yeah
14:20 < Luke-Jr> but that's with a host generating the work
14:20 < Luke-Jr> if these ASICs get any faster, they will have to generate work internally
14:20 < gmaxwell> I wish the hash tree geometry were different... that coinbases forked off at the top.. I wish that transactions themselves were hash trees, so that you could update one part without the rest, but we've got what we've got. If I were to hard fork, I wouldn't worry about header nonce. We have scarcely few bits in the header.. stealing one for nonce would do little good but might hurt a lot if we ever need more than a flag there.
14:21 < gmaxwell> Luke-Jr: they can do the same thing that the host does on a little FPGA.
14:21 < gmaxwell> (no need to take the risk of fabricating it directly)
14:22 < Luke-Jr> hmm, so use part of the ASIC die for a FPGA?
14:22 < Luke-Jr> is that R&D-cheap?
14:23 < gmaxwell> Luke-Jr: nah, you just use a separate fpga which then serves as your MCU (they make fpgas that have small cpus fixed on them, alternatively you just load a cpu onto it)
14:24 < gmaxwell> Seriously, these people are making _tens of millions of dollars_ and yes solving these challenges will take a little work. Tough. That's business. The nonce already gives them a 4 billion to one work reduction, two or four times that if you're willing to steal a couple of timestamp bits.
14:25 < gmaxwell> Meanwhile taking too long before updating the hashroot is bad for the network, it increases orphaning.
14:25 < gmaxwell> Luke-Jr: any idea why the bitfury stuff has high stales on p2pool?
14:25 < gmaxwell> It's worse than avalon.
14:25 < Luke-Jr> gmaxwell: I'm afraid they'll gladly make crappy non-scalable chips to get it out the door sooner with more profit :/
14:26 < Luke-Jr> gmaxwell: because the bitfury code people are using sucks?
14:26 < gmaxwell> (I can't say that I'm complaining much, I think I'm now at 105% efficiency with my avalons
14:27 < Luke-Jr> I've been basically rewriting it entirely for BFGMiner
14:27 < gmaxwell> (though part of that 105% is the asicminer things ... lol .. can't longpoll)
14:28 < Luke-Jr> bitfury can't longpoll either
14:28 < Luke-Jr> the chip itself
14:28 < Luke-Jr> I think asicminer's chip can longpoll
14:28 < Luke-Jr> (the USB ones in fact seem to work for doing that)
14:30 < Luke-Jr> bitfury's chip CAN return results in realtime (no waiting until the end like BFL)
15:57 < jgarzik> gmaxwell, petertodd: Bruce S says "thanks" for the collision-reward forum link I sent him
19:10 < sipa> jgarzik: THE bruce schneier?
19:11 < sipa> Bruce Schneier can recite pi. Backwards.
19:11 < Luke-Jr> in tonal?
19:12 < sipa> Obviously.
19:13 < Luke-Jr> :D
19:13 < sipa> he's probably to come up with two number systems in which the digit expansion is identical
19:13 < sipa> +able
19:19 < gmaxwell> it's easier to do it backwards in tonal.
19:19 < gmaxwell> (really)
19:20 < Luke-Jr> gmaxwell: easier maybe if it were even possible!
19:21 < sipa> backwards is impossible
19:21 < gmaxwell> Luke-Jr: On the basis of http://en.wikipedia.org/wiki/BBP_formula
19:21 < sipa> but in tonal (well, anything binary or power thereof) there is an efficient algorithm to compute arbitrary digits
19:22 < Luke-Jr> gmaxwell: but the end/!
19:23 < sipa> it's just slightly less impossible
19:23 < sipa> but still impossible really
19:24 < gmaxwell> It's still deeply weird that there is random access to pi. :)
19:55 < nanotube> lol didn't know that - that's awesome
22:32 < petertodd> jgarzik: awesome, forward me the email
23:31 < amiller> okay i solved bitcoin, it's no problem
23:31 < amiller> gmaxwell, i've been stressing out about this anti outsourcing puzzle but it is way simpler than i thought
23:32 < amiller> the trick is that you should not reveal the actual puzzle solution
23:32 < amiller> but a zero knowledge proof that you know a proof of work solution
23:33 < amiller> that's all there is to it really, but i should clarify that it should reveal *nothing* else about the solution, for example you should not reveal that the solution contains a commit to valid transactions or anything like that
23:34 < amiller> if you want to commit some transactions into a block, you must bind those *after* you find the solution,
23:34 < amiller> otherwise there is a 'watermarking attack' that makes hosted mining feasible
--- Log closed Sat Sep 14 00:00:36 2013
--- Log opened Sat Sep 14 00:00:36 2013
00:56 < gmaxwell> amiller: so I've been swimming in all sorts of psycho things that one way signatures enable.
00:57 < amiller> gmaxwell, word, what else have you come up with?
00:57 < amiller> one way aggregatable
00:58 < gmaxwell> amiller: I dunno if you saw me mention it, but it greatly reduces the problems of miners making more by reorging out other miners' blocks instead of moving forward in a world driven by fees.
00:59 < gmaxwell> because if the fees are taken from a block using an aggregate signature you couldn't learn any more transactions from a competitor's block.
01:00 < amiller> i read all your posts in that thread
01:00 < gmaxwell> well, I'd commented in here some too.
01:00 < amiller> is your idea basically that miners who receive transactions
01:00 < amiller> will merge all the transactions before broadcasting them
01:00 < amiller> so that other miners can't take them piecemeal and make easier blocks?
01:01 < gmaxwell> Right. Well they can take them, but the miners fee output will already be added and they can't remove it.
01:01 < amiller> one thing i vaguely think is the same as this but i haven't thought hard about is
01:01 < amiller> oh
01:01 < amiller> oh cool so they add their own personal fee explicitly
01:01 < amiller> okay so
01:01 < gmaxwell> yes. relayers could too.
01:01 < amiller> this is an implementation of bitcoins and red balloons basically
01:01 < gmaxwell> yes.
01:01 < gmaxwell> but it's efficient.
01:02 < gmaxwell> the signatures are smaller than ours. (only one G1 group element per transaction for the keys, and one G1 element for the aggregate signature)
01:02 < gmaxwell> and so if the pairing has high k you get adequate security with just 160-256 bit G1 elements.
01:05 < amiller> that doesn't affect verification time but transmission cost sure
01:05 < amiller> you still have to transmit the expanded public keys
01:06 < gmaxwell> In any case yes, it makes red balloons scalable (so long as you don't mind one pairing operation per transaction), and it also means that even the miners themselves have the red balloons property.
18:50 < theymos> Even an amateur programmer has some chance of finding it if they try hard enough.
18:50 < Emcy> so just an equation of eyeballs
18:50 < petertodd> It's a lot less likely for me to find the bug than a total outsider; for one thing I don't have a Mac...
18:51 < Emcy> virtualise one?
18:51 < petertodd> Emcy: the bug is likely to do with hardware IMO
18:51 < Emcy> anyone had the bug on mavericks yet
18:52 < warren> petertodd: i doubt it is hardware, it's probably something stupid in their OS
18:52 < warren> Emcy: yes, 10.8 and 10.9
18:52 < warren> no reports with 10.7, but that might just be no users
18:52 < warren> Emcy: and some users never have the bug ever
18:52 < petertodd> warren: see, if it's fsync() I figure it's likely OS stupidity + hardware
18:53 < petertodd> warren: especially given it's not easily repeate
18:53 < petertodd> *repeated
18:53 < sipa> the weirdest report is the "uncorruption"
18:53 < sipa> where a restart fixed a corrupted database
18:54 < warren> I have a hunch for why it affects some users but not others
18:54 < sipa> which really sounds like an OS cache level issue
18:54 < warren> I need a mavericks machine to try it
18:54 < warren> my only mac is Litecoin's "build server"
18:54 < warren> (an old macbook with a shattered screen in a data center)
18:55 < warren> runs 10.6.8 to match Gavin's build environment for releases
18:56 < Emcy> so you just ship them stuff like that and they'll put it in a rack for you?
18:56 < warren> Emcy: people owe me big favors
19:00 < warren> theymos: sigh, it's hard to get dev things to be voted up
19:01 < theymos> It's doing pretty well.
19:01 < warren> it is?
19:01 < warren> will 8 votes get it on the front page?
19:02 < theymos> It has several votes more than its neighbors in /new. It might eventually make the front page.
19:14 < petertodd> warren: best time to get a story upvoted is to post it in the early morning in the US
19:19 < petertodd> sipa: see, what you need is an algorithm where you take the longest block header chain, and make downloading the next block to extend your block chain towards that best header tip have the highest QoS. Of course, normal networking practice is completely unable to do that. :(
19:20 < petertodd> sipa: which makes me think just fetching roughly simultaneously is by far the simplest, and provided block interval >> block fetch + validate time it'll be alright even if not ideal
19:20 < petertodd> sipa: doesn't really look to me like we can optimize this one without risking ugly edge cases.
19:21 < warren> theymos: inappropriate to temporarily sticky something like that?
19:21 < adam3us> petertodd: what about making it so you don't know the block hash until you get the block
19:21 < petertodd> adam3us: we're talking about a scenario where block headers are distributed separately from blocks
19:21 < theymos> warren: Yeah, I think so. Stickies are really only for super-emergencies IMO.
19:21 < adam3us> petertodd: yes so then don't do that :)
19:22 < warren> theymos: screwing over all mac users for months seems like a slow motion train wreck...
19:22 < sipa> petertodd: agreed
19:22 < petertodd> adam3us: it's for sipa's headers first code - maybe what it does suggest is that the headers first be only allowed to be used for the initial block download...
19:23 < petertodd> IE, if you receive a header on a header, you just ignore it.
19:23 < adam3us> sipa: the aim is to reduce propagation delay?
19:23 < warren> theymos: likely holding back bitcoin, as well as weakening the network.   we've had a drop in listening nodes.
19:23 < petertodd> adam3us: make initial block download (and catching up) faster
19:23 < sipa> adam3us: that wasn't the original intent
19:24 < sipa> the nicest advantage imho is not needing checkpoints anymore
19:24 < petertodd> adam3us: also, for pruning where not everyone has all blocks
19:24 < petertodd> yeah, !checkpoints is good too
19:24 < sipa> but also harder to break
19:24 < sipa> and simplifying parallel block download
19:25 < sipa> petertodd: my former attempt used the rule that block download was only delayed in case we know we're not yet caught up
19:25 < adam3us> sipa, petertodd: if there is an attack with current blocks, maybe don't do it for the most recent 6
19:25 < petertodd> sipa: btw, you realize that in this circumstance, you actually still want *a* checkpoint, but in the form of "we know that there exists a block header at height foo with total work bar, therefore don't accept anything worse than that"
19:26 < sipa> yup
19:27 < petertodd> sipa: makes sense. The code right now basically downloads all blocks that extend tip simultaneously IIRC.
19:27 < gmaxwell> petertodd: yes, but it could be a pure difficulty "checkpoint"
19:27 < petertodd> gmaxwell: oh right, it is total work and nothing else
19:27 < sipa> there's also a "fill memory with silly low-difficulty headers" attack
19:27 < sipa> which checkpoints are still useful for
19:28 < petertodd> sipa: or commit-and-choose
19:28 < petertodd> *interactive commit and choose
19:28 < gmaxwell> sipa: I still think at some point we should do the world's safest hardfork and increase the minimum difficulty to a million or something.
19:29 < warren> what for?
19:31 < petertodd> heh, well the fastest the difficulty can drop to 1 again is 104 weeks...
19:32 < petertodd> 30 weeks to 1 million
19:32 < gmaxwell> warren: because it makes avoiding a bunch of stupid dos attacks easier.
19:33 < sipa> petertodd: i get 51 days
19:33 < gmaxwell> and it's indistinguishable unless difficulty somehow falls to that, ... which it couldn't do without leaving the network insecure in any case.
19:33 < sipa> ugh
19:33 < sipa> never mind
19:33 < petertodd> sipa: diff_now/4^(2*4*weeks) == diff_future
19:34 < petertodd> sipa: don't forget the *4
19:34 < sipa> never mind, i assumed it could drop a factor 4 every 3.5 days rather than 8 weeks
19:34 < petertodd> sipa: er, I mean (weeks/(2*4))
19:34 < petertodd> sipa: lol
19:35 < sipa> the fastest it could get from 1 to today's diff, is 51 days
19:35 < warren> gmaxwell: would testnet remain as is?
19:35 < gmaxwell> warren: sure.
19:36 < gmaxwell> It's not a serious proposal right now, but I think we should do something like that someday.
19:36 < gmaxwell> perhaps after the hashrate stabilizes again.
19:36 < warren> will that ever happen?
19:36 < gmaxwell> it should
19:39 < petertodd> gmaxwell: definitely be a reasonable thing for a SPV implementation to do
19:45 < warren> Luke-Jr: ping
19:56 < warren> Luke-Jr: you earlier mentioned 25 BTC were donated toward the deterministic linux -> mac cross compile goal.  Is that still available?
19:56 < warren> cfields now has time to focus on that.
20:13 < Luke-Jr> warren: if that's what I said before, then it should be, yes
21:41 < warren> I'm not sure why people downvoted the bounty thread.
22:01 < Luke-Jr> warren: trolls will downvote anything
22:01 < Luke-Jr> reddit seems to be nearly as bad as BCT
22:59 < Emcy> Luke-Jr what weird character is your bot using
22:59 < Luke-Jr> Emcy: which one do you consider weird?
22:59 < Emcy> some of the numbers in the tbc section are fucked up
22:59 < Emcy> is it just me
22:59 < warren> Emcy: it's just you.
22:59 < Luke-Jr> Emcy: do you have a tonal font?
23:00 < Luke-Jr> TBC only makes sense with tonal fonts
23:00 < Emcy> troll level elevated
23:01 < Emcy> http://imgur.com/eyGmhsx
23:01 < Emcy> supposed to be just numbers right
23:03 < Luke-Jr> http://luke.dashjr.org/tmp/screenshots/snapshot113.png
23:04 < Emcy> are you serious
23:05 < Emcy> what are those characters supposed to be
23:05 < Emcy> gah tonal strikes again
23:06 < Luke-Jr> http://books.google.com/books?id=aNYGAAAAYAAJ&pg=PA15#v=onepage&q&f=false
23:08 < Emcy> thats mental. someone actually made a font for it
23:08 < Emcy> surely most people cant even see them though
23:09 < Luke-Jr> there are multiple fonts with tonal support
23:09 < Luke-Jr> http://eligius.st/~gateway/products/block-erupter-sapphire
23:10 < Luke-Jr> webpages can use webfonts to solve lack of widespread font support at least :D
23:11 < Emcy> what the hell is an effect
23:12 < Luke-Jr> http://books.google.com/books?id=aNYGAAAAYAAJ&pg=PA38#v=onepage&q&f=false
23:15 < wizkid057> ?!
23:16 < Emcy> hopefully they can define a kilogramme from some sort of fundamental constant someday soon
23:17 < Emcy> then we can put all this stuff to bed once and for all
23:17 < Luke-Jr> Emcy: pfft, SI is lame
23:18 < Emcy> it may or may not be but it works
23:18 < Emcy> christ it's only been 45 odd years since they decimalised money
23:19 < Emcy> ive got a couple of shillings and tuppences in a drawer somewhere......
23:19 < warren> Luke-Jr: we're still willing to make tonal default in Litecoin if you join us.
23:19 < Emcy> next up, decimal time (somehow)
23:20 < Emcy> well that probably won't happen since it's based off radians for a good reason
23:20 < Luke-Jr> warren: REALLY?
23:20 < phantomcircuit> Luke-Jr, i think he's just messing with you
23:20 < Luke-Jr> Emcy: SI tried decimal time originally
23:20 < warren> phantomcircuit: maybe
23:20 < Luke-Jr> Emcy: even with all their force and threats, they couldn't make people adopt that
23:20 < Emcy> whose force and threats
23:20 < Luke-Jr> Emcy: that's how SI got adopted at all
23:21 < Emcy> did the empire spread it?
23:21 < Luke-Jr> go read up about the "metric martyrs"
23:21 < Luke-Jr> people who were put in jail for refusing to adopt it
23:21 < Luke-Jr> I think there are still some today even
23:22 < Emcy> hm
23:22 < Luke-Jr> SI has never been adopted by free choice
23:23 < Emcy> https://en.wikipedia.org/wiki/Swatch_Internet_Time
23:25  * Luke-Jr sticks with good old tonal time
23:25 < Emcy> the EU mumbled something about banning the pint from sale in the UK once. There was a good uproarious shitstorm about that.
05:52 < Luke-Jr> I saw my clock, saw the time, assumed I must have been hacked and my clock screwed with, finished locking down, and then realised.. it really *is* almost time for people to wake up
05:52 < Luke-Jr> x.x
05:53 < Luke-Jr> guess I should go to bed
06:06 < Emcy> does sunlight burn you?
06:07 < Emcy> does me, somewhat. My eyes.
07:26 < michagogo|cloud> 01:00:11 <phantomcircuit> im gonna order a bunch of flash drives with the blockchain + bitcoin-qt loaded on them
07:26 < michagogo|cloud> 01:00:25 <phantomcircuit> and include a nice little script to start with -loadblocks
07:26 < michagogo|cloud> Erm, why -loadblocks? Just call the file bootstrap.dat and shove it in the datadir.
09:03 < TD> there is now a #bitcoinj IRC channel
12:07 < BlueMatt> hmmm...strange spike in the number of nodes which are coming back to dnsseed with a block count too low to be included...any guesses?
12:08 < BlueMatt> I say spike, I mean restarted on a different server and now getting a serious count for LOW_BLOCK_COUNT, which I haven't seen very much in the past
12:09 < gmaxwell> BlueMatt: just new nodes being brought up.
12:09 < BlueMatt> ahhh, seems reasonable
12:09 < BlueMatt> lets see how many convert to GOOD
12:15 < TD> BlueMatt: see here: http://getaddr.bitnodes.io/chart/nodes/?category=v
12:15 < TD> huge spike lately. not sure what's going on there. but presumably related to the press cycle
12:15 < TD> i hope the people running bitcoin-qt understand what they're getting in for ....
12:41 < phantomcircuit> TD, im not sure that's accurate
12:41 < phantomcircuit> TD, that number is based on the number of connections to the nodes controlled by bitnodes.io
12:41 < phantomcircuit> it's entirely possible that someone is just fucking with them
13:02 < petertodd> phantomcircuit: bandwidth usage on my EC2 node went to 100%, so I turned it off given that costs money...
13:03 < petertodd> phantomcircuit: obviously a lot of new nodes coming up
13:03 < phantomcircuit> heh
13:41 < cfields> so ehm, is anyone else noticing a bunch of unreachable websites today?
13:42 < cfields> probably just local, but i can't get to a bunch of sites I need for dev today :\
13:43 < cfields> http://www.downforeveryoneorjustme.com/packages.ubuntu.com
13:44 < cfields> http://www.downforeveryoneorjustme.com/trac.macports.org
13:44 < cfields> so.. not just me
13:52 < BlueMatt> TD[away]/gmaxwell: yea, I see +- 1/3 of all nodes that are connectable have LOW_BLOCK_COUNT
13:52 < gmaxwell> thats about right.
13:52 < gmaxwell> actually a bit low, ... must mean they're catching up.
13:52 < gmaxwell> (I'm saying it's right on the basis of the bitnodes.io growth)
13:53 < gmaxwell> went from about 5000 to about 11000.
13:53 < BlueMatt> yea, could also be that the seeder is still bootstrapping and the newest nodes may not have propagated as far in addr messages
13:53 < BlueMatt> though that seems unlikely, I'd have to reread the addr code
14:00 < phantomcircuit> uhh
14:00 < phantomcircuit> i have a node with 70 open connections
14:01 < gmaxwell> warren: I guess IsStandard is enforced on litecoin?
14:01 < phantomcircuit> im pretty sure i started this yesterday too
14:01 < phantomcircuit> yeah i did
14:01 < phantomcircuit> that's probably not good
14:02 < gmaxwell> warren: I was contemplating setting up a coinswap based decentralized bitcoin/ltc trade script. but it will need hash and sig locked transactions made IsStandard on both chains.
14:03 < petertodd> gmaxwell: namecoin doesn't enforce IsStandard
14:04 < gmaxwell> petertodd: namecoin doesn't have the raw transactions api, so a bunch more coding. :(
14:07 < petertodd> gmaxwell: yeah, if you're not using a library like python-bitcoinlib that's an issue
14:08 < gmaxwell> even to use that, I'd have to make it fully support namecoin, .. vs in bitcoind I can getrawtransaction to do all the block exploring needed to confirm the txn went through.
14:09 < petertodd> gmaxwell: well, the block structure is the same, so provided you can get raw blocks you'd be good
14:09 < petertodd> gmaxwell: heck, read them directly off the blockdata file
14:09 < gmaxwell> petertodd: hm, I would have assumed the MM would goof that up.
14:09 < petertodd> gmaxwell: true, I've never actually looked into how that works... probably not hard to deal with though
14:10 < petertodd> gmaxwell: or... trade BTC and testnet BTC :P
14:10 < gmaxwell> I could ... hah jinx
14:10 < gmaxwell> well.. hm. it's not isstandard in bitcoin yet either.
14:11 < petertodd> gmaxwell: sure, but eligius
14:11 < petertodd> no other coin has a miner like that
14:11 < wizkid057> what'd I do now? :P
14:11 < petertodd> wizkid057: you've been useful
14:12 < gmaxwell> you'll mine non-standard txn.
14:12 < wizkid057> gmaxwell: namecoin-qt has the *rawtransaction RPC stuff
14:12 < phantomcircuit> wizkid057, is there a namecoin version that actually works?
14:12 < wizkid057> phantomcircuit: seems so, I compiled the latest namecoin-qt and it seems to work fine
14:14 < wizkid057> if you mean that actually works as far as fixing that bug that totally breaks what makes namecoin namecoin, then I don't think so.  Not until the hard fork at block 150k
14:14 < petertodd> wizkid057: didn't they implement it as a soft-fork?
14:15 < petertodd> wizkid057: not that it's terribly relevant given no-one actually uses namecoin almost...
14:15 < wizkid057> petertodd: I think the now to hardfork at 150k fix is in place which is a soft fork of sorts
14:15 < gmaxwell> I think it must be a hardfork, as they're fixing the stolen names.
14:15 < wizkid057> but needs a hard fork to fix
14:15 < wizkid057> since someone could mine a block with an exploiting txn til then
14:16 < petertodd> gmaxwell: ah, yeah you're right
14:16 < wizkid057> gmaxwell: how are they doing that, actually? I didn't read enough into it
14:16 < wizkid057> i know they're blocking the exploit with the hardfork, but I didn't know about fixing the damage
14:18 < petertodd> wizkid057: yeah, just blocking would be a softfork, fixing is the hardfork
14:18 < gmaxwell> I can only guess they'll reindex the chain and ignore the invalid spends.
14:24 < midnightmagic> I use namecoin. :)
14:25 < midnightmagic> The current fix ignores bad outputs which are still legal. The hardfork will correct it so the bad outputs aren't allowed in the blockchain anymore.
14:25 < midnightmagic> But namecoin is ultimately prunable, so, we can just put it off.
14:26 < midnightmagic> The exploiting txn can be mined but it is ignored. That's why d/wav doesn't have "ha ha I stole your domain in it" right now.
14:28 < midnightmagic> I guess as long as people are there to fix it, and the issue is corrected, even with a hardfork, it turns out killing a coin isn't just a question of releasing an exploit.
14:30 < sipa> is namecoin prunable? i always heard it wasn't
14:36 < petertodd> sipa: nope
14:36 < midnightmagic> There's lots of dead-end data and expired names which are prunable.
14:37 < midnightmagic> Coins are actually destroyed in the process of registering names.
14:37 < petertodd> Well, I should clarify, I mean usefully prunable w/ non-full-node proof; you're right I'm not using my terms correctly.
14:38 < petertodd> bbl
14:38 < gmaxwell> midnightmagic: does that mean it will someday run out of coins and be unusable?
14:38 < midnightmagic> gmaxwell: Yep.
14:38 < midnightmagic> gmaxwell: Procrastination saves us from worrying about that.
14:39 < midnightmagic> well. that and the stupid cheap names that that dork vince left us with.
14:39 < midnightmagic> (term used affectionately)
14:40 < gmaxwell> midnightmagic: I dunno if you noticed but nmc surged on btc-e for some reason.
14:42 < midnightmagic> i didn't notice, I don't sell my names. I calculated how long I have before I can't maintain my own name registrations anymore and selling them is out of the question.
14:42 < midnightmagic> er.. *coins
14:48 < phantomcircuit> gmaxwell, against BTC or against USD?
14:48 < phantomcircuit> they have both markets
14:48 < gmaxwell> phantomcircuit: both.
14:48 < phantomcircuit> i've actually seen it before that there was an arbitrage opportunity between the three all on btc-e
14:48 < phantomcircuit> which is bizarre
14:49 < jtimon> I thought the registering destruction of coins ended after some time...
15:37 < midnightmagic> jtimon: No, names will never be free. Only some things.
15:38 < jtimon> I'm not saying that names will be free, but I thought at some point you just paid to miners instead of destroying the coins
15:40 < jtimon> http://dot-bit.org/FAQ#How_much_does_it_cost_to_register_a_domain_.28a.k.a._a_name.29.3F
15:43 < jtimon> hmm, name_new appears to cost 0.01 NMC at any block height...
16:09 < midnightmagic> jtimon: Lemme double-check. Something went free lately..
16:10 < gmaxwell> first update
16:21 < midnightmagic> My mistake. Sorry about that. Looks like GetNetworkFee() is free now. I keep forgetting that. I don't think we're destroying coins anymore.
16:22 < midnightmagic> We're past this point: if ((nHeight >> 13) >= 60) { return 0; }
16:24 < midnightmagic> jtimon: So all that's left is paying miners, you are correct.
16:24  * midnightmagic gets there eventually.
16:25 < jtimon> thanks for checking it midnightmagic
16:52 < warren> gmaxwell: IsStandard is the same as bitcoin 0.8.5 except we disabled IsDust
16:53 < warren> wow.  bitcoin-qt.exe worked in wine on mac too.
17:07 < sipa> warren: you should test whether it also causes corruption :p
17:13 < Luke-Jr> anyone here with some free time? :x
17:18 < sipa> unlikely!
17:18 < jgarzik> :)
17:18 < K1773R> Luke-Jr: is there a faucet for free time or can it be mined?
17:20 < jgarzik> The only way to create new free time, bending the space-time continuum, is to stumble across an enormous distraction when multiple separate deadlines are looming.
17:20 < jgarzik> like a bear in a lambourghini
17:21 < warren> sipa: it doesn't corrupt with native mac on 10.6.8 AFAICT
17:22 < K1773R> jgarzik: lol
12:50 < realazthat> its actually sig(P,R), with R being the result
12:50 < petertodd> ah, as in SCIP is the project that gives you the tools to easily write SNARK circuits?
12:50 < realazthat> programs
12:50 < petertodd> hiding it all behind a VM model?
12:50 < realazthat> yeah
12:50 < realazthat> yes
12:51 < realazthat> the circuits would be huge though; it is programs
12:51 < realazthat> but they are time bound
12:51 < petertodd> whereas for Bitcoin stuff, it may be worth it to figure out an optimal SNARK circuit directly? (at the cost of maintainability)
12:51 < realazthat> mmm I dunno about that
12:51 < realazthat> er
12:52 < realazthat> emphasis on circuit? or emphasis on optimal, ie custom VM assembly
12:52 < realazthat> yes, to latter
12:52 < realazthat> dunno about former
12:52 < petertodd> I see, circuit is just way too low-level then. So the stuff about merkle trees, basically you'd just extend that vm with some operations that act on them directly, closer to the underlying SNARK model?
12:53 < realazthat> gmaxwell was saying that the compiler is great for bootstrapping a program to tinyram (name of the vm/virtual architecture), but you'd hand-code it for best results
12:53 < realazthat> I dunno
12:53 < realazthat> no, I think you can still use it in a blackbox manner
12:53 < realazthat> on the merkle trees
12:53 < realazthat> I can give an example
12:53 < petertodd> I'm interested
12:53 < realazthat> I had this idea, I proposed it to eli, he responded that it was called "bootstrapping" and was in another paper
12:53 < realazthat> so, one huge problem
12:54 < realazthat> is that although it is succinct, Alice must take T(P) time to generate/compile the program
12:54 < realazthat> which is pretty dumb for verifying a blockchain
12:54 < petertodd> T(P) == polynomial time?
12:54 < realazthat> because, Alice wants Bob to verify the blockchain, so she must spend T(P) time to generate the program and then Bob runs it in T(P) time
12:54 < realazthat> time of program
12:55 < realazthat> P is program
12:55 < realazthat> sorry
12:55 < realazthat> so the program P runs in T(P) time
12:55 < realazthat> Alice must take T(P) time to generate/compile the program
12:55 < realazthat> this is undesirable
12:55 < petertodd> ah I see, so Alice is spending as much time compiling the program as it would take to run basically?
12:55 < realazthat> right
12:55 < realazthat> so there are several easy solutions
12:55 < realazthat> you can do it once
12:55 < realazthat> and it can be reused
12:56 < realazthat> by everyone
12:56 < realazthat> so my idea was, to do it so that it does a sqrt(|B|) of the blockchain (B == blockchain)
12:56 < realazthat> then alice spends sqrt(T(P)) to generate P'
12:56 < realazthat> P' runs on a sqrt(|B|) of the blockchain
12:56 < realazthat> and,
12:56 < realazthat> Bob runs P' sqrt(|B|) times
12:57 < realazthat> so that is essentially called bootstrapping
12:57 < petertodd> what do you mean by "does a sqrt(|B|)" of the blockchain?
12:57 < realazthat> it can be possibly be done generically to any P
12:57 < realazthat> petertodd: lets say there are 100 blocks
12:57 < realazthat> P will verify 0-24
12:57 < realazthat> er
12:58 < realazthat> P' will do that rather
12:58 < realazthat> or
12:58 < realazthat> 0-10
12:58 < realazthat> w/e
12:58 < realazthat> it breaks it down
12:58 < realazthat> and Bob runs P' 10 times
12:58 < realazthat> and covers the whole chain
12:58 < realazthat> now Bob can return all the sigs
12:58 < realazthat> and input/outputs
12:58 < petertodd> right, so we've distributed the problem across multiple people
12:58 < realazthat> and thus P' is chained into P
12:58 < realazthat> well thats also possible
12:59 < realazthat> but now I am thinking just one person
12:59 < realazthat> alice and bob
12:59 < realazthat> bob will verify the blockchain in 10 sized pieces
12:59 < realazthat> then return all the sigs, inputs, outputs
12:59 < realazthat> which can be verified
12:59 < realazthat> ie.
12:59 < realazthat> P'(10,20) will verify everything from 10 to 20
13:00 < petertodd> ok, so basically because the program takes polynomial time to run, you're best off running it on a smaller dataset?
13:00 < realazthat> no
13:00 < realazthat> the reason you are better running it on a smaller dataset
13:00 < realazthat> is because the T(P) sent to Bob takes T(P) time to generate
13:00 < realazthat> now alice only needs to spend sqrt(T(P)) time to generate it
13:01 < realazthat> yet it still takes Bob ~ T(P) time to run (by breaking it down and running it on separate pieces)
13:01 < petertodd> oh, I see now, so generating the *program* has taken us less time
13:01 < realazthat> yep
13:01 < petertodd> now I get it
13:01 < realazthat> additionally
13:01 < petertodd> so it's a time/proof-size trade-off basically
13:01 < realazthat> we can remove more tradeoff
13:01 < realazthat> instead of sending the many sigs back to alice
13:01 < realazthat> she can send over a sig-verification function
13:02 < realazthat> and ask *Bob* to run the verification
13:02 < realazthat> and just get proof that the verification runs
13:02 < petertodd> yup, and return a sig proving he did so honestly
13:02 < realazthat> so now there is not a lot of communication
13:02 < realazthat> so,
13:02 < realazthat> I told you all this
13:02 < realazthat> because now you can start understanding how it would work with merkle trees
13:02 < realazthat> its very similar I think
13:02 < petertodd> right, that's totally a merkle tree
13:03 < realazthat> you just need to verify the merkle tree works
13:03 < realazthat> not that I understand the applications of that all that well
13:03 < petertodd> interesting
13:03 < realazthat> but anyway, it is improvable upon what eli is doing now; possibly in a blackbox manner
13:03 < realazthat> this is my q to eli
13:03 < realazthat> Q: Why can't a simple 1-level recursion reduce Alice's required generation time? That is, Alice verifies a verification function was run on chained runs of a smaller task, which sum up to P? I think this can get the generation time to sqrt(T(P)). And possibly lower, if it is done with more levels of recursion.
13:03 < petertodd> and my understanding is they'll be able to make the protocol non-interactive with zero-trust in the future? IE right now my understanding is Alice needs to generate the program herself because the person doing so can cheat
13:04 < realazthat> eli: Good idea, this is known as "bootstrapping" but getting it right is far from trivial. There are a few works on the topic, such as by Paul Valiant (titled "incrementally verifiable computation"), and by Chiesa and Tromer (called "Proof carrying data and hearsay arguments") and more recently by them+Bitansky, Canetti, titled Recursive composition and bootstrapping for SNARKS and proof-carrying data.
13:04 < realazthat> mmm I know stage 1 has several undesirable properties
13:04 < realazthat> stage 2 is the sweet spot, except for alice's generation time
13:05 < petertodd> right, although, in that case alice can be the person offering up the proof right?
13:05 < realazthat> I don't remember all the undesirable properties of stage 1
13:05 < petertodd> like, I'd want you to be able to publish a proof, and I guess the program to verify that proof, showing the sacrifices were valid and formed a proper chain
13:06 < petertodd> running that proof will need to be done relatively frequently
13:06 < realazthat> ah yeah, you can basically verify anything on someone else's computer, without revealing anything with this
13:06 < realazthat> so it has many many possible applications
13:06 < petertodd> yeah, although in this case, none of the data is secret, it's just too bulk to pass around
13:06 < realazthat> yes
13:06 < realazthat> two uses
13:06 < realazthat> SNARK has a use even if it is slow on large computation
13:06 < realazthat> that it is a zero knowledge proof
13:07 < realazthat> but SCIP makes it somewhat reachably practical to do it for offloading work
13:07 < petertodd> yeah, the latter is probably more useful to bitcoin in general
13:07 < realazthat> yes
13:07 < gmaxwell> I think the offloading work cases are a bit dreaming right now.
13:07 < realazthat> hehe
13:07 < realazthat> well PoW doesn't really need it to be fast
13:08 < realazthat> so for that "offloading" it is ok
13:08 < petertodd> not many applications can trade-off a million bucks of EC2 time for less bandwidth...
13:08 < realazthat> but for some computing-market, or chain validation, then yes
13:08 < petertodd> oh... so make the SCIP computation the PoW... nice
13:08 < realazthat> yes, maybe :D
13:08 < realazthat> you can use any program this way
13:08 < realazthat> like ... something useful
13:09 < petertodd> that has so many levels of magic stacked up.... I don't think I'd trust it...
13:09 < petertodd> but it's a nice dream
13:09 < realazthat> lol
13:09 < realazthat> well if it can be done, someone's gotta do it
13:09 < realazthat> and it is just too cool
13:09 < petertodd> Always a bad thing when the security of your system depends on brand-new technology staying slow...
13:09 < realazthat> not to do :D
13:09 < gmaxwell> realazthat: verifying the pow does need to be fast... as its our hashcash anti-DOS tech. :)
13:09 < realazthat> petertodd: nah, it can be adjusted
13:09 < realazthat> mmm
13:09 < petertodd> realazthat: yes, but only if the technique to make it blazingly fast is public
13:10 < realazthat> gmaxwell: yes, thats a constants/practical matter
13:10  * realazthat so wants to get hands on codes now
13:10 < petertodd> heh, maybe it's best I don't get that code so I actually get some real work done
13:10 < realazthat> lol
13:11 < realazthat> Is there a guarantee that there is no way to generate a signature if a correct answer is otherwise found in a quicker manner than running `P`, the original program, via running `Q` instead?
13:11 < realazthat> (asked to eli)
21:05 < amiller> and if we figure out how to make fees that encourage good behavior of the utxo, then you might as well figure out how to do it for arbitrary indexes
21:05 < petertodd> I'd suggest writing some example tx's to get a feel for what makes sense - I posted one to bitcoin-dev recently actually
21:06 < amiller> just think of the whole thing as a pay-per-use key-value-store and it's a little simpler imo.
21:06 < petertodd> well, sounds like you're getting away from something that's arguably bitcoin
21:06 < petertodd> at least my opcode ideas just feel like new opcodes
21:08 < amiller> sure, i'm just saying why not include an op_fetchfalue(keylen,key) that takes basically an arbitrary string
21:09 < amiller> then you can have blockhash:restofthekey and utxo:restofthekey as special cases of just one opcode
21:09 < amiller> maybe op_rangesearch lets you automatically sweep txes or something
21:09 < petertodd> ah right - think about how you'd encode this stuff though, we want efficiency for common cases
21:09 < amiller> well you could optimistically cache at the client support keys
21:09 < amiller> if it all goes in a leveldb it hardly makes a difference
21:10 < amiller> by 'support keys' i mean likely-to-be-used-standard prefixes
21:10 < petertodd> sounds like a worst-base-avg-case-best-case attack waiting to happen
21:10 < amiller> wat
21:10 < amiller> rephrase?
21:11 < petertodd> IE, caching anything makes the worst-case different than avg and best cases
21:11 < petertodd> for security having everything the same speed is much preferable in a consensus system like bitcoin; performance can break consensus
21:12 < amiller> ok well your leveldb already caches utxos so that's present anyway
21:12 < petertodd> sure, which IMO is kinda scary
21:12 < amiller> nothing about using one opcode and key prefixes really changes that
21:12 < petertodd> hmm...
21:12 < amiller> i think you're stuck with that anyway which is one reason to think in terms of the more general case
21:12 < petertodd> well, in any case, write up an example tx for arguments sake
21:12 < amiller> k
21:13 < petertodd> amiller: here is one I did http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02602.html
21:13 < amiller> i think i currently have two items on my "Write an example tx script or shut up" stack
21:13 < petertodd> ha
21:13 < petertodd> it was written as a semi-joke, although jdillon pointed out it actually worked, cheeky bastard
21:17 < amiller> ahh that's really cool
21:17 < amiller> you basically implement merkle tree traversal using the stack script
21:17 < petertodd> yes!
21:18 < petertodd> although read jdillon's reply, turns out it's not needed at all
21:18 < amiller> it has dup and hash and concatenate so it's actually straightforward to do that despite barely having support for anything else
21:18 < petertodd> crazy isn't it?
21:18 < amiller> yeah.
21:18 < petertodd> like, if we hadn't removed those damn opcodes, you actually could do a bunch of nifty stuff...
21:19 < amiller> yeah
21:20 < petertodd> speaking of, I figured out how you could have used codeseparator to delegate tx signing after the fact
21:20 < amiller> i wonder if traversing hash graphs in code was a main example underlying this script language actually
21:20 < petertodd> well, almost...
21:20 < petertodd> could very well be, on the other hand, could also just be satoshi quickly added a bunch of froth opcodes at the last minute figuring "why not?"
21:22 < amiller> we could probably implement an updateable tree/trie over this pretty easily
21:23 < petertodd> oh yeah?
21:23 < amiller> yeah updates aren't any harder than what you've written
21:23 < amiller> you just rehash on the way back up
21:23 < amiller> when you get back up to the top, you have a new root digest
21:23 < amiller> if you have enough reflection capability that you can place the new root digest in the txout
21:24 < amiller> you can basically make a bitcoin-script-quine
21:24 < amiller> like you could spend a txout with restrictions on how it could be spent later that way by making it propagate its own scripthash basically too
21:24 < petertodd> ah right, as in how I'm controlling the next script
21:24 < petertodd> I was going to reply to jdillon that a nice scheme would be to just have an index, and update it with +1 for each subsequent spend
21:25 < amiller> let me try to understand how you refer to txin and txout in the current tx
21:26 < amiller> GET-TXOUT-SCRIPT and GET-TXOUT-VALUE basically hm
21:26 < petertodd> yeah, semi place-holders there
21:26 < amiller> and GET-THIS-SCRIPT for that matter
21:26 < amiller> well hm.
21:26 < petertodd> I mainly wanted to get the use-case down, and explore what uses for that, before committing to what it would actually be
21:27 < amiller> so if you have EVAL
21:27 < amiller> unfortunately i think you almost-unavoidably have an infinite loop
21:27 < amiller> however if you just take a hash of the GET-TXOUT-SCRIPT without executing it it's probably ok
21:28 < amiller> do you think you'd support, like, iterating over all the txouts?
21:28 < amiller> your example references exactly the 0th one
21:28 < petertodd> Ah, I was talking about relative addressing though
21:28 < amiller> oh i see
21:28 < petertodd> I'm not even sure how to do iteration properly, or if we want to do it at all - people do like static eval.
21:29 < amiller> yeah.
21:30  * amiller stops worrying and learns to love the stack machine
21:30 < amiller> you know stacks might be the right shape of that computing model i desire
21:31 < amiller> stacks themselves are easy to merkleize and compose
21:31 < petertodd> yeah
21:31 < petertodd> oh, did I ever show you my merkle mountain range idea? IMO the most intuitive way to do an incremental merkle tree
21:31 < amiller> there's this theoretical programming language called Call-By-Push-Value lambda calculus that has stack semantics but i haven't understood it too well
21:31 < amiller> petertodd, yeah we chatted about that a bit, i have a similar idea
21:32 < petertodd> ah good, glad to see it's something people come up with naturally
21:32 < petertodd> It's pretty similar to merkle skip lists in many ways, but it's just so simple and easy to describe compared to it.
21:32 < amiller> i think the last time we mentioned it i tried to convince you it leads to a really efficient work-sampling procedure for spv clients
21:32 < petertodd> yeah
21:32 < amiller> you only need to look at the peaks of the mountain range
21:33 < amiller> the high quality information is up there with the snowflakes
21:33 < petertodd> that's one version, my one was actually more the random sampling version
21:33 < petertodd> remember there's nothing inherently special about mountain range peaks, except in the summation version
21:33 < amiller> petertodd, yeah there's nothing special about the selection condition actually being zeros
21:33 < amiller> they're equivalent
21:34 < petertodd> ah, I think you're talking about something different then
21:34 < amiller> maybe.
21:34 < petertodd> merkle mountain ranges was just the way of essentially combining multiple perfect merkle trees into one commitment
21:34 < petertodd> as the number of root digests grows, the trees merge
--- Log closed Fri Aug 02 00:00:44 2013
--- Log opened Fri Aug 02 00:00:44 2013
--- Log closed Sat Aug 03 00:00:47 2013
--- Log opened Sat Aug 03 00:00:47 2013
--- Log closed Sun Aug 04 00:00:52 2013
--- Log opened Sun Aug 04 00:00:52 2013
--- Log closed Mon Aug 05 00:00:56 2013
--- Log opened Mon Aug 05 00:00:56 2013
--- Log closed Tue Aug 06 00:00:01 2013
--- Log opened Tue Aug 06 00:00:01 2013
--- Log closed Wed Aug 07 00:00:07 2013
--- Log opened Wed Aug 07 00:00:07 2013
17:17 < amiller> i think i'm narrowing in on a composition rule for bitcoin
17:17 < amiller> this is basically an all new idea
17:18 < amiller> the most exciting part is that it seems to be an approach for having smaller networks that are secure in a different way, that compose to form a larger global network like bitcoin
17:18 < amiller> by "secure in a different way", I mean in particular secure against a *distant* attacker
17:19 < amiller> bitcoin's security model is the special case at the global extreme, where the attacker is assumed to be bounded only in power, but not bounded in proximity
17:21 < amiller> suppose you have a small local subnetwork
17:21 < amiller> and your attacker, e.g., lukedashjr, is far more powerful than you, but further away
17:22 < amiller> it's feasible you can achieve some notion of security, in otherwise the same setting as bitcoin (no PKI or trusted administrator etc)
17:23 < amiller> the approach is basically to have a best-chain-selection rule that includes *total interaction* and not just *total work*
17:24 < amiller> the massive remote mining farm can out-compute you, but it can't "out-interact" you
--- Log closed Wed Aug 07 17:25:40 2013
--- Log opened Wed Aug 07 17:25:44 2013
17:30 < gmaxwell> amiller: hm. this is starting to sound vaguely like how the darknet DHTs (cjdns, freenet) achieve security against sybils.
17:32 < gmaxwell> (a computationally unbounded attacker can produce identifiers whereever they want in keyspace to pollute the keyspace, but that only lets them blackhole nodes near them on the darknet topology)
17:34 < amiller> i don't think i understand what "on the darknet topology" means
17:34 < amiller> i think i understand cjdns pretty well, better than i understand freenet, but i could have easily just disregarded this approach to sybil defense if i wasn't looking for it
17:35 < amiller> is the darknet topology formed using latency somehow, or by friendnetting?
17:36 < gmaxwell> friendnetting.
17:36 < amiller> ahh.
17:36 < amiller> ok
17:37 < amiller> well what i'm talking about today is not friendnet, it's basically the same setting as bitcoin where you just have a general broadcast diffuser thing and no idea who's around you
09:10 < brisque> not long in both directions, probably about 30 seconds before being touchable/untouchable
09:11 < michagogo|cloud> I wish I hadn't lost my infrared thermometer
09:12 < brisque> one of those things that I've always wanted, but never had a reasonable excuse to purchase
09:12 < brisque> a FLIR camera would be optimal, one of the cheaper ones flashed with the $8000 ones firmware.
09:14 < michagogo|cloud> brisque: I don't actually remember buying it
09:15 < michagogo|cloud> I think it was in a bag of stuff that my family had ordered online to be delivered to my grandparents in the US, since they were coming to visit us
09:16 < brisque> michagogo|cloud: I swear I've never bought kitchen towels either, but there they are.
09:17 < michagogo|cloud> Nobody knew who it was for, so we ended up just asking "who wants it?"
09:23 < brisque> michagogo|cloud: contact thermometer says 61, but it's probably higher
09:24 < brisque> yes.
09:26 < brisque> seems to top out at 68 (154F), but I don't know how accurate that is.
10:16 < michagogo|cloud> brisque: Still got your BE pointed at it?
10:16 < michagogo|cloud> I just got back
10:17 < michagogo|cloud> Just started mine going
10:33 < brisque> michagogo|cloud: one sec.
10:35 < brisque> michagogo|cloud: heh, you're actually orphaning my blocks I think. my latency to the MagicCoin server is extremely high.
10:35 < michagogo|cloud> "the MagicCoin server"?
10:36 < brisque> well, my node is on a VPS quite far from my block eruptor
10:37 < brisque> 50% of my work is being orphaned before the RPC server can catch up. I suppose that's why very high frequency altcoins have troubles.
10:41 < adam3us> brisque: OMG what have we done:D... u know someone sent me an interesting psychology article which seems to indicate that the more trouble users have achieving their objective (novice or I suppose technical also) the more they ascribe value and feel involved with the result
10:42 < adam3us> brisque: so in fact an altcoin (from coingen) may actually achieve a higher market cap by putting misleading, conflicting instructions and crufty command line, no UX, crashy software with gotchas etc so then the users have to work hard on a forum to get the thing to work period.
10:43 < brisque> adam3us: presumably there's a limit to that, a sweet spot where it's difficult enough to be rewarding to the user to get it set up, but not so difficult as to be above the heads of the target user
10:43 < adam3us> brisque: then they feel a big sense of accomplishment once they get it to actually mine foobarcoins and will be reluctant to sell for low prices i guess, and maybe they build a sense of community while they are battling the poor instructions
10:43 < adam3us> brisque: probably :)
10:44 < brisque> michagogo and I bonded by simultaneously burning fingers on moderately dangerous ASIC hardware.
10:44 < michagogo|cloud> brisque: Uh?
10:44 < brisque> michagogo|cloud: havent burnt yourself on yours yet?
10:45 < michagogo|cloud> Nope
10:45 < michagogo|cloud> Haven't touched it since plugging it in
10:45 < brisque> you're luckier than I.
10:45 < michagogo|cloud> heh
10:45 < michagogo|cloud> Also, I think I'm not orphaning *all* of your blocks
10:45 < michagogo|cloud> One just got rejected, according to bfgminer
10:45 < brisque> adam3us: that is interesting though, there's a lot of psychology going on with altcoins that I find fascinating
10:46 < brisque> michagogo|cloud: certainly, but you end up with a significantly higher proportion of hashrate due to the way I've got my network setup. we'd be even if not for my latent RPC connection.
10:46 < michagogo|cloud> Right, probably
10:47 < adam3us> brisque: dogecoin and shitcoin ... whatever you do - the users STILL mine the heck out of it! call it pyramid coin or scam coin, or dont mine this coin, i bet they'll still mine it
10:47 < michagogo|cloud> A:76 R:13
10:47 < brisque> A: 41 R: 22
10:47 < michagogo|cloud> brisque: Have you got reorgs in your debug.log, then?
10:47 < brisque> adam3us: because there's the mentality that something has got to make them rich, I suppose.
10:48 < michagogo|cloud> Balance: 2850.00 MGC
10:48 < michagogo|cloud> Immature: 3950.00 MGC
10:48 < brisque> michagogo|cloud: no, what's happening is you're outstripping me and then the getwork submission gets rejected due to the latency
10:49 < michagogo|cloud> brisque: So how come it's not A:13 R:76?
10:49 < brisque> if we were both mining with 0 latency then we'd get reorganisations presumably
10:49 < michagogo|cloud> or something?
10:49 < brisque> couldn't tell you, I'm going on my best assumptions given what I'm seeing (rejects but little if any reorganisations)
10:50 < adam3us> brisque: seems likely the motivation for almost everything except bitcoin itself which languished at < 1c value for years.  there are some coins with interesting features and actual thought.  but even amongst those its often accompanied by a mass premine or other demonstration of unsustainable greed that probably would kill the coin / share.
10:50 < michagogo|cloud> brisque: oh, of course
10:50 < michagogo|cloud> wait, no
10:50 < michagogo|cloud> nvm
10:51 < brisque> I also seem to be wasting work, my BE will get two results in a second and only one will make it into a returned block. it never got the time to get the work for the next block.
10:51 < michagogo|cloud> Interesting
10:52 < brisque> adam3us: it's possible that there's interesting thought in there, but it's outweighed by the number of people just flooding useless coins with creative names and marketing.
10:53 < adam3us> brisque: yes thats why the coingen idea is so interesting (and entertaining)... maybe it'll squelch the silly coins and leave room for actual innovation.
10:56 < brisque> adam3us: I guess we will see how it plays out. the comments on the little-too-soon post on reddit.com seem to imply that there's demand but they don't want to pay $200 for it, implying that they would like to for less cost.
10:56 < adam3us> brisque: i would say do it for $0.
10:56 < adam3us> brisque: the whole point is to get lots of alt-coins. make money by giving them a free listing on an alt-to-alt exchange.
10:56 < jgarzik> adam3us, RE "i bet they'll still mine it" -- some people who consider themselves wizards (note: they typically aren't) run bots that auto-switch across any new coin that appears, scam or not.  "scamcoin1" and "scamcoin2" are just two more entries in a bot's working list.  And In Theory(tm), the bots will notice when profitability is possible, or not.
10:57 < brisque> adam3us: I'd personally make it a small barrier, then you've proved somebody has 0.01BTC of faith in the system or whatever the value will be.
10:58 < brisque> adam3us: helps bluematt cover his server bills too, I imagine compiling lots of altcoin binaries gets boring for it after a period.
10:59 < adam3us> brisque: yeah, 0.01btc or even .001btc ought to do it.
10:59 < adam3us> brisque: you probably have to do some kind of anti-DoS or someone will script it.
11:00 < brisque> nobody would script something you have to pay for.
11:01 < adam3us> brisque: yes thats my point.  well they might if they figure their bot can script, then mine, flip on the included alt-alt exchange and repeat :)  but thats ok if it covers server bills
11:01 < brisque> I'm sure $10 a coin would be worthwhile for bluematt to churn out
11:02 < adam3us> brisque: its just cpu for some minutes.  probably with a bit of tweaking it could be incrementally compiled -- diffs isolated
11:04 < michagogo|cloud> It's not very useful in its current form
11:04 < michagogo|cloud> It kinda needs more in the way of options
11:04 < brisque> I'm sure he'll get to it.
11:05 < michagogo|cloud> brisque: I think you're getting a bunch
11:05 < michagogo|cloud> My immature balance is hovering around 3000-3500
11:05 < brisque> 14k coins matured, heh
11:06 < michagogo|cloud> If I were getting all the blocks, it'd be 5000 flat
11:06 < michagogo|cloud> or maybe 6000
11:06 < adam3us> michagogo|cloud: yeah i think it needs a premine amount choice, block interval, retarget interval, inflation/deflation choices
11:06 < brisque> I'm sure he'll be happy to add features for additional fees
11:06 < michagogo|cloud> adam3us: premine?
11:06 < adam3us> michagogo|cloud: maybe a hard fork option (like protoshares did)
11:07 < michagogo|cloud> Just mine a bunch before you release it
11:07 < brisque> michagogo|cloud: it's the hip altcoin thing. a bit of mining before the public release to make sure the owner gets rich.
11:07 < adam3us> michagogo|cloud: yeah u know mirror the choices made by various alt-coins.  some of them are hugely premined, it saves electricity
11:07 < michagogo|cloud> (also, it probably needs an option to keep it private, or at least unlisted)
11:07 < adam3us> brisque: yes but for some reason even quite large premines dont seem to discourage miners much :)
11:08 < adam3us> brisque: apparently 100% proof of stake doesnt seem to deter people either (nxt?) dont think they thought that through at all
11:09 < adam3us> brisque: oooh and exodus model.  need an exodus model.  but on an alt chain, cant spam the bitcoin block chain.  i think nxt has that also (there was 21 btc sent to the exodus address with 100% proof of stake model!)
11:09 < adam3us> brisque: apparently solidcoin was a gold mine of interesting params, though I missed that fun :)
11:09 < brisque> you're thinking too detailed. this is quite a simple premise with no thought involved.
11:13 < amiller> it's fun to see a crisis of participation in this new world, rather than non-participation :o
11:15 < brisque> michagogo|cloud: it's been fun making magic with you, but my VPS is about to be destroyed.
11:15 < michagogo|cloud> Why?
11:16 < brisque> I've had my fun, I don't see any use in keeping the instance any longer
11:16 < michagogo|cloud> oh
11:16 < michagogo|cloud> I misunderstood you
11:22 < TD> they exert pressure in the right direction, but someone still has to do all the work to create an actually better situation :)
11:23 < gmaxwell> the concern with things like the nseq in my mind isn't the incentives so much as the vulnerability of it like betcoin taking unconfirmed payments.
11:24 < TD> we lack tools, documentation and experience to help business do risk analysis. but over time i expect risk analysis to play a bigger and bigger role in bitcoin
11:24 < TD> like, where the block chain becomes a very strong signal that is nonetheless blended with others
11:24 < TD> betcoin took a bet and lost
11:25 < gmaxwell> sure, 99.99% of the time it'll be great. But in that remaining 0.01% ... watch out.  Attacks aren't random though, at least when non-trivial amounts are involved a probabilistic approach doesn't always work well.
11:25 < jtimon> TD: "the value of their money" you assume miners are always at the same time btc speculators, they can just sell them
11:25 < TD> businesses all have to do crazy risk analyses today to accept existing forms of payments, it's not really an alien concept for them. so we'll see. next dice site will have to weigh up the prospect of being double spent, at least until/unless the mining situation improves
11:25 < TD> jtimon: for how much?
11:26 < TD> jtimon: all miners are speculators to some degree because they have amortised costs
11:26 < jtimon> like saying "bitcoin can't work because miners have incentive to merge together and then do 51% attacks to double spend" <--
11:26 < jtimon> no, it works because it's easier and more long term for them to just make money out of honest mining
11:26 < gmaxwell> of course if you're able to trust the payer... why even bother with fancy protocols. "Pay me what you owe eventually."
11:26 < TD> jtimon: in theory a miner who has paid off all his hardware and has no electricity/ongoing costs wouldn't care what the price is indeed. but i guess that won't be true for a long time
11:26 < TD> well that's what in practice we do already with unconfirmed transactions.
11:27 < TD> the block chain has a sweet spot where it's really useful and appropriate. other times it's not so helpful
11:29 < TD> though i'm kinda looking forward to the day that people are dropping nitrogen-cooled ASIC farms into the middle of the desert with a solar farm next door
11:30 < jtimon> well, don't want to take my description as assumptions, just wanted to point out that you're assuming too much about miners but...
11:30 < jtimon> when you compare capital, say a pub, a building and a mining rig
11:31 < TD> we don't know if i'm assuming too much or not because we never got a chance to try. the feature was disabled due to DoS/surface area risks a long time ago.
11:31 < TD> perhaps one day we'll get a chance. in the absence of a killer app for the feature though, it's a bit hard to justify right now
11:31 < jtimon> you compare them by capital yield, doesn't matter if you're doing it with your own money or with borrowed money
11:31 < jtimon> if it's your money you don't have more incentive to accept low yields
11:32 < jtimon> you could lend/invest more profitably somewhere else
11:33 < jtimon> TD: I mean you're assuming too much about miners by assuming they keep the btc for more than 100 blocks
11:33 < TD> my assumption is really just that they care about the price
11:33 < TD> which is pretty basic, yes
11:35 < jtimon> my assumption (another simplification of reality) is that they care about yields and only indirectly about price, I don't know about their preferred unit of account, tend to assume is fiat
11:35 < jtimon> anyway, they won't destroy bitcoin by taking the higher fee when receiving double-spends
11:35 < jtimon> with or without seq
11:36 < jtimon> and if seq relies on that, well, then it is not very secure
11:36 < TD> of course they would
11:36 < TD> that would be the absolute worst thing miners could do
11:37 < TD> no unconfirmed transactions? watch the price collapse
11:37 < jtimon> why?
11:37 < TD> many miners would never make back their ASIC investments then
11:37 < jtimon> mhmm
11:38 < jtimon> what satoshi proposed for "unconfirmed transactions" were services that contracted with pools to connect directly with them I think
11:38 < jtimon> it's in the snack machine thread I think
11:39 < TD> no
11:39 < jtimon> killerstorm also says that the high "frequency tunnel" use case doesn't need seq
11:39 < TD> in the snack machine thread he pointed out merely that the cost of double spending would be higher than the value of the snack
11:39 < TD> and that it could listen for double spends on the network anyway
11:40 < TD> it doesn't need tx replacement as long as the micropayment channel flows in one way direction
11:40 < TD> if you want more flexible arrangements it does.
11:40 < TD> fortunately for many interesting applications, one direction is enough
11:41 < jtimon> TD https://bitcointalk.org/index.php?topic=423.msg3867#msg3867
11:41 < jtimon> "No, the vending machine talks to a big service provider (aka payment processor) that provides this service to many merchants.	Think something like a credit card processor with a new job.  They would have many well connected network nodes."
11:41 < TD> any node can do that. pools didn't even exist back then
11:42 < TD> so he obviously wasn't talking about contracting with pools
11:42 < TD> :)
11:42 < jtimon> correct he didn't say pools, just well connected
11:42 < TD> once double spend relaying is done, you won't even need to be very well connected
11:42 < TD> so this is not really a big deal
11:42 < jtimon> maybe he was thinking about mining farms?
11:43 < jtimon> "double spend relaying" I'm not sure that's really secure
11:43 < TD> he said what he was thinking of - a service provider that performed the job of watching for double spends
11:43 < TD> why not?
11:43 < jtimon> if it was secure we wouldn't need PoW
11:43 < TD> i think you're confused
11:44 < TD> double spend alerts tell you that there has been a double spend. it does not tell you which spend will win.
11:44 < jtimon> oh, sorry
11:44 < jtimon> I thought it was some of those proposals to "prevent double spending"
11:45 < jtimon> I think there's even a paper about that
11:45 < TD> no, i said "double spend relaying"
11:45 < jtimon> sorry again
11:45 < TD> np
11:46 < adam3us> so about (2-way) pegged side-chains again.  the security insulation from not accepting more coins than moved, is good.  but i think to avoid eg fractional reserve building up in the side-chain, i think the SPV proof needs history back to the coin migration?
11:47 < jtimon> TD I still think future miners will just mine the highest fee transaction (even with double spend relay)
11:47 < TD> *shrug* and i think you're wrong. guess we're done :-)
11:48 < jtimon> adam3us: preventing fractional reserve? I must have missed something about the proposal...
11:48 < jtimon> TD hehe, yes, well we can detail how each other see the future
11:48 < adam3us> jtimon: well that is not part of the proposal, i'm thinking of the min requirements to prevent it happening.  the code in the side chain is subject to change
11:49 < jtimon> TD I think instant transactions won't be in-chain because in-chain transactions will be expensive
11:49 < jtimon> TD in-chain will be used for debt settlement mostly
11:49 < adam3us> jtimon: that assumes we cant make it scale quite a bit more.
11:49 < TD> these conversations are all years old
11:49 < TD> tbh i'm tired of them
11:49 < TD> back in 2010 it was interesting
11:50 < adam3us> petertodd: is the man to wind up for game-theory arguments.
11:51 < jtimon> adam3us I think we can make it scale more, just not enough to process all the world's transactions
11:51 < jtimon> adam3us which I also predict will be many more in the future
11:51 < adam3us> jtimon: i am not sure. maybe pegged side chains offer another flexibility.
11:53 < jtimon> adam3us: still if each node processes the whole world transactions, there won't be many full nodes
11:53 < jtimon> or miners
11:53 < adam3us> jtimon: think multiple side-chains, maybe shard the transaction set
11:53 < petertodd> jtimon: the scalability future will be in blockchains that are sharded, and it's feasible to "process the worlds transactions" with such structures
11:54 < jtimon> we advocate for private chains, though the most promising scalability improvements can only come from more data being directly exchanged between parties without touching the chain
11:55 < jtimon> petertodd: yeah something like sharding could make me wrong, but I'm unconvinced that's feasible for now
11:55 < jtimon> not that I don't think about that myself
11:55 < petertodd> jtimon: I disagree there, off-chain is a nice safe way to get better scalability, but I think the best is to reduce the consensus "size" required
11:55 < TD> it's already done: alt coins
11:56 < petertodd> indeed it is, what's interesting is how to better integrate multiple chains into a cohesive whole
11:56 < jtimon> TD altcoins are very wasteful the way they are right now, they're just highly subsidized by seigniorage greed and stupidity
11:57 < TD> the p2p chain-trade thing would seem to be the best way. not that anyone is really exploring it properly
11:57 < TD> jtimon: so they take some of the stupid-load off the bitcoin chain. win :-)
11:57 < petertodd> jtimon: though also I see *no* reason to think you can get fast, let alone instant, consensus required for retail payments
11:57 < jtimon> just adding more altcoins doesn't scale, not even with merged mining, miners still need to process everything
11:58 < TD> jtimon: what i was thinking is that the world could shard into eurocoins, americoins, or by subject (bitcoins for the internet, corpcoins for big corporate payments, etc)
11:58 < TD> jtimon: then you'd have exchange rates between them. but that's painful.
11:58 < TD> easier to scale the tech, i suspect
16:04 < amiller> the simplest way to implement fwd validation i think is to have new opcodes like OP_PUSH_TXOUTS that load the txouts from the transaction-currently-undergoing-validation into the validation stack
16:05 < amiller> and OP_PUSH_TXIN i guess too
20:57 < jgarzik> fork success!  bitcoind starts up and shuts down a new process, complete with pipe RPC.  Of course, just a skeleton that does nothing useful at all.  But it forks!
20:57 < jgarzik> RPC (IPC?) has one command at the moment, BCE_SHUTDOWN_REQ
21:26 < gmaxwell> lol
21:28 < HM> jgarzik: you're working on a new RPC implementation?
22:12 < jgarzik> HM: no, adding fork() separation between the network code and "everything else" (RPC/wallet)
22:12 < warren> nice!
22:13 < HM> jgarzik: eh? but won't the 2 forks need to communicate via their own RPC mechanism?
22:13 < jgarzik> HM: well, ok, I guess you can call that a new RPC implementation.  But it's not a public RPC interface, but a private, inter-process communication interface.
22:14 < HM> right
22:14 < HM> you could make use of network namespaces as well
22:14 < HM> put the main process in to its own network namespace so it can't talk to the outside world
22:14 < HM> interesting little project anyway, cool beans
22:15 < jgarzik> the "everything else" process (wallet/GUI/JSON-RPC) is the master process, and the "blockchain engine" is a sub-process of that main process.
22:15 < HM> right
22:15 < jgarzik> blockchain engine manages the P2P network code, and the blockchain dataset
22:15 < jgarzik> BCE might be chroot-able, as well as enabling things like network namespaces
22:18 < sipa> discussion idea: peer rotation; this is something gmaxwell and I have been discussing a long time ago, and the idea is this: instead of always maintaining 8 outbound connections, after timeout N, start attempting creating a 9th connection anyway, and when it works, disconnect one of the existing ones. This should make the network much more dynamic and less deterministic, and more quickly crawl through existing peers. For selecting the peer to...
22:18 < sipa> disconnect, the idea is to aim for an "exponential distribution of connection times", so have some connections that live very shortly, and some that live for very long. Some simulations have shown that giving each outbound peer a chance proportional to its connection_time^(-0.8) would approximately achieve that nicely, ideally combined with some health metrics per-peer as modified to prevent disconnecting the peer that relays most blocks...
22:18 < sipa> first, for example
22:19 < HM> sounds sensible
22:20 < HM> jgarzik: i think the RPC mechanism needs overhauling. process separation would potentially make way for an RPC v2. I've already been toying with a proxy for Apache Thrift that layers over the existing HTTP JSON RPC
22:21 < sipa> the problem is that RPC does interaction with multiple fundamentally different components
22:21 < sipa> it does interaction with the blockchain, the network, and the wallet
22:21 < sipa> while ideally, each of those would have a single interface that can be used for both interaction with humans and with other components
22:22 < HM> well, Thrift just got service multiplexing committed to git
22:22 < HM> and it supports about a dozen languages
22:23 < HM> the drag for a lot of these marshalling formats though is that bitcoin inherently deals with a lot of custom binary data
22:23 < jgarzik> sipa: indeed
22:24 < jgarzik> sipa: a big part of my task here is "drilling holes" -- creating internal IPC calls from RPC server into the blockchain process, and back again
22:24 < jgarzik> sipa: e.g. getconnectioncount, for a simple example
--- Log closed Mon Apr 01 00:00:15 2013
--- Log opened Mon Apr 01 00:00:15 2013
14:08 < amiller> ok i've roughly worked out the missing part of my authenticated data structure library
14:08 < amiller> the key thing is a type system for algorithms/queries
14:09 < amiller> and a rule for deriving the security claim from the type
14:10 < amiller> the minimal type codes to include are one for normal types, one for 'authenticated' types, and an arrow type combinator
14:11 < amiller> so like   insert :: Term (Base Int --> Auth Tree --> Auth Tree)
18:32 < petertodd> away
--- Log closed Mon Apr 01 19:40:52 2013
--- Log opened Mon Apr 01 19:41:09 2013
23:34 < jgarzik> re FinCEN and IRC bots...  https://bitcointalk.org/index.php?topic=158138.msg1718975#msg1718975
23:34 < jgarzik> I wonder if it could be as easy as registering with FinCEN, and proactively looking for suspicious activity
23:35 < jgarzik> with an IRC bot doing micropayments, ideally you could figure out ways to limit large flows, split into small chunks
23:41 < petertodd> Interesting. Sounds like there isn't anything directly saying anonymity can't be baked it, AKA chaum.
23:42 < petertodd> Of course, that can change in an instant...
23:43 < petertodd> The bit about "mining as a business" is worrying though. Sounds like they could argue the miner should be verifying suspicious transactions they mine.
23:47 < jgarzik> petertodd: perhaps; it read like the poster's speculation more than FinCEN opinion, to me
23:48 < jgarzik> and it looks like US state of New Mexico does not require a money transmitter license
23:48  * jgarzik wonders about NM escrow laws
23:51 < petertodd> of course, worrying about local laws may prove fatal if it turns out your customers weren't local
23:59 < jgarzik> As a US citizen I would mainly worry about myself complying with local law.  Customers are expected to comply with their jurisdiction's laws.  I'd make a good faith effort to limit accounts to tiny amounts, file suspicious activity reports if any is seen, and shut down activity if it seems suspicious.
--- Log closed Tue Apr 02 00:00:16 2013
--- Log opened Tue Apr 02 00:00:16 2013
00:02 < petertodd> Yeah, hopefully... At least it does make it likely that I could safely, say, sell remote attestation capable hardware security modules. If being a money transmitter might be legal, selling some fancy hardware that doesn't even have the software to transmit money should be too.
00:03 < jgarzik> Being a money transmitter is definitely legal.  You just have to jump through the hoops.  ;p
00:03 < petertodd> Heh, well, Canada's MintChip thing looks totally serious...
01:12 < jgarzik> hmmm.  I wonder how to route cgminer transparently over Tor
01:13 < gmaxwell> making all accounts require an instant refund address so the service could be trivially shut down might help.
01:14 < warren> some exchanges have that
01:14 < warren> and mining pools
01:14 < jgarzik> ah, excellent.  socks4 proxy option in cgminer.
01:16 < gmaxwell> superior to multibit. :P
06:32 < warren> sipa: nice to see C-ify done.  unfortunately past sprint break now.  I will be crushed with school until April 29th then I'm free
06:33 < warren> sipa: if you aren't totally done by then, it would be helpful if you could add to the TODO list what you would like the full openssl replacement API's to look like.
08:14 < lumos> amiller, http://steve-yegge.blogspot.co.uk/2010/12/haskell-researchers-announce-discovery.html
09:56 < sipa> warren: :)
09:56 < sipa> warren: i hope by then, that won't be needed anymore
15:39 < jgarzik> "because you might be interested" disclosure...   renting out my Avalon to ucsd.edu botnet researchers.  miner -> ucsd getwork proxy -> botnet "black" mining pool.  exMULTI is contracting with ucsd, clearing their legal dept etc.
15:39 < jgarzik> (exMULTI is my one-person microbiz for all things bitcoin)
15:40 < jgarzik> for expected-daily-BTC plus 1%
15:47 < amiller> lol, cool.
15:48 < amiller> i don't see how the mining power helps them do anything with botnets
15:48 < amiller> oh i see
15:49 < amiller> there must be some bitcoin mining equivalent of the "affiliate marketing program managers" for spam
15:49 < amiller> that they want to study
15:50 < amiller> but with spam, the affiliate marketing program provides extra service like dealing with the supply and shipping, but it's comparably straightforward to just run your own mining op... i guess not if you include cashing out the money
22:53 < warren> I suppose this happens every month ... in the last two days, somebody forked bitcoin-0.8.1 and launched a new coin that just used string replace on everything.
22:53 < warren> Then somebody did the same for litecoin-0.6.3
22:55 < sipa> which name?
22:56 < warren> https://bitcointalk.org/index.php?topic=164569.0  sha256 fork of 0.8.1.  https://github.com/bryan-mills/bytecoin
22:56 < warren> I'm guessing a single avalon could crush it in a few minutes
22:58 < jgarzik> warren: did they change genesis block and pchMessageStart, I hope?
22:58 < warren> I didn't look deep enough
22:58 < jgarzik> we should put a "if making your own coin, change these things AT LEAST" doc in bitcoin repo
22:58 < gmaxwell> they did, that's about all they changed.
22:58 < warren> I'm guessing this could be merge mined if anyone cared.  want to ruin their day?
23:01 < warren> gmaxwell: http://radon.gdries.nl:6327/static/
23:03 < warren> If that p2pool readout is accurate, almost the entire coin is this p2pool node.
23:03 < gmaxwell> warren: you can't merge mine something that isn't designed for it.
23:05 < warren> this p2pool looks doctored to give fake numbers
23:10 < jgarzik> Trivia:  bASIC guy emailed me, asking for personal advice on the following subject:  if you paid X BTC (worth $Y) for a device, MUST the refund be X BTC (now worth $Y * 10)?
23:10 < jgarzik> completely random.  never corresponded with him personally before, even during bASIC purchase process.
23:27 < gmaxwell> poor guy. He's been slowly refunding people $Y worth... which is an amount decreasing by the day.
23:29 < warren> what happened with bASIC?  I wasn't around.
23:38 < jgarzik> warren: dunno the inner workings.  He took pre-orders, then the project failed.  Long pause, CC refunds, long pause, BTC refunds trickling out.
04:56 < BlueMatt> gmaxwell: implementation detail: do you require the side-chain be merged-mined?
04:56 < justanotheruser> BlueMatt: seems like that would be ideal
04:56 < TD> good evening guys
04:56 < gmaxwell> BlueMatt: I don't think bitcoin should require that, though it would probably be pretty darn prudent.
04:57 < BlueMatt> hi TD
04:57 < gmaxwell> BlueMatt: at least my thought is really "just add enough so that bitcoin can verify a suitable proof, and then you can build anything out of that which you can make fit"
04:57 < gmaxwell> HI
04:57 < sipa> TD: timezone deficiency?
04:57 < TD> evening for them. morning for us :)
04:58 < gmaxwell> BlueMatt: so while it might be _wise_ to merge mine it, and perhaps there are some optional strengthening things that could be done, I don't think it would make sense to require it.
04:58 < sipa> ah, right
04:58 < BlueMatt> gmaxwell: makes sense
04:58 < TD> lol
04:58 < TD> "Since we're generating the points randomly, I'm going to ignore the first condition because it happens far less frequently than malfunctions in the CPU instructions that I might use to detect it."
04:58 < TD> i think i'm going to remember this excuse for ignoring edge cases, for the future :)
04:58 < sipa> link?
04:58 < TD> https://www.imperialviolet.org/
04:59 < TD> agl talking about implementing elligator for curve25519
04:59 < gmaxwell> e.g. ideally the pubkey could specify the proof geometry required with enough flexibility that you could merge in something rather thoroughly unlike bitcoin.
04:59 < justanotheruser> sipa: seem into producing acronyms...
05:00 < gmaxwell> BlueMatt: though annoyingly some of the already existing altcoins can't have compact spv-like proofs. :(
05:00 < justanotheruser> gmaxwell: scryptcoins?
05:00 < TD> how did they manage that?
05:01 < TD> justanotheruser: no, scrypt based coins still use sha256 for the merkle tree
05:01 < BlueMatt> gmaxwell: meh, I dont care about current altcoins that do dumb things, I want to enable actual innovation, not knob twiddling
05:01 < TD> says the guy behind coingen.io :)
05:01 < justanotheruser> TD: but how do you verify the PoW without including scrypt into bitcoin or implementing scrypt in a bitcoin script?
05:02 < BlueMatt> TD: yes, hopefully it will saturate the market with knob twiddling and people will get bored of it
05:02 < gmaxwell> TD: well PPC's proof of stake stuff appears to need a (mostly) unpruned blockchain history to validate. And primecoin headers look like they're a couple kilobytes and need primality testing?!
05:03 < TD> gmaxwell: surely even in proof of stake, transactions are in blocks and arranged into a merkle tree though?
05:03 < TD> or you mean you can't just download headers at all
05:03 < gmaxwell> TD: you need to prove it hasn't been spent.
05:04 < gmaxwell> well they have no getheaders p2p messages either, but that's an aside. :P
05:05 < gmaxwell> basically at least as PPC is now, I don't think you can extract a compact proof that a header is valid. maybe you can get close enough by extracting the transactions and assuming they weren't subsequently spent, but I dunno, since there is no POW on those blocks attacking is cheap. I honestly haven't thought about it much.
05:06 < gmaxwell> at a minimum it's complicated.
05:07 < sipa> maybe we should write a "if you're going to create an altcoin, think about:" document
05:08 < BlueMatt> sipa: yea, think about: "2-way pegged value"
05:08 < sipa> listing some of the easy-if-we-knew-it-at-the-start ideas like p2sh only, or simplifying script, or having amounts in the signature hash
05:08 < sipa> and concerns like compact proofs
05:09 < sipa> oh and maybe explain the reason for block times being slow
05:10 < gmaxwell> sipa: dunno that it would help, couldn't hurt. I say I don't know because of how they've responded when encountering problems.
05:11 < BlueMatt> for current-gen alts, it's sure to make no difference
05:12 < gmaxwell> (e.g. the general response has been to do something even dumber)
05:12 < BlueMatt> for people making real alts (maybe, though I'm very unconfident) coingen will help
05:14 < gmaxwell> e.g. feathercoin had instability and attacks due to some of their parameter choices, their response was to pay the ppcoin person to license "advanced checkpointing" from ppc (developer broadcast "checkpoints").
05:15 < Taek42> are people licensing cryptocurrency ideas now?
05:16 < _ingsoc_> BlueMatt: Lol.
05:16 < gmaxwell> that's the only incident of it that I'm aware of.
05:16 < TD> i never liked p2sh only as an idea.
05:16 < gmaxwell> unless you count coingen.io
05:17 < gmaxwell> It's certainly something I'd do when starting from scratch. Opinions may differ.
05:17 < TD> ethereum might evolve into an interesting alt
05:17 < TD> gmaxwell: well, it'd rule out things like OP_RETURN tagged outputs and the like, which people have found uses for.
05:18 < gmaxwell> TD: yea, the ethereum warez site agent is totally going to be popular. :P
05:18 < TD> is that actually on their website?
05:19 < gmaxwell> TD: no reason that it would preclude having a no index flag (or really just a separate field in transactions for aux data).
05:19 < gmaxwell> TD: no, I was kidding, but it seemed to follow naturally from the description of it I read. :P
05:19 < TD> you saw payfile, right? :)
05:19 < sipa> what is ethereum?
05:19 < gmaxwell> TD: you couldn't tell for sure though
05:20 < TD> gmaxwell: that's true. you could extend the tx format at the same time.
05:20 < gmaxwell> sipa: vitalik altcoin based on turing complete script.
05:20 < gmaxwell> doesn't exist yet as far as I know.
05:20 < sipa> ah
05:20 < gmaxwell> a bunch of the design decisions wouldn't be ones I would have made but. ::shrugs::
05:21 < gmaxwell> sipa: in particular it's supposed to support being able to upload code into the network which the network runs triggered by events e.g. independently of transactions, which can do things like create transactions.
05:21 < sipa> ewww
05:21 < TD> hah
05:21 < gmaxwell> and a handwave at fees to pay for it, without any consideration of the incentives around that.
05:22 < gmaxwell> Yea, my response too. But at least it's different.
05:22 < TD> right. hence me thinking it's the most interesting alt, even if i also think it's unlikely to work
05:22 < TD> but we'll see
05:22 < gmaxwell> be nice or I'll suggest they name one of their currency units after you.
05:22 < nsh> nobody talks about Dr Frankenstein advanced the field of medicine
05:22 < nsh> +how
05:23 < gmaxwell> http://demotivators.despair.com/demotivational/mistakesdemotivator.jpg
05:23 < TD> the guardian did a nice article on alt coins. i banged the drum about how they demonstrate the fundamentally democratic nature of cryptocurrencies
05:24 < TD> so coingen and other joke alts are not entirely useless. they educate people about the tech and more importantly, make BlueMatt a lot of money
05:24  * nsh smiles
05:24 < gmaxwell> Sadly alts don't work too well as education on what not to do, just like invent your own blockcipher usually doesn't because they usually don't reach the point where they justify a serious attack, but oh well.
05:24 < TD> well, that's education of developers. i'm thinking of education of users. showing how bitcoin developers are not simply the new central bankers
05:25 < TD> http://www.theguardian.com/technology/2014/jan/07/bitcoin-me-how-to-make-your-own-digital-currency
05:25 < gmaxwell> TD: hey, I strongly promoted that idea. I'm all for it.  I also suggested it to people who wanted to "fight" altcoins as the fair and ethical way to do so... "we think these things are pointless, well it's not fair to stop them, but lets reduce the friction that makes making a pointless altcoin profitable."
05:26 < gmaxwell> TD: did you see the fallout from the launch of the 'conya' coin? (or however its spelled?)
05:26 < gmaxwell> coinye
05:27 < warren> gmaxwell: I'm guessing ICANN procedure to get the domain taken away will be tried next
05:27 < gmaxwell> yea probably.
05:27 < gmaxwell> did you see they were having zillion block reorgs?
05:28 < sipa> who?
05:29 < TD> i saw that kanye's lawyer was trademark-whacking them. lol.
05:29 < gmaxwell> coinye coin. another purposefully dumb coin, but it started out with about 1/1000th of the initial difficulty it should have had.
05:29 < TD> and the anonymous authors response was basically to wave two fingers at them and say they'll bump up the release date
05:29 < gmaxwell> (they basically released a password to unlock the software at some time with enormous hype)
05:30 < sipa> eh?
05:31 < warren> if they were anonymous devs, with people unable to examine the software before the launch of mining, they could have included a trojan to steal <real coins>
05:31 < warren> lots of idiots would rush in
05:31 < gmaxwell> and now pools that lost the reorg wars have shuttered and people are angry that they're not getting paid.
05:31 < warren> and they would cash out in an unexpected way
05:31 < Taek42> warren sounds like something worth trying
05:32 < BlueMatt> warren: I'm honestly surprised we haven't seen more of that
05:32 < gmaxwell> it was only released a couple hours ago and has like 5000 blocks.
05:32 < gmaxwell> BlueMatt: esp now that some of these exchanges will happily add brand new coins.
05:35 < gmaxwell> is it just me or is bc.i switching to USD every time other people follow a link to it?
05:36 < sipa> experienced that as well
05:40 < michagogo|cloud> gmaxwell: not just you
05:54 < warren> BlueMatt: to avoid that someone could release all the code except for the genesis
05:54 < gmaxwell> I believe that's how ltc was launched.
05:55 < gmaxwell> https://bitcointalk.org/index.php?topic=404888.0 < fwiw, I posted asking about bc.i's switching
06:06 < TD> sigh. we need to beat some rationality into the fees market
06:19 < warren> TD: the way we rolled out 20x lower fees might be feasible (albeit very dumb)
01:49 < petertodd> the storage providers will look at the sum of potential earnings, and buy enough storage to take advantage.
01:49 < petertodd> yes, you can pay more to make it more likely the providers will bother.
01:50 < petertodd> (the real issue: who knows what the btc/GiB ratio will be)
01:50 < amiller> i think it's going to turn out to be even more of a challenge when defining what the retrieval costs are supposed to be
01:50 < amiller> i really like this one extreme example, Amazon Glacier
01:51 < amiller> https://aws.amazon.com/glacier/
01:51 < petertodd> retrieval costs don't need to be defined, that one's actually a bidding process you realize
01:51 < petertodd> I've got ~300GiB there
01:52 < petertodd> big spender I know
01:52 < amiller> have you ever retrieved it
01:52 < petertodd> not all of it
01:52 < amiller> heh, do you ever probe it with PoR's effectively
01:52 < petertodd> I know the fees are crazy if you want it fast
01:52 < petertodd> lol
01:53 < petertodd> I rely on others to do that for me :P
01:58 < amiller> so
01:58 < amiller> in the case of bitcoin, you rely on mining nodes to do full validation
01:59 < amiller> an individual SPV client may only care about checking the total amount of work, which basically makes it expensive to overwhelm with effort, whether it's valid data or not
02:00 < amiller> for a complicated transaction of mine i think i should only expect the whole global network to do something like SPV style validation before deciding to release my funds
02:00 < amiller> although i would probably be interested in doing the more complete validation
02:00 < amiller> or i dunno hiring a smaller number of people to do this validation at lower cost, but not globally
02:00 < amiller> do i get anything by having a larger network do cursory SPV validation
02:00 < amiller> vs only having a small network do full validation?
02:01 < amiller> with merge mining, there is no validation
02:01 < amiller> from the big network to the smaller one i mean
02:03 < amiller> i think the important thing about SPV validation is that work that passes SPV can't also be repurposed to achieve anything else
02:03 < petertodd> why have all that complexity? why not focus on ways to make the transactions small as much as possible?
02:03 < petertodd> only do fancy stuff when you get desperate, and that fancy stuff can happen in a different chain dedicated to it with correct incentives, releasing funds via oracle or something
02:04 < petertodd> look how for the data storage example the proofs actually aren't all that bad
02:05 < amiller> oracles are just another fancy name for TTP
02:05 < amiller> in any case...
02:05 < amiller> well the fancy stuff happening in a dedicated chain
02:05 < amiller> correct incentives.. what do you mean?
02:06 < amiller> that's kind of what i have in mind
02:06 < petertodd> who knows?
02:06 < amiller> that's why this is a compositionality thing
02:06 < amiller> how can i use the Big Network's safety and stable money, as an incentive in my celebration-of-random-strings altchain
02:06 < petertodd> now, what I want you to do, is write down a quick summary of how op_blockhash and op_blockheight helps you in this goal, so we can get an idea of the uses for new opcodes and start figuring out what is worth implementing
02:07 < petertodd> because you have Yet Another Example of a cool and useful thing we can do
02:07 < amiller> i want to be able to define SPV validation for another chain!
02:08 < amiller> i'll need hashes for consuming merkle tree proofs
02:08 < amiller> and... really none of that requires anything else i guess
02:08 < petertodd> Ok, so write up an example script.
02:08 < amiller> hm
02:08 < amiller> Ok.
02:08 < petertodd> Sounds like you just need OP_CAT, OP_SUBSTR and what not.
02:09 < petertodd> See, I've got a soft-forkable mechanism in mind where we can gradually enable more stuff as we prove we haven't screwed up.
02:09 < petertodd> And I'm thinking MAST support should be #1
02:10 < amiller> interesting
02:11 < petertodd> MAST is actually pretty simple too: just make OP_IF and OP_ELSE take a digest, rather than opcodes, if the branch isn't executed, and use that digest in the calculation of the tree
02:11 < petertodd> It'll look kinda like P2SH really
02:12 < petertodd> If bitcoin isn't interested, worth asking litecoin.
02:13 < amiller> what about breaking a computation into parts
02:13 < amiller> so it could be spread over multiple tx
02:13 < amiller> that's unnecessary complexity nvm
02:13 < petertodd> That would be complex, and incompatible with how Bitcoin scripting usually works.
02:13 < petertodd> KISS
02:14 < petertodd> *Another* thing I want to do, like soon, is add "debugging" support to scripts to trace the state they take, which is similar code.
02:15 < petertodd> example: http://webbtc.com/script/31d3fb6b4af93525e04e9d97690cffdd292ca554791cfadd34af76ecbb9bdf29:0
02:15 < amiller> hm
02:15 < amiller> i could probably just model bitcoin's stack language in ocaml and use my compiler hack directly as a reference design
02:15 < petertodd> that's using bitcoin-ruby, which is broken - very much worth adding this to bitcoin itself for debugging/pedalogical reasons
02:16 < petertodd> *pedagogical
02:16 < amiller> that's slick, thanks for link
02:16 < petertodd> heck, testing too: make hashes of those execution traces and store them in the unittests
02:16 < petertodd> frankly if anything changes, it's almost certainly a bug
11:59 < jgarzik> petertodd, amiller: anybody given any thought to identity (SINs) + file sharing?  Trying to figure out if a decentralized Amazon S3 could ever be possible
11:59 < jgarzik> i.e. where data hosting entities can come and go, and be compensated for their work.  users can come and go, and pay for storage.
12:00 < jgarzik> data hosting has two layers, as zooko and Tahoe-LAFS well know, low level storage and upper level accounting.
12:00 < jgarzik> accounting/indexing
12:04  * jgarzik always thought of Tahoe-LAFS as cumbersome to build but doable -- but the HARD part is figuring out economic/game theory incentives to make such a system self-supporting
12:04 < amiller> mojonation was supposed to be that
12:04 < amiller> tahoe-lafs is a much reduced scale
12:04 < amiller> so hm.
12:05 < amiller> my observation though is if you have accounting that works, you probably don't even need SINs...
12:11 < jgarzik> possibly true
12:11 < jgarzik> I was thinking that SINs form a nexus around which you can build a positive reputation
12:13 < jgarzik> users need to provably pay for their download.  providers need to provably get paid for providing a download.  difficult if not impossible without proxying through third party verification
12:13 < jgarzik> (or so it seems to me)
12:18 < jgarzik> and these might be semi-trusted proxies, that audit each others' work and build a reputation
12:19 < jgarzik> perhaps users and providers follow a protocol that sends a request to A and B, yet provably expects the response to be delivered by C
12:20 < jgarzik> that gives other providers an awareness of requests going through the system, setting expectations for delivery by C
12:50 < jgarzik> switching topics,
12:50 < jgarzik> petertodd, still not totally happy with anyone-can-spend
12:51 < jgarzik> petertodd, lacking a bitcoind mod, the rational behavior is to send two transactions, the required anyone-can-spend and also a new tx spending that
12:51 < jgarzik> certainly the announce gives others the /chance/ to spend
12:52 < jgarzik> but in the initial stages of any such system, the identities will be cost-free
15:30 < petertodd> jgarzik: Did you see the discussion between amiller and myself about proving you have some data as a way of incentivising storage?
15:30 < petertodd> jgarzik: anyone-can-spend *only* works if it's timelocked in any case, so with announce-commit it's actually three transactions.
15:31 < petertodd> jgarzik: Adding auto-spend support to the mempool in bitcoin upstream is easy - I wouldn't get hung up on that.
15:34 < petertodd> jgarzik: People already have huge wallets watching for coins being spent to tens of thousands of addresses they've done dictionaries for re: brainwallets.
15:36 < petertodd> jgarzik: For instance "jgarzik"=1KCvSPxjaJdVQtzP15bJgBXXDbrBxCNhj7, and "petertodd"=16VpZwEfw2PCwf4dZEBNeXpKgFPdbiUnf, and a 50mBTC payment to both got spent within about a second.
15:37 < petertodd> jgarzik: Provided spending an anyone-can-spend is standard, I don't think we have an issue at all.
15:39 < petertodd> Reminds me: we should consider a transaction input standard in AreInputsStandard() if an empty scriptSig, or scriptSig=OP_TRUE, is able to spend it in any case.
15:56 < petertodd> Also, that's a rationale for anyone-can-spend too IMO: you don't need to be a miner to have an incentive to set up the infrastructure to claim it.
15:57 < petertodd> (especially with an anyone-can-spend based on OP_CHECKMULTISIG where it's already a standard tx)
16:09 < jgarzik> petertodd, I'm just concerned about initial bootstrapping.  After the system is running, it's fine.
16:11 < petertodd> Well, if anyone can spend is useful from a technical point of view, then why not use the OP_CHECKMULTISIG version?
16:11 < petertodd> Also, add scriptPubKey=<digest> to your OP_RETURN <data> pull-req.
16:12 < petertodd> (with <digest>!=0)
16:34 < petertodd> Keep in mind that for something like IRC, where a heck of a lot of proofs might need to be stored, you really want to keep the proof size small for the sacrifice. Eventually anyone-can-spend will need as little as a SHA256 midstate + <digest> + value + nLockTime and the merkle path. It's even better if you allow people to use the coinbase version, and proof-of-work coinbase version. (latter where you mine a share that would have been worth xBTC)
17:54 < midnightmagic> petertodd: zooko et al were doing a lot of work in that regard not so long ago.
23:34 < realazthat> the sha() must take a few additional params to prove it was started in a recent block, and so can't be reused again and again
23:34 < realazthat> etc.
23:34 < realazthat> there are lots of other issues as well
23:34 < realazthat> I have some of them listed on a page
23:37 < amiller> the work market idea really appeals to me but i don't understand the details
23:37 < amiller> i'd like to read about that
23:37 < realazthat> mmm
23:37 < realazthat> lemme see if I can find gmaxwell's BIP
23:38 < amiller> i think we have a pretty coarse idea about what it takes economically for schemes like this to make any sense
23:38 < amiller> it's real hard to empirically test them
23:39 < realazthat> well the work market could work on the current bitcoin network first I think
23:39 < realazthat> but I don't think people would appreciate deprecating mining :P
23:39 < realazthat> mmm
23:39 < realazthat> yeah
23:43  * amiller waits for cool links
23:47 < realazthat> https://en.bitcoin.it/wiki/BIP_0013 << I *think* this is it
23:47 < realazthat> and maybe 16
23:47 < realazthat> gmaxwell: ding ding
23:48 < realazthat> basically, something that would integrate SCIP into bitcoin, and only pay out to someone who ran a program, and can give a valid response + signature
23:48 < realazthat> ie. scip signature
23:48 < realazthat> which is PoW
23:55 < realazthat> funny, I can't find where gmaxwell linked it to me in my logs :/
23:57 < realazthat> aha
23:57 < realazthat> got it
23:57 < realazthat> https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
23:57 < realazthat> amiller: ^^
23:58 < realazthat> he is using it for the zero-knowledge aspect
23:58 < realazthat> but it could also be used for PoW in the same way as SCIP can be used for both
23:58 < realazthat> I think
23:59 < realazthat> dunno why I thought it was a BIP
--- Log closed Mon Jun 03 00:00:00 2013
--- Log opened Mon Jun 03 00:00:00 2013
00:05 < amiller> PoW is a loaded term
00:05 < amiller> i don't think what you're talking about is meaningful as pow
00:05 < amiller> or at least not for mining
00:06 < realazthat> mmm SCIP can do PoW
00:06 < realazthat> look, I'll quote a Q/A from eli
00:07 < realazthat> Q: Is there a guarantee that there is no way to generate a signature if a correct answer is otherwise found in a quicker manner than running P, the original program, via running Q instead?
00:07 < realazthat> Eli: Yes, the only way (assuming you cannot break crypto) is to run P, not Q.
00:08 < realazthat> anyway, this isn't for mining
00:09 < realazthat> 1st, is a work market
00:09 < amiller> if it's not for mining it's fine
00:09 < amiller> i think mining doesn't actually use PoW
00:09 < amiller> but something else
00:09 < realazthat> this could be done right now, in the bitcoin chain with this extension
00:09 < realazthat> mmm
00:09 < realazthat> I dunno then
00:09 < realazthat> I am proposing another method of mining, I don't know if it is sound
00:09 < amiller> i've been working on this a lot
00:09 < realazthat> it would obviously have to be in another chain
00:10 < amiller> basically the work should be incremental
00:10 < amiller> like suppose you were going to put out a bid for work
00:10 < amiller> like a bid for having a gazebo built for your house
00:10 < amiller> and you tell the contractors
00:10 < amiller> both of you start working
00:10 < amiller> it should take you about a month
00:10 < amiller> and whichever one of you finishes first gets paid, the loser gets nothing
00:11 < amiller> the fact that bitcoin is *not* even based on PoW at all means its okay
00:11 < amiller> because each incremental unit of work is so small compared to the latency
00:11 < amiller> that the loss due to duplicated work is pretty low
00:12 < realazthat> mm
00:12 < amiller> now if you break a large computation up into tiny pieces
00:12 < amiller> such that you can get *partial payment for partial work*
00:12 < amiller> then we're back on track
00:12 < realazthat> yes, well I was thinking of something like,
00:12 < amiller> which is in fact exactly what those bootstrap recursive snark things seem to be about
00:12 < amiller> which is really really promising then
00:12 < realazthat> a magic protein folding algorithm, which would take in an IV
00:13 < realazthat> and each worker can do his own part of the work-space
00:13 < realazthat> so the work itself would be tiny pieces even
00:13 < realazthat> well
00:13 < realazthat> just different pieces
00:14 < realazthat> each worker does a different part of the workspace, say by using something uniquely his as the IV
00:14 < amiller> it's a dos problem if you try to pay people for every single hash they compute
00:14 < realazthat> mmno I am not trying to solve that problem
00:14 < realazthat> the work would still take a long time
00:14 < amiller> so the nice thing about lotteries is that they add some uncertainty and indivisibility but you get a good improvement in communication costs
00:14 < amiller> ok
00:14 < realazthat> just it wouldn't be duplicate
00:15 < amiller> and they can be paid even if they're done in parallel
00:15 < realazthat> but its a good problem you pose
00:15 < amiller> that would mean you'd need a block dag sort of thing
00:15 < amiller> that can merge work
00:15 < realazthat> yeah but reserving payment so it's not a race; that's a problem
00:15 < amiller> yeah
00:15 < amiller> it might be possible though
00:15 < amiller> it's an interesting idea
00:15 < realazthat> well with gmaxwell's proposal,
00:15 < realazthat> it would almost surely result in some sort of market
00:16 < realazthat> the mining could be built on top of this, by forcing (via mining protocol) the worker to include H(B) into his IV
00:16 < realazthat> and then you can verify the output against the input
00:16 < realazthat> and you know he started at a certain time
00:16 < realazthat> so you cannot save up work
00:17 < realazthat> and, you would win by chance among all the workers
00:17 < realazthat> now, you can weight it somehow (chances of winning) to make it fair
00:17 < realazthat> ie. long jobs have a higher hash-number-limit
00:17 < realazthat> so the difficulty is less
00:18 < realazthat> so, if H(sig(P)) < basedifficulty+T(P)
00:18 < realazthat> then you win
00:18 < realazthat> and get to mine the block in addition to claiming your payment
00:18 < realazthat> T(P) can be proven
00:19 < realazthat> via the sig
00:19 < realazthat> to be correct
00:19 < amiller> well it sucks if you start late then you have no incentive to participate at all
00:19 < amiller> that's another thing that's better about the tiny increment work
00:19 < realazthat> well you always have incentive because of the normal money
00:19 < amiller> you can always join a pickup game at any time
00:19 < realazthat> the lottery is just a side benefit
00:19 < amiller> okay well then just no incentive with the new thing
00:19 < amiller> uh
00:19 < realazthat> most people won't expect to win the lottery
00:19 < amiller> so you can reserve money before actually completing the work?
00:20 < amiller> what happens if you just don't complete the work?
00:20 < realazthat> oh so that's a good question
00:20 < realazthat> yes, good problem that remains
00:20 < realazthat> I need to think about that
00:20 < realazthat> mmm
00:20 < realazthat> here is what you can do
00:20 < realazthat> one of several things
00:21 < realazthat> the work job is given like this:
00:21 < realazthat> run P(iv), T(P) is the time bound (it is known/given) in instructions, you must complete it by block Y, or you lose; all those that give it by block Y split the coins
00:22 < realazthat> so you can precalculate if you can complete it on time
00:22 < realazthat> usually
00:22 < realazthat> if you do, you are guaranteed something
00:22 < realazthat> perhaps this will be too unstable
00:22 < realazthat> but I bet the market would adapt
00:22 < realazthat> make sense?
00:27 < amiller> i don't think the market would adapt i think it would be a pretty bad market
00:27 < amiller> the bitcoin mining market is actually super well behaved
00:27 < amiller> the problem is that i think it would be very difficult to tell what chance you had of winning
00:27 < amiller> also a lot of work would still be duplicated likely
00:28 < amiller> with bitcoin mining because everyone is playing the same game, it's really easy to calculate exactly how much you should win *on expectation*
00:28 < amiller> and by joining pools (which maybe could be made endogenous built-in to bitcoin) you can calculate exactly how much you're going to win real accurate
00:29 < amiller> here if you're the only one working on the puzzle then you'll get the whole thing, if someone else works on it you'll get much much less
00:29 < amiller> and you don't even get a reward for being the first to finish
00:29 < amiller> um
00:29 < amiller> i'm not sure how to fix it but maybe we can at least state clearly what the goals should be here?
00:29 < amiller> the decision to do the work should be rational
00:30 < amiller> meaning before you decide to do the work, you should be able to calculate accurately how much money you will get as a function of the decision to do the work or not do the work
00:30 < realazthat> right that would be very hard
00:30 < realazthat> it depends on the type of job
00:30 < amiller> or if it's probabilistic you should be able to calculate what the distribution is of getting paid
00:30 < realazthat> and how many others are willing to do it
00:30 < amiller> again this is a nice thing that bitcoin mining definitely has
00:30 < amiller> and it's obviously important! because that's a lot of how people bitcoin mine
00:30 < realazthat> yeah, so basically you would try to calculate it this way:
00:30 < amiller> they figure out their hash rate and what they earn and try to figure out how cheap they need power etc
00:30 < realazthat> 1. do you have enough power to solve this on time?
00:30 < realazthat> if yes,
20:48 < zooko> Another way of putting that is that the problem of storage of utxos would eventually impose a limit on smaller-granularity payments.
20:49 < zooko> What's 200 GB? If every satoshi were a utxo, then it would take only 200 GB to store it all?
20:49 < zooko> That sounds way too small.
20:49 < gmaxwell> Though 200gbytes isn't some horrible unattainable value... basically even if there is no long term problem (not clear!) there can still be a short term one with the system becoming costly to operate faster than it becomes valuable to use.
20:50 < gmaxwell> zooko: no, the chain can't grow faster than ~50gbytes/yr due to the maximum blocksize. So every satoshi couldn't be a separate utxo yet.
20:51 < zooko> gmaxwell: ok.
20:51 < zooko> Thanks.
20:51 < zooko> Time for dinner with my kids, then hopefully I'll get back on IRC...
--- Log closed Fri May 10 22:00:20 2013
--- Log opened Fri May 10 22:00:33 2013
--- Log closed Sat May 11 00:00:43 2013
--- Log opened Sat May 11 00:00:43 2013
--- Log closed Sat May 11 16:39:28 2013
--- Log opened Sat May 11 16:39:45 2013
--- Log closed Sat May 11 19:43:41 2013
--- Log opened Sat May 11 19:43:54 2013
--- Log closed Sun May 12 00:00:46 2013
--- Log opened Sun May 12 00:00:46 2013
14:50 < HM2> http://cppquiz.org/
14:50 < HM2> fun little test for you bitcoin devs, since bitcoind is written in C++ ;)
15:07 < HM2> question 15 is nice
15:15 < HM2> (15 in the url)
16:07 < jrmithdobbs> hmmmm... the 1.2 hiera cli util doesn't seem to honor :merge_strategy: deeper when using -a and -h
16:07 < jrmithdobbs> completely wrong channel
--- Log closed Mon May 13 00:00:48 2013
--- Log opened Mon May 13 00:00:48 2013
04:30 < amiller> http://arxiv.org/pdf/cs.LO/0312015.pdf
04:30 < amiller> With the advent of global computing there are an increasing variety of situations
04:30 < amiller> where one would need to be able to obtain formal bounds on resource usage by
04:30 < amiller> programs: for instance before running code originating from untrusted source or
04:30 < amiller> in settings where memory or time is constrained, like in embedded systems or
04:30 < amiller> synchronous systems
04:30 < amiller> this is a paper called Soft lambda-calculus: a language for
04:30 < amiller> polynomial time computation
--- Log closed Mon May 13 10:34:56 2013
--- Log opened Mon May 13 10:35:12 2013
--- Log closed Mon May 13 13:35:04 2013
--- Log opened Mon May 13 13:35:20 2013
--- Log closed Tue May 14 00:00:51 2013
--- Log opened Tue May 14 00:00:51 2013
--- Log closed Wed May 15 00:00:53 2013
--- Log opened Wed May 15 00:00:53 2013
--- Log closed Thu May 16 00:00:56 2013
--- Log opened Thu May 16 00:00:56 2013
15:04 < jrmithdobbs> can puppet take json instead of yaml from a classifier?
15:05 < jrmithdobbs> erm wrong channel
--- Log closed Fri May 17 00:00:58 2013
--- Log opened Fri May 17 00:00:58 2013
17:30 < HM_> Heh
17:31 < HM_> I'm not sure why anyone would want to break 128bit ECC when you could break 112bit 3-DES and compromise so many traditional financial systems
--- Log closed Sat May 18 00:00:01 2013
--- Log opened Sat May 18 00:00:01 2013
14:22 < zooko> This conference is awesome.
14:27 < zooko> Is gmaxwell not at Bitcoin2013?
14:27 < BlueMatt> yes, he is
14:27 < zooko> Thanks.
14:27 < zooko> Are you?
14:27 < BlueMatt> no
14:27 < BlueMatt> :9
14:27 < BlueMatt> (
14:30 < zooko> Bummer.
15:06 < amiller> :]
--- Log closed Sun May 19 00:00:04 2013
--- Log opened Sun May 19 00:00:04 2013
03:23 < warren> sipa: I have a litecoin wallet last touched by 0.6.  With secp256k1 0.8.x reports the wallet is corrupt.  I am trying to reproduce this with bitcoin.
03:23 < warren> 0.8.x without secp256k1 works fine with that wallet
03:24 < warren> init message: Loading wallet...
03:24 < warren> Error reading wallet database: CPrivKey corrupt
03:24 < warren> Error reading wallet database: CPrivKey corrupt
03:24 < warren> Error loading wallet.dat: Wallet corrupted
03:27 < warren> It's entirely likely this is my fault.
03:47 < warren> I'll report back if I manage to isolate it to a particular key or reproduce it on bitcoin.
05:47 < warren> Yeah, it seems fine with fresh wallet.dat's.
07:30 < wumpus> I don't think you should ask sipa questions about litecoin
07:36 < wumpus> oh it's about his secp library, never mind
09:48 < sipa> warren: i recently fixed a bug involving incorrect privkey serialization
15:26 < warren> sipa: I'm using your latest code
15:30 < sipa> that's remarkable
15:30 < sipa> let me check whether i committed it
15:30 < warren> oh?
15:31 < warren> https://github.com/sipa/secp256k1/commits/master
15:31 < sipa> looks good
15:32 < warren> When I build 0.8.x with openssl it loads the 0.6 wallet just fine.  I'll add some print statements and figure out what's going on.
15:35 < warren> heading out for shopping, bbl
16:01 < sipa> warren: it may be related to compressed keys?
16:01 < zooko> Hi sipa!
16:01 < sipa> hi zooko!
16:01 < zooko> I think I saw you entering the Bitcoin Foundation.
16:02 < zooko> Um, meeting, I mean.
16:02 < sipa> i'm there right now
16:08 < warren> sipa: did 0.6 support compressed keys?
16:09 < sipa> warren: yes
16:10 < warren> When I'm back I'll see if I can reproduce this from bitcoin-0.6 -> bitcoin-0.8.x
16:10 < warren> If that fails, are you interested to see my code and wallet.dat?
--- Log closed Mon May 20 00:00:06 2013
--- Log opened Mon May 20 00:00:06 2013
01:42 < warren> sipa: would you be interested in an affected wallet.dat?
02:09 < warren> the keys are all compressed.  I'm digging through code.
07:50 < warren> petertodd: where is your site about the 1MB block limit again?
13:42 < gmaxwell> eek how did I forget to rejoin.
13:44 < gmaxwell> For those who weren't at the Bitcoin conference Eli Ben-Sasson presented on his computational integrity work. This is that stuff we'd talked a little about in here that converts arbitrary programs (in ansi C) into zero knowledge proofs, allowing you to run them on secret data and produce compact and quickly validated 'signatures' over the output that proves the program was executed faithfully.
13:46 < gmaxwell> Importantly, I got some more performance details from him. ... sounds like the proving (signing) cost is on the order of n * 900 * log(n) where n is operations in the computation.
13:47 < gmaxwell> The validation is some constant times the length of the compiled program. Right now their compiler has a n*poly log n cost like proving however, but they know how to fix that.
13:48 < realazthat> gmaxwell: mmm reminds me of this https://hcrypt.com/
13:48 < gmaxwell> Sounds like the scalability ends up memory limited in their actual implementation right now.. To get an idea, each asm opcode produces something like 1500 constraints, and they've used their system successfully on programs of 30 million constraints or so on 'desktop hardware'.
13:48 < realazthat> related I mean
13:48 < realazthat> but cool
13:49 < realazthat> is there a link to this stuff online somewhere?
13:49 < gmaxwell> realazthat: it's in that same general family of techniques... but whats important is that the cost is polynomial. This is actually (nearly-) practical for a lot more stuff.
13:49 < gmaxwell> realazthat: Their paper should be published in a few days.
13:49 < realazthat> cool
13:49 < gmaxwell> There is, however, a video https://www.youtube.com/watch?v=CjUNj8ow6UE
13:49 < realazthat> ah nice
13:50 < gmaxwell> The thing I'd like to use it for is this: https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
13:53 < realazthat> mm that is cool; I wonder how applicable these use cases actually are though
13:53 < realazthat> what greater application I mean
13:54 < gmaxwell> There are more powerful ideas for it... for example, you could use these techniques to produce checkpoints that can't cheat.  If you replaced script validation with the validator for it, you could make transactions depend on complex C code but these things are currently infeasible just because of the computational cost. But because the techniques are poly cost, we can hope that even if they only get a bit better, that computers getting
13:55 < gmaxwell> realazthat: Well, I can give some examples for why hash locked, but I don't like them much. The problem is that things like contests for beautiful pictures or whatever can normally just be solved via escrow, we don't really need zero trust in most practical cases.
13:55 < realazthat> well I can imagine something like crazy financial instruments can come out based on bitcoin using all these hard-to-apply features
13:56 < gmaxwell> The best example I can give you is:  "We anonymous parties will pay 100 BTC for some anonymous party to leak Foo DRM's uber-secret master key" can't use escrow because that's a point of attack.
13:56 < realazthat> haha
13:56 < HM_> and then the proof would be some C code that validated the DRM key
13:57 < realazthat> I was thinking/dreaming of putting a bounty on satoshi signing something
13:57 < gmaxwell> yes, you could create some fancy contracts ... but I think the interesting applications of that require the validation _inside_ the bitcoin protocol. Whereas the DRM example works with my wiki page above: totally external to bitcoin.
13:57 < gmaxwell> (And so the fact that the proof is @#$@# expensive is irrelevant, so long as you can compute them on conventional hardware in a few hours)
13:57 < realazthat> does satoshi have a public gpg key or something?
13:57 < realazthat> (so my dream would make sense)
13:58 < gmaxwell> realazthat: kinda. He has a gpg key that many people will vouch for, but there is actually very little public evidence that it's actually his.
13:58 < realazthat> ah ok
13:58 < gmaxwell> he could, however, signmessage with the genesis key.
13:58 < realazthat> haha great idea
13:58 < gmaxwell> (if he still has it)
13:59 < realazthat> I imagine one day ppl will try to track bitcoins through the chain to identify him :P
22:39 < gmaxwell> Fact of the matter is that we use analogies to understand things by approximation. But there is no need that the (best) analogies need to be physically intuitive, in fact basically all of higher mathematics is about manipulating abstractions which are in no way physically intuitive.
22:40 < petertodd> gmaxwell: also equally insane if you postulate an insecure signature algorithm that can be broken with 2^64 work
22:41 < petertodd> gmaxwell: I'll add to my wizards list that if you successfully got through a hard first year calc/analysis course with emphasis on proofs you're going to understand crypto-currencies much better
22:42 < gmaxwell> well, either that or it broke you completely and you're unable to reason without a pile of symbology in front of you.
22:43 < petertodd> heh
22:45 < petertodd> gmaxwell: probably a good thing I failed second year calc - the alternative was to be broken by it
22:46 < andytoshi> petertodd: second year calc is crap, it has no business being in a math degree
22:47 < petertodd> andytoshi: what did you do in second year calc?
22:47 < andytoshi> petertodd: half a dozen methods for computing second-year-calc integrals, and something about taylor series i think
22:48 < andytoshi> standard calc 2 fare, "here are some algorithms, run them by hand without ever checking hypotheses, hundreds of times"
22:48 < petertodd> huh, we did taylor in first year; second year was all about multi-variable versions of first year stuff, as well as a bunch of set theory stuff
22:48 < andytoshi> mathematical analysis was probably more difficult, but made far far more sense and was better motivated
22:49 < gmaxwell> I like that they don't even bother teaching people the chain rule in basic undergrad calculus anymore apparently.
22:49 < andytoshi> (analysis is when i switched into math honours and decided to take my degree seriously .. and also where i met my girlfriend :P)
22:49 < petertodd> gmaxwell: wtf?
22:50 < petertodd> andytoshi: typical, impressing a girl...
22:50 < andytoshi> gmaxwell: they do at UTexas at least ..
22:50 < gmaxwell> andytoshi: whew. okay perhaps I was just talking to idiots then.
22:51 < andytoshi> petertodd: that's pretty-much it, a bit ironic that now i'm in grad school 2500km away from her
22:52 < andytoshi> gmaxwell: i'd guess so, first-year calc only has 3-4 derivative rules plus a collection of limit stuff, there isn't much room to trim
22:52 < petertodd> gmaxwell: this is the second year calc curriculum that I took: Sequences and series. Uniform convergence. Convergence of integrals. Elements of topology in R2 and R3. Differential and integral calculus of vector valued functions of a vector variable, with emphasis on vectors in two and three dimensional euclidean space. Extremal problems, Lagrange multipliers, line and surface integrals, vector analysis, Stokes theorem, Fourier series, ...
22:52 < petertodd> ... calculus of variations.
22:52 < andytoshi> well, UT has room to trim, there's a ton of theoretical stuff that doesn't connect properly, so the course feels very rushed and confused
22:52 < andytoshi> petertodd: holy shit
22:53 < gmaxwell> andytoshi: I think this is because they don't teach differentiation in algebra classes, but instead just teach people a bunch of rules which actually are differentiation, but don't explain why they work?
22:53 < petertodd> gmaxwell: first year was this: A theoretical course in calculus; emphasizing proofs and techniques, as well as geometric and physical understanding. Trigonometric identities. Limits and continuity; least upper bounds, intermediate and extreme value theorems. Derivatives, mean value and inverse function theorems. Integrals; fundamental theorem; elementary transcendental functions. Taylor's theorem; sequences and series; uniform convergence and ...
22:53 < petertodd> ... power series
22:54 < petertodd> gmaxwell: well, almost, they changed the curriculum around and moved more of what I was taking into the harder class (that's the harder class's current description)
22:54 < andytoshi> gmaxwell: i think that's right, i explain to my classes what they are actually doing, and they (a) appreciate it and (b) act like they were completely unaware of it before
22:54 < petertodd> instead just teach people a bunch of rules which actually are differentiation, but don't
22:54 < petertodd> andytoshi: heh, I don't feel so bad failing it then :)
22:55 < petertodd> andytoshi: the hard version of second year is this: Topology of Rn; compactness, functions and continuity, extreme value theorem. Derivatives; inverse and implicit function theorems, maxima and minima, Lagrange multipliers. Integrals; Fubini's theorem, partitions of unity, change of variables. Differential forms. Manifolds in Rn; integration on manifolds; Stokes theorem for differential forms and classical versions.
22:55 < andytoshi> petertodd: that's a serious calc sequence, what you listed was calc 1/2/3/4, two analysis classes, a variational calc class, and a bit of a third analysis class
22:55 < andytoshi> not that my school was terribly difficult, i spent the latter half of my undergraduate doing reading courses with professors instead of the standard sequence..
22:56 < petertodd> andytoshi: ha, lovely, and I did that after like six years doing a fine arts degree
22:56 < petertodd> andytoshi: that's UofT fwiw
22:56 < andytoshi> petertodd: wow, good to know then
22:56  * nessence wonders how many UT folks are @ cointerra
22:57 < andytoshi> i was told that grad students who go there tend to be unhappy, that the profs don't pay attention to them..maybe this is why
22:58 < petertodd> andytoshi: interesting - the teachers in first year weren't very good, and second year downright atrocious. You literally had TAs who were too shy to speak to students and spent the whole class facing the chalk board mumbling.
22:58 < jcrubino> petertodd: you're my hero now with your calc story
22:59 < petertodd> jcrubino: lol
22:59 < andytoshi> petertodd: fwiw, at SFU we had very slow sequences as i described, then a serious problem with fourth-year students who had no knowledge of mathematics, but we had to give them degrees since we'd led them on for three years, and they'd be incomprehensibly stupid
22:59 < petertodd> andytoshi: ha! nah, uoft just fails people instead :P
23:00 < petertodd> andytoshi: first year calc we quite literally had about 90% of the class drop out
23:00 < andytoshi> yeah, that's an extreme workload especially if the teachers are all crap
23:00 < andytoshi> it'd be almost reasonable with excellent professors and TAs
23:01 < petertodd> yup, and a heck of a shock coming from art school - see, at art schools even the best in the field often take teaching jobs to earn some more money... I suspect with math it's a lot harder to attract talent on a budget
23:02 < andytoshi> yeah, generally there are rich schools who get ~2-400 applicants per year and get to choose -- then there are the rest who have perpetually open positions but terrible offers
23:02 < andytoshi> (UTexas is in the former, they accepted 30/400 applicants last semester o.O)
23:03 < petertodd> ha, uoft has 50k students
23:03 < petertodd> heck, they have more teachers then my previous school had students
23:03 < andytoshi> yes, it is very irritating when they make half the grad department TA calculus <.<
23:04 < petertodd> ugh, and it seems that uoft actually takes their better TAs and teachers and has them teach the easier math classes aimed at the non-math students
23:04 < andytoshi> 16k math students, 8k in the calculus sequences in any given semester, which means around 80 calc TAs i guess
23:05 < andytoshi> ( UTexas has similar total numbers to UofT i think)
23:05 < petertodd> probably about right
23:05 < andytoshi> petertodd: ugh, that's terrible
23:07 < petertodd> andytoshi: heh, well I still managed to learn enough from it to have some hope of learning more math :)
23:09 < andytoshi> very true, i was surprised to hear you (and gmaxwell) have so little formal math education
23:09 < andytoshi> i guess i don't really either, i have the papers but the upper-division part of my degree was almost entirely reading courses
23:10 < petertodd> gmaxwell is way ahead of me with math you know
23:10 < andytoshi> and i did a grad course in QFT, i had a fun time explaining to the physics chair who i was and what i was doing there :P
23:11 < gmaxwell> I don't know anything, but seeing as how I don't know anything I am also not afraid of anything.
23:11 < petertodd> decentralized consensus systems are probably the only "theoretical" branch of crypto I'll ever have a hope of coming up with new ideas in - notice how even my intuition for things like how ECC signatures work is relatively shaky
23:12 < petertodd> andytoshi: lol, quantum anything just sounds scary, and relatively useless :P
23:12 < andytoshi> petertodd: i did not notice that, your blockchain/MMR stuff is so advanced that i assumed you were a math/cs genius :P
23:13 < andytoshi> petertodd: quantum field theory is -very- shaky, it was a great course to learn what physicists are up to but i knew i didn't want to deal with it after that
23:13 < andytoshi> scott aaronson has somewhat changed my mind on that point tho, to the extent that he calls what he does "physics"
23:14 < gmaxwell> everything understandable to more than a few people is understandable to almost everyone if approached from the right perspective.
23:15 < petertodd> gmaxwell: +1
23:15 < andytoshi> gmaxwell: that's my feeling, i've managed to explain SNARKs on a conceptual level to people who haven't had any experience with crypto
23:15 < andytoshi> they have to let me talk for two hours about cryptography, though, so maybe i'm filtering people..
23:15 < petertodd> andytoshi: lol, I keep on thinking "what the fuck symbol am I supposed to use for foo?"
23:15 < petertodd> andytoshi: every time I try to write anything vaguely resembling a paper
20:42 < maaku> andytoshi: coinjoin can be used to hide from your employer as they can no longer be sure which outputs are yours, or coinswap which lets you swap identities with some other coin
20:46 < maaku> TD: i'm assuming that you can actually realistically determine the owner of a key from network analysis with better than random probability, even if it's a use-once key
20:47 < TD> i am not convinced that assumption is valid
20:47 < TD> it should *not* be valid at least, if addresses are not reused and merge avoidance is done
20:48 < maaku> if merge avoidance is done by every other node i transact with
20:48 < maaku> i don't like outsourcing my privacy to those i transact with
20:51 < TD> coinjoin requires outsourcing as well, in effect. you have to hope that there are enough others available at the time who have a sufficient amount they wish to mix that you get reasonable deniability
20:51 < TD> otherwise you end up with implausible deniability only
20:52 < maaku> TD: the scenarios I've considered for coinjoin mixing involve doing it in the background, yielding outputs that are made available to the spendable balance
20:53 < maaku> coinjoin-as-payment is just an added bonus that obscures the fact that a payment is even occurring
20:53 < maaku> the quality of the mix doesn't matter so much then
23:08 < phantomcircuit> lol
23:08 < phantomcircuit> i just finished reading mikes entire blog post
23:08 < phantomcircuit> intersango hot wallet already sort of does that
--- Log closed Thu Dec 12 00:00:49 2013
--- Log opened Thu Dec 12 00:00:49 2013
07:47 < nsh> bit into a discussion in #bitcoin regarding whether or not it would be possible to spoof p2pool mining with a centralized (e.g. miner cluster) resource, in some hypothetical case where p2pool mining was better rewarded to incentivize decentralization
07:47 < nsh> i thought initially you could demonstrate the sharechain of p2pool and that would guard against spoofing, but now i'm not sure it couldn't be simulated with minimal overhear
07:47 < nsh> *overhead
07:48 < nsh> thoughts?
07:49  * nsh considers reading some papers on collusion resistance models
07:51 < nsh> i suspect they all require some kind of fine-grained synchrony or something equally tricky
12:54 < andytoshi> i haven't read past the abstract and authors, but this is probably an interesting paper
12:54 < andytoshi> http://arxiv.org/abs/1312.3230
12:54 < andytoshi> "how to deal with malleability in the current bitcoin system"
12:57 < nsh> what's malleability?
12:58 < sipa> being able to modify a transaction, without knowing the private key, and without invalidating it
12:58 < andytoshi> nsh: any part of the transaction which is hashed but not signed, you can change (even after signing) to get a valid transaction
12:59 < nsh> oh
12:59 < andytoshi> and this messes up a lot of the contract stuff, since you're supposed to have chains of unconfirmed transactions
12:59 < nsh> yeah, that could be a problem
12:59 < andytoshi> and changing a hash breaks the chain
13:00 < andytoshi> nice, the paper's only 6 pages
13:03  * maaku cringes every time he sees "BitCoin" in an academic paper
13:03  * TD used to write it like that
13:04 < MoALTz> maaku: why?
13:04 < maaku> Bitcoin is not camel-case
13:05 < MoALTz> maaku: could be worse. could have scrapped blockexplorer for the blockchain info.
13:05 < maaku> Journalists I forgive.. at least they're writing about Bitcoin
13:05 < maaku> But someone who is purportedly researching the core bitcoin protocol should know better
13:05 < maaku> heh, that's true
13:06 < andytoshi> i think it may be deliberate, to express their out-of-touch-ness with the real world
13:06 < maaku> "BitCoin is a chain of linked HTML5 documents...."
13:06 < andytoshi> "read our paper, we're all in the same ivory tower"
13:08 < MoALTz> when i skimmed over the zerocoin paper i noticed that they had a careless mistake (saying that 1 BTC is 10^9 satoshis)
13:19 < sipa> maaku: blockexplorer.com was HTML5? :o
13:19 < maaku> heh, true
13:21 < nsh> maybe we can delegate bitcoin security to timbl's html drm working group in future versions
13:36 < TD> haha
13:41 < Emcy> is timbl really his hacker name?
13:41 < Emcy> it's pretty good
13:43 < France> (apparently, at some point i group "France" to my nick on freenode then completely forgot about it)
14:08 < gmaxwell> http://www.ssi.gouv.fr/en/the-anssi/events/revocation-of-an-igc-a-branch-808.html < I wonder why they didn't disclose whose certificates they made.
14:09 < gmaxwell> Anyone know if it's public?  (I know at least some of what they made certs for but I'm not sure if I was supposed to repeat it)
14:09 < gmaxwell> oh googling reveals that it is public.
14:09 < gmaxwell> They minted google certs. http://googleonlinesecurity.blogspot.de/2013/12/further-improving-digital-certificate.html?m=1
14:13 < TD> presumably they minted many certs and it's just that google detected it
14:13 < TD> whereas others didn't
14:24 < nsh> aye, google only caught it because of their cert pinning in chrome
14:24 < nsh> i suspect they were mitming * for some govt employees somewhere
14:43 < gmaxwell> Tehe: "Open source: the software is still terrible but now it is your fault too."
14:49 < nsh> :)
14:52 < sipa> well... we do reply with "file a bug report" or "fixes welcome" when people complain :)
16:54 < BlueMatt> ;;seen TD
16:54 < BlueMatt> nanotube: where is gribble when you need it?
16:55 < BlueMatt> yay, manual gribble
16:55 < BlueMatt> what timezone is 12:59, though
16:55 < gmaxwell> Pacific.
16:55 < gmaxwell> (because I IRC from a host in Oregon)
16:55 < nanotube> there he is. :)
16:56 < gmaxwell> and because people other than me have a crazy practice of setting up hosts with timezones other than utc.
16:56 < sipa> iirc, TD is in pacific timezone as well :)
16:57 < gmaxwell> I saw him on saturday.
16:57 < BlueMatt> sipa: yes, hence why he should be awake and irc-ing (what else would he be doing?) :p
16:57 < gmaxwell> so did BlueMatt
16:57 < sipa> ha, cool
16:58 < sipa> i'm syncing from scratch on leveldb 1.15
16:58 < sipa> it's horrible, so many orphans and duplicate blocks
16:59 < sipa> i think i'm downloading every block 5 times, and keeping hundreds in RAM...
16:59 < BlueMatt> bitcoind's sync algorithm is soooo good...
16:59 < gmaxwell> what changed? it wasn't _that_ bad before. Is this just due to increased blocksize?  IIRC I only found a 2x (I think? do you remember?) overhead.
17:06 < sipa> gmaxwell: not an actual measurement, just impression
17:07 < sipa> also, i'm only at block 213000
17:45 < Emcy> so you get orphan warnings while downloading deeply buried blocks because the block downloading code is a bit silly?
17:46 < MoALTz> i found 31 orphans in my blk*.dat files
17:48 < Luke-Jr> someone I spoke with recently was looking for 2009-era stale block.. anyone got any? :P
17:48 < Luke-Jr> MoALTz: you mean stale, not orphan. orphan blocks never get written to risk
17:48 < Luke-Jr> to disk*
17:49 < MoALTz> ah yes
17:49 < MoALTz> although i did look out for true orphans in my code too (although there were none, as those lists were empty after i loaded the files)
17:50 < Emcy> what's a stale block?
17:53 < Luke-Jr> Emcy: one that didn't get accepted in the main chain, long-term
17:53 < BlueMatt> Emcy: #bitcoin
17:56 < Emcy> don't bitcoin me
17:56 < Emcy> i've just never once heard of a stale block
17:57 < Luke-Jr> Emcy: it's what happens when a miner finds a block, but the block is lost due to a race
--- Log closed Fri Dec 13 00:00:51 2013
--- Log opened Fri Dec 13 00:00:51 2013
03:44 < epscy> does anyone know if 0.8.6 has the address index patch?
03:46 < sipa> hell no
03:55 < epscy> sipa: is the address index controversial?
03:56 < epscy> I thought it was going to be included in the next release
03:57 < sipa> unless someone brings it up to date, no
03:57 < sipa> and i'm no fan of it myself
03:57 < sipa> see the (closed) pull request for why
04:00 < epscy> thanks i will check it out later
04:02 < sipa> https://github.com/bitcoin/bitcoin/pull/2802
04:04 < wumpus> depending on the use case, you might use the watch-only pull which is more up to date: https://github.com/bitcoin/bitcoin/pull/3383
04:04 < sipa> wumpus: regarding watch-only, i agree having a way to query spendable vs unspendable balance
04:04 < wumpus> sipa: yep, I'm going to work on that
04:05 < sipa> (it applies equally to locked outputs)
04:08 < wumpus> indeed
04:11 < wumpus> unspendable unconfirmed, spendable confirmed, unspendable confirmed, and spendable unconfirmed... hmm
04:15 < sipa> combinatorial explosion
04:16 < sipa> how about two booleans to be passed to getbalance
04:16 < sipa> in the gui maybe:
04:16 < wumpus> yes, well in this case one boolean passed to GetBalance and GetUnconfirmedBalance
04:16 < sipa> Balance: X (+ Y unspendable)
04:16 < wumpus> but yeah explaining it to the user is most difficult
04:17 < wumpus> ah that would work
04:17 < sipa> only shown if Y is nonzero
04:17 < wumpus> right
17:05 < gmaxwell> adam3us: if that wasn't a birthday search I'd assume that it would be 000000 or something and not two random looking ones. :)
17:06 < adam3us> gmaxwell: (referring to post on openpgp list for others context) yeah i didn't look at it, it's easy to steer RSA v2 based keyids because they are the lsb of the RSA modulus however the v3 ones are the lsb of the fingerprint
17:08 < adam3us> gmaxwell: i presume this is a v3 fingerprint so it would represent either a preimage attack of 2^64 on an RSA key (each RSA key being moderately expensive to compute) or a birthday attack on them (using a fair bit of ram or a tmto and more compute) and probably tossing aside security to make prime reuse and generation faster
17:08 < gmaxwell> adam3us: there is metadata like a timestamp in the fingerprint
17:08 < gmaxwell> so it's not hard to grind.
17:08 < adam3us> ah that's a bit of a defect :)
06:53 < Mike_B> so what you could do is just have it level off at some fixed reward per block
06:53 < Mike_B> so the inflation rate is basically a constantly decreasing percentage that never reaches 0%
06:53 < gmaxwell> yes but if there is a bunch of deflation then that number is too high and you're back to the dyson sphere.
06:53 < jtimon> yes, the problem we fear in freicoin is "over-mining" not "under-reward"
06:54 < jtimon> dyson sphere?
06:54 < gmaxwell> jtimon: https://en.wikipedia.org/wiki/Dyson_sphere
06:54 < jtimon> anyway gmaxwell, I don't think you need a control loop on the reward, it can be constant
06:55 < gmaxwell> I don't think any constant value is "safe" (in that it can't over-reward)
06:55 < jtimon> oh, I see, starships
06:56 < jtimon> I claim that any value is safe in that it cannot under-reward
06:56 < gmaxwell> you can't know the value of a coin within the system, so whatever you set it to perhaps its way too much.. and if we're not smart enough to abandon the currency we do crazy things. :)
06:56 < jtimon> so we share the same concern
06:56 < Mike_B> gmaxwell: if overrewarding occurs then it balances itself out rather quickly as those new coins enter circulation
06:56 < jtimon> Mike_B the supply is constant
06:57 < jtimon> I'm using freicoin as example
06:57 < gmaxwell> 4am. too late to think. goodnight
06:57 < jtimon> constant supply, constant demurrage that goes to miners
06:57 < Mike_B> jtimon: the system i've been describing is one where supply always increasing, with block reward eventually leveling off at some fixed value (like say 1 or whatever) rather than to 0
06:57 < Mike_B> night gmaxwell
06:57 < jtimon> gmaxwell goodnight
06:58 < Mike_B> so the rate of inflation approaches 0 while the money supply approaches infinity
06:58 < jtimon> you can build a mining-reward-equivalent to freicoin with inflation, it's called expocoin
06:58 < jtimon> your system is timecoin
06:59 < jtimon> constant supply, but since the total supply is ever-growing you're paying proportionally less to miners each year
06:59 < Mike_B> what do you mean by "supply" here
06:59 < Mike_B> the total money supply?
06:59 < jtimon> 21 millions
06:59 < jtimon> yeah
07:00 < Mike_B> so what do you mean by the supply being constant yet ever-growing
07:00 < jtimon> the supply ever-growing, the reward constant
07:00 < jtimon> thus the reward is always being reduced in proportion to total supply
07:00 < jtimon> the reward is the subsidy for miners
07:01 < Mike_B> ok right
07:01 < Mike_B> yeah that's what i was saying
07:01 < Mike_B> you're saying that's what - expocoin, freicoin, or timecoin?
07:01 < Mike_B> i'm not familiar with all these altcoins
07:01 < jtimon> timecoin
07:01 < Mike_B> the only one i know is freicoin
07:01 < jtimon> only freicoin exists
07:01 < fagmuffinz> ;;ident fagmuffinz
07:01 < jtimon> the others are only theoretical
07:01 < jtimon> what you're saying is timecoin
07:02 < jtimon> and against it I previously said:
07:02 < jtimon> Mike_B gmaxwell infinite precision to have perpetual reward doesn't make much sense, will an annual reward of 0.00000000000000001% of the supply really make any difference?
07:03 < Mike_B> jtimon: the answer to that question is yes, because as gmaxwell said, coins are always getting taken out of circulation
07:03 < Mike_B> so it should oscillate or something
07:03 < Mike_B> the actual circulating money supply is less than the supply on paper because of lost private keys
07:04 < jtimon> but coins will be lost at a "fixed" rate, say 2% or 1%
07:04 < jtimon> your reward is proportionally decreasing
07:05 < Mike_B> what's the objection to that
07:05 < jtimon> unless the rate at which people lose coins constantly and forever also decreases proportionally
07:05 < jtimon> the reward will become meaningless
07:06 < Mike_B> not if there's something nuts like 2% deflation per year it won't
07:06 < jtimon> let me think this again
07:06 < Mike_B> that's like 33% of the money supply being lost over 20 years
07:07 < Mike_B> so what happens is then, suddenly this 1 block reward becomes extremely valuable
07:07 < Mike_B> you overreward miners
07:07 < Mike_B> that was gmaxwell's objection
07:07 < Mike_B> but, my counter-argument is that if that happens, then this huge reward eventually enters circulation, causing inflation to counter the deflation
07:07 < Mike_B> so it evens out
07:08 < jtimon> in our example we have perpetual constant reward 1 per block
07:08 < Mike_B> yes
07:08 < jtimon> and people lose money at 2% of the total supply right?
07:09 < Mike_B> yeah, some fixed percentage per year
07:09 < Mike_B> so you have exponential decay and linear growth
07:09 < jtimon> ok, I need a cigarette while I think about it, I'll be back in some minutes
07:16 < jtimon> so first year the nominal supply grows 365
07:16 < jtimon> but the real supply is 2% less
07:16 < jtimon> due to lost coins
07:17 < Mike_B> right
07:17 < jtimon> the number of lost coins starts below 365, but it grows over time
07:17 < Mike_B> right
07:18 < jtimon> at some point the total lost coins per year equals the new 365 created
07:18 < jtimon> and now the question is
07:18 < jtimon> the % of lost coins is from the total supply or the real supply
07:18 < Mike_B> real supply
07:19 < jtimon> if the former, you're right
07:19 < jtimon> since you have chosen real supply
07:19 < jtimon> at that point the real supply stabilizes forever
07:20 < jtimon> so timecoin ends up being reward-equivalent to freicoin too
07:20 < jtimon> but the reward is paid from unpredictable lost coins instead of constant demurrage
07:20 < Mike_B> wait, what was i right about if i said total supply?
07:20 < jtimon> I never thought about this in this way
07:20 < Mike_B> my goal was just that real supply stabilizes forever
07:21 < Mike_B> and miners are always rewarded
07:21 < jtimon> ok, if you had chosen total supply instead of real, gmaxwell would be right
07:22 < jtimon> if you don't take lost coins into account, you need expocoin or freicoin to achieve your goal
07:22 < jtimon> well, with expocoin you don't have constant supply
07:24 < jtimon> well, gmaxwell's objection can also apply to this (and freicoin) but in a less catastrophic way
07:24 < jtimon> I guess
07:25 < jtimon> what if 2% (or whatever rate people lose coins at) is too much subsidy?
07:25 < Mike_B> jtimon: it couldn't be total supply
07:25 < jtimon> mining won't grow like a cancer but still
07:25 < Mike_B> if 2% of the total supply is lost every year then in 50 years you have nothing left
07:26 < jtimon> will be always more mining than needed
07:26 < jtimon> 1) if you reduce proportionally you always have something left
07:26 < Mike_B> i don't understand the total supply scenario
07:27 < Mike_B> if you lose 2% of the "on-paper" amount of bitcoins every year, you run out of bitcoins completely in 50 years and everyone has 0
07:27 < jtimon> 2) in both cases (timecoin and freicoin) you're introducing new coins at a constant rate
07:27 < jtimon> 50 years with what divisibility?
07:28 < jtimon> if coins are infinitely divisible you never get out of them
07:29 < jtimon> so now that we've established that the supply will stabilize
07:30 < Mike_B> ok well i don't get the total supply thing but let's assume i mean real supply
07:30 < jtimon> in the case of timecoin not the total (on-paper) supply but the real supply will, in freicoin both
07:30 < jtimon> total supply = real supply + lost coins
07:30 < Mike_B> yeah, so just real supply
07:30 < jtimon> in timecoin
07:30 < jtimon> you end up with a fixed real supply
07:31 < jtimon> an equilibrium real supply
07:31 < jtimon> and you're giving miners 2% of that supply every year
07:31 < Mike_B> so the thing i'm describing is basically bitcoin but where the 50 block reward never halves. that's exactly what timecoin is?
07:31 < jtimon> what if 2% of the real supply is too much security?
07:31 < jtimon> Mike_B yes, that's timecoin
07:32 < Mike_B> and freicoin is what again?
07:32 < Mike_B> it's inflation + a wealth tax?
07:32 < jtimon> freicoin is 5% demurrage
07:32 < jtimon> demurrage is not a wealth tax
07:32 < jtimon> it's a fee for parking in the middle of the road
07:33 < jtimon> but economics apart
07:33 < jtimon> 5% demurrage and a reward that ends up constant
07:34 < jtimon> resulting in an equilibrium 100 millions supply
07:34 < Mike_B> but the idea of demurrage is just that it takes some percent out of everyone's wallet every so often, right?
07:34 < Mike_B> let me look up the numbers so i'm not so uninformed
07:34 < jtimon> yes 2^-20% of each output per block, to be exact
07:34 < Mike_B> 20%??
07:35 < jtimon> no 2^(-20)
07:35 < Mike_B> oh oh oh, ok
07:35 < jtimon> that results in 4.89 % annual or something close
07:36 < Mike_B> so what's the point of demurrage vs inflation if the economic impact is exactly the same?
07:36 < jtimon> the effect on interests rates is different
07:36 < jtimon> the effect on miners is equivalent
07:37 < Mike_B> does freicoin have a fixed supply?
07:37 < jtimon> well, inflation is also uglier than demurrage in my opinion since it's kind of hidden
07:37 < gmaxwell> demurrage @#$@#$@s up accounting.
07:37 < jtimon> not yet, but yes, 100 Million
07:38 < jtimon> gmaxwell, yeah, just like interest rates
07:38 < Mike_B> jtimon: so you get all of the properties of inflation except debt still deflates???
07:38 < jtimon> accountants have to account
07:38 < gmaxwell> easier to ignore by convention because it doesn't make your bookkeeping not add up.
07:39 < Mike_B> it seems to me that the net economic impact of demurrage = inflation + debt deflation
07:39 < Mike_B> which is like a double whammy
07:39 < Mike_B> but maybe i just don't understand
07:39 < jtimon> it's not that hard to account
07:39 < jtimon> you just have to put a timestamp with every amount in your books
07:39 < Mike_B> jtimon: can you confirm that my understanding about debt deflation above is correct?
18:07 < gmaxwell> Then again, hashcash has not really been widely adopted. So, ::shrugs::
18:07 < gmaxwell> part of this, I suspect is that separation problem: often attackers are more willing to use resources than honest users.
18:09 < comboy> Alanius: got to some nice papers through this link you gave me, thanks a lot
18:12 < Alanius> :)
20:33 < Ketamine_> Just getting into the game, anything greatly appreciated. Pweeese.
--- Log closed Sun Jan 26 00:00:59 2014
--- Log opened Sun Jan 26 00:00:59 2014
04:20 < jtimon> yo
04:21 < jtimon> yolandi
04:21 < jtimon> ninja
08:35 < azariah4> stumbled over the ethereum white-paper, interesting stuff
08:35 < c0rw1n> it was elusive about some technical details last time i checked
08:36 < azariah4> what do you think about its turing-complete "scripts" ?
08:36 < c0rw1n> that's the thing. there's a very good reason bitcoin script isn't turing-complete
08:36 < qwertyoruiop> c0rw1n++
08:37 < c0rw1n> and the ethereum paper didn't say how they solved it
08:37 < c0rw1n> (last time i checked)
08:38 < brisque> there's something about the transaction fee being charged for the number of operations a script takes.
08:39 < Ursium> my understanding (and I'm going to walk on eggshells here) is that they solved it by limiting the opcodes to the strict minimum, meaning it won't be possible to build anything that could lead to disaster
08:39 < c0rw1n> i think if you could get fees on the computing of turing-complete scripts, you could mine on that
08:39 < Ursium> operations are expensive, and the instruction set very limited
08:39 < brisque> logically every single node has to execute the scripts, so they can't be particularly complicated.
08:40 < c0rw1n> um not necessarily
08:40 < c0rw1n> you could zkp the running of scripts
08:40 < azariah4> talk about a new type of incentive for optimization, hehe, not for cycles or mem but for fees on a blockchain
08:41 < brisque> bitcoin already restricts its scripts just by virtue of their size. bigger transaction leads to more fees.
08:42 < brisque> c0rw1n: maybe I've missed something, but wouldn't nodes need to know the output of a transaction to conclude if a block is valid or invalid?
08:44 < c0rw1n> the output yes
08:46 < brisque> how would you get there without executing it?
08:48 < sipa> give a zkp of the evaluation
08:48 < azariah4> seems ethereum scripts will require a fee for every 16 instructions
08:48 < c0rw1n> which is a way to go about that
08:48 < Ursium> azariah4: a fee per step AFTER 16 more like ;)
08:49 < azariah4> Ursium: oh right!
08:50 < adam3us1> there is a thread about turing complete on bct https://bitcointalk.org/index.php?topic=431513.0
08:50 < azariah4> ah, seems the fee structure is more complicated
08:51 < azariah4> 1x fee for each instruction after the first 16, but crypto operations cost 20x fee each
08:51 < adam3us1> anyone have gmaxwell grey goo bct url?  (bad implications of covenants)
08:51 < azariah4> and different logic for storage
08:51 < sipa> how do they enforce fees? at the consensus level, or local policy?
08:51 < azariah4> adam3us1: thanks for the link
08:52 < adam3us1> ah got it https://bitcointalk.org/index.php?topic=278122.0 gmaxwell on how you get grey goo from even the simplest one opcode mistake on current bitcoin (never mind TC byte code stateful, looping, full generic)
08:53 < adam3us1> sipa: i think fees are enforced by all validators executing them, but only financially benefit successful miners
08:54 < sipa> adam3us1: how is the exchange rate set?
08:54 < adam3us1> note it's balance based and a script "owns" and defends value, and can originate transactions from its logic and balance with no input transaction
08:54 < adam3us1> sipa: it's an alt with its own mining race :) vitalik's own personal one.  i asked him in person if he's gone to the dark side, and he smiled and chuckled as an answer :)
08:55 < sipa> i know that
08:55 < azariah4> sipa: "The coefficients will be revised as more hard data on the relative computational cost of each operation becomes available."
08:55 < azariah4> they mention two ideas in the current version of the paper
08:55 < sipa> but i'm asking at what level the fee structure is enforced
08:55 < adam3us1> sipa: exchange u mean ^^ variable cost of exec
08:56 < sipa> bitcoin only does it as a policy, as you cannot fix the cost of fees in the consensus rules
08:56 < adam3us1> sipa: i think the enforcement stems from miners.  the miners define the correct interpretation and execution of the script.  and their execution is defined in part by the interpreter cycles from the fees
08:56 < sipa> miners have the same validation as other nodes
08:56 < adam3us1> sipa: oooh.  now i get you.
08:57 < adam3us1> sipa: i was thinking that they just set an arbitrary baked per cycle fee, but that doesn't work in a floating value coin
08:57 < sipa> and the only way paying for validation can work economically, is when validation work is limited per block as a consensus rule
08:57 < sipa> as miners have an incentive to fill up whatever is allowed in a block (they are paid, the rest isn't)
08:58 < azariah4> adam3us1: they mention setting it partly based on difficulty, which is one measure of the value of the coin
08:58 < adam3us1> sipa: gmaxwell was pointing out that if there is even one instruction diff in interpretation it could lead to a hard fork so having that fee be dynamic / loose could be undesirable
09:02 < adam3us1> sipa: i was also wondering like what if the cycles (for all contracts in block) go above the CPU resources of some nodes, so they can't keep up with validation.
09:02 < adam3us1> sipa: maybe that's what you were saying "only way paying for validation can work economically, is when validation work is limited per block as a consensus rule"
09:02 < sipa> adam3us1: that is why full nodes need to demand a network rule that limits it
09:03 < sipa> otherwise they are voting themselves out of the electorate
09:10 < adam3us1> sipa: so if the maximum cycles are voted on via some rolling avg by consensus, that can't be an integer or someone will put maxint in there? so then what a proof cpu resources in the interval?  then maybe someone uses a compute farm to jack up the max cycles.  so then a non-parallelizable Pow?  then someone uses dozens of liquid cooled 5ghz boxes (or nitrogen 6ghz).  there is a financial motive to exclude
09:11 < sipa> adam3us1: define 'voted'; who votes?
09:11 < adam3us1> sipa: maybe they put a human chosen cap at some comfortable level for avg desktop/ultrabook hw
09:11 < adam3us1> sipa: miners, by putting their pref for max cycles as a field in coinbase?  (i am trying to understand how this policy and rate could be set)
09:12 < sipa> no, not miners!
09:12 < sipa> miners are the ones who have the incentive to raise the limits
09:12 < sipa> it's the rest of the nodes that need the limit exactly to keep miners in check
09:13 < adam3us1> sipa: to exclude other miners yes.  but there is no non sybil voting without pow itself, and miners concentrate and build asic for any and all pow long term
09:13 < sipa> to exclude other miners, or just to maximize their own fee income
09:14 < sipa> it's non-mining nodes that need to demand rules which prevent that
09:14 < adam3us1> sipa: by being the only cloud miner with fast cpu to even execute and collect fees
09:15 < adam3us1> sipa: so eg then non-miners have a default sanity limit something simple for a 1ghz machine to keep up with
09:15 < sipa> well, that is what bitcoin has: a 1 MB limit on blocks, and a 20k sigop limit in it
09:15 < sipa> which means you have a guaranteed way of being able to keep up
09:15 < adam3us1> sipa: yes i was thinking it's analogous to limit.  but in this case if it's over
09:16 < adam3us1> sipa: then some nodes would reject it as too many cycles by policy?
09:16 < sipa> not policy, this needs to be a consensus rule
09:16 < adam3us1> sipa: but how do u reach consensus without hash power...
09:16 < sipa> by fixing it
09:16 < sipa> in the rules, at the start of the system
09:17 < adam3us1> sipa: ok yes then so like some max ins / block target interval that a 1ghz machine can easily keep up with
09:17 < sipa> and do a hard fork if there is wide consensus (among humans using the system) that it can be changed
09:17 < sipa> i don't believe it is a problem you can solve technically inside the consensus system
09:17 < azariah4> one issue is that how efficiently hardware can compute the ethereum "script" language may not relate to how efficiently it can hash the blocks
09:18 < azariah4> so it might not be possible to have a consensus rule which is based on making the fee multiple inversely proportional to square root of hashing difficulty, as they mention
09:18 < adam3us1> sipa: yes.  another issue fairness between competing scripts. these contracts are like programs that run whenever an instrument of a given type are transacted.
09:19 < adam3us1> the contract program has persistent state and can react to user transactions invoking it and originate transactions from the script code
09:20 < adam3us1> drawing on script managed funds, or user supplied inputs.
09:25 < azariah4> the potential for grey goo is very interesting
09:27 < adam3us1> azariah4: i am (pure speculation) assuming its why there is no extrospection (ie ability for the script to lexically examine the script of the output address to enforce terms on it)  i think gmaxwell called that a covenant in the link above
09:28 < adam3us1> azariah4: (in existing bitcoin script)
09:30 < adam3us1> azariah4: i think extrospection or covenants are potentially dangerous because they could spread virally through the coins.
12:21 < amiller> the ddos behavior to implement seems straightforward to describe too
12:22 < andytoshi> do we have a simulator yet? there was some serious bounty..
12:22 < amiller> so what i'd expect is that the ordinary algorithm gets horribly overloaded by easy ddos
12:22 < amiller> we have a simulator that i think is lovely and i'm pissed because kjj doesn't want to pay it and no one else has chimed in
12:22 < amiller> https://bitcointalk.org/index.php?topic=326559.0
12:23 < iddo> pay it?
12:23 < amiller> call the bounty claimed
12:23 < amiller> kjj first posted the bounty i mean
12:23 < iddo> ahh
13:28 < _ingsoc> Chicago has given up. :(
13:29 < sipa> ?
13:47 < avivz78> hi :-)
13:51 < _ingsoc> sipa: -!- Chicago [~Chicago@2001:558:6033:ff:4450:74c5:b55:35d3] has quit [Quit: Leaving]
13:51 < _ingsoc> It was a lame joke.
13:59 < andytoshi> sigh, i bought in at 1050, was gonna just hold indefinitely
14:00  * andytoshi takes a 20% bath
14:03 < andytoshi> sorry, wrong channel
14:36 < Emcy> enjoy your haircut andytoshi
14:52 < warren> perhaps this channel should require login too
14:52 < warren> -dev has improved
14:53 < Emcy> just keep it on the dl
14:54 < warren> Emcy: too late for that
14:55 < Emcy> well i've never told anyone.......
14:55 < Emcy> never knew if this room was supposed to be quiet
14:55 < warren> quiet isn't the goal.  relevant is.
14:57 < Emcy> i thought this was the place where we do some blue sky thinking, generate some thought showers and synergise dem paradigms
14:57 < maaku> Emcy: you tell people privately, when you think it'd benefit the channel for them to be here
14:59 < maaku> am I blind or does this new paper not actually address any of the scalability concerns which necessitate a long interblock time?
15:02 < andytoshi> maaku: its premise appears to be that long interblock times are needed to prevent permanent forks due to the block rate being faster than the network speed
15:02 < andytoshi> and they fix that specific problem by using the forks to determine which block to mine on
15:03 < maaku> so ignorance, it seems
15:03 < maaku> someone should invite them here
15:04 < andytoshi> might be worthwhile, there was a conversation a bit earlier where gmaxwell pointed out a simple dos attack
15:04 < andytoshi> and it seemed to me that any attempt to fix it short of just throwing out the whole idea, would cause forks to happen
15:06 < maaku> there's all sorts of DoS vulnerabilities and bad incentive structures that emerge when you lower the interblock time to 1 second
15:07 < maaku> doesn't stop "most-work chain of the most-work tree" being a possibly good heuristic though
15:07 < maaku> but as usual with academic papers, there are claims blown way out of proportion :(
15:08 < andytoshi> well, it does because if you don't factor in depth then you can DOS people by sending them millions of low-difficulty blocks at some early point in the tree
15:08 < andytoshi> and they have to keep them around, just in case they wind up totalling more than the "real" chain
15:08 < andytoshi> maaku: yeah, and the forum posts are absurd
15:11 < maaku> andytoshi: no, they don't have to keep them around because there doesn't have to be global consensus on the forks
15:11 < maaku> they just decide locally how many they want to keep around
15:12 < maaku> and garbage remove the rest
15:12 < andytoshi> but then you've got different nodes making different decisions about what's garbage, and they'll wind up with permanently divergent views of the blockchain
15:13 < maaku> permanently? no
15:13 < maaku> temporarily, yes, but it's no different than when a fork occurs now, and nodes stay on the most recently heard block
15:14 < andytoshi> here all forks are involved in the decision as to what is the definitive chain
15:14 < maaku> yes, and eventually the chain with the most hash power behind it will overcome all those itsy bitsy forks
15:15 < maaku> this new GHOST algorithm just makes nodes a little bit more sticky to the forks which have been surpassed but nevertheless appear to have more work going into them
15:15 < andytoshi> ok, but until then, the DOS'd node needs to keep all the forks around
15:15 < maaku> why?
15:16 < andytoshi> because the node doesn't know that the chain with the most hashpower will overcome the forks
15:16 < andytoshi> or if it does, that it'll continue to overcome
15:16 < maaku> so what?
15:16 < andytoshi> so how does it decide what's garbage and what's not?
15:16 < maaku> all forks are garbage
15:17 < maaku> this is just a mechanism for using the information represented by those forks to more smartly choose the fork that is more likely to win
15:17 < andytoshi> then what happens when the node gets confused about what's the longest chain? then the main chain is decided to be garbage and the node never gets back on track
15:17 < maaku> but if you end up being wrong, it'll end up being because there was more power behind a different fork, and you will self-correct
15:18 < andytoshi> if you're using information from the forks, you need to hold the forks
15:18 < andytoshi> if you're using information from the forks, and you are picking-and-choosing which ones to keep, you will make decisions differently from other nodes
15:18 < maaku> *and that is not a problem*
15:18 < andytoshi> and if you keep them all, you get DOS'd, if you keep none of them, you have bitcoin
15:18 < maaku> you already make decisions differently from other nodes
15:19 < maaku> when you receive an orphan block, you choose the block you already have
15:19 < maaku> that's based on local knowledge, namely the arrival times of the two blocks
15:19 < maaku> which are different from node to node
15:19 < andytoshi> yes
15:19 < maaku> this is no different than when a GHOST protocol node chooses which orphan forks to keep around for
15:20 < maaku> you can't get permanently stuck on a fork because you have a few orphans lying around
15:20 < maaku> not unless someone is using more nethash than the entire network to create those orphans
15:20 < maaku> in which case this is another instance of the 51% attack
15:20 < andytoshi> the problem is that you don't know if somebody has more nethash than the entire network
15:21 < maaku> andytoshi: again, so what. that describes bitcoin currently
15:22 < andytoshi> in bitcoin currently if i start spamming you with orphans, you can ignore them until i send you one containing a higher POW than your current best chain
15:22 < maaku> <andytoshi> the problem is that you don't know if somebody has more nethash than the entire network
15:22 < maaku> ^^ that's nothing more than the majority-nethash attacker scenario
15:22 < andytoshi> whereas here you might be receiving orphans from many parties, none of whom individually have enough POW to overcome the main chain
15:23 < maaku> which already trivially defeats bitcoin
15:23 < avivz78> mmmm Hi guys
15:23 < avivz78> seems like you're talking about our paper?
15:23 < maaku> yes
15:23 < andytoshi> hi avivz78, yes
15:23 < avivz78> (was away at another window)
15:23 < avivz78> I'd be happy to respond / discuss
15:24 < avivz78> can someone explain to me how bitcoin proposes to handle low difficulty ddos attacks?
15:24 < andytoshi> my concern is that because you're using entire subtrees to determine the best chain, and spam subtrees can be created to be very large (e.g. by spamming many low-difficulty blocks at the same height), this exposes the network to dos attacks
15:25 < maaku> avivz78: I think it's a great idea, albeit derivative of unpublished work that's been thrown around here. You've gone further than anyone in formalizing it though.
15:25 < andytoshi> partially, the checkpointing mechanism
15:25 < avivz78> As I see it, bitcoin has to handle this too
15:25 < maaku> avivz78: can you explain "low difficulty ddos attacks" (there's more than one thing you could be referring to)
15:26 < andytoshi> well, it is hard to create enormous fraudulent individual chains
15:26 < avivz78> \msg avivz78 mmm
15:26 < avivz78> nope
15:27 < avivz78> I'm on a web client not sure I can privatemessage
15:27 < avivz78> andy - isn't it just as hard to create large fraudulent trees?
15:27 < _ingsoc> azariah4: Can we contact you via e-mail?
15:28 < andytoshi> avivz78: not quite, because you can avoid difficulty increases by staying at low depth
15:29 < maaku> avivz78: yes it is just as hard, that's what I was trying to tell andytoshi
15:29 < maaku> andytoshi: most-work, not longest
15:29 < andytoshi> yes, i understand that
15:33 < andytoshi> what i'm saying is that as long as there are low-diff blocks coming in, you don't know how big the tree is going to grow to, so you have to keep them all around
15:33 < andytoshi> but i'm not clear on how bitcoin solves this problem
15:33 < andytoshi> aside from checkpointing, which is a kluge
15:34 < andytoshi> so i guess, i tentatively cede my point
15:34 < andytoshi> sorry guys :}
15:34 < avivz78> I think these are all the same issue basically. I'd certainly like to learn a bit more about this as well.
15:36 < maaku> avivz78: my larger concern is the public perception. this new algorithm helps alleviate some of the pressure of shorter interblock times, but that has approximately nothing to do with transaction volume
15:37 < maaku> which has more to do with validation and propagation times
15:38 < avivz78> both have the same effect
15:39 < avivz78> larger blocks imply more propagation time, imply more orphans
15:39 < avivz78> higher block rates imply more orphans too
15:39 < avivz78> We make the connection in the paper
15:39 < avivz78> most of the first half of the paper is about scalability alone. GHOST comes in at section 8
15:39 < Emcy> 1 second blocks?
15:40 < maaku> no, larger blocks come with efficiencies that aren't seen with smaller, more frequent blocks
15:42 < avivz78> like what?
15:42 < avivz78> (besides the headers)
15:42 < maaku> batch validation
15:55 < petertodd> adam3us: for professional contexts, non-repudiation+encryption is what's generally needed, as well as logging, and key recovery...
15:55 < petertodd> adam3us: (or at least, what they have to claim is needed!)
15:56 < gmaxwell> adam3us: wrt the link. One detail is that if Alice signs the symmetric key it proves that alice communicated using that symmetric key.  If instead you have a construction where you do an Alice.Bob ECDH, with no signing, then Bob can't prove that alice ever sent a message at all... which is slightly stronger.
15:56 < petertodd> adam3us: see, repudiation + timestamping could be an interesting mix legally, as the timestamp will often be non-repudiation evidence, yet it's something anyone can apply
15:57 < gmaxwell> petertodd: sure, the world is complicated, but the crypto should never make you _worse_ off.
15:57 < gmaxwell> and generally adding non-repudiation where you didn't think it was there and didn't want it at least theoretically makes you worse off.
15:58 < petertodd> gmaxwell: right, but that's not a consideration when a company decides whether or not they want to pay PGP-corp a bunch of money - they want to tout their better security, and in corporate environments you usually (publicly) want non-repudiation
15:58 < gmaxwell> Oh and fwiw, as far as the logs on my computer are concerned, you're all underground drug dealers. I forge logs locally when I'm bored. Sorry.
15:58 < petertodd> gmaxwell: heh, I timestamp mine
15:58 < petertodd> gmaxwell: (it's a pain in the ass constantly having to make forged ones though)
15:58 < Emcy> thanks greg
15:59 < adam3us> gmaxwell: yes.  that sounds better.
15:59 < petertodd> Anyway, there's room for both, so I support the new PGP "private-sign" option that I'm sure someone will implement Real Soon. :)
16:00 < gmaxwell> yea, I am certainly a fan of non-repudiation existing. Heck, I used it 24 hours ago... we use it for software releases. It's useful.. just not usually what we want for email.
16:01 < petertodd> gmaxwell: and I used encrypted and signed non-repudiation for the ltc security audit, and some other still-private stuff like it
16:02 < gmaxwell> I also think non-repudiation should almost always be coupled with timestamping just as a norm. Otherwise you can repudiate too easily by 'losing' control of your private key, thats harder if you have timestamps.
16:02 < adam3us> gmaxwell: it seems like a ringsig in effect. saw you said ring sig above so probably you said that.  colin plumb had another one involving xor and rsa keys with same effect.
16:03 < petertodd> gmaxwell: indeed - I probably have the only crypto authenticatable copy of jdillon's emails for instance, and to prove the timestamps would take some munging around in git and some privacy exposure due to how git works internally
16:04 < petertodd> Anyway, main sticking point there for me personally to implement that is there's no decent OpenPGP libraries out there, other than Bouncy Castle, and I know nothing about Java.
16:09 < tromp__> have any of you read up on the Cuckoo Cycle PoW?
16:09 < nsh> (on the subject of crypto and legality: i'll be violating a (UK law) RIPA s.49 order 'requiring' disclosure of decryption keys on Friday midday under penalty of two years imprisonment, in theory.)
16:09 < petertodd> tromp__: it's not asic hard at all
16:09 < petertodd> nsh: ?
16:09 < tromp__> how wld an asic get a speedup?
16:10 < petertodd> tromp__: you're asking the wrong question - we don't care about speedups, we care about cheaper running/overall costs
16:10 < nsh> petertodd, just some... silliness -- but it will probably lead to some interesting courtroom arguments somewhere down the line, if they choose to push it
16:11 < nsh> ( https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom )
16:11 < petertodd> nsh: huh, is the case public?
16:12 < nsh> the UK case isn't public as i haven't been charged, but some idiots in virginia have charged me. if you google "nsh indictment" there's a couple of pdfs on justice.gov
16:12 < nsh> (i can't talk about allegations, etc.)
16:13 < tromp__> i don't see how an asic wld run much cheaper. it would need to have GBs of memory
16:13 < petertodd> nsh: ha, good luck
16:13 < petertodd> tromp__: again, you're asking the wrong question. What drives running costs?
16:14 < tromp__> cost of RAM
16:14 < nsh> thanks :)
16:14 < petertodd> tromp__: no, power
16:14 < tromp__> no, not for a latency constrained pow
16:14 < petertodd> tromp__: cuckoo is parallelizable
16:14 < nsh> tromp__, you have to think about scaling as a function of the amount of work you want to do. eventually it's always power
16:14 < nsh> as the other costs don't scale with work
16:14 < tromp__> it's not parallelizable
16:15 < tromp__> read the paper to see how it detects cycles
16:15 < petertodd> tromp__: physically speaking memory has lots of long wires all over the die, and since cuckoo is parallelizable your best implementation will shorten those wires with special-purpose "routers" that pass around incomplete cuckoo attempts between those memory cells until it finds a cycle that works
16:16 < petertodd> tromp__: I have read that paper, either you make cuckoo not efficiently verifiable, or you make it parallelizable
16:16 < tromp__> it's trivially verifiable, and not parallelizable
16:16 < petertodd> tromp__: thing is that architecture is totally custom, yet will reduce power because driving a short wire uses less energy than a long one
16:16 < petertodd> tromp__: look, just saying that doesn't make it true
16:17 < tromp__> how would you parallelize it?
16:17 < petertodd> tromp__: simple, use the same block of memory and have multiple attempts at finding a cycle go on at once
16:18 < tromp__> you cannot do that. all the memory must be used for a single attempt
16:18 < petertodd> tromp__: get a pad of grid paper out and draw a big block of memory, and think what happens on each step of the cycle, and quite literally how to physically get that information to the part of the memory for the next step in the cycle
16:18 < petertodd> tromp__: either you use all the memory for an attempt, and it's not efficiently verifiable, or you don't, and it's parallelizable
16:18 < tromp__> you have not understood the paper
16:19 < petertodd> tromp__: ok, explain to me what you think happens
16:19 < tromp__> 1st of all, its trivially verifiable because you just generate the 42 edges and check they form a cycle
16:20 < tromp__> this is what my verify.c does
16:20 < petertodd> tromp__: ok, so lets get into detail: what does generating those edges mean exactly?
16:20  * nsh (is silently auditing this conversation)
16:20 < tromp__> compute hash(header||nonce)) and extract the two endpoints from it
16:20 < petertodd> nsh: for quality I hope
16:21 < petertodd> tromp__: right, and how much data does that need?
16:21 < tromp__> header and 42 nonces
16:21 < nsh> (my edification mostly, not really qualified to assess the quality except through my own lens, darkly)
16:22 < petertodd> tromp__: right, how does the verifier know the nonces are valid? because they form a cycle right?
16:22 < tromp__> because the corresponding edges form a cycle
16:22 < petertodd> tromp__: exactly
16:23 < petertodd> tromp__: ok, so lets look at how you find those edges: map a given edge location to a address in memory associated with a nonce, and keep searching until you find a cycle right?
16:23 < tromp__> not at all
16:23 < petertodd> tromp__: ok, so explain to me
16:23 < tromp__> you maintain the directed cuckoo graph
16:24 < petertodd> tromp__: yes, and where is that graph stored?
16:24 < petertodd> tromp__: (and how?)
16:24 < tromp__> in a huge array
16:24 < tacotime_> Is this anything like hamhash?
16:24 < tromp__> 32 bits per node
16:25 < petertodd> tromp__: ok, so addr:nonce?
16:25 < petertodd> tromp__: (32-bit nonce)?
16:25 < tromp__> no; nonces are not stored
16:25 < tacotime_> http://jones.math.unibas.ch/~massierer/theses/massierer-hons.pdf
16:25 < tromp__> they're forgotten to save memory
16:25 < petertodd> tromp__: ok, so what is in that array?
16:25 < tromp__> only the directed cuckoo graph is maintained
16:25 < petertodd> tromp__: but lets get into detail, what is in that array?
16:26 < tromp__> pls read the latest write-up, it has some expanded sections from the first writeup
16:26 < tromp__> ok the array has N0+N1 slots
16:26 < tromp__> cuckoo[i] points to the alternate slot that a key could occupy
16:26 < petertodd> tromp__: the writeup at eprint.iacr.org/2014/059.pdf?
16:26 < tromp__> yes
16:27 < petertodd> tromp__: right, that's the one I read
16:27 < tacotime_> Thanks.
16:27 < tromp__> if a nonce generates edge (i,j), then you have to end up setting either cuckoo[i] = j, or cuckoo[j] = i
16:27 < petertodd> tromp__: yeah
16:28 < tromp__> but the algo also checks if this edge is forming a cycle
16:28 < petertodd> tromp__: so my point is, you keep modifying that array until the path through it forms a cycle
16:28 < petertodd> tromp__: or, you keep guessing new nonces until it does
16:29 < tromp__> but when you dont form a cycle, you still need to reverse a path from either i or j to the endpoint
16:29 < petertodd> what do you mean by "reverse a path"?
16:29 < tromp__> reverse the direction of each edge on the path
16:30 < tromp__> which corresponds to each key displacing the next n cuckoo hashing
16:30 < tromp__> n->in
16:30 < petertodd> tromp__: how does the PoW verifier know that I did that? IE why does reversing it matter?
16:30 < tromp__> the verifier doesnt care HOW you found the cycle
16:31 < tromp__> it just happens that cuckoo hashing is the seemingly most efficient way to find cycles
16:31 < petertodd> tromp__: exactly, so I assume this reversing thing must have a performance advantage
16:31 < tromp__> you need to reverse in order to be able to store the edge (i,j)
13:37 < gmaxwell> The press is actually really poor at this whole investigation thing, so it's actually pretty easy to send them off on a tangent
13:38 < gmaxwell> there are a couple other "is xxx satoshi?" questions that come up only from actually thoughtful people, and I always quietly advise them that such suggestions could only bring unhappiness to their targets.
13:40 < gigavps> amiller wow, crazy find
13:40 < amiller> it's pretty clearly unrelated
13:41  * nsh nods
13:41 < maaku> to someone who knows japanese, the names are not actually very related at all
13:41 < amiller> it's not even a proper anagram, it's missing a T
13:42 < pigeons> stop ruining my news story with facts
13:43 < gmaxwell> amiller: I like the OWAS paper posted to the forum with the awesome japanese sounding anagram name on it.
13:48 < maaku> "satoshi nakamoto" is something like "wisdom/cleverness middle/core-truth"
13:48 < maaku> so obviously a pseudonym given what we know of him/her/them
13:49 < maaku> whereas naoshi sakamoto has meaning related to honest intent & sloping hills
13:51 < maaku> only one kanji is shared, and not a very meaningful one
14:08 < jtimon> what kanji, maaku?
14:10 < jtimon> by the way, talking about eastern culture? Do any of you like chess? Go is older and better
14:10 < jtimon> machines still get humiliated by humans at go
14:11 < jtimon> I had a plan to fix that...but then I discovered bitcoin
14:12 < jtimon> neural networks trained by genetic algorithms will beat go pros
14:13 < jtimon> but programmers are still using monte-carlo
14:13 < jtimon> sorry guy for speaking alone...
14:23 < maaku> jtimon: the "moto", which means book, but in this context something more like truth
14:23 < maaku> jtimon: the problem with go is combinatorial explosion
14:24 < maaku> an evolutionary neural network approach alone won't solve that problem
14:31 < maaku> you'd need some sort of hierarchical planner that uses heuristics that could be genetically evolved
15:10 < jtimon> maau a neural network is normally trained with a training set with inputs and desired outputs
15:10 < jtimon> maaku
15:10 < jtimon> there's no expert that can feed that training set because of combinatorial explosion
15:11 < jtimon> but genetic algorithms can explore any space
15:12 < jtimon> it's just a matter of time
15:12 < jtimon> and well/
15:12 < jtimon> ...
15:12 < jtimon> the adversary
15:13 < jtimon> you could start with any montecarlo machine and when you beat it start using also your own individuals as benchmark
15:14 < jtimon> what kanji is moto and means book?
15:30 < maaku> well the search space is too big, even for a genetic algorithm
15:31 < maaku> which is why you'd need some sort of layering heuristic architecture (the hierarchical planner), which the evolutionary genetic search and then optimize
15:31 < maaku> hold on i don't have kanji input on this vm
15:33 < maaku> it's only "moto" in names though
15:33 < maaku> it's typically read "hon"
15:35 < Lifeofcray> go is for chumps
15:37 < jtimon> no, no planner, that won't work for go
15:38 < jtimon> Lifeofcray have you played?
15:38 < jtimon> genetic algorithms have all the eternity to play
15:39 < jtimon> and improve
15:39 < jtimon> humans have to eat and sleep
15:39 < maaku> jtimon: why's that? (be warned, this was the subject of my uncle's Ph.D thesis, so I know it pretty well)
15:39 < maaku> the planner i mean
15:39 < jtimon> well, there's like three phases in go
15:40 < jtimon> initiation middle and ending
15:40 < jtimon> in the finishing deep blue would be good
15:41 < jtimon> in the other two phases humans train their intuition
15:41 < jtimon> what they study
15:41 < jtimon> are general patterns and heuristics
15:41 < pigeons> yeah i'm learning go, its fun
15:41 < gmaxwell> I like connect-6
15:41 < jtimon> but when you study them they're isolated, not in the middle of a real game
15:42 < jtimon> planners are based on expertise, that sucks
15:42 < jtimon> specially for go
15:43 < jtimon> what's your uncle's thesis?
15:58 < andytoshi> is there a list somewhere of the incentive problems in bitcoin?
15:58 < andytoshi> eg no incentive to IBD or relay transactions
15:59 < gmaxwell> except there are incentives, just not inside the system. as evidenced by the fact that people do do these things today.
16:00 < gmaxwell> maybe not _enough_, but thats a more subtle question.
16:39 < andytoshi> it occurs to me that if block relaying was not getting done, it would be a good candidate for probabilistic payments
16:39 < andytoshi> and there is no reason that would need to be built into the network
16:41 < petertodd> gpg-agent --daemon --enable-ssh-support --use-standard-socket --write-env-file /home/pete/.gpg-agent-info
16:41 < petertodd> gah, thinkpads have shit design...
16:42 < petertodd> who puts keys such that brushing the edge of the laptop presses them?
18:41 < midnightmagic> petertodd: Acer does that too. It's incredibly irritating, because some of the buttons are pure touch and it's not clear they're actually buttons.
18:42 < midnightmagic> "If you touch your hand over here, the dvd drive pops out and the whole machine turns into a media desktop."
18:42 < midnightmagic> "Unfortunately you have to touch your hand here to type.. so.. "
21:17 < phantomcircuit> gmaxwell, who is it that wrote bitrated.com ?
21:17 < phantomcircuit> they might want to put a note on the "Offer Arbitration" page that it's illegal to offer those services to people in CA/Idaho
22:41 < andytoshi> phantomcircuit: it is shesek
22:41 < phantomcircuit> i noticed he says it's not escrow
22:42 < phantomcircuit> so technically it might not be illegal in ca/idaho
22:42 < phantomcircuit> but that's a question for a lawyer
22:42 < phantomcircuit> (an expensive one)
22:50 < andytoshi> yeah, it's a really neat question actually
22:50 < andytoshi> legally
22:50 < andytoshi> it would probably be precedent-setting if it went to court under escrow laws
23:00 < phantomcircuit> andytoshi, the closest analogy i can think of would be a trust account held by an attorney in which m of n parties can authorize a transfer
23:01 < phantomcircuit> attorneys (hilariously) ignore escrow laws in ca which as far as i can tell is totally illegal
23:01 < andytoshi> if an actual account existed i can see that being an escrow..
23:01 < andytoshi> interesting
23:01 < phantomcircuit> when i've brought it up i got a very handwaivey response that amounted to "that's different"
23:01 < andytoshi> no kidding
23:03 < phantomcircuit> maybe i'll try it on someone who doesn't do trust accounts anymore due to them being a pain in his ass
--- Log closed Wed Dec 04 00:00:30 2013
--- Log opened Wed Dec 04 00:00:30 2013
00:25 < amiller> omfg i think i finally get the key trick in this paper
00:25 < amiller> gmaxwell, you know how we've been stuck trying to actually do iddo's protocol
00:26 < amiller> because you can't do math on more than 4 byte numbers
00:26 < amiller> and you need to draw more than 4 bytes of randomness to actually get any security?
00:26 < amiller> they get around this in a clever way we totally missed.....   you actually take the SIZE of a string as a choice within a really small range
00:27 < amiller> in other words, each party picks their own number, 0, 1, or 2.... and for which ever number they choose, call it i, then they choose a random string of 20+i bytes
00:27 < amiller> and hash that
00:28 < amiller> i'm pissed we didn't come up with that.
00:30 < amiller> aldfaslkdjfaklj
05:14 < Mike_B> hey gmaxwell
05:15 < Mike_B> has there ever been anything published about the behaviors of various money supplies under different circumstances (mining reward halves every x years vs mining reward never halves vs demurrage vs etc)
05:15 < Mike_B> and also factoring things like expected loss of coins
05:15 < Mike_B> i just got in a discussion with keenanpepper in a different channel and it's an interesting thing to analyze
05:17 < Mike_B> i think it works out to basically the convolution of an accumulation function (with a delta function every time new money is created) and a "retention function" (something like u(t)*d^-t where u(t) is a step function and d is a real 0<d<1 specifying decay)
05:17 < Mike_B> i dunno if this is all well-known or whatever
05:17  * Mike_B is totally new to the scene
05:18 < Mike_B> props to keenan for figuring out how to deal with some of the diff eq problems that arise
07:56 < petertodd> amiller: stupidly clever 'eh?
07:57 < petertodd> amiller: I'm really impressed by that trick
08:27 < nsh> hmm?
08:27 < nsh> what trick, petertodd?
08:28 < gmaxwell> petertodd: apparently someone else figured it out, mike linked to a txn using it.
08:29 < gmaxwell> I'm surprised I hadn't noticed the txn before, it's a mess of opcodes used nowhere else on the network.
08:29 < gmaxwell> nsh: how to do a gambling transaction
08:29 < nsh> between two parties? like iddo's committed coin-toss?
08:31 < gmaxwell> right.
08:31  * nsh nods
08:33 < nsh> i wonder if you can use this mutual-deposit-recovery process to create de-facto socially/economically guaranteed timelock encryption
08:33 < nsh> (in the process of everyone recovering their locked funds they reveal the partial information required to decrypt something)
08:33 < gmaxwell> phantomcircuit: shesek has legal advice that says its not an escrow. Who knows.
08:57 < iddo> gmaxwell: i think that my first coin toss protocol doesn't work, and only Adam's improved protocol works, because it said that Alice creates txn that takes equal amount of coins from Alice and Bob as input, so when Bob signs the refund txn for it, he only sees the hash, so Alice can cheat by getting Bob to sign refund that spends all the coins to her address?
08:58 < iddo> or maybe i'm missing something regarding the hash of a transaction?
08:58 < iddo> Adam's protocol works for sure, because it's a refund for coins that belong only to Alice
23:05 < realazthat> well, I'll keep the Q&As I have answers to
23:05 < realazthat> and post them somewhere
23:05 < realazthat> I have some additional Q&As to ask
23:06 < realazthat> so these are the options: 1. make a Q&A time in #bitcoin-dev, 2. direct eli to the ML 3. start a forum thread, direct him to join
23:07 < realazthat> additionally, start a projects/applications list
23:07 < amiller> i say start with the projects/applications list
23:07 < realazthat> eli himself is interested in such a list :D
23:07 < realazthat> such ideas are golden
23:07 < amiller> he wouldn't be able to prepare one himself though, i doubt he's familiar enough with bitcoin jargon or bitcoins needs
23:08 < amiller> from my point of view the big whammy is to validate the whole blockchain all in one snap he seems to get that too
23:08 < realazthat> well, I meant a general SCIP applications list, but yeah, it has a lot to do with a network like bitcoin
23:08 < amiller> but there are also other cool applications that i think gmaxwell understands the best
23:08 < realazthat> mmm gmaxwell has a BIP on that
23:08 < realazthat> to make spend-outs to things that can verify the done a program
23:08 < realazthat> they*
23:09 < realazthat> also, it becomes possible, possibly, to make a bitcoin-like currency that does arbitrary useful work
23:09 < amiller> so i think he's highly unlikely to be able to devote any engineering attention to telling us what applications are helpful for bitcoin and especially not understanding how to implement them in bitcoin
23:09 < realazthat> and even trades in useful work for currency
23:09 < amiller> for that matter i'm not even sure how to make progress in bitcoin with researchy ideas
23:09 < realazthat> right
23:09 < amiller> although that's the topic of this here channel
23:09 < amiller> you can't just say hey we're gonna put this in bitcoin
23:09 < realazthat> when I addressed him, it was wrt applications in general
23:09 < amiller> but it also is shit to say it's just an altcoin
23:10 < amiller> so the question is always what's a good way to go about building proofs of concept that are interesting because they're relevant to bitcoin and may in some wacky future be meaningful to bitcoin and so it's worth trying them out and keeping this community informed about them
23:10 < realazthat> well I'd love to see some of this directly in bitcoin, ie. mining via useful work, but its huge changes
23:11 < realazthat> but gmaxwell's BIP can be done
23:11 < realazthat> also, blockchain verification can be done
23:11 < realazthat> but PoC is always good :D
23:12 < amiller> zerocoin was pretty successful right people enjoyed it
23:12 < amiller> that was just a simple fork of bitcoin that had some bare minimum implementation of the cryptosauce and it validated a few thousand blocks and such
23:12 < realazthat> mmm cool
23:12 < amiller> so it's like similar in spirit to bitcoin, it's not like "launched" as an altcoin with a bunch of bullshit marketing and trying to get people to buy it
23:12 < realazthat> ah yeah
23:12 < realazthat> I have negative views of the altcoins
23:13 < realazthat> except namecoin
23:13 < amiller> right.
23:13 < realazthat> because it actually has a use
23:13 < amiller> so what would be nice is if we can support researchers creating arbitrary little forks
23:13 < amiller> perhaps we could help them maintain testnets
23:13 < realazthat> mmm I may try doing that soon
23:13 < amiller> and help them present them to the bitcoin community which is full of very interested people etc
23:13 < realazthat> but I've not touched bitcoin code yet
23:13 < realazthat> only RPC
23:13 < amiller> i created a fork of bitcoin for a class
23:14 < amiller> i mean to write up what i did and put it on the forum actually
23:14 < amiller> like thirty undergrads in networking had to implement bitcoin clients as their final project using the cbitcoin library
23:14 < realazthat> mmm is there a fund for finding exploits in bitcoin, like Google has?
23:14 < amiller> i mean they mostly sucked like they are just learning how to use sockets
23:14 < amiller> hm i don't know explicitly about a bitcoin security bounty...
23:14 < amiller> i wouldn't be surprised if bitcoin foundation would be willing to fund something like that
23:14 < amiller> i think it would be nice if bitcoin foundation could be talked into supporting research coins
23:15 < amiller> so zerocoin isn't code released yet
23:15 < amiller> and it doesn't have a running public testnet or tools or anything like that
23:15 < realazthat> yeah I read their site a few days back
23:15 < amiller> but when they're ready to release it it would be awesome if that kind of sets the standard
23:15 < realazthat> can't say I understood how it works
23:15 < amiller> maybe we can look at what they do and ask ourselves what we could do to make it easier for future researchers to do similar proof of concepts or also what they could do differently to make the proof of concept more meaningful?
23:16 < amiller> i think things like the testnet in a box are remarkably helpful
23:17 < realazthat> definitely would be useful to easily fork bitcoin and research/hack on it
23:17 < amiller> it *is* pretty easy to fork it i guess it's less easy to... i dunno test whether something is actually good or viable?
23:18 < realazthat> yeah you need several nodes prolly
23:18 < amiller> like a good standard benchmark might be to populate it with a bunch of transactions resembling the existing blockchain and measure how long validation takes or something
23:18 < amiller> i'm trying to think of what zerocoin ran into
23:18 < realazthat> mmm bitcoin should have some sort of testing framework down to a tee
23:18 < realazthat> doesn't it?
23:18 < amiller> because they add a seriously attractive feature (truly unlinkable transactions) but the cost is pretty high for validation which means it's totally not going to work in practice yet but how can we show that empirically
23:19 < amiller> no bitcoin has an enormous *testing* bottleneck
23:19 < realazthat> ah because afraid to put new things in, big consequences, hard to test
23:19 < realazthat> I joined the -testing ML
23:19 < realazthat> I read an email or two
23:20 < realazthat> yeah I don't envy the responsibility haha
23:20 < realazthat> someone messes up .. significant part of bitcoin network goes nuts
23:21 < realazthat> mmm well
23:21 < realazthat> if SCIP comes out soon, maybe I'll try to do some stuff with it, fork bitcoin, etc.
23:22 < realazthat> but I certainly am not experienced enough to even know what to consider a good test haha
23:22 < amiller> i think SCIP is likely really oversold and is going to have to go through several iterations of "research prototype" phase before anything practical comes out of it
23:22 < amiller> but it will still be really exciting to go through that process and we should be doing it as aggressively as possible
23:23 < realazthat> well ...
23:23 < realazthat> he did say "stages" himself
23:23 < amiller> including summarizing what's possible for everyone interested
23:23 < realazthat> I am just over-excited about starting to play with it even with suboptimal code
23:24 < realazthat> amiller: mmm I would be curious if making PoW use SCIP, would this help improve SCIP's code by people wanting to do the work faster
23:25 < realazthat> huge incentive hehe
23:25 < realazthat> also huge incentive to keep it quiet though, but still
23:25 < amiller> how do you mean
23:25 < amiller> i have a few ideas of how to combine SCIP with pow
23:26 < realazthat> well SCIP can directly be used as PoW; it guarantees someone ran program P
23:26 < realazthat> so if you make a researchcoin/altcoin with that as mining,
23:26 < realazthat> or,
23:27 < realazthat> you use gmaxwell's BIP to post incentives to complete a particular task for payment
23:27 < realazthat> then people will be running intensive SCIPs for coins
23:27 < realazthat> and SCIP is basically a slow VM
23:27 < realazthat> with relatively high constants
23:28 < realazthat> and room for code improvement
23:28 < realazthat> thus, there would be huge coin incentive to hack on the SCIP code and improve it
23:28 < amiller> we don't really want PoW though :)
23:28 < amiller> because
23:28 < amiller> suppose we could have a really long proof of work
23:28 < amiller> such that as soon as you finished it you were surely going to be a winner
23:28 < amiller> except that
23:29 < amiller> as soon as anyone else finishes faster
23:29 < amiller> you have to discard all your computation and start over again!
23:29 < realazthat> ah well you mean for mining
23:29 < amiller> it's really important that the actual work (e.g., just computing a single hash) is really small
23:29 < amiller> yeah
23:29 < amiller> that's what i mean
23:29 < realazthat> ok so thats part of what I mean by significant changes
23:29 < realazthat> so here is my idea(s) on that
23:30 < realazthat> imagine a network that is primarily focused on trading compute time for work
23:30 < realazthat> using gmaxwell's BIP
23:30 < realazthat> so you can make money by doing work
23:30 < realazthat> nvm mining
23:30 < realazthat> the lottery could be slightly different
23:31 < realazthat> it could be played among all workers
23:31 < realazthat> and you take sha(sig(P)), and have to test that against the upper-limit-number
23:31 < realazthat> so you can't really control that
23:31 < realazthat> and you aren't really mining
23:31 < realazthat> you are trading work for coin
23:31 < realazthat> + a chance to win a lottery
23:32 < realazthat> the guy who wins gets additional coin and mints the block
23:32 < realazthat> so everyone is trading work
23:32 < realazthat> thats the main thing
23:32 < realazthat> its a huge work market
23:32 < realazthat> am I making any sense?
23:33 < realazthat> ofc I miss out a few details
15:49 < zooko> amiller_: I want off-line transaction. You and I meet on the dark side of the moon, and I give you something, and you can't communicate with anyone else, but you're satisfied that I've enriched you, so you give me a crate full of valuable ores and we part.
15:49 < zooko> gmaxwell: yeah.
15:49 < zooko> amiller_: but I hadn't thought through the threat of the PUF-manufacturer making duplicable/duplicate PUFs...
15:50 < gmaxwell> zooko: of course, if you're on the dark side of the moon, amiller can't tell if you're broke or not either (and if he knew you weren't he could tell you).  :P  hard to be satisfied that you've been enriched through an IOU from a throwaway identity. :P
15:50 < zooko> Is that threat considered by the PUF literature?
15:50 < zooko> gmaxwell: sorry, I was starting a second stream of conversation there.
15:50 < amiller_> no the PUF threat model begins after the secure manufacturing process
15:50 < zooko> The "deaf and blind spender" is the one I was talking about with you, and the "what's the use of PUFs" was the dark side of the moon.
15:50 < zooko> amiller_: oh darn.
15:51 < amiller_> fwiw i think a rational wallet should attempt double spends automatically at all times
15:51 < zooko> amiller_: haha! Good point.
15:51 < amiller_> and insist on innocence blaming something something distributed keys etc for the discrepancy
15:51 < zooko> I agree that would be a civic-minded thing to do.
15:52 < zooko> vulnerability to DoS, inefficient cheat-detection, these are like garbage cluttering up our fair city.
15:52 < zooko> Don't contribute to the worsening problem by refraining from attempting double-spends!
15:53 < zooko> amiller_: well, do you believe in a PUF that you can be sure the manufacturer of it didn't manufacture any duplicates?
15:53 < zooko> How about a program to make PUFs on your home 3D printer?
15:54 < amiller_> i believe in affordable PUFs yes and that they're probably awesome for small / subjective networks if not the big global ones
15:54 < amiller_> for example i construct a PUF and mail it to you
15:55 < zooko> I want to know that not only the person who handed me the PUF as we floated in the lee of the moon
15:55 < zooko> but also that nobody in history, can have generated an identical PUF.
15:55 < zooko> And it only has to be worth as much as a box of valuable ores.
15:56 < amiller_> ok so i print a few PUFs for you and your friends, now you and your friends go to mars and you can still safely transact using the PUFs, no communication back to me required
15:56 < amiller_> and when we synch up again after the long eclipse, we can still all trust those pufs
15:57 < amiller_> so yes i think pufs are swell (pun), it's just still a trusted-originator scenario
15:57 < zooko> I have the feeling you might know of a way to use PUFs for some kind of computation that I don't know of.
15:58 < zooko> So you make some PUFs for me and my friends.
15:58 < zooko> What is the "trust-origination" part?
15:58 < zooko> Is it that we can't be sure you didn't make duplicates, or retained the ability to do so?
15:58 < amiller_> you had to be sure i actually made a PUF
15:58  * zooko thinks.
15:59 < amiller_> suppose i make a PUF and a non-PUF at the exact same time
15:59 < amiller_> i give you one of them.
15:59 < amiller_> you cannot tell whether i gave you the puf or the non-puf
15:59 < amiller_> but if i gave you the non-puf then everything is totally insecure
15:59 < zooko> I see.
15:59 < zooko> Darn.
16:01 < warren> hmm, 0.8.1 -> 0.8.2 changes the minimum fee from 0.0005 to 0.0001?  Users could upgrade to 0.8.2 quickly, but how do they know it is safe to begin using the lower fees?
16:06 < gmaxwell> warren: the new fees relay already, so its safe as soon as one large miner applies the new criteria.
16:07 < warren> So users can reduce fees, at the risk of delays, as usual.
16:08 < warren> I hope the dust relay protection makes a difference.  IMHO ~5k satoshis was too small a threshold.
16:08 < gmaxwell> it's also not a "minimum fee" gah. it's important to speak clearly about this. It is the base fee per kilobyte.
16:08 < warren> ah, sorry.
16:09 < gmaxwell> warren: any higher would have had SD paying people to attack the change.
16:09 < gmaxwell> (directly or indirectly)
16:10 < gmaxwell> (and also wouldn't have been so obviously harmless: you would have had to make a value judgement about SD's business practices)
16:10 < warren> I might have missed this, how does it handle if change would fall below that threshold?
16:11 < gmaxwell> same way it always has, converts it to fees. Keep in mind, we've long had that behavior.
16:12 < gmaxwell> because change <0.01 results in not qualifying as a free transaction, thus a fee of 0.0005 BTC.
16:12 < gmaxwell> so when your change was less than 0.0005 it instead turned it into fee.
16:12 < warren> ah
16:12 < warren> good
16:27 < warren> FYI on those silly alt coins.  A few weeks ago "Feathercoin" started, clone of Litecoin, identical in every way except 200 subsidy per block instead of 50.  It went straight onto multiple exchanges and began a massive bubble, at one point it was 5 x more profitable to mine FTC and sell for BTC than to mine BTC directly.  Difficulty skyrocketed.  For the past few days their difficulty has been stuck at this level, with more and more miners quitting, the estimated time to target is getting longer every day.  Now their dev is talking about hardforking for faster retargeting, like Terracoin's "innovation".
16:29 < warren> It's frightening to see how many miners jump on the latest bandwagon, over and over again.
16:30 < RedEmerald> agreed
16:30 < zooko> Oh hi there, RedEmerald.
16:30 < RedEmerald> howdy
16:33 < zooko> Happy to find out that Adam Back is going to bitcoin2013.
16:37 < RedEmerald> i wish i had the time for that
16:37 < RedEmerald> too many conventions planned for this year already
20:09 < amiller_> <gmaxwell> amiller_: and as has been said before, I think it's too big of an economic change to be anything but a non-starter in bitcoin. Perhaps we'll get an ECDSA break that lets us make old utxo unspendable... but who knows.
20:09 < amiller_> zooko, ^^
20:10 < amiller_> i guess i understand the point about the big economic change thing but i'm not sure where to go from there
20:10 < amiller_> maybe just prepare the solution in case there's an ecdsa break like you said?
20:11 < amiller_> or consider it as a thing so we don't have to delete any old coins that are grandfathered in...
20:13 < amiller_> a good argument is that at some point the ad hoc solutions to inflating utxo will be worse than the parking meter approach which is straightforward and reasonable and *not demurrage*
20:21 < gmaxwell> even with a break, what evidence I'm seeing so far is that people still will oppose making old outputs unspendable. I don't know if this is just a sampling error from the lolbertarians in the bitcoin community or what. But I do think thats the best chance.
20:22 < gmaxwell> people were aggressively calling the no-create-dust changes recently theft.
20:23 < amiller_> well right now they are expecting free rent forever and that's obviously an unsustainable business
20:23 < amiller_> unless they're squatters
20:24 < amiller_> i mean i know it's not you that disagrees with me here you're just explaining to me what the consensus seems to be
20:25 < gmaxwell> well, it's not clear how unsustainable it is.. the utxo set can't grow faster than the blockchain. Soooo under the current network rules ....
20:25 < gmaxwell> even if you ignore that, with current granularity, if we deny 0 value outputs, the maximum utxo size is about 45 PB which is clearly not infinite.
20:26 < gmaxwell> if you're a member of the church of infinite-exponential-improvement-of-technology 45 petabytes sometime in the far future sounds pretty good.
20:26 < gmaxwell> (but there is a reason I describe that as a religion...)
20:27 < RedEmerald> i dont think 45 PB is outside the realm of possibility for a home computer
20:28 < RedEmerald> theres some cool storage tech being worked on that makes for some really dense storage
20:30 < zooko> Hi, amiller_.
20:38 < zooko> Was the no-create-dust patch motivated by utxo storage being an unfunded externality?
20:39 < warren> zooko: that has been one of the motivations for months now.
20:41 < gmaxwell> there are a bunch of motivations, thats one of them but probably the least short term significant right now.
20:43 < warren> I did like the ideas of eventually expiring tiny utxos if they fail to pay rent.
20:44 < zooko> gmaxwell: but, you're saying that motivation may be unfounded?
20:45 < zooko> I.e., a proliferation of utxos may be not too costly, even though it is an externality?
20:45 < gmaxwell> zooko: at what timescale?
20:45 < zooko> I guess that would imply that there is some limit on it, possibly just a natural limit on people *wanting* to make utxos?
20:45 < zooko> gmaxwell: well, I don't know.
20:45 < zooko> I thought you were saying maybe the current rules would be sustainable.
20:46 < gmaxwell> we have to worry about all timescales. ... if you assume continued acceleration of technology and us not allowing zero value txo, then its not an issue in a sufficiently long timescale because the number of possible non-zero value utxo is finite.
20:47 < gmaxwell> zooko: "There are levels of survival we are prepared to accept" ... right now it can grow about 50gbytes/year.
20:47 < zooko> Uh, what?
20:47 < zooko> Oh, if every satoshi is its own utxo. I see.
20:47 < gmaxwell> Right 21e14 utxo.
20:48 < gmaxwell> If the utxo set were already its maximum size, e.g. about 200gbytes... then I think its very likely bitcoin would fail: that kind of cost to run a full node would not be justified by usefulness and significance of bitcoin.
22:47 < gmaxwell> they could do other things to make it right. Their COGS on these devices should be very low. They _should_ be able to afford to double everyones order, for example.. which is what cointerra did for their december orders.
22:47 < gmaxwell> but god knows, maybe their had a failed spin.
22:48 < gmaxwell> s/their/they/
22:49 < brisque> that market is fascinating really. we have BFL, Avalon, Hashfast and Bitfury all acting quite strangely for companies
22:49 < brisque> I can't fathom what's going on with Bitfury and ghash.io. by the looks of things they own most of the network with their own hardware.
22:51 < brisque> frustratingly there's very little information about what ghash.io actually is, and what Bitfury is doing behind the scenes with it
22:59 < gmaxwell> the old "miners will avoid violating the security assumptions for fear of making their coins worthless" argument turns out to fail because its possible to violate the assumptions and keep them secret, and people are willing to gamble that no one will notice or care if the security assumptions are violated.
23:03 < brisque> easy enough to hide your hashrate with a fake pool anyway or by replicating coinbases.
23:03 < brisque> do you like Luke would notice if I mined a block with Eligius.st's coinbase?
23:05 < brisque> back to the point, I don't think anybody would notice or care in a wider sense if Bitfury took a larger portion of the network. as it stands his portion is absolutely massive, and has some real world attacks under its belt.. yet there's nothing really that anybody can do about it.
23:07 < gmaxwell> well, for one, they could stop giving him _more_ hashpower. :P
23:07 < gmaxwell> best estimates still have 1/2 to 1/3 of ghash.io's hashpower as third party.
23:08 < phantomcircuit> brisque, bitfury supplies cex.io which uses ghash.io
23:08 < gmaxwell> they could also stop buying more insanely priced chips from him, since every chip you buy from him pays for him to put 10x more than that chip onto his own farm.
23:08 < phantomcircuit> they're actually different people
23:08 < phantomcircuit> but since they're all ukrainians with weird names nobody can tell
23:09 < gmaxwell> phantomcircuit: I don't believe they are. They claim to be, but evidence I've seen suggests it's one person with a couple employees.
23:09 < phantomcircuit> gmaxwell, it's definitely different people
23:09 < phantomcircuit> they are obviously very close though
23:10 < nessence> are dzminercoop guys legit?
23:15 < CodeShark> gmaxwell: https://github.com/CodeShark/bips/blob/master/bip-n1.mediawiki
23:17 < gmaxwell> CodeShark: you realize that partially signed transactions are already implemented by bitcoin-qt, bitrated, brainwallet, and a half dozen other things, right?
23:18 < CodeShark> is there a standard?
23:19 < CodeShark> many "partially signed transaction" implementations I've seen just blank out entire input scripts
23:19 < CodeShark> which makes some of the use cases I'm considering impossible
23:20 < gmaxwell> A de facto one at least. I'm not sure what you mean by "entire input scripts"
23:20 < CodeShark> as in the entire input script is blanked
23:20 < maaku> CodeShark: what use cases are you considering?
23:21 < maaku> or rather, what do you need to do?
23:21 < CodeShark> maaku: the main thing for me right now is supporting p2sh
23:22 < CodeShark> especially in cases where the signing devices don't know anything about the scripts a priori
23:22 < CodeShark> they just need to know whether they can sign and if they sign what the implications are
23:24 < CodeShark> IMO, the signatures should have been kept as a separate list structure in the txin
23:24 < CodeShark> rather than making them part of the script :p
23:24 < CodeShark> but that's another story
23:24 < CodeShark> an account management app keeps track of script pairs (txinscript/txoutscript)
23:25 < CodeShark> the txinscript just has placeholders for signatures
23:25 < CodeShark> the signing devices just keep keychains
23:25 < CodeShark> they don't even need to know about the scripts a priori at all
23:26 < CodeShark> this will allow a good separation between account management/inbound payment processing tools (a.k.a. watch-only wallets) and signing devices
23:26 < maaku> CodeShark: why is scriptSig connected to p2sh?
23:26 < maaku> don't they figure that out by looking at the scriptPubKey?
23:27 < CodeShark> no
23:27 < CodeShark> the scriptPubKey for a p2sh only holds a hash of the script
23:27 < CodeShark> which is useless to anyone who doesn't already know the script
23:27 < maaku> ok so you're partially constructing the p2sh scriptSig
23:28 < maaku> (a) wallets probably already know the scripts (but I can imagine cases where they do not)
23:28 < maaku> (b) pass it out-of-band
23:28 < CodeShark> yes
23:28 < CodeShark> I like the p2sh approach generally - it's the recipient's responsibility to know how to claim the output
23:29 < CodeShark> the sender doesn't really care
23:33 < CodeShark> I mean, there could be conceivable cases where the sender cares - but not for the use cases under consideration here
23:33 < gmaxwell>  ... https://bitcointalk.org/index.php?topic=392166.0  < KNC miner botnet.
23:36 < CodeShark> the out-of-band stuff is the principal motivation, maaku - I'm trying to develop a signing request protocol - might turn out to be a natural extension of the payment protocol
23:36 < CodeShark> a "generalized" payment protocol, so to speak
23:37 < CodeShark> which works for multisigs, coinjoin, internal company policy, merchants, and several other use cases
23:37 < phantomcircuit> gmaxwell, he's just brute forcing the passwords for web exposed boxes
23:37 < phantomcircuit> it's comical anybody has web exposed boxes at all
23:37 < gmaxwell> phantomcircuit: yea, sort of, except he can do an offline brute force, which digest auth is supposed to prevent.
23:37 < gmaxwell> presumably it uses a constant nonce or something stupid like that.
23:38 < phantomcircuit> probably
23:38 < maaku> why the hell was this posted online?
23:38 < phantomcircuit> but still
23:38 < phantomcircuit> maaku, the guy who found it decided to
23:40 < gmaxwell> someone reported the post and asked me to remove it, but I think its too late.
23:40 < maaku> phantomcircuit: i understand, but besides being unethical it is illegal with legal implications if any of those boxes do get hacked
23:40 < phantomcircuit> maaku, publishing an exploit like that isn't illegal
23:40 < gmaxwell> in the grand scheme of shitty behavior in bitcoin land, someone hacking miners to divert them is probably the most minor.
23:40 < phantomcircuit> admitting to breaking into 28 boxes is
23:41 < phantomcircuit> gmaxwell, well he is basically rootkitting them
23:41 < gmaxwell> hehe 'most minor'
23:41 < phantomcircuit> those 28 people are going to have to pull the sd card to fix them
23:41 < maaku> phantomcircuit: depends on your jurisdiction, but yes publishing exploits is typically illegal
23:41 < gmaxwell> he said he didn't actually do that.
23:41 < maaku> if done in a negligent way
23:41 < phantomcircuit> oh i missed that part
23:42 < phantomcircuit> maaku, not in parts of the world with freedom
23:42 < gmaxwell> maaku: illegal? probably not. Exposes him to civil claims, perhaps.
23:42 < phantomcircuit> im going to assume he doesn't live in north korea
23:42 < phantomcircuit> since he's on the internet
23:42 < gmaxwell> actually reading again, I'm not sure what he's saying.
23:43 < gmaxwell> http digest auth doesn't prevent bruteforcing, and it actually does sound like he's doing a regular bruteforce attack. kinda boring.
23:44 < maaku> phantomcircuit: North Korea? try France, for example. In the U.S. this is borderline. see: https://www.eff.org/issues/coders/vulnerability-reporting-faq
23:44 < phantomcircuit> maaku, im not aware of anybody who has even been prosecuted in the us for disclosing a flaw
23:45 < phantomcircuit> numerous people have been subsequently accused of using the flaw under the assumption that the attack happened before they had disclosed it
23:45 < phantomcircuit> so they must have been the attacker
23:45 < phantomcircuit> but that's not the same thing
23:50 < CodeShark> the funny thing is that this guy's "exposure of vulnerability" applies just about to pretty much any device connected directly to the Internet :p
23:50 < CodeShark> so it's not so much an exposure as it is just another example of a well-known attack
23:55 < maaku> CodeShark: it's pointing people at the factory reset script and config files to update which is more unique
23:55 < maaku> not hard to figure out by anyone technically competent, but he reduced it down to script kiddie level
23:57 < CodeShark> the hard part is getting root access :p
23:58 < CodeShark> but yeah, this guy sounds a tad bit too boastful
--- Log closed Tue Dec 31 00:00:42 2013
--- Log opened Tue Dec 31 00:00:42 2013
00:03 < brisque> that's bold, announcing that you're exploiting people's hardware on a public forum.
00:05 < brisque> depending on the country that's most certainly illegal, akin to breaking and entering. if they get charged for doing it or not is a whole different matter.
00:05 < CodeShark> it's not announcing it that's illegal - it's doing it that's illegal
00:06 < brisque> certainly, but announcing that you did it is foolhardy
00:07 < brisque> oh dear. the user has also posted their KNC order number on the forums, and their country.
00:14 < brisque> who connects an embedded device directly to the internet anyway?
00:19 < phantomcircuit> brisque, people putting them in a dc who dont pay attention
00:20 < brisque> right. forgotten people might be doing that.
00:37 < gmaxwell> hey, could be worse, he could have posted instructions for making it look like 1/4 of the hardware failed, while sending the 1/4 of the hashrate to himself.
11:22 < gmaxwell> It appears the secp256k1 was also selected using basically the same nothing up my sleeve technique. (just modified to produce curves with the fast implementation)
11:24 < gmaxwell> Hm. I take that back.
11:24 < gmaxwell> thats odd that they didn't do that.
11:25 < gmaxwell> then again the form constrains the design space a fair amount.
11:30 < HM> well it's enjoyable reading the pandemonium
11:31 < jgarzik> if forced, could we come up with our own curve parameters?  or switch to djb's favorite curve?
11:31 < gmaxwell> jgarzik: it's a softforking change to add another checksig.
11:31 < jgarzik> yes
11:32 < gmaxwell> Though I'd prefer that we not uberparanoia with yet another ECC implementation, and just stick in lamport signatures as the oh-shit fallback.
11:32 < jgarzik> I consider it akin to replacing SHA256
11:32 < gmaxwell> well a complete replacement of sha256 is a hardforking change.
11:32 < HM> I doubt the NSA are going to waste their time on Bitcoin, it's more a concern if any advances they have tucked away become public
11:32 < gmaxwell> a CHECKSIG2 we could have deployed and usable in a month.
11:35 < gmaxwell> (lamport having the benefit of being immune to any DLP or EC related weakness, and giving a pat answer to quantum computer fud, plus a trivial implementation is still ultra fast.  Downside: big signatures.)
11:47 < HM> Lamport still relies on solid hash functions
11:47 < HM> Pretty much everything touching crypto seems to use a hash function at some point, so they're obvious targets
11:49 < gmaxwell> HM: sure, but no ecdsa implementation is useful without a strong hash function. Besides, hash functions never get broken in a way that would break lamport.
11:51 < gmaxwell> Nothing is certain of course, but at least it's completely orthogonal.
11:51 < gmaxwell> or as near as completely as anything is.
11:51 < gmaxwell> and has a trivial implementation. (well, I'd like to use some compression that makes it slightly less trivial.)
11:52 < HM> But can't keypairs only be used once?
11:53 < HM> publishing a public key requires trust, so having to do it regularly is undesirable
11:55 < gmaxwell> HM: nah, you just make a public key a tree of public keys. They have a finite lifespan but you can make it large.
11:55 < gmaxwell> e.g. 1024 uses.
11:56 < gmaxwell> or with the imbalanced tree thing I suggested make it very large while only making heavy reuse bit.
11:56 < gmaxwell> er big.
11:56 < HM> meh
11:56 < HM> I guess if you got 1024 uses you could use your final message to publish a new public key
11:57 < gmaxwell> e.g. 32768 reuses, but uses 1-4 are only one extra hash each.
20:52  * amiller starts writing about the parking meter fee model
--- Log closed Sat Sep 07 00:00:14 2013
--- Log opened Sat Sep 07 00:00:14 2013
--- Log closed Sun Sep 08 00:00:17 2013
--- Log opened Sun Sep 08 00:00:17 2013
08:56 < gmaxwell> oh come on. I just actually looked at the random ecdsa curves in FIPS.. and sure, they're deterministically generated... but the seed values are implausibly high.
08:58 < sipa> ?
08:58 < sipa> veing?
08:58 < sipa> being?
08:59 < gmaxwell> e.g. for P-256r
09:00 < gmaxwell> SEED
09:00 < gmaxwell> =
09:00 < gmaxwell> c49d3608 86e70493 6a6678e1 139d26b7 819f7e90
09:04 < gmaxwell> the deterministic procedure is basically sha1(the seed) to generate a bunch of random numbers, pull out the parameters and check the curve order.
09:06 < gmaxwell> At least the prime it uses is the largest prime less than 2^256.
09:06 < gmaxwell> but the other parameters could be freely cooked. :(
10:37 < HM> then Schneier is right
10:44 < gmaxwell> I think its even worse than if they hadn't done the "verifiably random" procedure. :-/
10:49 < HM> The way I'd do it is announce you're going to use the hash of the front page headlines of 12 internationally renowned newspapers ahead of time :P
10:51 < HM> Completely original I swear
11:05 < gmaxwell> nah, you have a bunch of respected people commit to secrets. Then you hash the commitments and commit to it in a bitcoin block. Then everyone reveals their secrets and you hash them up with the block hash and feed it to some quite-expensive KDF.
11:05 < gmaxwell> What http://tools.ietf.org/html/rfc5639 also looks basically reasonable, if not quite as good.
11:06 < HM> 'respectable' is personal
11:06 < HM> using news events has the advantage that if the headline is "Aliens arrive on Earth and win poker tournament", you can be reasonably sure it wasn't rigged
11:10 < gmaxwell> HM: the reason to use the bitcoin step in my example is to make it computationally infeasible to cheat even if you think all the respected people potentially conspired.
11:11 < gmaxwell> all yours requires is someone to control a couple newspaper headlines.
11:11 < gmaxwell> And the use of the people step in my example is to make it hard for someone to dismiss it as "oh nsa can instantly do sha256 so the bitcoin part is pointless"
11:11 < HM> not so, it also requires they be able to select 12 inconspicuous and consistent (with current events) headlines within whatever window you allow that hash to what you require
11:11 < gmaxwell> "respected" might also be hundreds or thousands of people.
11:12 < gmaxwell> HM: bullshit, if you only care about picking a few bits of the final version then you just need to control the phrasing or typesetting.
11:12 < gmaxwell> of a single headline too, assuming that you simply know the other ones.
11:13 < HM> sure...i guess, but if you only require a couple of bits then i think that weakness would be easier to discover in whatever algorithm you're using
11:14 < HM> i mean, if all even seeds were crackable then you're probably not going to pass inspection
11:15 < gmaxwell> who says? you're talking about embedding a property which isn't known to the public.. it might exist only in one in thirty two curves. You could easily pick that with your newspaper headlines.
11:16 < gmaxwell> besides, if you're really fixated on them you could just add them to my scheme too. :P
11:16 < HM> if it exists in only 32 curves, you'd need to fix, say, 251 bits of your 256 bit hash
11:17 < gmaxwell> HM: one in thirty two.
11:17 < gmaxwell> 1/32
11:17 < gmaxwell> as a rate.
11:18 < HM> *shrug*
12:01 < sipa> gmaxwell: they are perhaps optimized for certain weakness, but not more than an exhaustive search can find
12:01 < sipa> as the sha1 in the deterministic procedure is assumed to be irreversible
12:02 < sipa> if there is a weakness that appears in a very high frequency of curves, a small number or a large number as seed doesn't make a difference
12:05 < HM> We used the 160bit sequence from pi offset N, where N is totally random. Promise.
12:07 < gmaxwell> sipa: sure. The distinction there is they could have chosen for weaknesses which were as rare as -say- 1:2^40 through this method without hypothesizing enormous expenditures on the project.
12:07 < gmaxwell> (or strengths, for that matter)
12:07 < gmaxwell> Effectively they've failed to show that they weren't selecting for additional criteria which might have made it stronger or weaker.
12:08 < sipa> right
12:08 < sipa> but they do show that whatever selection criterion was used, it cannot be faster than exhaustive search
12:10 < sipa> if there exists a weakness that is present in 1 in 2**128 curves, if the parameters were given without any algorithms, they could have been found through an algebraic method
12:10 < sipa> and be vulnerable to it
12:14 < gmaxwell> Yes, having this scheme is better than just giving the parameters and saying "here you go"
12:15 < gmaxwell> The scheme reduces the space of attacks, but at the same time leaves the space of attacks unnecessarily wide, which is curious since they did go through the trouble of acknowledging the concern.
12:34 < jrmithdobbs> nsa dhe/ec speculation/theories (don't mean that dismissively) or did i miss something else?
12:37 < jrmithdobbs> if the former, on a related note, i really like how it's starting to look like nsa really is decrypting rc4 ... between djb's recent paper and the recent snowden/etc publications ...
12:37 < jrmithdobbs> or at least, are close enough to being able to do so that it's worth storing
16:58 < gmaxwell> jrmithdobbs: you would be interested in http://eprint.iacr.org/2013/525
16:58 < gmaxwell> jrmithdobbs: I like it because the memory access pattern is constant, not only would it avoid leaking data via timing, but it should be harder to optimize out than scrypt's memory accesses.
17:16 < amiller> that looks awesome
17:18 < amiller> "Catena supports client-independent updates by increasing the garlic or by turning salt bits into pepper."
17:31 < amiller> yeah i guess it makes sense
20:35 < maaku> holy cow, how did i not know about this channel
20:35 < maaku> are there logs?
20:36 < gmaxwell> I could send you them... though I don't know that they're that interesting.
20:38 < gmaxwell> You should be in here though. Mostly we discuss cryptographic rocket science in here, and stuff.. which may only have applications to bitcoin in the (far?) future.
20:39 < gmaxwell> basically lots of us have interest in things like zero knowledge proofs, fancy and speculative crypto, changes to the bitcoin protocol which are not near term (or ever?) viable, etc.. and it was crufting up #bitcoin-dev which should try to stay on-topic for transparency reasons.
20:40 < gmaxwell> (and I was a major source of the offtopic stuff. :( )
20:48  * phantomcircuit puts on his wizard hat
20:51 < gmaxwell> phantomcircuit: Awesome. So the old proof of non-fractionality had the bank commit to a tree over its outputs, and allowing for randomized checking that it did indeed have the balance it claimed. And then a hashtree over balances, to show users that their balance was in the balances proof and that the sum of balances was <= the sum of funds.
10:14 < TD> the US finances are so completely unfixable that once that infrastructure is in place, the temptation to tax foreigners will be overwhelming and irresistible
10:14 < TD> yes sure, but i'm talking about stuff that will pay down the deficit. doing that would be politically popular.
10:15 < phantomcircuit> TD, iirc the law actually only provides for enforcing existing obligations, but does not actually allow for rejecting your renunciation
10:15 < jgarzik> It is quite literally impossible to fully pay down the deficit.
10:15 < adam3us> TD: probably increased inflation to inflate away the debts value, that has been the historical method
10:15 < phantomcircuit> jgarzik, we could sell like maine
10:15 < TD> they're already doing that
10:16 < jgarzik> Inflating away debt is the only tool remaining in the toolbox.
10:16 < phantomcircuit> adam3us, the debt is growing much faster than inflation
10:16 < jgarzik> (I'm not saying that's a good thing... just the engineering reality)
10:16 < TD> the problem is the politics of it. the way modern governments inflate away their debts is that the central bank prints money and lends it to the other branches of government
10:16 < phantomcircuit> it's like 800 billion/year and we're at about 17 trillion
10:16 < TD> technically the government is printing money, but when you add up the "debt" it includes debt to the central bank
10:16 < phantomcircuit> so ~4%
10:16 < TD> and people will then be shown a graph of debt going upwards
10:17 < phantomcircuit> (that's a conservative number)
10:17 < adam3us> it's possible we're looking at a second round of financial system shocks, eg when more major countries default, historically it has happened relatively often, and more recently than people imagine
10:17 < phantomcircuit> inflation is ~2.5%
10:17 < jgarzik> Fallacy:  most countries will not default.
10:17 < TD> which is unpopular and then politicians looking to get elected will campaign on "reducing the deficit". but they can't raise taxes domestically, because that's even more unpopular than deficit, and they can't cut back the DoD because it's such a huge part of the economy
10:17 < jgarzik> Gold bugs love to think about impossible scenarios where 95% of the world melts down, except for the wise people holding gold.  </eye roll>
10:17 < phantomcircuit> TD, the problem is that the US has actually borrowed money from itself for decades
10:17 < TD> so - that leaves, taxation of foreign income
10:18 < phantomcircuit> TD, so now there are massive unfunded obligations like social security and medicare
10:18 < TD> yes, pensions are a huge problem everywhere. but massive deficit spending on the military makes a bad situation worse, and that's politically infeasible to fix
10:18 < jgarzik> Politicians get elected by writing checks that can be inflated away.  Money in the pocket now, and not thinking about long term consequences.  But when the crisis comes, the populace will vote for whatever avoids total meltdown for their local community.  Simple self-interest.
10:18 < TD> for reasons i don't really get, but still, that's how it is
10:19 < adam3us> TD: maybe some more faux-imperialism - annex some more countries in the name of exporting "freedom" and install us megacorps to exploit their resources
10:19 < phantomcircuit> jgarzik, that depends on if you're using the technical definition of default and whether you include obligations to citizens or just to bond holders
10:19 < TD> well that was already tried in iraq
10:19 < TD> and it sorta worked and sorta didn't
10:19 < TD> they're running out of things that weren't done yet
10:19 < phantomcircuit> jgarzik, it's almost certain that nearly every western country will default on its obligation to citizens
10:21 < adam3us> phantomcircuit: they may avoid technical default, but there may be some major money printing bail outs eg within europe, haircuts for depositors, bondholder conversion (the paper work may be prepped for that by now)
10:21 < phantomcircuit> TD, in large parts of the us military spending is a significant part of the economy, because of the way representatives are selected (it's a combination of districts and number of people) they have disproportionate representation relative to population size
10:21 < TD> yeah. i know about the way the campaign donations are structured. but military spending isn't unpopular
10:21 < TD> it's barely even discussed, it seems
10:21 < phantomcircuit> TD, more so they pretend to have many issues but really they only have one
10:21 < phantomcircuit> more pork for their district
10:22 < phantomcircuit> TD, because it's largely pointless
10:22 < phantomcircuit> there is a significant voting bloc which only cares about that one issue
10:23 < jgarzik> phantomcircuit, cf. Crysler bailout.  USG has already proven it is willing to favor a junior-yet-politically-favored class over senior debt holders
10:23 < TD> people who work for the military or have relatives who do, i guess
10:23 < jgarzik> Chrysler
10:25 < jgarzik> phantomcircuit, Having lived in a military family in military towns... that's demonstrably not true... unless the local base is majorly threatened.  People tend to ignore the issue unless somebody threatens to close the local base.
10:26 < jgarzik> phantomcircuit, a lot of the US military tends to vote Republican/tea party/conservative, not pro-government Democrat
10:27 < TD> because they know the republicans are anti-spending, except for the military, where they always spend more.
10:30 < adam3us> amiller: you mentioned you had a solution to non-outsourceable puzzle - are you going to update the bct thread?
10:34 < amiller> adam3us, yes, probably not for a week or so though
10:35 < adam3us> amiller: nudge me when you do - interested if there may be other apps of it
10:38 < TD> jgarzik: btw bitpay rocks
10:38 < TD> jgarzik:  i can now purchase takeout food in zurich thanks to bitpay+lieferservice.ch
10:38  * TD remembers just 18 months ago pondering creating a manual gateway for buying pizza locally with bitcoin.
10:40 < jgarzik> hehe
10:40 < jgarzik> TD, I am scheming to buy real estate with bit coins, through bit pay.
10:41  * TD is happy with smaller pleasures
10:41 < jgarzik> TD, investors pay bitcoins, and bitpay auto-converts and puts money in the escrow bank account used for purchasing real estate :)
10:41 < TD> like pizza
10:41 < jgarzik> hehe
10:41 < TD> so they can more easily switch from one bubble to another? nice! :)
10:41  * TD is finding it so hard to concentrate this afternoon
10:42 < jgarzik> My lifelong dream has been to build cool real estate, like affordable castles (strongly  built with redundancy,   but affordable for the average person)
10:42 < jgarzik> Nah, the real estate thing will not use leverage, just cash.  Less bubbly ;p
10:43 < TD> a man's home is literally his castle?
10:43 < jgarzik> That's the middle class dream, and we are amazingly close to it
10:44 < TD> screw castles. i want one of those: http://www.digsdigs.com/photos/the-most-futuristic-house-4.jpg
10:44 < TD> although - possibly with a road next to it
10:44 < jgarzik> Think about everything that only a king had access to, 400 years ago:  food preparers, groundskeepers, imported food and wine, servants (now at $/hr, divided out and outsourced)
10:44 < jgarzik> personal doctors/health care
10:44 < TD> a harem?
10:45 < jgarzik> TD, redtube.com?
10:45 < jgarzik> ;p
10:45 < TD> lol
10:45 < TD> close enough
10:45 < TD> http://lifewithoutbuildings.net/greentextiletower.jpg
10:45 < TD> i'd also settle for that one
10:46 < TD> ooh: http://futuristicnews.com/wp-content/uploads/2012/07/Cocoon-House-Jeju-Island-Korea-02.jpg
10:46 < jgarzik> That's the best of the three
10:49  * TD is debugging code that is too complicated and is procrastinating
10:49 < TD> best thing is - i wrote it!
11:18 < adam3us> maaku, jtimon: when we were discussing blind certificates with chaum blinding (or brands) here yday or so, you mentioned using ZC for on chain respending
11:21 < adam3us> maaku, jtimon: but if you have an issuer (or an offline issuer, but online transaction server), maybe you could consider giving the transaction server a key authority to reblind the tokens, optionally using the chain as the authority for double spending prevention
12:32 < adam3us> had to say something about the coin validation stupidity
12:32 < adam3us> https://bitcointalk.org/index.php?topic=333882.new#new
12:32 < adam3us> (the forbes article)
12:40 < TD> if they want buyers to have to identify themselves, the right approach is a payment protocol extension
12:40 < TD> but their thinking seems muddled in other ways, so i am not surprised they didn't think of that
12:46 < adam3us> TD: precisely - its stupid and the wrong approach - identify the user, not break fungibility
12:46 < TD> fungibility isn't absolute even with bitcoin. i made this point on the foundation forums
12:46 < TD> e.g. unconfirmed coin with zero fee < 100 confirms
12:47 < TD> though technically they both give you bitcoins
12:47 < adam3us> i encourage everyone to ram home to any bitcoin biz people who may not understand, that this will damage fungibility, and so if their business depends on fungibility, and bitcoins success participating in this is destructive
12:48 < adam3us> TD: yes bitcoin fungibility is imperfect which is partly what makes it vulnerable to the dangers coin validation creates
12:48 < adam3us> TD: and the defenses that exist (or could be implemented) like wallet coin control, coinjoin are either not impl or not widely deployed
12:50 < adam3us> (if fungibility was cryptographically perfect, they'd be forced to adopt a sensible approach- provide users with certificates that they can use with regulated businesses when AML/KYC are required)
12:50 < TD> none of those are related to the lack of fungibility i just pointed out
04:23 < petertodd> that just says litecoin isn't very valuable
04:23 < warren> yup
04:23 < petertodd> pool ops can always say they'll accept tx's directly iwth lower fees
04:24 < warren> they aren't smart enough to realize that
04:24 < petertodd> well then start your own pool that does that
04:26 < warren> Then I also figured out how to reduce the UTXO set by 50%.
04:26 < warren> at no cost
04:31 < warren> petertodd: err... does decreasing the hard limit really matter for them?  Even if mining pools remove the soft limit, the cost of including absurd sized tx's in the block is extremely high.
04:31 < petertodd> you mean increasing?
04:32 < warren> oh, misunderstood you later
04:32 < warren> err earlier
04:32 < petertodd> it must not be opposite day for you
04:33 < warren> very tired
04:33 < petertodd> go to bed
04:33 < warren> night =)
04:33 < warren> thanks for confirming my p2pool realization. this sucks. =(
04:33 < warren> well, it isn't THAT bad, block header forwarding can be improved
04:34 < petertodd> go to bed :)
04:34 < warren> night =)
05:43 < warren> went to bed, then my mtgox shenanigans alarm went off on my phone.  I look at the chart and *holy crap*
11:09 < gmaxwell> 00:14 < petertodd> >1MB blocks will without a doubt kill p2pool for that exact reason
11:09 < gmaxwell> no,
11:09 < gmaxwell> jesus
11:09 < gmaxwell> fucking fools, all of you :P
11:10 < gmaxwell> warren: I'm not sure how you missed the complicated design where p2pool nodes are forced to _pre send_ all the txn they're mining on to their peers
11:10 < gmaxwell> and then when they find a share the share contains the whole txn list
11:10 < gmaxwell> meaning that all the peers can recover the block cheaply
11:11 < gmaxwell> this means that (1) it doesn't take much bw for a p2pool node to transmit a block and (2) if its slow at doing this it will have a higher p2pool stale rate and naturally get paid less
11:14 < gmaxwell> The p2pool 'luck' is well within the expected norms, and it appears to have a _much_ lower orphan rate than eligius (appears because there is a lot of shot noise in any such measurement) now  (it didn't prior to the change to doing the share preforwarding)
11:16 < gmaxwell> 00:43 < petertodd> p2pool would be making the assumption that tx's have propagated to the whole network
11:16 < gmaxwell> No, it forces them to be propagated there is no assumption.
11:16 < gmaxwell> If you're mining on a txn you tell your peers about it first. If you don't your peers will discourage your shares.
11:50 < petertodd> oh, good to hear, although if you read the whole discussion warren and I did come to the conclusion that p2pool did that... in any case, still doesn't solve the real issue, which is the same as any other one: the bandwidth will get too expensive relative to the profit, but that's a long way off
11:50  * petertodd needs to stop writing about stuff at 4am when he's trying to do other things at the same time.
12:24 < gmaxwell> yea, sure but that issue isn't unique to p2pool. And sure, generally the bigger the blocks are the more genuine argument there is for cost saving existing for consolidating mining.
12:50 < petertodd> of course it's not unique, but p2pool is a good example where it very directly leads to centralization
--- Log closed Thu Apr 11 14:11:51 2013
--- Log opened Thu Apr 11 14:12:23 2013
15:14 < warren> gmaxwell: why do I see INCOMPLETE BLOCK so frequently then?
15:15 < warren> gmaxwell: whatever the issue is it appears it can be improved
15:18 < gmaxwell> warren: I _never_ got that on bitcoin p2pool. (just went to grep logs) Perhaps some genius litecoin p2pool users have modified their code in some daft way
15:18 < warren> how long do your logs go for?
15:18 < gmaxwell> warren: it's written so that it won't include a txn until it has relayed it, so other than right at startup or with modification, that should just not happen.
15:19 < gmaxwell> warren: The whole time share preforwarding existed while I was on p2pool.
15:20 < warren> hmm... weird.  INCOMPLETE BLOCK disappeared entirely four days ago.  it was like 50% before that.
15:20 < gmaxwell> it was probably some idiot who thought they could get some great advantage by turning off share preforwarding
15:21 < warren> OK, thank you for cluebatting me.
15:21 < warren> gmaxwell: btw, saw the post where ck claims to have reduced the avalon latency to 100ms?
15:22 < gmaxwell> warren: link?
15:22  * warren finds
15:24 < warren> https://bitcointalk.org/index.php?topic=18313.msg1761478#msg1761478  "I've spent quite a bit of time hacking on the Avalon(s) the last few days thanks to Aseras and then Xiangfu giving me access to them. I've come to the conclusion that any latency issues that prevent it mining on p2pool should be resolved in the next cgminer release incorporating the changes I've committed to the code. The max latency for restart should be on the order of 100ms now which is fine even for 10s longpolls. Hopefully it will talk to p2pool better via stratum as well."
15:24 < warren> He goes on to say that p2pool has some other bugs that need to be fixed.
15:55 < warren> gmaxwell: are his latency improvements real?
--- Log closed Thu Apr 11 16:12:58 2013
--- Log opened Mon Apr 15 10:58:38 2013
19:21 < BlueMatt> so my research advisor commented that people dont want to do research on bitcoin because it is "the biggest ponzi scheme in history" :(
19:21 < BlueMatt> ofc I didnt have time to correct him then, so I had to put it in an email :(
19:24 <@gmaxwell> But it is the worlds first ponzi scheme based on CRYPTOGRAPHY!
19:24 <@gmaxwell> I usually find that it's best to embrace the skepticism.  "Sure it's crazy and going to lose people money but look how _interesting it is_"  .. a week later they're asking me how to buy bitcoins.
19:25 < BlueMatt> all I had time to do (lecture had already started) was say that "ehh, the system is freaking awesome, even if you dont care about the currency"
19:25 <@gmaxwell> yea, thats the general approach.
19:26 <@gmaxwell> Once someone has grasped the idea its often hard to talk them _out_ of buying into it. Convincing technical people that bitcoin isn't a scam is not a limiting factor in my experience.
19:26 < BlueMatt> problem is, I highly, highly doubt he has time to read into the system
19:27 < BlueMatt> hes "director of undergraduate studies" so...
19:28 < petertodd> indeed, I spend most of my time talking to my coworkers about how many serious problems bitcoin has
19:28 < BlueMatt> what production system doesnt?
19:28 < petertodd> and the other day I had two of them asking me what's the best ASIC company to buy mining equipment from...
19:28 < warren> I already told this story (here?).  2.5 weeks ago an MBA student asked if I had bitcoins to sell him.  I refused to sell to him and told him to do his own risk/reward research. This guy doesn't know how to use his own computer.
19:29 < BlueMatt> heh
19:30 < petertodd> ouch...
19:30 < warren> perhaps interest in ASIC's will be lower now.
19:30 < petertodd> maybe, although I will say, one of those co-workers wanted to buy his 17 year old son an ASIC miner, because he figured he'd either learn about crypto, or business, specifically risk
19:31 < BlueMatt> heh, thats a fun gift
19:31 < petertodd> I support repeatable life-lessons :)
19:31 < BlueMatt> he should have given him a bitcoin a week ago
19:31 < petertodd> ha, for sure
19:35 < petertodd> so, wizard topic: I'm thinking it might be worthwhile to make the mother of all alt-coin scams, er, I mean trusted ledgers. basically addresses in this scheme would look like 1AGUP2MVtTqMHysb9gS3upedZmSvaV1f5h@3CK4fEwbMP7heJarmU4eqA3sMbVJyEnU3V and the logic is pretty much as you would expect "pay to the first bit, and the transaction is guaranteed and recorded in some ledger by the second address"
19:35 < petertodd> the advantage being you can re-use all the existing transaction infrastructure, in particular, existing and future hardware wallets and similar things
19:36 < petertodd> the logic also becomes nice: pay to the person holding these public keys, but guarantee the transaction using whomever is running the ledger service with the identity this set of pubkeys
19:36 < petertodd> s/pubkey/seckeys/
19:36 <@gmaxwell> so basically the 3CK4fEwbMP7heJarmU4eqA3sMbVJyEnU3V identifies the ledger in question?
19:37 < petertodd> exactly, how you determine how to communicate with that is another matter, but it's that signature that is important
19:37 < petertodd> (hence my post on the -dev list about multisig signmessage)
19:38 <@gmaxwell> I'd worry about cross ledger signature rebinding in that.
19:38 < petertodd> what do you mean exactly?
19:39 <@gmaxwell> E.g. you make a transaction X in ledger 1  and I replay that transaction in ledger 2.
19:41 < petertodd> right, yeah, I'm thinking the ledgers should act like blockchains, which means when coins enter the ledger, apply something like HMAC(on-chain-txid, ledger-identity) to the txid's to ensure that they don't make sense in the context of another ledger.
19:44 < petertodd> also, from a ui perspective, you need to ensure the user can determine where coins are being sent, so I'd just take the ugly hack of interleaving txouts the user wants, with txouts specifying what ledger (or the blockchain itself) each txout is going to, heck, those txouts can contain the fees...
19:45 < petertodd> basically, the philosophy being leverage existing software as much as possible for v0.1
19:46 <@gmaxwell> I think it's too abstract for me to say anything more.
19:46 < petertodd> well, sounds like it's not inherently a bad idea, so worth a prototype
16:36 < adam3us> maaku: the person who bought it cares maybe
16:36 < justanotheruser1> whats freimarkets
16:37 < maaku> adam3us: yes, but all your fears about regulation etc. could just as easily be applied to the person who issued it in real life
16:37 < adam3us> maaku: especially if it was expensive or the issuer is a bank say
16:37 < gmaxwell> that goes back to the point I made earlier about distinguishing the currency vs other things and not allowing the grey-goo on the currency.
16:37 < gmaxwell> (nice metaphor)
16:37 < adam3us> maaku: this is true.  well i mean there is regulation in the market weak though it is, and hackable by banksters as it is, to protect consumers from malicious financial instruments
16:38 < maaku> adam3us: the benefit here is that there is a mechanism for stating the conditions of these financial instruments, in a way which can't be retroactively changed
16:38 < maaku> that is actually pro-consumer
16:39 < maaku> (idk. maybe we end up using old-style bitcoin scripts for host currency outputs, to avoid the grey-goo, or disable opcodes)
16:39 < adam3us> maaku: yeah that i like and is a central promise of smart-contracts as applied to block-chain validation
16:40 < adam3us> maaku: but at a high-level would you not want to constrain the covenant to the instrument, not have it infect and convert other assets into the same form somehow.  not sure how to do that.
16:40 < michagogo|cloud> andytoshi: Ah, so you just call createrawtransaction?
16:40 < maaku> justanotheruser1: ok i'm a pragmatist who defines "perfect" as the best which can be actually achieved :)
16:41 < justanotheruser1> maaku: okay.
16:41 < maaku> justanotheruser1: https://bitcointalk.org/index.php?topic=278671.0
16:41 < michagogo|cloud> andytoshi: Hmm, I clicked the "Submit Transaction to Joiner" button
16:41 < michagogo|cloud> Nothing seems to have happened
16:42 < michagogo|cloud> http://testing.wpsoftware.net/coinjoin/ doesn't show there being a session
16:43 < justanotheruser1> maaku: is there a reason this has to be part of bitcoin and not just merged mined with it?
16:43 < maaku> adam3us: I think if you disabled the LOAD_TRANSACTION opcode in host currency, all of these fears would disappear
16:44 < maaku> justanotheruser1: what are you talking about?
16:44 < justanotheruser1> maaku: What do you mean by "an extension of bitcoin"?
16:46 < maaku> justanotheruser1: freimarkets is an extension of the bitcoin protocol. it adds new features by changing the transaction format, introducing new scripting opcodes, and changing the validation rules
16:46 < maaku> these are hard-fork changes
16:46 < justanotheruser1> maaku: does it have merged mining?
16:47 < maaku> justanotheruser1: that's a tangential question. this could in principle be applied to bitcoin in a future hard fork
16:47 < maaku> but given that the chance of this happening in bitcoin itself is approximately nil, we're going to deploy it in freicoin and freicoin will be merged mined against bitcoin
16:48 < maaku> so yes, it will be merged mined, but that's a point separate from the proposal itself
16:49 < michagogo|cloud> andytoshi: aha, the cj-client tries to spend to the mainnet fee/donation address
16:49 < michagogo|cloud> So it fails because that address isn't valid
16:51 < justanotheruser1> maaku: whats the difference between this and protoshares and mastercoin?
16:51 < justanotheruser1> and coloredcoins
16:51 < maaku> justanotheruser: read the thread
16:51 < justanotheruser> I am
16:52 < michagogo|cloud> andytoshi: Heh, I tried manually creating that transaction
16:52 < maaku> also this one : https://bitcointalk.org/index.php?topic=280292.0
16:52 < michagogo|cloud> On attempt to submit to the coinjoiner's web interface, 413 Request Entity Too Large
16:52 < maaku> (more appropriate to post there if you have technical questions than the crowdfund thread)
16:57 < adam3us> maaku: anyway enough from me about hypothetical systemic risks, I am actually quite interested in the potential of smart-contracts, and like the extensions you put in freimarket from a programming perspective.
16:57 < maaku> adam3us: what do you think about simply disabling the load-transaction opcode in the host currency? i feel silly for not thinking of this before the long-winded argument
16:58 < adam3us> also maybe i am not enuf of a forth-fan but bitcoin scripts seem kind of hard to read & program with.  maybe it was envisaged that there would be some higher level language translated into it
16:58 < maaku> yeah forth is kinda on the level of intermediate code
16:59 < adam3us> maaku: i dont know what load-tx does?
16:59 < gmaxwell> adam3us: really? I think forth is basically ideal.
17:00 < gmaxwell> adam3us: The problem with higher level languages is that they're easy to hide subtle behaviors in.
17:00 < adam3us> gmaxwell: taste i guess.  i did some dc programming, kind of reminds me.  yes unambiguity is a good thing
17:00 < maaku> adam3us: load-transaction is how all these covenants are accomplished - it pushes the transaction onto the stack so it can be examined by the script
17:00 < adam3us> maaku: i guess the extrospection hook?
17:00 < maaku> yeah
17:00 < gmaxwell> "oh look, this does exactly the opposite of what you expected because the hostile author took advantage of some order of operations subtly"
17:01 < gmaxwell> The forth is high enough level to express what it means, mostly, but low enough level to also express what it does.
17:01 < adam3us> gmaxwell: only complaint is like readability.  especially with the long OP_BLAH names.
17:01 < gmaxwell> takes more study to understand than something higher level but has a harder time lying to you.
17:02 < gmaxwell> oh well yea, surely better tools could be done for working with it.
17:02 < gmaxwell> including things like pseudo opcodes that compress common and easily explained idioms.
17:04 < adam3us> maaku: does that kill interest bearing loans denominated in freicoin but not in maakucoin (self-issued iou)?  there is some feature downside implied.
17:06 < maaku> adam3us: yes you would have to use user-issued IOUs, although that was the original scenario
17:07 < maaku> in fact I'm not sure how you'd do the loan trading freicoins for freicoins
17:07 < maaku> the point was that you loan the freicoins into existence
17:08 < maaku> you could still do some nasty things based on UTXO state (maybe you disable that as well)
17:08 < adam3us> maaku: doesnt that risk uncontrolled supply side inflation?
17:08 < maaku> that's ... rather the point isn't it?
17:09 < maaku> debt-based IOU currency
17:09 < maaku> maybe there's a misunderstanding here? i'm not sure what it is
17:09 < adam3us> maaku: fair enough there, but in relation to there existing two types: mined freicoins with demurrage and iou ones
17:12 < maaku> well sortof. IOU freicoins are actually freicoins, just a promise from whoever issued them to eventually, someday redeem them
17:12 < maaku> they're only usable as currency in so much as other people are willing to accept that IOU promise
17:12 < maaku> ripple is built on this premise
17:13 < gmaxwell> How is ripple doing btw?
17:13 < adam3us> maaku: but then you have the ripple graph of trust so they can circulate, quite far from the issuer and his immediate friends indirectly
17:14 < maaku> oh i meant pre-OpenCoin ripple. no idea what they're up to :)
17:14 < maaku> adam3us: yes, and with sub-transactions you can build atomic movements of these IOUs through the trust graph
17:14 < adam3us> maaku: i think it'd be fair to call this real-ripple.
17:15 < gmaxwell> meh. I still think real-ripple ought not need a global consensus system.
17:15 < maaku> but where there are gaps in the graph, exchanging IOU-for-freicoin instead of IOU-for-IOU lets you get hard currency
17:16 < maaku> gmaxwell: agreed, except when you want to interact with non-ripple assets like bitcoin/freicoin
17:17 < maaku> jtimon and I are planning on having these user assets be off-chain, but using the same scripting system so you can coordinate movements with the chain when public assets are involved
17:17 < gmaxwell> maaku: well, when you want to interact with them in a way which isn't trusting of an issuer.
17:17 < maaku> yes
17:20 < midnightmagic> real-ripple didn't.
17:20 < midnightmagic> :-(
17:21 < maaku> midnightmagic: unfortunately the distributed protocol was never implemented :\
17:22 < midnightmagic> yah. sad-midnight-face
17:31 < andytoshi> michagogo|cloud: sorry, was afk
17:31 < andytoshi> michagogo|cloud: one moment, cj
17:32 < andytoshi> michagogo|cloud: one moment, cj-client doesn't choose the donation address, the server does, but i forgot to set that for the testnet version
17:57 < andytoshi> michagogo|cloud: gonna head out now, will work on this later tonight, i am having decode problems that didn't happen with mainnet, sorry
17:57 < am42> ?
18:10 < jgarzik> adam3us, unlinkable static address...  USA! USA! USA!
18:10  * jgarzik waits for the conspiracies to start
18:11 < adam3us> jgarzik: not getting conspiracy part?
18:12 < jgarzik> adam3us, a poor attempt at a joke.  e.g. paid by USA to develop tech whose acronym is USA
18:12 < adam3us> jgarzik: oooh.. didnt notice the acronym :)
18:12 < jgarzik> plus an acknowledgement that the bitcoin community will imagine a conspiracy for all events.
18:12 < jgarzik> It's like the multiverse of conspiracies
18:12 < jgarzik> quantum conspiracy theory
18:13 < adam3us> jgarzik: just wish i could find an efficient spv compatible version (or a replacement for bloom that worked with them).. would be sooo nice to forget about address reuse and battling user confusion and wallet author laziness
18:14 < jgarzik> indeed
18:14 < sipa> that seems contradictory
18:14 < sipa> you want something that achieves privacy from the public
18:14 < sipa> but still want them to do efficient filtering for you
07:40 < jtimon> I don't understand what makes you think that, and no, (natural) 0% interest rates prevent exponential debt growth
07:40 < jtimon> demurrage encourages debtors to pay their debts
07:42 < jtimon> Mike_B demurrage is inspired by this book (parts 3 to 5): https://www.community-exchange.org/docs/Gesell/en/neo/
07:42 < Mike_B> jtimon: so let's assume freicoin has a 0% loss rate to make it simple
07:42 < Mike_B> and let's assume this is in the future when all coins are mined
07:42 < jtimon> take a look at part IV point 5 How Free-Money will be judged
07:42 < Mike_B> now, let's make the (silly) assumption that nobody is lending anything to anyone - that no debt exists. this is silly, but bear with me for a second
07:43 < Mike_B> under the assumption that there's no debt at all, do you agree that a 5% demurrage rate is exactly equivalent to a 5% rate of inflation?
07:43 < jtimon> ok, but just a second
07:43 < jtimon> uff
07:43 < jtimon> I have never thought about a world without debt
07:44 < jtimon> debt is not intrinsically bad
07:44 < jtimon> there's 0% interest debt too
07:44 < Mike_B> i'm just doing this to simplify the math
07:45 < Mike_B> we'll bring debt back into it in a second
07:45 < Mike_B> i just want us to get on the same wavelength first re: assumptions
07:45 < jtimon> yes, I guess in a world without financial markets, investors that borrow money, without IOUs, without time banks, etc...
07:45 < jtimon> inflation would be equivalent to demurrage
07:46 < jtimon> but I also think that the assumption is totally unrealistic
07:46 < Mike_B> so assuming there's no debt, or let's say "only 0% interest debt", then do you agree the following two scenarios produce exactly identical results?
07:46 < Mike_B> 1) take 5% of money out of circulation proportional to everyone's holdings, give it to some guy (a miner, a bank, whatever)
07:46 < Mike_B> 2) increase the money supply by 5%, give it to some guy (a miner, a bank, whatever)
07:46 < Mike_B> ok
07:46 < Mike_B> so now let's bring debt back into it
07:47 < jtimon> yes, the re-distribution part is equivalent
07:47 < Mike_B> say I borrow $100,000 from you to buy a house
07:47 < jtimon> we're talking usd, really?
07:47 < jtimon> why not a simpler currency like gold or bitcoin?
07:47 < jtimon> usd is very hard to understand
07:48 < jtimon> shells or gold in an island, please?
07:48 < Mike_B> so i have to pay you back that $100,000 over x years or whatever, let's even say there's 0% interest
07:48 < Mike_B> i just have to pay you back $100k
07:48 < jtimon> what do you mean by "there's 0% interest"?
07:48 < Mike_B> however, now the two scenarios are different
07:48 < jtimon> you want to lend me 100k usd at 0% why?
07:49 < jtimon> you should just keep them yourself
07:49 < Mike_B> 1) demurrage scenario: i get 5% taken out of my paycheck per year due to demurrage, so i actually have to make something like $105,000 just to pay back the $100,000
07:49 < jtimon> you won't gain anything by lending usd to me at 0%
07:49 < jtimon> no
07:50 < jtimon> if they were freicoins, for example, it could make sense for you to lend me 100k of them at 0% interest
07:50 < Mike_B> assuming i try to pay it back in one year
07:50 < jtimon> but I owe you 100k frc, not 105k
07:51 < jtimon> so if I make 100k frc I will call you as soon as possible to pay you
07:51 < Mike_B> aw man, i dropped
07:51 < Mike_B> jtimon: what was the last thing you heard from me?
07:51 < Mike_B> i was typing into the ether for a while
07:53 < jtimon> I've pasted it privately
07:54 < Mike_B> ok yeah so my connection was weird
07:54 < Mike_B> you saw stuff i was saying but it didn't send me anything you were saying
07:54 < Mike_B> jtimon: yeah so now that i have the full log, i'll clarify
07:54 < Mike_B> say i'm borrowing $100,000 worth of freicoin
07:54 < Mike_B> from you
07:54 < Mike_B> and the loan is denominated in freicoin
07:54 < Mike_B> ok?
07:55 < jtimon> ok
07:55 < Mike_B> and i'm going to pay you back in one year, and you're going to charge me 0% interest
07:55 < jtimon> ok
07:55 < jtimon> assuming constant frc/usd price?
07:55 < Mike_B> yeah
07:55 < Mike_B> let's just say it's 100k freicoins, whatever
07:56 < Mike_B> i dunno how much that is
07:56 < jtimon> me neither
07:56 < Mike_B> so under that scenario i owe you 100k freicoins, but because I lose 5% a year, i actually have to earn 100k/.95 = 105263 freicoins to have 100k left over after demurrage to pay you back
07:56 < jtimon> 400k frc i think
07:56 < Mike_B> agree so far?
07:56 < jtimon> but wait, did you borrow the frc to hard them?
07:57 < jtimon> hoard
07:57 < Mike_B> yeah, you're a bank and you're lending me freicoins to buy a house
07:57 < Mike_B> no, it's a loan
07:57 < jtimon> ok, you could have probably done something more productive but whatever
07:57 < Mike_B> you lend me them to start a business, i dunno
07:57 < Mike_B> point is i don't have it anymore
07:58 < jtimon> when you buy the house you stop paying demurrage
07:58 < Mike_B> jtimon: i don't stop paying demurrage because now i have to pay you back, and those payments come from my salary, and my salary is subjected to demurrage
07:58 < jtimon> why would the borrower pay demurrage?
07:58 < jtimon> but you don't receive your salary yearly do you?
08:00 < jtimon> whatever you pay back from the loan each month, you will want to pay it as soon as you receive your salary
08:00 < Mike_B> jtimon: hm, maybe i don't understand. does demurrage only take money out of each transaction, or out of your holdings as well?
08:00 < jtimon> from all outputs all the time
08:00 < Mike_B> ok but if i just have a million freicoins in a wallet and leave them there for 10 years and never move them around, they aren't touched?
08:01 < jtimon> of course they're touched
08:01 < jtimon> when you want to spend them in a year you will have 950,000 frc
08:01 < jtimon> approx
08:02 < Mike_B> ok so i thought you were saying it only comes from tx outputs
08:02 < Mike_B> and it's like 2^-20% per each output
08:02 < jtimon> the only way to dodge demurrage is spend, invest or lend
08:02 < jtimon> no, from every "account"
08:02 < jtimon> but there's really no accounts in bitcoin
08:02 < Mike_B> oh oh oh sorry
08:02 < jtimon> only public keys
08:03 < Mike_B> you meant it takes 2^-20% from the total set of utxo's
08:03 < Mike_B> i thought you just meant new utxo's from the current block
08:03 < jtimon> no, every block, the amounts in the utxo are reduced
08:04 < jtimon> well, we use a reference height for each transaction
08:04 < Mike_B> ok, so yeah, so then that's back to what i was saying before
08:04 < Mike_B> i owe you 100k and i have to pay it back over a year with 0% interest
08:04 < jtimon> and you calculate current_available_amount(refHeight, old_amount, current_block_height)
08:05 < jtimon> you have to pay me back the 100k in one payment or are you allowed to make 12 smaller payments?
08:05 < Mike_B> ok, i have to think about this
08:05 < jtimon> I recommend Gesell's book
08:06 < Mike_B> yeah, so if it's one large payment at the end of the year, i actually have to pay you 105263 freicoins
08:06 < jtimon> no
08:06 < Mike_B> like if i get paid all at once and save it for a year or something
08:06 < jtimon> say you get the loan and buy a house for 100 k
08:06 < jtimon> in one year, you sell the house for 100 k frc again and pay me back
08:07 < jtimon> but I think it will more typical that I allow you to pay me back gradually
08:07 < Mike_B> what's the block time for freicoin
08:07 < Mike_B> still 10m?
08:08 < jtimon> maybe I know I won't spend 120k frc I have soon and prefer to lend you
08:08 < jtimon> so that you pay me 10k frc a month back for the next year
08:09 < Mike_B> ok, i see what's happening now
08:09 < Mike_B> very interesting
08:10 < jtimon> that's what savers usually want, not spend now but spend in the future
08:11 < jtimon> https://www.community-exchange.org/docs/Gesell/en/neo/part4/5g.htm
08:19 < Mike_B> jtimon: ok, i'll think more about it
08:20 < Mike_B> interesting
08:27 < jtimon> cool, Mike_B I'm glad that you find the concept interesting
08:27 < jtimon> and I understand it is hard to digest
13:14 < maaku> <Mike_B> under the assumption that there's no debt at all, do you agree that a 5% demurrage rate is exactly equivalent to a 5% rate of inflation?
13:15 < maaku> No they are not the same. Demurrage is reflected immediately whereas inflation takes time to move through the economy (price updating, etc.)
13:16 < maaku> Which has real-world economic consequences, causing those close to the source of inflation (large investment banks with fiat, miners with cryptocurrency) to have significant unearned advantages over the little guy
13:19 < maaku> The purpose of Freicoin is to eliminate advantages the holders and creators of money have due only to the nature of money
13:19 < maaku> Which in the inflationary case, includes the temporal advantage of being close to the source of inflation
13:20 < maaku> That could alternatively be neutralized by having everyone everywhere continuously update prices with electronic counters, based on current inflation rates
13:21 < maaku> Or, as Freicoin does, just make the clearing house software update wallet balances by protocol. We found that to be the easier solution - build the fix into the nature of money itself.
13:29 < amiller> i just found the strangest paper.
13:29 < amiller> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.45.1255&rep=rep1&type=pdf
13:29 < amiller> it's by "Naoshi Sakamoto"
13:29 < nsh> mmm
13:30 < nsh> is real person i think
13:30 < amiller> meh i'm pretty sure it's a red herring
13:30 < amiller> it's not that interesting a find. oh well
13:30 < maaku> japanese is a sound-poor language
13:30 < maaku> it's not surprising
13:36 < gmaxwell> amiller: Do take care that you don't cause some poor dude to get hounded by the press.
17:10 < gmaxwell> Yea, I don't think I've seen any convincing evidence art was doing that. But it does make sense.
17:11 < gmaxwell> plus art always was a bit sneaky like that. :)
17:11 < Emcy> artforz was/is the Switzerland of cryptocoins
17:11 < gmaxwell> he's still on irc you know.
17:11 < gmaxwell> just hiding from the bitcoin channels.
17:11 < Emcy> keeps his nose out of pointless shit, skims a tidy living off everyone elses pointless shit
17:12 < iddo> gmaxwell: iirc you said once that scrypt isn't the best choice (to resist ASIC) because it's not so efficient for GPUs ? is there another hash function that works better on GPUs and is hard for ASIC ?
17:13 < Emcy> isnt choosing any hash function that is x arch resistant only really delaying the inevitable?
17:13 < gmaxwell> iddo: no function is hard for asics in a useful enough sense. I mean, what do you think gpus are made from? :P  At most you can do is try to reduce the specialization gap by making use of "all of the bison".
17:13 < phantomcircuit> <ecurrency> does any one have any idea why the latest version of bitcoind keeps stopping? Been trying to download the blockchain since yesterday and everytime I return I have to restart bitcoind (under ubuntu 12.04 (and 12.10))
17:13 < Emcy> in that if the coin succeeds then it fails cos someone will make hardware for it making it moot
17:13 < phantomcircuit> i've seen a number of people saying the same thing recently
17:13 < phantomcircuit> i wonder if there is someone running nodes that dont serve anything
17:14 < gmaxwell> phantomcircuit: they don't need to restart, they'll continue on the next block but they don't wait that long.
17:14 < Emcy> how simple a change would it be for the p2p to just pull a block each from all your connections in a round robin fashion?
17:14 < gmaxwell> phantomcircuit: presumably they are pulling from nodes whose operators shut them down because they get irritated by 1 second pingtimes.
17:15 < gmaxwell> which is what happens when someone pulls the chain from you and you have consumer DSL today.
17:15 < Emcy> as an interim. I got a feeling lots of nodes never finish bootstrapping which is a crying shame
17:17 < pigeons> this is one of Artforz's contributions to lolcust's forum a few months back now: http://dpaste.com/1493066/
17:17 < pigeons> I notice the forum isnt up at the moment
17:17 < maaku> phantomcircuit: is your clock synced?
17:17 < phantomcircuit> maaku, not my node :)
17:18 < Emcy> Colin Percival @cperciva 11 Mar
17:18 < Emcy> @shamoons I'd suggest talking to @solardiz about this -- my knowledge of how litecoin misuses scrypt comes mostly from him.
17:18 < Emcy> #iceburn #shotsfired
17:22 < Emcy> aw that quake bot story was fake
17:22 < Emcy> fucking internet
17:37 < jtimon> hehe, the bot world peace?
17:47 < warren> Emcy: Colin Percival is both correct and wrong about misuse.
17:47 < warren> Emcy: scrypt was designed for passwords.  scrypt in Litecoin is crappy for passwords.  It is good for fast validation
17:48 < warren> Emcy: we don't care about passwords
18:03 < Luke-Jr> Emcy: the goal would be to make it *just as easy* for CPUs/GPUs as it is for custom ASICs
18:03 < Luke-Jr> Emcy: but that has some practical concerns still
18:03 < Luke-Jr> you cannot make ASICs hard (relatively), so you just have to make something else just as easy
18:04 < Luke-Jr> now that SHA256d has lots of custom ASICs, it is essentially at that point
18:25 < andytoshi> because schnorr signatures can be used additively, is it true that multisig transactions would look identical to single-sig ones?
18:25 < andytoshi> and in particular, coinswap could be done without anything looking odd
18:25 < andytoshi> (if bitcoin used schnorr)
18:33 < gmaxwell> andytoshi: 12:05 < gmaxwell> petertodd: if we used schnorr then 2 of 2 multisig txn would be indistinguishable from regular transactions.
18:33 < gmaxwell> yea, I'd made that same point before.
18:33 < gmaxwell> It's a big advantage for privacy IMO.
18:34 < gmaxwell> somewhere on my todo list I have actually implementing that for ed25519 to confirm that it works, and that nothing in ed25519 breaks it.
19:01  * andytoshis-logge is logging
19:07 < firepacket> wow this channel is pretty awesome. has anyone ever thought of a pow based on some kind of turing test? would it be possible?
19:08  * andytoshi-logbot is logging
19:08 < maaku> firepacket: sorry, that doesn't even make sense
19:08 < sipa> firepacket: that would require a human to validate...
19:09 < andytoshi> firepacket: the closest thing to a turing test used today are captchas, and i think machines are better than humans at that anyway ;)
19:09 < firepacket> yes it would
19:09 < firepacket> machines are better at solving captchas?
19:09 < firepacket> why would it be a problem? it would employ humans for a pay check
19:09 < firepacket> it would prevent consolidation
19:10 < sipa> what is 'it'?
19:10 < sipa> who creates the problems?
19:10 < andytoshi> also limiting miners to humans with way too much free time would definitely cause consolidation
19:10 < firepacket> a computer would have to generate the problem
19:10 < firepacket> im not sure how
19:10 < sipa> which computer?
19:11 < firepacket> not sure
19:11 < firepacket> it could be generated based on information from the last block
19:11 < sipa> please think about those things more first :)
19:12 < firepacket> it could also be generated using the chosen nonce
19:12 < sipa> i don't think you understand the problem
19:13 < sipa> the computer that generates the problem can trivially solve it
19:13 < sipa> as it knows the answer
19:13 < sipa> and there is no way to validate that a human-generated solution is right without knowing the real answer already
19:14 < firepacket> maybe validating other peoples tests could be the test itself
19:14 < sipa> come back when you have actual ways to deal with this :)
19:14 < michagogo|cloud> firepacket: Do you know what the properties that a PoW system needs to have are?
19:14 < michagogo|cloud> (I suspect not)
19:15 < sipa> not "maybe we could do something *handwaving* X"
19:16 < firepacket> i was just wondering if anyone had ever thought of it
19:16 < firepacket> i mean captcha still seems to work
19:16 < michagogo|cloud> ...no, because it can't be done
19:17 < firepacket> alright.
19:17 < michagogo|cloud> Yes, captchas are useful for many things
19:17 < michagogo|cloud> PoW isn't one of those things.
19:18 < Luke-Jr> captchas are useful for what exactly?
19:18 < firepacket> ensuring a human is present
19:18 < Luke-Jr> they seem to keep humans out better than bots
19:18 < firepacket> well, in reality it just spawned a captcha solving industry
19:18 < firepacket> that the bots use
19:18 < firepacket> but it still limits you to the number of people on earth at any given time
19:19 < Luke-Jr> I have to try like 4 or 5 times to solve captchas
19:20 < michagogo|cloud> Well, some captchas are better than others
19:20 < firepacket> googles are the worst
19:20 < maaku> firepacket: the point is i don't think you understand the purpose of a proof-of-work
19:20 < michagogo|cloud> I'm usually able to get recaptchas first try
19:20 < maaku> the intent is not to determine if there is a live human on the other side
19:20 < michagogo|cloud> (it helps that recaptcha is also somewhat flexible in certain ways)
19:21 < firepacket> maaku: what don't i understand?
19:21 < maaku> <maaku> the intent is not to determine if there is a live human on the other side
19:21 < firepacket> maaku: I know that is not the primary intent, but it could be helpful if the goal is to resist asics
19:21 < maaku> 1) the goal is not to resist asics
19:21 < maaku> 2) it's not the intent *at all*
19:21 < Luke-Jr> firepacket: that's a bad goal
19:22 < andytoshi> firepacket: why is asic resistance a goal?
19:22 < firepacket> or colsolidation rather
19:22 < andytoshi> i am genuinely curious as to the mindset behind this..
19:22 < firepacket> consolidation*
19:22 < firepacket> if all *humans* in the world were able to help verify bitcoin transactions and get paid to do so from anywhere in the world
19:22 < firepacket> how would not that help promote diversity?
19:23 < firepacket> it also gives us clear sides when the machines attack
19:23 < hno> humans very often fail to follow even basic rules.
19:24 < firepacket> i didnt say we should trust them
20:06 < Mike_B> has anyone thought about forking ripple and turning it into a decentralized forex exchange?
20:06 < Mike_B> like a really decentralized one
20:06 < Mike_B> i guess that'd be really hard to do though
20:07 < Mike_B> given the best way i know to decentralize ripple is to get away from consensus and go back to pow
20:07 < Mike_B> and then trades take 60m to confirm
20:08 < gmaxwell> Mike_B: you can make pow much faster than bitcoin if you don't care about decentralization of the network... though never as fast as a non-anonymous system.
20:08 < gmaxwell> Mike_B: e.g. you control the difficulty to achieve a constant orphan rate, instead of constant time.
20:09 < gmaxwell> it's still slower because you need settling time because you don't know if there is a hidden majority.
20:09 < gmaxwell> whereas in a non anonymous network the majority can never be hidden.
20:11 < Mike_B> right
20:11 < Mike_B> i was thinking about how a decentralized exchange would work
20:11 < Mike_B> to stop the government from going after gox and bitstamp or whatever
20:12 < Mike_B> and it seems to me that this problem is just as hard as making a cryptocurrency where transactions don't take 10m to hit the blockchain
20:12 < gmaxwell> but you can't really do that in any case.
20:12 < Mike_B> unless you want trades to take place quickly
20:12 < gmaxwell> US is not a cryptocurrency.
20:12 < Mike_B> yeah of course
20:12 < gmaxwell> Creating a US crypto currency is almost certainly unlawful, and anyone issuing US crypto notes in the past has been shut down.
00:49 < BlueMatt> that way if any alts pop up that get too big, we can just step in and shut down their networks with the bloom /0 bug
00:51 < andytoshi> hmm, this sounds like a slippery slope to actually becoming the illuminati
00:51 < nsh> wait, i thought that was the plan?
00:51 < andytoshi> yeah, i guess i could live with that :)
00:51 < BlueMatt> nsh: shhhhh
00:51  * nsh smiles
00:52 < nsh> BlueMatt, what's required for altcoin builder?
00:52 < BlueMatt> me spending a night and learning bootstrap and then y'all advertising it
00:52 < nsh> i've been semirecruited for a somewhat similar venture, so might be able to help
00:54 < BlueMatt> not sure what you're offering here...
00:54 < nsh> neither do i, it's fine
00:54 < BlueMatt> heh, ok
00:55 < nsh> "Summary: Remote p2p crash via bloom filters"  is that the bloom /0 bug?
00:55 < BlueMatt> yup
00:55 < nsh> ah, *reads*
00:55 < BlueMatt> yours truly cant code
00:56 < nsh> ah, it's just a case of iterative failure most of the time
00:56 < gmaxwell> wasn't your fault in coding it, there is one of you and more people than you reviewed it.
00:56 < gmaxwell> crashbugs are the fault of the reviewers.
00:56 < nsh> idd
00:56 < gmaxwell> :P
00:57 < nsh> has there been any exploitation of it?
00:57 < nsh> i don't recall hearing about it until now which is a good sign
00:57 < BlueMatt> you cant really exploit it, just crash the node
00:57 < nsh> that's what i meant, sorry
00:57 < BlueMatt> ideally someone will step up and kill nodes to force upgrades slowly
00:57 < nsh> i'd volunteer, but...
00:57 < nsh> :)
00:57 < BlueMatt> ie kill a few nodes a day until there are no more nodes with the bug running
00:58  * nsh nods
00:59 < nsh> they'll turn over eventually. plenty worse vulns out there...
00:59 < nsh> 28 million open DNS resolvers on the internet or something
01:09 < BlueMatt> well, sure
01:10 < BlueMatt> not my job to fix the internet though, I just need to fix bitcoin
01:16 < nsh> true
02:16 < maaku> i wish there was someone whose job it was to fix the internet
02:16 < BlueMatt> there may be a few of those...
03:43 < gmaxwell> petertodd: I see you changed to SIGHASH_NONE in dust-b-gone, now you need to automatically feed the dust-b-gone data into andy's tool when there is an open cj.
03:43 < gmaxwell> though I expect andy's joining will need to be taught to not strip that signature. :P
03:48 < gmaxwell> andytoshi: ^ PT's dustbegone now generates transactions which spend dust coins (ones with very low value) with the sighash flags set to NONE|ANYONECANPAY  if you supported these being submitted to you, you could have people one-pass give away coins to the join.
12:30 < andytoshi> gmaxwell: cool, i'll definitely check this out
12:31 < andytoshi> how much of OP_CHECKSIG do i need to implement to find the hash byte?
12:46 < andytoshi> ah, i see, none -- the wiki is just worded weirdly
13:31 < midnightmagic> petertodd: Does this mean I'm updating dust-b-gone?
13:32 < andytoshi> midnightmagic: latest commit was dec 19
13:33 < midnightmagic> guess so then.
13:41  * nsh imagines dust-b-done being advertised as a 1950s style household cleaning product with subtle sexual undertones
13:41 < nsh> *gone
13:59 < andytoshi> ok, i have updated coinjoin so that it won't strip signatures in the specific case that sighash is NONE|ANYONECANPAY
13:59 < andytoshi> petertodd: if you want to throw dust in the joiner, you will also have to add an output to the donation address to indicate that it should all go to fees
14:00 < andytoshi> CodeShark: maybe this gives you a way to preserve your multisig information? if you can make your scriptSigs look like an ordinary NONE|ANYONECANPAY sig then the joiner won't wreck them
14:17 < andytoshi> (if the scriptSig starts with a PUSHDATA, coinjoin just jumps to the end of the data and reads that byte as a hashType)
14:35 < midnightmagic> andytoshi: Is there a way I can fire off dust txes into the next coinjoin tx on the command-line?
14:35 < midnightmagic> :-D
14:36 < midnightmagic> I seem to get a lot of dust. It's pretty annoying
14:36 < maaku> midnightmagic: sign it away NONE|ANYONECANPAY
14:37 < maaku> actually, make a transaction paying to the fee address, and sign with NONE|ANYONECANPAY
14:37 < maaku> then submit it as a usual coinjoin transaction
14:37 < midnightmagic> hrm
14:38 < andytoshi> midnightmagic: the POST form on the coinjoin site is dead simple, you can probably use curl
14:38 < andytoshi> it doesn't report errors in a super simple-to-parse way.. so don't make mistakes ;)
14:38 < midnightmagic> ok
14:38 < andytoshi> you can read the current status in text https://www.wpsoftware.net/coinjoin/status.php
14:39 < andytoshi> one moment, i'll pastebin the source of that file so you can see all possible outputs
14:40 < BlueMatt> anyone looked into the network fork?
14:40 < andytoshi> http://pastebin.com/nYLHDMfM
14:40 < andytoshi> BlueMatt: i'm reading all the txouts right now, haven't seen any weird ones
14:41 < andytoshi> there are a few massive txs
14:41 < andytoshi> eg 057f800f430b22417bdf829d16e78393249634d5409c36b63f058c1a2b54fcf1
14:41 < andytoshi> is about 64k
14:42 < BlueMatt> which block is this?
14:42 < andytoshi> block 277596 is 0000000000000001947cc7acbbc9a240517f9ba19c16b4f937795c6b58019fb5
14:42 < andytoshi> bc.i and blockexplorer are stuck at 277595
14:42 < BlueMatt> bc.i isnt anymore
14:42 < BlueMatt> yea
14:44 < maaku> ;;cjs
14:44 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
14:46 < andytoshi> i've found 2 now which exceed 64k, which makes bash whine at me..idk if 64k is a magic number for anything else
14:46 < andytoshi> make that 3
14:46 < andytoshi> 5
15:10 < justanotheruser> Whats all this I'm hearing about 277596
15:15 < nsh> it's the new magic number. three has retired
15:29 < Emcy> whats interesting about that block
15:33 < andytoshi> Emcy: on #bitcoin-dev they are discussing it, appears to be just a communication problem around an ordinary reorg
15:35 < BlueMatt> Emcy: not even communication, just a reorg
15:41 < midnightmagic> andytoshi: Hey I think your .onion hidden site doesn't work with the /coinjoin/ action. nginx says file not found.
15:42 < andytoshi> oh, thanks
15:42 < andytoshi> fixed
15:43 < Emcy> andytoshi i got it
15:43 < Emcy> big reorg tho
15:44 < Emcy> that guy limiting his blocks to 32kb wtf
15:51 < andytoshi> fyi there is a new paper on bitcoin mining vulnerabilities out: http://eprint.iacr.org/2013/868.pdf
15:52 < andytoshi> which we may get swamped by over the next few days
15:52 < andytoshi> it starts by assuming an attacker can communicate with every miner faster than they can communicate with each other
15:53 < andytoshi> the top of page 3 invokes the sunk cost fallacy as some sort of determiner of miner behavior, so i stopped reading there
15:54 < BlueMatt> so...same assumption as many other attacks on mining stuff...
15:59 < Emcy> isnt the biggest predictor of miner behavior the fire and forget factor
16:03 < BlueMatt> in other words we need to further encourage mining pool peering even though it already exists pretty extensively for the largest ones afaiu
16:05 < Emcy> why? it reorged fine
16:05 < BlueMatt> re: the paper, not the reorg
16:05 < Emcy> oh
16:23 < midnightmagic> lol
16:25 < phantomcircuit> BlueMatt, re: super old stale block
16:25 < phantomcircuit> some mining hardware fails to flush when the network finds a new block
16:25 < phantomcircuit> so they can submit shares for minutes and minutes after the pool has updated
16:25 < nsh> sacrifices to the fallen CPU miners
16:26 < nsh> pour out some hashes for your homies
16:26 < phantomcircuit> smarter pools publish the block on the off chance it's accepted
16:34 < midnightmagic> lol
16:38 < BlueMatt> phantomcircuit: does that effect the paper or just random statement of dumb mining hardware?
16:38 < phantomcircuit> BlueMatt, i was commenting on the recent fork
16:38 < BlueMatt> ahh
16:38 < BlueMatt> Im not even sure this is the case here
16:39 < phantomcircuit> BlueMatt, just the terrible operator with his terrible connection
16:40 < phantomcircuit> also the stuff about chinese internet being terrible is true but im sure he can afford a real connection
16:40 < phantomcircuit> it doesn't even have to be that big
16:40 < midnightmagic> andytoshi: Okay, I'm attempting to submit a transaction to the coinjoin interface consisting of 0.00000004 btc, with the sum being completely "donated" to the fee address. It's telling me my inputs are not valid, usually meaning they've already been spent.
16:42 < BlueMatt> he limits his blocks so he can relay with 1 udp packet....
16:42 < BlueMatt> I mean thats just overkill no matter how shitty your connection is...
16:42 < phantomcircuit> that's just silliness
16:42 < phantomcircuit> im sure he has the bandwidth but his latency is probably terrible
16:43 < phantomcircuit> also i wonder if he remembers to retransmit
16:43 < phantomcircuit> im guessing no
16:44 < BlueMatt> probably not
16:50 < andytoshi> midnightmagic: can you msg me the tx?
16:51 < andytoshi> or just the input ids?
17:12 < midnightmagic> andytoshi: sure
22:18 < phantomcircuit> huh
22:18 < phantomcircuit> sitting here it just hit me why a deflationary spiral is a non sequitur with bitcoin
22:19 < phantomcircuit> risk of collapse makes the issue of people as a whole "hoarding" bitcoins impossible
22:19 < phantomcircuit> ironic
22:30 < gmaxwell> the point I like to make is one that I don't have a succinct expression of yet...
22:31 < gmaxwell> which is that you can only use that as an argument against any deflationary asset existing, since any "deflationary spiral" 'risk' exists if you use it or not.
00:09 < jgarzik> petertodd, It does need a blockchain piece to ensure a single identity is committed to that
00:09 < jgarzik> petertodd, without a chain, someone could create any number of root records for a given sacrifice pair
00:10 < jgarzik> petertodd, is there any issue beyond that?
00:11 < petertodd> jgarzik: just sent you my reply
00:17 < jgarzik> petertodd, OP_RETURN <txid> seems sufficient proof in the future, if you provide the serialized TX later? by broadcast perhaps ;p
00:19 < jgarzik> petertodd, I do agree that OP_RETURN <master pubkey digest> makes life much easier
00:22 < petertodd> jgarzik: but the txid doesn't prove that the serialized tx was available to anyone but you to mine
00:22 < petertodd> jgarzik: I could never broadcast the txid, and with my 5% hashing power just wait until I find a block
00:24 < petertodd> or even almost zero hashing power if I'm willing to fail the first few times, at no cost other than the fees associated with TX1
00:28 < jgarzik> petertodd, oh, I see your point, agreed
00:29 < petertodd> jgarzik: you're just trying to get around how few people want to allow large OP_RETURN data payloads aren't you?
00:33 < jgarzik> petertodd, yes :)
00:34 < jgarzik> petertodd, having to broadcast the entire tx is burdensome
00:35 < jgarzik> s/broadcast/encode in another tx that is broadcast/
00:35 < petertodd> jgarzik: indeed, but there is no other way
00:35  * jgarzik nods
00:35 < petertodd> jgarzik: also don't forget to take into account signature mutability
00:36 < petertodd> jgarzik: the mined tx might not be identical to the announced one; make sure they spend the same inputs
00:38 < petertodd> adam3us: is http://eprint.iacr.org/2007/433.pdf the state of the art in combining multiple proofs of work?
00:39 < petertodd> adam3us: I could use a scheme to combine proofs-of-* arbitrarily to keep proof size down, but it strikes me as an inherently difficult problem if the proofs are arbitrary
00:41 < adam3us> reading paper, not seen before
00:41 < petertodd> adam3us: thanks
00:48 < adam3us> btw you know multi-sub-puzzle approaches to lower variance are a problem because they create progress, and for bitcoin you can't have progress, or powerful nodes/miners win disproportionately to their power (even more than the proportion their power is higher than a less powerful node)
00:48 < petertodd> for sure; I have very different application in mind
00:49 < amiller_> yeah i know that paper
00:50 < amiller_> the thing is bitcoin is *not* actually based on a proof of work
00:50 < amiller_> it's based on something else!
00:50 < amiller_> the ideal proof of work (like the one in this constant-verification-effort) is that it takes *precisely* a certain amount of work to complete
00:50 < petertodd> what would you describe what bitcoin is based on?
00:50 < amiller_> but it's more important in bitcoin that the puzzle acts like hashcash rather than that
00:50 < petertodd> s/what/how/
00:51 < amiller_> it has to have high variance and really small trials
00:51 < amiller_> it's better described as a lottery than a proof of work
00:51 < petertodd> "proof-of-ticket-purchase"
00:51 < amiller_> yeah
00:51 < petertodd> "proof-of-wager"
00:51 < petertodd> "proof-of-gambling-problem" :P
00:52 < amiller_> this guy dave levin i've been talking with has some interesting, one thing he likes he calls the 'alibi' problem
00:52 < petertodd> ?
00:52 < amiller_> basically it's easy to prove something happened, but it's harder to prove something didn't happen
00:53 < petertodd> hence the UTXO proof stuff...
00:53 < amiller_> you can do it exhaustively by showing every single thing that *did* happen and showing that a bad thing is not included
00:53 < jgarzik> petertodd, Updated and simplified design, https://en.bitcoin.it/wiki/Identity_protocol_v1    Thanks for the assist.
00:53 < petertodd> or the double-spend problem in general
00:53 < amiller_> but the alternate is to show an "alibi"
00:53 < amiller_> so every time you spend a hash mining on a block, that's a hash that's *definitely* not for some *different* block
00:53 < amiller_> merge mining is sort of the opposite idea though which is interesting too
00:54 < petertodd> so that means that a convincing proof-of-non-double-spend would be to somehow show that all the available hashing power was doing something else
00:54 < amiller_> right
00:54 < amiller_> if suddenly the observed hashpower rate drops by 70%
00:54 < amiller_> then it should be really concerning to everyone
00:54 < amiller_> where did that hashpower go and what's it doing
00:55 < amiller_> but as long as all the asics we estimate have been produced are accounted for you know they're not doing anything else
00:55 < amiller_> something like that
00:55 < petertodd> yeah, yet that's always fuzzy, because there is no engineering way to achieve consensus quickly in a distributed network, let alone a decentralized one
00:56 < petertodd> jgarzik: I have a few edits
00:57 < amiller_> hm, this proposal is pretty neat actually
01:00 < petertodd> jgarzik: also, code wise, you planning on implementing a library or adding it to an existing one or what?
01:01 < petertodd> amiller_: it'll be very interesting to see how the social dynamics of proof-of-sacrifice SINs work out
01:02 < petertodd> amiller_: and Freenet among others need them
01:02 < amiller_> yeah.
01:02 < amiller_> it'll be the first new hat in the ring in a long time as far as identities go
01:03 < amiller_> well, besides vanity addresses
01:03 < petertodd> Reminds me: I was thinking that for a lot of social applications the correct metric to compare different sacrifices is probably value*time
01:04 < petertodd> Like, for anti-spam you want to reward the identity that has been around the longest, not just that has sacrificed the most.
01:04 < petertodd> Or if you are trying to figure out which GPG key is probably correct. (in the absence of a consensus key-value store of course)
01:05 < amiller_> there's all sorts of other subtle cues like
01:05 < jgarzik> petertodd, code-wise, the first will be a minimal command line tool just to prove it works
01:05 < amiller_> if it's been in forum sigs on the wayback machine, famous tweets, etc
01:06 < petertodd> jgarzik: cool; I was intending to put fairly generic proof-of-sacrifice code under my yet-to-be-written trustbits library
01:06 < jgarzik> petertodd, thus "version 1"
01:07 < petertodd> jgarzik: "1" is a bit ambitious IMO :P
01:07 < petertodd> jgarzik: version 0
01:07 < jgarzik> petertodd, This is just to get something out there that works.  I imagine a version 2 will appear within 12 months, if people like the concept
01:07 < jgarzik> ;p
01:08 < petertodd> jgarzik: Yeah, mainly I'm thinking to make sure we don't wind up with a bunch of subtly different sacrifice techniques...
01:08 < jgarzik> petertodd, feel free to edit if you think I won't yell and complain ;p
01:14 < petertodd> jgarzik: "Hyphenate or space SIN for easier human reading" <- tricky because base58 has inconsistent length
01:15 < jgarzik> petertodd, IMO it is needed, even so
01:17 < jgarzik> petertodd, disagree with that last.  it should be a miner's fee.
01:18 < petertodd> jgarzik: but then you have to provide proofs of tx existence for every input
01:18 < adam3us> seems to me this paper  http://eprint.iacr.org/2007/433.pdf does not use partial collisions internally
01:18 < petertodd> adam3us: what do you mean by internally?
01:18 < adam3us> it does not even mention partial collisions in their proposed merkle
01:19 < adam3us> i mean the merkle tree hashes below root
01:19 < adam3us> or even in the root
01:19 < adam3us> maybe its unstated assumption?
01:19 < petertodd> jgarzik: although, brainfart, it should be <digest> OP_TRUE in that case
01:19 < adam3us> otherwise it seems to scale to a lot of work you have to have a massive merkle tree that barely fits in ram
01:20 < petertodd> adam3us: I read that as an unstated assumption; it's a mechanism to combine multiple partial collisions
01:20 < adam3us> they talk about a slower hash as an option, but that slows down the verifier
01:20 < jgarzik> petertodd, miner's fee is a requirement.  Can be on T1 if not T2.
01:20 < petertodd> jgarzik: No, the miners fee or anyone-can-spend has to be on T2, because T1 can be mined for free with patience.
01:21 < jgarzik> true
01:21 < adam3us> petertodd: i think they are aiming for space optimality and so maybe they don't like that because if you have internal node including sub-collisions you have to encode the ones you disclose in the P.log(N) nodes in the proof
01:22 < jgarzik> petertodd, OP_TRUE is anyone-can-spend?
01:22 < adam3us> but that would make sense and then you could view their advance as to say that you can more efficiently encode multiple sub-puzzle solutions via their approach to select which sub-puzzles to disclose based on the root hash
01:22 < jgarzik> petertodd, additional, I was trying to think of a way to use 100% standard transactions, perhaps with multisig abuse
01:23 < petertodd> jgarzik: yeah, technically it can be just <digest> but an anyone-can-spend IsStandard() thing would want to add the OP_TRUE so that <digest> can be non-true and to prevent mistakes
01:23 < petertodd> adam3us: yeah, I read it as more of a "I did all this work, and I'm revealing some of it in a way where I can't do less of that work and get away with it"
01:23 < petertodd> jgarzik: I really think we should avoid that...
01:24 < petertodd> jgarzik: just make OP_RETURN with a reasonable payload IsStandard()
01:25 < petertodd> jgarzik: note BTW that a miner can spend an anyone-can-spend output really cheaply: scriptSig="", scriptPubKey=OP_RETURN, value out=0, thus turning the into into fees and sending it to the coinbase
01:26 < petertodd> *thus turning the input into fees
03:12 < Luke-Jr> <.<
03:12 < realazthat> "Add your signatures"
03:13 < realazthat> doesn't that take away the old signature?
03:13 < Luke-Jr> not necessarily
03:13 < Luke-Jr> every input has a signature
03:13 < realazthat> right
03:14 < realazthat> mmm, I am just forgetting the protocol
03:14 < realazthat> what ensures that the output is not forged?
03:14 < realazthat> I'll just look that up
03:14 < Luke-Jr> realazthat: you check it before signing :P
03:15 < realazthat> heh, I implemented a blockchain parser to figure all this stuff out
03:15 < realazthat> but I forgot some details already
03:18 < realazthat> Luke-Jr: so if you could remind me (since you are trying to be distracted anyway, I don't feel bad wasting your time), what stops a client that sees a tx from modifying the outputs?
03:18 < Luke-Jr> realazthat: the signatures include a hash of the outputs
03:24 < realazthat> oh I think I remember now
03:24 < realazthat> the inputs' scripts are written so that they strip all the other inputs and include the outputs
03:24 < realazthat> and they hash that
03:25 < Luke-Jr> yes
03:25 < realazthat> so how do we "fix" this when combining?
03:26 < realazthat> oh ah
03:26 < realazthat> does it go back to the originator who then resigns it?
03:26 < realazthat> and then back to you
03:26 < realazthat> and you resign it
03:27 < realazthat> if that's the way it works, then I think I at least understand it conceptually :D
03:44 < zooko> Here's what I did tonight instead of understanding this channel's conversation: https://twitter.com/zooko/status/340010405525061632
03:46 < realazthat> lol
03:47 < realazthat> is that a safe use of random?
03:48 < realazthat> I would use pycrypto or somesuch
03:48 < Luke-Jr> realazthat: the signing is p2p :p
03:48 < realazthat> Luke-Jr: is it how I described?
03:48 < Luke-Jr> almost
03:49 < Luke-Jr> each change is rebroadcast, and everyone participating in it has to resign
03:49 < realazthat> right
03:49 < Luke-Jr> but they don't need to resign in any specific order
03:49 < realazthat> right
03:49 < realazthat> yeah I get it
03:49 < realazthat> I am wondering if I could do this all via the rpc
03:49 < Luke-Jr> probably
03:49 < realazthat> because I haven't touched bitcoin source itself
03:49 < realazthat> yeah I know how to construct the txs
03:49 < realazthat> so I think I can
03:50 < realazthat> mmm
03:50 < realazthat> but does this allow some sort of DOS
03:51 < realazthat> because how do peers know to resend a ctx if some of the sigs are missing/bad
03:51 < realazthat> a valid tx makes sense to rebroadcast
03:51 < realazthat> a half valid tx ...
03:51 < realazthat> I guess if the peer knows the original ctx, and the new one, and sees that you combined
03:52 < realazthat> then it is worthy to rebroadcast
03:59 < zooko> realazthat: good question. It would be unsafe if it were "random.choice" or "random.Random".
03:59 < zooko> But it is "random.SecureRandom", so it is safe.
03:59 < zooko> I wouldn't recommend relying on pycrypto...
03:59 < zooko> Goodnight!
04:00 < realazthat> random.SystemRandom
04:00 < realazthat> "The generators of the random module should not be used for security purposes. Use ssl.RAND_bytes() if you require a cryptographically secure pseudorandom number generator.
04:00 < realazthat> "
04:01 < realazthat> - py.random docs
05:55 < wumpus> the advantage of using SSL random is that it is more portable, it is secure even on systems that have insecure system random generators
05:56 < wumpus> and you can feed arbitrary additional entropy sources into SSL
12:44 < realazthat> wumpus: so random.SystemRandom is fine?
12:44 < realazthat> except for those advantages?
12:44 < realazthat> I would be suspicious of side-channel attacks :/
12:44 < realazthat> and just assume SSL does the most magic that it can
12:45 < realazthat> openssl
12:45 < realazthat> and hi wumpus :D
12:47 < wumpus> nah if random explicitly warns against using it for security you should likely heed that warning
12:47 < wumpus> hi realazthat
12:59 < zooko> There may be some confusion here. There is an explicit warning against using random.Random, not random.SystemRandom.
13:03 < realazthat> mmmm
13:03 < realazthat> "generators of the random module should not be used for security purposes"
13:03 < realazthat> dunno ...
13:03 < realazthat> random module
13:04 < realazthat> bad source of randomness is notorious for side-channel attacks
13:04 < realazthat> even if it is system
13:04 < realazthat> unless it is explicitly meant for crypto, I would not trust it
13:05 < realazthat> anyway
13:05 < realazthat> I don't think your program is susceptible
14:13 < realazthat> mmm
14:13 < realazthat> now that I think about it, if you use SCIP for proof of work in a blockchain, it doesn't really matter if there is a faster way to solve the problem; you must run the program
14:14 < realazthat> no?
14:16 < realazthat> or is that not a guarantee
14:33 < gmaxwell> realazthat: they can just simplify the SCIP computation. :)
14:34 < realazthat> yeah but it's at least O(T), no?
14:34 < realazthat> oh
14:34 < realazthat> mmm
14:34 < realazthat> if T is less
14:35 < realazthat> then maybe SCIP is less, is what you're saying?
14:35 < realazthat> gmaxwell: are you certain about that?
14:36 < realazthat> basically, to rephrase question:
14:36 < realazthat> Is there a guarantee that there is no way to generate sig if a correct answer is otherwise found in a quicker manner than running `P`, the original, via running `Q` instead.
14:57 < Luke-Jr> I don't think SCIP supports sleep() :P
14:57 < Luke-Jr> almost certainly not random
14:58 < realazthat> mmm
14:58 < realazthat> that's beside the point
14:58 < realazthat> but anyway it does support random AFAICT
14:58 < realazthat> because you can have that as input
14:58 < realazthat> ie. int[] randoms
14:58 < realazthat> and input can be private
14:58 < realazthat> my point is,
14:59 < realazthat> can you do BogoSort
14:59 < realazthat> and force him to actually do bogosort
14:59 < Luke-Jr> but you can't guarantee the input was chosen randomly
14:59 < realazthat> or can he do an optimal sort instead
14:59 < realazthat> oh yeah
14:59 < realazthat> probably not
14:59 < realazthat> but again, I don't see how that answers or relates to the question I am asking
21:02 < warren> http://www.coinchoose.com/charts.php  <--- looks scary, suggesting a lot of people are assigning stupid value to scam coins
21:02 < warren> but the methodology is wrong, the alts are a lot smaller than this chart suggests
21:46 < petertodd> warren: remind me to start an altcoin called "OneCoin" that has exactly one coin, just so I can claim it has a much higher OneCoin/USD ratio than Bitcoin itself
21:49 < Luke-Jr> ask them to replace BTC with kBTC
21:49 < Luke-Jr> <.<
21:54 < realazthat> ohcool
21:54 < realazthat> I'm gonna email eli
22:57 < zooko> Okay I finished reading http://pastebin.com/Rj4bshY3
23:51 < realazthat> mmm
23:51 < realazthat> just sent email
--- Log closed Fri May 31 00:00:51 2013
--- Log opened Fri May 31 00:00:51 2013
00:01 < realazthat> mmm
00:02 < realazthat> gmaxwell: eli mentions implementing something analogous to zerocoin
00:02 < realazthat> what is your opinion on that?
00:08 < petertodd> zooko: thoughts? like a better name than pos-key-value?
00:09 < petertodd> zooko: come up with a good one or it's gunna be zookey
00:09 < zooko> Haha!
00:09 < petertodd> zookeydns!
00:10 < petertodd> Hmm... actually, overruled, it's now zookey
00:10 < zooko> Well, I didn't understand all of it.
00:10 < zooko> Haha!
00:10 < zooko> Very funny
00:10 < zooko> I'm honored.
00:10 < petertodd> What didn't you understand?
00:10 < zooko> So, I was chatting in here with gmaxwell about some relatedish topics, IIUC.
00:10 < petertodd> At least I didn't name it zooko^2...
00:10 < zooko> Namely, the possibility of a rebooted and improved Namecoin.
00:10 < petertodd> ...which should be done
00:11 < petertodd> ooh, zookeyv has a nice ring to it
00:15 < zooko> Let's see... I didn't fully understand why a Bitcoin or Bitcoin-like thingie would be necessary or useful for this catalog of identities.
00:15 < zooko> Also, I think the notion of "identity" that was being discussed, especially by jgarzik is underspecified and maybe not that useful.
00:16 < zooko> Sorry for the delay -- there is a security investigation ongoing here and I'm trying to ignore it and have fun hacking instead.
00:16 < petertodd> Fun...
00:16 < petertodd> Well, it all boils down to a global consensus on a mapping of keys to values right?
00:16 < petertodd> So zookeyv is just that mapping, which can be used for a lot of things.
00:16 < petertodd> How do you come to a global consensus? Voting. We know of no other way.
00:17 < zooko> Okay, so that is what I have always perceived as the core usefulness of Namecoin.
00:17 < zooko> I'm not sure what you mean by "voting". My answer would be "Bitcoin".
00:17 < petertodd> How do we vote? Proof of work; proof of sacrifice is really just transferable proof of work.
00:17 < petertodd> See, this could be implemented directly on Bitcoin, but then people would try to kill me.
00:18 < zooko> ;-)
00:18 < petertodd> Specifically gmaxwell, and he knows where I live.
00:18 < zooko> Okay, so my answer would be "The Bitcoin Idea".
00:18 < zooko> Which is the first plausible global consensus system.
00:18 < petertodd> Indeed, and once you have one global consensus system, you don't need any more.
00:18 < zooko> I think there are more options than proof-of-work, proof-of-sacrifice...
00:18 < petertodd> There's proof-of-stake
00:19  * zooko nods.
00:19 < petertodd> ...and really proof-of-stake is proof-of-work done in the past.
00:19 < zooko> Okay, so suppose we're going to maintain a k-v mapping with global consensus.
00:19 < petertodd> *proof-of-work-done-in-the-past
20:38 < warren> you folks manage to get it? I have westlaw and lexis access right now
20:40 < phantomcircuit> warren, i have it but scribd doesn't like me
20:43 < phantomcircuit> gmaxwell, http://198.27.67.106/hashfast.pdf
20:43 < gmaxwell> phantomcircuit: Can I post that URL on the forum?
20:44 < warren> from PACER?
20:44 < phantomcircuit> gmaxwell, sure
20:44 < gmaxwell> Thanks.
20:45 < phantomcircuit> warren, yes
20:45 < warren> well, good luck to them on getting their BTC back... USD value seems more likely
20:47 < phantomcircuit> warren, sure, but at what day?
20:47 < phantomcircuit> warren, did you notice the spike to 1000 on mtgox?
20:47 < phantomcircuit> i wonder if that's a coincidence
20:47 < phantomcircuit> or you know... not
20:49 < jgarzik> michagogo|cloud, yes, it is time to update bootstrap torrent. Past time, even.
20:50 < phantomcircuit> http://ia600407.us.archive.org/25/items/gov.uscourts.cand.273355/gov.uscourts.cand.273355.docket.html
20:52 < phantomcircuit> i wonder if pacer has broken recap on purpose
21:10 < phantomcircuit> http://www.archive.org/download/gov.uscourts.cand.273355/gov.uscourts.cand.273355.1.0.pdf
21:10 < phantomcircuit> there we go
21:10 < phantomcircuit> that cost me like $10
21:10 < phantomcircuit> stupid pacer
21:57 < fagmuffinz_> +1 on updating the bootstrap torrent
21:58 < fagmuffinz_> I'm currently catching up my laptop and it's > 10 weeks behind
21:58 < fagmuffinz_> Been several hours now and I'm just 7 weeks behind now
22:01 < gmaxwell> the torrent is just papering over the lack of the headers first patches.
22:16 < maaku> fagmuffinz_: it will take just as long to verify via the bootstrap download
22:16 < maaku> unless you manually set a checkpoint or something
22:18 < phantomcircuit> maaku, actually it's much faster
22:18 < gmaxwell> maaku: fetch is seriously fuxored now..
22:19 < maaku> well i guess it depends on your internet speed :P
22:19 < maaku> i'm behind an ADSL.1 here :(
22:19 < maaku> rural speeds
22:24 < gmaxwell> maaku: right you now you can expect to fetch the same blocks over and over again during sync, doesn't help when you're on adsl. :(
--- Log closed Wed Jan 08 00:00:06 2014
--- Log opened Wed Jan 08 00:00:06 2014
00:21 < michagogo|cloud> jgarzik: do you know which block you'll extend it to?
00:22 < michagogo|cloud> (If so, I can generate the file myself, and be ready to seed when it goes live)
00:33 < gmaxwell> warren: http://peercoin.net/index.php  < click Myth 2.
00:51 < michagogo|cloud> gmaxwell: o_O
00:52 < michagogo|cloud> They were the ones that allow the dev to add new checkpoints at any time without an update to the software, right?
00:52 < BlueMatt> gmaxwell: though that looks ridiculous, it does say they dont enforce checkpoints by default....
00:52 < BlueMatt> michagogo|cloud: yes
00:54 < gmaxwell> BlueMatt: it's not true.
00:54 < BlueMatt> ahh
00:54 < gmaxwell> BlueMatt: the text they're quoting there is about XPM not PPC.
00:54 < BlueMatt> well...thats just ridiculous
00:54 < gmaxwell> BlueMatt: it also says that Bitcoin and Litecoin has "checkpoints" too.
00:54 < BlueMatt> yea
00:54 < BlueMatt> I liked that bit
00:55 < michagogo|cloud> And even if it were true, if part of the network enforced them DNA another part didn't, that means a hardfork
00:55 < michagogo|cloud> and*
00:55 < gmaxwell> The PPC consensus model _requires_ them, not just for fuzzy security reasons, but because you cannot validate PoS without a transaction index containing the stake thats being used on the block... so they only allow coins which have been immobile for >30 days to be used for PoS and then use the checkpoints to make damn sure the network agrees about the state in the past.
00:56 < gmaxwell> I also checked the PPC codebase, they're on, and there appears to be no way to turn them off.
00:57 < warren> gmaxwell: and of course it doesn't matter if it isn't enabled by default, if pools do then the users don't have a choice.
00:58 < michagogo|cloud> Erm, maybe not hard
01:40 < gmaxwell> I wish people would ask better questions: http://www.reddit.com/r/Bitcoin/comments/1uoq6e/what_do_you_guys_think_of_proof_of_stake_mining/cek9fhq
01:42 < home_jg> I wish reddit would not suck so much
01:43 < home_jg> Cardinal example of upvoting/downvoting systems producing herds of fast-moving idiots
01:43 < home_jg> I say this as a near-daily reddit user, of course
01:45 < home_jg> well-informed cautionary answers on brainwallets routinely get downvoted
01:53 < Guest58374> herding idiots
01:53 < Guest58374> i'm going to remember that :)
01:58 < gmaxwell> the upvoted downvotey stuff overweighs superficial opinions. It's fine for cat pictures.
01:58 < gmaxwell> (which is mostly why I browse reddit)
01:58 < gmaxwell> I hardly read any bitcoin or technology things at all, mostly just funny pictures of animals.
02:00 < Taek42> I'm not sure that it's a symptom of upvotes and downvotes so much as Reddit being a general audience
02:01 < maaku> people are stupid
02:01 < gmaxwell> Taek42: nah, normally the general audience doesn't have their hands firmly placed on the steering wheel.
02:01 < maaku> it boggles my mind that when you have a crowd of them, wisdom is supposed to emerge
02:01 < gmaxwell> lol
02:01 < Taek42> democracy!
02:02 < gmaxwell> to be fair even the crappy "Wisdom of the crowds" book said that wasn't actually so.
02:04 < Taek42> I've often wondered what would happen if voting had a cost to it, and you could pick the power of your vote by adjusting the cost
02:04 < maaku> never actually read it. was the thesis that you need proper incentives?
02:07 < michagogo|cloud> Taek42: a monetary cost, you mean?
02:08 < Taek42> well, some sort of currency that could be swapped for real currency
02:08 < maaku> citizen cost a la starship troopers?
02:08 < Taek42> dogecoin, perhaps
02:08 < gmaxwell> voting already has a substantial cost in terms of time/trouble.
02:08 < Taek42> on reddit, the first vote is pretty costly
02:08 < Taek42> seeing as you have to log in, and maybe create an account
02:08 < Taek42> but the rest are painless
02:09 < michagogo|cloud> Or creddits
02:09 < Taek42> I imagine though that it wouldn't actually be that different even if there were a monetary cost to each vote (or a karma cost)
02:10 < Taek42> The problem being that the average person could have as much authority/power as the expert
02:10 < michagogo|cloud> I seem to recall there was some site like that
02:10 < michagogo|cloud> Where you spend reputation points to vote
02:11 < phantomcircuit> gmaxwell, is there still a penalty for p2pool?
02:11 < phantomcircuit> iirc there used to be a substantial orphan rate
02:11 < phantomcircuit> also @anybodyelse
02:12 < gmaxwell> phantomcircuit: it has the lowest orphan rate of any pool as far as I can tell.
02:12 < phantomcircuit> what's its current orphan rate?
02:13 < gmaxwell> there have been two this year.
02:14 < gmaxwell> 0.12% in my data. (eligius, by comparison, has been ~1%)
02:14 < phantomcircuit> that's interesting
02:14 < gmaxwell> phantomcircuit: p2pool changed a couple years ago to a model where nodes pre-forwarded transaction data to their peers. So when one finds a block it just has to send the list of transactions that were actually in it.
02:15 < Taek42> theoretical problem: suppose every miner picks the maximum-payout pool. Wouldn't every miner end up picking the same pool?
02:15 < gmaxwell> it will also mine a transactionless block in brief windows when the local bitcoind is lagging but p2pool peers have produced shares against a further along chain.
02:15 < phantomcircuit> any idea why the orphan rate would be lower than eligius?
02:16 < gmaxwell> phantomcircuit: because it has an enormous network connectivity advantage.
02:16 < phantomcircuit> it might also have to do with what kind of hardware is connected to p2pool
02:16 < phantomcircuit> some of them have uh
02:17 < phantomcircuit> interesting ideas of what stale means
02:17 < gmaxwell> p2pool blocks end up being concurrently announced by a dozen peers in the first 30ms after finding a block... hundreds within 400ms.
02:18 < gmaxwell> phantomcircuit: maybe, p2pool directs miners to return "stale" shares.
02:18 < gmaxwell> in any case, if some miner is overly aggressive in what it's discarding, it's not getting paid for that portion of its work.
03:51 < gmaxwell> I think bitcoin is becoming the new DHT. :(
03:52 < wumpus> yo, slap a blockchain on it
03:53 < roidster> COULUD STAND FOR HEMROID
03:53 < roidster> could* pardon the caps
03:55 < BlueMatt> gmaxwell: I think we've known that was gonna happen for a while
03:55 < BlueMatt>  /has been happening for a while
03:55 < wumpus> well yes bitcoin is the new idea of the day, so now we're in the [try_with_new_idea(x) for x in old ideas] phase
03:56 < wumpus> and you get nonsensical ideas, like in the internet boom.... just like your old pet shop, but online!
04:06 < gmaxwell> a miracle happened on reddit today
04:07 < gmaxwell> someone mentioned my name in a ppc thread, which is what brought my attention to those claims on that website.
04:07 < gmaxwell> I refuted them with citations to source code.
04:07 < warren> URL?
04:07 < warren> (reddit thread)
04:08 < gmaxwell> http://www.reddit.com/r/Bitcoin/comments/1uoq6e/what_do_you_guys_think_of_proof_of_stake_mining/cek7vbc
04:08 < gmaxwell> and someone argued with me... and then actually accepted my counter arguments. and I'm not being voted down!
04:14 < sipa> i've been explaining the problem with PoS a few times now at the zurich bitcoin meetups
04:14 < sipa> people do seem to understand it
04:18 < gmaxwell> it makes me sad, I really wish it worked.
04:19 < justanotheruser> What are the potential problems of associating namecoin registration price with transaction fee sum?
04:19 < gmaxwell> what is a "transaction fee sum"?
16:50 < adam3us> maaku: i mentioned last few days that i think multiple smaller blocks are statistically harder to 51% attack because p^12 << p^6 eg (if you have p=10% or whatever) and to do an n-confirmation attack you need a chain n blocks long, and so if block interval is lower, then you can get more security per time-interval (eg within 30mins say)
16:51 < maaku> adam3us: SPV nodes must download headers + merkle path + coinbase tx for every block. that alone is a large but manageable cost already
16:52 < maaku> plus they must perform a boom or prefix query for the contents of each block
16:52  * sipa likes boom queries
16:54 < adam3us> adam3us: so actually i think shorter block intervals allow more short confirmations (in a given time interval) and so are more secure, per elapsed time, and or allow faster confirmation to a given assurance level
16:54 < sipa> adam3us: depends on whether your attack model is about someone buying hash power, or buying hashes
16:54 < adam3us> maaku: (i know that was refuted in terms of "litecoin more secure than bitcoin" but i am not saying 6-conf on each I am saying 24-conf on 2.5min block interval is more secure than 6-conf on 10min block interval)
16:54 < sipa> i think
16:55 < maaku> adam3us: yes, but how often are those few minutes really worth it?
16:55 < adam3us> maaku: (sorry meant "ltc faster..." not "ltc securer" as people said yes but weaker so not usefully faster)
16:56 < maaku> vs increasing bandwidth requirements for spv nodes by an order of magnitude - especially when these users are often on data-capped mobile plans
16:56 < adam3us> maaku: spv min feed bloat is bad, yes.
16:57 < justanotheruser> Any idea how much of ghash is cloud mining?
16:57 < adam3us> sipa: there would be less electricity used, and smaller reward interval, so if they were bought yes they would be economically weaker. alternatively in terms of you own some hash power then statistically stronger
16:58 < maaku> adam3us: actually it is generally true that you should compare confirmations, not work done
16:58 < maaku> at least in standard bitcoin
16:58 < maaku> and so long as you're not approaching bandwidth/latency limits
16:59 < adam3us> maaku: yes that was in regards sipas comment "depends on whether your attack model is about someone buying hash power, or buying hashes"
16:59 < sipa> maaku: i've suggested using (total_work_at_tip - total_work_at_inclusion)/current_difficulty as measure for confirmations
16:59 < sipa> "PoW equivalent time"
17:00 < adam3us> maaku: you can't determine work done really.  luck.  if you meant that in a strict sense
17:00 < michagogo|cloud> ;;later tell andytoshi Heh, your cj client is impossible to use on unencrypted wallets
17:00 < gribble> The operation succeeded.
17:01 < sipa> unfortunately, the current PoW-equivalent confirmation time of the genesis block is around 50 days
17:01 < adam3us> maaku: maybe you meant compare ltc 6-conf to btc 6-conf (rather than compare ltc 24 to btc 6)
17:03 < adam3us> sipa: yes that's a fun fact, nice stat feels weak intuitively, but still it's a long way from a rogue network subset going off and rewriting history.
17:03 < maaku> michagogo|cloud: why?
17:03 < michagogo|cloud> Because it assumes there's a passphrase
17:04 < maaku> michagogo|cloud: ah
17:04 < adam3us> sipa: the formula is nice for long confirmations separated by difficulty adjustments
17:04 < michagogo|cloud> maaku: http://imgur.com/4RYgCpJ
17:04 < maaku> adam3us: i'm saying ltc 6-conf is equal to btc 6-conf in realistic attack scenarios
17:05 < maaku> e.g. a pool trying to win money from a zero-conf service
17:06 < maaku> if the question is "what's the probability of my fraud chain pulling ahead?" interblock time doesn't factor into that
17:06 < sipa> adam3us: http://bitcoin.sipa.be/powdays-50k.png
17:06 < adam3us> sipa: yeah i know, i saw it, very nice :)
17:09 < maaku> sipa: it's an interesting measure, but it doesn't really factor into real attack analysis now does it?
17:10 < maaku> i should say, it's relevant if you can actually pull off a 51% attack
17:11 < maaku> otherwise you know you're going to lose in the long run so the question becomes likelihood of success, which depends on # confirmations, not pow days
17:11 < gmaxwell> maaku: so modifying your statement, "foocoin with 1ns blocks 6-conf is equal to btc 6-conf in realistic attack scenarios"
17:15 < adam3us> gmaxwell: i think sipa had it better, shorter interval = lower reward loss/lower PoW cycles; but same probability
17:15 < maaku> [13:58:25] <maaku> and so long as you're not approaching bandwidth/latency limits
17:16 < adam3us> maaku: exactly.
17:18 < adam3us> maaku: actually i suppose the probability of pulling off a 51% attack per time interval is higher, because there are more block intervals per time period (more attacks to run)
17:19 < adam3us> maaku: eg with lite coin i get 4 tries per hour, with bitcoin i get 1 (other params than block interval being equal, same total reward aggregate etc)
17:21 < maaku> adam3us: yes, but if you're trying every block then your costs similarly increase
17:21 < maaku> and the payoff remains the same, if measured as expected gain/loss per block
17:22 < gmaxwell> maaku: ignoring the fact that orphaning causes increased hashpower dilution
17:22 < gmaxwell> thats why I gave the 1ns example.
17:22 < adam3us> maaku: so probability of being able to double spend goes from p^6 to 1-(1-p^6)^4
17:23 < adam3us> maaku: eg 25% hash power from .024% to .098%
17:24 < adam3us> maaku: your costs are the same i think .. no reward for 1hr period presuming same reward distribution per hour
17:24 < maaku> adam3us: the costs are whatever you're trying to double-spend, not the reward per se
17:25 < maaku> adam3us: also there's a reason I said "assuming standard bitcoin"
17:25 < adam3us> maaku: thats a (misgotten) profit not a cost?
17:25 < maaku> if you assume GHOST, then it actually makes the double-spend harder to pull off
17:25 < adam3us> maaku: (assuming something liquid with low commission to trade against with your fraud, like say ltc/btc or whatever)
17:25 < maaku> because the honest chain has stales the fraud chain does not
17:26 < maaku> and if you assume fractional proof of works are distributed it gets worse for the attacker
17:27 < maaku> adam3us: you will never find zero commission, zero spread
17:29 < adam3us> maaku: agreed the commission & spread is the additional cost
17:33 < adam3us> maaku: there seem to be faster params that are more secure against double spend.  so like 8x 2.5min blocks less chance of double spend per hour, and less chance per try and shorter confirmation (than 6x10min)
17:35 < adam3us> maaku: p^6=.024%, p^8=.0015%, 1-(1-p^6)^4=.098%, 1-(1-p^8)^3=.0046%
17:42 < adam3us> maaku: but as u said the spv cost for more blocks is a problem with ghost.  they even mention 1 second interval.  surely that would lead to quite strong advantages for cloud hosted mining
18:09 < andytoshi> michagogo|cloud: that's correct, i am mulling over supporting unencrypted wallets
18:09 < andytoshi> michagogo|cloud: i just put a passphrase on my testnet wallet, which was annoying..
--- Log closed Sun Jan 19 00:00:43 2014
--- Log opened Sun Jan 19 00:00:43 2014
05:23 < adam3us> petertodd: your time-lock stego for msc non payment msgs, why not make keys available, then time-lock decrypt is just a reactive fail-safe plan in event of blocking, the fast/normal path would be to reveal keys via msc only sub-net, or even reveal of previous keys (in a committed tx like way) with later msgs.  consensus is preserved, speed & cpu efficiency is improved
05:23 < adam3us> petertodd: (not that i think stego spamming btc network is a good idea, just because of the interesting theoretical question:)
11:57 < tacotime_> Hey guys.  I'm going on stealth transactions right now and I'm trying to wrap my head around them.  To fully anonymize, do you also need another protocol on top of it like coinjoin to anonymize inputs and outputs?
11:57 < tacotime_> *on=over
11:59 < sipa> tacotime_: don't confuse privacy with anonymity
12:00 < sipa> bitcoin doesn't provide anonymity at all, and neither stealth addresses nor coinjoin help with that
12:00 < sipa> both do improve privacy though, and in different ways
12:00 < tacotime_> Okay.
12:00 < sipa> but apart from that, yes, you likely want both
12:01 < sipa> stealth addresses help prevent address reuse - you could do it without stealth addresses too
12:02 < orperelman> I agree with Sipa, on that - bitcoin doesn't provide anonymity
12:05 < tacotime_> Does it require a hardfork to implement (is the stealth address itself published to the blockchain)?  I understand the generation of a secret and secret sharing to generate a private key for the receiver to spend the funds at the sender's public address, but I'm fuzzy on the way things go on in the actual blockchain for this.
12:07 < sipa> stealth addresses don't require any change to the protocol
12:09 < tacotime_> OK
12:17 < tacotime_> The payee's address never actually receives inputs under this system, but is just used to generate addresses for a payer to send to?
12:19  * nsh wonders...
12:21 < nsh> could a payer and a payee use some kind of asymmetric diffie-hellman exchange to arrive at a payment address with the payee having enough information to construct the corresponding private key...
12:22 < tacotime_> (or, I guess, the address corresponding to the pubkey Q)
12:25 < tacotime_> Oh, OP_RETURN is used to publish the pubkey to the blockchain.  And you can't associate these with any given payments because they have no outputs other than fees.
12:27 < tacotime_> The reddit ELI5 is really helpful for this, heh.
12:35 < tacotime_> Neat.  Is OP_RETURN used very much at the moment?
12:39  * andytoshi-logbot is logging
02:07 < warren> Diablo-D3: those are the tracebacks I'm seeing, the nonce is an odd-length or some other problem
02:07 < warren> it crashes on two different lines
02:07 < Diablo-D3> warren: yeah, but I dont know where the hell the commit went
02:07 < Diablo-D3> I swear I saw it in #p2pool on the commit bot
02:08 < warren> uh....
02:08 < Diablo-D3> maybe I was seeing things
02:08 < warren> Diablo-D3: some other scrypt coin fork run by Balthazar apparently has a forked p2pool which disables stratum for this reason
02:08 < Diablo-D3> yeah, I can see why he'd do that
02:10 < Diablo-D3> gmaxwell: so wait
02:10 < Diablo-D3> gmaxwell: your way
02:10 < Diablo-D3> I send the share header in clear text
02:10 < warren> p2pool/bitcoin/stratum.py:
02:10 < warren>         coinb_nonce = extranonce2.decode('hex')
02:10 < warren>         assert len(coinb_nonce) == self.wb.COINBASE_NONCE_LENGTH
02:10 < warren> it crashes on either of these lines
02:11 < Diablo-D3> gmaxwell: and then I send the share body as reed solomon codes?
02:11 < Diablo-D3> gmaxwell: so remote peers can reconstruct the body without all the codes?
02:12 < Diablo-D3> gmaxwell: well, reed solomon as an erasure code
02:12 <@gmaxwell> Diablo-D3: the idea is that you get X share chunks from X peers and can reconstruct X shares. .. without the risk that two peers sent you the same thing.
02:13 < Diablo-D3> gmaxwell: yeah, but you dont need X shares for X peers
02:13 < Diablo-D3> with a proper erasure code setup you can do, say, X-1 blocks from X-1 peers
02:13 < Diablo-D3> and reconstruct the missing one
02:14 <@gmaxwell> Diablo-D3: forget x-1.
02:14 < Diablo-D3> and if you dont get enough to reconstruct you select random low latency peers "I have 1, 2, 3, , n, randomly send me one I dont have"
02:14 < Diablo-D3> gmaxwell: well, if this was DiabloPool, it'd be over UDP
02:14 <@gmaxwell> For an N,M code you can get any N out of M syndromes and recover N shares.
02:14 < Diablo-D3> gmaxwell: oh, you're doing it that way
02:14 < Diablo-D3> I was doing it for the share body
02:15 <@gmaxwell> forget the body, we're latency not throughput limited.
02:15 < Diablo-D3> no, if we were throughput limited I'd be throwing lz4 on top of this
02:15 < Diablo-D3> or full scale gzip
02:16 < jrmithdobbs> gmaxwell: i thought you were trolling me, this is really where the interesting conversation from -dev went ;p
02:17 < Diablo-D3> gmaxwell: wait, is M less than N? or more than?
02:17 < jrmithdobbs> M *of* N
02:17 < jrmithdobbs> so <=
02:18 < Diablo-D3> ahh kay
02:18 < jrmithdobbs> err wait, actually i'm confused which you were using for which in that sentence too
02:18 < jrmithdobbs> gmaxwell: ^
02:18 < Diablo-D3> oh heh
02:18 < Diablo-D3> [02:14:41] <gmaxwell> For an N,M code you can get any N out of M syndromes and recover N shares.
02:18 < Diablo-D3> I assume M is > N
02:19 < Diablo-D3> well >=
02:20 < jrmithdobbs> n >= m, it's n of m, so n shares to combine, m total shares in existence
02:20 < jrmithdobbs> err n <= m
02:21 < jrmithdobbs> damn it
02:21 < Diablo-D3> so I was right
02:21 < jrmithdobbs> yes, i'm dyslexic tonight apparently
02:21 < Diablo-D3> happens
02:21 < jrmithdobbs> i hate m/n x/y etc naming in this crap :P
02:21 < jrmithdobbs> i/j is the worst
02:22 < Diablo-D3> yeah so do I
02:22 < Diablo-D3> heh i
02:22 < warren> Diablo-D3: if you do find that patch it would be very appreciated.  I haven't seen anything like it anywhere.
02:22 < Diablo-D3> the only time I use i as a variable in code
02:22 < jrmithdobbs> i&j actually kind of anger me when i see them outside of very very simple loop counters ;p
02:22 < Diablo-D3> is if its an obvious foreach loop
02:22 < Diablo-D3> I dont even like using j
02:22 < jrmithdobbs> ya either/or in isolation is fine
02:22 < jrmithdobbs> but both at once is just NO
02:22 < Diablo-D3> because if I use j, I almost invariably have to rename j to k
02:23 < Diablo-D3> because I have to insert a loop between i and k
02:23 < Diablo-D3> happens every fucking time
02:23 < Diablo-D3> and then, of course
02:23 < Diablo-D3> I always miss one
02:23 < Diablo-D3> and then wonder why my code isnt working for ten minutes
02:23 < warren> Although I didn't quit p2pool because of the tracebacks, I think the tracebacks are only on pseudoshares that are invalid, so you're not losing anything.
02:23 < jrmithdobbs> and you can't :%s///g because that will end in hilarity
02:24 < jrmithdobbs> that's the worst part ;p
02:24 < jrmithdobbs> and yet, EVERYONE KEEPS DOING IT
02:24 < Diablo-D3> jrmithdobbs: and on my vim, for some reason
02:24 < Diablo-D3> g isnt g
02:25 < jrmithdobbs> seriously, this should be day one of hs/undergrad cs classes (because the formally "educated" seem worst about it;p)
02:25 < Diablo-D3> it doesnt replace every occurrence on each line
02:25 < Diablo-D3> and I havent been assed to figure out why
02:25 < jrmithdobbs> 'IF YOU EVER THINK YOU SHOULD USE A ONE LETTER VARIABLE NAME YOU ARE WRONG AND WILL FAIL THIS AND ALL FUTURE CS CLASSES!'
02:25 < jrmithdobbs> and enforce it as part of the code of conduct
02:25 < Diablo-D3> but yeah
02:25 < Diablo-D3> i only exists for obvious foreach loops
02:25 < jrmithdobbs> for the love of god
02:25 < Diablo-D3> jrmithdobbs: hell, people dont even realize they can do linked list shit with for
02:26 < jrmithdobbs> i'd be willing to give up i for that use to get rid of the rest of it!
02:26 < jrmithdobbs> ;p
02:26 < jrmithdobbs> i shall henceforth be called iterator
02:26 < jrmithdobbs> DONE
02:27 < jrmithdobbs> that's how it reads anyways.
02:27 < Diablo-D3> for(your_struct **head = &your_head; *head; *head; **head = (*head)>next) or some shit like that
02:27 < jrmithdobbs> (should*)
02:27 < Diablo-D3> er, ignore the doubled middle arg there
02:29 < jrmithdobbs> Diablo-D3: dude things like size_t end=strlen(input)+1;/*horrible*/for(src=&input,end=src+end;src<end;src++) ; are enough to confuse most people =/
02:29 < Diablo-D3> well, mainly because of your lack of whitespace
02:29 < jrmithdobbs> no even with the whitespace
02:30 < Diablo-D3> er, +1? you sure about that?
02:30 < Diablo-D3> why do you want to see the end null?
02:30 < jrmithdobbs> positive
02:30 < jrmithdobbs> because i'm copying it
02:30 < Diablo-D3> because if you're just copying it use memcpy
02:30 < jrmithdobbs> also, such a construct is obv not useful on anything you can run strlen on in the first place
02:30 < Diablo-D3> then you get the wide copy enhanced versions
02:30 < Diablo-D3> OR
02:31 < Diablo-D3> if you're doing it for read only
02:31 < jrmithdobbs> the strlen was just for illustration
02:31 < jrmithdobbs> ;p
02:31 < Diablo-D3> just make another pointer jumped into the string
02:31 < Diablo-D3> jrmithdobbs: you know whats interesting?
02:31 < Diablo-D3> strlen can be done extremely fast
02:31 < Diablo-D3> you can check 8 bytes at a time to see if any of them have a zero byte nearly for free
02:31 < jrmithdobbs> sure but any data you'd want a loop like that for is most likely not a null terminated string
02:32 < jrmithdobbs> because if it was, you already have super highly optimized libc routines to do 99% of what you need to with it ;p
02:32 < Diablo-D3> yeah
02:32 < jrmithdobbs> (assuming your platform doesn't suck)
02:32 < Diablo-D3> I cant think of a good example where that makes sense
02:33 < jrmithdobbs> also i never said it was useful, i just said simple loop constructions like that confuse people, of course trying to do linked list traversal in your control variables is going to confuse people
02:33 < jrmithdobbs> that was my point :)
02:33 < Diablo-D3> well, it confuses me to as why anyone would write that
02:33 < Diablo-D3> if I was syntax parsing, thats not what I'd use
02:34 < jrmithdobbs> it confuses me as to why anyone would traverse a linked list like you showed too
02:34 < jrmithdobbs> heh
02:34 < jrmithdobbs> Diablo-D3: anyways, it's useful for things like inplace byte string reversal
02:35 < Diablo-D3> jrmithdobbs: here
02:35 < Diablo-D3> http://wordaligned.org/articles/two-star-programming
02:35 < Diablo-D3> this is why.
02:35 < jrmithdobbs> (if you pretend you live in a world without SIMD and/or need portability)
02:35 < Diablo-D3> Ive known about the trick for years, but thats a good explanation why
02:35 < Diablo-D3> jrmithdobbs: heh, if it was bit reversal
02:36 < Diablo-D3> that can be done quickly
02:39 < jrmithdobbs> err, what he's talking about doesn't have to do with the silly-ish loop usage necessarily ... but when you put it in context of deletes i see what you were originally getting at
02:45 < warren> Diablo-D3: The hash > target and tracebacks bug happens in p2pool BTC, but it is so rare that you almost never see it.  A month of p2pool BTC here and I saw it only once.
02:49 < Diablo-D3> warren: I have several months of logs
02:49 < Diablo-D3> its not on mine
02:49 < Diablo-D3> jrmithdobbs: I dunno, I think doing it linus's way is more elegant
02:50 < jrmithdobbs> ya but that's not the thing you said, the loop in that article makes sense ;p
03:08 < Diablo-D3> yeah I think I fucked that one up
03:08 < Diablo-D3> I wasnt doing the if on the next though
03:12 < jrmithdobbs> ya i see what you were getting at now :)
03:59 < jgarzik> On legality of IRC micropayment bots: https://bitcointalk.org/index.php?topic=154754.msg1640873#msg1640873
03:59 < jgarzik> I still think he's overly optimistic
04:00 < jgarzik> but maybe that just means I'm overly pessimistic :)
04:00 < petertodd> Heh, who knows really.
04:00 < petertodd> I still wouldn't run one myself.
04:02 < petertodd> Has FinCEN said anything about more general logging requirements? Chaum tokens are an obvious counter-example... Transaction limits are pretty much meaningless when identities are cheap and you can just do thousands of transactions instead of one.
14:11 < michagogo|cloud> phantomcircuit: 3.6(b), you mean?
14:11 < TD> july
14:11 < TD> it's in the complaint
14:11 < shesek> some people are also accusing him of stealing money - http://bitinstant.info/
14:12 < phantomcircuit> michagogo|cloud, 3.6(b) defines how a member can be terminated, 5.16(b) defines how a founding member can be terminated
14:12 < phantomcircuit> shrem is a founding member
14:12 < TD> i looked at the SR forums once, a long time ago. it was full of threads complaining about bitinstant's AML policies. i figured charlie had finally wised up.
14:12 < TD> guess not
14:12 < michagogo|cloud> 3.6(b) is what defines founding members' special rights, afaict
14:12 < maaku> phantomcircuit: charges are pretty damning and not defending shrem at all ... but innocent until proven guilty is a pretty important part of due process
14:13 < shesek> so if I understand this correctly, until (and if) he's convicted, and unless he resigns, he remains a foundation member and part of the board
14:13 < phantomcircuit> maaku, sure, but the foundation is not the government, charlie has no right to be assumed innocent by a private party
14:13 < maaku> maybe there's some sort of way his duties as director can be suspended
14:13 < phantomcircuit> especially when he is so clearly guilty as all hell
14:13 < phantomcircuit> shesek, that's correct
14:14 < TD> there's a 2/3rd vote that could also remove him
14:14 < sipa> gmaxwell: and how long has that bitinstant.info thing been going on?
14:14 < michagogo|cloud> Hrm
14:14 < shesek> 3.6b - Except for the Founding Members who shall only be removed for cause (per the requirements detailed in Section 5.16(b)) ... 5.16b: (i) declared of unsound mind by a final order of court; (ii) convicted of a felony; or (iii) found by a final order or judgment to have breached any duty arising under these Bylaws,
14:14 < michagogo|cloud> I haven't read the whole thing, but it looks like he can be removed as director under 5.16(c)
14:14 < shesek> right
14:14 < _ingsoc> sipa: First time I heard of it. :/
14:14 < sipa> _ingsoc: same
14:14 < michagogo|cloud> All that requires cause is removal of his membership entirely
14:15 < phantomcircuit> TD, you're right 5.16(c)
14:15 < shesek> michagogo|cloud, not as a founding member, it seems
14:15 < phantomcircuit> TD, except looking at the sitting members of the board you're not going to get that
14:15 < maaku> sipa: since about the time bitinstant shut down, I forget when that was
14:15 < michagogo|cloud> shesek: From those two sections, I think it's only his membership that's protected as a founding member
14:15 < michagogo|cloud> Not his directorship
14:15 < phantomcircuit> michagogo|cloud, there isn't a way to remove him as a director without stripping his membership afaict
14:16 < michagogo|cloud> Isn't there?
14:16 < TD> sipa: that site is itself kind of dodgy looking.
14:16 < sipa> TD: no doubt about that
14:16 < michagogo|cloud> What about 5.16(c)?
14:16 < sipa> i just never knew there was any problem with bitinstant or people complaining about it :)
14:16 < sipa> but i clearly missed some things :)
14:16 < michagogo|cloud> Or is there something saying that removing a director necessarily removes their membership?
14:16 < TD> i knew they had an issue supplying people during the april spike and that triggered a class action lawsuit. this sounds different
14:17 < shesek> I bumped into that .info site for the first time today, too
14:17 < shesek> I have no idea who's behind that and if they have anything to back that up, was just pointing out he's accused by some people
14:18 < phantomcircuit> TD, they have bigger problems than that
14:18 < TD> clearly!
14:19 < phantomcircuit> TD, well...
14:19 < phantomcircuit> i believe bitinstant actually lost a good amount of their records
14:19 < phantomcircuit> as in they failed to deliver because they didn't know who purchased what
14:19 < michagogo|cloud> It would seem to me, from sections 3.6 and 5.16, that while his membership can't be terminated without cause, he can be removed as a director
14:19 < TD> at this point i'd believe anything about them
14:19 < michagogo|cloud> (unless there's a part saying that removing a director terminates their membership...)
14:19 < phantomcircuit> michagogo|cloud, except getting 2/3rds of the board to agree isn't something i expect to happen
14:19 < michagogo|cloud> Ah.
14:20 < jgarzik> "my night out with bitcoin millionaire and proud stoner Charlie Shrem"  http://www.vocativ.com/12-2013/night-bitcoin-millionaire-proud-stoner-charlie-shrem/
14:20 < midnightmagic> michagogo|cloud: Only if he's convicted.
14:20 < jgarzik> Profile pieces like that can't help.
14:20 < michagogo|cloud> midnightmagic: no
14:20 < michagogo|cloud> midnightmagic: If he were convicted, his membership could be terminated
14:20 < midnightmagic> Ah (c)
14:20 < michagogo|cloud> But without a co-yes
14:20 < TD> and banned in russia too? crappy day for bitcoin indeed
14:21 < midnightmagic> Simple majority required for cause.  2/3 for without cause.
14:21 < phantomcircuit> russia is bipolar about regulation
14:21 < phantomcircuit> tomorrow they'll change their mind entirely
14:21 < TD> seems like it's the usual thing where different parts of government can't agree
14:21 < phantomcircuit> midnightmagic, you'll notice a felony conviction doesn't automatically eject them
14:21 < phantomcircuit> this is because roger ver is a felon
14:22 < TD> i would assume it'd be easy to distinguish between "convicted whilst being a member" and "convicted before being a member"
14:22 < TD> anyway. home time.
14:26 < midnightmagic> lol
14:26  * michagogo|cloud cringes at the away nick
14:26 < midnightmagic> phantomcircuit: Yeah I remember we had that conversation before and thinking it was odd but I suppose not unexpected.
14:27 < maaku> :sigh: is it really so hard to run an honest bitcoin business?
14:27 < maaku> /honest/law-abiding/
14:28 < gmaxwell> it's probably very hard or nearly impossible to be pedantically law abiding for many classes of business.
14:28 < midnightmagic> maaku: The attraction is very very strong to psychopaths and sociopaths. It's not hard. It's just easier for someone who literally can't anticipate, or is completely unaffected by, consequences for actions
14:28 < midnightmagic> ..  to choose to conduct themselves unethically.
14:28 < gmaxwell> So you have this cooling effect where people who are both smart enough and interested enough in being law abiding run for the hills. What remains is overly dense with people who are stupid or sleazy.
14:29 < midnightmagic> and what gmaxwell said
14:29 < midnightmagic> maaku: The cool part is honest people are pretty good at recognising other honest people, and especially non-psychopaths.
14:30 < midnightmagic> s/honest/honest\/smart/
14:30 < midnightmagic> :)
14:30 < gmaxwell> Back in early 2011 I got pulled in to technically consult with some people looking at running an exchange in the US and basically they concluded that the regulatory uncertainty was so great, esp with the possibility of criminal charges even if you thought you were doing everything right, that no amount of potential upside would make it make sense.
14:30 < jgarzik> yep
14:30 < jgarzik> I concluded same, independently ;p
14:31  * midnightmagic is glad to live in Canada, not for the first time
14:31  * jgarzik wanted to do an exchange in late 2010, but research proved 'hell no'
14:32 < phantomcircuit> gmaxwell, the principal issue is that it's difficult to operate a legitimate business if your competition are not compliant
14:32 < phantomcircuit> their costs are temporarily below yours
14:32 < _ingsoc> jgarzik: Smart man.
14:33 < jgarzik> phantomcircuit, indeed
14:33 < phantomcircuit> gmaxwell, operating an exchange in the us isn't impossible, just wildly expensive
14:33 < sipa> this is not really a wizards discussion, though...
14:33 < midnightmagic> sometimes wizards' non-technical analyses or research is a quick way to disseminate myth-free facts.
14:34 < midnightmagic> just.. wanted to say I appreciate the links and quick refreshers on bitinstant history.
14:35 < jgarzik> sipa, agreed, though I think it's OK on rare days, when it's not drowning out other discussion
14:36 < jgarzik> days like when bitcoin is almost-banned in Russia and Shrem is arrested, for instance ;p
14:36 < sipa> well, i'm not innocent in keeping the discussion alive either
14:36 < sipa> but i like the rule of keeping this channel about non-actual-today-bitcoin stuff
14:37 < gmaxwell> sadly I don't think I can extract any real wizards discussion from this.
14:39 < optimator> sobering read - http://www.scribd.com/doc/202555785/United-States-vs-Charles-Shrem-and-Robert-M-Faiella
14:41  * midnightmagic 's optimism gets strangled in its crib
14:41 < jgarzik> sipa, part of the "problem" is that the conversation is really people-centered, not topic-centered.  #bitcoin-dev-chatter-but-without-the-assholes.
14:41 < michagogo|cloud> optimator: Is that document identical to http://www.scribd.com/doc/202572639/Faiella-Robert-M-and-Charlie-Shrem-Complaint?
14:41 < jgarzik> thus it appears wherever we are ;p
14:41 < michagogo|cloud> (appears to be)
14:43 < optimator> michagogo|cloud - i think so, it's just the link i had
15:38 < adam3us1> ooh policy-wizards :)  shrem = crazy guy, doing seemingly self-sabotaging actions if the accusations are correct.
15:46 < petertodd> adam3us1: overhearing him talking with a group while prepping my talk in the speakers room at the san jose conference convinced me the dude was a bit unbalanced to say the least
15:47 < petertodd> bbl
16:36 < jtimon> has anyone looked into twister?
16:37 < jtimon> seems interesting http://twister.net.co/
He proposed 20 MB, with no exponential increase. Again, no agreement, no counter proposal, no willingness to compromise, despite all indications that the community at large wants to do a hard fork.

Gavin suggested that perhaps we could do 8 MB. Again, no counter proposal, no compromise.

Look, the developers owe the community nothing. They're working for free, making free software that makes Bitcoin, and by extension, the world, better. However, the community also has a right to move from their consensus if it deems it sub-optimal. Hopefully it won't come to that, and cooler heads will prevail, and reach some kind of mutually acceptable consensus.

awemany 6 points 17 hours ago

    Gavin suggested that perhaps we could do 8 MB. Again, no counter proposal, no compromise.

That's the point. Consensus isn't reached when one party (the blocksize limiters) vetoes everything.

And they don't even really veto it. They just stay stubborn and let Gavin argue for an increase - and they basically sit there without reacting.

That, IMO, is not constructive behavior at all. That alone makes me think that it is indeed a wise choice of Satoshi to hand Gavin the keys and not Greg. Greg certainly has some very deep, technical knowledge and great ideas - but lacks the overall high-level perspective and foresight that Gavin has. Because he was on this blocksize increase issue for years, and given the contention here, he was obviously right in planning it and pushing it forward now.

whitslack 5 points 1 day ago

    If any of the core devs wants to make a hard-fork change that can't gain consensus, he should indeed make a new coin.

That's exactly what happens at any hard fork, consensus or no. The only question is which of the two coins (old or new) will ultimately win the battle for market share. I personally will refrain from betting, by running both clients and demanding that anyone paying me a large sum pay me in both block chains.

Noosterdam 6 points 22 hours ago

    ruled by consensus, not by dictatorship.

Open source means you always can have consensus if you value it over all else. There is no actual dictatorship, except in the quite trivial sense that each maintainer is the dictator of their own fork. No one is in control. Gavin can't dictate that the coin issuance increase to 22M coins, for example. If he does, he's suddenly the dictator of an unused fork. No actual people are being controlled in any way. Everyone is free to do anything they want. The users will gravitate toward whoever is creating the most value at any given time.

exo762 5 points 13 hours ago

/r/bitcoin members have been repeating the words "decentralized" and "consensus", which both mean very specific things, in so many contexts that they have pretty much lost their meaning.

Consensus is achieved while solving the Byzantine generals problem by miners. It's a consensus between machines and it's about transactions. It's not a consensus between people or between developers.

Decentralization. Same thing - no way to censor or block transactions, to limit one's access to the network, to shut down the whole thing by attacking a single point of failure. It's not decentralization of the development process or decision-making process.

Successful projects have leadership. Peter Todd is not a leader, he is at most an advisor. He has knowledge, but he obstructs action by excessive warnings about often obscure dangers, not leading minds forward. This is not how proper engineering is done.

dudemanguysirmister 11 points 1 day ago

Humans have never and will never reach 100% consensus on anything.

Would you say that if Satoshi was still developing the coin? It would be his project and he can do what he wants with it. Gavin was given control of the project and at some point he's going to have to lead. Gavin is not the only developer in favour of the increase.

If everyone is sensible and wants to increase it, then let's increase it. The mechanism is 1 line of code. The timing is within the next year.

lorempsum[S] 3 points 1 day ago

Consensus doesn't necessarily mean 100%. Reaching a broad consensus is possible even if a few developers are against it. The current state of affairs, where everyone other than Gavin and Mike are opposing the change, is VERY FAR from any kind of consensus. If anything, there's a very clear consensus against Gavin's proposal (but not against raising the limit in general).

    Would you say that if Satoshi was still developing the coin?

I would say the exact same thing. If he was in such a clear minority pushing for a change, the change should be rejected. He's not god and shouldn't be trusted blindly. I trust reason and rationality, not people.

    The mechanism is 1 line of code.

The change being simple code-wise does not make it simple. There are many ideological, political and technical challenges there. Changing the total number of coins is also a one line change - do you consider that a "simple" change too?

dudemanguysirmister 11 points 1 day ago*

Last I knew, more than just Mike and Gavin wanted the increase. Furthermore, a large percentage of the community wants it and is being held hostage with solutions that don't exist.

Just because a project is open source doesn't mean we treat every person in the auditorium with an idea as a special snowflake. Look at Linux as an example.

As for the block limit, it's pretty simple actually, it used to be higher and was artificially capped. This isn't some kind of new paradigm shift or technological breakthrough where we aren't sure what will happen. Miners can still relay smaller blocks if they want to. UTXO will fill up some but that's inevitable. The coin limit was never artificially capped and can't be. It is simply not a good comparison.

I actually don't care if Gavin makes Gavincoin. I would use that and sell all my Bitcoin because Bitcoin would serve no purpose any more. Bitcoin with larger blocks will not cease to function and is a more robust payment network, it's closer to reaching its potential. Even lightning devs have said they would need bigger blocks. With Gavincoin, developers could port Lightning to it and all the other Bitcoin addon layers. Bitcoin would then look silly in comparison and the people left behind would have deliberately shot themselves in the foot.

How is Bitcoin going to be the internet of money with 1 MB blocks?

Make it 4 MB then. IDC at this point, it must increase to something.

lorempsum[S] -3 points 1 day ago

    Last I knew, more than just Mike and Gavin wanted the increase.

Nope. It is just Mike and Gavin. The majority of the other core devs want an increase, just not as per Gavin's proposal.

    a large percentage of the community wants it

This should not be a popularity contest. Many in the community want it only because Gavin is pushing for it and because of their vulnerability to "appeal to authority" arguments. This is evident by the shrinking support since the public debate started, compared to when Gavin originally started his push to 20mb blocks.

    This isn't some kind of new paradigm shift or technological breakthrough where we aren't sure what will happen.

It sure is. It would affect the decentralized nature of the network, make the requirements for running a full node higher, exclude many people from running a full node, change the fee-market economics and alter one of the two important scarcities in Bitcoin (the coins limit being the other one).

In addition, and probably most importantly, it alters the decision-making process of Bitcoin development from rule-by-consensus to rule-by-dictatorship, which is the part I find most problematic.

    Miners can still relay smaller blocks if they want to.

There are many problems with that. The blockchain is a public good and is prone to tragedy of the commons issues. One could say the same thing about coin generation - why not let the "free market mining process" determine that too?

    I actually don't care if Gavin makes Gavincoin.

That would be much better than forcing a change down Bitcoin's throat, but also quite problematic for the future of Bitcoin. I would still be completely okay with that (though, imho, Gavin is only playing that Bitcoin-XT card to gather support for a 20MB change in Bitcoin itself; more of a game-theory kind of thing where he makes that threat so that he doesn't have to actually do that).

    How is Bitcoin going to be the internet of money with 1 MB blocks?

I'm totally for a block size increase; just not to 20mb in one quick jump made now.

dudemanguysirmister 6 points 1 day ago*

Blocks aren't consistently full now so it doesn't really change the fee structure all that much.

Blocks also wouldn't magically become 20 MB overnight. They wouldn't become 8 MB overnight.

I don't really care what the number is so long as it's greater than 4 MB, which would make this a very temporary fix. This is all going to look ridiculous in retrospect.

As long as the miners are being subsidized by the block reward the fee-market doesn't matter except for getting included in a full block. The fee market will not matter for a long time. If the limit was increased to 8 MB then we would eventually get back to this same exact scenario and you would be saying the same exact thing.

I agree that Gavin's proposal of forcing it isn't the best idea, but nobody is actually compromising. If you could point to a post where Maxwell et al. say anything greater than 4 MB would be ok then I'd be interested to read that. Last I saw Gavin was trying to get 8 MB, Chinese miners were saying no, and the other devs were silent. The problem with going too low is we'll be back to this same scenario rather quickly.

edit: I want to add that nodes are not a problem. This is like when Peter Todd said he sold x% of his coins because mining centralization was a problem. Look at how wrong he was. I said it at the time on a different account that he would be proven wrong and that it was VERY obvious that he would be. All of us involved in the community know that it is in our best interest to see Bitcoin succeed, whether it's from a purely ideological standpoint or an economic one. I run a full node because I know it's important. I pay for a server in a data center with a huge connection. If the node count dropped drastically and was in danger then I'd run more. It would be stupid of me not to (because of the wealth I have in Bitcoin), and I know a large portion of this community is in it to win it. We aren't going to watch our money evaporate because we can't be hassled to run a few servers. Don't kill the goose that laid the golden egg.

eragmus 4 points 1 day ago

    Last I saw Gavin was trying to get 8 MB, Chinese miners were saying no, and the other devs were silent.

Chinese miners actually said "yes" to that proposal. I agree though that I didn't actually hear any other devs respond to it, beside Luke (props to Luke for participating). Let's get proper discussion on the 8MB/4MB idea. According to Gavin, that compromise would be viable, so this seems like a far better place to start than with 20MB.

laisee 0 points 23 hours ago

Can we simplify the debate to 8MB or No Change? Final offer from all sides. There has been enough talk and, IMHO, Gavin has tried very hard to find a sensible compromise.

8MB or No - what's the answer?

persimmontokyo 2 points 13 hours ago

The Chinese miners who expressed an opinion were good with 10MB. Please don't spread FUD.

awemany 1 point 17 hours ago

Is blocking consensus at all costs itself consensus? I don't think so...

bobbyb500 1 point 1 day ago

I thought it was ruled by the consensus of the miners. It's not a dictatorship when any dev can make any change they want, but it's up to the miners to implement that change. If Gavin makes this change to the block size and the miners consent to that change, shouldn't that be all that it takes?

bit-cash -1 points 17 hours ago

No. The miners don't have any power. The power lies in the hands of people that are willing to purchase the mined coins. So miners will make sure they mine the coins that have the best value, because if they don't they will go bankrupt. And that will be the scalable version, I have zero doubt in that.

mmeijeri 2 points 20 hours ago

Peter Todd is not proposing a fork.

pointjudith 3 points 13 hours ago

Fork him.

aminok 4 points 1 day ago*

It seems like the least bad option if all else fails, but it is indeed a very poor and dangerous option, and should be avoided if at all possible.

eragmus 1 point 1 day ago*

Seems like utter nonsense and incredibly foolish. Gavin is not ruler of Bitcoin and the $3.2 billion of value it represents. Many people made Bitcoin what it is today, and Gavin has a responsibility (if he thinks 'wisdom' and 'humility' are virtues) to aim for consensus and not act rashly. If alarmist fools are "pushing him to be more of a dictator", then he should have the sense to resist that "push" instead of allowing the ignorant/emotional mob to inflate his ego.

The more I hear Gavin's arrogance come out, the more I feel he has lost his mind and needs to step down from his position or forcefully be made to step down. I'm having a hard time believing he is still a good steward of Bitcoin, or that he can responsibly handle a position of power.

Gavin needs to gain a sense of perspective, perhaps by looking at great leaders of the past for his inspiration, e.g. the great Roman emperor, Marcus Aurelius.

    "Marcus Aurelius' Stoic tome Meditations, written in Greek while on campaign between 170 and 180, is still revered as a literary monument to a philosophy of service and duty, describing how to find and preserve equanimity in the midst of conflict by following nature as a source of guidance and inspiration."

BusyBeaverHP 5 points 1 day ago

Gavin isn't the ruler of bitcoin, he's just a man whom Satoshi handed Bitcoin's GitHub keys to before disappearing, therefore Satoshi's will is with Gavin. That isn't to say he is infallible, but the thing is, Gavin has the popular support AND the support of many key players in the space regarding the blocksize increase:

https://www.reddit.com/r/Bitcoin/comments/37y8wm/list_of_bitcoin_services_that_supportoppose/

... On the other side of the blocksize debate, there's GMaxwell.

GMaxwell thinks he's libertarian, but he's extremely tyrannical by the fact that he thinks his beliefs of what is decentralization should be imposed on others for their own good.

An excerpt:

    I believe that a Bitcoin like that would be a failure even if the coins somehow retained high value, because it would be just a reboot of the existing infrastructure, but probably worse-- lacking a design purpose fit for a centralized world, as well as the regulatory history and experience of the traditional systems...

    ...Instead, I believe Bitcoin can be successful as a truly decentralized system which depends on cryptographic proof rather than trust. To get there we have to frankly face the extreme costs of having a decentralized system, and potentially tolerate slower short term adoption...

So Maxwell's got his million dollars from Blockstream's VC rounds, and has leisurely time to mull about theoretical things without running real numbers backing them up, and has no incentive to increase the value of the network in the face of innumerable alt-coins waiting for Bitcoin to fuck up.

Just as the construction of the blockchain is a competition, Bitcoin is a zero-sum contestant in the cryptocurrency space. Having less value while there are many competitors who are faster to adopt whatever slow changes you throw their way plus their own innovation, is asking for death by a thousand cuts.

When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the Alt-coins and powers-that-be will not waste a moment's time to capitalize on it.

Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not impose ill-researched economic decisions on the entire ecosystem? If I was running a company and some engineer was spouting some bullshit like holding off our company's growth (hence increased revenue) in the face of competition, I'd fire him on the spot.

Last but not least. GMaxwell's shining leadership on display:

    If the Bitcoin community wants to go commit suicide, I'm confident that I can sell most of my bitcoins before most of the public has realized things have gone wrong.

aminok 4 points 1 day ago*

GMaxwell has proposed several ways to tackle the hard fork issue, and has always said he's not for a "1 MB block size limit forever". He's entitled to his views on decentralization, and entitled to walk away if the project moves in a direction not congruent to his views. This would be a great loss to the community, and to the future of digital currency, so this should be discouraged if at all possible.

eragmus 0 points 1 day ago

That's where we disagree. I think it should be avoided at all costs, especially since most of the experts are against the increase, including Garzik. Gavin and Hearn are essentially the only core contributors in favor of a massive 20x increase in block size.

conv3rsion 1 point 23 hours ago

in MAXIMUM block size.

It's not massive. It's just not. It's < $50 a year in storage if all blocks were full, total.

eragmus 2 points 23 hours ago

Storage is one factor, but the bigger concern is a 20x increase in bandwidth requirement for nodes. Bandwidth is still very scarce in many parts of the world, including the U.S. (due to the U.S.'s telecom monopolies and horrible competitive landscape for broadband).

conv3rsion 1 point 23 hours ago

20MB blocks require a MAXIMUM of 1 MB/S broadband.

Most of the world is way way past that. In fact, 110 countries have faster AVERAGE broadband than that. Can we at least target something that works almost everywhere in the world?

Source: http://www.netindex.com/download/allcountries/

zeusa1mighty 2 points 22 hours ago

You forget data caps; the speed is irrelevant. It's the total bandwidth usage per month. Upping to 20mb would multiply the data requirements by 20x (assuming all full blocks in both 1mb and 20mb scenarios).

People with reasonable datacaps (I now have 750gb/month) may not be able to keep a full node running on their ISP.

i_wolf 1 point 17 hours ago

20mb requires only 170gb per month. If we'll see an actual 50x spike in demand then there will be plenty of new full nodes and miners all over the world.

eragmus 2 points 6 hours ago

The argument concerns data caps, not speeds. See:

    https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs0xznd

lorempsum[S] 4 points 1 day ago

    ... On the other side of the blocksize debate, there's GMaxwell.

And every other core developer, other than Gavin and Mike (though Mike hasn't really been a contributing developer for a long, long time now).

    GMaxwell thinks he's libertarian, but he's extremely tyrannical by the fact that he thinks his beliefs of what is decentralization should be imposed on others for their own good.

Come on, really? How is that even relevant? Talk about his claims and rationale, not about his personality.

https://yourlogicalfallacyis.com/ad-hominem

    When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the Alt-coins and powers-that-be will not waste a moment's time to capitalize on it.

There are many valid reasons to oppose a change that might increase Bitcoin's value in the short term, but harm it in the long term. Your arguments are just classic scare tactics.

    Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not impose ill-researched economic decisions on the entire ecosystem?

Blockstream has no opinion on this matter; it's the people who happen to work there that do. I don't see any relevance in that argument, at all.

[deleted] 1 day ago

[deleted]

aminok 2 points 1 day ago

Your contribution is really moving the discussion forward in a civil and constructive direction. /s

laisee 0 points 23 hours ago

Blockstream has no opinion, but it does have a stake in the argument through its expected future profits. Tell me that doesn't change the debate ever so slightly for the "No" camp.

mmeijeri 2 points 20 hours ago

Gavin does not need to step down from any official position as Bitcoin doesn't have any official positions. He's just some guy on the internet, just like you and me, only with far more influence than you or me.

eragmus 2 points 7 hours ago

Sadly.

Apatomoose 4 points 23 hours ago

In the face of all the chaos and lack of action it is refreshing to see someone stepping up and taking a strong lead.

Heil Gavin!

DakotaChiliBeans 2 points 17 hours ago

Bitcoin price is up today. The market has spoken, it demands more division among bitcoin users. To the Moooonnn!!!

BeefSupreme2 2 points 23 hours ago

My coins are going to be worthless after this debacle :(

scotty321 1 point 21 hours ago

LOVE GAVIN ANDRESEN!!!

MeanOfPhidias 1 point 1 day ago

That's the exact kind of sentiment that needs to find another project.

If that is where his heart lies maybe it's time to listen to the Dark Wallet folks

leon6677 2 points 23 hours ago

Gavin, we trust you to do what you think is best in the long run.

luckdragon69 1 point 23 hours ago

Don't fall for scare tactics - the other devs aren't worried, Gavin is in the minority.

leon6677 1 point 15 hours ago

it with SVN. Place your .po file 3 directories deep under the src directory. Open it with poedit and do Catalog->Update from sources.

So for example, you have:
src
src\base58.h
src\bignum.h
...
src\util.cpp
src\util.h
src\xpm
src\locale\ru\LC_MESSAGES\bitcoin.po

Open bitcoin.po with poedit, do Catalog->Update from sources. It looks for the sourcecode up 3 directories (..\..\..) from where bitcoin.po is.

This updates your existing .po file you already worked on and adds any new strings. It may try to match close strings, so check things over and make sure it didn't make any bad guesses.

Make sure you use the .po file I uploaded to SVN or in a release, because I always fix up at least a few things. I'm attaching your Russian one to this message.

Re: [PATCH] increase block size limit (msg 15366, topic 1347, board 6, posted 1286221720)

It can be phased in, like:

if (blocknumber > 115000)
    maxblocksize = largerlimit

It can start being in versions way ahead, so by the time it reaches that block number and goes into effect, the older versions that don't have it are already obsolete.

When we're near the cutoff block number, I can put an alert to old versions to make sure they know they have to upgrade.

Re: Website and software translations (msg 15660, topic 151, board 6, posted 1286379759, modified 1286383231 by satoshi)

poedit reorganised the file for some reason. I re-ran update from sources and it put it back in the original order so it's fine now. Did you run it on a drive where files aren't sorted alphabetically, like a FAT drive or USB flash drive?

Strings aren't added or changed very often. It's months before enough changes build up.

I uploaded the changes.

This Windows build has the Russian translation in it:
http://www.bitcoin.org/download/bitcoin-0.3.13.2-win32-setup.exe

Re: I'm not seeing post attachments... (msg 15662, topic 1378, board 3, posted 1286379992)

Fixed.

You were right. Post Attachments and View Attachments were unchecked.

Re: I broke my wallet, sends never confirm now. (msg 15672, topic 1306, board 6, posted 1286384063)

That's going to be more of a SelectCoins thing.

SVN rev 161 has a refinement to recursively determine if your own unconfirmed transactions can be spent. This is needed because you should be able to spend your own change right away.

The new recursive determination is: 0/unconfirmed can be spent if it's yours and all its dependencies are either in a block or also yours.

Here's a Windows build:
http://www.bitcoin.org/download/bitcoin-0.3.13.2-win32-setup.exe

This version is an improvement if you already had a 0/unconfirmed transaction and might have already spent it. If you were the original creator of a 0/unconfirmed transaction, you still need theymos' patch instead.

Re: Tor connections not working reliably, many seednodes offline (msg 15682, topic 1375, board 6, posted 1286386601)

Maybe you were just unlucky to have an exit node without reverse lookup.

The IRC server's response doesn't look like it was disconnecting you for that. It's supposed to go IRC SENDING: NICK after that, and it doesn't so it gets timed out.

I see the problem. The IRC code is looking for various phrases to see when the server is ready to receive your NICK, but it's not looking for that particular phrase. I'll fix it.

I don't know if it's really required to wait for the server to finish looking up hostname before sending nick.

How long did it take to get connected with TOR the first time, having to use the seed nodes?

Re: The Niche List (msg 15741, topic 1268, board 5, posted 1286406631, modified 1286662327 by satoshi)

[quote author=kiba link=topic=1268.msg13828#msg13828 date=1285257616]
1. Download site like rapidshare and other crappy host. Inconvenient captcha and required paypal. Bitcoin can possibly take both roles and streamline the whole process.
[/quote]
Repeating myself here, but there is open source software for that, so it would just be a matter of bolting on a Bitcoin payment mechanism. One good one I found was Mihalism Multi Host. It's designed as a free host, so it would just need a few tweaks to loosen up restrictions consistent with paid use.

Key pool feature for safer wallet backup (msg 16316, topic 1414, board 6, posted 1286655573)

SVN rev 163 (ver 0.3.13.3) has the key pool feature. Pre-generated new keys are aged in a queue before use, so that backups of wallet.dat hold keys you'll use in the future.

For now I made the default pool size 100. It can be configured with -keypool=. Be aware, it takes a little time to increase the pool size, so don't go crazy with it. Disk space is about 1K per key.

I have not addressed the recovery side of this yet. If you actually did restore an old wallet.dat, I think you may have to delete blk*.dat to rediscover your own transactions during the redownload.

I've only tested this moderately. You might not want to use this for a website server until it's had some more testing.

Version 0.3.14 (msg 17924, topic 1528, board 6, posted 1287679167, modified 1287700410 by satoshi)

Version 0.3.14 is now available
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.14/

Changes:
- Key pool feature for safer wallet backup
Gavin Andresen:
- TEST network mode with switch -testnet
- Option to use SSL for JSON-RPC connections on unix/osx
- validateaddress RPC command
eurekafag:
- Russian translation

Re: Website and software translations (msg 17965, topic 151, board 6, posted 1287701447)

The order matters not to the program, but it matters to me maintaining it. If it jumbles the order of the .po file then I can't diff for changes. I have to update all 7 translation files when I change the English text in the program, and it's easier when they're all in the same order.

I can still put it back into normal order by making poedit rescan it.

It is normal that untranslated strings are shown on top.

[quote author=eurekafag link=topic=151.msg15697#msg15697 date=1286393976]
By the way, there are some similar lines that possibly may be replaced by one. They are very close by meaning and differ only by 1-2 words. Just a suggestion of course.
[/quote]
I know, but not easily without complicating the sourcecode.

Re: ERROR - PLEASE HELP ME! (msg 18241, topic 1530, board 4, posted 1287858169, modified 1287858772 by satoshi)

[quote author=theymos link=topic=1530.msg17955#msg17955 date=1287698426]
his block count remains "stuck" at 1698.
[/quote]
He was generating invalid blocks at difficulty 1.0. He must have a corrupted entry in his blk0001.dat or blkindex.dat file. He just needs to delete blk*.dat and let it redownload.

The safety lockdown detected the problem and was displaying "WARNING: Displayed transactions may not be correct!" because it saw a longer chain existed that it was unable to accept. The safety lockdown cannot stop generation or it would create an attack possibility.

[quote author=gavinandresen link=topic=1530.msg18074#msg18074 date=1287757514]
The Bitcoin client really shouldn't allow coin generation until you have all of the blocks up to the last block checkpoint.
[/quote]
Good idea, I made a change to make sure it won't generate before checkpoint block 74000.

Re: ERROR - PLEASE HELP ME! (msg 18245, topic 1530, board 4, posted 1287859084)

OK, if it really won't get past block 1698 on redownload, then we're in stranger territory.

Yes, possibly he has antivirus software or even a router or firewall that is pattern matching a sequence of bytes and censoring it.

It would be instructive to get knightmb's blk*.dat and see if that gets him past that point.

Re: Win7 64bit since last patch Tues now crashes (msg 18246, topic 1540, board 4, posted 1287859922)

[quote author=Odin link=topic=1540.msg18105#msg18105 date=1287782678]
  Fault Module Name: mingwm10.dll
[/quote]
This is the important clue. I believe it's saying it crashed in that. Maybe there are other versions of it to try. mingwm10.dll is just a simple placeholder thing that satisfies some callback requirement for multithreaded apps.

Is anyone else running OK on Windows 64-bit?

Re: Suggestion: Allow short messages to be sent together with bitcoins ? (msg 18250, topic 1545, board 6, posted 1287860577)

ECDSA can't encrypt messages, only sign signatures.

It would be unwise to have permanently recorded plaintext messages for everyone to see. It would be an accident waiting to happen.

If there's going to be a message system, it should be a separate system parallel to the bitcoin network. Messages should not be recorded in the block chain. The messages could be signed with the bitcoin address keypairs to prove who they're from.

Re: Multiple Wallets, one computer (msg 18349, topic 665, board 6, posted 1287947871)

I have the beginning of something like this. It's mostly like what Gavin described.

Some more rpc interface:

move <fromaccount> <toaccount> <amount>
    Move from one internal account to another. I think blank account name ("") will be your default account. If you sell something to a user, you could do move "theiraccount" "" 123.45.
    Is "move" the best name for this? I shied away from "transfer" because that sounds too close to sending a transaction.

I'm thinking a new function getaccountaddress instead of overloading getnewaddress:

getaccountaddress <account>
    Gives you an address allocated from getnewaddress <account>. It'll keep giving the same address until something is received on the address, then it allocates a new address. (It automatically does what the sample code I posted some time ago did)

Would these commands make it possible in simple cases to implement your website without needing a database of your own?

Re: Multiple Wallets, one computer (msg 18508, topic 665, board 6, posted 1288025633)

Here's some pseudocode of how you would use the account based commands. It sure makes website integration a lot easier.

print "send to " + getaccountaddress(username) + " to fund your account"
print "balance: " + getbalance(username, 0)
print "available balance: " + getbalance(username, 6)

// if you make a sale, move the money out of their account
move(username, "", amount, 6)

// withdrawal
sendfrom(username, bitcoinaddress, amount, 6)

Re: Win7 64bit since last patch Tues now crashes (msg 18511, topic 1540, board 4, posted 1288027667, modified 1288110542 by satoshi)

The only thing I can think of is to see if there are other versions of mingwm10.dll you can get. mingwm10.dll is a tiny little DLL that came with the MinGW compiler that you need when you build for multi-thread. I don't know exactly what it does, but it probably just says something like "yes Windows, see I'm in a DLL like you insisted."

The end of your debug.log file might show the last thing it was doing before it crashed.

Re: New icon/logo (msg 21766, topic 64, board 1, posted 1289609751, modified 1289610386 by satoshi)

I'm happy if someone with artistic skill wants to contribute alternatives. The icon/logo was meant to be good as an icon at the 16x16 and 20x20 pixel sizes. I think it's the best program icon, but there's room for improvement at larger sizes for a graphic for use on websites.

It'll be a lot simpler if authors could make their graphics public domain.

Re: Some testing that I did on the testnetwork, my findings. (msg 21896, topic 1668, board 6, posted 1289690726)

Thank you for limiting flood tests to the testnet.

Version 0.3.15 combines several features to help legitimate transactions jump the queue during a flood attack. The key was Gavin's idea for prioritising transactions based on the age of their dependencies. Every coin is entitled to turn over so often. The longer waited, the more priority accumulates. Priority is sum(valuein * age) / txsize. Transaction fee still takes precedence over priority, and priority determines the order of processing within a fee strata.

In support of the priority feature, SelectCoins uses your own 0 conf transactions only as a last resort if that's all you have left. This helps keep you from turning your coins over rapidly unless you're forcing it by actually turning all your coins over rapidly.

Version 0.3.15 (msg 21897, topic 1780, board 6, posted 1289690800)

Version 0.3.15 is now available.

Changes:
- paytxfee switch is now per KB, so it adds the correct fee for large transactions
- sending avoids using coins with less than 6 confirmations if it can
- BitcoinMiner processes transactions in priority order based on age of dependencies
- make sure generation doesn't start before block 74000 downloaded
- bugfixes by Dean Gores
- testnet, keypoololdest and paytxfee added to getinfo

Re: Some testing that I did on the testnetwork, my findings. (msg 21959, topic 1668, board 6, posted 1289753599, modified 1289754952 by satoshi)

[quote author=ByteCoin link=topic=1668.msg21899#msg21899 date=1289692511]
Of course, if the network is not being flooded and you're not overly concerned about the current transaction getting held up then it's probably worth preferring to use your 0 conf transactions so that you can "save" the higher priority coins for when the network [b]is[/b] being flooded.
[/quote]
You should use at least some priority in case a flood comes along before the next block.

As long as all dependencies have at least 1 conf, if the transaction doesn't have enough priority at first, the dependencies will age until it does.

[quote]
Gaming the system by including 1000 or so recently turned over BTC to bump the priority as described in my post above still works of course!
[/quote]
Or managing how much priority you spend on a transaction. The software would have to know your future plans to know

9530	823	6	1281905949	9530	0		xx	1	Re: overflow bug SERIOUS	Here's the preliminary change.  Look right?  I have more changes to make, this isn't all of it.  Will SVN shortly.

[code]
    bool CheckTransaction() const
    {
        // Basic checks that don't depend on any context
        if (vin.empty() || vout.empty())
            return error("CTransaction::CheckTransaction() : vin or vout empty");

        // Check for negative and overflow values
        int64 nTotal = 0;
        foreach(const CTxOut& txout, vout)
        {
            if (txout.nValue < 0)
                return error("CTransaction::CheckTransaction() : txout.nValue negative");
            if (txout.nValue > 21000000 * COIN)
                return error("CTransaction::CheckTransaction() : txout.nValue too high");
            nTotal += txout.nValue;
            if (nTotal > 21000000 * COIN)
                return error("CTransaction::CheckTransaction() : txout total too high");
        }

        if (IsCoinBase())
        {
            if (vin[0].scriptSig.size() < 2 || vin[0].scriptSig.size() > 100)
                return error("CTransaction::CheckTransaction() : coinbase script size");
        }
        else
        {
            foreach(const CTxIn& txin, vin)
                if (txin.prevout.IsNull())
                    return error("CTransaction::CheckTransaction() : prevout is null");
        }

        return true;
    }
[/code]

Don't sticky the topic, nobody looks up there.  There'll be enough posts to bump.
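An added example, not the post's own code, of what the new value checks defend against: two outputs that each fit in a signed 64-bit value but whose sum wraps, so a check that only asks whether outputs exceed inputs accepts them, while bounding each output and the running total by 21000000 * COIN rejects them before any fee arithmetic. The sample values are constructed (they are not the real block 74638 outputs), and WrappingAdd, NaiveValueCheck and CheckTransactionValues are my names.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <vector>

static const int64_t COIN = 100000000;             // satoshis per BTC, as in Bitcoin
static const int64_t MAX_MONEY = 21000000 * COIN;  // 21 million BTC

// Wrapping int64 addition, done through unsigned arithmetic so it is defined
// behaviour here; it reproduces what an unchecked signed sum would produce.
int64_t WrappingAdd(int64_t a, int64_t b) {
    return static_cast<int64_t>(static_cast<uint64_t>(a) + static_cast<uint64_t>(b));
}

// Pre-fix style of check: only "are the outputs covered by the inputs?"
// A wrapped (negative) total makes the fee look positive, so this passes.
bool NaiveValueCheck(int64_t valueIn, const std::vector<int64_t>& vout) {
    int64_t total = 0;
    for (int64_t v : vout) total = WrappingAdd(total, v);
    return valueIn - total >= 0;
}

// The value checks from the post: per-output range plus a bounded running total.
bool CheckTransactionValues(const std::vector<int64_t>& vout) {
    int64_t total = 0;
    for (int64_t v : vout) {
        if (v < 0) return false;              // txout.nValue negative
        if (v > MAX_MONEY) return false;      // txout.nValue too high
        total += v;                           // cannot overflow: both <= MAX_MONEY
        if (total > MAX_MONEY) return false;  // txout total too high
    }
    return true;
}

// Constructed outputs: two values just under INT64_MAX whose true sum is
// just under 2^64, so the wrapped int64 total is a small negative number.
std::vector<int64_t> OverflowingOutputs() {
    int64_t big = std::numeric_limits<int64_t>::max() - 500000;
    return {big, big};  // wraps to -1000002 satoshis
}

int main() {
    std::vector<int64_t> bad = OverflowingOutputs();
    std::cout << "wrapped total: " << WrappingAdd(bad[0], bad[1]) << '\n';
    std::cout << "naive check accepts: " << NaiveValueCheck(50 * COIN, bad) << '\n';
    std::cout << "bounded check accepts: " << CheckTransactionValues(bad) << '\n';
    return 0;
}
```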
9531	823	6	1281906405	9531	0		xx	1	Re: overflow bug SERIOUS	It would help if people stop generating.&nbsp; We will probably need to re-do a branch around the current one, and the less you generate the faster that will be.<br /><br />A first patch will be in SVN rev 132.&nbsp; It&#039;s not uploaded yet.&nbsp; I&#039;m
pushing some other misc changes out of the way first, then I&#039;ll upload the patch for this.
9539	823	6	1281907435	9539	0		xx	1	Re: overflow bug SERIOUS	Once you have an update, you could download knightmb&#039;s block chain. &nbsp;You&#039;ll want one that&#039;s old enough that it ends [i]before[/i] block 74000 so the most recent security lockin will check it. &nbsp;Can someone find the link for that?&nbsp;
9548	823	6	1281908419	9548	0		xx	1	Re: overflow bug SERIOUS	Patch is uploaded to SVN rev 132! <br /><br />For now, recommended steps:<br />1) Shut down.<br />2) Download knightmb&#039;s blk files.&nbsp; (replace your blk0001.dat and blkindex.dat files)<br />3) Upgrade.<br />4) It should start out with less than 74000
blocks. Let it redownload the rest.<br /><br />If you don&#039;t want to use knightmb&#039;s files, you could just delete your blk*.dat files, but it&#039;s going to be a lot of load on the network if everyone is downloading the whole block index at once.<br /><br />I&#039;ll build releases shortly.
9573	823	6	1281913088	9573	0		xx	1	Re: overflow bug SERIOUS	Don&#039;t update the block chain download. &nbsp;When you take someone&#039;s block chain download, you don&#039;t want it right up to the end. &nbsp;A somewhat old one is better so it can download and verify the most recent blocks.<br /><br />tcatm&#039;s 4-way
SSE2 SHA-256 is in the file sha256.cpp and already uploaded a few revs ago.<br /><br />I just now uploaded rev 134 which is the makefile.unix that enables building with it on Linux. &nbsp;If you build rev 134 on Linux now you&#039;ll get the -4way switch.<br /><br />If you have problems building because of it, then edit makefile.unix and:<br />- remove -DFOURWAYSSE2<br />-
remove obj/sha256.o from the end of these lines:<br />bitcoin: $(OBJS) obj/ui.o obj/uibase.o obj/sha256.o<br />bitcoind: $(OBJS:obj/%=obj/nogui/%) obj/sha256.o<br /><br />The 0.3.10 linux build [i]will[/i] have the -4way option when I build it.<br /><br />Here are the patch downloads for Windows:<br /><br />http://www.bitcoin.org/download/bitcoin-0.3.10-win32-setup.exe<br
/>http://www.bitcoin.org/download/bitcoin-0.3.10-win32.zip<br /><br />SHA1 16645ec5fcdb35bc54bc7195309a1a81105242bb bitcoin-0.3.10-win32-setup.exe<br />SHA1 4f35ad7711a38fe8c880c6c9beab430824c426d3 bitcoin-0.3.10-win32.zip<br /><br />Steps:<br />1) Shut down.<br />2) Download knightmb&#039;s blk files and replace your blk0001.dat and blkindex.dat files.<br
/>http://knightmb.dyndns.org/files/bitcoin/blocks/<br />http://rapidshare.com/files/413168038/BitcoinBlocks.torrent<br />3) Upgrade to 0.3.10.<br />4) It should start out with less than 74000 blocks and redownload the rest.<br /><br />Or if you don&#039;t want to mess with downloading blk files, you can just do this:<br /><br />1) Shut down.<br />2) Delete (or move)
blk*.dat<br />3) Upgrade to 0.3.10.<br />4) It redownloads all blocks, probably take about an hour.<br /><br /><br />
9576	823	6	1281914244	9576	0		xx	1	Re: overflow bug SERIOUS	[quote author=knightmb link=topic=823.msg9574#msg9574 date=1281913144]<br />[b][edit][/b] Just saw your post, I&#039;ll build one to less than 74,000 then, should at least save you technical people a few minutes of downloading the new chain. &nbsp;;)<br />[/quote]<br
/>Just leave the old one alone! &nbsp;Older is better. &nbsp;What block number is it? &nbsp;Anywhere from 60000-74000 is good.&nbsp; The one that you&#039;ve had available for a while has been vetted and is the best choice.
9584	823	6	1281915370	9584	0		xx	1	Re: overflow bug SERIOUS	Starting at 67000 is [i]perfect[/i]. &nbsp;<br /><br />Yeah, at the moment you&#039;ll stop at 74638. &nbsp;It should start slowly creeping up as more nodes upgrade and generate.<br /><br />Linux build links below.<br /><br />The Linux version includes tcatm&#039;s 4-way
SSE2 SHA-256 that makes generating faster on i5 and AMD CPU&#039;s. &nbsp;Use the &quot;-4way&quot; switch to enable it and check if it&#039;s faster for you.<br /><br />Download links:<br />http://www.bitcoin.org/download/bitcoin-0.3.10-win32-setup.exe<br />http://www.bitcoin.org/download/bitcoin-0.3.10-win32.zip<br />http://www.bitcoin.org/download/bitcoin-0.3.10-linux.tar.gz<br
/><br />SHA1 16645ec5fcdb35bc54bc7195309a1a81105242bb bitcoin-0.3.10-win32-setup.exe<br />SHA1 4f35ad7711a38fe8c880c6c9beab430824c426d3 bitcoin-0.3.10-win32.zip<br />SHA1 e3fda1ddb31b0d5c35156cacd80dee6ea6ae6423 bitcoin-0.3.10-linux.tar.gz
9586	823	6	1281915427	9586	0		xx	1	Re: overflow bug SERIOUS	[quote author=Joozero link=topic=823.msg9582#msg9582 date=1281915163]<br />I think that you should add something about this: http://www.bitcoin.org/smf/index.php?topic=259.0<br />There must be a label on the client that show a warning message if needed :)<br />Now
everyone have always to check the website, and I think that this is bad.<br />[/quote]<br />Agree, wanted to do that for a long time, haven&#039;t had time to do it.<br /><br />For now, you could also subscribe to the bitcoin-list mailing list.&nbsp; It rarely gets used except for announcements like this and major new versions.<br /><br />Subscribe/unsubscribe page:<br
/>http://lists.sourceforge.net/mailman/listinfo/bitcoin-list<br />
9590	827	1	1281916102	9734	1281964256	satoshi exclamation	1	Version 0.3.10 - block 74638 overflow PATCH!	Version 0.3.10 patches the block 74638 overflow bug. &nbsp; http://www.bitcoin.org/smf/index.php?topic=823<br /><br />The Linux version includes tcatm&#039;s 4-way SSE2 SHA-256 that makes generating faster on i5, i7 (with hyperthreading)
and AMD CPU&#039;s. &nbsp;Try the &quot;-4way&quot; switch to enable it and check if it&#039;s faster for you.&nbsp; <br /><br />Download from sourceforge:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.10/<br /><br />SHA1 16645ec5fcdb35bc54bc7195309a1a81105242bb bitcoin-0.3.10-win32-setup.exe<br />SHA1 4f35ad7711a38fe8c880c6c9beab430824c426d3
bitcoin-0.3.10-win32.zip<br />SHA1 e3fda1ddb31b0d5c35156cacd80dee6ea6ae6423 bitcoin-0.3.10-linux.tar.gz<br />SHA1 b812ccff4881778b9090f7c0b0255bcba7b078ac bitcoin-0.3.10-macosx.zip<br /><br />It is no longer necessary to delete blk*.dat.&nbsp; The good block chain has overtaken the bad block chain, so you can just upgrade and it&#039;ll automatically reorg away the bad block chain.
9608	828	6	1281918508	9608	0		xx	1	Re: 0.3.10.1 Question on where block should be	I suspect there&#039;s some difficulty receiving blocks if all the nodes you&#039;re connected to are 0.3.9 or lower.&nbsp; We need enough of us so that at least one node you connect to will be 0.3.10.&nbsp; The problem will start to go away when
we make up more than 1/8th of the network.<br /><br />It&#039;ll help if you port forward so you can get lots of connections.
9612	828	6	1281919040	9612	0		xx	1	Re: 0.3.10.1 Question on where block should be	For now, can some people running 0.3.10 with static IP who can receive incoming connections post their IP?&nbsp; Then we can -addnode= them and make sure to connect to at least one 0.3.10 node.<br /><br />
9623	823	6	1281920445	9623	0		xx	1	Re: overflow bug SERIOUS	[quote author=Ground Loop link=topic=823.msg9609#msg9609 date=1281918595]<br />Question about fallout: &nbsp;I had a [b]transaction[/b] that I submitted after the bad block, using the bad block chain.<br /><br />What is the status of that transaction?<br />From
what I can tell, my (updated) sending client wallet shows the deducted amount.<br /><br />Will it get reincorporated into the fixed chain, and will the recipient be able to spend it?<br />[/quote]<br />Right, it will get reincorporated into the fixed chain. &nbsp;The transaction won&#039;t disappear, it&#039;ll still be visible on both sides, but the confirmation count will
jump back to 0 and start counting up again.<br /><br />It&#039;s only if you generated a block in the bad chain after block 74638 that the 50 BTC from that will disappear. &nbsp;Any blocks in the bad chain wouldn&#039;t have matured yet.
9624	823	6	1281920544	9624	0		xx	1	Re: overflow bug SERIOUS	[quote author=kosovito link=topic=823.msg9615#msg9615 date=1281919157]<br />I did all steps, now my client is 0.3.10 and it stopped at block 74638. Is all fine?<br />[/quote]<br />If you still show 74638 blocks then you aren&#039;t connected to any 0.3.10
nodes. &nbsp;<br /><br />For today, try adding these parameters:&nbsp; <br />-addnode=75.158.131.108 -addnode=99.27.237.13 -addnode=68.68.99.14<br /><br />See<br />http://www.bitcoin.org/smf/index.php?topic=828
9628	823	6	1281921125	9628	0		xx	1	Re: overflow bug SERIOUS	[quote author=trebronics link=topic=823.msg9625#msg9625 date=1281920555]<br />Most people running clients are not reading this message thread. &nbsp;So... &nbsp;Silly questions:<br /><br />1) How will this continue to affect version 3.8.1 (pre-catastrophe) clients
with bad block chain?<br />2) How will this affect clients that upgrade to 3.8.10 but don&#039;t remove their block chain files?<br />[/quote]<br />1) Once more than 50% of the node power is upgraded and the good chain overtakes the bad, the 0.3.10 nodes will make it hard for any bad transactions to get any confirmations. <br />2) If you didn&#039;t remove your blk*.dat
files, you&#039;re not helping to contribute to that 50%, and you&#039;ll still show bad transactions until the good chain overtakes the bad chain.
9642	823	6	1281924970	9642	0		xx	1	Re: overflow bug SERIOUS	The bad chain is also slowed down as more nodes upgrade.<br /><br />We&#039;ve already generated 14 blocks since 74638. &nbsp;The builds of 0.3.10 were uploaded about 2 and 3 hours ago. &nbsp;Of the nodes I&#039;m connected to, more than half are already
0.3.10. &nbsp;I would say we probably already have more power than the bad chain.<br />
9648	823	6	1281926301	9648	0		xx	1	Re: overflow bug SERIOUS	On Windows, findstr /c:&quot;version message&quot; debug.log<br /><br />It looks like the bad chain was on block 74678 recently. &nbsp;Can&#039;t wait to overtake it.<br /><br />On the stats at http://nullvoid.org/bitcoin/statistix.php&nbsp; there&#039;s been 5
blocks per hour in the last 3 hours. &nbsp;We had a difficulty adjustment about a day ago that should have put it back to 6 blocks per hour.<br />
9655	820	6	1281927477	9655	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2	[quote author=tcatm link=topic=820.msg9617#msg9617 date=1281919419]<br />I propose to compile sha256.cpp with -O3 -march=amdfamk10 (will work on 32bit and 64bit) as only CPUs supporting this instruction set (AMD Phenom, Intel i5 and newer)
benefit from -4way and it&#039;ll improve performance by ~9%.<br />[/quote]<br />GCC 4.3.3 doesn&#039;t support -march=amdfamk10.&nbsp; I get:<br />sha256.cpp:1: error: bad value (amdfamk10) for -march= switch<br /><br /><br />[quote author=NewLibertyStandard link=topic=820.msg9630#msg9630 date=1281923341]<br />With 4way, I get significantly better performance when I have
all my virtual cores enabled. I think I get about the same amount of hashes when hyper threading is turned off with or without 4way.<br />[/quote]<br />Hey, you may be onto something!<br /><br />hyperthreading didn&#039;t help before because all the work was in the arithmetic and logic units, which the hyperthreads share.<br /><br />tcatm&#039;s SSE2 code must be a mix of
normal x86 instructions and SSE2 instructions, so while one is doing x86 code, the other can do SSE2.<br /><br />How much of an improvement do you get with hyperthreading?<br /><br />Some numbers? &nbsp;What CPU is that?<br />
9661	820	6	1281928984	9661	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2	[quote author=Vasiliev link=topic=820.msg9660#msg9660 date=1281928627]<br />try -march=amdfam10<br />[/quote]<br />That works.<br /><br />That&#039;s strange...&nbsp; are we sure that&#039;s the same thing?&nbsp; tcatm, try amdfam10 and
make sure you get the same speed measurement.
it&#039;s not an accident waiting to happen.<br /><br />It would be nice if the forum could be at www.bitcoin.org/forum/ instead of www.bitcoin.org/smf/ but that&#039;s a whole nother thing.&nbsp; Would you be in favour of that change?&nbsp; If we want to do that, I should do it because I already know where all the path settings are and how to do it, since I had to figure
all this stuff out the first time there was the Forum URL https/http problem.&nbsp; There are other urls under Admin-&gt;Themes and Layout.&nbsp; I think if a mirror directory forum -&gt; smf was created, it would be possible to change the urls in the admin interface without the forum software stopping working.<br />
217	33	3	1265239271	217	0		xx	1	Re: Installed anti-bruteforce module to Drupal	3 seems dangerously low to get ourselves locked out.&nbsp; Why not make it 10?
219	27	4	1265239797	219	0		xx	1	Re: Bitcoin crash when sending coins	I uploaded this fix to the SVN.&nbsp; It watches for spent coins and updates your wallet on load and also continuously as blocks come in.&nbsp; I also put a better error message, but it should never hit it because it always finds spent coins ahead of time,
unless you spent the same money at the same time on two computers at once.<br /><br />If you want to try it, PM or e-mail me your e-mail address where I can send it as an attachment and also what OS (win, linux 32-bit, linux 64-bit).
220	35	4	1265240214	220	0		xx	1	Re: Win32 CPU Cycles vs 'Live Protection' Engines ?	Thanks for that.&nbsp; Which version of Windows?
222	34	1	1265242027	222	0		xx	1	Re: Questions about Addresses	Port forwarding forwards a port to one computer.&nbsp; It tells the router which computer handles connections to that port.&nbsp; So that&#039;s the computer receiving.<br /><br />If you didn&#039;t set up port forwarding, then incoming connections won&#039;t go
to any computer, and attempts to send to that IP would just say it couldn&#039;t connect to the recipient and nothing is sent.&nbsp; When sending by IP, you still send to a bitcoin address, but your computer connects to that IP, gets a new bitcoin address from it, gives the transaction directly to them and confirms that it was received and accepted.<br /><br />Someone
should post their static IP so people can try out sending by IP and also give that user free money.<br /><br />There&#039;s a 32-bit checksum in bitcoin addresses so you can&#039;t accidentally type an invalid address.<br /><br />If 4) you send to a recipient who has abandoned or lost their wallet.dat, then the money is lost.&nbsp; A subtle point can be made that since
there is then less total money in circulation, everyone&#039;s remaining money is worth slightly more, aka &quot;natural deflation&quot;.
223	22	6	1265243450	223	0		xx	1	Re: TOR and I2P When using proxy port 9050, it will only make one attempt to connect to IRC, then give up, since it knows it will probably always fail because IRC servers ban all the TOR exit nodes.&nbsp; If you&#039;re using another port, it would assume it might be a regular old normal proxy
and would keep retrying IRC at longer and longer intervals.&nbsp; You should not use Polipo or Privoxy as those are http filters and caches that would corrupt Bitcoin&#039;s messages if they make any changes.&nbsp; Bitcoin might be trying to overcome it by reconnecting.&nbsp; You should use port 9050.<br /><br />As riX says, the &quot;is giving Tor only an IP address. Apps
that do DNS...&quot; warnings are nothing to worry about. &nbsp;Bitcoin doesn&#039;t use DNS at all in proxy mode.<br /><br />Since Bitcoin can&#039;t get through to IRC through Tor, it doesn&#039;t know which nodes are currently online, so it has to try all the recently seen nodes. &nbsp;It tries to conserve connection attempts as much as possible, but also people want it
to connect quickly when they start it up and reconnect quickly if disconnected. &nbsp;It uses an algorithm where it tries an IP less and less frequently the longer ago it was successfully connected. &nbsp;For example, for a node it saw 24 hours ago, it would wait 5 hours between connection attempts. &nbsp;Once it has at least 2 connections, it won&#039;t try anything over a
week old, and 5 connections it won&#039;t try anything over 24 hours old.
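The retry behaviour the post above describes, as an added example (not code from the post or from Bitcoin): an address is retried less often the longer ago it was last connected, and once the node holds 2 or 5 connections it skips addresses older than a week or a day. The post gives one data point (24 hours since last seen, about 5 hours between attempts); the schedule used here, one hour times the square root of the hours since last seen, is my assumption that reproduces that figure, and the struct and function names are mine.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>

const int64_t HOUR = 60 * 60;
const int64_t DAY = 24 * HOUR;
const int64_t WEEK = 7 * DAY;

// What we remember about a peer address; field names are mine.
struct KnownAddress {
    int64_t lastSeen;  // unix time of the last successful connection to it
    int64_t lastTry;   // unix time of our last attempt (0 = never tried)
};

// Seconds to wait between attempts for an address last seen `sinceLastSeen`
// seconds ago. Assumed schedule: one hour times sqrt(hours since last seen),
// floored at 10 minutes; 24 hours since last seen gives about 5 hours, the
// figure quoted in the post.
int64_t RetryDelay(int64_t sinceLastSeen) {
    double hours = static_cast<double>(sinceLastSeen) / HOUR;
    int64_t delay = static_cast<int64_t>(HOUR * std::sqrt(std::fabs(hours)));
    return delay < 10 * 60 ? 10 * 60 : delay;
}

// Whether to spend a connection attempt on `addr` at time `now`, given how
// many connections we already hold. The staleness cut-offs are the post's:
// nothing over a week old once we have 2 connections, nothing over 24 hours
// old once we have 5.
bool ShouldTry(const KnownAddress& addr, int64_t now, int connections) {
    int64_t sinceLastSeen = now - addr.lastSeen;
    if (connections >= 5 && sinceLastSeen > DAY) return false;
    if (connections >= 2 && sinceLastSeen > WEEK) return false;
    if (addr.lastTry == 0) return true;  // never tried: go ahead
    return (now - addr.lastTry) >= RetryDelay(sinceLastSeen);
}

int main() {
    const int64_t now = 1700000000;  // constructed "current time"
    KnownAddress seenYesterday{now - DAY, now - 2 * HOUR};
    std::cout << "retry delay for an address seen 24h ago: " << RetryDelay(DAY) / 60 << " min\n";
    std::cout << "try it now with 1 connection? " << ShouldTry(seenYesterday, now, 1) << '\n';
    return 0;
}
```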
249	43	1	1265397552	11340	1282868283	satoshi xx	1	Proof-of-work difficulty increasing	We had our first automatic adjustment of the proof-of-work difficulty on 30 Dec 2009.

The minimum difficulty is 32 zero bits, so even if only one person was running a node, the difficulty doesn't get any easier than that.  For most of last year, we were hovering below the minimum.  On 30 Dec we broke above it and the algorithm adjusted to more difficulty.  It's been getting more difficult at each adjustment since then.

The adjustment on 04 Feb took it up from 1.34 times last year's difficulty to 1.82 times more difficult than last year.  That means you generate only 55% as many coins for the same amount of work.

The difficulty adjusts proportionally to the total effort across the network.  If the number of nodes doubles, the difficulty will also double, returning the total generated to the target rate.

For those technically inclined, the proof-of-work difficulty can be seen by searching on "target:" in debug.log.  It's a 256-bit unsigned hex number, which the SHA-256 value has to be less than to successfully generate a block.  It gets adjusted every 2016 blocks, typically two weeks.  That's when it prints "GetNextWorkRequired RETARGET" in debug.log.

minimum    00000000ffff0000000000000000000000000000000000000000000000000000
30/12/2009 00000000d86a0000000000000000000000000000000000000000000000000000
11/01/2010 00000000c4280000000000000000000000000000000000000000000000000000
25/01/2010 00000000be710000000000000000000000000000000000000000000000000000
04/02/2010 000000008cc30000000000000000000000000000000000000000000000000000
14/02/2010 0000000065465700000000000000000000000000000000000000000000000000
24/02/2010 0000000043b3e500000000000000000000000000000000000000000000000000
08/03/2010 00000000387f6f00000000000000000000000000000000000000000000000000
21/03/2010 0000000038137500000000000000000000000000000000000000000000000000
01/04/2010 000000002a111500000000000000000000000000000000000000000000000000
12/04/2010 0000000020bca700000000000000000000000000000000000000000000000000
21/04/2010 0000000016546f00000000000000000000000000000000000000000000000000
04/05/2010 0000000013ec5300000000000000000000000000000000000000000000000000
19/05/2010 00000000159c2400000000000000000000000000000000000000000000000000
29/05/2010 000000000f675c00000000000000000000000000000000000000000000000000
11/06/2010 000000000eba6400000000000000000000000000000000000000000000000000
24/06/2010 000000000d314200000000000000000000000000000000000000000000000000
06/07/2010 000000000ae49300000000000000000000000000000000000000000000000000
13/07/2010 0000000005a3f400000000000000000000000000000000000000000000000000
16/07/2010 000000000168fd00000000000000000000000000000000000000000000000000
27/07/2010 00000000010c5a00000000000000000000000000000000000000000000000000
05/08/2010 0000000000ba1800000000000000000000000000000000000000000000000000
15/08/2010 0000000000800e00000000000000000000000000000000000000000000000000
26/08/2010 0000000000692000000000000000000000000000000000000000000000000000

date, difficulty factor, % change
2009           1.00
30/12/2009     1.18   +18%
11/01/2010     1.31   +11%
25/01/2010     1.34    +2%
04/02/2010     1.82   +36%
14/02/2010     2.53   +39%
24/02/2010     3.78   +49%
08/03/2010     4.53   +20%
21/03/2010     4.57    +9%
01/04/2010     6.09   +33%
12/04/2010     7.82   +28%
21/04/2010    11.46   +47%
04/05/2010    12.85   +12%
19/05/2010    11.85    -8%
29/05/2010    16.62   +40%
11/06/2010    17.38    +5%
24/06/2010    19.41   +12%
06/07/2010    23.50   +21%
13/07/2010    45.38   +93%
16/07/2010   181.54  +300%
27/07/2010   244.21   +35%
05/08/2010   352.17   +44%
15/08/2010   511.77   +45%
26/08/2010   623.39   +22%
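An added example (not the post's code) working the post's own target values: a block hash read as a 256-bit unsigned number must be strictly less than the target, and the difficulty factor in the table is the minimum target divided by the current target, which reproduces 1.18, 1.82 and 181.54 from the hex values above. Function names are mine; comparing equal-length lowercase hex strings lexicographically stands in for a 256-bit integer comparison.

```cpp
#include <cmath>
#include <iostream>
#include <string>

// The post's targets are 64 hex digits whose last 48 are zero, so each one is
// written here as its leading 16 digits followed by 48 zeros.
const std::string ZEROS48(48, '0');
const std::string MIN_TARGET = "00000000ffff0000" + ZEROS48;  // 32 leading zero bits

// A valid target or hash is exactly 64 lowercase hex digits.
bool ValidHex256(const std::string& h) {
    if (h.size() != 64) return false;
    for (char c : h)
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) return false;
    return true;
}

// The hash must be strictly less than the target. For equal-length, same-case
// hex strings, lexicographic order is numeric order, so std::string's
// operator< does the 256-bit comparison.
bool HashMeetsTarget(const std::string& hashHex, const std::string& targetHex) {
    if (!ValidHex256(hashHex) || !ValidHex256(targetHex)) return false;
    return hashHex < targetHex;
}

// 256-bit hex to double. 53 bits of precision is plenty for a ratio, and the
// post's targets carry only 32 significant bits, so these conversions are exact.
double Hex256ToDouble(const std::string& h) {
    double v = 0.0;
    for (char c : h) {
        int d = (c <= '9') ? c - '0' : c - 'a' + 10;
        v = v * 16.0 + d;
    }
    return v;
}

// Difficulty factor as in the post's table: minimum target / current target.
// Returns 0.0 for malformed input.
double DifficultyFactor(const std::string& targetHex) {
    if (!ValidHex256(targetHex)) return 0.0;
    double t = Hex256ToDouble(targetHex);
    return t == 0.0 ? 0.0 : Hex256ToDouble(MIN_TARGET) / t;
}

// Whole-percent change in difficulty between two consecutive retargets.
int PercentChange(const std::string& prevTarget, const std::string& newTarget) {
    double prev = DifficultyFactor(prevTarget);
    if (prev == 0.0) return 0;
    return static_cast<int>(std::lround((DifficultyFactor(newTarget) / prev - 1.0) * 100.0));
}

int main() {
    // Retargets quoted in the post: 30/12/2009, and the +300% jump on 16/07/2010.
    std::cout << DifficultyFactor("00000000d86a0000" + ZEROS48) << '\n';
    std::cout << PercentChange("0000000005a3f400" + ZEROS48, "000000000168fd00" + ZEROS48) << "%\n";
    return 0;
}
```

The post's percentage column was evidently computed from the rounded factors, so a few of its entries differ by one percentage point from this exact arithmetic.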
250	34	1	1265399086	250	0		xx	1	Re: Questions about Addresses	[quote author=Sabunir link=topic=34.msg246#msg246 date=1265391090]<br />Perhaps there should be a feature against this? For instance, if a transaction isn&#039;t accepted by the recipient for a long period of time (a month?), the transaction will be canceled and
the coins returned to the one who sent them?<br />[/quote]<br /><br />That&#039;s not possible.&nbsp; You&#039;ve handed control of the money over to the recipient&#039;s keypair.&nbsp; Only that key can control it.<br /><br />It&#039;s similar to if you encrypt a file with AES and a strong password, and you lose the password.&nbsp; The data is lost.
264	7	1	1265490392	264	0		xx	1	Re: Repost: Request: Make this anonymous?	When you send to a bitcoin address, you don&#039;t connect to the recipient.&nbsp; You send the transaction to the network the same way you relay transactions.&nbsp; There&#039;s no distinction between a transaction you originated and one you
received from another node that you&#039;re relaying in a broadcast.&nbsp; With a very small network though, someone might still figure it out by process of elimination.&nbsp; It&#039;ll be better when the network is larger.<br /><br />If you send by IP, the recipient sees you because you connect to their IP.&nbsp; You could use TOR to mask that.<br /><br />You could use
TOR if you don&#039;t want anyone to know you&#039;re even using Bitcoin.<br /><br />Bitcoin is still very new and has not been independently analysed.&nbsp; If you&#039;re serious about privacy, TOR is an advisable precaution.
267	44	7	1265498753	267	0		xx	1	Re: How divisible are bitcoins and other market/economic questions	Eventually at most only 21 million coins for 6.8 billion people in the world if it really gets huge.<br /><br />But don&#039;t worry, there are another 6 decimal places that aren&#039;t shown, for a total of 8 decimal places
internally.&nbsp; It shows 1.00 but internally it&#039;s 1.00000000.&nbsp; If there&#039;s massive deflation in the future, the software could show more decimal places.<br /><br />If it gets tiresome working with small numbers, we could change where the display shows the decimal point.&nbsp; Same amount of money, just different convention for where the &quot;,&quot;&#039;s
and &quot;.&quot;&#039;s go.&nbsp; e.g. moving the decimal place 3 places would mean if you had 1.00000 before, now it shows it as 1,000.00.
278	45	1	1265592149	278	0		xx	1	Re: Make your &quot;we accept Bitcoin&quot; logo	No, sorry.&nbsp; I&#039;ve been meaning to redo it.&nbsp; The largest icon that still looks good is the 20x20 one which is used for the tray icon in GNOME.&nbsp; Any larger than that looks bad.&nbsp; The 16x16 and 20x20 ones have quite
a bit of hand tweaking to get the pixels to work out right.&nbsp; If you just scale down a larger image, the pixels end up blurred and awkward in places where the lines in &quot;BC&quot; don&#039;t land square on a pixel.<br /><br />The best 16x16 with full alpha channel is in src/rc/bitcoin.ico.&nbsp; I don&#039;t like the 32x32 version.<br /><br />I&#039;m attaching
bitcoin20x20.png, the 20x20 version with full transparency.
279	47	1	1265592422	296	1265731172	sirius-m	xx	1	Bitcoin client and website translation	Thank you for the offer to help translate. &nbsp;That is probably the best way you could help.<br /><br />I will need to prepare the code for translation first. &nbsp;wxWidgets has locale support, and most strings are in generated code that is
already wrapped, so it shouldn&#039;t be too hard. &nbsp;We also must finish upgrading to wxWidgets-2.9.0 to get UTF-8 support. &nbsp;I&#039;ve done test builds with 2.9.0 and there is one bug left to fix. <br /><br />What operating system are you using? &nbsp;Windows, Linux 32-bit or 64 bit?<br /><br />[color=blue]Split from [url=https://www.bitcoin.org/smf/index.php?topic=44]another
thread[/url].<br />sirius-m[/color]
283	47	1	1265645437	283	0		xx	1	Bitcoin client and website translation	It&#039;s much easier to have a single binary and multiple .mo files.&nbsp; It&#039;s too much maintenance work to have lots of build variations.&nbsp; Once the software support is implemented, anyone could contribute translations.<br /><br />wxWidgets
uses the gettext standard.&nbsp; You use the gettext tools or something like poedit to create a .po file by scanning the sourcefiles for strings and editing the translations into the .po file, then compile it into a .mo file.&nbsp; The program loads the .mo file at runtime and reskins all the strings.&nbsp; Additional languages can be added to an existing program by adding
.mo files without recompiling the program.<br /><br />On Windows, the .mo files would go in a lang subdirectory in the directory where the EXE is located.<br /><br />Right now I&#039;m working on JSON-RPC and command line support, but when I&#039;m finished with that I hope to do this next.
284	46	1	1265647044	284	0		xx	1	Re: Simple to implement feature requests	There are command line options:<br /><br />bitcoin -addnode=1.2.3.4&nbsp; &nbsp; to tell bitcoin about a node to connect to<br />bitcoin -connect=1.2.3.4&nbsp; &nbsp; connect only to the specified node(s)<br /><br />You can use more than one of
these, for instance<br />bitcoin -connect=(first to try) -connect=(next to try) ...<br /><br />You can specify non-routable IPs with -connect like 192.168.x.x, so if you had a server farm and you wanted one server to connect to the world and the rest to connect to the one server, you could do that.<br /><br />In particular, -addnode is needed if you&#039;re always going to
connect through TOR, since the IRC server blocks all the TOR exit nodes.&nbsp; To connect through TOR, you could use:<br /><br />bitcoin -proxy=127.0.0.1:9050 -addnode=212.159.72.216
315	49	4	1265941982	315	0		xx	1	Re: DEB Package?	Are you just trying to run the program or do you really need to compile it?&nbsp; There&#039;s a 32-bit linux binary that can be run on 64-bit ubuntu if you &quot;sudo apt-get ia32-libs&quot;.<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-linux.tar.gz/download<br
2886	72	4	1279129111	2886	0		xx	1	Re: bitcoin auto-renice-ing	Laszlo corrected this, but unfortunately it was too late to make it into 0.3.0. &nbsp;There will probably be a 0.3.1 soon though.<br /><br />The problem is I used PRIO_MIN, I should have used PRIO_MAX for the lowest priority. &nbsp;The OS isn&#039;t supposed to
let you increase priority, so the PRIO_MIN ought to leave it at priority 0.
2895	305	4	1279130548	2895	0		xx	1	Re: Stuck on 513 blocks This is the second time I&#039;ve seen this &quot;Live Protection&quot; problem reported.<br /><br />It must be blocking the program&#039;s network communication.&nbsp; It sounds like it&#039;s allowing connections to be made, hence the 10 connections shown, but not
allowing any data to be sent or received on them.<br /><br />We need to understand this problem better.<br /><br />Can someone write some instructions on the wiki explaining how to turn off or add an exclusion to Live Protection or whatever its full proper name is.
2898	351	3	1279131319	2898	0		xx	1	Live Protection causing initial block download early stallout	Twice I&#039;ve seen reports of Live Protection causing initial block download to stall out early.<br />http://www.bitcoin.org/smf/index.php?topic=305<br /><br />Just brainstorming here how this could happen.<br /><br />Someone saying
they got 513 or 1001 blocks before it stalled, yet they report having 10 connections.&nbsp; The person had port forwarding, and must have since this is Windows and outbound from windows is limited to 8, and they had 10 connections.&nbsp; With port forwarding usually you&#039;d have more than 10, but if IRC was blocked, I could see how inbound would be a lot more limited
like 10.<br /><br />Seems like Live Protection is allowing connections to be made, but keeping them silent.&nbsp; Or maybe only allowing a little data to go out but not much, which is strange.&nbsp; Maybe it doesn&#039;t want to block outbound requests like browser page requests, which are less than 1K or so, but it wants to shut down large data transfer, so it stops it
after just a little bit of data like the size of a URL.<br /><br />If IRC is blocked, you typically do get like 501 or 5?? or 1001 blocks at first from the seed node.&nbsp; You connect to a seed node, get the address list, then disconnect from the seed node but it usually slips in one or two block requests before the disconnect, hence around 500 or 1000 blocks.&nbsp; If
Live Protection zombies all further connections, that would give the result the guy got.&nbsp; Maybe it zombies all inbound connections, and after the first seed node, the inbound connections came and gave him 10 connections so he didn&#039;t connect outward anymore, so it&#039;s all inbound connections.<br /><br />That seems to fit what happened the best.&nbsp; IRC blocked
by Live Protection.&nbsp; The node connects to a seed node, gets roughly 500 or 1000 blocks, broadcasts inbound IP address to the net, disconnects seed node, doesn&#039;t get any more outbound connections before the inbound connections give him 10 connections and it stops looking for outbound.&nbsp; Now all his connections are inbound, and maybe Live Protection zombies the
inbound, letting them connect but not letting any data through (or only one direction).&nbsp; He doesn&#039;t get the usual 50 or so connections because he&#039;s not visible on IRC.<br />
2903	318	4	1279131941	2903	0		xx	1	Re: Error on Ubuntu 10.04	What language is your computer set to?&nbsp; Is it set to German, Dutch or Italian?&nbsp; Is it one of those sub-languages like &quot;nl-??&quot;?<br /><br />It&#039;s trying to load a translation and failing.&nbsp; You could delete the locale directory that came
with bitcoin so it doesn&#039;t try to use it.<br /><br />Can someone test each language on Ubuntu and see if there&#039;s a problem with just one of them or maybe all three?
2908	299	4	1279133153	2908	0		xx	1	Re: Runaway CPU usage for 64bit BitCoin (Linux Client)	After it initially tries incorrectly to set itself to the lowest priority, the generate thread only changes its priority again temporarily when it finds a block.&nbsp; When you&#039;ve found a block, you should want it to hurry up and
broadcast it as soon as possible before someone else finds one and makes yours invalid.&nbsp; The generate thread only changes to higher priority for less than a second every few days.<br /><br />There should be a 0.3.1 release for this soon.&nbsp; There are a few other issues we need to look at fixing in 0.3.1 before making a release.<br /><br />[quote author=knightmb
link=topic=299.msg2409#msg2409 date=1278974353]<br />On a side note, I&#039;ve tracked down the other GUI issue.<br /><br />The &quot;minimize to tray instead of taskbar&quot; is what was eating up all the CPU on my system. After I turned this off, the issue was resolved with Runaway CPU.<br /><br />This only seems to affect the 64 bit Client, as the 32 bit Clients I have
don&#039;t seem to be affected by this.<br /><br />I did notice on the 64 bit Client, what happens is, it spawns multiple &quot;tray&quot; icons until X server finally kills over, so I guess I should submit that as a bug to somewhere?&nbsp; ???<br />[/quote]<br />That&#039;s interesting.&nbsp; I know the minimize to tray on Ubuntu is very clunky, but I didn&#039;t know it
had a CPU peg problem too.&nbsp; Anyone else able to reproduce this problem?&nbsp; We had this feature disabled on Linux before, but then it seemed better to have the imperfect UI than to lose the feature entirely.&nbsp; I&#039;m thinking we should disable it again on Linux.
2913	291	4	1279133789	2913	0		xx	1	Re: Warning this block was not received by any other nodes	Microsoft Security Essentials Live Protection is blocking your communication with the network.&nbsp; You have connections, which tricks Bitcoin into thinking it&#039;s connected, but they are silent because the data is being blocked.<br
/><br />You need to make bitcoin.exe an excluded process in Live Protection.<br /><br />This is becoming a common problem.&nbsp; Someone should write this up in a pegged thread.<br /><br />The message &quot;Warning: This block was not received by any other nodes&quot; occurs when Bitcoin broadcasts a block, but nobody confirms they received it.&nbsp; The warning is there
just for this kind of situation, where for some reason you have connections, but they have gone dead and nobody can hear you.&nbsp; Your block will never become valid because nobody received it.<br />
2935	325	6	1279139106	2935	0		xx	1	Re: Hash/sec Throttling for Democracy	[quote author=knightmb link=topic=325.msg2917#msg2917 date=1279135063]<br /> So if your computer was only 1% towards solving block 68000 [/quote]<br />This is a common point of confusion.&nbsp; There&#039;s no such thing as being 1% towards solving a
block.&nbsp; You don&#039;t make progress towards solving it.&nbsp; After working on it for 24 hours, your chances of solving it are equal to what your chances were at the start or at any moment.<br /><br />It&#039;s like trying to flip 37 coins at once and have them all come up heads.&nbsp; Each time you try, your chances of success are the same.<br /><br />The RNG is the
OpenSSL secure random number generator.&nbsp; On Windows it&#039;s seeded with the complete set of all hardware performance counters since your computer started, on Linux it&#039;s /dev/random.
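The "no progress towards a block" point above, as an added example (not code from the post): the conditional probability is worked exactly for the 37-coin analogy, and then checked empirically with a toy double-SHA256 nonce search at a tiny difficulty. The header bytes, the target and the trial counts are constructed for the demo and are not real Bitcoin values.

```python
import hashlib
from fractions import Fraction

# Each attempt succeeds with probability p independently of every earlier
# attempt, so n failures give no "progress": the chance of succeeding in the
# next k attempts is exactly what it was at the start.
COIN_FLIPS = 37                     # the analogy: 37 coins all coming up heads
P_SUCCESS = Fraction(1, 2 ** COIN_FLIPS)


def p_success_within(k, p=P_SUCCESS):
    """Probability that at least one of the next k attempts succeeds."""
    return 1 - (1 - p) ** k


def p_success_within_given_failed(n, k, p=P_SUCCESS):
    """P(success within next k attempts | the first n attempts all failed).

    Computed from the definition of conditional probability with exact
    rationals: P(fail n, then succeed within k) / P(fail n).  Keep n and k
    in the thousands; the exact integers grow with n.
    """
    p_fail_n = (1 - p) ** n
    p_fail_n_then_succeed = p_fail_n * (1 - (1 - p) ** k)
    return p_fail_n_then_succeed / p_fail_n


# Empirical check with real hashing.  A toy "block header" (constructed here,
# not a real Bitcoin header) is double-SHA256 hashed with an incrementing
# nonce; a hash "solves" the block when it is below TARGET.  TARGET is chosen
# so p = 1/256 (leading byte zero), which keeps each search fast.
TARGET = 1 << 248                   # hashes below 2^248 have a zero leading byte


def attempts_to_solve(header_prefix, start_nonce=0):
    """Count hash attempts from start_nonce until one is below TARGET."""
    nonce = start_nonce
    while True:
        data = header_prefix + nonce.to_bytes(4, "little")
        digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
        if int.from_bytes(digest, "big") < TARGET:
            return nonce - start_nonce + 1
        nonce += 1


def mean_attempts(trials=400):
    """Average attempts over many independent toy blocks (expected about 256)."""
    total = 0
    for i in range(trials):
        header = b"toy-block-" + i.to_bytes(4, "little")   # constructed input
        total += attempts_to_solve(header)
    return total / trials


def mean_remaining_attempts_after_failing(n, trials=400):
    """Average *additional* attempts for blocks whose first n nonces all failed.

    If hashing had memory, survivors would need fewer than 256 more attempts;
    with no memory the mean of the remaining search is still about 256.
    """
    total, counted = 0, 0
    for i in range(trials):
        header = b"toy-block-" + i.to_bytes(4, "little")   # constructed input
        first = attempts_to_solve(header)
        if first <= n:
            continue                # solved within the first n; not a survivor
        counted += 1
        total += first - n          # attempts still needed after n failures
    return total / counted


if __name__ == "__main__":
    print(float(p_success_within(1000)))
    print(float(p_success_within_given_failed(10000, 1000)))
    print(mean_attempts(), mean_remaining_attempts_after_failing(100))
```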
2947	286	6	1279141852	2947	0		xx	1	Re: Scalability	The design outlines a lightweight client that does not need the full block chain.&nbsp; In the design PDF it&#039;s called Simplified Payment Verification.&nbsp; The lightweight client can send and receive transactions, it just can&#039;t generate blocks.&nbsp; It does not need
to trust a node to verify payments, it can still verify them itself. <br /><br />The lightweight client is not implemented yet, but the plan is to implement it when it&#039;s needed.&nbsp; For now, everyone just runs a full network node. <br /><br />I anticipate there will never be more than 100K nodes, probably less.&nbsp; It will reach an equilibrium where it&#039;s not
worth it for more nodes to join in.&nbsp; The rest will be lightweight clients, which could be millions.<br /><br />At equilibrium size, many nodes will be server farms with one or two network nodes that feed the rest of the farm over a LAN.
3008	299	4	1279153103	3008	0		xx	1	Re: Runaway CPU usage for 64bit BitCoin (Linux Client)	OK, the undocumented switch &quot;-minimizetotray&quot; which re-enables the option.<br /><br />I uploaded the change to SVN.
3146	351	3	1279201337	3146	0		xx	1	Re: Live Protection causing initial block download early stallout	I still don&#039;t see a pegged thread about Microsoft Security Essentials Live Protection. &nbsp;Someone needs to write a thread telling people if they have Microsoft Security Essentials how to exempt or whatever bitcoin.exe
and pin it ASAP. &nbsp;I&#039;m really busy, surely someone else can do this?!!<br /><br />I&#039;m adding this to the readme.txt of the 0.3.1 release:<br />If you have Microsoft Security Essentials, you need to add bitcoin.exe to its<br />&quot;Excluded Processes&quot; list.<br /><br />Kind of a blind guess because I don&#039;t have it so I can&#039;t look exactly what it
says, but going on what others have said.<br /><br />Here&#039;s another case:<br />http://www.bitcoin.org/smf/index.php?topic=323.0
3150	373	4	1279202720	3150	0		xx	1	Re: [Bitcoin 0.3.0] Runtime error	More directly, this:<br />http://www.bitcoin.org/smf/index.php?topic=246.0<br /><br />I will be posting release candidate of 0.3.1 with this fix shortly.&nbsp; Please try that and let me know if it fixes the problem.
3157	326	4	1279204384	3157	0		xx	1	Re: Static Linux x86_64 bins for those having libcrypto troubles	We don&#039;t even specify linking glibcxx_3.4.11, so gcc must automatically link it behind the scenes.&nbsp; There&#039;s probably a compiler switch that would tell it to static link it.&nbsp; I&#039;m not sure what the
licensing issues would be.&nbsp; Typically, compiler stuff is fully redistributable.
3162	327	1	1279205940	3162	0		xx	1	Re: resource hog	Then all the CPU time is the generate thread, which definitely runs at the lowest possible priority, idle priority.&nbsp; It&#039;s normal that your CPU meter is 100%.&nbsp; Since it&#039;s idle priority, it won&#039;t actually slow anything else down, even though the CPU meter is 100%.
3198	383	6	1279213554	3589	1279314042	satoshi xx	1	Bitcoin 0.3.1 released	This is a bugfix maintenance release.  It is now uploaded to SourceForge.  Mac OS X didn't need any fixes so we don't really need to update it, 0.3.0 is still good.

The download links are on bitcoin.org

Changes:
- Added Portuguese translation by Tiago Faria
Windows
- Fix for 22DbRunRecoveryException if your username has non-ascii characters in it
Linux
- Laszlo's fix for lowering generate thread to lowest priority
- Fix for if you're having trouble with libcrypto linkage
- Gavin Andresen's implementation of "start on windowing system startup" option
3205	383	6	1279214628	3205	0		xx	1	Re: 0.3.1 release candidate, please test	Well, it can&#039;t hurt to do a backup and it&#039;s a good idea to backup regularly, but no, a backup is not required before installing this.<br /><br />
3211	351	3	1279215151	3211	0		xx	1	Re: Live Protection causing initial block download early stallout	I used that link to write the following in the readme.txt:

If you have Microsoft Security Essentials, you need to add bitcoin.exe to its
"Excluded processes" list.  Microsoft Security Essentials->Settings tab,
select Excluded processes, press Add, select bitcoin.exe, OK, Save changes.

Is there anything else we should do?  Maybe a link on the lower part of the homepage like "If you have Microsoft Security Essentials, see these instructions to add bitcoin.exe to the Excluded processes list."
3221	383	6	1279216603	3221	0		xx	1	Re: 0.3.1 release candidate, please test	I don&#039;t think you have a particular problem, I think your system is laggy because you&#039;re running a lot of things at once and hitting the pagefile because memory is full. &nbsp;You confirmed when you shut off generation that your CPU drops
to 0%, so the CPU usage is definitely all idle priority. &nbsp;There&#039;s nothing in the 0.3.1 that would affect these things.
3238	151	6	1279218622	3238	0		xx	1	Re: Website and software translations	[quote author=aidos link=topic=151.msg3017#msg3017 date=1279154951]<br />Ok here is the .po file for French. While I&#039;m at it, I noted a couple of issues:<br /><br />1. The &quot;About&quot; box didn&#039;t take the translation into account, it still
displays the english version to me, even though the rest of the software is using the translated strings, and the .po file contains the translation string of the &quot;About&quot; box message. Same problem with the &quot;Apply&quot; button in the Settings window.<br />[/quote]<br />I need to give an updated .po file.<br /><br />[quote author=aidos link=topic=151.msg3017#msg3017
date=1279154951]<br />2. If a transaction&#039;s description in the list of transactions in the main window contains a diacritical character (such as &quot;
&quot;), it&#039;s not displayed. I suppose the string is not being properly handled as UTF8 somewhere.<br />[/quote]<br />OK, this must be a problem somewhere, I&#039;ll have to take a look at it or one of
the other devs can.<br /><br />[quote author=aidos link=topic=151.msg3017#msg3017 date=1279154951]<br />4. About the .po file :<br />&nbsp;  - There are a few strings in the .po file that don&#039;t need translation (ie: &quot;Bitcoin&quot;). Maybe those shouldn&#039;t be inside _(&quot;...&quot;) ?<br />&nbsp;  - Others shouldn&#039;t be split. I can remember one message
about transaction fee where the string is split in two to insert the fee value, where you could simply have put a %s. It makes the message harder to translate as I had to go in the source to find exactly what was going on.<br />&nbsp;  - Some strings have whitespace at the end or start, which necessity is very debatable, and it&#039;s easy to miss in PoEdit.<br />[/quote]<br
/>Many of the strings are in code automatically generated from uiproject.fbp where nothing can be done about these things.&nbsp; I have a program I use to find all the spacing inconsistencies at the beginning and ending of strings in your .po file and manually fix them up before I upload them to SVN.<br />
3242	151	6	1279219033	3242	0		xx	1	Re: Website and software translations	I uploaded an updated bitcoin.po for 0.3.1 attached to this message:<br />http://www.bitcoin.org/smf/index.php?topic=151.msg1259#msg1259<br /><br />please use it if you&#039;re starting a new translation.<br /><br />If you already have a po file, poedit
/><br />I recently updated the SVN for building on 64-bit Karmic with wxWidgets 2.9.0.&nbsp; This was after the 0.2.0 release.&nbsp; The 0.2.0 release did not build on 64-bit yet.<br /><br />Unfortunately there currently isn&#039;t a -dev deb package of either of the versions of wxWidgets that we can use.&nbsp; On Karmic they only have the UTF-16 version.&nbsp; We need
either the ANSI (libwxgtk2.8-ansi-dev) version or the UTF-8 (wxWidgets 2.9.0) version.&nbsp; We&#039;re moving towards 2.9.0.<br /><br />I know you said you didn&#039;t want VM, but as a last resort, last I checked the Windows version runs fine in Wine.
316	48	1	1265944088	327	1266129391	satoshi xx	1	Re: What's with this odd generation?	There&#039;s a small transaction fee for very large transactions. &nbsp;The node that generates the block that contains the transaction gets the fee.<br /><br />If the same money gets sent again, it won&#039;t incur the fee again. &nbsp;If all you
have is generated coins in your wallet, if you send them all in one huge transaction, it has to bundle hundreds of 50 bc coins together. &nbsp;After that it&#039;s just one line to send the combined unit.
322	49	4	1265990257	322	0		xx	1	Re: DEB Package?	[quote author=soultcer link=topic=49.msg321#msg321 date=1265985110]<br />If you want, I can provide you with a precompiled binary.<br />[/quote]<br /><br />Am I missing something?&nbsp; Is there something wrong with the 32-bit linux precompiled binary on bitcoin.org?<br
/><br />The bitcoin binary in the distribution static links the wxWidgets library, and its shared links (openssl and GTK) are included in Ubuntu, so it can run without needing to be a .deb to pull down dependencies.<br /><br />Since we&#039;re upgrading to wxWidgets 2.9.0 for UTF-8, which doesn&#039;t have a DEB package yet, we&#039;ll continue to need to static link it.
324	7	1	1265995712	324	0		xx	1	Re: Repost: Request: Make this anonymous?	True, sending by IP through Tor trades one problem for another.&nbsp; The Tor exit node can see the text of your message and potentially MITM you.<br /><br />Best to only send to bitcoin addresses then.&nbsp; Payments by bitcoin address are broadcast
over the network as part of the normal network traffic.&nbsp; All communications with the network are broadcasts of public information.
326	49	4	1266025117	326	1266106172	satoshi xx	1	Re: DEB Package?	I couldn&#039;t get wxWidgets 2.8.9 to compile on Karmic 64-bit either.<br /><br />I have been compiling the latest SVN on Karmic 64-bit with wxWidgets 2.9.0, which compiles fine on 64-bit. &nbsp;Read build-unix.txt and use the given ../configure parameters on
wxWidgets so you can use the makefile.unix.wx2.9 as supplied. &nbsp;(--enable-debug --disable-shared --enable-monolithic)<br /><br />[s]There&#039;s one cosmetic bug with 2.9.0 I still need to fix where the status number display is bunched up for some reason.[/s]&nbsp; -- fixed<br /><br />The download link on the homepage is to the sourceforge tar.gz archive which contains
the 32-bit binary and the 0.2.0 sources, which were not yet buildable on 64-bit at the time.<br /><br />The SVN was first buildable on 64-bit with wx2.9.0 on 28 January 2010.<br /><br />Hopefully they&#039;ll have a wxWidgets 2.9.0 debian package someday.
327	48	1	1266128883	327	0		xx	1	Re: What's with this odd generation?	[quote author=theymos link=topic=48.msg318#msg318 date=1265963512]<br />Does the sending client send more BitCoins to account for the fee (so the recipient gets what he&#039;s expecting)?<br />[/quote]<br />Yes.<br /><br />[quote author=SmokeTooMuch
link=topic=48.msg319#msg319 date=1265980269]<br />why do we even need fees ? i thought the no-fees-feature was one of the advantages of bitcoin ?!<br />[/quote]<br />Almost all transactions are free.&nbsp; A transaction is over the maximum size limit if it has to add up more than 500 of the largest payments you&#039;ve received to make up the amount.&nbsp; A transaction over
the size limit can still be sent if a small fee is added.<br /><br />The average transaction, and anything up to 500 times bigger than average, is free.<br /><br />It&#039;s only when you&#039;re sending a really huge transaction that the transaction fee ever comes into play, and even then it only works out to something like 0.002% of the amount.&nbsp; It&#039;s not money
sucked out of the system, it just goes to other nodes.&nbsp; If you&#039;re sad about paying the fee, you could always turn the tables and run a node yourself and maybe someday rake in a 0.44 fee yourself.
329	48	1	1266162743	329	1266163376	satoshi xx	1	Re: What's with this odd generation?	Right. &nbsp;Otherwise we couldn&#039;t have a finite limit of 21 million coins, because there would always need to be some minimum reward for generating. &nbsp;In a few decades when the reward gets too small, the transaction fee will become the
main compensation for nodes.&nbsp; I&#039;m sure that in 20 years there will either be very large transaction volume or no volume.
346	43	1	1266215318	346	0		xx	1	Re: Proof-of-work difficulty increasing	14/02/2010 0000000065465700000000000000000000000000000000000000000000000000

2009        1.00
30/12/2009  1.18   +18%
11/01/2010  1.31   +11%
25/01/2010  1.34    +2%
04/02/2010  1.82   +36%
14/02/2010  2.53   +39%

Another big jump in difficulty yesterday from 1.82 times to 2.53 times, a 39% increase since 10 days ago.  It was 10 days apart not 14 because more nodes joined and generated the 2016 blocks in less time.
360	54	4	1266284096	360	0		xx	1	Re: Setting up multiple bitcoin machines behind NAT	Right now there isn't a port number setting to do that.  It's a feature yet to be implemented.  You can only set up your NAT to port-forward to one of the computers.  (I said something earlier about NAT port translation, but that wouldn't work, other nodes wouldn't know to connect to that port)

If you want, as a small optimization, you could run the rest of your computers as:
bitcoin -connect=<the IP of the first computer>

so they get all their network communication from the first computer and don't all connect over the net individually for the same information.  This saves bandwidth, although it doesn't use much bandwidth to begin with, so it wouldn't really matter unless you had tons of computers.

For redundancy in case the first computer goes down, you could have two that connect out and the rest connect to both of them.  The first two are run normally, the rest are run like:
bitcoin -connect=<IP1> -connect=<IP2>
376	43	1	1266341800	376	0		xx	1	Re: Proof-of-work difficulty increasing	[quote author=Suggester link=topic=43.msg361#msg361 date=1266286549]<br />Satoshi, I figured it will take my modern core 2 duo about 20 hours of nonstop work to create &#3647;50.00! With older PCs it will take forever. People like to feel that they
&quot;own&quot; something as soon as possible, is there a way to make the generation more divisible? So say, instead of making &#3647;50 every 20 hours, make &#3647;5 every 2 hours? <br />[/quote]<br />I thought about that but there wasn&#039;t a practical way to do smaller increments. &nbsp;The frequency of block generation is balanced between confirming transactions as
fast as possible and the latency of the network.<br /><br />The algorithm aims for an average of 6 blocks per hour. &nbsp;If it was 5 bc and 60 per hour, there would be 10 times as many blocks and the initial block download would take 10 times as long. &nbsp;It wouldn&#039;t work anyway because that would be only 1 minute average between blocks, too close to the broadcast
latency when the network gets larger.
388	43	1	1266429483	388	0		xx	1	Re: Proof-of-work difficulty increasing	[quote author=Sabunir link=topic=43.msg372#msg372 date=1266310311]<br />. Perhaps it has to do with my connection&#039;s very high latency (2000ms or more on average) <br />[/quote]<br />2 seconds of latency in both directions should reduce your generation
success by less than 1%.<br /><br />[quote author=Sabunir link=topic=43.msg372#msg372 date=1266310311]<br />and/or my high packet loss (sometimes up to 10% loss)?<br />[/quote]<br />Probably OK, but I&#039;m not sure.&nbsp; The protocol is designed to resync to the next message, and messages get re-requested from all the other nodes you&#039;re connected to until received.&nbsp;
If you miss a block, it&#039;ll also keep requesting it every time another block comes in and it sees there&#039;s a gap.&nbsp; Before the original release I did a test dropping 1 out of 4 random messages under heavy load until I could run it overnight without any nodes getting stuck.
389	47	1	1266434383	389	0		xx	1	Re: Bitcoin client and website translation	I updated the SVN with changes to support translation.  Translatable strings are all enclosed in _(""), and we're using UTF-8 on all platforms.

When the program runs, it looks in the directory of the EXE for the file: locale\<langcode>\LC_MESSAGES\bitcoin.mo

<langcode> is the two letter code of the language your OS is set to, like "de" or "nl".

On Linux, it also looks for:
/usr/share/locale/<langcode>/LC_MESSAGES/bitcoin.mo
/usr/local/share/locale/<langcode>/LC_MESSAGES/bitcoin.mo
(are there other standard places it should look on linux?)

Here's a quick walkthrough using poedit to make a .po and .mo file:

- Download the bitcoin sourcecode from SVN
- In the trunk directory, mkdir locale\<lang>\LC_MESSAGES
- In poedit, File->New catalog->Paths tab
- Click the "New item" dotted rectangle button
- Put "../../.." and MAKE SURE TO PRESS ENTER to add the path
- Click OK
- Save the file as "bitcoin.po" in the LC_MESSAGES directory you made
- It should then scan the sourcecode and find about 170 strings
- If it didn't find anything, check Catalog->Settings->Path tab, make sure the "../../.." was added

When you're done translating, commit both bitcoin.po (the editable catalog file) and bitcoin.mo (compiled data used by the program).
413	58	6	1266723828	413	0		xx	1	Re: Number of connections	Nodes stop trying to initiate connections once they have 15.&nbsp; If you can accept incoming connections, then you can get well above that from nodes connecting to you, otherwise you max out at 15.<br /><br />I don&#039;t know if there&#039;s any reason to have
15 connections.&nbsp; Maybe it should be 10.<br /><br />Since nodes that can only connect out are probably at or near 15 most of the time now, you should level off to an equilibrium.&nbsp; 45 suggests a ratio of 3 out-only nodes to every 1 in-accepting node.<br /><br />The number of connections won&#039;t be a good gauge of the size of the network any more.&nbsp; Someone
should periodically IRC to the bitcoin channel on chat.freenode.net and count the number of users.&nbsp; That gives you the total count of network nodes (except TOR nodes).<br /><br />Block generation is again running ahead of pace.&nbsp; We&#039;re in for another big step up in difficulty at the next adjustment in about 5 days.
414	59	1	1266725993	2877	1279126387	satoshi xx	1	Post your static IP	It would be nice to have a list of static IPs for new users to send test donations to so they can see how the software works.&nbsp; If you can accept incoming connections and you have a static IP address, post it here!<br /><br />Anything sent to these IPs should
be considered a donation. &nbsp;<br /><br />If you do request a round-trip, be sure to include your return bitcoin address or IP in the comment, but please assume it&#039;ll be one-way. &nbsp;They won&#039;t necessarily be watching for incoming transactions to send back.
415	57	7	1266731064	415	0		xx	1	Re: Current Bitcoin economic model is unsustainable	Excellent analysis, xc.<br /><br />A rational market price for something that is expected to increase in value will already reflect the present value of the expected future increases. &nbsp;In your head, you do a probability estimate balancing
the odds that it keeps increasing.<br /><br />In the absence of a market to establish the price, NewLibertyStandard&#039;s estimate based on production cost is a good guess and a helpful service (thanks). &nbsp;The price of any commodity tends to gravitate toward the production cost. &nbsp;If the price is below cost, then production slows down. &nbsp;If the price is above
cost, profit can be made by generating and selling more. &nbsp;At the same time, the increased production would increase the difficulty, pushing the cost of generating towards the price.<br /><br />In later years, when new coin generation is a small percentage of the existing supply, market price will dictate the cost of production more than the other way around.<br /><br
/>At the moment, generation effort is rapidly increasing, suggesting people are estimating the present value to be higher than the current cost of production.
426	60	1	1266788881	426	0		xx	1	UI improvements	Uploaded some UI changes to SVN as version 0.2.5.

Instead of View->Show Generated, we now have tabs:
- All Transactions
- Sent/Received
- Sent
- Received

Makes it a lot easier to flip to received and check for payments.

Moved the "Your Addresses" book inside the main address book.  It was confusing having two address books.

I found the "To:" in "From: unknown, To: (one of your bitcoin addresses)" still confusing, so I changed it to "From: unknown, Received with:".  The bitcoin address is abbreviated so you can see the label that you set in the Receiving tab of the address book.

Fixed a few UI glitches from the upgrade to wxWidgets 2.9.0.

I haven't forgotten about you people who want non-UI, but I had to do some fun stuff before more build bashing.
433	61	1	1266886196	433	0		xx	1	Re: generation slowed down dramatically	Just a random streak of bad luck.&nbsp; It looks steady to me.<br /><br />Competition doesn&#039;t have an effect until the next automatic retarget adjustment, and we haven&#039;t reached the next one yet.<br /><br />The adjustments are every 2016
blocks.&nbsp; To calculate our progress towards the next one, divide the block total by 2016.&nbsp; The fractional part is how far we are to the next one.&nbsp; <br /><br />My back-of-the-envelope projection: 42032 blocks/2016 = 20.85 = 85% of the way.&nbsp; About 1.5 days to go until the next one.&nbsp; That&#039;ll only be about 10 days since the last one, the target is
9676	820	6	1281933419	9676	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10	[quote author=jgarzik link=topic=820.msg9665#msg9665 date=1281929728]
[code]cpu family      : 6
model           : 26
model name      : Genuine Intel(R) CPU           000  @ 3.20GHz
stepping        : 4[/code]
[/quote]
cpu family 6 model 26 stepping 4 is an Intel Core i7.
That's a 23% speedup with -4way, 63% total speedup with -4way + hyperthreading.
33% faster with hyperthreading than without it.
9734	823	6	1281963578	9734	0		xx	1	Re: overflow bug SERIOUS	It looks like we overtook the bad chain somewhere around 74689.&nbsp; 0.3.9 and lower nodes have been responding with the current block number for some hours now.<br /><br />That means it&#039;s no longer necessary to delete blk*.dat before upgrading.&nbsp; You
can just upgrade and it&#039;ll reorg away the bad block chain.<br /><br />Thanks to everyone for the quick response!
9736	820	6	1281965881	9736	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10	I wrapped sha256.cpp in
#ifdef FOURWAYSSE2
#endif // FOURWAYSSE2

try it now.
9754	832	6	1281972354	9812	1281989218	satoshi xx	1	Re: [PATCH] Automatic block validation	That's a difficult approach.

We need to cause a reorg, which will disconnect the invalid chain.

This is code that will rarely ever get tested, and is fairly intricate, so something simple and safe is best.

Here's what I was thinking of.  (I haven't tested this yet)  It checks all the blocks in the main chain.  If it finds a bad one, it sets all that chain's bnChainWork to 0 so it can't win best chain again, and it reduces best chain work to the fork level so any new block after the fork will cause a reorg.  (It can't change pindexBest without actually doing a reorg)

This isn't perfect yet.  It still needs to receive one valid block to trigger the reorg.

It would probably be possible to initiate an AddToBlockIndex or Reorganize after the check, but it would require a lot more careful attention.  I probably should break out part of AddToBlockIndex that sets the new best block.  I'll probably end up doing that instead of the code below.

[code]
bool CTxDB::LoadBlockIndex()
{
    ...

    // Verify blocks in the main chain
    vector<CBlockIndex*> vChain;
    for (CBlockIndex* pindex = pindexBest; pindex && pindex->pprev; pindex = pindex->pprev)
    {
        vChain.push_back(pindex);
        CBlock block;
        if (!block.ReadFromDisk(pindex))
            return error("LoadBlockIndex() : block.ReadFromDisk failed");
        if (!block.CheckBlock())
        {
            bnBestChainWork = pindex->pprev->bnChainWork;
            foreach(CBlockIndex* pindex2, vChain)
                pindex2->bnChainWork = 0;
        }
    }

    return true;
}
[/code]
9757	837	6	1281974365	9757	0		xx	1	blocks minus 1	I'd like to reduce the number of blocks displayed in the status bar by 1. When you first load the program, it'll display 0 blocks instead of 1:
"0 connections    0 blocks    0 transactions"

It's always been "nBestHeight + 1" because it's counting the genesis block. Technically, yes, the genesis block is a block. It's a hardcoded block that you start out with. You can't [i]not[/i] have the genesis block. Maybe think of it as a reference coin that you measure other coins against. The block count people are looking for is the number of blocks they've downloaded.

The main benefit is that blocks will be equal to the block number of the current best block. If blocks is 10, then the highest block number you have is 10. It means you have block 10 and you don't have block 11.

It would reduce the confusion we had here:

[quote author=kencausey link=topic=823.msg9588#msg9588 date=1281915926]
[quote author=davidonpda link=topic=823.msg9580#msg9580 date=1281915097]
... It already is on block 74638. I assume that means that block is now a good one?
[/quote]

I had some confusion on this myself and got clarification in #bitcoin-dev:

The bad block was number 74638, the last good one was 74637. The numbers start at 0, so when your client shows there are 74638 blocks then that means you have up to block number 74637, the last good one.
[/quote]
9774	837	6	1281978387	9774	0		xx	1	Re: blocks minus 1	Done in SVN rev 137
9775	832	6	1281978482	9793	1281984613	satoshi xx	1	Re: [PATCH] Automatic block validation	[quote author=satoshi link=topic=832.msg9754#msg9754 date=1281972354]
It would probably be possible to initiate an AddToBlockIndex or Reorganize after the check, but it would require a lot more careful attention. I probably should break out part of AddToBlockIndex that sets the new best block. I'll probably end up doing that instead of the code below.
[/quote]
This is what I ended up doing in SVN rev 139.

Instead of deleting the bad chain, I added an extra CheckBlock to ConnectBlock so bad blocks can't get back into the best chain once they're kicked out.
9813	841	6	1281989266	9813	0		xx	1	Checking the block chain on load	SVN rev 139 does a basic check of the block chain after loading.

With this we wouldn't have needed to delete blk*.dat, it would have automatically done a reorg back to the fork. There wasn't time to do a careful implementation of this at the time.

It might take longer than we want, since it has to load all the blocks. If it's too slow, we could have it only go back to a certain block number.
9816	834	1	1281990053	9816	0		xx	1	Re: checkpointing the block chain	There is no way for the software to automatically know if one chain is better than another except by the greatest proof-of-work. In the design it was necessary for it to switch to a longer chain no matter how far back it has to go.

The only exception to that is the manual checkpoints I've added. If it weren't for those, it would be able to reorg all the way back to the first block.
9841	823	6	1281999295	9841	0		xx	1	Re: overflow bug SERIOUS	Un-upgraded nodes have the correct chain most of the time, but they are still trying to include the overflow transaction in every block, so they're continually trying to fork and generate invalid blocks. If an old version node is restarted, its transaction pool is emptied, so it may generate valid blocks for a while until the transaction gets broadcast again. 0.3.9 and lower nodes still must upgrade.

The SVN now has the code we needed to automatically reorg the block chain without having to delete the blk*.dat files manually. I knew I couldn't write that code fast and carefully enough yesterday, so I went with the quick manual option.
9843	834	1	1281999708	9843	0		xx	1	Re: checkpointing the block chain	[quote author=NewLibertyStandard link=topic=834.msg9839#msg9839 date=1281998548]
How is the strength of the chain calculated?
[/quote]
Total proof-of-work.
10067	850	1	1282150724	10067	0		xx	1	Re: New screenshots to the front page?	Definitely. The old screenshots of 0.1 are very outdated.

Windows Aero is a good choice. Windows is still the largest user group. Mind what's behind it for the transparent parts.

What to have displayed in the transaction list? Not completely filled up with stuff, just a few things.
10076	846	6	1282154500	10076	0		xx	1	Re: Difficulty: More nodes active, or faster nodes?	The performance numbers posted from a VIA C7's hardware SHA-256 weren't astronomical. Only in the 1500 khash/s range. If you think about it, just because it's implemented in hardware doesn't mean it's crazy fast. It still has to do all the steps. It's only if simplifying it down to single-purpose hardware makes it small enough to fit many in parallel. That's not necessarily easy or a given.
10082	841	6	1282156108	10082	0		xx	1	Re: Checking the block chain on load	In the next SVN rev, I'll make it only go back to the last checkpoint at block 74000. If we need to correct a problem in the future, we can always make sure it goes back at least as far back as the problem. Also, I'm adding code to verify the block index, which means the proof-of-work chain is checked.

Still, the system won't be entirely secure against your blk*.dat files. You are trusting someone if you use a copy of their blk files.
10272	867	6	1282243476	10272	0		xx	1	Re: Convert Bitcoin to GTK: Yes?  No?  wx is better?	[quote author=BioMike link=topic=867.msg10226#msg10226 date=1282205118]
WxWidgets is not really a problem. My problem is the version that is used (2.9), which is considered unstable by many distro packagers (although the WxWidgets devs say it isn't). On the other side, as far as I know WxWidgets uses gtk under Linux for drawing the whole stuff and makes it for the bitcoins devs easy to make things cross platform.
[/quote]
wxWidgets 2.9 is their first UTF-8 version. We are UTF-8 on all platforms including Windows.

The distro packages of 2.8 are UTF-16, so they just trip people up. People had endless build problems with 2.8 and its wxString UTF-16/ANSI conditional build options until we standardized on 2.9. Also, to use 2.8, we were using ANSI, which was just a temporary stopgap until wxWidgets supported UTF-8.

This is a problem that will solve itself. With time, 2.9 will become a more mainline release.
10275	868	6	1282244148	10275	0		xx	1	Re: HOWTO: Compiling Bitcoin on Ubuntu 10.04 (Karmic)	That's a really well written walkthrough. Someone should confirm if they followed it and didn't run into any snags.
10281	820	6	1282244863	10281	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10	[quote author=Ground Loop link=topic=820.msg10167#msg10167 date=1282173266]
Any non-Mac i5 love?
Windows i5 64-bit got slower here.
[/quote]
That's the first I've heard anyone say i5 was slower. Everyone else has said 4way was faster on i5. More so with hyperthreading enabled.

[quote author=nelisky link=topic=820.msg10164#msg10164 date=1282172545]
And i5, at least on my macbookpro
[/quote]
Good, so I take it that's a confirmation that it's working on Mac as well?

Laszlo told me he did compile in the -4way stuff on Mac, so the -4way switch is also available to try on Mac. I don't think makefile.osx on SVN has it yet, just the built version.
10290	862	4	1282246830	10290	0		xx	1	Re: 28 days without generation, i have 4200khash/s	Make sure your computer's date and time are correct.
10297	873	4	1282248841	10297	0		xx	1	Need a post writing up some things users should know	I'm not sure what to call it, but we could use a post that lists these things users should know. If someone has time to write it, here's the list:

- Make sure your clock is set correctly.

- Microsoft Security Essentials. This never got written up proper.

- Warning not to mess around with your wallet.dat file. It's a database file, it's not as simple as you think. In this Beta version, we haven't had time to try and tinker-proof it yet. It may not work as expected if you start swapping it around.
10300	870	4	1282249730	10300	0		xx	1	Re: Hypothetical question on lost coins / transfers	That's right. You don't need to be re-broadcasting your transactions for it to work.

When any node disconnects a fork, it dumps all the transactions from the fork back into the transaction pool to add to the new chain. The entire network is making sure to re-integrate your transactions again. All you should see is that your number of confirmations starts over from 0.

In some types of forks, your transaction would have gotten into both forks already, so you're already good either way.
10715	873	4	1282517460	10715	0		xx	1	Re: Need a post writing up some things users should know	The clock part will be covered in the next release (0.3.11 or higher). SVN rev 141 pops up a message box if your clock is too far off.
10717	862	4	1282518062	10717	0		xx	1	Re: 28 days without generation, i have 4200khash/s	Search debug.log for "proof-of-work found". If you find any, then check for any errors right after that.

[quote author=davidonpda link=topic=862.msg10291#msg10291 date=1282246981]
How big of a margin on the time is allowed for things to work right.
[/quote]
The margin is 2 hours.

This should be solved in SVN rev 141 and the next release (0.3.11+). It'll pop up a message box alerting you if your clock is off by more than an hour.
10720	820	6	1282519310	10720	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10	Thanks for clearing that up. I read the link someone posted about AMD making that change around 2007, but I didn't know what the story was for Intel.

There's no hope for Core/Core2 then. They only have half the SSE2 hardware.

Strange that Intel has 3 128bit units, but AMD with 2 128bit units is the faster one.
10722	898	6	1282521306	11150	1282751853	satoshi xx	1	Development of alert system	I've been working on writing the alert system. Alerts are broadcast through the network and apply to a range of version numbers. Alert messages are signed with a private key that only I have.

Nodes can do two things in response to an alert:
- Put a warning message on the status bar.
- Make the money handling methods of the json-rpc interface return an error.

In cases like the overflow bug or a fork where users may not be able to trust received payments, the alert should keep old versions mostly safe until they upgrade. Manual users should notice the status bar warning
that way is a non-obvious trap.

[quote author=jgarzik link=topic=2151.msg28301#msg28301 date=1291849642]
[quote author=satoshi link=topic=2151.msg28292#msg28292 date=1291847805]
3) A transaction can be replaced by a double-spend with a different txid. You would count both spends.
[/quote]
listtransactions does not add anything to this problem, beyond that which is already vulnerable through listreceivedbyaddress.
[/quote]
Suppose both spends are to the same address. getreceivedbyaddress would always count only one or the other spend at any given time, never both.

Using listtransactions, it would be very easy to count both. You see the first spend, you count it. You see the second spend, you count it. Total is double counted.
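The double-counting case above as an added example (not the client's RPC code): a toy wallet that exposes a listtransactions-style history and a getreceivedbyaddress-style sum, plus a shop that credits every new history entry it sees. Transaction ids, the shop address and the amounts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class WalletTx:
    """Constructed wallet transaction: one input (the outpoint it spends), one payee."""
    txid: str
    spends: str          # outpoint consumed; two txs with the same value conflict
    address: str
    amount: int          # constructed units


class Wallet:
    """Just enough of the wallet to model the two RPCs discussed in the post."""

    def __init__(self):
        self.seen: List[WalletTx] = []             # every tx the wallet ever saw, in order
        self.in_best_chain: Dict[str, str] = {}    # outpoint -> txid currently valid for it

    def receive(self, tx):
        self.seen.append(tx)

    def confirm(self, tx):
        """A block confirms tx; any other spend of the same outpoint is now invalid."""
        self.in_best_chain[tx.spends] = tx.txid

    def is_valid(self, tx):
        return self.in_best_chain.get(tx.spends) == tx.txid

    def listtransactions(self):
        """Like the RPC: a history listing every tx the wallet saw, conflicted or not."""
        return list(self.seen)

    def getreceivedbyaddress(self, address):
        """Like the RPC with minconf 1: only spends currently in the best chain count,
        so of two conflicting spends at most one is ever included."""
        return sum(tx.amount for tx in self.seen
                   if tx.address == address and self.is_valid(tx))


def naive_credit(wallet, address, cursor):
    """A shop polling listtransactions and crediting each new entry once.
    Returns (credit added, new cursor)."""
    history = wallet.listtransactions()
    credit = sum(tx.amount for tx in history[cursor:] if tx.address == address)
    return credit, len(history)


def demo():
    """Scenario from the post: a payment, then a double-spend of it with a different
    txid to the same address; the second one is the one that gets into a block."""
    w = Wallet()
    shop = "constructed-shop-address"
    first = WalletTx("txid-A", spends="outpoint-1", address=shop, amount=100)
    second = WalletTx("txid-B", spends="outpoint-1", address=shop, amount=100)

    w.receive(first)                                  # unconfirmed so far
    credit, cursor = naive_credit(w, shop, 0)         # the shop counts 100

    w.receive(second)
    w.confirm(second)                                 # B in a block, A conflicted
    more, cursor = naive_credit(w, shop, cursor)      # the shop counts another 100
    return {
        "naive_total": credit + more,                          # 200: double counted
        "received_by_address": w.getreceivedbyaddress(shop),   # 100: one or the other
        "first_still_valid": w.is_valid(first),
    }


if __name__ == "__main__":
    print(demo())
```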
28533	2162	6	1291905425	28533	0		xx	1	Re: Version 0.3.18	New transaction templates can be added as needed. Within a few days, there will be plenty of GPU power that accepts and works on it. Network support will be thorough [i]long before[/i] there'll be enough clients who understand how to receive and interpret the new transaction.

Timestamp hashes are still already possible:

txin: 0.01
txout: 0.00  <appid, hash> OP_CHECKSIG
fee: 0.01

If there's an actual application like BitDNS getting ready to actually start inserting hashes, we can always add a specific transaction template for timestamps.

I like Hal Finney's idea for user-friendly timestamping. Convert the hash of a file to a bitcoin address and send 0.01 to it:

[quote author=Hal link=topic=2077.msg27173#msg27173 date=1291592636]
I thought of a simple way to implement the timestamp concept I mentioned above. Run sha1sum on the file you want to timestamp. Convert the result to a Bitcoin address, such as via http://blockexplorer.com/q/hashtoaddress . Then send a small payment to that address.

The money will be lost forever, as there is no way to spend it further, but the timestamp Bitcoin address will remain in the block chain as a record of the file's existence.

I understand that this is arguably not a good use of the Bitcoin distributed database, but nothing stops people from doing this so we should be aware that it may be done.
[/quote]
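Hal's hash-to-address recipe quoted above, as an added example rather than blockexplorer.com's implementation: sha1 of the file is 20 bytes, the same size as a hash160, so it is wrapped in Base58Check with the version-0 address prefix. The decoder is included to check the round trip; the document bytes are constructed, and the all-zero hash160 address is used as a known vector.

```python
import hashlib

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, used for the address checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """Base58Check as used for addresses: version || payload || 4-byte checksum,
    with every leading zero byte rendered as a leading '1'."""
    body = bytes([version]) + payload
    data = body + dsha256(body)[:4]
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading = len(data) - len(data.lstrip(b"\x00"))
    return (b"1" * leading + bytes(reversed(digits))).decode()


def base58check_decode(addr: str):
    """Inverse of the above; raises if the checksum does not match."""
    n = 0
    for ch in addr.encode():
        n = n * 58 + B58_ALPHABET.index(ch)
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body, checksum = raw[:-4], raw[-4:]
    if dsha256(body)[:4] != checksum:
        raise ValueError("bad checksum")
    return body[0], body[1:]


def file_timestamp_address(content: bytes) -> str:
    """Hal's recipe: the sha1sum of the file dropped into a version-0 address.
    Nobody holds a key for it, so anything sent there is unspendable; only the
    hash, as the address, ends up recorded in the chain."""
    return base58check_encode(0, hashlib.sha1(content).digest())


def demo():
    doc = b"constructed document contents"          # constructed file to timestamp
    addr = file_timestamp_address(doc)
    version, payload = base58check_decode(addr)
    return {
        "address": addr,
        "roundtrip_ok": version == 0 and payload == hashlib.sha1(doc).digest(),
        "zero_hash_address": base58check_encode(0, bytes(20)),   # well-known vector
    }


if __name__ == "__main__":
    print(demo())
```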
28549	2162	6	1291907873	28549	0		xx	1	Re: Version 0.3.18	I came to agree with Gavin about whitelisting when I realized how quickly new transaction types can be added.

[quote author=nanotube link=topic=2162.msg28434#msg28434 date=1291875545]
why not make it easier on everyone and just allow say, 64 or 128 bytes of random data in a transaction?
[/quote]
That's already possible. <pubkey> OP_CHECKSIG. <pubkey> can be 33 to 120 bytes.

I also support a third transaction type for timestamp hash sized arbitrary data. There's no point not having one since you can already do it anyway. It would tell nodes they don't need to bother to index it.
28640	2151	6	1291918088	28640	0		xx	1	Re: JSON-RPC method idea: list transactions newer than a given txid	[quote author=jgarzik link=topic=2151.msg28330#msg28330 date=1291856285]
I agree with you and satoshi about "txs after <txid>". My listtransactions (now xlisttransactions) patch pointedly does not have that feature, and never has.
[/quote]
As long as the interface is designed for things like showing the user the last N transactions history, it's fine, now that we have the Accounts feature making it easier to do payment detection the right way.

Gavin, could listtransactions have an option to list transactions for all accounts?

I'm not sure what the interface could be, maybe:
listtransactions <JSON null type> [count]

It would be hard to do that from the command line though.

I can't think of a good solution for the interface, that's the problem. Maybe "*" special case like "" is. Everyone would have to make sure no user can create account name "*".

[quote author=jgarzik link=topic=2151.msg28572#msg28572 date=1291911230]
Sure, and that's easy enough to track with transactions.
[/quote]
I don't get how that's "easy" to track with transactions.
28643	644	6	1291919325	28643	0		xx	1	Re: Automated nightly builds	Thanks for setting this up Cdecker.

Is there any chance of getting it to build the GUI version also? If this is Ubuntu, if you get wxWidgets 2.9.0 it should just be a matter of following the steps in build-unix.txt exactly. Is this an environment where you can build wxWidgets once and leave it there and just keep using it?
28696	1790	1	1291928562	28696	0		xx	1	Re: BitDNS and Generalizing Bitcoin	I think it would be possible for BitDNS to be a completely separate network and separate block chain, yet share CPU power with Bitcoin. The only overlap is to make it so miners can search for proof-of-work for both networks simultaneously.

The networks wouldn't need any coordination. Miners would subscribe to both networks in parallel. They would scan SHA such that if they get a hit, they potentially solve both at once. A solution may be for just one of the networks if one network has a lower difficulty.

I think an external miner could call getwork on both programs and combine the work. Maybe call Bitcoin, get work from it, hand it to BitDNS getwork to combine into a combined work.

Instead of fragmentation, networks share and augment each other's total CPU power. This would solve the problem that if there are multiple networks, they are a danger to each other if the available CPU power gangs up on one. Instead, all networks in the world would share combined CPU power, increasing the total strength. It would make it easier for small networks to get started by tapping into a ready base of miners.
28715	1790	1	1291934810	28720	1291936748	satoshi xx	1	Re: BitDNS and Generalizing Bitcoin	[quote author=nanotube link=topic=1790.msg28700#msg28700 date=1291929640]
seems that the miner would have to basically do "extra work". and if there's no reward from the bitdns mining from the extra work (which of course, slows down the main bitcoin work), what would be a miner's incentive to include bitdns (and whatever other side chains) ?
[/quote]
The incentive is to get the rewards from the extra side chains also for the same work.

While you are generating bitcoins, why not also get free domain names for the [i]same work[/i]?

If you currently generate 50 BTC per week, now you could get 50 BTC and some domain names too.

You have one piece of work. If you solve it, it will solve a block from both Bitcoin and BitDNS. In concept, they're tied together by a Merkle Tree. To hand it in to Bitcoin, you break off the BitDNS branch, and to hand it in to BitDNS, you break off the Bitcoin branch.

In practice, to retrofit it for Bitcoin, the BitDNS side would have to have maybe ~200 extra bytes, but that's not a big deal. You've been talking about 50 domains per block, which would dwarf that little 200 bytes per block for backward compatibility. We could potentially schedule a far in future block when Bitcoin would upgrade to a modernised arrangement with the Merkle Tree on top, if we care enough about saving a few bytes.

Note that the chains are below this new Merkle Tree. That is, each of Bitcoin and BitDNS have their own chain links inside their blocks. This is inverted from the common timestamp server arrangement, where the chain is on top and then the Merkle Tree, because that creates one common master chain. This is two timestamp servers not sharing a chain.
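The shared-work arrangement described in the two posts above (one piece of work, two chains tied by a Merkle tree, each chain handed the other's branch), as an added example in Python that is not Bitcoin's or BitDNS's code: the two candidate block hashes are the leaves, the miner scans nonces over the root only, and each network verifies with its own leaf plus the other chain's branch. The work-unit layout (root || nonce), the two difficulty targets and the candidate blocks are constructed.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_parent(left: bytes, right: bytes) -> bytes:
    """One level of the Merkle tree that ties the two candidate blocks together."""
    return dsha256(left + right)


def work_hash(root: bytes, nonce: int) -> int:
    """Hash of the shared work unit as a 256-bit integer.  The work unit here is a
    constructed header of just root || nonce; a real header carries more fields."""
    return int.from_bytes(dsha256(root + nonce.to_bytes(4, "little")), "big")


def mine(root: bytes, target: int, max_nonce: int = 1 << 24):
    """Scan nonces over the one shared root until the hash is at or below target."""
    for nonce in range(max_nonce):
        if work_hash(root, nonce) <= target:
            return nonce
    return None


def verify_for_chain(own_block_hash, other_branch, own_is_left, nonce, target):
    """What one network checks when the solution is handed in: rebuild the root from
    its own block hash plus the other chain's branch, then test the proof-of-work
    against its own difficulty.  It never needs the other chain's data."""
    if own_is_left:
        root = merkle_parent(own_block_hash, other_branch)
    else:
        root = merkle_parent(other_branch, own_block_hash)
    return work_hash(root, nonce) <= target


def demo():
    # Constructed candidate blocks; in practice these are the two chains' block hashes.
    btc_block = dsha256(b"constructed Bitcoin block candidate")
    dns_block = dsha256(b"constructed BitDNS block candidate")
    btc_target = (1 << 256) >> 14          # the harder chain (constructed difficulty)
    dns_target = (1 << 256) >> 10          # the easier chain: 1/16 of the work

    # The miner scans one root: Bitcoin's leaf on the left, BitDNS's on the right.
    root = merkle_parent(btc_block, dns_block)
    nonce = mine(root, btc_target)         # meets the harder target, hence both
    easy_nonce = mine(root, dns_target)    # may satisfy only the easier chain

    return {
        "nonce": nonce,
        # Bitcoin receives the solution with the BitDNS branch "broken off"
        "bitcoin_accepts": verify_for_chain(btc_block, dns_block, True, nonce, btc_target),
        # BitDNS receives it with the Bitcoin branch broken off
        "bitdns_accepts": verify_for_chain(dns_block, btc_block, False, nonce, dns_target),
        # The post's "solution for just one network": the easier target is met first
        "easy_nonce_solves_bitdns": verify_for_chain(
            dns_block, btc_block, False, easy_nonce, dns_target),
        "easy_nonce_solves_bitcoin": verify_for_chain(
            btc_block, dns_block, True, easy_nonce, btc_target),
        # A forged branch changes the root, so the proof almost surely fails to match
        "wrong_branch_accepted": verify_for_chain(
            dns_block, dsha256(b"forged branch"), False, nonce, dns_target),
    }


if __name__ == "__main__":
    print(demo())
```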
28729	2181	6	1291939134	28729	0		xx	1	Re: Fees in BitDNS confusion	Not locktime.

There's a possible design for far in the future:

You intentionally write a double-spend. You write it with the same inputs and outputs, but this time with a fee. When your double-spend gets into a block, the first spend becomes invalid. The payee does not really notice, because at the moment the new transaction becomes valid, the old one becomes invalid, and the new transaction simply takes its place.

It's easier said than implemented. There would be a fair amount of work to make a client that correctly writes the double-spend, manages the two versions in the wallet until one is chosen, handles all the corner cases. Every assumption in the existing code is that you're not trying to write double-spends.

There would need to be some changes on the Bitcoin Miner side also, to make the possibility to accept a double-spend into the transaction pool, but only strictly if the inputs and outputs match and the transaction fee is higher. Currently, double-spends are never accepted into the transaction pool, so every node bears witness to which transaction it saw first by working to put it into a block.
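An added example (not Bitcoin's code) of the pool rule described above, in Python: the current first-seen rule beside the proposed replacement rule, which lets a conflicting spend in only when its inputs and outputs are identical and its fee is strictly higher. The fee is kept as an explicit field here, and the transactions and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class PoolTx:
    """Constructed transaction: the outpoints it spends, what it pays out, and its fee.
    (In a real transaction the fee is inputs minus outputs and comes out of the change
    output; here it is an explicit field so the rule stays readable.)"""
    txid: str
    inputs: Tuple[str, ...]
    outputs: Tuple[Tuple[str, int], ...]   # (address, amount) pairs
    fee: int


class TxPool:
    def __init__(self, allow_fee_replacement: bool):
        self.txs: Dict[str, PoolTx] = {}
        self.allow_fee_replacement = allow_fee_replacement

    def conflicts(self, tx):
        """Pool transactions spending any of the same outpoints as tx."""
        return [t for t in self.txs.values() if set(t.inputs) & set(tx.inputs)]

    def accept(self, tx) -> bool:
        """Current rule: the first spend seen wins and a double-spend is never accepted.
        Proposed rule: a double-spend may replace what it conflicts with, but only if
        inputs and outputs are identical and its fee is strictly higher."""
        old = self.conflicts(tx)
        if not old:
            self.txs[tx.txid] = tx
            return True
        if not self.allow_fee_replacement:
            return False
        for t in old:
            same_shape = set(t.inputs) == set(tx.inputs) and t.outputs == tx.outputs
            if not same_shape or tx.fee <= t.fee:
                return False
        for t in old:                    # the replaced version leaves the pool
            del self.txs[t.txid]
        self.txs[tx.txid] = tx
        return True


def demo():
    payee = (("constructed-payee-address", 100),)
    first = PoolTx("txid-A", ("outpoint-1",), payee, fee=0)
    fee_bump = PoolTx("txid-B", ("outpoint-1",), payee, fee=1)
    redirect = PoolTx("txid-C", ("outpoint-1",), (("other-address", 100),), fee=5)

    current = TxPool(allow_fee_replacement=False)
    current.accept(first)
    proposed = TxPool(allow_fee_replacement=True)
    proposed.accept(first)
    return {
        "current_rule_accepts_bump": current.accept(fee_bump),        # False
        "proposed_rule_accepts_bump": proposed.accept(fee_bump),      # True
        "proposed_pool_has": sorted(proposed.txs),                    # ['txid-B']
        "proposed_rejects_redirect": not proposed.accept(redirect),   # outputs differ
        "proposed_rejects_lower_fee": not proposed.accept(first),     # fee not higher
    }


if __name__ == "__main__":
    print(demo())
```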
28917	1790	1	1292002168	29148	1292070528	satoshi xx	1	Re: BitDNS and Generalizing Bitcoin	Piling every proof-of-work quorum system in the world into one dataset doesn't scale.

Bitcoin and BitDNS can be used separately. Users shouldn't have to download all of both to use one or the other. BitDNS users may not want to download everything the next several unrelated networks decide to pile in either.

The networks need to have separate fates. BitDNS users might be completely liberal about adding any large data features since relatively few domain registrars are needed, while Bitcoin users might get increasingly tyrannical about limiting the size of the chain so it's easy for lots of users and small devices.

Fears about securely buying domains with Bitcoins are a red herring. It's easy to trade Bitcoins for other non-repudiable commodities.

If you're still worried about it, it's cryptographically possible to make a risk free trade. The two parties would set up transactions on both sides such that when they both sign the transactions, the second signer's signature triggers the release of both. The second signer can't release one without releasing the other.
28947	2202	6	1292008863	28947	0		xx	1	Accounts example code	Some sample pseudocode using the new Accounts based commands in 0.3.18.

[code]
print "send to " + getaccountaddress(username) + " to fund your account"
print "balance: " + getbalance(username, 0)
print "available balance: " + getbalance(username, 6)

// if you make a sale, move the money from their account to your "" account
if (move(username, "", amount, 6, "purchased item"))
    SendTheGoods()

// withdrawal
sendfrom(username, bitcoinaddress, amount, 6, "withdrawal by user")
[/code]

You can use listtransactions(username) to show them a list of their recent transactions.
28959	1790	1	1292010912	29014	1292019370	satoshi xx	1	Re: BitDNS and Generalizing Bitcoin	[quote author=Hal link=topic=1790.msg28938#msg28938 date=1292008444]
additional block chains would each create their own flavor of coins, which would trade with bitcoins on exchanges? These chain-specific coins would be used to reward miners on those chains, and to purchase some kinds of rights or privileges within the domain of that chain?
[/quote]
Right, the exchange rate between domains and bitcoins would float.

A longer interval than 10 minutes would be appropriate for BitDNS.

So far in this discussion there's already a lot of housekeeping data required. It will be much easier if you can freely use all the space you need without worrying about paying fees for expensive space in Bitcoin's chain. Some transactions:

Changing the IP record.

Name change. A domain object could entitle you to one domain, and you could change it at will to any name that isn't taken. This would encourage users to free up names they don't want anymore. Generated domains start out blank and the miner sells it to someone who changes it to what they want.

Renewal. Could be free, or maybe require consuming another domain object to renew. In that case, domain objects (domaincoins?) could represent the right to own a domain for a year. The spent fee goes to the miners in the next block fee.
28963	1790	1	1292012379	29149	1292070609	satoshi xx	1	Re: BitDNS and Generalizing Bitcoin	I agree. All transactions, IP changes, renewals, etc. should have some fee that goes to the miners.

You might consider a certain amount of work to generate a domain, instead of a fixed total circulation. The work per domain could be on a schedule that grows with Moore's Law. That way the number of domains would grow with demand and the number of people using it.
29159	1790	1	1292072910	29159	0		xx	1	Re: BitDNS and Generalizing Bitcoin	@dtvan: all 3 excellent points.
1) IP records don't need to be in the chain, just do registrar function not DNS. And CA problem solved, neat.
2) Pick one TLD, .web +1.
3) Expiration and significant renewal costs, very important.

[quote author=joe link=topic=1790.msg29130#msg29130 date=1292064838]
However, thinking more about this now I support inclusion of additional coinbases / tracking systems in the main network. The reason for doing this is so as not to water down CPU power into multiple networks. We want one strong network, so the network should be versatile.
[/quote]
Avoiding CPU power fragmentation is no longer a reason. Independent networks/chains can share CPU power without sharing much else. See: http://www.bitcoin.org/smf/index.php?topic=1790.msg28696#msg28696 and http://www.bitcoin.org/smf/index.php?topic=1790.msg28715#msg28715
29165	2208	6	1292074357	29165	0		xx	1	Re: Bitcoin and buffer overflow attacks	[quote author=da2ce7 link=topic=2208.msg29095#msg29095 date=1292046562]
direct to IP address transfers seems like a obvious surface area to attack.
[/quote]
If you ever find anyone who turned it on. It's disabled by default.
73	16	1	1261003536	73	1261015885	satoshi xx	1	Bitcoin 0.2 released!	Bitcoin version 0.2 is here!

Download links:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-win32-setup.exe/download
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-win32.zip/download
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-linux.tar.gz/download

New Features

Martti Malmi
 - Minimize to system tray option
 - Autostart on boot option so you can keep it running in the background automatically
 - New options dialog layout for future expansion
 - Setup program for Windows
 - Linux version (tested on Ubuntu)
Satoshi Nakamoto
 - Multi-processor support for coin generation
 - Proxy support for use with TOR
 - Fixed some slowdowns in the initial block download

Major thanks to Martti Malmi (sirius-m) for all his coding work and for hosting the new site and this forum, and New Liberty Standard for his help with testing the Linux version.
77	12	6	1261075086	77	0		xx	1	Re: A few suggestions	That's good, is it running fine on FreeBSD?

I committed the changes to headers.h. For consistency, I used __BSD__. The complete list of defines is at http://docs.wxwidgets.org/stable/wx_cppconst.html
[code]
#ifdef __BSD__
#include <netinet/in.h>
#endif
[/code]

malloc.h is only needed on windows, I'll move that into the __WXMSW__ section before it causes any more trouble.
79	12	6	1261157868	79	0		xx	1	Re: A few suggestions	What you can currently do is set "Minimize to the tray" in options, then run it as "bitcoin -min" so it starts minimized. The only visible part will be a small (20x20) icon on the tray, which can be double-clicked if you want to access the UI. Note: there's a bug with tray icons sometimes disappearing on 64-bit Karmic Koala, not sure if it's from 64-bit or Karmic, it was fine on 32-bit Jaunty.

We didn't have time to implement the "Start Bitcoin on system startup" feature on Linux in time for 0.2 so it's greyed out. I figured Linux people wouldn't mind doing that manually anyway. I guess they need to know about the -min switch to do it right.

You can locate the data directory where you want with the "-datadir=<directory>" switch. I know someone is already doing that to put it on a TrueCrypt USB drive.
85	17	1	1262721646	85	1262724851	satoshi xx	1	Re: Is my second Transaction working correctly? +Transfer Question	The transfer is immediate if you send by IP address. If you send by bitcoin address and the recipient isn't online at the time, it might take 30 minutes or more to see it.

Also, the recipient needs to be synced up with the block chain before it'll see the received transaction. That means the status bar at the bottom needs to say at least 33000 blocks, like "x connections  33200 blocks  x transactions".

[quote author=sirius-m link=topic=17.msg84#msg84 date=1262654406]
[quote]
However, once that transaction was complete, a new transaction hasn't started. Or maybe it has. There's only one transaction in the list but I'm up to 131 Blocks under "Status". Is this the way it's supposed to happen? Does it keep processing on the same transaction and generating coins every 120 blocks or so? Or is it supposed to start a new transaction?
[/quote]

The number of blocks of a transaction is the amount of new blocks that have been generated by the whole network after the transaction. Each new block in the chain means new coins to its creator. One "generated" -transaction in your transaction list means that you have generated one block. You're not the first one to find the concept of a "block" a bit confusing on the first sight.
[/quote]

Would it be clearer if the status said "x confirmations", like:
2/unconfirmed
3/unconfirmed
4/unconfirmed
5/unconfirmed
6 confirmations
7 confirmations
8 confirmations

Each block essentially means another node has confirmed that it agrees with all transactions up to that point.
97	18	1	1263500240	97	0		xx	1	Re: 64bit support	I haven't tried compiling 64-bit yet. 64-bit wouldn't make it any faster, since it uses 64-bit numbers in only a few places and SHA-256 is a 32-bit algorithm, but it may be convenient for those running a 64-bit OS. If I get a chance I'll try -m64 and see what the problem is.

You can run the 32-bit version on 64-bit Linux by installing ia32-libs. (sudo apt-get install ia32-libs) If we made a Debian package, it could automatically pull that in as a dependency.
98	4	3	1263501396	98	0		xx	1	Re: SMF Config Notes	Is there any reason to have e-mail confirmation?

If you're doing that out of spam concerns, I've already got that covered. I made some customizations to the registration HTML so any spambots designed for SMF won't be able to figure it out. The CAPTCHA image URL requires an extra parameter, and there are 3 different CAPTCHA images, but only one shows because the others have stuff like width=0 height=0.
112	21	1	1264018035	112	1264022635	satoshi xx	1	Re: Number of connections?	Coins generate at the same speed with any number of connections >= 1.

More connections just add redundancy. If you only had one connection, what if that node is slow or busy, or only connected to you? Having several connections increases the certainty that you're well connected to the network. That hasn't been a problem in practice, the network is very thoroughly connected. If you have 2 or 3 connections, you're fine.
113	22	6	1264025128	113	0		xx	1	Re: TOR and I2P	I've been thinking about that for a while. I want to add the backend support for .onion addresses and connecting to them, then go from there.

There aren't many .onion addresses in use for anything because the user has to go through a number of steps to create one. Configure TOR to generate a .onion address, restart TOR, configure it with the generated address. Perhaps this is intentional to keep TOR so it can't be integrated into file sharing programs in any sufficiently automated way.
156	27	4	1264629147	156	0		xx	1	Re: Bitcoin crash when sending coins	That is what happens if you copy wallet files around. If you copy your wallet file to a second computer, then they both think the money in the wallet is theirs. If one spends any of it, the other doesn't know those coins are already spent and would try to spend them again, and that's the error you would hit.

Now that it's clear this is a key error message, it ought to be something more like "the money appears to be already spent... this could happen if you used a copy of your wallet file on another computer."

You can move or backup your wallet file, but it needs to have only one "lineage" and only used in one place at a time. Any time you transfer money out of it, then you must no longer use any previous copies.

This brings up a good point. In the case of restoring a backup that may be from before you spent some coins, we need to add functionality to resync it to discover which coins have already been spent. This would not be hard to do, it just hasn't been implemented yet. I'll add it to the list. This would make it mostly repair the situation instead of giving that error message.
159	25	1	1264640508	159	0		xx	1	Re: A newb's test - anyone want to buy a picture for $1?	Yes, it's a technical limitation. Sending by bitcoin address enters the transaction into the network and the recipient discovers it from the network. You don't connect directly with them and they don't have to be online at the time.

I very much wanted to find some way to include a short message, but the problem is, the whole world would be able to see the message. As much as you may keep reminding people that the message is completely non-private, it would be an accident waiting to happen.

Unfortunately, ECDSA can only sign signatures, it can't encrypt messages, and we need the small size of ECDSA. RSA can encrypt messages, but it's many times bigger than ECDSA.
160	28	1	1264640913	160	0		xx	1	Re: Blocks never stop generating?	Where it says "# blocks" in the status column I'm changing it to say "# confirmations". That might be clearer.

If you doubleclick on the transaction you get a little more information.
169	32	3	1264717768	169	0		xx	1	Re: SSL certificate	I think I could receive @bitcoin.org, but I'd rather procrastinate on this and work on other things first. Is there a reason we need this sooner?
170	27	4	1264720082	170	0		xx	1	Re: Bitcoin crash when sending coins	The resync idea would go through your wallet and check it against the block index to find any transactions that your current computer doesn't realize are already spent. That could happen if they were spent on another computer with a copy of the wallet file, or you had to restore the wallet to a backup from before they were spent. Currently, the software just assumes it always knows whether its transactions are spent because it marks them spent in wallet.dat when it spends them.

A wallet merge tool is possible to implement but much less in demand once resync solves most of the problem. With resync, you could do about the same thing by sending all the money from one wallet to the other. The receiver would resync and discover all its overlapping coins were spent, then receive them in the new transaction.
172	29	1	1264721169	172	0		xx	1	Re: Payment server	That's the right way to do it as riX says. The software can generate a new bitcoin address whenever you need one for each payment. "Please send X bc to [single-use bitcoin address] to complete your order" When the server receives that amount to the bitcoin address, that could trigger it to automatically fulfil the order or e-mail the shop owner.

Adding command line support is a high priority. It's just a matter of getting the time to code it.
173	25	1	1264724533	173	0		xx	1	Re: A newb's test - anyone want to buy a picture for $1?	The recommended ways to do a payment for an order:
1) The merchant has a static IP, the customer sends to it with a comment.
2) The merchant creates a new bitcoin address, gives it to the customer, the customer sends to that address. This will be the standard way for website software to do it.

RSA vs ECDSA: it's not the size of the executable but the size of the data. I thought it would be impractical if the block chain, bitcoin addresses, disk space and bandwidth requirements were all an order of magnitude bigger. Also, even if using RSA for messages, it would still make sense to do all the bitcoin network with ECDSA and use RSA in parallel for only the message part. In that case, everything that's been implemented up to now would be implemented exactly as it has been.

We can figure out the best way to do this much later. It could use a separate (maybe existing) e-mail or IM infrastructure to pass messages, and instead of RSA, maybe just put a hash of the message in the transaction to prove that the transaction is for the order described in the message. The message would have to include a salt so nobody could brute force the hash to reveal a short message.
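The salted hash commitment sketched in the post above, as an added example that is not code from the thread or from Bitcoin. It assumes the commitment placed in the transaction is SHA-256 over salt || message with a 16-byte random salt, and that message and salt reach the merchant out of band; dictionary_match shows why the salt matters when the message space is small.

```python
import hashlib
import secrets
from typing import Iterable, Optional

SALT_LEN = 16  # assumption: a 128-bit random salt


def commit(message: bytes, salt: Optional[bytes] = None):
    """Return (commitment, salt). The commitment goes into the transaction; the message
    and the salt travel to the merchant separately (e-mail, IM, ...)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    return hashlib.sha256(salt + message).digest(), salt


def verify(commitment: bytes, salt: bytes, message: bytes) -> bool:
    """Merchant side: does this transaction really commit to this order message?"""
    expected = hashlib.sha256(salt + message).digest()
    return secrets.compare_digest(expected, commitment)  # constant-time comparison


def dictionary_match(commitment: bytes, candidates: Iterable[bytes],
                     salt: bytes = b"") -> Optional[bytes]:
    """What an observer of the public hash can try when order messages are predictable:
    hash each candidate and compare. Without a salt a short order text falls out at once;
    with a random salt the observer has nothing to combine the candidates with."""
    for candidate in candidates:
        if hashlib.sha256(salt + candidate).digest() == commitment:
            return candidate
    return None
```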
174	18	1	1264725769	174	0		xx	1	Re: 64bit support	I committed a fix for 64-bit compile and some fixes to support wxWidgets 2.9.0.

There was one compile error in serialize.h with min(sizeof()) that I fixed for 64-bit. The rest of the 64-bit compile errors I was getting were in wxWidgets 2.8.9, so I started working on supporting wxWidgets 2.9.0.

wxWidgets 2.9.0 is UTF-8. We've been using the ANSI version of wxWidgets 2.8.9 in anticipation of wxWidgets UTF-8 support.

I compiled and ran on 64-bit Ubuntu 9.10 Karmic.

I think the only bug left is where the status number is mashed up. I'm not sure why, I have to suspect it's a UTF-8 thing, but no idea how that could happen. Haven't looked into it.

build-unix.txt is updated and two makefiles on SVN:
makefile.unix.wx2.8
makefile.unix.wx2.9

Unfortunately there's still no debian package for either version of wxWidgets we use. They only have the wchar ("unicode") version of wxWidgets 2.8, which is a disaster because wchar wxString doesn't convert to std::string. We use either ANSI wxWidgets 2.8, or wxWidgets 2.9. So you still have to get it and build it yourself.
175	32	3	1264726572	175	0		xx	1	Re: SSL certificate	I didn't know all the forum links point to https. I always use https so I wouldn't have noticed. SMF is supposed to detect and give you the same as what you've got. If you're on an http page, then all the links should also be http. If that's not working then I need to fix it.
176	32	3	1264728923	176	0		xx	1	Re: SSL certificate	OK, the problem was that $boardurl was switched to https://www.bitcoin.org/smf again. It's supposed to be http://www.bitcoin.org/smf and the software will replace http with https as needed. It always assumes the base $boardurl is http. It can't switch it in the other direction.

$boardurl is "Forum URL" under:
Under Admin->Server Settings->Core Configuration

The cause of the problem is that the default fill-in for "Forum URL" is the cooked $boardurl, with https in it. So, if you are logged in with https, it fills it in with https, so if you submit that page as is, you change it to https.

It's an accident waiting to happen if you ever submit that page without changing the https to http each time, that happens.

I switched it back to http, please doublecheck that all the links are now http if you're using the forum as http.

I don't have time to fix the admin page right now so
3565	43	1	1279305831	3565	0		xx	1	Re: Proof-of-work difficulty increasing	Right, the difficulty adjustment is trying to keep it so the network as a whole generates an average of 6 blocks per hour. The time for your block to mature will always be around 20 hours.

The recent adjustment put us back to close to 6 blocks per hour again.

There's a site where you can see the time between blocks, and since block 68545, it's been more like 10 minutes per block:
http://nullvoid.org/bitcoin/statistix.php
3579	417	6	1279309510	3579	0		xx	1	Sample account system using JSON-RPC needed	We need someone to write sample code, preferably Python or Java, showing the recommended way to use the JSON-RPC interface to create an account system. Most sites that sell things will need something like this. Someone who's kept up on the JSON-RPC threads here should have some idea how it should work.

When a user is logged in to their account, you show the bitcoin address they can send to to add funds. Before showing it, you check if it's been used, if it has then you replace it with a new one (getnewaddress <username>). You only need to keep the latest bitcoin address for the account in your database. (I posted a sample code fragment for this in an earlier thread somewhere, search on getnewaddress)

You use getreceivedbylabel <username> with the username as the label to get the "credit" amount of the account. You need to keep a "debit" amount in your database. The current balance of the account is (credit - debit). When the user spends money, you increase debit.

If you're requiring more than 0 confirmations, it's nice if you show the current balance (0 confirmations) and the available balance (1 or more confirmations), so they can immediately see that their payment is acknowledged. Not all sites need to wait for confirmations, so the dual current & available should be optional. Most sites selling digital goods are fine to accept 0 confirmations.

A nice sample app for this would be a simple bank site, which would have the above, plus the option to send a payment to a bitcoin address. The sample code should be the simplest possible with the minimum extra stuff to make it a working site.

vekja.net is an example of a site like this.
3590	383	6	1279314417	3590	0		xx	1	Re: Bitcoin 0.3.1 released	I uploaded windows 0.3.1 rc1 and linux 0.3.1 rc2 to SourceForge and updated the links on the homepage.

You don't need to update to 0.3.1 unless you had one of the problems listed in the first post. If you've got it working already, stay with 0.3.0.
3601	418	3	1279317740	3601	0		xx	1	Re: DOS attack happening right now?	I'll take a look at the logs.

It could be someone's server farm all starting at once.

There have been some issues with garbage addr messages in previous versions. Not saying that's the problem now, just want to make you aware.

In 0.1.5 there was a bug where a socket could get closed twice, which (maybe only on linux) could end up closing another random socket that could get reopened by IRC. If that node was in the middle of receiving an addr message, IRC content could be converted into addr messages.

0.3.0 ignores addr messages from 0.1.5, but a 0.2.0 node could relay it. I don't think there are any 0.1.5 nodes left anymore though.

In 0.2.9, I added a checksum to the message headers so no unintended messages can get into the system. The new verack message is part of the version negotiation used to switch to the new header. I'm embarrassed that I didn't do this originally, but I thought TCP already does that.

I have seen addr messages that are made of other addr messages shifted by 3 bytes. I added some filtering in 0.2.9 for that in net.h. The comment there explains how a 3-byte shift might happen if just the right bytes are garbled.

Garbage addr messages always have something else in the pchReserved field, so no nodes actually try to connect to the garbage addresses.

These problems should improve as more 0.2.0 nodes upgrade.

0.2.0 obsoletes on 20 Feb 2012. 0.3.0 nodes will require the checksum header on that date and refuse to talk to 0.2.0 nodes.
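The header checksum and the pchReserved sanity check described above, as an added example that is not code from the thread or from the Bitcoin source. It assumes the main-network magic bytes f9 be b4 d9, a 24-byte header of magic | command(12, NUL padded) | length(4, little-endian) | checksum(4) where the checksum is the first four bytes of SHA256(SHA256(payload)), and the early 26-byte addr entry layout services(8) | reserved(12) | ip(4) | port(2); the addr payload at the bottom is constructed.

```python
import hashlib
import socket
import struct

MAGIC = bytes.fromhex("f9beb4d9")          # assumption: main-network magic bytes
HEADER_LEN = 24                            # magic(4) + command(12) + length(4) + checksum(4)
IPV4_RESERVED = bytes(10) + b"\xff\xff"    # assumption: what pchReserved holds for a real IPv4 entry
ADDR_ENTRY_LEN = 26                        # assumption: services(8) + reserved(12) + ip(4) + port(2)


class FramingError(Exception):
    """Anything that must not become a message: bad magic, short data, bad checksum."""


def checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, the check added to the header in 0.2.9."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def build_message(command: str, payload: bytes) -> bytes:
    """Frame a payload the way a node with the checksum header sends it."""
    cmd = command.encode("ascii")
    if len(cmd) > 12:
        raise ValueError("command name longer than 12 bytes")
    header = MAGIC + cmd.ljust(12, b"\x00") + struct.pack("<I", len(payload)) + checksum(payload)
    return header + payload


def parse_message(data: bytes):
    """Return (command, payload) or raise FramingError.

    A stream shifted by a few bytes fails the magic check; garbled bytes inside the
    payload fail the checksum. Either way nothing reaches the addr handler."""
    if len(data) < HEADER_LEN:
        raise FramingError("short header")
    if data[:4] != MAGIC:
        raise FramingError("bad magic")
    command = data[4:16].rstrip(b"\x00").decode("ascii", errors="replace")
    (length,) = struct.unpack("<I", data[16:20])
    if length > len(data) - HEADER_LEN:
        raise FramingError("truncated payload")
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if checksum(payload) != data[20:24]:
        raise FramingError("checksum mismatch")
    return command, payload


def read_compact_size(data: bytes, pos: int):
    """Bitcoin's variable-length count prefix; returns (value, new_pos)."""
    first = data[pos]
    if first < 0xFD:
        return first, pos + 1
    fmt, width = {0xFD: ("<H", 2), 0xFE: ("<I", 4), 0xFF: ("<Q", 8)}[first]
    return struct.unpack(fmt, data[pos + 1:pos + 1 + width])[0], pos + 1 + width


def addr_entry(ip: str, port: int, services: int = 1, reserved: bytes = IPV4_RESERVED) -> bytes:
    """Serialise one constructed addr entry (the port is big-endian on the wire)."""
    return struct.pack("<Q", services) + reserved + socket.inet_aton(ip) + struct.pack(">H", port)


def parse_addr_payload(payload: bytes):
    """Return (accepted, rejected). Entries whose reserved field is not the IPv4 marker are
    the garbage kind the post mentions: they are counted and never connected to."""
    count, pos = read_compact_size(payload, 0)
    if len(payload) - pos != count * ADDR_ENTRY_LEN:
        raise FramingError("addr payload length does not match its count")
    accepted, rejected = [], 0
    for _ in range(count):
        entry = payload[pos:pos + ADDR_ENTRY_LEN]
        pos += ADDR_ENTRY_LEN
        if entry[8:20] != IPV4_RESERVED:
            rejected += 1
            continue
        (services,) = struct.unpack("<Q", entry[:8])
        ip = socket.inet_ntoa(entry[20:24])
        (port,) = struct.unpack(">H", entry[24:26])
        accepted.append((ip, port, services))
    return accepted, rejected


# Constructed sample: one well-formed entry and one with junk in pchReserved.
SAMPLE_ADDR_PAYLOAD = (
    bytes([2])
    + addr_entry("10.0.0.1", 8333)
    + addr_entry("10.0.0.2", 8333, reserved=b"\x01" * 12)
)
```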
3605	128	1	1279318809	3605	0		xx	1	Re: A New Currency System for the World	[quote author=hugolp link=topic=128.msg1082#msg1082 date=1273315131]
When I run bitcoin it becomes very sluggish, almost unusable. When I stop bitcoin everything goes ok again. It's running Ubuntu desktop 10.04 amd64 using ia32libs and the binary in bitcoin 0.20 tarball.
[/quote]
0.3.1 fixes that, sets the generate threads to the lowest priority. Download links are on the homepage now.
3672	418	3	1279341408	3672	0		xx	1	Re: DOS attack happening right now?	I looked at the logs. It looks like it's just heavy addr traffic. I only saw a few garbage addresses, it's mostly well formed addresses.

There's much too much addr traffic though. I'm making adjustments to quiet it down.

I added some code in 0.3.0 to limit the amount of addr messages, but the limits were pretty loose. I'm limiting it down much more in 0.3.2. In 0.3.0, it only sent to 10 other nodes, but those 10 nodes changed every hour, so you could have the same addr going around every hour. In 0.3.2 I'm lowering it to 4 nodes and every 12 hours.
3769	432	6	1279382772	3769	0		xx	1	Re: BUG Report: Rounding glitch	It must be a rounding error when getinfo converts to floating point to return the JSON-RPC result. The only place where it uses floating point to represent money is returning a value in JSON-RPC.

1.139999999999 is longer than bitcoin can internally represent.

internally, it could only be:
1.13999999 or
1.14000000

1.139999999999 is much much closer to 1.14000000 than 1.13999999, so it must be 1.14000000.

The code is this:
(double)GetBalance() / (double)COIN.

(I can't think of an easy way to fix it at the moment)
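Why the division above cannot be exact, and the integer-only alternative, as an added example that is not code from the thread or from Bitcoin. It assumes COIN = 100000000 base units per bitcoin; float_view reproduces the lossy (double) route for the 1.14 balance from the report, while format_amount and parse_amount move between base units and decimal strings without ever touching a double.

```python
COIN = 100_000_000  # assumption: base units per bitcoin, the COIN the post divides by


def float_view(amount: int) -> str:
    """The lossy route from the post: divide by COIN as a double, then print the double
    with 17 significant digits, which is what it takes to show its true value."""
    return "%.17g" % (amount / COIN)


def format_amount(amount: int) -> str:
    """Render base units as a fixed 8-decimal string using integer arithmetic only."""
    sign = "-" if amount < 0 else ""
    whole, frac = divmod(abs(amount), COIN)
    return f"{sign}{whole}.{frac:08d}"


def _ascii_digits(s: str) -> bool:
    return all(c in "0123456789" for c in s)


def parse_amount(text: str) -> int:
    """Parse a decimal string such as '1.14' or '-0.0015' into base units exactly.
    Rejects empty input, non-digits and more than 8 decimal places."""
    text = text.strip()
    sign = 1
    if text[:1] in ("-", "+"):
        sign = -1 if text[0] == "-" else 1
        text = text[1:]
    whole, _, frac = text.partition(".")
    if not (whole or frac) or len(frac) > 8:
        raise ValueError(f"bad amount: {text!r}")
    if not (_ascii_digits(whole) and _ascii_digits(frac)):
        raise ValueError(f"bad amount: {text!r}")
    whole_units = int(whole) if whole else 0
    frac_units = int(frac.ljust(8, "0")) if frac else 0
    return sign * (whole_units * COIN + frac_units)
```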
3770	434	6	1279384059	3770	0		xx	1	Re: Privacy versus Safety: handling change	We should queue up a supply of pre-made addresses in the wallet to use when a new address is needed. They aren't very big, so it wouldn't hurt to have a lot of them. This would more generally cover the case also where someone backs up, then requests a new address and receives a big payment with it. Maybe there should be separate queues so one type of demand on addresses doesn't deplete it for the others.

The addresses would be created and stored in the normal place, but also listed on a separate list of created-but-never-used addresses. When an address is requested, the address at the front of the never-used queue is handed out, and a new address is created and added to the back.

There's some kind of rescan in the block loading code that was made to repair the case where someone copied their wallet.dat. I would need to check that the rescan handles the case of rediscovering received payments in blocks that were already received, but are forgotten because the wallet was restored.
3773	431	1	1279385766	3854	1279416831	satoshi xx	1	Re: Nenolod, the guy that wants to prove Bitcoin doesn't work.	0.3.2 has some security safeguards to lock in the block chain up to this point and limit the damage a little if someone gets 50%.

But if someone has 50%+ of the CPU power and malicious intent, they can prove what it already says in the design document.
3807	437	6	1279402551	3834	1279410373	satoshi xx	1	Bitcoin 0.3.2 released	Download links available now on bitcoin.org. Everyone should upgrade to this version.

- Added a simple security safeguard that locks-in the block chain up to this point.
- Reduced addr messages to save bandwidth now that there are plenty of nodes to connect to.
- Spanish translation by milkiway.
- French translation by aidos.

The security safeguard makes it so even if someone does have more than 50% of the network's CPU power, they can't try to go back and redo the block chain before yesterday. (if you have this update)

I'll probably put a checkpoint in each version from now on. Once the software has settled what the widely accepted block chain is, there's no point in leaving open the unwanted non-zero possibility of revision months later.
3819	423	1	1279405753	4072	1279489756	satoshi xx	1	Re: Bitcoin snack machine (fast transaction problem)	I believe it'll be possible for a payment processing company to provide as a service the rapid distribution of transactions with good-enough checking in something like 10 seconds or less.

The network nodes only accept the first version of a transaction they receive to incorporate into the block they're trying to generate. When you broadcast a transaction, if someone else broadcasts a double-spend at the same time, it's a race to propagate to the most nodes first. If one has a slight head start, it'll geometrically spread through the network faster and get most of the nodes.

A rough back-of-the-envelope example:
1         0
4         1
16        4
64        16
80%       20%

So if a double-spend has to wait even a second, it has a huge disadvantage.

The payment processor has connections with many nodes. When it gets a transaction, it blasts it out, and at the same time monitors the network for double-spends. If it receives a double-spend on any of its many listening nodes, then it alerts that the transaction is bad. A double-spent transaction wouldn't get very far without one of the listeners hearing it. The double-spender would have to wait until the listening phase is over, but by then, the payment processor's broadcast has reached most nodes, or is so far ahead in propagating that the double-spender has no hope of grabbing a significant percentage of the remaining nodes.
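The race described above, as an added example that is not code from the thread: back_of_envelope reproduces the 1/4/16/64 against 0/1/4/16 table, and race runs the first-seen rule on a constructed network (a ring plus random chords, so it is connected) where each node keeps the first conflicting transaction it hears and relays only that one, with the payment processor's listening nodes reporting the round in which they first hear the double-spend. The fan-out factor, the topology and the tie rule (a same-round tie goes to the first transaction) are assumptions.

```python
import random


def back_of_envelope(factor: int = 4, rounds: int = 3, head_start: int = 1):
    """Each round every holder reaches `factor` new nodes; the second transaction starts
    `head_start` rounds late. Returns (nodes_with_a, nodes_with_b, share_of_a)."""
    a = factor ** rounds
    b = factor ** (rounds - head_start) if rounds >= head_start else 0
    return a, b, a / (a + b)


def make_network(n: int, extra_links: int, seed: int):
    """Constructed topology: a ring (guarantees connectivity) plus random chords."""
    rng = random.Random(seed)
    neighbours = [set() for _ in range(n)]
    for i in range(n):
        neighbours[i].add((i + 1) % n)
        neighbours[(i + 1) % n].add(i)
    for _ in range(extra_links):
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b:
            neighbours[a].add(b)
            neighbours[b].add(a)
    return neighbours


def race(neighbours, origin_a: int, origin_b: int, head_start: int, listeners=frozenset()):
    """Spread A from origin_a at round 0 and the double-spend B from origin_b
    `head_start` rounds later.

    A node keeps the first of the two it hears (same-round tie: A) and relays only
    that one, so a node already holding A never forwards B. `listeners` are the
    payment processor's monitoring nodes; the round in which any of them is first
    offered B is when the processor can flag the payment.
    Returns (share_a, share_b, round_a_listener_first_heard_b)."""
    n = len(neighbours)
    holds = [None] * n
    holds[origin_a] = "A"
    frontier = {origin_a}
    heard_b = None
    rnd = 0
    while frontier or rnd <= head_start:
        if rnd == head_start and holds[origin_b] is None:
            holds[origin_b] = "B"          # the double-spend enters the network now
            frontier.add(origin_b)
        offers = {}
        for node in frontier:
            tx = holds[node]
            for nb in neighbours[node]:
                if tx == "B" and nb in listeners and heard_b is None:
                    heard_b = rnd
                if holds[nb] is None:
                    offers.setdefault(nb, set()).add(tx)
        frontier = set()
        for nb, txs in offers.items():
            holds[nb] = "A" if "A" in txs else "B"
            frontier.add(nb)
        rnd += 1
    return holds.count("A") / n, holds.count("B") / n, heard_b
```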
3823	400	4	1279406226	3823	0		xx	1	Re: Assertion Failure - Ubuntu Lucid	[quote author=singpolyma link=topic=400.msg3815#msg3815 date=1279405188]
My coins disappeared, but I assume they'll come back when it's up to current?
[/quote]
Right, they'll re-appear when it's finished downloading all the blocks.
3825	437	6	1279407264	3825	0		xx	1	Re: Bitcoin 0.3.2 released	[quote author=llama link=topic=437.msg3810#msg3810 date=1279403785]
However, it's important that you don't lock all the way up the very latest block. Otherwise, the attacker could generate a fake block (or a few) right before you happen to lock it, and then his attack would be far easier than it would have been without the block lock.
[/quote]
I went about 200 blocks back. The block chain was a clean straight line without branches, and there was only one known version of the locked block.

[quote author=llama link=topic=437.msg3810#msg3810 date=1279403785]
Also, I'm assuming that the block lock means that the blocks will also come prepackaged with the client. Is this so?
[/quote]
Sorry, not yet, but I do want to make the initial block download faster.
3828	393	6	1279408710	3828	0		xx	1	Re: Source code documentation	I didn't realize you were going to document all the intentionally undocumented commands. They're unsupported and not intended to be used by users.

All the user-facing commands are listed in the -? help.
3830	419	6	1279409116	3830	0		xx	1	Re: Network Size	[quote author=NewLibertyStandard link=topic=419.msg3817#msg3817 date=1279405329]
Version 0.3 was supposed to reduce the number of outgoing connections on non-port forwarded clients from 15 to 8, but I don't think it really happened. I'm not positive if this is the case. Correct me if I'm wrong.
[/quote]
In 0.3.0, the change to 8 only ended up in the Windows version, the other versions still had 15.

Please upgrade to 0.3.2, it's available now.
3867	423	1	1279418355	3867	0		xx	1	Re: Bitcoin snack machine (fast transaction problem)	[quote author=llama link=topic=423.msg3836#msg3836 date=1279411409]
This is a good start, but still not impermeable.
[/quote]
I didn't say impermeable, I said good-enough. The loss in practice would be far lower than with credit cards.

[quote]
(for example, by refusing to propagate word of the transaction at the vending machine)
[/quote]
No, the vending machine talks to a big service provider (aka payment processor) that provides this service to many merchants. Think something like a credit card processor with a new job. They would have many well connected network nodes.
3999	393	6	1279465974	3999	0		xx	1	Re: Source code documentation	They're only intended for intrepid programmers who read the sourcecode.
4008	55	6	1279469176	4008	0		xx	1	Re: URI-scheme for bitcoin	[quote author=lachesis link=topic=55.msg1597#msg1597 date=1276668845]
I think you're misunderstanding the issue. My browser will always be able to go to 127.0.0.1 (barring some strange IE settings or a virus). If I type the address into the URL bar or click a link, it will work fine. However, it isn't possible to use Javascript to complete POST requests between domains (or ports on the same domain).
[/quote]
That's what I thought too.

[quote author=sirius-m link=topic=55.msg1598#msg1598 date=1276676774]
Yeah, I meant to say that cross-domain javascript calls are forbidden, so you can't call 127.0.0.1 from a javascript that doesn't reside in 127.0.0.1. Come to think of it, it would be quite funny if browsers allowed malicious cross-domain javascript to change people's Facebook pages etc.
[/quote]
Now I'm hearing a report that it IS possible for javascript to do a cross-domain POST request to 127.0.0.1. Not other domains, but just specifically to that one. Great...

If this is the case, then do not use the -server switch or bitcoind on a system where you do web browsing.

I'll get started on adding the password field.
14 days, so 14/10 = 1.4 = around 40% difficulty increase.
434	60	1	1266887788	434	0		xx	1	Re: UI improvements	There are now "Sending" and "Receiving" tabs in the Address Book. Your addresses are referred to as "receiving addresses".

madhatter was working on building it on Mac. He had errors probably caused by UTF-16 wxWidgets 2.8. Should have better luck now with 2.9.0. wxWidgets 2.9.0 is UTF-8 and wouldn't have that problem.

I think he had it working on FreeBSD, but he wanted a non-UI version.

I have the command line and JSON-RPC daemon version working now. Will SVN it in a day or two.

I disabled gdm on my Ubuntu system so it boots into command line. I hope I will be able to get it enabled again with rcconf.
443	62	1	1266942369	443	0		xx	1	Re: Bitcoin Address Collisions	There's a separate public/private keypair for every bitcoin address. You don't have a single private key that unlocks everything. Bitcoin addresses are a 160-bit hash of the public key, everything else in the system is 256-bit.

If there was a collision, the collider could spend any money sent to that address. Just money sent to that address, not the whole wallet.

If you were to intentionally try to make a collision, it would currently take 2^126 times longer to generate a colliding bitcoin address than to generate a block. You could have got a lot more money by generating blocks.

The random seed is very thorough. On Windows, it uses all the performance monitor data that measures every bit of disk performance, network card metrics, cpu time, paging etc. since your computer started. Linux has a built-in entropy collector. Adding to that, every time you move your mouse inside the Bitcoin window you're generating entropy, and entropy is captured from the timing of disk ops.
446	60	1	1266944007	446	0		xx	1	Re: UI improvements	[quote author=Xunie link=topic=60.msg439#msg439 date=1266928107]
[i]/etc/init.d/gdm start[/i] and it will start gdm!
[/quote]
Ah yes, there we go, back to normal again.

The ctrl+alt+F[1-8] thing never worked on this computer. The screen just goes haywire.
452	63	6	1266963341	453	1266970364	satoshi xx	1	Command Line and JSON-RPC	Version 0.2.6 on SVN can now run as a daemon and be controlled by command line or JSON-RPC.

On Linux it needs libgtk2.0-0 installed, but does not need a GUI running. Hopefully gtk can be installed without having a windowing system installed.

The command to start as a daemon is:
bitcoin -daemon [switches...]

Or, to run the UI normally and also be able to control it from command line or JSON-RPC, use the "-server" switch.
bitcoin -server [switches...]

With either switch, it runs an HTTP JSON-RPC server that accepts local socket connections on 127.0.0.1:8332. The port is bound to loopback and can only be accessed from the local machine, but from any account, not just the user it's running under.

To control it from the command line, the interface is a command name without any switches, followed by parameters if any.
bitcoin <command> [params...]

For example:
bitcoin getinfo
bitcoin getdifficulty
bitcoin setgenerate true
bitcoin stop

It's a simple JSON-RPC client and prints the JSON result. Look at rpc.cpp for the list of commands.

Web apps or anything automated will normally use JSON-RPC directly, not command line. There are JSON-RPC libraries for all the major languages. In script languages like PHP and Python the syntax is as natural as calling a local function.
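A Python JSON-RPC client for the 127.0.0.1:8332 server described above, with the credit/debit account scheme from the "Sample account system using JSON-RPC needed" post built on top of it, as an added example that is neither the project's code nor the sample that post asked for. It assumes the daemon answers JSON-RPC over HTTP POST with the usual result/error/id reply, that getnewaddress <label>, getreceivedbylabel <label> [minconf] and getreceivedbyaddress <address> [minconf] behave as the post describes, and that the password the thread is still waiting for would be sent as HTTP basic auth; the FakeNode at the bottom is an offline stand-in with constructed receipts so the code runs without a node.

```python
import base64
import json
import urllib.request
from decimal import Decimal


class BitcoinRPC:
    """Minimal JSON-RPC client: rpc.getinfo(), rpc.getnewaddress("alice"), and so on."""

    def __init__(self, url="http://127.0.0.1:8332", user=None, password=None, transport=None):
        self.url = url
        self.headers = {"Content-Type": "application/json"}
        if user is not None:  # assumption: HTTP basic auth, the password the thread says is still to come
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            self.headers["Authorization"] = "Basic " + token
        self._post = transport or self._http_post  # a transport lets the offline fake below stand in
        self._next_id = 0

    def _http_post(self, body: bytes) -> bytes:
        req = urllib.request.Request(self.url, data=body, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            return resp.read()

    def __getattr__(self, method):
        def call(*params):
            self._next_id += 1
            body = json.dumps({"method": method, "params": list(params), "id": self._next_id}).encode()
            # parse_float=Decimal keeps the node's JSON amounts exact instead of rounding them again
            reply = json.loads(self._post(body), parse_float=Decimal)
            if reply.get("error"):
                raise RuntimeError(reply["error"])
            return reply["result"]
        return call


class AccountSystem:
    """Credit is what the node received under the user's label; debit is the site's own record."""

    def __init__(self, rpc, minconf=1):
        self.rpc = rpc
        self.minconf = minconf
        self.db = {}  # constructed stand-in for the site database: user -> {"address", "debit"}

    def _row(self, user):
        return self.db.setdefault(user, {"address": None, "debit": Decimal(0)})

    def deposit_address(self, user):
        """The address shown on the account page, replaced once it has received anything."""
        row = self._row(user)
        if row["address"] is None or self.rpc.getreceivedbyaddress(row["address"], 0) > 0:
            row["address"] = self.rpc.getnewaddress(user)
        return row["address"]

    def balances(self, user):
        """(current, available): credit at 0 and at minconf confirmations, minus debit."""
        debit = self._row(user)["debit"]
        current = self.rpc.getreceivedbylabel(user, 0) - debit
        available = self.rpc.getreceivedbylabel(user, self.minconf) - debit
        return current, available

    def spend(self, user, amount):
        """Only confirmed funds may be spent; the debit is recorded locally, never sent to the node."""
        amount = Decimal(str(amount))
        _, available = self.balances(user)
        if amount <= 0 or amount > available:
            raise ValueError("amount exceeds available balance")
        self._row(user)["debit"] += amount
        return self.balances(user)


class FakeNode:
    """Offline stand-in for the daemon, answering only the calls used above; not a real node."""

    def __init__(self):
        self.counter = 0
        self.received = []  # constructed receipts: [label, address, amount, confirmations]

    def getnewaddress(self, label):
        self.counter += 1
        return f"addr{self.counter:02d}-{label}"  # placeholder, not a real address format

    def getreceivedbyaddress(self, address, minconf=1):
        return sum(a for _, ad, a, c in self.received if ad == address and c >= minconf)

    def getreceivedbylabel(self, label, minconf=1):
        return sum(a for lb, _, a, c in self.received if lb == label and c >= minconf)

    def transport(self, body: bytes) -> bytes:
        req = json.loads(body)
        try:
            result = getattr(self, req["method"])(*req["params"])
            return json.dumps({"result": result, "error": None, "id": req["id"]}).encode()
        except Exception as exc:  # the daemon reports failures in the "error" field
            return json.dumps({"result": None, "error": str(exc), "id": req["id"]}).encode()
```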
453	62	1	1266963840	453	0		xx	1	Re: Bitcoin Address Collisions	[quote author=NewLibertyStandard link=topic=62.msg450#msg450 date=1266951887]
Are generated bitcoins encrypted with whichever address is currently displayed in the main Bitcoin window?
[/quote]
No, each generated transaction uses a new, single-use address.

Nothing uses the address in the main window, it's just there for convenience for you to copy. 0.2.5 has a "New..." button next to it to make it easy to change each time you use it.
481	55	6	1266991063	481	0		xx	1	Re: URI-scheme for bitcoin	That would be nice at point-of-sale. The cash register displays a QR-code encoding a bitcoin address and amount on a screen and you photo it with your mobile.
482	63	6	1266992243	482	0		xx	1	Re: Command Line and JSON-RPC	[quote author=theymos link=topic=63.msg467#msg467 date=1266980857]
[quote author=satoshi link=topic=63.msg452#msg452 date=1266963341]
On Linux it needs libgtk2.0-0 installed
[/quote]
Will this requirement be removed sometime? I'd rather not have to deal with GTK.
[/quote]
How much "dealing with" does GTK actually require? Is it just a matter of "sudo apt-get install libgtk2.0-0" and having some extra libraries sitting around? GTK doesn't have to do anything, just be there for bitcoin to link to when it loads up, have the gtk-init-check call fail because no GUI present, then it's done.

It saves us butchering everything with ifdefs and a separate compile and binary to use wxBase just to try to avoid linking GTK.
504	64	1	1267046663	21762	1289607746	satoshi xx	1	New icon/logo	New icons, what do you think? Better than the old one?

[img]http://www.bitcoin.org/download/bitcoin16.4.png[/img] [img]http://www.bitcoin.org/download/bitcoin20.4.png[/img] [img]http://www.bitcoin.org/download/bitcoin32.5.png[/img] [img]http://www.bitcoin.org/download/bitcoin48.5.png[/img]

Full size 530x529 image for scaling down to custom sizes:
[url=http://www.bitcoin.org/download/bitcoin530.png]http://www.bitcoin.org/download/bitcoin530.png[/url]

The perspective shadow was too thick on the larger sizes. I updated 32, 48 and the full size.

I release these images into the public domain (copyright-free). I request that derivative works be made public domain.
507	45	1	1267048432	507	0		xx	1	Re: Make your "we accept Bitcoin" logo	If you GPL stuff, I have to avoid using it. Nothing against GPL per-se, but Bitcoin is an MIT license project. Anything GPL please clearly mark it as such.
509	63	6	1267049335	509	0		xx	1	Re: Command Line and JSON-RPC	When and how fast did memory usage increase? Right away, slowly over a long time, or starting at some later event?

I have -daemon running on ubuntu 9.10 64-bit and memory usage is steady.

It has to be something about the difference on the server besides 64-bit. Maybe some malfunction from the lack of GUI. A memory leak debug tool could give a clue.
510	43	1	1267051344	510	0		xx	1	Re: Proof-of-work difficulty increasing	The automatic adjustment happened earlier today.

24/02/2010 0000000043b3e500000000000000000000000000000000000000000000000000

24/02/2010  3.78  +49%

I updated the first post.
521	64	1	1267062984	521	0		xx	1	Re: New icon/logo	[quote author=Sabunir link=topic=64.msg519#msg519 date=1267062476]
I like them. Do they come in higher resolutions?
[/quote]
Yes, the original is 546x531 pixels.

It looks good at larger size too, but since the small icons are what you mostly always see, I wanted to judge it on those first. I'll post larger sizes and full size a little later.
539	63	6	1267138457	539	0		xx	1	Re: Command Line and JSON-RPC	OK, I made a build target bitcoind that only links wxBase and does not link GTK. Version 0.2.7 on SVN.

I split out the init and shutdown stuff from ui.cpp into init.cpp, so now ui.cpp is pure UI. ui.h provides inline stubs if wxUSE_GUI=0. We only have four functions that interface from the node to the UI. In the bitcoind build, we don't link ui.o or uibase.o.

[quote author=sirius-m link=topic=63.msg538#msg538 date=1267115537]
It started increasing right away. I'll see if valgrind can help me.
[/quote]
Sure feels like it could be something in wxWidgets retrying endlessly because some UI thing failed or something wasn't inited correctly. Our hack to ignore the initialize failure and run anyway means we're in uncharted territory. We're relying on the fact that we hardly use wx in this mode. We do still use a few things like wxGetTranslation and wxMutex.

Another way to debug would be to run in gdb, wait until everything is quiet and all threads should be idle, and break it and see which thread is busily doing something and what it's doing.

I suspect bitcoind will probably work fine, but I hope you can still debug the problem.
540	43	1	1267139189	540	0		xx	1	Re: Proof-of-work difficulty increasing The formula is based on the time it takes to generate 2016 blocks. &nbsp;The difficulty is multiplied by 14/(actual days taken). &nbsp;For instance, this time it took 9.4 days, so the calculation was 14/9.4 = 1.49. &nbsp;Previous difficulty 2.53 * 1.49 =
3.78, a 49% increase. <br /><br />I don&#039;t know what you&#039;re talking about accepting easier difficulties.
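The retarget arithmetic described in this post, as an added example that is not code from the post or from Bitcoin: it turns the timestamps of the first and last block of a 2016-block interval into the "actual days taken", applies the 14/(actual days) multiplier, and reports the change in percent. The factor-of-4 clamp is an assumption added here (the post does not mention it); the floating-point form is for readability, since the node itself works on the 256-bit target. With the unrounded ratio the post's example comes out to about 3.77 rather than the 3.78 obtained by rounding 14/9.4 to 1.49 first.

```cpp
#include <algorithm>
#include <cmath>
#include <ctime>

// Added example, not Bitcoin's code: the retarget rule as the post states it.
const int kRetargetInterval = 2016;  // blocks between difficulty adjustments
const double kTargetDays = 14.0;     // 2016 blocks at 10 minutes each

// Actual days the last interval took, from the timestamps of its first and
// last block.
double ActualDays(std::time_t firstBlockTime, std::time_t lastBlockTime) {
    return std::difftime(lastBlockTime, firstBlockTime) / (24.0 * 60 * 60);
}

// Assumption not in the post: a single adjustment is limited to a factor of 4
// in either direction, so one unusual interval cannot swing the difficulty
// arbitrarily far.
double AdjustmentFactor(double actualDays) {
    double clamped = std::min(std::max(actualDays, kTargetDays / 4.0), kTargetDays * 4.0);
    return kTargetDays / clamped;
}

// New difficulty = previous difficulty * 14 / (actual days taken).
double NextDifficulty(double prevDifficulty, double actualDays) {
    return prevDifficulty * AdjustmentFactor(actualDays);
}

// Change in percent, the way the post reports "+49%".
double PercentChange(double actualDays) {
    return (AdjustmentFactor(actualDays) - 1.0) * 100.0;
}
```

`NextDifficulty(2.53, 9.4)` reproduces the post's interval; `AdjustmentFactor(1.0)` and `AdjustmentFactor(100.0)` show the clamp returning exactly 4.0 and 0.25.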
555	63	6	1267201761	555	0		xx	1	Re: Command Line and JSON-RPC	wx/clipbrd.h isn&#039;t used, move it inside the #if wxUSE_GUI.<br /><br />Updated headers.h on SVN.<br /><br />Sorry, I linked to wxbase but I had full wxWidgets on my computer.<br /><br />The db.h:140 class Db no member named &quot;exisits&quot; is stranger.&nbsp;
pdb-&gt;get, pdb-&gt;put, pdb-&gt;del compiled before that.&nbsp; Do you have version 4.7.25 of Berkeley DB?<br /><br />Db::exists()<br />http://www.oracle.com/technology/documentation/berkeley-db/db/api_reference/CXX/frame_main.html<br />http://www.oracle.com/technology/documentation/berkeley-db/db/api_reference/CXX/dbexists.html<br /><br />I suppose they might have added
exists recently, using get before that.
561	64	1	1267226239	561	0		xx	1	Re: New icon/logo	Good suggestion.&nbsp; I made the B slightly lighter and the background slightly darker.&nbsp; Very slightly.&nbsp; The foreground is now exactly the same colour as the BC in the old one.<br /><br />It&#039;s kind of OK if you can&#039;t easily read the B in the 16x16.&nbsp;
At that size, you just need to see that it&#039;s a coin.&nbsp; It doesn&#039;t matter so much what&#039;s embossed on it, just that there be some detail there because it wouldn&#039;t look like a coin if it was a blank smooth circle.<br /><br />It&#039;s slightly wider than tall because the dark perspective under it goes more to the right than down.<br /><br />I finished
and posted the 32x31 and 48x47 versions in the first message.&nbsp; I like the 48 a lot.<br /><br />How does everyone feel about the B symbol with the two lines through the outside?&nbsp; Can we live with that as our logo?
562	63	6	1267228124	562	0		xx	1	Re: Command Line and JSON-RPC	Are you using wxWidgets 2.9.0?&nbsp; I don&#039;t recommend using anything other than 2.9.0.<br /><br />It looks like they&#039;ve got a reference in the wx headers (arrstr.h) to something outside of wxBase.<br /><br />Removing -D__WXDEBUG__ from bitcoin&#039;s
makefile would probably solve it.<br /><br />If that doesn&#039;t work and you just want to get it working, you could edit wxWidgets include/wx/arrstr.h, line 167 and comment out the wxASSERT_MSG.
566	64	1	1267244909	566	0		xx	1	Re: New icon/logo	[quote author=Cdecker link=topic=64.msg565#msg565 date=1267241047]<br />How about an SVG version? That way we could automatically generate smaller and larger versions as needed.<br />[/quote]<br />I don&#039;t know how to do SVG, but I did the original very large, over
500 pixels across, so it can be scaled down. &nbsp;I&#039;ll give the original when I&#039;m finished.<br /><br />I had to custom tweak each icon size so the vertical lines land square on their pixels, otherwise they&#039;re ugly blurry and inconsistent. &nbsp;Such is the challenge of making icons. &nbsp;The original will be good for scaling to custom sizes between 48 and 500 but not smaller.
571	65	6	1267305773	571	0		xx	1	Re: wxWidgets 2.9.0	[quote author=Cdecker link=topic=65.msg569#msg569 date=1267290599]<br />Looking through the source of 2.8.10 it appears that [i]unicode[/i] is possible with that version too.<br />[/quote]<br />In the Windows world, &quot;unicode&quot; means UTF-16 (wchar).<br /><br />2.8
has two build variations, ANSI and UTF-16 (unicode). &nbsp;The UTF-16 version is the &quot;unicode&quot; version provided in the Debian package. &nbsp;I believe 2.8 and its UTF-16 build labelled simply &quot;unicode&quot; has been the source of build problems described in the forum. &nbsp;We were previously using 2.8 ANSI in anticipation of getting to UTF-8 without going
through UTF-16 hell. &nbsp;We cannot compile with UTF-16.<br /><br />2.9 has only one version, UTF-8. &nbsp;On Windows, we set the codepage to UTF-8, so on all platforms our code is UTF-8 and wxWidgets interfaces with us in UTF-8. &nbsp;On Linux I assume the codepage is already UTF-8. &nbsp;By standardizing on 2.9 we avoid the multi-build confusion of 2.8, and we need 2.9 for
UTF-8 internationalization.<br /><br />Make sure you read build-unix.txt and configure wxWidgets using the configure parameters given.<br /><br />Curious, why is it incredibly hard to provide wxWidgets 2.9.0? &nbsp;If you mean for users, that&#039;s why we static link it.<br /><br />It&#039;s unfortunate that we require so many big dependencies, but we need them all.&nbsp;
At least on Debian/Ubuntu, all but wxWidgets are available as packages.&nbsp; Eventually they&#039;ll provide a 2.9 package.
588	64	1	1267497185	588	0		xx	1	Re: New icon/logo	We have the standard icon sizes, and the full size scales nicely to anything else.<br /><br />I added the full size to the first post.
614	69	8	1267590536	614	0		xx	1	Re: Money Transfer Regulations	When there&#039;s enough scale, maybe there can be an exchange site that doesn&#039;t do transfers, just matches up buyers and sellers to exchange with each other directly, similar to how e-bay works.<br /><br />To make it safer, the exchange site could act as an
escrow for the bitcoin side of the payment. &nbsp;The seller puts the bitcoin payment in escrow, and the buyer sends the conventional payment directly to the seller. &nbsp;The exchange service doesn&#039;t handle any real world money.<br /><br />This would be a step better than e-bay. &nbsp;E-bay manages to work fine even though shipped goods can&#039;t be recovered if payment falls through.
or easily malleable either<br />- not useful for any practical or ornamental purpose<br /><br />and one special, magical property:<br />- can be transported over a communications channel<br /><br />If it somehow acquired any value at all for whatever reason, then anyone wanting to transfer wealth over a long distance could buy some, transmit it, and have the recipient sell
it.<br /><br />Maybe it could get an initial value circularly as you&#039;ve suggested, by people foreseeing its potential usefulness for exchange. &nbsp;(I would definitely want some) &nbsp;Maybe collectors, any random reason could spark it.<br /><br />I think the traditional qualifications for money were written with the assumption that there are so many competing objects
in the world that are scarce, an object with the automatic bootstrap of intrinsic value will surely win out over those without intrinsic value. &nbsp;But if there were nothing in the world with intrinsic value that could be used as money, only scarce but no intrinsic value, I think people would still take up something.<br /><br />(I&#039;m using the word scarce here to only
mean limited potential supply)<br />
11439	941	6	1282946052	11504	1283006064	satoshi xx	1	Version 0.3.11 with upgrade alerts	Version 0.3.11 is now available.<br /><br />Changes:<br />- Some blk*.dat checking on load<br />- Built the -4way code with -march=amdfam10, which makes it a little faster<br />- Warning if your clock is too far off<br />- Warnings/errors/alerts
can also be seen in the getinfo command<br />- Alert system<br /><br />The alert system can display notifications on the status bar to alert you if you&#039;re running a version that needs to be upgraded for an important security update.<br /><br />In response to an alert, your node may also go into safe mode, which disables the following json-rpc commands (used by automated
websites) to protect it from losing money until you get a chance to upgrade:<br /> sendtoaddress<br /> getbalance<br /> getreceivedbyaddress<br /> getreceivedbylabel<br /> listreceivedbyaddress<br /> listreceivedbylabel<br /><br />If you decide it&#039;s a false alarm and want to take your chances, you can use the switch -disablesafemode to re-enable them.<br /><br />This is
an important safety improvement. &nbsp;For a large segment of possible problems, this can warn everyone immediately once a problem is discovered and prevent them from acting on bad information.<br /><br />Nodes keep operating and do not stop generating in response to an alert, so old versions may still try to make a fork, but the alert system can make sure users are warned
not to act on anything in the fork.<br /><br />Download:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.11/<br />
11503	820	6	1283005635	11503	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10 The simplification is intentional. &nbsp;There will only be more than one thash[7]=0 in one out of 134,217,728 cases. &nbsp;It only makes it 0.0000007% slower.<br />
11505	941	6	1283007244	11505	0		xx	1	Re: Version 0.3.11 with upgrade alerts	[quote author=torservers link=topic=941.msg11499#msg11499 date=1283000437]<br />The &quot;About&quot; dialog still shows 0.3.10.1 beta.<br />[/quote]<br />What OS?&nbsp; I ran the Windows and 64-bit Linux version and checked the about dialog.<br /><br
/>The Mac version is still 0.3.10.1.<br /><br />[quote author=pavelo link=topic=941.msg11481#msg11481 date=1282980967]<br />iirc, it is possible to specify -march on a per-function basis using some gcc __attribute__. That way, only the function in question would be optimized, and if the user doesn&#039;t specify -4way, everything else should be ok.<br />[/quote]<br />I
updated the first post to be more specific.&nbsp; Only the -4way code is compiled this way.<br />
11610	816	6	1283120076	11610	0		xx	1	Re: Big endian code problems	The code assumes little-endian throughout and was written with the intention of never being ported to big-endian. &nbsp;Every integer that is sent over the network would have to be byte swapped, in addition to many dozens of other places in code. &nbsp;It would
not be worth the extra sourcecode bloat.<br /><br />Big-endian is on its way out anyway.
12062	967	4	1283729132	12062	0		xx	1	Re: CryptoPP Assertion Error	You can probably just comment out the line<br />cryptopp/secblock.h:187<br />&nbsp; //assert(false);<br /><br />Let me know if it works, and watch if it memory leaks. <br /><br />It looks like a template class to make sure the derived class defines its own version
of allocate and deallocate.&nbsp; It would be weird if that was the actual problem and it made it all the way to release.&nbsp; Probably a false alarm.
12063	960	4	1283729780	12063	0		xx	1	Re: Warning : Check your system   ( Help me )	Any suggestions for better text to put for this error message so the next person will be less likely to be confused?<br /><br />It&#039;s trying to tell them their clock is wrong and they need to correct it.<br /><br />It&#039;s relying on 3 time
sources:<br />1) the system clock<br />2) the other nodes, if within an hour of the system clock<br />if those disagree, then<br />3) the user (asking the user to fix the system clock)<br /><br />I&#039;ve thought about NTP, but this is more secure.
12130	969	6	1283808081	12130	0		xx	1	Re: HTTP status codes from the JSON-RPC api	This is in SVN rev 147.<br /><br />This is more standard, and although json-rpc 1.0 didn&#039;t specify the format of error objects, it did specify that they would be [i]objects[/i] not strings or other values, so we needed to change this to be
correct.&nbsp; The code/message members have become standard in later json-rpc specs.<br /><br />If you have code that checks the error and expects a string, you&#039;ll need to change it.&nbsp; When there is an error, the error member is now an object not a string.<br /><br />Also in SVN rev 147:<br />- The command line json-rpc returns the error code as its exit code.&nbsp;
Exit codes can only be 0-255 on unix, so it&#039;s abs(code)%256.<br />- The &quot;backupwallet &lt;destination&gt;&quot; command that was discussed in another thread.&nbsp; It locks the wallet and copies it, so you can be sure you get a correct copy.<br />
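The behaviour described in the 0.3.11 announcement above (safe mode refusing the listed money-moving commands unless -disablesafemode is given) together with the error handling in this post (errors as {"code":<number>,"message":<string>} objects, and the command-line client exiting with abs(code)%256), modelled in one added example. This is not Bitcoin's code; the error code -2 and the command handler stand-in are constructed for the example, since the posts give no numeric code.

```cpp
#include <cstdlib>
#include <set>
#include <string>

// Constructed model (not Bitcoin's code) of the RPC behaviour the posts describe.
struct RpcError {
    int code;             // the "code" member of the error object
    std::string message;  // the "message" member
};

struct RpcResult {
    bool ok;
    std::string result;   // set when ok
    RpcError error;       // set when !ok
};

// The json-rpc commands the 0.3.11 announcement lists as disabled in safe mode.
static const std::set<std::string> kSafeModeDisabled = {
    "sendtoaddress", "getbalance", "getreceivedbyaddress",
    "getreceivedbylabel", "listreceivedbyaddress", "listreceivedbylabel"};

// Assumed value for this example; the posts do not give the numeric code.
const int kSafeModeErrorCode = -2;

// Node side: fSafeMode is set while an alert has put the node in safe mode,
// fDisableSafeMode mirrors the -disablesafemode switch.
RpcResult Dispatch(const std::string& method, bool fSafeMode, bool fDisableSafeMode) {
    if (fSafeMode && !fDisableSafeMode && kSafeModeDisabled.count(method) != 0) {
        return {false, "", {kSafeModeErrorCode, "Safe mode: upgrade required, command disabled"}};
    }
    return {true, "ok", {0, ""}};  // stand-in for the real command handlers
}

// Minimal JSON string escaping so a message cannot break out of the object.
static std::string JsonString(const std::string& s) {
    std::string out = "\"";
    for (char c : s) {
        if (c == '"' || c == '\\') out += '\\';
        out += c;
    }
    return out + "\"";
}

// The error member as the standard object, not a bare string.
std::string ErrorObjectJson(const RpcError& e) {
    return "{\"code\":" + std::to_string(e.code) + ",\"message\":" + JsonString(e.message) + "}";
}

// Command-line client: unix exit codes are 0-255, hence the post's abs(code)%256.
int ExitCodeFor(const RpcResult& r) {
    return r.ok ? 0 : std::abs(r.error.code) % 256;
}
```

A caller that still compares the error member against a string will see an object here; checking `error.code` is the forward-compatible test. Note that abs(code)%256 maps distinct codes (for example -300 and -44) to the same exit status, so scripts should read the JSON error when they need the exact code.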
12132	960	4	1283809266	12132	0		xx	1	Re: Warning : Check your system   ( Help me )	[quote author=Insti link=topic=960.msg12101#msg12101 date=1283777497]<br />[quote author=satoshi link=topic=960.msg12063#msg12063 date=1283729780]<br />Any suggestions for better text to put for this error message so the next person will be less
likely to be confused?<br />[/quote]<br />&quot;Please check that your computer&#039;s date and time are correct. If your clock is wrong Bitcoin will not work properly.&quot;<br />[/quote]<br />Thanks.
12134	921	6	1283809510	12134	0		xx	1	Re: auto backing up of wallet.dat	rpc backupwallet &lt;destination&gt; is in SVN rev 147.
12135	992	4	1283809965	12135	0		xx	1	Re: bitcoind as daemon in OSX	Can you build?<br /><br />Try changing line 78 of init.cpp from:<br />#ifdef __WXGTK__<br /><br />to:<br />#ifndef __WXMSW__<br /><br />If that works, I&#039;ll change the source.&nbsp; It should work.
12168	994	1	1283877141	12168	0		xx	1	Re: Always pay transaction fee? Another option is to reduce the number of free transactions allowed per block before transaction fees are required. &nbsp;Nodes only take so many KB of free transactions per block before they start requiring at least 0.01 transaction fee.<br /><br />The threshold
should probably be lower than it currently is.<br /><br />I don&#039;t think the threshold should ever be 0. &nbsp;We should always allow at least some free transactions.<br />
12181	999	6	1283887075	12190	1283891671	satoshi xx	1	Version 0.3.12	Version 0.3.12 is now available.<br /><br />Features:<br />- json-rpc errors return a more standard error object. (thanks to Gavin Andresen)<br />- json-rpc command line returns exit codes.<br />- json-rpc &quot;backupwallet&quot; command.<br />- Recovers and continues
if an exception is caused by a message you received. &nbsp;Other nodes shouldn&#039;t be able to cause an exception, and it hasn&#039;t happened before, but if a way is found to cause an exception, this would keep it from being used to stop network nodes.<br /><br />If you have json-rpc code that checks the contents of the error string, you need to change it to expect error
objects of the form {&quot;code&quot;:&lt;number&gt;,&quot;message&quot;:&lt;string&gt;}, which is the standard. &nbsp;See this thread:<br />http://www.bitcoin.org/smf/index.php?topic=969.0<br /><br />Download:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.12/<br />
12237	994	1	1283967014	12237	0		xx	1	Re: Always pay transaction fee? Currently, paying a fee is controlled manually with the -paytxfee switch.&nbsp; It would be very easy to make the software automatically check the size of recent blocks to see if it should pay a fee.&nbsp; We&#039;re so far from reaching the threshold, we don&#039;t
need that yet.&nbsp; It&#039;s a good idea to see how things go with controlling it manually first anyway.<br /><br />It&#039;s not a big deal if we reach the threshold.&nbsp; Free transactions would just take longer to get into a block.<br /><br />I did a rough tally of 4000 blocks from around 74000-78000.&nbsp; This is excluding the block reward transactions:<br /><br
/>There were average 2 transactions per block, 17 transactions per hour, 400 transactions per day.<br /><br />Average transaction bytes per block was 428 bytes, or 214 bytes per transaction.<br /><br />The current threshold is 200KB per block, or about 1000 transactions per block.&nbsp; I think it should be lowered to 50KB per block.&nbsp; That would still be more than 100
times the average transactions per block.<br /><br />The threshold can easily be changed in the future.&nbsp; We can decide to increase it when the time comes.&nbsp; It&#039;s a good idea to keep it lower as a circuit breaker and increase it as needed.&nbsp; If we hit the threshold now, it would almost certainly be some kind of flood and not actual use.&nbsp; Keeping the
threshold lower would help limit the amount of wasted disk space in that event.<br />
12240	999	6	1283969164	12240	0		xx	1	Re: Version 0.3.12	Bitcoin clients currently only create and recognize transactions that match two possible templates.&nbsp; <br /><br />Those are some quick tests that loosely check if transactions fit some general metrics that those standard transactions fit.&nbsp; Nodes will only work
on adding those transactions to their block.<br /><br />In the future, if we add more templates to the existing 2 types of transactions, we can change the &quot;rather not work on nonstandard transactions&quot; test to accept them.<br />
12248	955	1	1283977659	12248	0		xx	1	Re: Bitcoin Blogger: Is It Better To Buy Or Generate Bitcoins?	[quote author=BitLex link=topic=955.msg12189#msg12189 date=1283890254]<br />AMD X3 @2.8ghz<br />-&gt;stock client<br />~3800khs ~150Watt<br />[/quote]<br />Did you try -4way?<br /><br />[quote]<br />How many hashes can I expect
with a 24 core machine? I have a quad-core generating 4,300 hashes-per-second, so I am estimating a 24-core machine could mine bitcoins at 25,000 hashes-per-second.<br />[/quote]<br />AMD Phenom (I think 4-core) CPUs are doing about 11,000khps with -4way, about 100% speedup. &nbsp;24 cores should get 66,000khps. &nbsp;AMD is the best choice because it has the best SSE2
implementation. (or maybe because tcatm had an AMD and optimised his code for that)<br /><br />There&#039;s been so much else to do that I haven&#039;t had time to make -4way automatic. &nbsp;For now you still have to do it manually.<br />http://www.bitcoin.org/smf/index.php?topic=820.0<br />
12262	1007	6	1283994245	12262	0		xx	1	Auto-detect for 128-bit 4-way SSE2	SVN rev 150 has some code to try to auto-detect whether to use 4-way SSE2.  We need this because it's only faster on certain newer CPUs that have 128-bit SSE2 and not ones with 64-bit SSE2.

It uses the CPUID instruction to get the CPU brand, family, model number and stepping.  That's the easy part.  Knowing what to do with the model number is the hard part.  I was not able to find any table of family, model and stepping numbers for CPUs.  I had to go by various random reports I saw.

Here's what I ended up with:
[code]
  // We need Intel Nehalem or AMD K10 or better for 128bit SSE2
  // Nehalem = i3/i5/i7 and some Xeon
  // K10 = Opterons with 4 or more cores, Phenom, Phenom II, Athlon II
  //  Intel Core i5  family 6, model 26 or 30
  //  Intel Core i7  family 6, model 26 or 30
  //  Intel Core i3  family 6, model 37
  //  AMD Phenom    family 16, model 10
  bool fUseSSE2 = ((fIntel && nFamily * 10000 + nModel >=  60026) ||
                   (fAMD   && nFamily * 10000 + nModel >= 160010));
[/code]

I saw some sporadic inconsistent model numbers for AMD CPUs, so I'm not sure if this will catch all capable AMDs.

If it's wrong, you can still override it with -4way or -4way=0.

It prints what it finds in debug.log.  Search on CPUID.

This is only enabled if built with GCC.
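The detection described in this post, as an added example that is not the SVN rev 150 code: it decodes the raw CPUID leaf-1 signature into family, model and stepping the way the vendor manuals lay out the bits (the extended family/model fields apply for base family 0xF on both vendors and for base family 6 on Intel), then applies the post's threshold rule. The `DetectThisCpu` helper reads the real registers only on x86 builds with GCC, matching the post's "only enabled if built with GCC"; the signature values in the test are constructed, not read from any machine. The constructed AMD family 16, model 4 signature shows the post's own caveat: a K10 part with a model number below 10 is rejected by the rule even though its family qualifies.

```cpp
#include <cstdint>
#include <cstring>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#endif

// Added example, not Bitcoin's code.
struct CpuSignature { int family; int model; int stepping; };

// EAX from CPUID leaf 1: stepping[3:0], model[7:4], family[11:8],
// extended model[19:16], extended family[27:20]. The extended fields only
// apply for base family 0xF (both vendors) and base family 6 (Intel).
CpuSignature DecodeSignature(uint32_t eax, bool fIntel) {
    CpuSignature s;
    s.stepping = eax & 0xF;
    s.model = (eax >> 4) & 0xF;
    s.family = (eax >> 8) & 0xF;
    int extModel = (eax >> 16) & 0xF;
    int extFamily = (eax >> 20) & 0xFF;
    if (s.family == 0xF) {
        s.family += extFamily;
        s.model += extModel << 4;
    } else if (s.family == 6 && fIntel) {
        s.model += extModel << 4;
    }
    return s;
}

// The post's rule: Intel family 6 model >= 26, AMD family 16 model >= 10
// (and anything in a higher family for either vendor).
bool UseSSE2(bool fIntel, bool fAMD, int nFamily, int nModel) {
    return (fIntel && nFamily * 10000 + nModel >= 60026) ||
           (fAMD && nFamily * 10000 + nModel >= 160010);
}

struct CpuInfo { bool fIntel; bool fAMD; CpuSignature sig; };

// Reads leaf 0 (vendor string) and leaf 1 (signature) on x86 builds with GCC.
// Returns false on other compilers or architectures, where the caller should
// fall back to the -4way switch.
bool DetectThisCpu(CpuInfo& info) {
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx)) return false;
    char vendor[13];
    std::memcpy(vendor, &ebx, 4);      // vendor string is laid out as ebx, edx, ecx
    std::memcpy(vendor + 4, &edx, 4);
    std::memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';
    info.fIntel = std::strcmp(vendor, "GenuineIntel") == 0;
    info.fAMD = std::strcmp(vendor, "AuthenticAMD") == 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return false;
    info.sig = DecodeSignature(eax, info.fIntel);
    return true;
#else
    (void)info;
    return false;
#endif
}
```

Logging the decoded family/model/stepping next to the decision, as the post does in debug.log, is what makes a wrong guess diagnosable from a user report; the -4way override remains the safety valve for signatures the table does not know.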
12341	1013	1	1284078204	12341	0		xx	1	Re: Won't let me send coins because it requires a transaction fee?	What version is the one where this happened?&nbsp; Release build, or built it yourself?&nbsp; Which operating system?&nbsp; <br /><br />Were you sending by IP or by Bitcoin Address?<br /><br />When you sent 49.99, did it
prompt you to pay a 0.01 fee?<br /><br />There was a change in GetMinFee, but I can&#039;t see how it would cause this. &nbsp;It only starts to apply when a block gets huge. <br /><br />The reason for the difference in block number is the number displayed was reduced by 1 in 0.3.11 because it made more sense that way.
12342	1013	1	1284079597	12342	0		xx	1	Re: Won't let me send coins because it requires a transaction fee?	I think I know what happened. &nbsp;Doubleclick on the generated transaction. &nbsp;It probably has a sub-0.01 transaction fee in it.<br /><br />Someone has been paying a 0.00000010 transaction fee. &nbsp;I don&#039;t think
you can even set that with -paytxfee, I think you&#039;d have to modify the code to do it. &nbsp;Your generated block is worth 50.00000010, so when you try to send the whole thing you have 0.00000010 left over for the change, which triggers the dust spam 0.01 fee.<br /><br />It would normally be harmless except in this corner case. &nbsp;I should add a special case to
CreateTransaction to handle this.
633	63	6	1267753585	633	0		xx	1	Re: Command Line and JSON-RPC	[quote author=sirius-m link=topic=63.msg502#msg502 date=1267035455]<br />This is strange... When I start Bitcoin as a daemon on my 64 bit Linux server, it eats up all the 250MB of remaining RAM, 700MB of swap and eventually crashes. On my 32 bit Ubuntu desktop,
it works fine and stays at 15MB of memory usage. The server is running a 64 bit build of Bitcoin. Maybe there&#039;s something wrong with the build or something.<br />[/quote]<br />sirius-m debugged this, it was 64-bit related.&nbsp; <br /><br />The fix is now available on SVN, file util.cpp.
639	71	3	1267759330	639	0		xx	1	Re: Lots of guests online	Maybe an embedded link or image in a post somewhere else, such that when anyone reads the post on the busier forum, it loads part of the content from this forum.<br /><br />It&#039;s stopped now.
717	72	4	1268678652	717	0		xx	1	Re: bitcoin auto-renice-ing	It sets different priorities for each thread.  The generate threads run at PRIO_MIN.  The other threads rarely take any CPU and run at normal.

#define THREAD_PRIORITY_LOWEST          PRIO_MIN
#define THREAD_PRIORITY_BELOW_NORMAL    2
#define THREAD_PRIORITY_NORMAL          0

The priorities converted from Windows priorities were probably from a table like this:

   "The following table shows the mapping between nice values and Win32 priorities. Refer to the Win32 documentation for SetThreadPriority() for more information on Win32 priority issues.

nice value	Win32 Priority
-20 to -16	THREAD_PRIORITY_HIGHEST
-15 to -6	THREAD_PRIORITY_ABOVE_NORMAL
-5 to +4	THREAD_PRIORITY_NORMAL
+5 to +14	THREAD_PRIORITY_BELOW_NORMAL
+15 to +19	THREAD_PRIORITY_LOWEST"

If you have better values, suggestions welcome.

Also, there was some advice on the web that PRIO_PROCESS is used on Linux because threads are processes.  If that's not true, maybe it accounts for unexpectedly setting the priority of the whole app.

    // threads are processes on linux, so PRIO_PROCESS affects just the one thread
    setpriority(PRIO_PROCESS, getpid(), nPriority);
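An added example, not Bitcoin's code, that exercises the suspicion in this post: on Linux the nice value is per thread and the pid argument of setpriority(PRIO_PROCESS, ...) is a kernel task id, but getpid() is the id of the main thread, so the post's snippet run from a generate thread lowers the main thread's priority and leaves the caller untouched; passing the calling thread's own id (gettid, reached via syscall() here) renices only that thread. It assumes Linux with NPTL and only ever raises nice values, which needs no privilege.

```cpp
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <algorithm>
#include <cerrno>
#include <thread>

// Added example, not Bitcoin's code. Linux only: getpid() names the process
// (and, as a task id, its main thread); the calling thread's id is gettid.
static pid_t ThisThreadId() { return static_cast<pid_t>(syscall(SYS_gettid)); }

// getpriority() may legitimately return -1, so errno has to be checked.
static int NiceOf(pid_t tid) {
    errno = 0;
    int n = getpriority(PRIO_PROCESS, tid);
    return (n == -1 && errno != 0) ? -100 : n;   // -100 is outside the nice range
}

struct NiceDemo {
    int mainBefore;        // nice of the main thread before any change
    int buggyTarget;       // value the worker asks for with the post's snippet
    int mainAfterBuggy;    // ...which lands on the main thread instead
    int workerAfterBuggy;  // the worker itself is unchanged
    int fixedTarget;       // value requested with the thread's own id
    int workerAfterFixed;  // ...which lands on the worker
    int mainAfterFixed;    // main thread untouched by the fixed call
};

NiceDemo RunNiceDemo() {
    NiceDemo r{};
    const pid_t mainTid = ThisThreadId();
    r.mainBefore = NiceOf(mainTid);
    // Only raise the nice value (lower the priority); that needs no privilege.
    r.buggyTarget = std::min(r.mainBefore + 2, 19);
    r.fixedTarget = std::min(r.mainBefore + 4, 19);
    std::thread worker([&] {
        // The post's snippet: PRIO_PROCESS with getpid() from a worker thread.
        setpriority(PRIO_PROCESS, getpid(), r.buggyTarget);
        r.mainAfterBuggy = NiceOf(mainTid);
        r.workerAfterBuggy = NiceOf(ThisThreadId());
        // Thread-scoped form: the calling thread's own task id.
        setpriority(PRIO_PROCESS, ThisThreadId(), r.fixedTarget);
        r.workerAfterFixed = NiceOf(ThisThreadId());
    });
    worker.join();
    r.mainAfterFixed = NiceOf(mainTid);
    return r;
}
```

The practical consequence for a node is the one the post guesses at: a generate thread meaning to demote itself instead demotes the thread that services the network and the UI, and the generate threads keep running at normal priority.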
719	83	1	1268680616	808	1269453031	satoshi xx	1	Idea for file hosting and proxy services	When you want to upload an image to embed in a forum post, there are services like imageshack, but because they&#039;re free, they limit the number of views. &nbsp;It&#039;s a minuscule amount of bandwidth cost, but they can&#039;t just
give it away for free, there has to be something in it for them. &nbsp;It would be nice to be able to pay for the bandwidth and avoid the limits, but conventional payments are too inconvenient for such a minor thing.<br /><br />It&#039;s worse if you want to upload a file for others to download. &nbsp;There are services like rapidshare, but they require the downloaders to
go through extra steps and delays to make them look at advertising or encourage upgrading to a paid subscription, and they limit it to 10 or so downloads.<br /><br />It would be nice if we made some free PHP code for an image and file hosting service that charges Bitcoins. &nbsp;Anyone with some extra bandwidth quota could throw it on their webserver and run it. &nbsp;Users
could finally pay the minor fee to cover bandwidth cost and avoid the limits and hassles. &nbsp;Ideally, it should be MIT license or public domain.<br /><br />Services like this would be great for anonymous users, who have trouble paying for things.
729	84	6	1268768927	729	0		xx	1	Re: On IRC bootstrapping	Thanks soultcer for talking with the Freenode staffer.&nbsp; Good to know it&#039;s OK at the current size, and now they know who we are.&nbsp; They&#039;re supportive of projects like TOR so I hope they would probably be friendly to us.&nbsp; We don&#039;t want
to overstay our welcome.&nbsp; If we get too big, then by the same token, we&#039;re big enough that we don&#039;t need IRC anymore and we&#039;ll get off.<br /><br />We only needed IRC because nobody had a static IP.&nbsp; In the early days there were some steady supporters, but they all had pool-allocated IPs that change every few days.&nbsp; IRC was only intended as
a temporary solution.&nbsp; Bitcoin&#039;s built-in addr system is the main solution.<br /><br />Bitcoin can get the list of IPs from any bitcoin node.&nbsp; In that sense, every node serves as a directory server.<br /><br />When there are enough static IP nodes to have a good chance that at least one will still be running by the time the current version goes out of use,
we can preprogram a seed list.<br /><br />How do you think we should compile the seed list?&nbsp; Would it be OK to create it from the currently connected IPs that have been static for a while?<br /><br />BTW, if we want to supplement by deploying separate directory server software, may I suggest IRC?&nbsp; IRC is a good directory server (I&#039;ve heard it has other uses
too), and there are mature IRC server implementations available that anyone can run. :)&nbsp; Bitcoin&#039;s IRC client implementation is already thoroughly tested.
731	83	1	1268770654	731	0		xx	1	Re: Idea for file hosting service	That&#039;s a great idea.&nbsp; There&#039;s a thriving business in those services, but I&#039;ve always thought the standard payment methods are at odds with privacy minded customers.<br /><br />Would you consider making your software freely available
so anyone could easily set one up?&nbsp; I know for competitive reasons the inclination is to keep it to yourself, but it could get an order of magnitude more use if anyone could give proxy access to their country just by putting the software on a server.<br /><br />I wonder if there are other kinds of web application servers where we would only have to tack on the payment
mechanism to an already existing system?<br />
806	88	1	1269357761	806	0		xx	1	Re: who is bitcoin.com	It&#039;s unrelated.&nbsp; There wasn&#039;t anything there when I started.<br /><br />The price of .com registrations is lower than it should be, therefore any good name you might think of is always already taken by some domain name speculator.&nbsp; Fortunately, it&#039;s
standard for open source projects to be .org.
807	87	8	1269365734	807	0		xx	1	Re: Exchange Methods	LR and Pecunix have many established exchanges to paper currencies by various payment methods, and a number of vendors accept them as payment, so an exchange link between Bitcoin and LR/Pecunix would give us 2nd-hop access to all that. &nbsp;The possibility to cash out
through them would help support the value of bitcoins.<br /><br />Bitcoin has unique properties that would be complementary. &nbsp;LR/Pecunix are easy to spend anonymously, but hard to buy anonymously and not worth the trouble to buy in small amounts. &nbsp;Bitcoin, on the other hand, is easy to get in small amounts anonymously. &nbsp;It would be convenient to buy LR/Pecunix
with bitcoins rather than through conventional payment methods.<br /><br />Most customers who convert to LR to buy something would probably ask the seller first if they accept Bitcoin, encouraging them to start accepting it.
809	83	1	1269453717	809	0		xx	1	Re: Idea for file hosting and proxy services	Title changed.<br /><br />It helps that we have someone with actual experience running a proxy service. &nbsp;Do you think Psiphon is the best one currently? &nbsp;(sometimes the one you run was the best when you started but you found better ones later)
810	83	1	1269453775	810	0		xx	1	Re: Idea for file hosting and proxy services	Mihalism Multi Host is a popular open source PHP file hosting server.<br /><br />It&#039;s geared toward image hosting, but I think by increasing the file size limit and liberalising the allowed file extensions, it could just as easily be used for
general file upload hosting.&nbsp; They need the limits to keep it reasonable as a free service, but if we bolt on a Bitcoin payment mechanism, the limits could be relaxed.<br /><br />It doesn&#039;t have a bunch of client side scripting or anti-embedding junk to rip out.&nbsp; It generates standard links that work normally.<br /><br />There&#039;s a turnover churn in these
free hosting sites.&nbsp; Small sites can give free image hosting, but once one starts getting popular, it gets too swamped with moochers using them for free bandwidth.&nbsp; Any site that gets well known has to become more aggressively pay-naggy to cover bandwidth costs.&nbsp; It&#039;s a perfect example of a service where the needed price point is in the no-man&#039;s-land
between just a little too expensive to be free, but too cheap for most users to take the trouble of a conventional payment.&nbsp; It&#039;s in the gap between 0 and 19.95.&nbsp; The best they can do is try to maybe get 1 out of 1000 users to pay 9.95, but that has 999/1000 users treated like freeloaders.&nbsp; It can&#039;t really be advertising supported because the images
are embedded in other sites and downloaded without going to the hosting site.<br /><br />An example of a site running the software:<br />http://www.imagez.ws/<br /><br />Forum:<br />http://www.mihalism.net/<br /><br />Download:<br />http://code.google.com/p/mihalismmh/<br /><br />What do you think?&nbsp; If I made a Bitcoin payment integration for this, would anyone be
interested in running it?&nbsp; It might be the first fully automated service available to buy with Bitcoins.&nbsp; The advantage it could offer over the free services is general file upload hosting of large files without making downloading users go to the upload site and jump through hoops.&nbsp; It would give a normal link directly to the file.
1130	130	6	1274043704	1130	0		xx	1	Re: Could the bitcoin network be destroyed by someone generating endless bitcoin add	When you generate a new bitcoin address, it only takes disk space on your own computer (like 500 bytes).&nbsp; It&#039;s like generating a new PGP private key, but less CPU intensive because it&#039;s ECC.&nbsp;
The address space is effectively unlimited.&nbsp; It doesn&#039;t hurt anyone, so generate all you want.
1131	129	8	1274045856	1131	0		xx	1	Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses?	[quote author=Xunie link=topic=129.msg1124#msg1124 date=1273873973]<br />I suggest we disable IP transactions while the user uses a Proxy!<br />Just to be on the safe side.<br />[/quote]<br />That&#039;s a
good idea.&nbsp; At the very least a warning dialog explaining that it&#039;ll connect to the IP and send the information cleartext, giving the chance to cancel.<br /><br />
1132	55	6	1274049441	1134	1274053985	satoshi xx	1	Re: URI-scheme for bitcoin	[quote author=Karmicads link=topic=55.msg1038#msg1038 date=1272694013]
A freenet URI is like this:

http://127.0.0.1:8888/USK@oshw3DxmJUt7q4ThF4dCez5IXbc9hCGcv0VuwLRCmeQ,ckeXv20F1gBzkqssB4RXHZ2nB1YRT8Pb8KYZk8wj-bs,AQACAAE/occamsrazor/6/f.pdf
[/quote]

There you go, we could easily do it the same way, like:
http://127.0.0.1:8330/?to=<bitcoinaddress>;amount=<amount>

Bitcoin can answer port 8330 on local loopback just as it does for JSON-RPC on 8332. It would give an HTTP answer.

[quote author=DataWraith link=topic=55.msg1045#msg1045 date=1272798789]
A bitcoin-link should be more like mailto: than magnet: IMHO.
[/quote]

I think we can do that.

Although it would be possible for Bitcoin to take care of business in the HTTP response by presenting HTML UI to the user, as a user I would wonder if some website is trying to trick me or if I'm really talking to my own Bitcoin server.

The HTTP response could simply be HTML with the JavaScript equivalent of the back button, sending it back to the page. Bitcoin then pops up the Send Bitcoins dialog with the destination bitcoin address and amount already filled in. It would work just like a mailto: link that pops up a new email with the address filled in.

127.0.0.1 loopback is accessible by any user on the machine, it doesn't have per-user separation, but it's OK because it would only serve the convenience function of pre-filling the fields in a dialog. You'd still have to press Send. We'd have to make sure the Send button is not selected so it couldn't jump into the foreground while you're typing a space or enter.
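The loopback payment link sketched above, as an added Python example (not code from the post or the Bitcoin client): it parses the `?to=<bitcoinaddress>;amount=<amount>` query, rejects anything malformed, and builds only the "go back" HTTP reply, leaving the actual send to the user-confirmed dialog, since any user or web page on the machine can reach the loopback port. The address check is a base58 shape check only (no checksum), and the sample address is constructed.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import urlsplit, unquote

# Base58 alphabet used by Bitcoin addresses: no 0, O, I or l.
# Shape check only; checksum verification is the wallet's job.
_ADDRESS_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{26,35}$")
# Decimal amount with at most 8 fractional digits, no sign, no exponent.
_AMOUNT_RE = re.compile(r"^\d{1,8}(\.\d{1,8})?$")


def parse_payment_link(url):
    """Return {'to': address, 'amount': Decimal} for a well-formed link, else None.

    The query uses ';' between fields, as in the post, so it is split by hand
    rather than with parse_qs. Duplicate or unexpected fields are rejected
    instead of guessed at.
    """
    fields = {}
    for part in urlsplit(url).query.split(";"):
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        if key in fields:
            return None
        fields[key] = unquote(value)
    if set(fields) != {"to", "amount"}:
        return None
    if not _ADDRESS_RE.match(fields["to"]) or not _AMOUNT_RE.match(fields["amount"]):
        return None
    try:
        amount = Decimal(fields["amount"])
    except InvalidOperation:
        return None
    if amount <= 0:
        return None
    return {"to": fields["to"], "amount": amount}


def http_response(url):
    """(status, html) the loopback listener would answer with.

    The reply only sends the browser back to the page it came from; the
    pre-filled Send dialog is raised by the wallet UI, never by this response,
    and nothing here can cause coins to move.
    """
    if parse_payment_link(url) is None:
        return 400, "<html><body>Bad payment link</body></html>"
    return 200, "<html><body><script>history.back();</script></body></html>"


# Constructed sample link (the address is made up and has no valid checksum).
SAMPLE_LINK = "http://127.0.0.1:8330/?to=1ConstructedSampAddr23456789ABCD;amount=0.5"
```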
1133	135	4	1274050439	1133	0		xx	1	Re: Exception: 9key_error error Does it happen every time you run it, or just happened once at some random time?

I've never seen that fail before. It's a call to OpenSSL that I assumed would never fail, but I put an error check there just in case. I can't imagine how it would fail. Out of memory maybe.

The code is:

key.h:
    EC_KEY* pkey;

        pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
        if (pkey == NULL)
            throw key_error("CKey::CKey() : EC_KEY_new_by_curve_name failed");

NID_secp256k1 is a constant.
1134	101	4	1274052880	1135	1274055988	satoshi xx	1	Re: removing bitcoin addresses	SheriffWoody:
Bitcoin addresses you generate are kept forever. A bitcoin address must be kept to show ownership of anything sent to it. If you were able to delete a bitcoin address and someone sent to it, the money would be lost. They're only about 500 bytes.

sirius-m:
Thousands of own addresses should not be any problem at all. If you've generated 50000 BTC, then you already have 1000 own addresses, one for each 50 generated. Those are hidden, they're not shown in the UI.

It would be a good idea to add a little code that keeps giving the same address to the same IP. Here's what I did in C++ to keep giving the same key (aka bitcoin address) until they use it:

    // Keep giving the same key to the same ip until they use it
    if (!mapReuseKey.count(pfrom->addr.ip))
        mapReuseKey[pfrom->addr.ip] = GenerateNewKey();

    ...sends the key mapReuseKey[pfrom->addr.ip]

...later...

    // Received something with this key
    mapReuseKey.erase(pfrom->addr.ip);

If it's not convenient to know when you've received, just clear the cached keys every 20 minutes.

I want to add a parameter to getnewaddress for number of days to expire if nothing is received with the address.
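The per-IP key reuse described above, as an added Python rendering of the C++ snippet (not the post's or the client's own code): the same key is handed back to a peer until something is received with it, and the timed expiry covers both the "clear every 20 minutes" fallback and the proposed expire-after-N-days parameter. Key generation is a constructed placeholder, not real ECDSA key creation.

```python
import secrets


class ReuseKeyCache:
    """Hand each peer (keyed by IP, like mapReuseKey) one fresh key until it is used."""

    def __init__(self, expire_after, generate=None):
        # Seconds with nothing received before a cached key is discarded
        # (1200 for the post's 20-minute sweep, days*86400 for the proposed parameter).
        self._expire_after = expire_after
        # Placeholder generator standing in for GenerateNewKey(); a real wallet
        # would create an ECDSA key and persist it here.
        self._generate = generate or (lambda: "key_" + secrets.token_hex(8))
        self._keys = {}  # ip -> (key, issued_at)

    def key_for(self, ip, now):
        """Equivalent of: if (!mapReuseKey.count(ip)) mapReuseKey[ip] = GenerateNewKey();

        A cached key past its expiry is replaced rather than reused, so an
        abandoned request does not pin the same address to that IP forever.
        """
        entry = self._keys.get(ip)
        if entry is not None and now - entry[1] < self._expire_after:
            return entry[0]
        key = self._generate()
        self._keys[ip] = (key, now)
        return key

    def received_from(self, ip):
        """Something arrived with this peer's key: mapReuseKey.erase(ip)."""
        self._keys.pop(ip, None)

    def purge_expired(self, now):
        """The timed sweep for when receipt can't be observed; returns how many were dropped."""
        stale = [ip for ip, (_, issued) in self._keys.items() if now - issued >= self._expire_after]
        for ip in stale:
            del self._keys[ip]
        return len(stale)

    def cached_count(self):
        return len(self._keys)
```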
can update it.
- Get the src directory from the 0.3.1 release candidate posted in the development forum, any version will do:
http://www.bitcoin.org/smf/index.php?topic=383.0
- Make a subdirectory under src: locale/??/LC_MESSAGES
(?? could be anything really, "en" or your language 2-letter code)
- Put your .po file there
- Open it with poedit
- In poedit, Catalog->Update from sources

The key is that the src directory with the sourcefiles needs to be 3 directories up from the .po file.
3247	151	6	1279219434	3247	0		xx	1	Re: Website and software translations	[quote author=SmokeTooMuch link=topic=151.msg2619#msg2619 date=1279047355]
I recommend to remove the download links at the bottom of the main page.
As you can see the links on the English page point to the new 0.3 release, but the other languages only contain links for the old 0.2 version.
There's a download box with the current releases on the right anyway, so why not remove the links from the translated pages.
[/quote]
I updated them to 0.3.0.

I am tempted to remove the download links from the other languages and only keep it on English.

They will need to be updated for 0.3.1 soon. Perhaps there's a way for someone to manage the updating of the translated drupal pages.
3257	151	6	1279221134	3257	0		xx	1	Re: Website and software translations	Thanks for the Spanish and French translations! The edited and updated .po files are attached.

I uploaded these to the SVN.
3264	390	3	1279221635	3264	0		xx	1	.po file management	Does anyone want to take over management of the .po files?

You would monitor the translation forum when translators come along with .po files.

The job is basically what I've been doing with them, which includes editing the .po file as a text file to fix up spacing, using poedit on it to update the strings from the latest sourcecode and maybe fixing up anything the automatic update got wrong, generating the .mo file. Edit their e-mail address out of the header, put their forum name instead. Need to know how to use SVN. Attach the .po file back to the person so if they make any more changes they can go from the edited version. Would make more sense for a non-developer since you don't need any development skills for this.
3295	383	6	1279230034	3295	0		xx	1	Re: 0.3.1 release candidate, please test	[quote author=knightmb link=topic=383.msg3269#msg3269 date=1279222630]
On Windows, the priority of the Coin Generation is still set for normal. If you run BitCoin in Generate Coin mode, then load up something to eat up all the CPU (like CPU hog for example: http://www.microtask.ca/cpuhog.html) you'll see that both BitCoin and CPU hog share the CPU 50/50 instead of CPU Hog taking all the CPU and BitCoin running only on idle/low process. The khash/s is also reduced in half, so further evidence that the threads are not running in a lower than normal priority.
[/quote]
I was not able to reproduce this. I have dual-proc, so I ran two memory hogs. Bitcoin got 0% of CPU according to the task manager. The khash/sec meter stayed stuck because it couldn't get any CPU to update it.

Do you have dual-proc? Are you sure you weren't running a single processor hog?
3305	383	6	1279231655	3305	0		xx	1	Re: 0.3.1 release candidate, please test	[quote author=knightmb link=topic=383.msg3274#msg3274 date=1279224946]
On the Linux client (64 bit), the "minimize on close" will still minimize to tray (causing X server hang after a short while by spawning multiple tray icons).
[/quote]
I updated the first post with a link to rc2 for linux with the fix for this. Please check that this is fixed for you. Thanks!

http://www.bitcoin.org/download/bitcoin-0.3.1.rc2-linux.tar.gz
3306	383	6	1279231819	3306	0		xx	1	Re: 0.3.1 release candidate, please test	[quote author=db link=topic=383.msg3278#msg3278 date=1279226348]
The listreceivedbyaddress and getreceivedbyaddress commands are duplicated in bitcoind help. (Same in 0.3.0.)
[/quote]
Yes a bug. It'll have to be fixed in the next version.
3308	391	4	1279232306	3308	0		xx	1	Re: "SetIcons(): icon bundle doesn't contain any suitable icon"	That's surprising that we've never heard of that before now.

Maybe you're the first person to ever run it on Vista :)

I have to guess it has something to do with your display color depth selection. e.g. 8-bit, 16-bit, 24-bit, 32-bit, what is it? Do you have a weird video card, display setup or running it on a tablet or mobile or something?
3309	299	4	1279232550	3309	0		xx	1	Re: Runaway CPU usage for 64bit BitCoin (Linux Client)	The fix for the thread priority level on linux is available in the 0.3.1 release candidate here:
http://www.bitcoin.org/smf/index.php?topic=383.msg3198#msg3198
3319	383	6	1279236184	3319	0		xx	1	Re: 0.3.1 release candidate, please test	[quote author=RHorning link=topic=383.msg3311#msg3311 date=1279232968]
I don't see either happening, although it did get put into the "Startup" folder. That is so Windows 95ish (just kidding..... Microsoft has so screwed this up that it isn't even funny). I would recommend the registry settings for a number of reasons including the fact that most software puts the startup in that location, even though I personally find the startup folder to be more attractive and how most software on Windows [i]should behave[/i].
[/quote]
It could go either way. The Startup folder has the advantage that the end user can see it and manually remove it with the regular UI (not regedit) if they already blew away the Bitcoin directory and its uninstaller. Bitcoin will not relentlessly keep re-adding it if you delete it manually.

OpenOffice is another example of something that puts its link in the Startup folder.
3323	391	4	1279237283	3323	0		xx	1	Re: "SetIcons(): icon bundle doesn't contain any suitable icon"	[quote author=bdonlan link=topic=391.msg3320#msg3320 date=1279236434]
in 120DPI mode.
[/quote]
What is "120DPI mode"? Is that an actual setting somewhere? Sounds like an obscure enough candidate. I suppose it needs twice the resolution icon to fill the size of the upper left corner icon. Only one size is provided.
3339	383	6	1279241072	3339	0		xx	1	Re: 0.3.1 release candidate, please test	Run it with the undocumented switch -minimizetotray and the option is available in the options menu.

I don't know how to fix it. It's something wrong deep inside wxWidgets or GTK or Gnome.
3350	295	5	1279245727	3350	0		xx	1	Re: Donations to freebitcoins.appspot.com needed!	5 BTC seems like a lot these days, maybe the normal amount should be 1 or 2 BTC.

This is an important service so new users can at least get something if generating is too hard.
3362	391	4	1279248209	3362	0		xx	1	Re: "SetIcons(): icon bundle doesn't contain any suitable icon"	That must be it then.

It must be looking for a larger icon like 20x20 but we don't have one.
3488	43	1	1279291572	3488	0		xx	1	Re: Proof-of-work difficulty increasing The proof-of-work difficulty is currently 45.38. (see http://www.alloscomp.com/bitcoin/calculator.php)

It's about to increase again in a few hours. It's only been 3-4 days since the last increase, so I expect it will increase by the max of 4 times, or very nearly the max. That would put it at 181.54.

The target time between adjustments is 14 days, 14/3.5 days = 4.0 times increase.
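The adjustment rule from this post, carried through as an added Python example (not the client's own code): the difficulty scales by the ratio of the 14-day target span to the measured span, clamped to a factor of 4 in either direction, and the same constants give the 6 blocks per hour and 120-confirmation spending delay quoted later in the thread. Feeding it the displayed 45.38 gives 181.52; the post's 181.54 comes from the unrounded difficulty.

```python
TARGET_SPACING = 10 * 60                  # seconds per block
BLOCKS_PER_PERIOD = 2016                  # blocks between adjustments
TARGET_TIMESPAN = BLOCKS_PER_PERIOD * TARGET_SPACING   # 14 days in seconds
MAX_ADJUST = 4.0                          # cap on a single adjustment, either direction


def retarget(old_difficulty, actual_timespan):
    """New difficulty after a period that actually took actual_timespan seconds.

    The measured span is clamped to [target/4, target*4] before forming the
    ratio, so one wildly fast or slow period (or a manipulated timestamp run)
    cannot move the difficulty by more than a factor of 4.
    """
    if old_difficulty <= 0 or actual_timespan <= 0:
        raise ValueError("difficulty and timespan must be positive")
    lo = TARGET_TIMESPAN / MAX_ADJUST
    hi = TARGET_TIMESPAN * MAX_ADJUST
    clamped = min(max(actual_timespan, lo), hi)
    return old_difficulty * TARGET_TIMESPAN / clamped


def blocks_per_hour():
    """Steady-state block rate once difficulty matches the hash rate."""
    return 3600 / TARGET_SPACING


def hours_until_spendable(confirmations=120):
    """Wait before generated coins can be spent: 120 conf / 6 blocks per hour."""
    return confirmations / blocks_per_hour()
```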
3492	400	4	1279291924	3492	0		xx	1	Re: Assertion Failure - Ubuntu Lucid	That's the first time I've seen this error.

How many blocks do you have? (in the status bar)

You should move your blk*.dat files (in ~/.bitcoin) to another directory and let it start over downloading the block chain again. If you don't mind, could you keep the old blk*.dat files for a little while in case I need to look at them?
3495	296	4	1279292123	3495	0		xx	1	Re: Fedora 13 libcrypto Please try the 0.3.1 release candidate, it should at least resolve the libcrypto dependency:

http://www.bitcoin.org/smf/index.php?topic=383.0

Let me know if that works.
3499	303	4	1279292493	3499	0		xx	1	Re: Resending transaction	Bitcoin automatically rebroadcasts your transactions if it receives new blocks that don't contain them. It may take about an hour to get rebroadcasted. It is relentless though. It will keep nagging the network forever until your transaction gets into a block.
3505	383	6	1279292999	3505	0		xx	1	Re: 0.3.1 release candidate, please test	Because of all the dependencies that different systems don't have. It's easier to just static link what we can. It doesn't increase the size by very much.
3510	393	6	1279294620	3510	0		xx	1	Re: Source code documentation	I like that in libraries for the external API's, but you can probably tell from the code that I'm not a fan of it for interior functions. Big obligatory comment headers for each function space out the code and make you hesitate about creating a small little function where the comment header would be bigger than the function. They're some trouble for maintenance, as changes to the function then require duplicate changes in the comment header. I like to keep code compact so you can see more code on the screen at once.

To add them now at this point, what would be written would just be what's obvious from looking at the function.

The external API we have, in rpc.cpp, the usage documentation is in the help string.

Sorry to be a wet blanket.
3520	360	6	1279296833	3520	0		xx	1	Re: Hash() function not secure	SHA256 is not like the step from 128 bit to 160 bit.

To use an analogy, it's more like the step from 32-bit to 64-bit address space. We quickly ran out of address space with 16-bit computers, we ran out of address space with 32-bit computers at 4GB, that doesn't mean we're going to run out again with 64-bit anytime soon.

SHA256 is not going to be broken by Moore's law computational improvements in our lifetimes. If it's going to get broken, it'll be by some breakthrough cracking method. An attack that could so thoroughly vanquish SHA256 to bring it within computationally tractable range has a good chance of clobbering SHA512 too.

If we see a weakness in SHA256 coming gradually, we can transition to a new hash function after a certain block number. Everyone would have to upgrade their software by that block number. The new software would keep a new hash of all the old blocks to make sure they're not replaced with another block with the same old hash.
3524	397	6	1279298834	3524	0		xx	1	Re: Request: expected bitcoins per day display	Many businesses are like that. For a car salesman, when will the next customer walk in the door?

On the OP's question, it's a good feature, but the question is, how would we word it so people don't expect to get something after that specific amount of time? "it said 7 days and I waited more than a week and didn't get anything!" Approx, average, but still they're going to think that way. It can't be a whole sentence, unless we think of somewhere else to put it, but where would that be? Suggestions?

The difficulty quadrupled a few minutes ago to 181.54. It's going to take typically about a week to generate now.
3526	43	1	1279299414	3526	0		xx	1	Re: Proof-of-work difficulty increasing It adjusted to 181.54 a few minutes ago. Typical time to get a block is about a week now.

The difficulty can adjust down as well as up.

The network should be generating close to 6 blocks per hour now.
3534	393	6	1279300547	3534	0		xx	1	Re: Source code documentation	It's in init.cpp.

It's a wxWidgets app, so it doesn't have a main() function. It may in a little while, since I'm pretty close to making bitcoind build w/o wxBase. (it'll be in init.cpp)

Sorry about my choice of the filename "main.cpp", another possible name would have been "core.cpp". It's much too late to change. I still prefer main.cpp.

We're still in great need of sample code showing the recommended way to use the JSON-RPC functions, like for a basic account system on a typical storefront website. Using getreceivedbylabel using the username as the label, changing to a new bitcoin address once the stored one for that account gets used. I posted a sample code fragment on the forum somewhere. (search on getreceivedbylabel or getnewaddress) The sample code could be a plain vanilla bank site where you can deposit and send payments.
3536	383	6	1279301177	3536	0		xx	1	Re: 0.3.1 release candidate, please test	Good point. If you're going to have more than 8 LAN nodes connect to one gateway node, then you'd better have the gateway node set up so it can receive incoming connections. Otherwise, while the gateway node has 8 or more connections, it will not try to add any more outbound connections. As the outside nodes you're connected to come and go, it doesn't make new outbound connections to replace them. You'll be fine if you can accept incoming connections, then there will be plenty of others connecting to you.
3537	43	1	1279301368	3537	0		xx	1	Re: Proof-of-work difficulty increasing Yes, about 20 hours. (120 conf / 6 blocks per hour = 20 hours) That's the normal length of time before you can spend it. You know long before that that you won one.
3540	378	1	1279302425	3540	0		xx	1	Re: bitcoin trademark?	No, not related at all.
3545	403	1	1279303124	3545	0		xx	1	Re: The dollar cost of bitmining energy Neat chart.

Difficulty just increased by 4 times, so now your cost is US$0.02/BTC.
3559	364	6	1279304584	3559	0		xx	1	Re: Website integration for bitcoin	I've been trying to encourage someone to write and release some sample Python code showing the recommended way to do the typical accounting stuff, but to no avail. It would be nice if you didn't have to re-invent the wheel like you're doing here. Search on getnewaddress and you should find a thread where I gave a small fragment of sample pseudocode.
12368	1013	1	1284138753	12368	0		xx	1	Re: Won't let me send coins because it requires a transaction fee?	The fix is in SVN rev 151.

You will be able to send your stuck 0.01 (actually 0.01000010) when you next upgrade.
12372	1007	6	1284142266	12372	0		xx	1	Re: Auto-detect for 128-bit 4-way SSE2	[quote author=teknohog link=topic=1007.msg12336#msg12336 date=1284060725]
Since the CallCPUID function contains x86 assembler, it breaks the build on other architectures. I've changed line 2770 in main.cpp to

#if defined(__GNUC__) && defined(CRYPTOPP_X86_ASM_AVAILABLE)

to make it compile again, at least on ARM.
[/quote]
Added in SVN rev 152
12483	589	6	1284313220	12483	0		xx	1	Re: Running on a port other than 8333	[quote author=lachesis link=topic=589.msg8544#msg8544 date=1281453895]
[s]Also, does Bitcoin open the BerkeleyDB as exclusive, precluding the need for a file lock?[/s] It does not -- did my own tests.
[/quote]
Is there a way to open BerkeleyDB exclusive?

DB_PRIVATE is the worst of both worlds. DB_PRIVATE is not exclusive, but it does make it get screwed up if another process tries to access it at the same time.

I've dropped the DB_PRIVATE flag in rev 153.
12484	920	6	1284314439	12484	1284315904	satoshi xx	1	Re: RFC: remove DB_PRIVATE flag Trying it without the DB_PRIVATE flag in rev 153. We need to keep an eye on what's different.

On Windows at least, it creates six __db.001 - __db.006 files with sizes from 24K to 4MB. It doesn't delete them on exit, it just leaves them behind.

The docs say it uses memory mapped files. I assume they have the same file permissions as the database files, so the same user access restrictions apply.

Tests on Windows private LAN download of 78500 blocks:
with DB_PRIVATE      20 minutes 51 seconds
without DB_PRIVATE   20 minutes 51 seconds

I wasn't expecting them to come out exactly the same.
12494	989	6	1284319493	12494	0		xx	1	Re: Switch to GPL	If the only library is closed source, then there's a project to make an open source one.

If the only library is GPL, then there's a project to make a non-GPL one.

If the best library is MIT, Boost, new-BSD or public domain, then we can stop re-writing it.

I don't question that GPL is a good license for operating systems, especially since non-GPL code is allowed to interface with the OS. For smaller projects, I think the fear of a closed-source takeover is overdone.
13201	1023	4	1284916923	13201	0		xx	1	Re: Memory leak Bouncing between 0 and 2 connections could be if it's connecting to itself. Are you using the "-connect" switch?

Did you compile it or is this a release build, and what version?

I'm not sure how the 200Kb/sec, since it waits at least a half second between connection attempts. How fast is it flickering between 0 and 2 connections? Faster than twice a second?

The wait function on linux is:

inline void Sleep(int64 n)
{
    boost::thread::sleep(boost::get_system_time() + boost::posix_time::milliseconds(n));
}

If that doesn't work right, then it would be possible for it to spin through the loop as fast as it can.
13206	1034	6	1284922006	13206	1284923076	satoshi xx	1	Re: Issues building bitcoin on Windows 7	The lines it's tripping on:
[code]
ERROR extern map<string, string> mapAddressBook;
ERROR extern CCriticalSection cs_mapAddressBook;
ERROR extern vector<unsigned char> vchDefaultKey;
OK extern bool fClient;
OK extern int nBestHeight;


OK extern unsigned int nWalletDBUpdated;
ERROR extern DbEnv dbenv;
[/code]

So it's acting like nothing is defined, not even map and vector.

Yet, db.h is included by headers.h (and only there, nowhere else) which includes vector, map, util.h and everything before db.h.

Is VC trying to use precompiled headers and screwing it up? Could there be some leftover precompiled header files in your directory from previously failed attempts that it's finding and using?

There's an installer package now that makes it really easy to install MinGW. Don't use the latest version 4.5.0, use a few versions back like 4.4.1 (1.908.0) or 1.812.0. A setup program completely installs everything, it's not hard like it used to be. I think the only thing I had to do was rename make*.exe something to make.exe.
http://tdm-gcc.tdragon.net/

Off topic, but: It would be nice if someone would hack on getting tcatm's 4-way 128-bit SSE2 code working on Windows. There's something with MinGW's optimisation, I'm not sure but maybe a problem with 16-byte alignment on the stack, that makes it segfault. With some fiddling, I was able to get his code to work in a test program, but not in Bitcoin itself for some reason.
13211	1063	6	1284926291	13211	0		xx	1	Re: Bug?  /usr/bin/bitcoind ""	I don't know anything about any of the bug trackers. If we were to have one, we would have to make a thoroughly researched choice.

We're managing pretty well just using the forum. I'm more likely to see bugs posted in the forum, and I think other users are much more likely to help resolve and ask follow up questions here than if they were in a bug tracker. A key step is other users helping resolve the simple stuff that's not really a bug but some misunderstanding or confusion.

I keep a list of all unresolved bugs I've seen on the forum. In some cases, I'm still thinking about the best design for the fix. This isn't the kind of software where we can leave so many unresolved bugs that we need a tracker for them.
13219	1048	6	1284932970	13219	0		xx	1	Re: The case for removing IP transactions	Probably best to disable receiving by IP unless you specifically intend to use it. This is a lot of surface area that nobody uses that doesn't need to be open by default.

In storefront cases, you would typically only want customers to send payments through your automated system that only hands out bitcoin addresses associated with particular orders and accounts. Random unidentified payments volunteered to the server's IP address would be unhelpful.

In general, sending by IP has limited useful cases. If connecting directly without a proxy, the man-in-the-middle risk may be tolerable, but no privacy. If you use a privacy proxy, man-in-the-middle risk is unacceptably high. If we went to all the work of implementing SSL, only large storefronts usually go to the trouble of getting a CA cert, but most of those cases would still be better off to use bitcoin addresses.

I uploaded this change to SVN rev 156. The switch to enable is "-allowreceivebyip".

Senders with this version will get the error "Recipient is not accepting transactions sent by IP address". Older version senders will get "Transfer was not accepted".

I used a different name for the switch because "-allowiptransactions" sounds like it includes sending. If there's a better name for the switch, we can change it again.
13221	1032	1	1284936420	13221	0		xx	1	Re: Message Encryption as a built-in feature?	Theymos already said this... ECDSA does not support encrypting messages. Only digital signatures.
13829	994	1	1285258115	13829	0		xx	1	Re: Always pay transaction fee? [quote author=satoshi link=topic=994.msg12237#msg12237 date=1283967014]
The current threshold is 200KB per block, or about 1000 transactions per block. I think it should be lowered to 50KB per block. That would still be more than 100 times the average transactions per block.
[/quote]
I implemented this change in SVN rev 157.

The reason I previously made it so high was to allow very large transactions without hitting the transaction fee. The threshold was around 26,000 BTC for transactions made of 50 BTC generated coins. Even though it was 100 times easier to generate back then, only a few people ever encountered the fee at that level. The new threshold puts it at around 11,000 BTC for sending generated coins. It would mostly only be reached with generated bitcoins. If you bought your bitcoins, they'll be denominated in larger transactions and won't be anywhere near the fee limit, unless you bought them in several hundred separate transactions. Even if you do reach the fee level, you only have to pay it once to bundle your little transactions together.
13831	1269	6	1285258748	13831	0		xx	1	Internal version number In the next release (0.3.13), I'm going to change the format of the internal version number integer from 313 to 31300, for instance 31305 = 0.3.13.5. The last number represents changes on the SVN between releases and ought to be properly represented in the version number. Otherwise, it would be a pain if we had a mistake or something in one of the sub versions that needed to be worked around.
13833	960	4	1285259305	13833	0		xx	1	Re: Warning : Check your system   ( Help me )	I don't understand, are you under the impression that the program sets the system clock? It doesn't.

[quote author=Cdecker link=topic=960.msg13212#msg13212 date=1284927248]
We already have ways to synchronize (approximately) the clients, so why not make use of that?
[/quote]
We use an internal offset based on the median of other nodes' times, but for security reasons we don't let them offset us by more than an hour. If they indicate we're off by more than an hour, then we resort to alerting the user to fix their clock.
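The clock rule in the reply above, as an added Python example (not the client's own code): the adjustment is the median of peer-reported offsets, a median beyond one hour is not applied and instead raises the user-facing warning, and one sample per peer plus a minimum sample count (the count of 5 is an assumption of this example) keep a single peer from steering the median.

```python
from statistics import median

MAX_OFFSET = 60 * 60   # one hour, the cap stated in the post
MIN_SAMPLES = 5        # assumed here; below this the median is not trusted at all


class NetworkTime:
    """Track the offset between local time and what other nodes report."""

    def __init__(self):
        self._offsets = []      # one entry per distinct peer
        self._seen = set()      # peer ids already sampled
        self.clock_warning = False

    def add_peer_time(self, peer_id, peer_time, local_time):
        """Record a peer's reported time once; repeats from the same peer are ignored."""
        if peer_id in self._seen:
            return
        self._seen.add(peer_id)
        self._offsets.append(peer_time - local_time)

    def offset(self):
        """Offset actually applied: the median, or 0 when it cannot be trusted.

        A median more than an hour away is treated as a sign that our clock
        (or the peers) is wrong; we do not follow it, we warn instead.
        """
        if len(self._offsets) < MIN_SAMPLES:
            return 0
        m = int(median(self._offsets))
        if abs(m) > MAX_OFFSET:
            self.clock_warning = True
            return 0
        self.clock_warning = False
        return m

    def adjusted_time(self, local_time):
        return local_time + self.offset()
```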
13844	671	7	1285264615	16337	1286660882	satoshi xx	1	Re: Porn	Bitcoin would be convenient for people who don't have a credit card or don't want to use the cards they have, either don't want the spouse to see it on the bill or don't trust giving their number to "porn guys", or afraid of recurring billing.
13848	1271	6	1285267196	13848	0		xx	1	Re: How divisible are bitcoins - the technical side	I would not encourage using the extra decimal places. They're only intended for future use.

You are correct that above 0.01 can still have additional precision, but the recipient won't be able to see it. The UI will show it rounded down.
13849	1269	6	1285267580	13849	0		xx	1	Re: Internal version number	I don't think it should cause any problems for version comparisons. 31300 > 312.
14132	1277	3	1285520404	14132	0		xx	1	Re: Un-sticky the "Post your Static IP" thread?	Good, it really isn't needed anymore. The old IP's listed aren't known to have -allowreceivebyip so they're not much use, and we're downplaying the send-by-IP option anyway. Laszlo's IRC allows TOR users, and also they can get seeded with the seed nodes, so it's not needed for that anymore either.
14136	1283	6	1285522466	14136	0		xx	1	Re: How To Make a Distributed BitCoin Escrow Service	It's not implemented yet, but the network can support a transaction that requires two signatures. It's described here:
http://www.bitcoin.org/smf/index.php?topic=750.0

It's absolutely safer than a straight payment without escrow, but not as good as a human arbitrated escrow, assuming you trust the human enough.

In this kind of escrow, a cheater can't win, but it's still possible for you to lose. It at least takes away the profit motive for cheating you. The seller is assured that the money is reserved for him, while the buyer retains the leverage that the seller hasn't been paid yet until completion.
14714	1306	6	1285864733	14714	0		xx	1	Re: I broke my wallet, sends never confirm now. As you figured out, the root problem is we shouldn't be counting or spending transactions until they have at least 1 confirmation. 0/unconfirmed transactions are very much second class citizens. At most, they are advice that something has been received, but counting them as balance or spending them is premature.

I made changes so they show up in lighter print, with the credit amount in square brackets like [+1.23], and the amount not counted towards your balance and not available for spending. This doesn't apply to transactions you sent, which you implicitly trust, since you wrote them.

I didn't make it (+1.23) because parenthesis in accounting means negative. I hope square brackets is different enough to be clear what is meant.

The JSON-RPC interface can still see 0/unconfirmed if it wants by specifying 0 confirmations.

I uploaded the changes to SVN rev 158. I will post a 0.3.13 RC shortly.

If you have any of these transactions in your wallet, do not send any payments until you've upgraded to 0.3.13, which will be coming soon.

If you've already sent any of these transactions, or you're the creator of them, then use theymos' patch or make the following change and use it to send your clean transactions to a new wallet to clean things up.

change:
    if (pcoin->GetDepthInMainChain() < 1 && pcoin->GetDebit() <= 0)
        continue;
to:
    if (pcoin->GetDepthInMainChain() < 1)
        continue;
14720	1306	6	1285865940	14720	0		xx	1	Re: I broke my wallet, sends never confirm now.	0.3.13 release candidate, please test:
http://www.bitcoin.org/download/bitcoin-0.3.13-rc1-win32-setup.exe
14722	1322	6	1285866255	14722	0		xx	1	0.3.13 RC1 for Windows, please test	0.3.13 release candidate, to be released soon so please test:
http://www.bitcoin.org/download/bitcoin-0.3.13-rc1-win32-setup.exe

- don't count or spend payments until they have 1 confirmation
    http://www.bitcoin.org/smf/index.php?topic=1306.0
- internal version number from 312 to 31300
- only accept transactions sent by IP address if -allowreceivebyip is specified
- dropped DB_PRIVATE Berkeley DB flag
- fix problem sending the last cent with sub-cent fractional change
- auto-detect whether to use 128-bit 4-way SSE2 on Linux
Gavin Andresen:
- option -rpcallowip= to accept json-rpc connections from another machine
- clean shutdown on SIGTERM on Linux
14729	652	12	1285869032	14729	0		xx	1	Re: BitCoin Wikipedia page DELETED!!!	If you do, I think it should be a very brief, single paragraph article like 100 words or less that simply identifies what Bitcoin is.

I wish rather than deleting the article, they put a length restriction. If something is not famous enough, there could at least be a stub article identifying what it is. I often come across annoying red links of things that Wiki ought to at least have heard of.

The article could be as simple as something like:
"Bitcoin is a peer-to-peer decentralised /link/electronic currency/link/."

The more standard Wiki thing to do is that we should have a paragraph in one of the more general categories that we are an instance of, like Electronic Currency or Electronic Cash. We can probably establish a paragraph there. Again, keep it short. Just identifying what it is.
14732	1314	1	1285870316	14769	1285885215	satoshi xx	1	Re: Prioritized transactions, and tx fees	It ramps up the fee requirement as the block fills up:

<50KB  free
50KB   0.01
250KB  0.02
333KB  0.03
375KB  0.04
etc.

It's a typical pricing mechanism. After the first 50KB sells out, the price is raised to 0.01. After 250KB is sold, it goes up to 0.02. At some price, you can pretty much always get in if you're willing to outbid the other customers.

Just including the minimum 0.01 goes a long way.
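The tiers in the table above fall out of one rule once the price is scaled by the inverse of the space left in the block. The model below is an added example and not the client's code; its 500,000-byte generation limit, the 50 KB free area and the integer-division ramp are assumptions chosen to reproduce the posted numbers.

```python
"""Model of the size-based fee ramp described in the post above.

Added example, not code from the Bitcoin client.  It assumes a 500,000-byte
generation limit and an inverse-fill multiplier; the post itself only gives
the resulting tiers (<50KB free, 50KB 0.01, 250KB 0.02, 333KB 0.03, 375KB 0.04).
"""
from typing import Optional

COIN = 100_000_000                      # satoshis per BTC
CENT = COIN // 100                      # 0.01 BTC, the base fee in the post
MAX_BLOCK_SIZE_GEN = 500_000            # assumed generation limit in bytes
FREE_AREA = MAX_BLOCK_SIZE_GEN // 10    # 50 KB: free while the block is below this


def min_fee(block_fill: int) -> Optional[int]:
    """Minimum fee (satoshis) for the next transaction, given the bytes already
    in the block being built.  Returns None once the block is full: at that
    point no price buys a slot."""
    if block_fill >= MAX_BLOCK_SIZE_GEN:
        return None
    if block_fill < FREE_AREA:
        return 0
    fee = CENT
    # From half full upward the price is scaled by 1 / (fraction of space left),
    # using integer division as a C++ int64 would.
    if block_fill >= MAX_BLOCK_SIZE_GEN // 2:
        fee *= MAX_BLOCK_SIZE_GEN // (MAX_BLOCK_SIZE_GEN - block_fill)
    return fee


def tier_boundary(k: int) -> int:
    """Smallest fill (bytes) at which the multiplier reaches k.  This is where
    the post's 250KB / 333KB / 375KB steps come from (333KB is really 333,334)."""
    # MAX // (MAX - fill) >= k  <=>  MAX - fill <= MAX // k  <=>  fill >= MAX - MAX // k
    return MAX_BLOCK_SIZE_GEN - MAX_BLOCK_SIZE_GEN // k


def fee_table():
    """(fill, fee in BTC) at the step points, matching the post's table."""
    points = [FREE_AREA - 1, FREE_AREA, tier_boundary(2), tier_boundary(3), tier_boundary(4)]
    return [(p, min_fee(p) / COIN) for p in points]
```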
14734	1314	1	1285870942	14734	0		xx	1	Re: Prioritized transactions, and tx fees	True, the switch should be something more dynamic that pays per KB. It's harder to think of how to explain it.
14736	1291	4	1285871261	14736	0		xx	1	Re: Remote RPC access	It can be safe if you're using it over your own LAN, like if you have multiple servers at a location that talk to each other.

0.3.13 RC1 is available for Windows:
http://www.bitcoin.org/download/bitcoin-0.3.13-rc1-win32-setup.exe
14787	1322	6	1285893166	14787	0		xx	1	Re: 0.3.13 RC1 for Windows, please test	Too late for 0.3.13, but I'll try to find time to add it to the next version.
14788	1327	6	1285893275	15666	1286383026	satoshi xx	1	Version 0.3.13, please upgrade	Version 0.3.13 is now available. You should upgrade to prevent potential problems with 0/unconfirmed transactions. Note: 0.3.13 prevents problems if you haven't already spent a 0/unconfirmed transaction, but if that already happened, you need 0.3.13.2.

Changes:
- Don't count or spend payments until they have 1 confirmation.
- Internal version number from 312 to 31300.
- Only accept transactions sent by IP address if -allowreceivebyip is specified.
- Dropped DB_PRIVATE Berkeley DB flag.
- Fix problem sending the last cent with sub-cent fractional change.
- Auto-detect whether to use 128-bit 4-way SSE2 on Linux.
Gavin Andresen:
- Option -rpcallowip= to accept json-rpc connections from another machine.
- Clean shutdown on SIGTERM on Linux.

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.13/

(Thanks Laszlo for the Mac OSX build!)

Note:
The SSE2 auto-detect in the Linux 64-bit version doesn't work with AMD in 64-bit mode. Please try this instead and let me know if it gets it right:
http://www.bitcoin.org/download/bitcoin-0.3.13.1-specialbuild-linux64.tar.gz

You can still control the SSE2 use manually with -4way and -4way=0.

Version 0.3.13.2 (SVN rev 161) has improvements for the case where you already had 0/unconfirmed transactions that you might have already spent. Here's a Windows build of it:
http://www.bitcoin.org/download/bitcoin-0.3.13.2-win32-setup.exe
15102	1327	6	1286129826	15102	0		xx	1	Re: Version 0.3.13	[quote author=ShadowOfHarbringer link=topic=1327.msg14997#msg14997 date=1286024407]
That's nice, however the automatic 4way detection is not working on my Gentoo AMD 64 version client.

I still have to add the "-4way" switch.
[/quote]
Forgot to say, I suspected the detect might not work on 64-bit AMD. I found it hard to believe but AMD reports a different model number in 64-bit mode.

Could you grep CPUID your debug.log and tell me what it says? (and anyone else with 64-bit AMD) And what AMD chip do you have?

Do all AMDs that support 64-bit have the better SSE2 hardware also?
15110	1327	6	1286134746	15110	0		xx	1	Re: Version 0.3.13, please upgrade	Could a few people please run this special build? It'll amnesty the dust spam transactions, which will clear up the 0/unconfirmed problem for now. We really just need one block letting them through to clear up the previous transactions. Post if you generate a block with this.

These are binaries only. The linux version is 64-bit only.
http://www.bitcoin.org/download/bitcoin-0.3.13.1-specialbuild-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.13.1-specialbuild-linux64.tar.gz

SHA1 fb7c66270281ed058c570627cf7baff0bdc16e5d bitcoin-0.3.13.1-specialbuild-win32.zip
SHA1 9fc44ea5f2109618073e2cfd887e2cc266eb31a9 bitcoin-0.3.13.1-specialbuild-linux64.tar.gz

The linux 64-bit version includes a change to the cpuid 4-way 128-bit SSE2 autodetect for AMD in 64-bit mode, if you'd like to test that and see if that's better.
15112	1327	6	1286135372	15112	0		xx	1	Re: Version 0.3.13, please upgrade	[quote author=tcatm link=topic=1327.msg15111#msg15111 date=1286135145]
983 Mhash/s box.
[/quote]
Seriously? What hardware is that?
15116	1327	6	1286136144	15116	0		xx	1	Re: Version 0.3.13, please upgrade	[code]<br />diff -u old\\main.cpp new\\main.cpp<br />--- old\\main.cpp\tSun Oct 03 20:57:20 2010<br />+++ new\\main.cpp\tSun Oct 03 20:57:54 2010<br />@@ -2831,6 +2831,10 @@<br />&nbsp; &nbsp;  bool fUseSSE2 = ((fIntel &amp;&amp; nFamily * 10000 + nModel
&gt;=&nbsp; 60026) ||<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (fAMD&nbsp;  &amp;&amp; nFamily * 10000 + nModel &gt;= 160010));<br /> <br />+&nbsp; &nbsp; // AMD reports a lower model number in 64-bit mode<br />+&nbsp; &nbsp; if (fAMD &amp;&amp; sizeof(void*) &gt; 4 &amp;&amp; nFamily * 10000 + nModel &gt;= 160004)<br />+&nbsp;
&nbsp; &nbsp; &nbsp; fUseSSE2 = true;<br />+<br />&nbsp; &nbsp;  static bool fPrinted;<br />&nbsp; &nbsp;  if (!fPrinted)<br />&nbsp; &nbsp;  {<br />@@ -2989,6 +2993,17 @@<br /> <br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  // Transaction fee based on block size<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  int64
nMinFee = tx.GetMinFee(nBlockSize);<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //////// temporary code<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (nBlockSize &lt; MAX_BLOCK_SIZE_GEN / 10 &amp;&amp; GetWarnings(&quot;statusbar&quot;) == &quot;&quot;)<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; {<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (nBestHeight &lt; 91000)<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; nMinFee = 0;<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (nBestHeight &lt; 100000
&amp;&amp; nTxSize &lt; 2000)<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; nMinFee = 0;<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (nBestHeight &lt; 110000 &amp;&amp; nBestHeight % 10 == 0)<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; nMinFee = 0;<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }<br />+&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //////// temporary code<br /> <br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  map&lt;uint256, CTxIndex&gt; mapTestPoolTmp(mapTestPool);<br />&nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;	if (!tx.ConnectInputs(txdb, mapTestPoolTmp, CDiskTxPos(1,1,1), pindexPrev, nFees, false, true, nMinFee))<br />diff -u old\\serialize.h new\\serialize.h<br />--- old\\serialize.h\tSun Oct 03 20:57:45 2010<br />+++ new\\serialize.h\tSun Oct 03 20:57:54 2010<br />@@ -22,8 +22,8 @@<br /> class CAutoFile;<br />
static const unsigned int MAX_SIZE = 0x02000000;<br /> <br />-static const int VERSION = 31300;<br />-static const char* pszSubVer = &quot;&quot;;<br />+static const int VERSION = 31301;<br />+static const char* pszSubVer = &quot; test1&quot;;<br />[/code]
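Review bot: the 64-bit AMD override in the first main.cpp hunk introduces a second hard-coded threshold (160004) beside the existing 160010 with only the comment "AMD reports a lower model number in 64-bit mode"; record where the model-4 cutoff comes from (the follow-up post in this thread says it is still being confirmed against tester results) and consider folding the two checks into one expression, e.g. `(fAMD && nFamily * 10000 + nModel >= (sizeof(void*) > 4 ? 160004 : 160010))`, so the thresholds cannot drift apart. Using `sizeof(void*) > 4` as the 64-bit test is acceptable for the GCC and MSVC targets the project builds with.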
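Review bot: the block marked `//////// temporary code` in the second main.cpp hunk zeroes nMinFee under three hard-coded height conditions (below 91000 unconditionally, below 100000 for transactions under 2000 bytes, below 110000 on every tenth block) with no comment explaining any of the numbers, and it reads nTxSize, which does not appear in the hunk, so confirm that variable is in scope at that point. Since this is a one-off amnesty for stuck 0/unconfirmed transactions, add a comment stating the height at which the whole block is to be deleted, and note that the `GetWarnings("statusbar") == ""` guard switches the amnesty off for as long as any alert is active, which may be the intent but deserves saying.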
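Review bot: the serialize.h hunk changes VERSION to 31301 and pszSubVer to " test1", which lets peers tell the special build apart but also skips past the 31300 number announced in the 0.3.13 release notes; add a comment on those two lines that they belong to the special build only and must be reverted before the SSE2 and fee changes are merged.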
15136	1327	6	1286139247	15136	0		xx	1	Re: Version 0.3.13, please upgrade	[quote author=theymos link=topic=1327.msg15118#msg15118 date=1286136591]
ArtForz is already running with no fees, and he has 20-30% of the network's CPU power. The person who originally sent the broken transactions deleted his wallet, though, and the network has forgotten these historical transactions, so any transactions based on this won't confirm.
[/quote]
Transactions aren't accepted or displayed as 0/unconfirmed until your node has a path of transactions back to the block chain.

Any transactions in your wallet also have bundled with them all unrecorded transactions required to reach the block chain. If you have a transaction that is displayed as 0/unconfirmed, then you have all the previous unrecorded transactions it depends on and you will also rebroadcast those transactions when you rebroadcast yours.

If a no-fee block has already been generated and hasn't helped, then I need to look at what's wrong. It's a part of code that doesn't get much use. They should be recorded in the wallets of everyone who has a transaction depending on them.

[quote author=theymos link=topic=1327.msg15118#msg15118 date=1286136591]
The person who originally sent the broken transactions deleted his wallet
[/quote]
Sigh... why delete a wallet instead of moving it aside and keeping the old copy just in case? You should never delete a wallet.

[quote author=tcatm link=topic=1327.msg15119#msg15119 date=1286136647]
It's running. Should find a block within 3 hours.
[/quote]
It may take a while to collect re-broadcast transactions. It'll help if you can accept inbound connections so you'll be listening to more nodes. Even if you find a block in 3 hours, keep it running continuously for a few days at least.
15139	1347	6	1286140048	15139	0		xx	1	Re: [PATCH] increase block size limit	[quote author=theymos link=topic=1347.msg15126#msg15126 date=1286137719]
Applying this patch will make you incompatible with other Bitcoin clients.
[/quote]
+1 theymos. Don't use this patch, it'll make you incompatible with the network, to your own detriment.

We can phase in a change later if we get closer to needing it.
15142	1332	1	1286141404	15171	1286151761	satoshi xx	1	Re: How to overthrow the GPU Oligarchs	[quote author=theymos link=topic=1332.msg14966#msg14966 date=1285999871]
[quote author=lzsaver link=topic=1332.msg14960#msg14960 date=1285998587]
Can you tell more about it:
"they have to do weird things with extraNonce, which increases the size of the block header".
[/quote]
When you generate, you calculate hashes of the block header. Hashing more data is slower than hashing less data, so the block header is critically of a fixed size for everyone, with one exception.[/quote]
This is the point of confusion. extraNonce is not part of the block header, it is part of the first transaction. It does not slow down your hashing. It does not change the size of the header.

We need to be vigilant and nip in the bud any misconception that the contents of your block slows down your hash speed. It doesn't.

extraNonce never needs to be very big. We could reset it every second whenever the time changes if we wanted. Worst case, if you didn't want to keep track of incrementing it, extraNonce could be 4 random bytes and the chance of wasting time from collision would be negligible.

Separate machines are automatically collision proof because they have different generated public keys in the first transaction. That also goes for each thread too.
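To make the point above concrete, here is an added example (not code from the client) that serialises a one-transaction block, puts extraNonce in the coinbase input script, and checks which of the 80 header bytes change when extraNonce or the generating public key changes; the keys, timestamp and bits value are constructed.

```python
"""Why extraNonce does not change the header.  Added example, not code from
the Bitcoin client: it serialises a block whose only transaction is the
coinbase, stores extraNonce in that transaction's input script, and reports
which header fields differ between two candidates.  All values are constructed."""
import hashlib
import struct

HEADER_SIZE = 80   # version(4) prev_hash(32) merkle_root(32) time(4) bits(4) nonce(4)
DEFAULT_PUBKEY = b"\x02" + b"\x11" * 32   # constructed 33-byte key


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def varint(n: int) -> bytes:
    assert n < 0xfd   # single-byte form is enough for this example
    return bytes([n])


def coinbase_tx(extra_nonce: int, pubkey: bytes, value: int = 50 * 100_000_000) -> bytes:
    """Serialised coinbase transaction.  The input script is where extraNonce lives."""
    script_sig = struct.pack("<I", extra_nonce)
    script_pubkey = varint(len(pubkey)) + pubkey + b"\xac"   # <pubkey> OP_CHECKSIG
    return (struct.pack("<I", 1)                    # version
            + varint(1)                             # one input
            + b"\x00" * 32 + b"\xff\xff\xff\xff"    # null prevout marks a coinbase
            + varint(len(script_sig)) + script_sig
            + b"\xff\xff\xff\xff"                   # sequence
            + varint(1)                             # one output
            + struct.pack("<q", value)
            + varint(len(script_pubkey)) + script_pubkey
            + struct.pack("<I", 0))                 # lock time


def merkle_root(txs) -> bytes:
    """Merkle root over txids; an odd layer duplicates its last hash."""
    layer = [dsha256(tx) for tx in txs]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [dsha256(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


def block_header(prev_hash: bytes, root: bytes, time: int, bits: int, nonce: int) -> bytes:
    return struct.pack("<I", 1) + prev_hash + root + struct.pack("<III", time, bits, nonce)


def header_for(extra_nonce: int, nonce: int = 0, pubkey: bytes = DEFAULT_PUBKEY) -> bytes:
    """The 80 bytes a miner would hash for this extraNonce / nonce / key."""
    root = merkle_root([coinbase_tx(extra_nonce, pubkey)])
    return block_header(b"\x00" * 32, root, 1285000000, 0x1d00ffff, nonce)


def fields_differing(h1: bytes, h2: bytes):
    """Names of the header fields whose bytes differ between two headers."""
    layout = [("version", 4), ("prev_hash", 32), ("merkle_root", 32),
              ("time", 4), ("bits", 4), ("nonce", 4)]
    diff, off = [], 0
    for name, size in layout:
        if h1[off:off + size] != h2[off:off + size]:
            diff.append(name)
        off += size
    return diff
```

Whatever extraNonce is, the data fed to the hash function stays 80 bytes; only the merkle root moves, and a different generating key moves it too, which is why separate machines and threads cannot collide.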
15147	1327	6	1286142200	15147	0		xx	1	Re: Version 0.3.13, please upgrade	ShadowOfHarbringer, is yours faster with -4way?

If it is, then I'm thinking that any AMD that supports 64-bit has 128-bit SSE2.

The specialbuild version I posted here looks for model 4 or higher. If yours is faster with -4way, then I should change it to always use SSE2 with any AMD with 64-bit.
15150	1023	4	1286143620	15150	0		xx	1	Re: Memory leak	You're connecting to yourself. All 21 connection attempts were to a node with version 31300 (0.3.13). Not everyone has 0.3.13 yet.

IRC seems to be working. It ought to have other nodes to try.

There may be something I need to do to make sure it doesn't try to connect to itself again right away after disconnecting. I can't see how it's happening though, it should be resetting nLastTry which would put it to the back of the queue, but the log doesn't show it.

You can try moving addr.dat aside. Maybe there's something wrong in it.

Are you using -addnode?
15167	1327	6	1286149579	15167	0		xx	1	Re: Version 0.3.13, please upgrade	Make sure you keep your node online so it'll keep rebroadcasting transaction b412a0. I haven't seen it rebroadcast since 29/09/2010 16:41.
15176	151	6	1286156681	15176	0		xx	1	Re: Website and software translations	Thanks eurekafag, Russian translation added to SVN rev 160.
15360	151	6	1286220061	15360	0		xx	1	Re: Website and software translations	[quote author=eurekafag link=topic=151.msg15248#msg15248 date=1286189756]
Where can I find the latest English .po file to keep the translation up-to-date?
[/quote]
poedit does it. Either get the src directory from a release, or download
instruction that's really slow? I'm not sure how available it is, but I think Intel used to have a profiler for profiling on a per instruction level. I guess if tcatm doesn't have a system with the slow processor to test with, there's not much hope. But it would be really nice if this was working on most CPUs.
8388	753	6	1281379841	8393	1281380890	satoshi xx	1	Re: bitcoin generation broken in 0.3.8?	I found that SSE2 only added a slight 2% speedup, which didn't seem worth the incompatibility. I was trying to take the safer option.

It doesn't look to me like Crypto++ could be deciding whether to use SSE2 at runtime. There's one place where it detects SSE2 for deciding some block count parameter, but the SSE2 stuff is all #ifdef at compile time and I can't see how that would switch at runtime. Maybe I'm not looking in the right place.

Should we enable SSE2 in all the makefiles? It seems like we must in case someone compiles with 64-bit.

I will recompile the 64-bit part of the Linux 0.3.8 release.
8402	765	1	1281383218	8402	0		xx	1	Version 0.3.8.1 update for Linux 64-bit	When we switched to Crypto++ 5.6.0 SHA-256 in version 0.3.6, generation got broken on the Linux 64-bit build. Version 0.3.8.1 is on SourceForge with the 64-bit binary updated.

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.8/bitcoin-0.3.8.1-linux.tar.gz/download

Future versions after 0.3.8 will probably require SSE2. Anyone have Pentium 3 or older where this would be a problem?
8413	760	6	1281384806	8413	0		xx	1	Re: What could be the transition plan to Y2038 compliant Bitcoin?	[b]unsigned[/b] int is good until 2106. Surely the network will have to be totally revamped at least once by then.

There should not be any signed int. If you've found a signed int somewhere, please tell me (within the next 25 years please) and I'll change it to unsigned int.
8417	753	6	1281386046	8417	0		xx	1	Re: bitcoin generation broken in 0.3.8?  (64-bit)	I uploaded 0.3.8.1 for Linux with re-built 64-bit. I ran a difficulty 1 test with it and it has generated blocks.

http://www.bitcoin.org/smf/index.php?topic=765.0

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.8/bitcoin-0.3.8.1-linux.tar.gz/download
8422	765	1	1281387306	8422	0		xx	1	Re: Version 0.3.8.1 update for Linux 64-bit	That's a good point, I believe you could run with generation off if you don't have SSE2.

How about add to the top of cryptopp/config.h:

[code]
#if !defined(_M_X64) && !defined(__x86_64__)
#define CRYPTOPP_DISABLE_SSE2 1
#endif
[/code]

that would disable SSE2 for 32-bit builds. (at least with GCC or MSVC)
8424	766	6	1281387525	8424	0		xx	1	Connection limits	SVN rev 125:
- Always make 8 outbound connections even if have 8 inbound
- Limit outbound connections to one per a.b.?.? range
- Switch -maxconnections=#

I added the (currently undocumented) switch -maxconnections=#. You shouldn't use it unless you need to because your router can't maintain a lot of connections, then try -maxconnections=30.

I haven't really tested -maxconnections much, could someone test it?
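An added model of the first two rev 125 rules above, not the client's own code: outbound peers are chosen so that no two share the a.b.?.? range (first two octets), and the outbound target is filled regardless of how many inbound peers are already connected, so one address range cannot occupy all of a node's outbound slots. The candidate addresses are constructed.

```python
"""Model of 'one outbound connection per a.b.?.? range' and '8 outbound even
with 8 inbound'.  Added example, not code from the Bitcoin client; the address
lists used with it are constructed."""
import ipaddress

MAX_OUTBOUND = 8


def net_group(addr: str) -> str:
    """The a.b.?.? range of an IPv4 address, i.e. its first two octets."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("only IPv4 ranges are modelled here")
    return ".".join(addr.split(".")[:2])


def choose_outbound(candidates, existing_outbound=(), n_inbound=0, target=MAX_OUTBOUND):
    """Addresses to be connected to outbound after this pass.

    candidates: known addresses in the order they would be tried.
    existing_outbound: outbound connections already up; their ranges are taken.
    n_inbound: accepted but deliberately unused: inbound peers do not reduce
               the outbound target (the first rule above).
    """
    taken = {net_group(a) for a in existing_outbound}
    chosen = list(existing_outbound)
    for addr in candidates:
        if len(chosen) >= target:
            break
        group = net_group(addr)
        if group in taken:          # second rule: one outbound per range
            continue
        taken.add(group)
        chosen.append(addr)
    return chosen


def range_violations(outbound):
    """Ranges that hold more than one outbound connection (a check a node
    operator can run over its own peer list; empty means the rule holds)."""
    seen = {}
    for addr in outbound:
        seen.setdefault(net_group(addr), []).append(addr)
    return {g: addrs for g, addrs in seen.items() if len(addrs) > 1}
```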
8431	721	1	1281389319	8431	0		xx	1	Re: Bitcoin minting is thermodynamically perverse	The heat from your computer is not wasted if you need to heat your home. If you're using electric heat where you live, then your computer's heat isn't a waste. It's equal cost if you generate the heat with your computer.

If you have other cheaper heating than electric, then the waste is only the difference in cost.

If it's summer and you're using A/C, then it's twice.

Bitcoin generation should end up where it's cheapest. Maybe that will be in cold climates where there's electric heat, where it would be essentially free.
8628	765	1	1281483960	8628	0		xx	1	Re: Version 0.3.8.1 update for Linux 64-bit	SVN rev 128: disable SSE2 on 32-bit. This may only disable it for MSVC and GCC. Other compilers might have different 64-bit defines.
8637	770	1	1281485662	8637	0		xx	1	Re: Not a suggestion	This is a very interesting topic. If a solution was found, a much better, easier, more convenient implementation of Bitcoin would be possible.

Originally, a coin can be just a chain of signatures. With a timestamp service, the old ones could be dropped eventually before there's too much backtrace fan-out, or coins could be kept individually or in denominations. It's the need to check for the absence of double-spends that requires global knowledge of all transactions.

The challenge is, how do you prove that no other spends exist? It seems a node must know about all transactions to be able to verify that. If it only knows the hash of the in/outpoints, it can't check the signatures to see if an outpoint has been spent before. Do you have any ideas on this?

It's hard to think of how to apply zero-knowledge-proofs in this case.

We're trying to prove the absence of something, which seems to require knowing about all and checking that the something isn't included.
8649	750	6	1281490202	8649	0		xx	1	Re: Escrow	[quote author=jgarzik link=topic=750.msg8566#msg8566 date=1281466437]
Ask some real-world business owners if they want to tell their customers about the chance of the money being lost forever, unrecoverable by either party.
[/quote]
That makes it sound like it might somehow get lost and the parties can't get it even if they want to cooperate.

When you pay for something up front, you can't get it back either. Consumers seem comfortable with that. It's no worse than that.

Either party always has the option to release it to the other.

[quote author=nelisky link=topic=750.msg8585#msg8585 date=1281471636]
But the money burning solution, while great at preventing economically viable fraud, does nothing to prevent revenge and actually makes everyone lose if one side is dishonest. I would certainly not endorse that.
[/quote]
Then you must also be against the common system of payment up front, where the customer loses.

Payment up front: customer loses, and the thief gets the money.
Simple escrow: customer loses, but the thief doesn't get the money either.

Are you guys saying payment up front is better, because at least the thief gets the money, so at least someone gets it?

Imagine someone stole something from you. You can't get it back, but if you could, if it had a kill switch that could be remote triggered, would you do it? Would it be a good thing for thieves to know that everything you own has a kill switch and if they steal it, it'll be useless to them, although you still lose it too? If they give it back, you can re-activate it.

Imagine if gold turned to lead when stolen. If the thief gives it back, it turns to gold again.

It still seems to me the problem may be one of presenting it the right way. For one thing, not being so blunt about "money burning" for the purposes of game theory discussion. The money is never truly burned. You have the option to release it at any time forever.
8651	784	6	1281490950	8651	0		xx	1	Re: Compile error in SVN r127	Updated SVN. Thanks.

There's little hope of not repeatedly stumbling over that in the future. It doesn't break the compile for me.
8798	770	1	1281560879	8798	0		xx	1	Re: Not a suggestion	Still thinking this idea through...

The only job the network needs to do is to tell whether a spend of an outpoint is the first or not.

If we're willing to have clients keep the history for their own money, then some of the information may not need to be stored by the network, such as:
- the value
- the association of inpoints and outpoints in one transaction

The network would track a bunch of independent outpoints. It doesn't know what transactions or amounts they belong to. A client can find out if an outpoint has been spent, and it can submit a satisfying inpoint to mark it spent. The network keeps the outpoint and the first valid inpoint that proves it spent. The inpoint signs a hash of its associated next outpoint and a salt, so it can privately be shown that the signature signs a particular next outpoint if you know the salt, but publicly the network doesn't know what the next outpoint is.

I believe the clients would have to keep the entire history back to the original generated coins. Someone sending a payment would have to send data to the recipient, as well as still communicating with the network to mark outpoints spent and check that the spend is the first spend. Maybe the data transfer could be done as an e-mail attachment.

The fact that clients have to keep the entire history reduces the privacy benefit. Someone handling a lot of money still gets to see a lot of transaction history. The way it retrospectively fans out, they might end up seeing a majority of the history. Denominations could be made granular to limit fan-out, but a business handling a lot of money might still end up seeing a lot of the history.
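An added toy of the outpoint-tracking network sketched in the post above, not code from any client: the network keeps each outpoint's public key and the first valid inpoint, where the inpoint is a signature over H(next outpoint || salt), so the network can check the spend without learning where the money went while the recipient, who knows the salt, can. It assumes a Lamport one-time signature in place of the real signature scheme (a one-time key suits an outpoint that is spent at most once); the seeds and salts are constructed.

```python
"""Toy of the outpoint registry described above.  Added example, not code from
any client.  Lamport one-time signatures over SHA-256 stand in for the real
signature scheme; seeds and salts are constructed for the demonstration."""
import hashlib


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def lamport_keygen(seed: bytes):
    """256 pairs of secret preimages; the public key is their hashes."""
    sk = [[H(seed + bytes([i, j])) for j in (0, 1)] for i in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def _bit(msg32: bytes, i: int) -> int:
    return (msg32[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, msg32: bytes):
    # Reveals one preimage per message bit.  Signing a second, different
    # message with the same key leaks material, so a key is used once.
    return [sk[i][_bit(msg32, i)] for i in range(256)]


def lamport_verify(pk, msg32: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][_bit(msg32, i)] for i in range(256))


def outpoint_id(pk) -> bytes:
    """What the network indexes an outpoint by: a hash of its public key."""
    return H(b"".join(x for pair in pk for x in pair))


def commit(next_outpoint: bytes, salt: bytes) -> bytes:
    """The value an inpoint signs: hides next_outpoint from the network."""
    return H(next_outpoint + salt)


class OutpointRegistry:
    """The network's view: outpoint -> public key, and for spent outpoints the
    first valid inpoint (commitment, signature).  No values, no linkage."""

    def __init__(self):
        self.outpoints = {}   # outpoint id -> pk
        self.spent = {}       # outpoint id -> (commitment, signature)

    def register(self, oid: bytes, pk):
        self.outpoints[oid] = pk

    def is_spent(self, oid: bytes) -> bool:
        return oid in self.spent

    def submit_inpoint(self, oid: bytes, commitment: bytes, sig) -> bool:
        """Record the spend only if the outpoint exists, is unspent, and the
        signature verifies under the outpoint's key: first valid spend wins."""
        pk = self.outpoints.get(oid)
        if pk is None or oid in self.spent:
            return False
        if not lamport_verify(pk, commitment, sig):
            return False
        self.spent[oid] = (commitment, sig)
        return True


def recipient_check(registry: OutpointRegistry, oid: bytes, next_outpoint: bytes, salt: bytes) -> bool:
    """Client side: with the salt, confirm the recorded spend of oid commits to
    next_outpoint.  Without the salt the registry entry reveals nothing."""
    rec = registry.spent.get(oid)
    return rec is not None and rec[0] == commit(next_outpoint, salt)
```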
8803	782	4	1281563211	8803	0		xx	1	Re: Lost large number of bitcoins	[quote author=sirius-m link=topic=782.msg8657#msg8657 date=1281492113]
I added to the FAQ the warning to back up after each transaction. Is it necessary btw to stop the client before making a backup? That's a bit inconvenient. Automatic backups would be useful indeed.
[/quote]
You can get away with backing up without stopping the client if you don't do anything or receive a payment within a few seconds before the backup. (like 5 seconds)

[quote author=gridecon link=topic=782.msg8795#msg8795 date=1281559568]
Wait, I'm confused again. I thought the essence of the surprise was that Bitcoin is programmed to "empty your wallet" for EACH transaction.
[/quote]
No, it doesn't usually empty your wallet with each transaction. It uses the smallest set of coins it can find to add up to near the amount. In this case, unfortunately, his wallet had a single 9000 BTC bill in it, and it had to break it to get 1 BTC and 8999 BTC change.
8804	788	6	1281566425	8804	0		xx	1	Re: Where is the separate discussion devoted to possible Bitcoin weaknesses.	It doesn't have to be such a breaking change. New nodes could accept old transactions for a long time until most nodes have already upgraded before starting to refuse transactions without PoW. Or, they could always accept old transactions, but only a limited number per time period.

I've thought about PoW on transactions many times, but usually I end up thinking a 0.01 transaction fee is essentially similar and better. 0.01 is basically a proof of work, but not wasted. But if the problem is validating loads of transactions, then PoW could be checked faster.

A more general umbrella partial solution would be to implement the idea where an unlikely dropoff in blocks received is detected. Then an attacker would still need a substantial portion of the network's power to benefit from a DoS attack.

[quote author=gavinandresen link=topic=788.msg8761#msg8761 date=1281543056]
Bitcoin's p2p network is subject to various kinds of denial of service attacks.

There, I said it.
[/quote]
+1

Any demonstration tests at this point would only show what we already know, and divert dev time from strengthening the system to operational fire fighting.
8810	287	1	1281569330	8810	0		xx	1	Re: Flood attack 0.00000001 BC	It would be nice to keep the blk*.dat files small as long as we can.

The eventual solution will be to not care how big it gets.

But for now, while it's still small, it's nice to keep it small so new users can get going faster. When I eventually implement client-only mode, that won't matter much anymore.

There's more work to do on transaction fees. In the event of a flood, you would still be able to jump the queue and get your transactions into the next block by paying a 0.01 transaction fee. However, I haven't had time yet to add that option to the UI.

Scale or not, the test network will react in the same ways, but with much less wasted bandwidth and annoyance.
8814	790	6	1281571326	8814	0		xx	1	Re: BSD detection	[quote author=dkaparis link=topic=790.msg8807#msg8807 date=1281567616]
There is this piece of code in headers.h:
[tt]
#ifdef __WXMAC_OSX__
#define __WXMAC__ 1
#define __WXOSX__ 1
#define __BSD__ 1
#endif
#endif
[/tt]
[/quote]
That code was a bad idea anyway, I'm deleting it. Any Mac code should only use __WXMAC_OSX__, not __WXMAC__ or __WXOSX__, and we should stop using __BSD__.

[quote]
[tt]
#if (defined(__unix__) || defined(unix)) && !defined(USG)
#include <sys/param.h>
#endif
[/tt]
[/quote]
Will that definitely cause BSD to be defined on Mac?
8836	770	1	1281581216	8836	0		xx	1	Re: Not a suggestion	[quote author=Red link=topic=770.msg8824#msg8824 date=1281575419]
[quote author=satoshi link=topic=770.msg8798#msg8798 date=1281560879]
I believe the clients would have to keep the entire history back to the original generated coins. The fact that clients have to keep the entire history reduces the privacy benefit.
[/quote]

I thought this too at first. But then I convinced myself otherwise.
[/quote]
Are you back to talking about the existing Bitcoin system here?

I was talking about in the hypothetical system I was describing, if the network doesn't know the values and lineage of the transactions, then it can't verify them and vouch for them, so the clients would have to keep the history all the way back.

If a client wasn't present until recently, the two ways to convince it that a transaction has a valid past are:
1) Show it the entire history back to the original generated coin.
2) Show it a history back to a
when looking for received payments, and the json-rpc safe mode stops automated websites from making any more trades until they're upgraded.

The json-rpc methods that return errors during an alert are:
sendtoaddress
getbalance
getreceivedbyaddress
getreceivedbylabel
listreceivedbyaddress
listreceivedbylabel
10723	890	6	1282521452	10723	0		xx	1	Re: integrating digital payments into p2p protocols
Hey Zooko!

I wanted to thank you for posting about Bitcoin on your blog a year or two ago, back when I announced it on the Cryptography mailing list.
11068	820	6	1282689836	11068	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10
[quote author=ArtForz link=topic=820.msg10609#msg10609 date=1282409791]
[list]
[li]AMD K10: 2 128bit units[/li]
[li]intel nehalem: 3 128bit units[/li]
[/list]
[/quote]
This probably explains why hyperthreading increases performance with -4way. If three SSE2 units is excessive, then hyperthreading would help keep them all busy.
11074	898	6	1282693872	11150	1282753992	satoshi	xx	1	Re: Development of alert system
If you're so paranoid that you're getting hysterical over this, then surely you're paranoid enough that if a warning message displays on the status bar, you'll check the website and forum.

I think if another bug like the overflow bug occurs, it's important that automated websites stop trading until their admins can check out what's going on and decide what to do. If you decide it's a false alarm and want to take your chances, you can use the "-disablesafemode" switch.
11078	898	6	1282694796	11078	0		xx	1	Re: Development of alert system
This is in SVN rev 142 as version 0.3.11.
11150	898	6	1282749457	11150	1282754394	satoshi	xx	1	Re: Development of alert system
It can't do arbitrary actions remotely. Maybe some of you are responding to other posters who suggested the alert system should do more?

If there is an alert, the following json-rpc methods return an error:
sendtoaddress
getbalance
getreceivedbyaddress
getreceivedbylabel
listreceivedbyaddress
listreceivedbylabel

The remaining 14 methods function as normal.

I believe the safer option should be enabled by default. If you want your server to keep trading and ignore an alert saying the money it's receiving might be like the money from the overflow bug, then you can use the switch and not blame anyone else if you lose your money.

Worst case if you leave alerts enabled, your site stops trading until you upgrade or add the -disablesafemode switch.

Getting surprised by some temporary down time when your node would otherwise be at risk is better than getting surprised by a thief draining all your inventory.

Someday when we haven't found any new bugs for a long time and it has been thoroughly security reviewed without finding anything, this can be scaled back. I'm not arguing that this is the permanent way of things forever. It's still beta software.
11151	898	6	1282754420	11151	0		xx	1	Re: Development of alert system
I changed the switch name to -disablesafemode.
11155	898	6	1282755375	11159	1282759524	satoshi	xx	1	Re: Development of alert system
[quote author=jimbobway link=topic=898.msg11153#msg11153 date=1282754722]
[quote author=BioMike link=topic=898.msg10742#msg10742 date=1282540543]
@mizerydearia, I think the quote button is easier to find than the reply one.

So, theoretically this is a first control system where <some government> can arrest satoshi and demand
that he hands over his key (or get it from his computer) and shut down the complete network?

Or is that not possible? How far would <some government> get?
[/quote]

A few rhetorical questions for satoshi:

Can you resist waterboarding?
Can you endure electric shock?
All forms of torture?
Lastly, are you Jack Bauer by any chance? Seriously.
[/quote]
WRT the alert system, who cares? The most the key can do is temporarily disable six json-rpc commands until the site owners either add the -disablesafemode switch or upgrade. All nodes keep running and generating, the network stays up. If I'm not available, any script kiddie can figure out how to add two characters and make a new version that disables the alert system. It would be a temporary inconvenience only.

[quote author=BioMike link=topic=898.msg10742#msg10742 date=1282540543]
So, theoretically this is a first control system where <some government> can arrest satoshi and demand
that he hands over his key (or get it from his computer) and shut down the complete network?
[/quote]
This is what makes me think the people objecting don't know what they're talking about. It can't "shut down the complete network".
11158	898	6	1282759170	11158	0		xx	1	Re: Development of alert system
[quote author=nelisky link=topic=898.msg11092#msg11092 date=1282699712]
So what kind of warning do admins get from bitcoind? Is there something we can grep from debug.log? Or will rpc calls raise some specific error? Is there a way to locally force this to happen, for unittesting services?
[/quote]
getinfo has a new field that shows any alert messages or other errors that would be displayed on the status bar.

The rpc methods return a json-rpc error with the error description "Safe mode: " followed by additional text specified by the alert.

I added the switch "-testsafemode" for you. SVN rev 145.

This stuff is very new and may still be subject to change.

[quote author=mizerydearia link=topic=898.msg11079#msg11079 date=1282695110]
I just discovered http://www.bitcoin.org/wiki/doku.php?id=man_page and don't see any reference to -disablesafemode. Perhaps it should be added! Also others like -4way should be added as well.
[/quote]
Many switches are intentionally undocumented, like if their functionality is still under construction or I haven't settled on their name yet, or just test code not intended for release.

-4way should eventually be replaced by an auto-detect.
11219	898	6	1282781292	11219	0		xx	1	Re: Development of alert system
[quote author=BioMike link=topic=898.msg11162#msg11162 date=1282760625]
[quote author=satoshi link=topic=898.msg11155#msg11155 date=1282755375]
[quote author=BioMike link=topic=898.msg10742#msg10742 date=1282540543]
So, theoretically this is a first control system where <some government> can arrest satoshi and demand
that he hands over his key (or get it from his computer) and shut down the complete network?

Or is that not possible? How far would <some government> get?
[/quote]
This is what makes me think the people objecting don't know what they're talking about. It can't "shut down the complete network".
[/quote]
I've never objected to this change/idea, just asking if this was possible and to what extent.
What's wrong with getting informed? ;)
[/quote]
My apologies, your post was indeed a question not a statement.
11224	920	6	1282782808	11224	0		xx	1	Re: RFC: remove DB_PRIVATE flag
Can you provide more details about what removing DB_PRIVATE does?

I can't remember if I had a specific reason for DB_PRIVATE, or if I just copied the flags from some example code. Does removing DB_PRIVATE make it safe for other processes to open the database simultaneously? That may be an improvement, depending what the side effects are. Does it substantially reduce performance by making it have to write out every change immediately or do other coordination? Are there additional locking or coordination files then? What else changes? You could test by timing an initial block download with and without DB_PRIVATE, preferably -connect-ing to a local machine so network isn't a factor.

Apparently, DB_PRIVATE doesn't do what you would hope it would do, which is prevent other processes from being able to open the database. It still lets them, it just screws up if they do. Another option, if there's a way, would be to make it lock the database files so they can't be accessed by other processes.
11227	873	4	1282783445	11227	0		xx	1	Re: Need a post writing up some things users should know
Any backup process/procedure would just be a stopgap until there's time to properly work on coding solutions in software. We can try to use words to help the situation until code gets there.

The main backup improvement will be a pre-made pool of keys, and a rescan at load to scrape missed transactions from the block history. Then a backup will last forward for a long time.
11228	921	6	1282784260	11228	0		xx	1	Re: auto backing up of wallet.dat
I started posting in the other topic but I'll repeat here, this thread seems more specific to the topic.

The main backup improvement will be a pre-generated pool of keys and a rescan at load to scrape missed transactions from the block history. Then a backup will last forward for a long time.

I was starting to post the same idea you said, nelisky.

How about a json-rpc command that locks the wallet, flushes it, copies wallet.dat to a location you specified, then unlocks it? That would be a smaller project than the pooled keys, so maybe it could be done first.

What's the simplest portable way to copy a file? Is there something in Boost?

What should it be named? maybe:
backupwallet <destination>
11342	930	6	1282870183	11342	0		xx	1	Re: Gentoo Linux Ebuild
Try -datadir=

Last time I tried $(shell /usr/bin/wx-config), there was immediate hollering about build problems with it. There wasn't time to investigate at the time.

One problem with $(shell /usr/bin/wx-config) is it will pick up any version (wx 2.8) and any configuration (non-UTF-8) of wxWidgets that happens to be there. -lwx_gtk2ud-2.9 only matches the right configuration. It fails if wxWidgets was built with the wrong configuration.

[quote]
Iirc, chatting in #wxwidgets on freenode, the devs there were baffled why that was used.
[/quote]
Did they say why they were baffled?

[quote]
This is because on my system the path is /usr/include/wx-2.9/wx/wx.h
[/quote]
Why is it there? Was it included by the OS, or did you have to build it? If you built it, I wonder why it would put itself in a different place.

Has wxWidgets 2.9 finally started to become available as a debian package?

Maybe we should do this:

INCLUDEPATHS= \
 -I"/usr/local/include/wx-2.9" \
 -I"/usr/local/lib/wx/include/gtk2-unicode-debug-static-2.9" \
 -I"/usr/include/wx-2.9" \
 -I"/usr/lib/wx/include/gtk2-unicode-debug-static-2.9"

Again, those paths help make sure it's only 2.9 and will fail with 2.8.

wxWidgets 2.8 comes in ANSI and UTF-16, both wrong for us. It's tempting because it's so easily available as a package; a lot of people were frustrated by it until we started hardcoding 2.9 into the makefile.
11345	921	6	1282871622	11345	0		xx	1	Re: auto backing up of wallet.dat
If you read it into memory and write it out, it could fail in tight memory situations.

I'm looking for something like copyfile(const char* from, const char* to) or copyfile(path from, path to), preferably something in Boost if it has it. If you find it for me, it's more likely I'll get to implementing it.

[quote author=nelisky link=topic=921.msg11232#msg11232 date=1282785717]
As for the file copy, why add to the boost dependency? I for one would love to get a core lib with very little deps.
[/quote]
We require Boost for JSON and a dozen things replacing dependencies on wxWidgets. Boost is good, portable stuff, we should not shy away from it.
11350	921	6	1282877647	11350	0		xx	1	Re: auto backing up of wallet.dat
I doubt there's an mmap(2) on Windows. I'd rather call an existing file copy function than make and test my own.

[quote author=nelisky link=topic=921.msg11346#msg11346 date=1282872069]
But if you are already using features from boost::filesystem you can use copy_file from that. I just think that, if not already required for something else, it's a tad overkill.
[/quote]
Thanks. I thought it would be in there somewhere.

We already use boost::filesystem in a dozen places. It's not a new added dependency. It gives us a lot of portable stuff that we would otherwise have to have a #ifdef for each OS and test everywhere.
11399	921	6	1282924077	11400	1282925765	satoshi	xx	1	Re: auto backing up of wallet.dat
Sorry, I've been so busy lately I've been skimming messages and I still can't keep up.

We want to avoid Windows API calls whenever possible. They usually take about 6-8 parameters and a lot of testing to get right, it takes a page of code to do something simple.

I usually shy away from iostreams. Seems like I too often hit limitations. They kind of botched the C++ streams standard in the 90's, which is too bad, streams can be very powerful and useful when done right. Using it in rpc.cpp may still turn out to be a mistake.

Bottom line is I'd rather call an existing file copy function than make and test my own.
11400	928	6	1282925596	11400	0		xx	1	Re: New web service: obtain dump of bitcoin block NNNN
That's kind of interesting as an upside-down bar chart of how many blocks were produced each day. The target is 144 blocks per day.
11403	845	7	1282927166	11407	1282932204	satoshi	xx	1	Re: Bitcoins are most like shares of common stock
Bitcoins have no dividend or potential future dividend, therefore not like a stock.

More like a collectible or commodity.
11405	583	7	1282930327	11409	1282933037	satoshi	xx	1	Re: Bitcoin does NOT violate Mises' Regression Theorem
As a thought experiment, imagine there was a base metal as scarce as gold but with the following properties:
- boring grey in colour
- not a good conductor of electricity
- not particularly strong, but not ductile
5769	461	6	1280094256	5769	0		xx	1	Re: JSON-RPC password
[quote author=BitLex link=topic=461.msg5753#msg5753 date=1280090738]
i got some problems here too trying to get this run on PHP.
so far i had no luck, neither the wiki-sample (jsonRPCClient trying to fopen(http://username:password@localhost:8332/)), nor my curl-sample (using setopt CURLOPT_HTTPAUTH, CURLAUTH_BASIC) seem to work.
[/quote]
That's strange, didn't someone just say that was supposed to work? (what library was he using?) Post if you figure out what's wrong.

I hope it's not going to put up this much of a fight for all PHP users.

Looks like we've got the Fortran scenario already.
5771	461	6	1280094691	5771	0		xx	1	Re: JSON-RPC password
[quote author=gavinandresen link=topic=461.msg5768#msg5768 date=1280093899]
Great catch! Simpler fix is to specify the BIO_FLAGS_BASE64_NO_NL in the rpc.cpp/EncodeBase64 function
[/quote]
SVN rev 111
5772	458	4	1280095617	5772	0		xx	1	Re: md5?
For future reference, here's my public key. It's the same one that's been there since the bitcoin.org site first went up in 2008. Grab it now in case you need it later.

http://www.bitcoin.org/Satoshi_Nakamoto.asc
5778	571	6	1280096856	5778	0		xx	1	Re: Stealing Coins
Sorry, actually it's ECDSA (Elliptic Curve Digital Signature Algorithm) not RSA. I shouldn't have said "prime numbers". ECDSA doesn't take much time to generate a keypair.
5904	576	6	1280165013	5904	0		xx	1	bitcoind without wxWidgets
I replaced the last of the few wxBase dependencies in bitcoind.

bitcoind now compiles without wxWidgets or wxBase in SVN rev 112.

main(int argc, char* argv[]) is added to init.cpp. CMyApp and the Startup folder stuff are moved to ui.cpp. ui.cpp and uibase.cpp aren't linked by bitcoind.

The makefiles have -DGUI to control whether the GUI is used.

I test compiled MinGW, VC and Ubuntu. I don't know if I broke the Mac OSX build, someone will need to check that.
5920	501	6	1280169691	5920	0		xx	1	Re: Bitcoin x64 for Windows
[quote author=Olipro link=topic=501.msg5815#msg5815 date=1280126357]
Credit to tcatm for the caching part of the SHA context - this offers absolutely brilliant performance. Additionally, the Intel compiler really comes into its own here as its parallelisation abilities give a massive performance boost over Visual Studio.

Performance: 4700khash/s on 4 cores, I think that speaks for itself.

I've included both the VS and Intel build, but there's really no comparison, the Intel build craps all over VS.
[/quote]
Is that still starting from Crypto++? Let's get this into the main sourcecode.
5978	572	6	1280194182	5978	0		xx	1	Re: Bitcoin x86 for Windows
[quote author=Olipro link=topic=572.msg5851#msg5851 date=1280149481]
Crypto++ 5.6.0: http://www.cryptopp.com/
Cached SHA256: http://pastebin.com/rJAYZJ32 (although I'm pretty sure this is publicly submitted elsewhere, I was linked to it on IRC)
[/quote]
I added the cached SHA256 state idea to the SVN, rev 113. The speedup is about 70%. I credited it to tcatm based on your post in the x64 thread.

I can compile the Crypto++ 5.6.0 ASM SHA code with MinGW but as soon as it runs it crashes. It says it's for MASM (Microsoft's assembler) and the sample command line they give looks like Visual C++. Does it only work with the MSVC and Intel compilers?
5990	43	1	1280199898	5990	0		xx	1	Re: Proof-of-work difficulty increasing
New difficulty factor 244.213223092
+35%

I updated the first post.

date, difficulty factor, % change
2009            1.00
30/12/2009      1.18    +18%
11/01/2010      1.31    +11%
25/01/2010      1.34     +2%
04/02/2010      1.82    +36%
14/02/2010      2.53    +39%
24/02/2010      3.78    +49%
08/03/2010      4.53    +20%
21/03/2010      4.57     +9%
01/04/2010      6.09    +33%
12/04/2010      7.82    +28%
21/04/2010     11.46    +47%
04/05/2010     12.85    +12%
19/05/2010     11.85     -8%
29/05/2010     16.62    +40%
11/06/2010     17.38     +5%
24/06/2010     19.41    +12%
06/07/2010     23.50    +21%
13/07/2010     45.38    +93%
16/07/2010    181.54   +300%
27/07/2010    244.21    +35%
6069	572	6	1280255250	6082	1280259888	satoshi	xx	1	Re: Bitcoin x86 for Windows
[quote author=BlackEye link=topic=453.msg5774#msg5774 date=1280095943]
I was able to integrate the SHA256 functionality from Crypto++ 5.6.0 into Bitcoin. This is the fastest SHA256 yet using the SSE2 assembly code. Since Bitcoin was sending unaligned data to the block hash function, I had to change the MOVDQA instruction to MOVDQU.

I think using the SHA256 functionality from Crypto++ 5.6.0 is the way forward right now.
[/quote]
I added a subset of the Crypto++ 5.6.0 library to the SVN. I stripped it down to just SHA and 11 general dependency files. There shouldn't be any other crypto in there other than SHA.

I aligned the data fields and it worked. The ASM SHA-256 is about 48% faster. The combined speedup is about 2.5x faster than version 0.3.3.

I guess it's using SSE2. It automatically sets its build configuration at compile time based on the compiler environment.

It looks like it has some SSE2 detection at runtime, but it's hard to tell if it actually uses it to fall back if it's not available. I want the release builds to have SSE2. SSE2 has been around since the first Pentium 4. A Pentium 3 or older would be so slow, you'd be wasting your electricity trying to generate on it anyway.

This is SVN rev 114.
6083	572	6	1280260062	6083	0		xx	1	Re: Bitcoin x86 for Windows
OK, thanks. I'd also like to know if it runs fine as long as you don't turn on Generate. You'd think as long as it doesn't actually execute any SSE2 instructions, it would still load. At least Pentium 3's could run it without generating.
6268	601	4	1280350706	6268	0		xx	1	Re: Having problems specifying -datadir
I was able to reproduce this. The database doesn't like the relative path.

"bitcoind -datadir=./subdir getinfo" works against a running daemon, but trying to start the daemon as "bitcoind -datadir=./subdir" gets that exception.

I guess we should resolve the full path before passing it to the database.

It looks like you were the first one to ever use -datadir with a relative path.
6273	604	6	1280352203	6273	0		xx	1	Re: Build error SVN r115 on my Mac: workaround
Was that the only thing I broke in the OSX build?! Does it actually work after just that one change?

I had to do that for makefile.vc also. It compiled, but SHA-256 didn't work correctly; it returned the same incorrect hash each time.

We'll disable it now, and if anyone figures out how to fix it, we can re-enable it then. It's still 1.7x faster from the midstate optimisation.

The Crypto++ ASM SHA-256 works with GCC on Linux and Windows (MinGW).

I uploaded this makefile.osx change to SVN. (let me know if that compiles now)
6301	587	6	1280366183	6301	0		xx	1	Re: Difficulty
You were looking at the wrong code. Here's the code that applies:

[code]
bool CBlock::CheckBlock() const
{
...
    // Check timestamp
    if (nTime > GetAdjustedTime() + 2 * 60 * 60)
        return error("CheckBlock() : block timestamp too far in the future");
...

bool CBlock::AcceptBlock()
{
    ...
    // Check timestamp against prev
    if (nTime <= pindexPrev->GetMedianTimePast())
        return error("AcceptBlock() : block's timestamp is too early");
[/code]

The timestamp is limited to up to 2 hours in the future. It can be earlier than the previous block, but it must be greater than the median of the last 11 blocks. The reason for doing it that way is so the time can get corrected in the next block if the previous block had the time too far in the future, like what happened.
6306	532	6	1280368838	6306	0		xx	1	Re: Scalability and transaction rate
The current system where every user is a network node is not the intended configuration for large scale. That would be like every Usenet user runs their own NNTP server. The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms. The rest will be client nodes that only do transactions and don't generate.

[quote author=bytemaster link=topic=532.msg6269#msg6269 date=1280350782]
Besides, 10 minutes is too long to verify that payment is good. It needs to be as fast as swiping a credit card is today.
[/quote]
See the snack machine thread, I outline how a payment processor could verify payments well enough, actually really well (much lower fraud rate than credit cards), in something like 10 seconds or less. If you don't believe me or don't get it, I don't have time to try to convince you, sorry.
http://www.bitcoin.org/smf/index.php?topic=423.msg3819#msg3819
6307	338	4	1280369446	6307	0		xx	1	Re: wiki registration email?
WTF? How did we get on that? AFAIK, the only e-mail is if you tell the forum to do notifications, and I guess the wiki registration. I'd consider turning off the forum notification e-mails, I don't know why we have that.
6451	626	1	1280430786	15289	1286199456	satoshi	exclamation	1	*** ALERT *** Upgrade to 0.3.6
Please upgrade to 0.3.6 ASAP! We fixed an implementation bug where it was possible that bogus transactions could be displayed as accepted. Do not accept Bitcoin transactions as payment until you upgrade to version 0.3.6!

If you can't upgrade to 0.3.6 right away, it's best to shut down your Bitcoin node until you do.

Also in 0.3.6, faster hashing:
- midstate cache optimisation thanks to tcatm
- Crypto++ ASM SHA-256 thanks to BlackEye
Total generating speedup 2.4x faster.

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.6/

Windows and Linux users: if you got 0.3.5 you still need to upgrade to 0.3.6.
6469	626	1	1280433351	6469	0		xx	1	Re: *** ALERT *** version 0.3.6
Haven't had time to update the SVN yet. Wait for 0.3.6, I'm building it now. You can shut down your node in the meantime.
6480	626	1	1280435415	6480	0		xx	1	Re: *** ALERT *** version 0.3.6
SVN is updated with version 0.3.6.

Uploading Windows build of 0.3.6 to Sourceforge now, then will rebuild linux.
6490	626	1	1280438438	6500	1280439408	satoshi	xx	1	Re: *** ALERT *** Upgrade to 0.3.6 ASAP!
0.3.6 Linux build is back to the old makefile.unix. It static links libjpeg so that shouldn't be a problem.

Is that working better?

If you got 22DbRunRecoveryException and you've used someone else's build before, you may need to delete (or move the files somewhere else) database/log.000000*

Windows and Linux users: if you got 0.3.5 you still need to upgrade to 0.3.6.
6502	626	1	1280439795	6502	0		xx	1	Re: *** ALERT *** Upgrade to 0.3.6 ASAP!
"./bitcoin: /lib64/libc.so.6: version `GLIBC_2.11' not found (required by ./bitcoin)" isn't a new problem that started with 0.3.6 is it? This was built on the same OS installations as 0.3.0.

Unfortunately I upgraded to Ubuntu 10.04 before 0.3.0. I will not upgrade anymore. I don't know when I might have time to reinstall to downgrade, but at least by not upgrading, it'll gradually fix itself.
6508	628	6	1280441055	6508	0		xx	1	Re: Implementation bug prior to 0.3.6
Actually, it works well to just PM me. I'm the one who's going to be fixing it. If you find a security flaw, I would definitely like to hear from you privately to fix it before it goes public.
6512	615	4	1280441311	6512	0		xx	1	Re: Transaction disappeared in the void...
If the transaction didn't go out immediately at first, like if you weren't connected at the time, it may take up to 2 hours to resend it. Long term, it does keep relentlessly sending it.

I'll shorten that length of time in a future version.

You do need to have downloaded the complete block chain (currently 71040 blocks) before you'll see any confirms. Same with the recipient.
6516	612	4	1280441844	6516	0		xx	1	Re: Linux distribution download
Yeah, acutely aware that I should have stayed on 9.04 or 9.10. It's a lot more work to downgrade than upgrade and I've been squeezed for time. Ubuntu is the most popular distro, so I'm staying with that.
6542	626	1	1280445132	6542	0		xx	1	Re: *** ALERT *** Upgrade to 0.3.6 ASAP!
[quote author=lachesis link=topic=626.msg6515#msg6515 date=1280441676]
On Debian testing 32-bit, I get a few build errors, all resembling:
[code]script.cpp:114: error: was not declared in this scope[/code]
I got these when attempting to "make bitcoind" without "make clean" or "make" first. It looks like the bitcoind build instructions don't compile the headers first, but they also don't delete the headers.h.gch, so the old headers are used if present.

If anyone else gets this error, the simplest solution is to "make clean" and retry the build.
[/quote]
We don't really need the pre-compiled header. It only makes it compile slightly faster. I think I'll just get rid of it. Even still, you'd still need to remember to "make -f makefile.unix clean" or delete headers.h.gch one more time to get rid of the leftover file.

Damn that GLIBC_2.11. I thought I'd been careful not to accept any of the updates.
thoroughly deep block, then trust that if so many nodes all said the history up to then was correct then it must be true.

But if the network didn't know all the values and lineage of the transactions, it couldn't do 2), I don't think.
8919	790	6	1281647660	8919	0		xx	1	Re: BSD detection
This is in SVN rev 130. Check that it compiles right.

[code]
#if (defined(__unix__) || defined(unix)) && !defined(USG)
#include <sys/param.h>  // to get BSD define
#endif
#ifdef __WXMAC_OSX__
#ifndef BSD
#define BSD 1
#endif
#endif
[/code]
8920	795	6	1281648031	8920	0		xx	1	Bugfixes in SVN rev 130
Misc bugfixes in rev 130:

fix -datadir with relative path
autostart is now off by default except on windows
fix occasional "vector iterator not dereferencable" assertion when compiled with msvc
fix readlink compile warning on linux build
use sys/param.h and BSD define instead of __BSD__
-paytxfee switch, e.g. -paytxfee=0.01
8922	691	6	1281648884	8922	0		xx	1	Re: Bitcoin Watchdog Service
True, there would probably be someone with a dial-up modem or satellite dish internet. Rarer would be someone who has both that and the wired internet that has the outage, but if it's a big enough segment to matter, out of a million people there's bound to be a multi-home geek.

ISP network cuts are just your local area. If you still have communication with the rest of your area, it would probably be something like 1/1000 of the world or less. Block generation in the segment would take several hours per block.

I favour the plan to monitor if the frequency of blocks received drops too slow. That covers a large range of possibilities.
8924	601	4	1281649409	8924	0		xx	1	Re: Having problems specifying -datadir
Fixed in SVN rev 130.
8929	648	6	1281650843	8958	1281667996	satoshi	xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6
That big of a difference in speed, by a factor of 4 or 6, feels like it's likely to be some quirky weak spot or instruction that the old chip is slow with. Unless it's a touted feature of the i5 that they made SSE2 six times faster.

A quick summary:
Xeon Quad         41% slower
Core 2 Duo        55% slower
Core 2 Duo        same (vess)
Core 2 Quad       50% slower
Core i5          200% faster (nelisky)
Core i5          100% faster (vess)
AMD Opteron      105% faster

aceat64:
My system went from ~7100 to ~4200.
This particular system has dual Intel Xeon Quad-Core CPUs (E5335) @ 2.00GHz.

impossible7:
on an Intel Core 2 Duo T7300 running x86_64 linux it was 55% slower compared to the stock version (r121)

nelisky:
My Core2Quad (Q6600) slowed down 50%,
my i5 improved ~200%,

impossible7:
on an AMD Opteron 2374 HE running x86_64 linux I got a 105% improvement (!)
8960	795	6	1281669323	8960	0		xx	1	Re: Bugfixes in SVN rev 130	No, that's not what it is.

-paytxfee allows you to include a transaction fee with your transactions. If transaction confirmations become slow, you can get priority by using "-paytxfee=0.01". Any transactions you send would cost an extra 0.01. There's no reason to use more than 0.01.

It's just there in case we need it. It probably won't be needed, and it can be explained more if we do.
9041	691	6	1281719367	9041	0		xx	1	Re: Bitcoin Watchdog Service	[quote]
But there will be no irc server to bootstrap from.
[/quote]
Which doesn't matter because you can't access sourceforge to download the software either.

If you've ever been connected before, you don't need IRC to bootstrap anymore. Even if you haven't, you can bootstrap from seed nodes. IRC is completely redundant since 0.3.0.
9046	806	6	1281721200	9452	1281888021	satoshi xx	1	Version 0.3.9 rc1, please test	Here's a test build if you'd like to help test before 0.3.9 is released.
(or if you'd rather get upgrading out of the way now instead of waiting)

Downloads: (binaries only)
http://www.bitcoin.org/download/bitcoin-0.3.9.rc1-win32.zip
(http://www.bitcoin.org/download/bitcoin-0.3.9.rc1-linux.tar.gz)

SHA1 a36ea00cce27b4b083755df73a3d1e5e5729884e bitcoin-0.3.9.rc1-win32.zip
SHA1 bbb333b0ea57302740ad1bb9948520d00f884f9d bitcoin-0.3.9.rc1-linux.tar.gz

Edit:
Linux please test rc2 instead. This adds a -4way switch for tcatm's 4-way SSE2. This will only be for Linux:
http://www.bitcoin.org/download/bitcoin-0.3.9.rc2-linux.tar.gz

SHA1 47d9998f7d15fe81234a5c89a542da9d0664df40 bitcoin-0.3.9.rc2-linux.tar.gz

Please report back your results
http://www.bitcoin.org/smf/index.php?topic=820
9074	770	1	1281727727	9074	0		xx	1	Re: Not a suggestion	I'm not grasping your idea yet. Does it hide any information from the public network? What is the advantage?

If at least 50% of nodes validated transactions enough that old transactions can be discarded, then everyone saw everything and could keep a record of it.

Can public nodes see the values of transactions? Can they see which previous transaction the value came from? If they can, then they know everything. If they can't, then they couldn't verify that the value came from a valid source, so you couldn't take their generated chain as verification of it.

Does it hide the bitcoin addresses? Is that it? OK, maybe now I see, if that's it.

Crypto may offer a way to do "key blinding". I did some research and it was obscure, but there may be something there. "group signatures" may be related.

There's something here in the general area:
http://www.users.zetnet.co.uk/hopwood/crypto/rh/

What we need is a way to generate additional blinded variations of a public key. The blinded variations would have the same properties as the root public key, such that the private key could generate a signature for any one of them. Others could not tell if a blinded key is related to the root key, or other blinded keys from the same root key. These are the properties of blinding. Blinding, in a nutshell, is x = (x * large_random_int) mod m.

When paying to a bitcoin address, you would generate a new blinded key for each use.

Then you need to be able to sign a signature such that you can't tell that two signatures came from the same private key. I'm not sure if always signing a different blinded public key would already give you this property. If not, I think that's where group signatures come in. With group signatures, it is possible for something to be signed but not know who signed it.

As an example, say some unpopular military attack has to be ordered, but nobody wants to go down in history as the one who ordered it. If 10 leaders have private keys, one of them could sign the order and you wouldn't know who did it.
9134	807	6	1281742754	9134	0		xx	1	Re: Proposed change to sendtoaddress API call	It's too soon to start junking up the API for backward compatibility at all costs.

Just return "<txid>".
9145	648	6	1281746958	9145	0		xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6	MinGW on Windows has trouble compiling it:

[code]
g++ -c -mthreads -O2 -w -Wno-invalid-offsetof -Wformat -g -D__WXDEBUG__ -DWIN32 -D__WXMSW__ -D_WINDOWS -DNOPCH -I"/boost" -I"/db/build_unix" -I"/openssl/include" -I"/wxwidgets/lib/gcc_lib/mswud" -I"/wxwidgets/include" -msse2 -O3 -o obj/sha256.o sha256.cpp

sha256.cpp: In function `long long int __vector__ Ch(long long int __vector__, long long int __vector__, long long int __vector__)':
sha256.cpp:31: internal compiler error: in perform_integral_promotions, at cp/typeck.c:1454
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://www.mingw.org/bugs.shtml> for instructions.
make: *** [obj/sha256.o] Error 1
[/code]
9159	648	6	1281759749	9161	1281763550	satoshi xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6	If you haven't already, try aligning thash. It might matter. Couldn't hurt.

[quote author=tcatm link=topic=648.msg9147#msg9147 date=1281747187]
Looks like we're triggering a compiler bug in the tree optimizer. Can you try to compile it -O0?
[/quote]
No help from -O0, same error.

MinGW is GCC 3.4.5. Probably the problem.

I'll see if I can get a newer version of MinGW.
9228	648	6	1281808537	9228	0		xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6	Got the test working on 32-bit with MinGW GCC 4.5. Exactly 50% slower than stock with Core 2.
9278	648	6	1281823573	9359	1281843827	satoshi xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6	MinGW GCC 4.5.0:
Crypto++ doesn't work, X86_SHA256_HashBlocks() never returns
I only got 4-way working with test.cpp but not when called by BitcoinMiner

MinGW GCC 4.4.1:
Crypto++ works
4-way SIGSEGV

GCC is definitely not aligning __m128i.

Even if we align our own __m128i variables, the compiler may decide to use a __m128i behind the scenes as a temporary variable.

By making our __m128i variables aligned and changing these inlines to defines, I was able to get it to work on 4.4.1 with -O0 only:
[code]
#define Ch(b, c, d)   ((b & c) ^ (~b & d))
#define Maj(b, c, d)  ((b & c) ^ (b & d) ^ (c & d))
#define ROTR(x, n)    (_mm_srli_epi32(x, n) | _mm_slli_epi32(x, 32 - n))
#define SHR(x, n)     _mm_srli_epi32(x, n)
[/code]

But that's with -O0.
9359	648	6	1281843629	9359	0		xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6	On both MinGW GCC 4.4.1 and 4.5.0 I have it working with test.cpp but SIGSEGV when called by BitcoinMiner. &nbsp;So now it doesn&#039;t look like it&#039;s the version of GCC, it&#039;s something else, maybe just the luck of how the stack is
aligned.<br /><br />I have it working fine on GCC 4.3.3 on Ubuntu 32-bit.<br /><br />I found the problem with Crypto++ on MinGW 4.5.0. &nbsp;Here&#039;s the patch for that:<br />[code]<br />--- \\old\\sha.cpp\tMon Jul 26 13:31:11 2010<br />+++ \\new\\sha.cpp\tSat Aug 14 20:21:08 2010<br />@@ -336,7 +336,7 @@<br /> \tROUND(14, 0, eax, ecx, edi, edx)<br /> \tROUND(15, 0,
ecx, eax, edx, edi)<br /> <br />-\tASL(1)<br />+ &nbsp; &nbsp;ASL(label1) &nbsp; // Bitcoin: fix for MinGW GCC 4.5<br /> \tAS2(add WORD_REG(si), 4*16)<br /> \tROUND(0, 1, eax, ecx, edi, edx)<br /> \tROUND(1, 1, ecx, eax, edx, edi)<br />@@ -355,7 +355,7 @@<br /> \tROUND(14, 1, eax, ecx, edi, edx)<br /> \tROUND(15, 1, ecx, eax, edx, edi)<br /> \tAS2(\tcmp\t\tWORD_REG(si),
K_END)<br />-\tASJ(\tjne,\t1, b)<br />+ &nbsp; &nbsp;ASJ( &nbsp; &nbsp;jne, &nbsp; &nbsp;label1, &nbsp;) &nbsp; // Bitcoin: fix for MinGW GCC 4.5<br /> <br /> \tAS2(\tmov\t\tWORD_REG(dx), DATA_SAVE)<br /> \tAS2(\tadd\t\tWORD_REG(dx), 64)<br />[/code]<br />
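Review bot: both hunks swap the numeric local label `1` (`ASL(1)` paired with `ASJ(jne, 1, b)`) for a named label `label1` and leave the third ASJ argument empty (`ASJ( jne, label1, )`); a named label is emitted verbatim into the assembly, so if this asm body is ever expanded twice in one translation unit (through inlining or a second instantiation) the assembler will reject the duplicate definition of `label1`, which is exactly what the reusable `1:`/`1b` form avoids. Worth confirming that the ASJ macro tolerates the empty direction argument on every supported toolchain, and the `// Bitcoin: fix for MinGW GCC 4.5` comment should state what GCC 4.5 rejected about the numeric form so the workaround can be dropped once that compiler is no longer supported. Style point: the added lines are indented with spaces where the surrounding file uses tabs.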
9452	820	6	1281887529	9653	1281927129	satoshi xx	1	tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10	0.3.10 has tcatm's 4-way SSE2 as an option switch.

Use the switch "-4way" to turn it on. Without the switch you get Crypto++ ASM SHA-256.

I could only get this working with Linux.

Download:
Get 0.3.10 from http://www.bitcoin.org/smf/index.php?topic=827.0

Please report back your CPU and results! I think it's pretty clear that Core 2 and lower are slower, i5 faster. I don't think we've heard any i7 results yet. We need to know about the different models of AMD or other less common CPUs.
9454	813	1	1281890236	9454	1281891016	satoshi xx	1	Re: Potential disaster scenario	Some places where generation will gravitate to:
1) places where it's cheapest or free
2) people who want to help for ideological reasons
3) people who want to get some coins without the inconvenience of doing a transaction to buy them

There are legitimate places where it's free. Generation is basically free anywhere that has electric heat, since your computer's heat is offsetting your baseboard electric heating. Many small flats have electric heat out of convenience.

How expensive is heating oil? With the price of oil so high, if it's actually more expensive than electric, then generating would have negative cost.

There's also kids putting it on their parents' power bill, employees their employer, botnets, etc.

Case 3 comes into play for small amounts. The overhead of doing an exchange doesn't make sense if you just need a small bit of pocket change for incidental micropayments. I think this is a nice advantage vs fiat currency, instead of all the seigniorage going to one big entity, let it go in convenience amounts to people who need to scrape up a small amount of change.
9475	806	6	1281895901	9475	0		xx	1	Re: Version 0.3.9 rc1, please test	[quote author=jgarzik link=topic=806.msg9467#msg9467 date=1281894387]
the extended-help might have been based on my idea, but the code was somewhat different.
[/quote]
The idea was the main part. When you posted your patch, I realized it should have been done that way instead of "-?". I always had reservations about "-?" because it intrudes on the possible parameter values, and the help response is based on the version of the caller instead of the server.
9478	820	6	1281896606	9478	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2	I hope someone can test an i5 or AMD to check that I built it right. I don't have either to test with.

I'm also curious if it performs much worse on 32-bit linux vs 64-bit.
9483	820	6	1281897807	9483	0		xx	1	Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2	I just uploaded a quick build so testers can check if I built it right. (I don't have an i5 or AMD) If it checks out, I'll put together the full package and do all the release stuff.
1834	199	6	1277652613	1834	0		xx	1	Re: 1.3 almost ready	MinGW still only has good old stable 3.4.5. There's not much reason for them to update it.

When I looked at the 3.4.5 compiled SHA disassembly, I couldn't see any room for improvement at all. I can't imagine how 8% more could be squeezed out of it. Is it possible Windows could have 8% more overhead? Not making system calls or anything, just plain busy computational code, could task switching and other housekeeping operations take away that much?
1838	202	7	1277665569	1838	0		xx	1	Re: Major Meltdown	Here's an answer to a similar question about how to recover from a major meltdown.
https://www.bitcoin.org/smf/index.php?topic=191.msg1585#msg1585

[quote author=satoshi link=topic=191.msg1585#msg1585 date=1276547990]
If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.

If the hash breakdown came gradually, we could transition to a new hash in an orderly way. The software would be programmed to start using a new hash after a certain block number. Everyone would have to upgrade by that time. The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used.
[/quote]
1924	223	6	1278098496	1924	0		xx	1	Re: Feature Request: Limiting Connections	Thanks for the feedback on this.

One thing we could do is lower the outbound connections from 15 to 10 or maybe even 5. The choice of 15 was arbitrary. It just needs to be enough for redundancy and fast exponential propagation of messages. 10 would still be plenty. 5 should be fine. 10 is good as a nice round number so users can see that it stopped intentionally.

It would help to implement UPnP so there would be more inbound accepting nodes. Your number of connections is the ratio of inbound accepting nodes to out-only times 15. We need to encourage more people to accept inbound connections.

I will implement a feature to stop accepting inbound connections once you hit a certain number.

Which version are you running?

Anyone know how many connections typical P2P software like BitTorrent can get up to?
1926	199	6	1278103037	1926	0		xx	1	Re: 1.3 almost ready	[quote author=dkaparis link=topic=199.msg1842#msg1842 date=1277676145]
On a related note, is the thing compilable by Visual C++? I'm inclined to give it a try when I get around to it.
[/quote]
It is, but generating is more than twice as slow.
1927	199	6	1278107865	2006	1278445482	satoshi xx	1	Re: 0.3 almost ready	(reverted to rc2)

Links removed, 0.3 is now released, so go to http://www.bitcoin.org to download it.
1928	217	6	1278108221	1928	0		xx	1	Re: Beta?	OK, back to 0.3 then.

Please download RC4 and check it over as soon as possible. I'd like to release it soon.

http://www.bitcoin.org/smf/index.php?topic=199.msg1927#msg1927

Other than the version number change, which included changes in readme.txt and setup.nsi, I reduced the maximum number of outbound connections from 15 to 8 so nodes that accept inbound don't get too many connections. 15 was a lot more than needed. 8 is still plenty for redundancy.
1929	223	6	1278109220	1929	1278110023	satoshi xx	1	Re: Feature Request: Limiting Connections	I reduced max outbound connections from 15 to 8 in RC4.

15 was way more than we needed for redundancy. 8 is still plenty of redundancy.

As the nodes upgrade to this version, this will cut in half the number of connections that inbound accepting nodes get.

If anyone wants more than 8 connections, they can open port 8333 on their firewall.
1947	199	6	1278280348	1947	0		xx	1	Re: 0.3 almost ready -- please test the Mac version!	Laszlo's build is going to be our first Mac release so please test it!
1976	234	1	1278365474	8103	1281199857	satoshi xx	1	Re: Slashdot Submission for 1.0	BTW, I did come to my senses after that brief bout with 1.3, this release is still going to be 0.3 beta not 1.0.

I really appreciate the effort, but there are a lot of problems.

We don't want to lead with "anonymous". (I've been meaning to edit the homepage)

"The developers expect that this will result in a stable-with-respect-to-energy currency outside the reach of any government." -- I am definitely not making any such taunt or assertion.

It's not stable-with-respect-to-energy. There was a discussion on this. It's not tied to the cost of energy. NLS's estimate based on energy was a good estimated starting point, but market forces will increasingly dominate.

Sorry to be a wet blanket. Writing a description for this thing for general audiences is bloody hard. There's nothing to relate it to.
2004	238	1	1278441155	2007	1278454321	satoshi xx	1	Bitcoin 0.3 released!	Announcing version 0.3 of Bitcoin, the P2P cryptocurrency! Bitcoin is a digital currency using cryptography and a distributed network to replace the need for a trusted central server. Escape the arbitrary inflation risk of centrally managed currencies! Bitcoin's total circulation is limited to 21 million coins. The coins are gradually released to the network's nodes based on the CPU power they contribute, so you can get a share of them by contributing your idle CPU time.

What's new:
- Command line and JSON-RPC control
- Includes a daemon version without GUI
- Transaction filter tabs
- 20% faster hashing
- Hashmeter performance display
- Mac OS X version (thanks to Laszlo)
- German, Dutch and Italian translations (thanks to DataWraith, Xunie and Joozero)

Get it at http://www.bitcoin.org or read the forum to find out more.
2006	199	6	1278445398	2006	0		xx	1	Re: 0.3 almost ready -- please test the Mac version!	0.3 released
http://www.bitcoin.org/smf/index.php?topic=238.msg2004#msg2004
2010	84	6	1278466267	2010	0		xx	1	Re: On IRC bootstrapping	Everybody needs to connect to the same IRC server and channel so they can find each other.

[quote author=Vasiliev link=topic=84.msg1785#msg1785 date=1277509815]
You may want to leave Freenode in as a fallback server -- if his server doesn't work, use Freenode's.
[/quote]
It might not be good if we suddenly rushed freenode with a ton of users all at once.

The fallback is our own seed system.

irc.lfnet.org is pretty old and has impressive uptime. I think it's going to be fine.

We could take IRC out at some point if we want, but I'd rather ease into it and just test our own seed system as a backup for now, and I really like the complementary redundant attributes of the two different systems.
2068	246	4	1278613459	2068	0		xx	1	Re: bitcoin 0.3 win64 - broken access to APPDATA if non-latin characters in username	Thanks for finding that. We switched from ANSI in 0.2 to UTF-8 in version 0.3, so it must be related to that.

Just to confirm, if you log in with the non-latin character username, not having an appdata/Bitcoin directory yet, and run Bitcoin and let it create the database from scratch, does it work or not?
2071	241	6	1278616320	2071	1278617262	satoshi xx	1	Re: Anonymity	It's hard to imagine the Internet getting segmented airtight. It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone. It would only take one node to do it. Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks. Their number of confirmations would start over.

If anyone took advantage of the segmentation to double-spend, such that there are different spends of the same money on each side, then the double-spends in the shorter fork lose out and go to 0/unconfirmed and stay that way.

It wouldn't be easy to take advantage of the segmentation to double-spend. If it's impossible to communicate from one side to the other, how are you going to put a spend on each side? If there is a way, then probably someone else is also using it to flow the block chain over.

You would usually know whether you're in the smaller segment. For example, if your country cuts itself off from the rest of the world, the rest of the world is the larger segment. If you're in the smaller segment, you should assume nothing is confirmed.
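An added model of the recombination rule described above (not code from the thread or from Bitcoin): when the shorter fork is abandoned, its transactions that the longer fork lacks go back to the pool with confirmations reset to 0, except those that conflict with a spend already in the longer fork, which stay at 0/unconfirmed for good. The transaction names, outpoints and the two forks are constructed sample data.

```python
# Added example, not from the thread: what happens to transactions when a
# segmented network recombines and the shorter fork is reorganised away.
# Transactions are txid -> set of spent outpoints; a fork is the list of
# blocks built on the common ancestor, each block a list of txids.

def reorg(shorter_fork, longer_fork, txs):
    """Switch from the shorter fork to the longer one.

    Returns (confirmations, released, dead):
      confirmations: txid -> confirmations on the new best chain (0 = in pool)
      released:      shorter-fork txids that re-enter the pool and can be
                     mined again; their confirmations start over at 0
      dead:          shorter-fork txids spending an outpoint already spent
                     in the longer fork; they stay 0/unconfirmed for good
    """
    in_longer = {tx for block in longer_fork for tx in block}
    spent_in_longer = {op for tx in in_longer for op in txs[tx]}
    released, dead = [], []
    for block in shorter_fork:
        for tx in block:
            if tx in in_longer:
                continue                    # both sides saw it: nothing changes
            if any(op in spent_in_longer for op in txs[tx]):
                dead.append(tx)             # loses to the spend on the other side
            else:
                released.append(tx)         # eligible for a future block
    height = len(longer_fork)
    confirmations = {tx: height - depth
                     for depth, block in enumerate(longer_fork) for tx in block}
    for tx in released + dead:
        confirmations[tx] = 0
    return confirmations, released, dead

# Constructed sample: after the split, side A (the small segment) mined 2
# blocks and side B mined 5. "pay_coffee" was seen on both sides, "rent_A"
# only on A, and "dbl_A"/"dbl_B" spend the same outpoint on each side.
TXS = {
    "pay_coffee": {"out#1"},
    "rent_A": {"out#2"},
    "dbl_A": {"out#3"},
    "dbl_B": {"out#3"},
    "salary_B": {"out#4"},
}
SIDE_A = [["pay_coffee", "dbl_A"], ["rent_A"]]
SIDE_B = [["dbl_B"], ["pay_coffee"], [], ["salary_B"], []]

def recombine():
    """Side A is the shorter fork, so its nodes reorganise onto side B."""
    return reorg(SIDE_A, SIDE_B, TXS)

if __name__ == "__main__":
    confs, released, dead = recombine()
    print("re-released to pool:", released)
    print("double-spends that lost:", dead)
    for tx, n in sorted(confs.items()):
        print(f"  {tx}: {n} confirmations")
```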
2077	246	4	1278644495	2077	0		xx	1	Re: bitcoin 0.3 win64 - broken access to APPDATA if non-latin characters in username	I think I see where the problem is. Coincidentally, I recently coded a replacement for the function in question which should fix it. It's not enabled yet, but in the SVN version it prints a debug message in debug.log showing the new directory value and old value for comparison.
2078	242	1	1278646126	2078	0		xx	1	Re: BTC Vulnerability? (Massive Attack against BTC system. Is it really?)	What the OP described is called "cornering the market". When someone tries to buy all the world's supply of a scarce asset, the more they buy the higher the price goes. At some point, it gets too expensive for them to buy any more. It's great for the people who owned it beforehand because they get to sell it to the corner at crazy high prices. As the price keeps going up and up, some people keep holding out for yet higher prices and refuse to sell.

The Hunt brothers famously bankrupted themselves trying to corner the silver market in 1979:
"Brothers Nelson Bunker Hunt and Herbert Hunt attempted to corner the world silver markets in the late 1970s and early 1980s, at one stage holding the rights to more than half of the world's deliverable silver.[1] During Hunt's accumulation of the precious metal silver prices rose from $11 an ounce in September 1979 to nearly $50 an ounce in January 1980.[2] Silver prices ultimately collapsed to below $11 an ounce two months later,[2] much of the fall on a single day now known as Silver Thursday, due to changes made to exchange rules regarding the purchase of commodities on margin.[3]"

http://en.wikipedia.org/wiki/Cornering_the_market
2092	246	4	1278689825	2092	0		xx	1	Re: bitcoin 0.3 win64 - broken access to APPDATA if non-latin characters in username	I tested this with a non-lower-ASCII account name on XP and confirmed the bug, then tested that the new GetDefaultDataDir fixed it. This change is revision 102 of the SVN.
2132	240	6	1278766682	2132	0		xx	1	Re: Security	I'll start thinking about how to do this.

At the moment, you can kind of use -connect. You can use -connect to make it connect to local computers on your LAN, like -connect=192.168.0.100. If you start it out blank and don't let it connect to the main network, the difficulty is still at the original low difficulty. If you've port-forwarded though, then outside nodes might still connect inward to you.

With -connect it still uses IRC, do you think it shouldn't get on IRC when you're telling it to only connect to specific nodes with -connect? The main scenario for -connect is where you have a server farm, with two connected to the network and the rest connected to the first two. In that case, you wouldn't want the -connect computers on IRC.

[code]
void ThreadIRCSeed(void* parg)
{
    if (mapArgs.count("-connect"))
        return;
[/code]
2133	202	7	1278768977	2133	0		xx	1	Re: Major Meltdown	[quote author=llama link=topic=202.msg1920#msg1920 date=1278022907]
However, if something happened and the signatures were compromised (perhaps integer factorization is solved, quantum computers?), then even agreeing upon the last valid block would be worthless.
[/quote]
True, if it happened suddenly. If it happens gradually, we can still transition to something stronger. When you run the upgraded software for the first time, it would re-sign all your money with the new stronger signature algorithm. (by creating a transaction sending the money to yourself with the stronger sig)
2863	263	3	1279123682	2863	0		xx	1	Re: IRC	You shouldn't chat in the #bitcoin room.

Do you think it'll gravitate toward #bitcoin-dev on freenode or lfnet? freenode's the better choice because you may get noticed by other people on freenode.
2867	323	4	1279124523	2867	0		xx	1	Re: No blocks downloaded... why?	So that was responsible for keeping blocks from downloading?

The link: "Win32 CPU Cycles vs 'Live Protection' Engines"

For BitcoinFX, Live Protection was keeping it from getting CPU for generating coins. You said your friend was getting 1400-1600 khash/s, so it was getting CPU. I guess Live Protection must have been blocking some other part of the program then?
2871	327	1	1279124979	2871	0		xx	1	Re: resource hog	In Windows, you select the process in the task manager, right click, Set Priority. Set it to BelowNormal or Low. That shouldn't make a difference though.

If you turn off Generate Coins, does the CPU usage go flat? That would confirm that all the CPU time it's taking is generate, which is idle priority already.

It could be it's slow just because you have too many things running at once and you're out of memory. When you switch from one thing to another, it has to page it in from disk.
2880	343	1	1279127042	2880	0		xx	1	Re: stopped prodicing coins	Thanks for making that calculator.

The difficulty doubled a day or two ago, plus it's just random and you can have surprisingly long dry spells.
2885	298	4	1279128890	2885	0		xx	1	Re: Building Bitcoin 0.3	It doesn't work with wxWidgets 2.8, it needs wxWidgets 2.9. Unfortunately, there isn't a Debian package of wxWidgets 2.9 yet.
7381	696	1	1280881777	7422	1280891384	satoshi xx	1	Re: Please upgrade to 0.3.8!	I guess SourceForge hasn't updated its mirrors yet. The files are there on the admin side, but not on the user side. I have no idea how long that will take. It's always been immediate in the past.

Edit: SourceForge is updated now.
7385	635	1	1280882440	7385	0		xx	1	Re: Building initial transaction trust through "coin ripping"	The software is designed to support things like this. I was going to post details of the plans for Escrow, but since getting slashdotted I haven't had time.
7524	287	1	1280939136	7676	1281020709	satoshi xx	1	Re: Flood attack 0.00000001 BC	[quote author=Insti link=topic=287.msg7498#msg7498 date=1280933911]
It seems to do more harm than good because it prevents micropayment implementations such as the one bytemaster is suggesting.[/quote]
Bitcoin isn't currently practical for very small micropayments. Not for things like pay per search or per page view without an aggregating mechanism, not things needing to pay less than 0.01. The dust spam limit is a first try at intentionally trying to prevent overly small micropayments like that.

Bitcoin is practical for smaller transactions than are practical with existing payment methods. Small enough to include what you might call the top of the micropayment range. But it doesn't claim to be practical for arbitrarily small micropayments.
7687	287	1	1281024201	7687	0		xx	1	Re: Flood attack 0.00000001 BC	Forgot to add the good part about micropayments. While I don't think Bitcoin is practical for smaller micropayments right now, it will eventually be as storage and bandwidth costs continue to fall. If Bitcoin catches on on a big scale, it may already be the case by that time. Another way they can become more practical is if I implement client-only mode and the number of network nodes consolidates into a smaller number of professional server farms. Whatever size micropayments you need will eventually be practical. I think in 5 or 10 years, the bandwidth and storage will seem trivial.

I am not claiming that the network is impervious to DoS attack. I think most P2P networks can be DoS attacked in numerous ways. (On a side note, I read that the record companies would like to DoS all the file sharing networks, but they don't want to break the anti-hacking/anti-abuse laws.)

If we started getting DoS attacked with loads of wasted transactions back and forth, you would need to start paying a 0.01 minimum transaction fee. 0.1.5 actually had an option to set that, but I took it out to reduce confusion. Free transactions are nice and we can keep it that way if people don't abuse them.

That brings up the question: if there was a minimum 0.01 fee for each transaction, should we automatically add the fee if it's just the minimum 0.01? It would be awfully annoying to ask each time. If you have 50.00 and send 10.00, the recipient would get 10.00 and you'd have 39.99 left. I think it should just add it automatically. It's trivial compared to the fees many other types of services add automatically.

[quote author=FreeMoney link=topic=287.msg7569#msg7569 date=1280950232]
Does including more slow down your hashing rate?
[/quote]
No, not at all.
7694	287	1	1281025820	7694	0		xx	1	Re: Flood attack 0.00000001 BC	[quote author=bytemaster]
Payments would generally be advanced, say 1 BTC at a time and when the connection closes any "change" would be returned. This rule makes it impossible to pay for a simple "search query" with no further transactions.
[/quote]
One alternative is to use a round-up system. You pay for, say, 1000 pages or images or downloads or searches or whatever at a time. When you've used up your 1000 pages, you pay for another 1000 pages. If you only use 1 page, then you have 999 left that you may never use, but it's not a big deal because the cost per 1000 is still small.

Or you could pay per day. The first time you access the site on a given day, you pay for 24 hours of access.

Per 1000 or per day may be easier for consumers to get their heads around too. They worry about per item because it's harder to figure if it might add up too fast. Unlimited for 24 hours they know what the cost will be. Or if 1000 seems like plenty, they're not worrying that it's costing more with each click if they figure 1000 is more than they'll probably use.
7696	287	1	1281026398	7696	0		xx	1	Re: Flood attack 0.00000001 BC	[quote author=bytemaster link=topic=287.msg7684#msg7684 date=1281022759]
The only solution to this problem is to make broadcasting of a transaction "non free". Namely, if you want me to include it you have to pay me. The net (no pun intended) result is that each client would need to pay other clients to whom they even send their transaction, not just the individual who gets it in a block. In this way the laws of economics take over and no one gets a free ride on the transaction broadcast system.
[/quote]
I don't know a way to implement that. The transaction fee to the block creator uses a special trick to include the transaction fee without any additional size. If there was a transaction for each transaction fee, then what about the transaction fees for the transaction fee's transaction?
7703	704	1	1281027963	7703	0		xx	1	Re: Who's the Spanish jerk draining the Faucet?	Silently failing would look bad.

[quote author=gavinandresen link=topic=704.msg7575#msg7575 date=1280954455]
1. Rate limit based on the first byte of the IP address (79. or 81. in this case).
[/quote]
Definitely needed. What rate are you thinking of? Ultimately, it's better to rate limit it than to let it all drain out.

[quote author=gavinandresen link=topic=704.msg7575#msg7575 date=1280954455]
3. Rate limit based on last two domains of reverse DNS lookup of the IP address (rima-tde.net in this case).
[/quote]
That might work surprisingly well. If it works, it keeps them from hitting the rate limit, but the rate limit is there as the last line of defence.

[quote author=gavinandresen link=topic=704.msg7575#msg7575 date=1280954455]
4. Make the standard amount given away 0.5 Bitcoins (Bitcoins have gone up 10 times in value since I started the Faucet).
[/quote]
Definitely time to lower it.
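The two rate-limit keys discussed in this post (first byte of the IP address, last two labels of the reverse DNS name) as a small keyed sliding-window limiter. This is an added example, not the Faucet's code; the reverse-DNS table, the window and the per-key allowance are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

# Constructed stand-in for a real PTR lookup (assumption); a deployment would
# call socket.gethostbyaddr or a resolver and treat failures as "no name".
FAKE_RDNS = {
    "79.1.2.3": "79-1-2-3.dynamic.rima-tde.net",
    "79.9.9.9": "79-9-9-9.dynamic.rima-tde.net",
    "81.5.5.5": "81-5-5-5.red.rima-tde.net",
    "203.0.113.7": "host7.example.net",
}


def rate_limit_keys(ip, rdns_lookup=FAKE_RDNS.get):
    """Keys a faucet request is counted under: the first byte of the IP
    (rule 1 in the thread) and the last two labels of its reverse DNS name
    (rule 3). A request is refused if any one key is over budget."""
    keys = ["ipbyte:" + ip.split(".")[0]]
    name = rdns_lookup(ip)
    if name:
        labels = name.rstrip(".").split(".")
        if len(labels) >= 2:
            keys.append("rdns:" + ".".join(labels[-2:]))
    return keys


class FaucetRateLimiter:
    """At most `limit` payouts per key within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)  # key -> timestamps of recent payouts

    def _prune(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, ip, now=None):
        """True (and the payout is recorded) only if every key is under budget.
        The IP-byte key is the last line of defence if reverse DNS is missing."""
        now = time.time() if now is None else now
        keys = rate_limit_keys(ip)
        for k in keys:
            self._prune(k, now)
            if len(self.hits[k]) >= self.limit:
                return False
        for k in keys:
            self.hits[k].append(now)
        return True


if __name__ == "__main__":
    limiter = FaucetRateLimiter(limit=2, window_seconds=3600)
    for ip, t in [("79.1.2.3", 0), ("79.9.9.9", 10), ("81.5.5.5", 20), ("203.0.113.7", 30)]:
        print(ip, rate_limit_keys(ip), limiter.allow(ip, now=t))
```

The third request is refused even though 81.x is a fresh IP byte, because it shares the rima-tde.net reverse-DNS key with the first two; the limiter never refuses on reverse DNS alone, so an IP with no PTR record is still counted by its first byte.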
7705	711	6	1281029320	7705	0		xx	1	Re: bitcoind transaction to ip address	It's not implemented.

It turned out nobody liked that mode of transfer anyway, so it hasn't had much development attention.
7706	713	6	1281029901	7706	0		xx	1	Re: Transaction Overload Solution	I can't think of a way to implement that. All the transaction fees would be additional transactions. What about the transaction fees for the transaction fee's transaction?
7710	287	1	1281030583	7710	0		xx	1	Re: Flood attack 0.00000001 BC	[quote author=bytemaster link=topic=287.msg7699#msg7699 date=1281026812]
Right now the transaction fee address is left "blank" and the block generator fills it out.
Now you would fill it in with the address of the person you are asking to build the block.
[/quote]
If you're only going to have one person work on building the block, that could take days. Oh, do you mean send a different variation to each node with the tx fee written to them?

The way it is now, it's whoever builds this gets it.

If we needed to, we could have a BitTorrent-esque tit-for-tat for transaction broadcast. Relay paying transactions to me, or I won't relay them to you. It probably won't be an actual problem though. It only takes one node relaying like it should to cancel out 7 others greedily not relaying.
7712	645	1	1281031710	7712	0		xx	1	Re: A proposal for a semi-automated Escrow mechanism	A transaction can be written that requires two signatures to spend it next. You write a payment that requires the signature of both the recipient and the sender to spend it. To release the escrow, you give the recipient the signature for your half, or the payee can return it by giving you his signed half. There's no mediator in this simple case. The recourse is to refuse to ever release it, essentially burning the money.
8103	723	1	1281198497	8103	0		xx	1	Re: latency and locality	Once you get away from a system where each node's influence is proportional to their CPU power, then what else do you use to determine who is (approximately) one person?
8114	721	1	1281203169	8125	1281205034	satoshi xx	1	Re: Bitcoin minting is thermodynamically perverse	It's the same situation as gold and gold mining. The marginal cost of gold mining tends to stay near the price of gold. Gold mining is a waste, but that waste is far less than the utility of having gold available as a medium of exchange.

I think the case will be the same for Bitcoin. The utility of the exchanges made possible by Bitcoin will far exceed the cost of electricity used. Therefore, [i]not[/i] having Bitcoin would be the net waste.

[quote author=gridecon link=topic=721.msg7889#msg7889 date=1281113280]
As an overall point, I also do not agree with the idea that the very high computational burden of coin generation is in fact a necessity of the current system. As I understand it, currency creation is fundamentally metered by TIME - and if that is the fundamental controlling variable, what is the need for everyone to "roll as many dice as possible" within that given time period? The "chain of proof" for coin ownership and transactions doesn't depend on the method for spawning coins.
[/quote]
Each node's influence on the network is proportional to its CPU power. The only way to show the network how much CPU power you have is to actually use it.

If there's something else each person has a finite amount of that we could count for one-person-one-vote, I can't think of it. IP addresses... much easier to get lots of them than CPUs.

I suppose it might be possible to measure CPU power [i]at certain times[/i]. For instance, if the CPU power challenge was only run for an average of 1 minute every 10 minutes. You could still prove your total power at given times without running it all the time. I'm not sure how that could be implemented though. There's no way for a node that wasn't present at the time to know that a past chain was actually generated in a duty cycle with 9 minute breaks, not back to back.

Proof-of-work has the nice property that it can be relayed through untrusted middlemen. We don't have to worry about a chain of custody of communication. It doesn't matter who tells you a longest chain, the proof-of-work speaks for itself.
8137	645	1	1281211499	8137	0		xx	1	Re: A proposal for a semi-automated Escrow mechanism	[quote author=jgarzik link=topic=645.msg7723#msg7723 date=1281034830]
Due to that recourse, it is unlikely to be used as an escrow mechanism :)
[/quote]
Really? Do you think people won't be able to understand the benefit? (If your response is an argument that there's no benefit at all, I guess that will reinforce the case that people won't be able to understand it.)
8140	750	6	1281212032	8140	0		xx	1	Escrow	Here's an outline of the kind of escrow transaction that's possible in software. This is not implemented and I probably won't have time to implement it soon, but just to let you know what's possible.

The basic escrow: The buyer commits a payment to escrow. The seller receives a transaction with the money in escrow, but he can't spend it until the buyer unlocks it. The buyer can release the payment at any time after that, which could be never. This does not allow the buyer to take the money back, but it does give him the option to burn the money out of spite by never releasing it. The seller has the option to release the money back to the buyer.

While this system does not guarantee the parties against loss, it takes the profit out of cheating.

If the seller doesn't send the goods, he doesn't get paid. The buyer would still be out the money, but at least the seller has no monetary motivation to stiff him.

The buyer can't benefit by failing to pay. He can't get the escrow money back. He can't fail to pay due to lack of funds. The seller can see that the funds are committed to his key and can't be sent to anyone else.

Now, an economist would say that a fraudulent seller could start negotiating, such as "release the money and I'll give you half of it back", but at that point, there would be so little trust and so much spite that negotiation is unlikely. Why on earth would the fraudster keep his word and send you half if he's already breaking his word to steal it? I think for modest amounts, almost everyone would refuse on principle alone.
8145	648	6	1281215761	8145	0		xx	1	Re: 4 hashes parallel on SSE2 CPUs for 0.3.6	[quote author=impossible7 link=topic=648.msg7838#msg7838 date=1281094640]
CRITICAL_BLOCK is a macro that contains a for loop. The assertion failure indicates that break has been called inside the body of the loop. The only break statement in this block is in line 2762. In the original source file, there is no break statement in this critical block. I think you must remove lines 2759-2762. There is nothing like that in the original main.cpp.
[/quote]
Sorry about that. CRITICAL_BLOCK isn't perfect. You have to be careful not to break or continue out of it. There's an assert that catches and warns about break. I can be criticized for using it, but the syntax would be so much more bloated and error prone without it.

Is there a chance the SSE2 code is slow on Intel because of some quirk that could be worked around? For instance, if something works but is slow if it's not aligned, or thrashing the cache, or one type of
whether to spend your priority now or save it for later. I don't think we'll need to get into that much detail though. There's a wide enough difference between normal users and flooders.

Priority doesn't have to do everything. Once you know there's a flood, you can add -paytxfee=0.01. Hopefully with priority, your transactions before that should be at worst slow, not stuck.
22119	1786	6	1289846264	22119	0		xx	1	Re: Need OP_BLOCKNUMBER to allow "time" limited transactions	We can't safely do OP_BLOCKNUMBER. In the event of a block chain reorg after a segmentation, transactions need to be able to get into the chain in a later block. The OP_BLOCKNUMBER transaction and all its dependants would become invalid. This wouldn't be fair to later owners of the coins who weren't involved in the time limited transaction.

nTimeLock does the reverse. It's an open transaction that can be replaced with new versions until the deadline. It can't be recorded until it locks. The highest version when the deadline hits gets recorded. It could be used, for example, to write an escrow transaction that will automatically permanently lock and go through unless it is revoked before the deadline. The feature isn't enabled or used yet, but the support is there so it could be implemented later.
22952	1850	6	1290210624	22966	1290215068	satoshi xx	1	Re: Transaction / spam flood attack currently under way [quote author=creighto link=topic=1850.msg22896#msg22896 date=1290198552]
Perhaps in addition to the age priority rule recently implemented, there should be a minimum age rule [u]without[/u] a transaction fee. Said another way, perhaps a generation rule that says that a free transaction must be 3 blocks deep before it can be transferred again for free. This will still allow real users to immediately spend new funds if they have to, while still permitting real users to reshuffle funds to suit their needs without an overhead cost. I think that this would significantly inhibit the type of spamming attack that is currently underway.
[/quote]
I'm doing something like that. Priority is a more formalised version of the concept you're describing.

[quote author=FreeMoney link=topic=1842.msg22844#msg22844 date=1290188384]
As it stands now 3.15 has a lot of free transaction space and that space is given first to transactions with the highest [age]*[value]/[size] correct? Would it be reasonable to make some arbitrary portion of the free space require [age]*[value]/[size] > C ?

Maybe set C so that a standard 1BTC transaction can get into the main free area on the next block. And a .1 can get in after waiting about 10 blocks. And make the area which allows [age]*[value]/[size] < C to let in about a dozen transactions or so.
[/quote]
Yes, like this. And the no-priority-requirement area is 3K, about a dozen transactions per block.

I just uploaded SVN rev 185 which has a minimal priority requirement for free transactions. Transaction floods are made up of coins that are re-spent over and over, so they depend on their own 0 conf transactions repeatedly. 0 conf transactions have 0 priority, so free transactions like that will have to wait for one transaction to get into a block at a time.

Version 0.3.15 doesn't write transactions using 0 conf dependencies unless that's all it has left, so normal users shouldn't usually have a problem with this.

I think this is a good compromise short of making the default fee 0.01. It's not so much to ask that free transactions can only be used to turn coins over so often. If you're using free transactions, you're taking charity and there has to be some limit on how often you can use it with the same coins.

We've always said free transactions may be processed more slowly. You can help ensure your transactions go through quickly by adding -paytxfee=0.01.
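The free-transaction priority rule discussed in this post and in the earlier fragment about spending or saving priority, worked through as an added example (not the client's own CreateNewBlock code). The mempool is constructed; C is an assumed value tuned exactly as FreeMoney suggests, so a 250-byte 1 BTC transaction qualifies after one confirmation and a 0.1 BTC one after ten; the no-priority area is shrunk from the 3K in the thread to 500 bytes so the overflow is visible in a six-transaction example.

```python
import math

SATOSHI = 100_000_000  # satoshis per BTC

# Constructed mempool. Each input is (value in satoshi, confirmations of the
# transaction that created it); 0 confirmations means the input comes from
# an unconfirmed parent, which is how a re-spend flood looks.
MEMPOOL = [
    {"id": "fee-a",    "size": 250, "fee": 1_000_000, "inputs": [(5 * SATOSHI, 0)]},
    {"id": "old-1btc", "size": 250, "fee": 0, "inputs": [(1 * SATOSHI, 1)]},
    {"id": "young-01", "size": 250, "fee": 0, "inputs": [(SATOSHI // 10, 3)]},
    {"id": "aged-01",  "size": 250, "fee": 0, "inputs": [(SATOSHI // 10, 12)]},
    {"id": "flood-1",  "size": 250, "fee": 0, "inputs": [(1 * SATOSHI, 0)]},
    {"id": "flood-2",  "size": 250, "fee": 0, "inputs": [(1 * SATOSHI, 0)]},
]


def priority(tx):
    """[age]*[value]/[size]: value-weighted input age per byte.
    Inputs from 0-conf parents contribute nothing, so a chain of free
    re-spends gets priority 0 until its parent is in a block."""
    return sum(value * confs for value, confs in tx["inputs"]) / tx["size"]


# Assumed threshold: a standard 250-byte 1 BTC transaction reaches C after
# one confirmation (the thread says how C should be tuned, not its value).
C = (1 * SATOSHI * 1) / 250


def blocks_to_qualify(value, size, c=C):
    """Confirmations a single-input free transaction needs before it
    reaches C. For 0.1 BTC at 250 bytes this is 10, as the thread expects."""
    return math.ceil(c * size / value)


def select_free_transactions(mempool, free_area_bytes, no_priority_bytes, c=C):
    """Fill a block the way the thread describes: fee-paying transactions
    always go in; free ones are taken highest priority first, need at least C
    to use the main free area, and otherwise compete for a small area with no
    priority requirement. Returns the ids placed in each area."""
    chosen = {"paid": [], "free": [], "no_priority": [], "skipped": []}
    free_used = no_prio_used = 0
    free_txs = []
    for tx in mempool:
        if tx["fee"] > 0:
            chosen["paid"].append(tx["id"])
        else:
            free_txs.append(tx)
    # sorted() is stable, so equal-priority flood transactions keep their order
    for tx in sorted(free_txs, key=priority, reverse=True):
        if priority(tx) >= c and free_used + tx["size"] <= free_area_bytes:
            chosen["free"].append(tx["id"])
            free_used += tx["size"]
        elif no_prio_used + tx["size"] <= no_priority_bytes:
            chosen["no_priority"].append(tx["id"])
            no_prio_used += tx["size"]
        else:
            chosen["skipped"].append(tx["id"])  # waits for a later block
    return chosen


if __name__ == "__main__":
    for tx in MEMPOOL:
        print(tx["id"], priority(tx))
    print(select_free_transactions(MEMPOOL, free_area_bytes=750, no_priority_bytes=500))
```

The second flood transaction is the one left waiting: with every re-spend depending on a 0-conf parent, only as many of them get in per block as the no-priority area holds, which is the "one transaction into a block at a time" effect the post describes.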
23097	1334	42	1290273860	23100	1290274758	satoshi xx	1	Re: OpenCL miner for the masses [quote author=m0mchil link=topic=1334.msg23018#msg23018 date=1290248179]
updated to SVN 186
[/quote]
Thanks m0mchil for keeping up on the updates!

GPU miners, please upgrade as soon as possible to shut down the free transaction abuse! This version has the new priority-based limit on free transaction spam.

[quote author=m0mchil link=topic=1334.msg22251#msg22251 date=1289903441]
Just updated to SVN 181 and fixed getwork patch to wait 60 seconds between rebuilding the block with new transactions. This is actually the behavior of the original client, was forgotten in the patch by mistake. Fixes heavy CPU usage on every getwork request (this became obvious with recent heavy transaction spam). Please upgrade.
[/quote]
Before SVN 184, compiling transactions into a block used an n^2 algorithm. The new efficient single-pass algorithm is orders of magnitude quicker. (O(n) vs O(n^2)/2 algorithm, n=200 maybe 10 to 100 times quicker)
23876	1901	6	1290541812	24089	1290617023	satoshi xx	1	New getwork	I uploaded a redesign of m0mchil's getwork to SVN rev 189 (version 31601)

m0mchil's external bitcoin miner idea has solved a lot of problems. GPU programming is immature and hard to compile, and I didn't want to add additional dependencies to the build. getwork allows these problems to be solved separately, with different programs for different hardware and OSes. It's also convenient that server farms can run a single Bitcoin node and the rest only run getwork clients.

The interface has a few changes:

getwork [data]
If [data] is not specified, returns formatted hash data to work on:
  "midstate" : precomputed hash state after hashing the first half of the data
  "data" : block data
  "hash1" : formatted hash buffer for second hash
  "target" : little endian hash target
If [data] is specified, tries to solve the block and returns true if it was successful. [data] is the same 128 byte block data that was returned in the "data" field, but with the nonce changed.

Notes:
- It does not return work when you submit a possible hit, only when called without parameter.
- The block field has been separated into data and hash1.
- data is 128 bytes, which includes the first half that's already hashed by midstate.
- hash1 is always the same, but included for convenience.
- Logging of "ThreadRPCServer method=getwork" is disabled, it would be too much junk in the log.
23891	1901	6	1290545727	23891	0		xx	1	Re: New getwork It's not an exact drop-in replacement. I wanted to clean up the interface a little. It only requires a few changes.

ScanHash_ functions aren't going away. BTW, the interface of this is designed to mirror the parameters of that (midstate, data, hash1).
24095	1901	6	1290619261	24096	1290619891	satoshi xx	1	Re: New getwork [quote author=jgarzik link=topic=1901.msg24008#msg24008 date=1290574062]
I suspect something weird going on with ByteReverse (or lack thereof). It's quite unclear whether or not 'data' and 'nonce' must be byte-reversed, and in what way.
[/quote]
getwork does the byte-reversing. midstate, data and hash1 are already big-endian, and you pass data back still big-endian, so you work in big-endian and don't have to do any byte-reversing. They're the same data that is passed to the ScanHash_ functions. You can take midstate, data and hash1, put them in 16-byte aligned buffers and pass them to a ScanHash_ function, like ScanHash(pmidstate, pdata + 64, phash1, nHashesDone). If a nonce is found, patch it into data and call getwork.

I should probably change the ScanHash_ functions to use pdata instead of pdata + 64 so they're consistent.

target is little endian, it's supposed to be the same as how m0mchil's did it. (if it's not, then it should be fixed) That's the only case where you would use byte reverse. I think you do it like: if ByteReverse((unsigned int*)hash[6]) < (unsigned int*)target[6].

[quote author=DiabloD3 link=topic=1901.msg24050#msg24050 date=1290598271]
Satoshi, please fix your implementation of getwork so it complies with m0mchill's specification
[/quote]
This is the new spec. It shouldn't be hard to update your miner to use it.

The changes are:
- It does not return work when you submit a possible hit, only when called without parameter.
- The block field has been split into data and hash1.
- state renamed to midstate for consistency.
- extranonce not needed.
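The getwork fields from the "New getwork" post and the byte-order rules from the reply above, as an added example that is not the client's or any miner's code. It builds the 128-byte data field from an 80-byte header, shows hash1 as the constant padding buffer it is, patches a nonce, and does the target comparison the way the node does when getwork is called with [data]. midstate is left out because it needs SHA-256's internal state, which hashlib does not expose. The genesis block header is used as test input because its values are public; everything else is standard-library only.

```python
import hashlib
import struct


def swap_words(buf):
    """Byte-reverse every 32-bit word. getwork applies this to the header
    so the miner already sees the buffer in SHA-256's big-endian word order."""
    assert len(buf) % 4 == 0
    return b"".join(buf[i:i + 4][::-1] for i in range(0, len(buf), 4))


def header_to_getwork_data(header):
    """The 128-byte 'data' field: the 80-byte header with SHA-256 padding
    (0x80, zeros, 64-bit bit length = 640), then word-swapped."""
    assert len(header) == 80
    padded = header + b"\x80" + b"\x00" * 39 + struct.pack(">Q", 80 * 8)
    return swap_words(padded).hex()


def getwork_data_to_header(data_hex):
    """Undo the word swap and drop the padding to recover the raw header."""
    data = bytes.fromhex(data_hex)
    assert len(data) == 128
    return swap_words(data)[:80]


def getwork_hash1():
    """'hash1' never changes: a 32-byte slot for the first SHA-256 output
    followed by that message's padding (bit length 256), word-swapped."""
    return swap_words(b"\x00" * 32 + b"\x80" + b"\x00" * 23 + struct.pack(">Q", 32 * 8)).hex()


def bits_to_target(bits):
    """Expand the compact 'bits' field into the 256-bit target integer."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3))


def getwork_target(bits):
    """'target': 32 bytes, little-endian; the one field a miner must not word-swap."""
    return bits_to_target(bits).to_bytes(32, "little").hex()


def patch_nonce(data_hex, nonce):
    """Write a new nonce into 'data'. The raw header holds it little-endian
    at bytes 76..80, so after the word swap it sits there big-endian."""
    data = bytearray.fromhex(data_hex)
    data[76:80] = struct.pack(">I", nonce)
    return bytes(data).hex()


def block_hash(header):
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def display_hash(header):
    """Block hashes are conventionally shown byte-reversed."""
    return block_hash(header)[::-1].hex()


def meets_target(data_hex, target_hex):
    """What the node checks on getwork [data]: double-SHA256 the header and
    compare hash and target as little-endian 256-bit integers."""
    h = block_hash(getwork_data_to_header(data_hex))
    return int.from_bytes(h, "little") <= int.from_bytes(bytes.fromhex(target_hex), "little")


# Genesis block header from its public field values (test input, not constructed).
GENESIS_HEADER = (
    struct.pack("<I", 1)                                 # version
    + b"\x00" * 32                                       # previous block hash
    + bytes.fromhex("3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a")  # merkle root, serialized order
    + struct.pack("<I", 1231006505)                      # time
    + struct.pack("<I", 0x1D00FFFF)                      # bits
    + struct.pack("<I", 2083236893)                      # nonce
)
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

if __name__ == "__main__":
    work = {"data": header_to_getwork_data(GENESIS_HEADER),
            "hash1": getwork_hash1(),
            "target": getwork_target(0x1D00FFFF)}
    print(work)
    print(display_hash(GENESIS_HEADER), meets_target(work["data"], work["target"]))
    print(meets_target(patch_nonce(work["data"], 0), work["target"]))
```

The data field ends in 80020000 (the 640-bit length, word-swapped) and hash1 ends in 00010000 (the 256-bit length), which is a quick way to tell whether a miner is handing getwork buffers back in the right byte order.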
24101	1334	42	1290621189	24101	0		xx	1	Re: OpenCL miner for the masses A revised version of getwork is now in the official client, but the miners need to be updated a little to use it.
24438	1931	6	1290707499	24438	0		xx	1	Re: RFC: ship block chain 1-74000 with release tarballs?	It's not the downloading that takes the time, it's verifying and indexing it.

Bandwidthwise, it's more efficient than if you downloaded an archive. Bitcoin only downloads the data in blk0001.dat, which is currently 55MB, and builds blkindex.dat itself, which is 47MB. Building blkindex.dat is what causes all the disk activity.

During the block download, it only flushes the database to disk every 500 blocks. You may see the block count pause at ??499 and ??999. That's when it's flushing.

Doing your own verifying and indexing is the only way to be sure your index data is secure. If you copy blk0001.dat and blkindex.dat from an untrusted source, there's no way to know if you can trust all the contents in them.

Maybe Berkeley DB has some tweaks we can make to enable or increase cache memory.
24460	1946	6	1290715656	24473	1290718093	satoshi xx	1	Version 0.3.17	Version 0.3.17 is now available.

Changes:
- new getwork, thanks m0mchil
- added transaction fee setting in UI options menu
- free transaction limits
- sendtoaddress returns transaction id instead of "sent"
- getaccountaddress <account>

The UI transaction fee setting was easy since it was still there from 0.1.5 and all I had to do was re-enable it.

The accounts-based commands: move, sendfrom and getbalance <account> will be in the next release. We still have some more changes to make first.

Downloads:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.17/
24662	1931	6	1290792721	24662	0		xx	1	Re: RFC: ship block chain 1-74000 with release tarballs?	I tested it on a slow 7 year old drive, where bandwidth and CPU were clearly not the bottleneck. Initial download took 1 hour 20 minutes.

If it's taking a lot longer than that, certainly 24 hours, then it must be downloading from a very slow node, or your connection is much slower than around 15KB per sec (120kbps), or something else is wrong. It would be nice to know what appears to be the bottleneck when that happens.

Every 10 minutes or so when the latest block is sent, it should have the chance to change to a faster node. When the latest block is broadcast, it requests the next 500 blocks from other nodes, and continues the download from the one that sends it fastest. At least, that's how it should work.

[quote author=jgarzik link=topic=1931.msg24522#msg24522 date=1290737263]
[quote author=satoshi link=topic=1931.msg24438#msg24438 date=1290707499]
Maybe Berkeley DB has some tweaks we can make to enable or increase cache memory.
[/quote]
Which of the [url=http://en.wikipedia.org/wiki/ACID]ACID[/url] properties do you need, while downloading?
[/quote]
It may only need more read caching. It has to read randomly all over blk0001.dat and blkindex.dat to index. It can't assume the file is smaller than memory, although it currently still is. Caching would be effective, since most dependencies are recent.

Someone should experiment with different Berkeley DB settings and see if there's something that makes the download substantially faster. If something substantial is discovered, then we can work out the particulars.

[quote]
Adding BDB records is simply appending to a log file, until you issue a checkpoint. The checkpoint then updates the main database file.[/quote]
We checkpoint every 500 blocks.
24673	1946	6	1290795810	24673	0		xx	1	Re: Version 0.3.17	Laszlo does them, but I haven't asked him to do one for a while because there wasn't anything major. I'll ask him to do this version.
24708	1901	6	1290807073	24708	0		xx	1	Re: New getwork That's what it does, it returns true/false.
24719	1925	42	1290808961	24719	0		xx	1	Re: New demonstration CPU miner available	You should try it with tcatm's 4-way SSE2 SHA in sha256.cpp. It compiles fine as a C file, just rename sha256.cpp to sha256.c. I was able to get it to work in simple tests on Windows, but not when linked in with Bitcoin. It may have a better chance of working as part of a C program instead of C++.

Currently it's only enabled in the Linux build, so if you get it to work you could make it available to Windows users. It's about 100% speedup on AMD CPUs.
25119	1976	41	1290960210	25126	1290961520	satoshi xx	1	Re: Cooperative mining	ribuck's description is spot on.

Pool operators can modify their getwork to take one additional parameter, the address to send your share to.

The easy way for the pool operator would be to wait until the next block is found and divvy it up proportionally as:
user's near-hits/total near-hits from everyone

That would be easier and safer to start up. It also has the advantage that multiple hits from the same user can be combined into one transaction. A lot of your hits will usually be from the same people.

The instant gratification way would be to pay a fixed amount
to the seed nodes, just connect and get the list, so it won't be a burden on them.

What do you think, should I go ahead with adding the seeds?

It'll still try IRC first. The IRC has the advantage that it lists nodes that are currently online, since they have to stay connected to stay on the list, but the disadvantage that it's a single point of failure. The "addr" system has no single point of failure, but can only tell you what nodes have recently been seen, so it takes a little longer to get connected since some of the nodes you try have gone offline. The combination of the two gets us the best of both worlds and more total robustness.

Is there anyone who wants to volunteer to run an IRC server in case freenode gets tired of us?
1582	158	6	1276545224	1582	0		xx	1	Re: Hostnames instead of IP Addresses	SirArthur has a good point about the normal online merchant case, which is what the send-by-IP option is more suited to. This is the case where the merchant will have a server on a static IP and their own domain name and SSL cert.

Instead of connecting by IP, we can connect to a domain name by SSL, using the existing CA infrastructure to authenticate that you're connected to the owner of that domain.

The user would send to domain.com (or www.domain.com is ok too). That would be very natural and users could see and verify that what they entered is who they intend to pay.

The SSL also makes it safe for TOR users.

Problem is, I think merchants would still prefer to use bitcoin addresses to be certain they know what the payment is for. You simply cannot count on users to enter the right thing in the comment fields to identify the transaction. It would only approach practical if we had a mailto style link that prepopulates the comment field with the order number, but then the link could just as well be a bitcoin address.

Just having an open bitcoin server at domain.com that users could send unidentified payments to would be too much of a liability. Regular users aren't used to the idea of having to identify the payment. Merchants would get too many blank payments followed by "I paid you, where's my stuff?!" a week later.

The payment sequence does have a step where the receiver verifies the order before accepting it. It can reject the payment and return an error message if it doesn't contain a valid order number. That would require a difficult level of integration of custom code with the bitcoin server though.
1585	191	6	1276547990	1585	0		xx	1	Re: Dealing with SHA-256 Collisions	SHA-256 is very strong. It's not like the incremental step from MD5 to SHA1. It can last several decades unless there's some massive breakthrough attack.

If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.

If the hash breakdown came gradually, we could transition to a new hash in an orderly way. The software would be programmed to start using a new hash after a certain block number. Everyone would have to upgrade by that time. The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used.
1588	179	6	1276554115	1588	0		xx	1	Re: Technical clarifications	3) Nothing, if sending by bitcoin address
5) It is decentralised. After you have connected to the network the first time, you no longer need IRC.
1590	163	6	1276555214	1590	0		xx	1	Re: Can't Build r80 from SVN	Sorry, I didn't test compile on linux the last few revisions.

Reverted makefile.unix.
1595	165	6	1276645289	1595	0		xx	1	Re: What is the incentive to collect transactions?	[quote author=theymos link=topic=165.msg1373#msg1373 date=1275755169]
Adding transactions to the block you're working on will slow down your generation rate
[/quote]
The premise is false. Adding more transactions to the block you're working on does NOT slow down your generation rate. When generate is scanning hashes, it only hashes the header of the block, which is constant size. The header contains a hash of the transactions (the Merkle root) and is only updated occasionally.

If necessary I can write code to make nodes prefer not to use a block if it doesn't contain enough of the transactions they know about. A discouraged block would almost always fail to be included in the main chain, but would be accepted if it did get in. I doubt this will be necessary, since there's no real advantage for nodes not to include all transactions.
1596	55	6	1276647347	1596	1276648436	satoshi xx	1	Re: URI-scheme for bitcoin	http://127.0.0.1:8330/?to=domain.com&amount=200.00&comment=order_12345
or
http://127.0.0.1:8330/?to=<bitcoinaddress><separatorchar>1.2.3.4&amount=200.00

But as long as the link is already doing the typing for you, I don't see much benefit in using a domain address instead of bitcoin address. With a bitcoin address, the user can't send an unidentified payment. They can't send payment until they've been given a correct bitcoin address to send to.

What would be nice about sending by domain is you could visually verify who it's going to.


A more crucial issue is what if the browser isn't allowed to connect to 127.0.0.1:
http://www.bitcoin.org/smf/index.php?topic=63.msg1589#msg1589

and if that's true, then what about that example freenet link that had 127.0.0.1 in it?
1600	151	6	1276707214	1600	0		xx	1	Re: Website translations	Thanks DataWraith! The German translation is uploaded to SVN.

This is great, we've already got 3 major languages.
1609	184	1	1276794476	1609	0		xx	1	Re: new binary release? I'm working on getting version 0.3 released as soon as I can. Just a last few things left to do. It's been a long time since 0.2 and we need to get a prebuilt bitcoind with command line and JSON-RPC available. This time we'll have both 32-bit and 64-bit linux binaries, and Laszlo is going to build a Mac OSX release. Plus, we'll include the German, Dutch and Italian translations by DataWraith, Xunie and Joozero (thank you guys!).
1611	195	6	1276800368	1611	0		xx	1	Re: Transactions and Scripts: DUP HASH160 ... EQUALVERIFY CHECKSIG	The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime. Because of that, I wanted to design it to support every possible transaction type I could think of. The problem was, each thing required special support code and data fields whether it was used or not, and only covered one special case at a time. It would have been an explosion of special cases. The solution was script, which generalizes the problem so transacting parties can describe their transaction as a predicate that the node network evaluates. The nodes only need to understand the transaction to the extent of evaluating whether the sender's conditions are met.

The script is actually a predicate. It's just an equation that evaluates to true or false. Predicate is a long and unfamiliar word so I called it script.

The receiver of a payment does a template match on the script. Currently, receivers only accept two templates: direct payment and bitcoin address. Future versions can add templates for more transaction types and nodes running that version or higher will be able to receive them. All versions of nodes in the network can verify and process any new transactions into blocks, even though they may not know how to read them.

The design supports a tremendous variety of possible transaction types that I designed years ago. Escrow transactions, bonded contracts, third party arbitration, multi-party signature, etc. If Bitcoin catches on in a big way, these are things we'll want to explore in the future, but they all had to be designed at the beginning to make sure they would be possible later.

I don't believe a second, compatible implementation of Bitcoin will ever be a good idea. So much of the design depends on all nodes getting exactly identical results in lockstep that a second implementation would be a menace to the network. The MIT license is compatible with all other licenses and commercial uses, so there is no need to rewrite it from a licensing standpoint.
1617	195	6	1276877834	1617	0		xx	1	Re: Transactions and Scripts: DUP HASH160 ... EQUALVERIFY CHECKSIG	A second version would be a massive development and maintenance hassle for me. &nbsp;It&#039;s hard enough maintaining backward compatibility while upgrading the network without a second version locking things in. &nbsp;If the
second version screwed up, the user experience would reflect badly on both, although it would at least reinforce to users the importance of staying with the official version. &nbsp;If someone was getting ready to fork a second version, I would have to air a lot of disclaimers about the risks of using a minority version. &nbsp;This is a design where the majority version wins if
there&#039;s any disagreement, and that can be pretty ugly for the minority version and I&#039;d rather not go into it, and I don&#039;t have to as long as there&#039;s only one version.<br /><br />I know, most developers don&#039;t like their software forked, but I have real technical reasons in this case.<br /><br />[quote author=gavinandresen link=topic=195.msg1613#msg1613
date=1276804694]<br />I admire the flexibility of the scripts-in-a-transaction scheme, but my evil little mind immediately starts to think of ways I might abuse it. &nbsp;I could encode all sorts of interesting information in the TxOut script, and if non-hacked clients validated-and-then-ignored those transactions it would be a useful covert broadcast communication channel.<br
/><br />That&#039;s a cool feature until it gets popular and somebody decides it would be fun to flood the payment network with millions of transactions to transfer the latest Lady Gaga video to all their friends...<br />[/quote]<br />That&#039;s one of the reasons for transaction fees. &nbsp;There are other things we can do if necessary.<br /><br />[quote author=laszlo
link=topic=195.msg1612#msg1612 date=1276800631]<br />How long have you been working on this design Satoshi? &nbsp;It seems very well thought out, not the kind of thing you just sit down and code up without doing a lot of brainstorming and discussion on it first. &nbsp;Everyone has the obvious questions looking for holes in it but it is holding up well :)<br />[/quote]<br
/>Since 2007. &nbsp;At some point I became convinced there was a way to do this without any trust required at all and couldn&#039;t resist to keep thinking about it. &nbsp;Much more of the work was designing than coding.<br /><br />Fortunately, so far all the issues raised have been things I previously considered and planned for.
1619	84	6	1276882098	1619	0		xx	1	Re: On IRC bootstrapping	The SVN version now uses IRC first and if that fails it falls back to a hardcoded list of seed nodes. &nbsp;There are enough seed nodes now that many of them should still be up by the time of the next release. &nbsp;It only briefly connects to a seed node to get
the address list and then disconnects, so your connections drop back to zero for while. &nbsp;At that point, be patient. &nbsp;It&#039;s only slow to get connected the first time.<br /><br />This means TOR users won&#039;t need to -addnode anymore, it&#039;ll get connected automatically. &nbsp;
1620	183	5	1276902514	1620	0		xx	1	Re: Get 5 free bitcoins from freebitcoins.appspot.com	Excellent choice of a first project, nice work. &nbsp;I had planned to do this exact thing if someone else didn&#039;t do it, so when it gets too hard for mortals to generate 50BTC, new users could get some coins to play with right
away. &nbsp;Donations should be able to keep it filled. &nbsp;The display showing the balance in the dispenser encourages people to top it up.<br /><br />You should put a donation bitcoin address on the page for those who want to add funds to it, which ideally should update to a new address whenever it receives something.
1646	149	6	1277140821	1646	0		xx	1	Re: Bitcoin in Ubuntu 10.04	[quote author=NewLibertyStandard link=topic=149.msg1203#msg1203 date=1274632092]<br />Bitcoin looks ugly in Ubuntu&#039;s new default theme. It seems that some, but not all of the theme settings are being picked up. The unselected file menu should have light text
with a dark background, but it incorrectly has light text with a light background. They&#039;re similar enough that it&#039;s unreadable on my display. It should be fixed before the next stable release.<br />[/quote]<br />This is now fixed in the SVN version.<br />1) Menu bar default color.<br />2) Balance bar not a different color.<br />3) Background behind bitcoin address
and balance now the same color as toolbar.<br /><br />I checked all the standard themes and it seems reasonable with all of them.<br /><br />Ubuntu minimize,maximize,close buttons to the right:<br />gconf-editor<br />apps-&gt;metacity-&gt;general<br />button_layout=menu:minimize,maximize,close<br /><br />They&#039;ve got it awfully buried considering 9 out of 10 users are
used to having it on the right.
1647	198	1	1277142506	1647	0		xx	1	Re: Dying bitcoins	Lost coins only make everyone else&#039;s coins worth slightly more.&nbsp; Think of it as a donation to everyone.<br /><br />[quote author=laszlo link=topic=198.msg1640#msg1640 date=1277128469]<br />I wonder though, is there a point where the difficulty of generating
a new coinbase is so high that it would make more sense to try to recover keys for lost coins or steal other people&#039;s coins instead?&nbsp; The difficulty of that is really high so for now it makes a lot more sense to generate but I just wonder what the real figures are.. would that ever become more productive?&nbsp; Maybe Satoshi can address this..<br />[/quote]<br
/>Computers have to get about 2^200 times faster before that starts to be a problem.&nbsp; Someone with lots of compute power could make more money by generating than by trying to steal.
1648	43	1	1277143757	1648	0		xx	1	Re: Proof-of-work difficulty increasing I integrated the hashmeter idea into the SVN version.&nbsp; It displays khash/s in the left section of the status bar.<br /><br />Two new log messages:<br />21/06/2010 01:23 hashmeter&nbsp;  2 CPUs&nbsp; &nbsp; 799 khash/s<br />21/06/2010 01:23 generated
50.00<br /><br />grep your debug.log for &quot;generated&quot; to see what you&#039;ve generated, and grep for &quot;hashmeter&quot; to see the performance.&nbsp; On windows, use:<br /> findstr &quot;hashmeter generated&quot; &quot;%appdata%\\bitcoin\\debug.log&quot;<br /><br />I have the hashmeter messages once an hour.&nbsp; How often do you think it should be?
1653	149	6	1277178356	1654	1277179504	satoshi xx	1	Re: Bitcoin in Ubuntu 10.04	On Ubuntu 10.04 it wouldn&#039;t remove the taskbar button cleanly, so I made it leave it there.<br /><br />But now that you mention it, it&#039;s probably better to have the feature, even if it&#039;s messy, than not to have it, though it may confuse a
few people when the taskbar button temporarily stays around but disappears if you click on it.<br /><br />Updated SVN.<br /><br />Thanks for testing.
1654	199	6	1277179313	1946	1278280234	satoshi xx	1	0.3 almost ready -- please test the Mac version!	I finished everything on my list to do for version 0.3. &nbsp;The code on SVN is about ready to release.<br /><br />Testing at this point is much appreciated.
1656	197	1	1277181326	1656	0		xx	1	Re: How fast do the fastest computers generate bitcoins?	I&#039;ve noticed that hashing performance doesn&#039;t vary as much between CPUs as you&#039;d expect.&nbsp; Compared to an old CPU, a newer CPU doesn&#039;t show as much of a speedup at hashing as it does on general benchmarks.<br
/><br />I guess recent CPU optimizations must have concentrated on things like I/O and branch prediction.&nbsp; Most programs are a bunch of memory access, comparisons and branching, they rarely get down to cranking away at maths for very long.<br /><br />The latest SVN version has a khash/s display.&nbsp; Around 400 khash/s per processor is typical.
1668	149	6	1277224783	1668	0		xx	1	Re: Bitcoin in Ubuntu 10.04	It&#039;s too late now for feature changes to 0.3, but I&#039;ll add that to the post-0.3 to do list.&nbsp; I never would have noticed that if you hadn&#039;t pointed it out.
1669	43	1	1277225474	1669	0		xx	1	Re: Proof-of-work difficulty increasing Agree.&nbsp; Certainly too trivial to clutter the user&#039;s attention with.<br /><br />I changed it to every 30 minutes.<br /><br />If I increased it to every 10 minutes, it would still be a small enough presence in the log file.&nbsp; Question is whether
that would be more output than the user wants when they grep.
1670	199	6	1277226127	1670	0		xx	1	Re: 0.3 almost ready	[quote author=lachesis link=topic=199.msg1658#msg1658 date=1277187602]<br />It would be nice if the listtransactions RPC method were finished before the next release, though. <br />[/quote]<br />My fear is too many programmers would latch onto that for checking for received
payments. &nbsp;It can never be reliable that way. &nbsp;The list/getreceivedbyaddress/label functions are the only way to do it reliably.<br /><br />We shouldn&#039;t delay forever until every possible feature is done.&nbsp; There&#039;s always going to be one more thing to do.
1671	199	6	1277228228	1785	1277510538	satoshi xx	1	Re: 0.3 almost ready	Here&#039;s RC1 for windows for testing:<br />(removed, see RC2 below)<br /><br />Please only download this if you&#039;re going to test and report back whether everything seems fine or not. &nbsp;Make sure to look through the files in &quot;c:\\program files\\bitcoin&quot;
1675	199	6	1277233901	1675	0		xx	1	Re: 0.3 almost ready	[quote author=davidonpda link=topic=199.msg1673#msg1673 date=1277231006]<br />EXCEPTION: 22DbRunRecoveryException<br />DBENv::open: DB_RUNRECOVERY: Fatal error, run database recovery<br />C:\\Program Files\\Bitcoin\\bitcoin.exe in OnInit()<br />[/quote]<br />What operating
system?<br /><br />Normally when it does that it&#039;s because the directory where the data directory should go doesn&#039;t exist. &nbsp;See if the &quot;%appdata%&quot; directory exists.<br /><br />Do you get that error with 0.2 also? &nbsp;It&#039;s hard to see how you could get that with 0.3 and not with 0.2 since there&#039;s nothing different in that regard.<br />
1677	199	6	1277234713	1677	0		xx	1	Re: 0.3 almost ready	davidonpda, were you also running laszlo&#039;s build previously?<br /><br />Check if the &quot;%appdata%&quot; directory exists, and &quot;%appdata%\\bitcoin&quot;<br /><br />Try:<br /> rename &quot;%appdata%\\bitcoin&quot; bitcoin2 <br /><br />does it work then?
1679	199	6	1277235983	1679	0		xx	1	Re: 0.3 almost ready	You figured it out faster than I could post a reply. &nbsp;:)<br /><br />It looks like laszlo&#039;s build of Berkeley DB has database/log.* files that are not compatible with ours. &nbsp;The .dat files are fine, their format shouldn&#039;t ever change. &nbsp;All data is
stored in the .dat files. &nbsp;All your own data is stored in wallet.dat. &nbsp;If you had waited for it to redownload the block chain, your missing transactions and generateds would have appeared as the block chain reached the point where those transactions were recorded.<br /><br />When you copied the directory except log.0000000002, that&#039;s the best solution.&nbsp;
You should be good now.<br /><br />The database/log.* files only contain temporary database data. &nbsp;If you exited bitcoin normally the last time, not exited by forced terminating it or crashing, then the database/log.* files can normally be deleted safely. &nbsp;They&#039;re only used so that if the database is in the middle of a transaction when the computer crashes
or the program is killed or crashes, then it could recover without losing data.<br /><br />Please keep running v0.3 if at all possible, don&#039;t go back to v0.2.10.<br /><br />Anyone else who hits this problem, move the database\\log.000000000* files somewhere else.&nbsp; (if it works fine after that, you can delete them later)<br /><br />I&#039;m reluctant to make the
installer delete or move those files.&nbsp; If the previous run was stopped by crashing or killed, that would be the wrong thing to do.<br />
1686	199	6	1277245419	1686	0		xx	1	Re: 0.3 almost ready	Laszlo figured out that enabling some more optimisation increased performance about 20%, so 0.3 hashes 20% faster than 0.2.0, but I assume he used that in his own build.<br /><br />30khash increase to what total rate?&nbsp; (to figure the % increase)
1748	199	6	1277401205	1786	1277511267	satoshi xx	1	Re: 0.3 almost ready	Here&#039;s RC1 for linux for testing:<br />(link removed, see below)<br /><br />It contains both 32-bit and 64-bit binaries.<br /><br />Recent changes:<br /><br />build-unix.txt:<br />- Added instructions for building wxBase, which is needed to compile bitcoind.<br />-
The package libboost-dev doesn&#039;t install anything anymore, you need to get libboost-all-dev.<br />- Updated version numbers.<br /><br />makefile.unix:<br />- The libboost libraries have removed the &quot;-mt&quot; from their filenames in 1.40. &nbsp;If you&#039;re compiling with Boost 1.38 or lower, like on Ubuntu Karmic, you would need to change it back to boost_system-mt
and boost_filesystem-mt.
1760	199	6	1277432261	1760	1277434814	satoshi xx	1	Re: 0.3 almost ready	I don&#039;t know. &nbsp;Maybe someone with more Linux experience knows how to install the library it needs.<br /><br />I built it on Ubuntu 10.04. &nbsp;I hope that wasn&#039;t a mistake. &nbsp;Maybe it should have been built on an older version for more backward
compatibility. &nbsp;Is this a problem on Linux, that if you build on the latest version, then it has trouble working on older versions?&nbsp; Is there any way I can downgrade to an older version of GCC on 10.04?<br /><br />The 64-bit version shouldn&#039;t be any faster than the 32-bit version, but it would be great if someone could do a side-by-side comparison of the two
linux versions and check. &nbsp;SHA-256 is a 32-bit algorithm and nothing in BitcoinMiner uses 64-bit at all.<br /><br />We don&#039;t need to bother with a 64-bit version for Windows. &nbsp;32-bit programs work on all versions of Windows. &nbsp;It&#039;s not like Linux where the 64-bit OS wants 64-bit programs.<br /><br />I&#039;m also curious if it&#039;s a little faster
on linux than windows.<br /><br />Do you think I should make the directories:<br />/bin32/<br />/bin64/<br />instead of<br />/bin/32/<br />/bin/64/
1769	199	6	1277475006	1769	0		xx	1	Re: 0.3 almost ready	Thanks virtualcoin, that&#039;s a perfect comparison.<br /><br />The 8% speedup from 32-bit Windows (2310k) to 32-bit Linux (2500k) is probably from the newer version of GCC on Linux (4.4.3 vs 3.4.5).<br /><br />The 15% speedup from 32-bit to 64-bit Linux is more of a
mystery.&nbsp; The code is completely 32-bit.<br /><br />Hmm, I think the 8 extra registers added by x86-64 must be what&#039;s helping.&nbsp; That would make a significant difference to SHA if it could hold most of the 16 state variables in registers.
1779	215	1	1277500515	1779	0		xx	1	Re: Bitcoin clients getting k-lined from the IRC bootstrapping channel	We need more details about what happened MadHatter.<br /><br />Both 0.2 and 0.3 have a backup way of getting connected without IRC, it&#039;s just slower to get connected.<br /><br />0.2 can find other nodes without IRC if
it&#039;s ever been connected before, but a new install can&#039;t discover the network for the first time without IRC.<br /><br />0.3 can also seed without IRC.&nbsp; It can operate entirely without IRC if it needs to, but it&#039;s better having IRC for redundancy.
1781	84	6	1277505647	1781	0		xx	1	Re: On IRC bootstrapping	[quote author=laszlo link=topic=84.msg1580#msg1580 date=1276540258]<br />I run an IRC server you can use, it&#039;s fairly stable but it&#039;s not on redundant connections or anything.&nbsp; It is only two servers right now but we don&#039;t mess with it or
anything, it just runs.<br /><br />My box is a dedicated irc server:<br /> 2:28PM&nbsp; up 838 days, 20:54, 1 user, load averages: 0.06, 0.08, 0.08<br /><br />You can use irc.lfnet.org to connect.<br />[/quote]<br />This seems like a good idea.<br /><br />What does everyone think, should we make the switch for 0.3?
1787	199	6	1277512329	1805	1277580009	satoshi xx	1	Re: 0.3 almost ready	Lets try using Laszlo&#039;s irc.lfnet.org instead of freenode. &nbsp;Here&#039;s RC2, that&#039;s the only change in it:<br /><br />(see below for download links)<br />
1797	215	1	1277562486	1797	0		xx	1	Re: Bitcoin clients getting k-lined from the IRC bootstrapping channel	Freenode is too visible, right in the middle of where all those users and moderators are hanging out.&nbsp; Laszlo&#039;s option is a much better fit for us.<br /><br />I made 0.3.0.RC2 available that uses irc.lfnet.org
instead of freenode if you want to start switching over:<br />http://www.bitcoin.org/smf/index.php?topic=199.msg1787#msg1787
1800	199	6	1277565010	1800	0		xx	1	Re: 0.3 almost ready	The first panel of the status bar is shared with the help description of menu items as you hover over them.&nbsp; Since all our menu item descriptions are blank, it replaces it with blank when you&#039;re hovering in a menu.
1803	217	6	1277571763	1803	0		xx	1	Beta?	Is it about time we lose the Beta?&nbsp; I would make this release version 1.3.
1806	199	6	1277580065	1926	1278107771	satoshi xx	1	Re: 1.3 almost ready	Changed the version number to 1.3 and removed &quot;Beta&quot;.<br /><br />(links removed, see below)<br /><br />Uses irc.lfnet.org.<br />
1814	177	1	1277585906	1814	0		xx	1	Re: Bitcoin mobile.	[quote author=sirius-m link=topic=177.msg1452#msg1452 date=1276177876]<br />You can of course use services like vekja.net or mybitcoin.com on a mobile browser, depositing money there to the extent you trust them. <br />[/quote]<br />I think that&#039;s the best option
right now.&nbsp; Like cash, you don&#039;t keep your entire net worth in your pocket, just walking around money for incidental expenses.<br /><br />They could make a smaller version of the site optimized for mobile.&nbsp; If there was an app, it could be a front end to one of those, with the main feature being QR-code reader, or maybe there&#039;s already a universal QR-code
reading app that web sites can be designed to accept scans from.<br /><br />If there was an iPhone app that was just a front end for vekja or mybitcoin, not a big involved P2P, would apple approve it and if not, on what basis?&nbsp; It could always be an Android app instead.&nbsp; An app is not really necessary though, just a mobile sized website.<br /><br />A web interface
to your own Bitcoin server at home wouldn&#039;t be a solution for everyone.&nbsp; Most users don&#039;t have a static IP, and it&#039;s too much trouble to set up port forwarding.<br />
1815	171	6	1277586366	1815	0		xx	1	Re: Building BitCoin Client completely Headless The linux release candidate in the &quot;1.3 almost ready&quot; thread contains prebuilt bitcoind.
1816	206	5	1277588392	1816	0		xx	1	Re: Bitcoin Faucet changes	Many big ISPs give you a new IP every time you connect, usually in the same class B (a.b.?.?). &nbsp;Maybe you should have a minimum time between payments per class-B.<br /><br />If you can&#039;t solve the problem, you can always keep lowering the amount of
bitcoins given until it&#039;s manageable, and always require captcha.
1827	217	6	1277642630	1827	0		xx	1	Re: Beta?	But 1.0 sounds like the first release.&nbsp; For some things newness is a virtue but for this type of software, maturity and stability are important.&nbsp; I don&#039;t want to put my money in something that&#039;s 1.0.&nbsp; 1.0 might be more interesting for a moment, but after
that we&#039;re still 1.0 and everyone who comes along thinks we just started.&nbsp; This is the third major release and 1.3 reflects that development history.&nbsp; (0.1, 0.2, 1.3)
1828	218	6	1277643758	1828	0		xx	1	Re: IPv6, headless client, and more	Welcome, Harry.<br /><br />I hadn&#039;t thought about starting out using bitcoind without using bitcoin first.&nbsp; I guess for now, this thread serves as the tutorial.&nbsp; <br /><br />The focus for bitcoind so far has been more on backend support for
websites.&nbsp; There&#039;s demand for things that would be nice for adminning headless generators like listgenerated.&nbsp; For the moment, you can grep the debug.log file for &quot;generated&quot; and &quot;hashmeter&quot; for some feedback.&nbsp; Generated blocks take about 24 hours before they&#039;re credited to your balance.
4037	437	6	1279479501	4037	0		xx	1	Re: Bitcoin 0.3.2 released	The change list is basically encompassed by what&#039;s listed in the first message. &nbsp;Everyone should upgrade to get the important security improvements.<br /><br />Minimizing to tray had at least 3 different glitches and bugs on Linux, including a crash one,
so I disabled it again.&nbsp; You can still re-enable the option with &quot;-minimizetotray&quot; if you want to use it anyway.&nbsp; The bugs/glitches are somewhere in wxWidgets or GTK or Gnome and I don&#039;t know how to fix them.&nbsp; Sorry, I just don&#039;t know what else to do, it&#039;s just too glitchy and buggy to have as a mainline feature.
4059	461	6	1279486162	4059	0		xx	1	JSON-RPC password	I uploaded to SVN my changes to add a password to JSON-RPC. &nbsp;If you&#039;re set up to build, please test it.<br /><br />The -server switch is replaced with -rpcpw=&lt;password&gt;, which is also used with bitcoind.<br />bitcoin -rpcpw=&lt;password&gt; &nbsp; &nbsp;--
runs with JSON-RPC port open<br />bitcoind -rpcpw=&lt;password&gt; &nbsp; -- daemon with password<br /><br />If you have a better idea for the switch name, let me know, but keep in mind there will eventually be a password for encrypting the database too.&nbsp; I&#039;m not sure but I think they may want to use different passwords for the two.<br /><br />It gives a warning if
you don&#039;t set a password.<br /><br />All commands now require the password as the first parameter. &nbsp;It&#039;ll tell you that if you run &quot;bitcoind help&quot;.<br /><br />The central code:<br /><br /> &nbsp;// Check password<br /> &nbsp;if (params.size() &lt; 1 || params[0].type() != str_type)<br /> &nbsp; &nbsp; &nbsp;throw runtime_error(&quot;First parameter
must be the password.&quot;);<br /> &nbsp;if (params[0].get_str() != strRPCPassword)<br /> &nbsp;{<br /> &nbsp; &nbsp; &nbsp;if (strRPCPassword.size() &lt; 15)<br /> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Sleep(50);<br /> &nbsp; &nbsp; &nbsp;begin = strRequest.end();<br /> &nbsp; &nbsp; &nbsp;printf(&quot;ThreadRPCServer incorrect password attempt\\n&quot;);<br /> &nbsp; &nbsp;
&nbsp;throw runtime_error(&quot;Incorrect password.&quot;);<br /> &nbsp;}<br /><br />Any comments on these decisions?<br /><br />1) if (strRPCPassword.size() &lt; 15) Sleep(50); &nbsp;-- this means if it&#039;s a short password, it&#039;ll wait 50ms after each attempt. &nbsp;This might be used as a DoS attack, but I figured if it&#039;s a short password, it&#039;s more
important to protect against brute force password scan. &nbsp;This may tell outsiders whether the password is less than 15 characters, but less than 15 isn&#039;t all that noteworthy, most passwords are less than 15. &nbsp;If you want to close the DoS possibility, just use a password 15 characters or longer.<br /><br />2) begin = strRequest.end(); &nbsp;-- if it&#039;s a single
request with multiple invocations, I throw away the rest if one has a bad password. &nbsp;This is so you can&#039;t stuff it with millions of password attempts in one packet. &nbsp;What do you think, is this the right thing to do? &nbsp;(multiple invocation is probably almost never used anyway)<br /><br />I also fixed the two duplicated commands listed in the help:<br /><br
/>getaddressesbylabel &lt;pw&gt; &lt;label&gt;<br />getbalance &lt;pw&gt;<br />getblockcount &lt;pw&gt;<br />getblocknumber &lt;pw&gt;<br />getconnectioncount &lt;pw&gt;<br />getdifficulty &lt;pw&gt;<br />getgenerate &lt;pw&gt;<br />getinfo &lt;pw&gt;<br />getlabel &lt;pw&gt; &lt;bitcoinaddress&gt;<br />getnewaddress &lt;pw&gt; [label]<br />getreceivedbyaddress &lt;pw&gt;
&lt;bitcoinaddress&gt; [minconf=1]<br />getreceivedbylabel &lt;pw&gt; &lt;label&gt; [minconf=1]<br />help &lt;pw&gt;<br />listreceivedbyaddress &lt;pw&gt; [minconf=1] [includeempty=false]<br />listreceivedbylabel &lt;pw&gt; [minconf=1] [includeempty=false]<br />sendtoaddress &lt;pw&gt; &lt;bitcoinaddress&gt; &lt;amount&gt; [comment] [comment-to]<br />setgenerate &lt;pw&gt;
&lt;generate&gt; [genproclimit]<br />setlabel &lt;pw&gt; &lt;bitcoinaddress&gt; &lt;label&gt;<br />stop &lt;pw&gt;<br />
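The two decisions the post asks about, as an added example that is not the Bitcoin 0.3.x source: a small JSON-RPC 1.0 dispatcher that takes the password as the first positional parameter, delays wrong guesses when the configured password is shorter than 15 characters, and discards the rest of a batch once one invocation fails the password check (the `begin = strRequest.end()` behaviour). The command table, the `RpcServer` name and the injectable `sleep` are assumptions for the example; it also swaps the post&#039;s plain `!=` for `hmac.compare_digest`, which is a change from what the post shows.

```python
import hmac
import json
import time

# Constructed example, not the Bitcoin 0.3.x source: a minimal JSON-RPC 1.0
# dispatcher that takes the password as the first positional parameter, the
# way the post describes, and stops processing a batch after a bad password.

SHORT_PASSWORD_LEN = 15     # threshold from the post: shorter passwords get a delay
BRUTE_FORCE_DELAY_S = 0.05  # the post's Sleep(50)


def _ok(result, req_id):
    return {"result": result, "error": None, "id": req_id}


def _err(message, req_id):
    return {"result": None, "error": {"code": -1, "message": message}, "id": req_id}


class RpcServer:
    def __init__(self, password, sleep=time.sleep):
        self.password = password
        self.sleep = sleep  # injectable so tests do not actually wait
        # Hypothetical command table; real bitcoind exposes many more methods.
        self.commands = {
            "getblockcount": lambda: 73000,
            "getbalance": lambda: 50.0,
        }

    def check_password(self, params):
        """Mirror the post's central code: params[0] must be the password."""
        if len(params) < 1 or not isinstance(params[0], str):
            raise ValueError("First parameter must be the password.")
        # Constant-time compare instead of the post's plain !=, so the
        # comparison itself does not leak how many leading bytes matched.
        if not hmac.compare_digest(params[0].encode(), self.password.encode()):
            if len(self.password) < SHORT_PASSWORD_LEN:
                self.sleep(BRUTE_FORCE_DELAY_S)   # slow down online brute force
            raise PermissionError("Incorrect password.")

    def _call(self, req):
        req_id = req.get("id")
        params = req.get("params", [])
        self.check_password(params)
        method = self.commands.get(req.get("method"))
        if method is None:
            return _err("Method not found", req_id)
        return _ok(method(*params[1:]), req_id)   # strip the password before dispatch

    def handle(self, body):
        """Process one request body (single object or batch); return a list of responses."""
        parsed = json.loads(body)
        batch = parsed if isinstance(parsed, list) else [parsed]
        responses = []
        for req in batch:
            try:
                responses.append(self._call(req))
            except PermissionError as e:
                responses.append(_err(str(e), req.get("id")))
                break   # throw away the rest: one packet cannot carry many guesses
            except ValueError as e:
                responses.append(_err(str(e), req.get("id")))
        return responses
```

A missing or non-string first parameter only fails that one invocation, as in the post&#039;s code; only a wrong password aborts the remainder of the batch, and the delay applies only while the configured password is under 15 characters.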
4068	453	6	1279488249	4071	1279489045	satoshi xx	1	Re: MSVC build &amp; SHA-256	OpenSSL doesn&#039;t have any interface for doing just the low level raw block hash part of SHA256. &nbsp;SHA256 begins by wrapping your data in a specially formatted buffer. &nbsp;Setting up the buffer takes an order of magnitude longer than the actual
hashing if you&#039;re only hashing one or two blocks like we do. &nbsp;It&#039;s intended that the time is amortised if you were hashing many KB or MB of data. &nbsp;In BitcoinMiner, we format the buffer once and keep reusing it.<br /><br />If you can find SHA256 code that&#039;s faster (with MinGW/GCC) than what we&#039;ve got, that would be really great! &nbsp;(although,
keep licensing in mind) &nbsp;The one we have is the only one I tried, so there&#039;s significant chance for improvement. <br /><br />When I wrote it more than 2 years ago, there were screaming hot SHA1 implementations but minimal attention to SHA256. &nbsp;That&#039;s a lot of time for them to come up with better stuff. &nbsp;SHA256 was a lot slower than the fastest SHA1
at the time, more than I thought it should be. &nbsp;Obviously SHA256 should be slower than SHA1 by a certain amount, but not by as much as I saw.<br /><br />(hope you don&#039;t mind I renamed your thread, SHA-256 optimisation is something important that I keep forgetting about)
4073	431	1	1279490178	4073	0		xx	1	Re: Nenolod, the guy that wants to prove Bitcoin doesn't work.	Typically, over 25,000 BTC.
4095	441	1	1279496127	4095	0		xx	1	Re: Did block generation crawl to a halt?	Nice graph! &nbsp;A moving average to smooth it out would be nice.<br /><br />http://nullvoid.org/bitcoin/statistix.php&nbsp;says 212 blocks in the last 24 hours, or 8.8 per hour.
4169	461	6	1279514593	4169	0		xx	1	Re: JSON-RPC password	Right, that is quite a bit better.&nbsp; <br /><br />Can you give me any examples of other stuff that does it that way?&nbsp; (and what the command line looks like)<br /><br />The main change you&#039;re talking about here is instead of -rpcpw= when you start bitcoind,
you&#039;d use a switch that specifies a text file to go and read it from, right?&nbsp; (any ideas what I should name the switch?)
4263	479	1	1279555298	5905	1280165660	satoshi xx	1	Warning: don't use -server or bitcoind where you web browse (v0.3.2 and lower)	Don&#039;t use the -server or -daemon switch or run bitcoind on a machine where you use a web browser. &nbsp;It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn&#039;t think that web
browsers could cross-site access it, but it is possible.<br /><br />We&#039;re working on a release soon that puts a password on the JSON-RPC interface, but until then, avoid using the -server switch, and don&#039;t web browse on the same machine where bitcoind is running.<br /><br />Update:<br />The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.
4268	461	6	1279556450	4268	0		xx	1	Re: JSON-RPC password	So you drop a settings file in the ~/.bitcoin directory, that sounds better. &nbsp;In the &quot;no password is set&quot; warning, it could tell you where the file is and what to do.<br /><br />What is the most popular and common settings file format?<br /><br />HTTP basic
authentication should be considered. &nbsp;In actual practice though, it&#039;s more work for web developers to figure out how to specify the password through some extra parameter in the HTTP or JSON-RPC wrapper than to just stick an extra parameter at the beginning of the parameter list. &nbsp;What do you think? &nbsp;Does HTTP basic authentication get us any additional
benefits?&nbsp; Moving it off the parameter list but then you still have to specify it in a more esoteric place I&#039;m not sure is a net win. <br /><br />[quote author=gavinandresen link=topic=461.msg4215#msg4215 date=1279540959]<br />I was confused for a bit because the password is given LAST on the command line, but FIRST in the JSON-RPC params list. &nbsp;I agree that
reading the command-line password from a file would be more convenient and more secure.<br />[/quote]<br />You&#039;re also confusing me, what do you mean? &nbsp;Did I do something unintended?
4508	342	1	1279651108	4934	1279767768	satoshi xx	1	Re: They want to delete the Wikipedia article	Bitcoin is an implementation of Wei Dai&#039;s b-money proposal http://weidai.com/bmoney.txt on Cypherpunks http://en.wikipedia.org/wiki/Cypherpunks in 1998 and Nick Szabo&#039;s Bitgold proposal http://unenumerated.blogspot.com/2005/12/bit-gold.html<br
/><br />The timing is strange, just as we are getting a rapid increase in 3rd party coverage after getting slashdotted. &nbsp;I hope there&#039;s not a big hurry to wrap the discussion and decide. &nbsp;How long does Wikipedia typically leave a question like that open for comment?<br /><br />It would help to condense the article and make it less promotional sounding as
soon as possible. &nbsp;Just letting people know what it is, where it fits into the electronic money space, not trying to convince them that it&#039;s good. &nbsp;They probably want something that just generally identifies what it is, not tries to explain all about how it works.<br /><br />If you post in http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Bitcoin
please don&#039;t say &quot;yeah, but bitcoin is really important and special so the rules shouldn&#039;t apply&quot; or argue that the rule is dumb or unfair. &nbsp;That only makes it worse. &nbsp;Try to address how the rule is satisfied.<br /><br />Search &quot;bitcoin&quot; on google and see if you can find more big references in addition to the infoworld and slashdot
ones. &nbsp;There may be very recent stuff being written by reporters who heard about it from the slashdot article.<br /><br />I hope it doesn&#039;t get deleted. &nbsp;If it does, it&#039;ll be hard to overcome the presumption.&nbsp; Institutional momentum is to stick with the last decision.&nbsp; (edit: or at least I assume so, that&#039;s how the world usually works,
but maybe Wiki is different)<br />
4577	461	6	1279670720	4577	0		xx	1	Re: JSON-RPC password	Still need to know what&#039;s the most typical settings file format on Linux.&nbsp; Is there a standard file extension?&nbsp; I&#039;ve never seen a settings file using JSON, and it doesn&#039;t look very human friendly with everything required to be in quotes.&nbsp;
I think what I usually see is like:<br /># comment<br />setting=value<br /><br />Is there a settings file thing in Boost?<br /><br />When you&#039;re using bitcoind to issue commands from the command line as a client, can we have it get the password from the settings file then too?<br /><br />Gavin pointed out I forgot to increment the column of numbers in CommandLineRPC,
so the current -rpcpw= implementation doesn&#039;t work right from the command line with non-string parameters.&nbsp; (JSON-RPC is fine)&nbsp; Still under construction.
4646	461	6	1279691494	4646	0		xx	1	Re: JSON-RPC password	I was researching config file formats, here&#039;s a comparison.<br /><br />YAML is massive. &nbsp;I&#039;m not sure there&#039;s a lightweight easy to build library we can integrate into our project. &nbsp;Seems overkill.<br /><br />JSON is tempting and I&#039;m inclined
to like it, but two main sticking points:<br />1) No comments! &nbsp;How can you have a config file where you can&#039;t comment out a line to disable it?<br />2) Not very user friendly to have to &quot;quote&quot; all the strings, including the keys, and also have to remember the comma at the end of lines.<br />{<br /> &nbsp; &nbsp;&quot;key&quot; : &quot;value&quot;,<br
/>}<br /><br />I suppose we could easily preprocess JSON reading the config file one line at a time, truncate the lines at any # character (and/or &quot;//&quot;?), concatenate them into a string and pass it to JSON, so you could go:<br /># comment<br />&quot;key&quot; : &quot;value&quot;, &nbsp; # still have to remember the comma <br />&quot;key2&quot; : &quot;value&quot;,
&nbsp; // comment like this or both<br /><br />Boost has boost::program_options.<br /><br />We could read lines ourselves and feed them into a map&lt;string, string&gt; mapConfig.<br /><br />while (!eof)<br /> &nbsp;read line<br /> &nbsp;if &#039;#&#039; found, truncate line<br /> &nbsp;split line at first &#039;:&#039; -&gt; key, value<br /> &nbsp;mapConfig.insert(key,
value)<br /><br />If we use the syntax:<br /># comment<br />key : value<br /><br />...and don&#039;t allow whitespace indenting before the keys, I guess we would be a subset of YAML and could switch to YAML someday if we need more complexity. <br /><br />If we go with self parsed, that doesn&#039;t mean we can&#039;t use JSON on particular parameter values as needed. &nbsp;If
an option needs a list or more structured data, it could always parse its value as json:<br />key : [&quot;item1&quot;, &quot;item2&quot;, &quot;item3&quot;]<br /><br />Although it has to be all on one line then.<br /><br />I guess I&#039;m leaning towards self parsed mapConfig:<br /># comment<br />key : value<br />
4758	461	6	1279728477	4758	0		xx	1	Re: JSON-RPC password	[quote author=gavinandresen link=topic=461.msg4709#msg4709 date=1279714270]<br />I just did a quick survey of 20 .conf files in /etc on my debian system, and found:<br /> 1 file used &quot;key value&quot;<br /> 5 used &quot;key=value&quot;&nbsp; <br />[/quote]<br />Thanks
for that survey!<br /><br />I find &quot;key value&quot; a little unnatural.&nbsp; There ought to be a more definite separator between key and value that suggests assignment.&nbsp; The space people may just be getting lazy using their language&#039;s split function.<br />key=some full sentence with spaces in it.&nbsp; # seems more clear<br />key some full sentence with
spaces in it.&nbsp; # than this<br /><br />All right then, let&#039;s go with self-parsed mapConfig, syntax:<br /># comment<br />key=value<br /><br />file extension .conf.&nbsp; What&#039;s the filename, is it ~/.bitcoin/settings.conf or ~/.bitcoin/bitcoin.conf or what?&nbsp;  <br /><br />I think we better strip whitespace at the beginning and end of the key and the value.<br />#
user who likes column formatted <br />k&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = value<br />key&nbsp; &nbsp; &nbsp; &nbsp;  = value<br />longerkey =&nbsp;  this sentence would be this&nbsp; &nbsp; # &quot;this sentence would be this&quot;<br />&nbsp; &nbsp; &nbsp; &nbsp; key = value&nbsp;  # guess this is ok too<br />&nbsp; nextkey = value<br />&nbsp; &nbsp; &nbsp; right =
justified<br /><br />The normal syntax should be &quot;key=value&quot;, but you can&#039;t blame people for the occasional &quot;key = value&quot;.
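The self-parsed mapConfig format settled on in the two posts above (key=value, lines truncated at #, split at the first '=', whitespace stripped from both key and value), as an added C++ example that is not Bitcoin's own code; the sample config text is constructed here and the rpcpw key name is an assumption for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Added example (not Bitcoin's own code): the "key=value" config format
// sketched in the thread, read line by line into a map<string, string>.
typedef std::map<std::string, std::string> ConfigMap;

// Strip leading and trailing whitespace, as suggested for keys and values.
static std::string Trim(const std::string& s)
{
    std::string::size_type b = 0, e = s.size();
    while (b < e && std::isspace((unsigned char)s[b])) ++b;
    while (e > b && std::isspace((unsigned char)s[e - 1])) --e;
    return s.substr(b, e - b);
}

// Parse one line; returns false when the line carries no setting
// (blank, comment-only, no '=', or empty key).
bool ParseConfigLine(const std::string& rawLine, std::string& key, std::string& value)
{
    std::string line = rawLine;
    // Truncate at '#': everything after it is a comment. Under this rule a
    // value that itself contains '#' (a password, say) would be cut short.
    std::string::size_type hash = line.find('#');
    if (hash != std::string::npos) line.erase(hash);
    // Split at the first '=' only, so a value may itself contain '='.
    std::string::size_type eq = line.find('=');
    if (eq == std::string::npos) return false;
    key = Trim(line.substr(0, eq));
    value = Trim(line.substr(eq + 1));
    return !key.empty();
}

ConfigMap ParseConfig(std::istream& in)
{
    ConfigMap mapConfig;
    std::string line, key, value;
    while (std::getline(in, line))
        if (ParseConfigLine(line, key, value))
            // map::insert keeps the first occurrence; a repeatable option
            // such as addnode would need a multimap instead.
            mapConfig.insert(std::make_pair(key, value));
    return mapConfig;
}

ConfigMap ParseConfigString(const std::string& text)
{
    std::istringstream in(text);
    return ParseConfig(in);
}

// Constructed sample mirroring the column-formatted lines from the post
// (key names "key2", "rpcpw", "addnode" and "items" are made up here).
const char* const kSampleConf =
    "# user who likes column formatted\n"
    "k           = value\n"
    "key         = value\n"
    "longerkey =   this sentence would be this    # \"this sentence would be this\"\n"
    "        key2 = value   # guess this is ok too\n"
    "  nextkey = value\n"
    "rpcpw=example-password\n"
    "addnode=1.2.3.4\n"
    "addnode=5.6.7.8\n"
    "items=[\"item1\", \"item2\", \"item3\"]   # JSON on one line, kept verbatim\n"
    "notasetting\n";

// Look up a key in the parsed sample; returns "" when absent.
std::string SampleValue(const std::string& key)
{
    ConfigMap m = ParseConfigString(kSampleConf);
    ConfigMap::const_iterator it = m.find(key);
    return it == m.end() ? std::string() : it->second;
}

int main()
{
    ConfigMap mapConfig = ParseConfigString(kSampleConf);
    for (ConfigMap::const_iterator it = mapConfig.begin(); it != mapConfig.end(); ++it)
        std::cout << it->first << " -> [" << it->second << "]\n";
    return 0;
}
```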
1135	54	4	1274054163	1135	0		xx	1	Re: Setting up multiple bitcoin machines behind NAT	At the moment, it always assumes the incoming port is 8333, so it would tell other bitcoin nodes to connect to router:8333 even if you&#039;re redirecting from another port number.<br /><br />I&#039;m not in a big hurry to fix this because
I can&#039;t think of any benefit to having more than one incoming connection port.&nbsp; If you&#039;re providing one incoming port, then you&#039;ve done your bit to help the network.&nbsp; Having two incoming ports to the same person doesn&#039;t help redundancy.<br /><br />If you have many computers, then using the -connect switch on most of them to connect locally makes more sense.
1143	112	8	1274151491	1143	0		xx	1	Re: Is there a way to automate bitcoin payments for a website?	A little late, but in case anyone else has the same issue.&nbsp; The compile dump had 2 warnings (that were 20 lines long) and 2 link errors.&nbsp; The errors were:<br />[quote]<br />obj/nogui/init.o(.gnu.linkonce.t._ZNK13wxArrayString4ItemEm+0x13):
In function `wxArrayString::Item(unsigned long) const&#039;:<br />/usr/local/include/wx-2.9/wx/buffer.h:42: undefined reference to `wxTheAssertHandler&#039;<br /><br />obj/nogui/init.o(.gnu.linkonce.t._ZNK13wxArrayString4ItemEm+0x45): In function `wxArrayString::Item(unsigned long) const&#039;:<br />/usr/src/bitcoin/trunk/uint256.h:526: undefined reference to `wxOnAssert(char
const*, int, char const*, char const*, wchar_t const*)&#039;<br />[/quote]<br /><br />Those are probably due to switching to the release build of wxWidgets instead of debug.&nbsp; They&#039;re moving towards only debug build and ditching the release build, so they probably don&#039;t care that their release build is broken by referring to non-existent assert stuff.&nbsp;
There&#039;s nothing to fear about the debug build.&nbsp; It&#039;s fully suitable for releases.<br /><br />bitcoind runs as a daemon and can either be controlled by command line or JSON-RPC.<br /><br />Thanks madhatter and generica for detailing the instructions for building on freebsd.
1149	125	4	1274213206	1149	0		xx	1	Re: Ummmm... where did my bitcoins go?	It&#039;s not the download so much as verifying all the signatures in all the blocks as it downloads that takes a long time.<br /><br />How long is the initial block download typically taking?&nbsp; Does it slow down half way through or is about the
same speed the whole way?<br /><br />I&#039;ve thought about ways to do a more cursory check of most of the chain up to the last few thousand blocks.&nbsp; It is possible, but it&#039;s a lot of work, and there are a lot of other higher priority things to work on.<br /><br />Simplified Payment Verification is for lightweight client-only users who only do transactions and
don&#039;t generate and don&#039;t participate in the node network.&nbsp; They wouldn&#039;t need to download blocks, just the hash chain, which is currently about 2MB and very quick to verify (less than a second to verify the whole chain).&nbsp; If the network becomes very large, like over 100,000 nodes, this is what we&#039;ll use to allow common users to do transactions
without being full blown nodes.&nbsp; At that stage, most users should start running client-only software and only the specialist server farms keep running full network nodes, kind of like how the usenet network has consolidated.<br /><br />SPV is not implemented yet, and won&#039;t be implemented until far in the future, but all the current implementation is designed around
supporting it.<br /><br />In the meantime, sites like [url=http://vekja.net]vekja.net[/url] and [url=http://www.mybitcoin.com]www.mybitcoin.com[/url] have been experimenting with account-based sites.&nbsp; You create an account on a website and hold your bitcoins on account there and transfer in and out.&nbsp; Creating an account on a website is a lot easier than installing
and learning to use software, and a more familiar way of doing it for most people.&nbsp; The only disadvantage is that you have to trust the site, but that&#039;s fine for pocket change amounts for micropayments and misc expenses.&nbsp; It&#039;s an easy way to get started and if you get larger amounts then you can upgrade to the actual bitcoin software.
1169	30	5	1274391822	1169	0		xx	1	Re: We accept Bitcoins	[quote author=DataWraith link=topic=30.msg1161#msg1161 date=1274298762]<br />Can I just butt in with a question on why that is? To me it seems that if Bitcoin uses public-key cryptography to transfer ownership of the coins, it should be a trivial matter to include a short
message that is only readable by the recipient.<br />[/quote]<br />Almost but not quite. &nbsp;Bitcoin uses EC-DSA, which can only do digital signing, not encryption. &nbsp;RSA can do both, but I didn&#039;t use it because it&#039;s an order of magnitude bigger and would have been impractical.
1252	157	6	1274898445	1254	1274899988	satoshi xx	1	JSON-RPC programming tips using labels	I added label related functions to help with managing multiple addresses per user. &nbsp;New or renamed functions are:<br /> getreceivedbyaddress -- amount received on a single address<br /> getreceivedbylabel -- amount received by
all addresses with this label<br /> listreceivedbyaddress -- list addresses and amounts they&#039;ve received<br /> listreceivedbylabel -- list labels and amounts they&#039;ve received<br /> setlabel -- misc label functions for completeness<br /> getlabel<br /> getaddressesbylabel<br /><br />For consistency I renamed getamountreceived-&gt;getreceivedbyaddress and
getallreceived-&gt;listreceivedbyaddress. &nbsp;The old names are still there so as not to break existing code, but they&#039;re deprecated.<br /><br />The idea is that if you give the username whenever you call getnewaddress, you can get the user&#039;s total received across all their addresses using the &quot;bylabel&quot; functions. &nbsp;You can freely change their
address without worrying about tracking all their old addresses.<br /><br />A good way to automate changing the user&#039;s receiving address: just before displaying their current address, check if it has been used to receive anything, if it has then replace it with a new one:<br /><br />// Get a new address whenever the current one has received anything<br />if (strAddr
== &quot;&quot; || getreceivedbyaddress(strAddr) &gt; 0)<br /> &nbsp; strAddr = getnewaddress(strUsername); // Label the address with username<br />Display(strAddr); // Display their current receiving address<br /><br />// Get total received by all the user&#039;s addresses<br />getreceivedbylabel(strUsername, 0) // unconfirmed<br />getreceivedbylabel(strUsername, 1) //
available balance<br /><br />If you&#039;re just getting one particular user&#039;s balance, such as in response to a page request by that user, use getreceivedbylabel, but if you&#039;re scanning over all users, it&#039;s better to use listreceivedbylabel to get the complete list and scan against the result. &nbsp;Scanning users with getreceivedbylabel would be n-squared,
using listreceivedbylabel is n-log-n (or n linear).<br /><br />You should only really need to scan all users if you&#039;re polling in order to spontaneously take action in response to money received, rather than the user going to a webpage, seeing their balance and telling you what to do with it. &nbsp;It&#039;s not necessary to poll very frequently. &nbsp;If you require
1 confirmation, that&#039;ll take an average of 10 minutes anyway, so there&#039;s no point in polling more often than every few minutes.<br /><br />If you&#039;re selling digital goods and services, where you don&#039;t lose much if someone gets a free access, and it can&#039;t be resold for profit, I think you&#039;re fine to accept 0 confirmations.<br /><br />It&#039;s
mostly only if you were selling gold or currency that you&#039;d need multiple confirmations.<br />
1254	154	6	1274899864	1254	0		xx	1	Re: Tracing a coin's lineage	[quote author=Xunie link=topic=154.msg1242#msg1242 date=1274835004]<br />Can&#039;t we force a user to use a new address for receiving payments?<br />Every time a payment is received display another Bitcoin address in the address bar. (only transactions via Bitcoin
addresses, NOT IPs of course, since that&#039;d be useless, right?)<br />The actual key would still be kept to ensure that the user would still receive payments of people sending to the same address.<br />[/quote]<br />This is on my list.&nbsp; I will soon make the &quot;Your Bitcoin Address:&quot; window automatically change whenever you receive anything to the address
displayed.<br /><br />I&#039;m also recommending this approach for the implementation of web apps.&nbsp; I just posted some sample code showing a suggested way of implementing this.<br /><br />Versions on SVN since 0.2.4 already have a &quot;New...&quot; button next to the address bar to encourage changing it manually too.<br /><br />@theymos: If nothing else, we can fall
back on that solution in the future.
1256	145	6	1274904574	1256	0		xx	1	Re: CLI bitcoin generation	[quote author=molybdenum link=topic=145.msg1194#msg1194 date=1274553860]<br />An optional parameter to specify the minimum number of blocks after that transaction (getallreceived 1 for current behavior, or just getallreceived, getallreceived 5 for the paranoid,
getallreceived 0 for instant confirms)?<br />[/quote]<br />Yeah, that actually is what it is.&nbsp; getallreceived 0 should do what you want.&nbsp; (now it&#039;s renamed to listreceivedbyaddress 0)&nbsp; The default is 1 confirmation, but I think in reality most digital goods and services can be 0 confirmations.&nbsp; Like you say, if you need more than 0 confirmations,
you could show two numbers, unconfirmed and available balance, so they immediately see their transaction went through.<br /><br />listreceivedbyaddress [minconf=1] [includeempty=false]<br />[minconf] is the minimum number of confirmations before payments are included.<br />[includeempty] whether to include addresses that haven&#039;t received any payments.<br />Returns
an array of objects containing:<br />&nbsp; &quot;address&quot; : receiving address<br />&nbsp; &quot;label&quot; : the label of the receiving address<br />&nbsp; &quot;amount&quot; : total amount received by the address<br />&nbsp; &quot;confirmations&quot; : number of confirmations of the most recent transaction included<br /><br />or listreceivedbylabel if you&#039;re
labelling addresses with their username.<br /><br />So far I&#039;ve concentrated on functions for web merchants, not so much on stuff for remote management of headless coin generators yet.
1258	153	6	1274906074	1258	0		xx	1	Re: Share database blocks ?	It does in fact download 500 blocks at a time, then the counter counts one at a time as it verifies the blocks.<br /><br />The advantage of letting bitcoin download and verify the blocks is that you do not have to trust the person you&#039;re downloading them
from. &nbsp;If you downloaded the blk*.dat files from some site, you would have to trust that site, since you would be accepting the data without verifying it yourself. &nbsp;If you&#039;re copying blk*.dat from another computer of yours, that should be fine.<br /><br />How long is the initial block download taking for you?
1259	151	6	1274908594	3234	1279218020	satoshi xx	1	Re: Website translations	Does anyone want to translate the Bitcoin client itself? &nbsp;It would be great to have at least one other language in the 0.3 release.<br /><br />All you have to do is get poedit and translate the po file I&#039;m attaching to this post. &nbsp;It&#039;s
less than 750 words.<br /><br />Updated bitcoin.po attachment for 0.3.1
1260	141	4	1274909672	1260	0		xx	1	Re: Odd amount of generated coins	In the SVN version, if a transaction requires a transaction fee, it says<br />&quot;This transaction is over the size limit.&nbsp; You can still send it for a fee of #,<br />which goes to the nodes that process your transaction and helps to support the
network.<br />Do you want to pay the fee?&quot;<br /><br />If you don&#039;t have enough money with the fee added, it says<br />&quot;Total exceeds your balance when the # transaction fee is included&nbsp; &quot;
1269	151	6	1274969902	3235	1279218120	satoshi xx	1	Re: Website translations	Hurray! &nbsp;We have our first language. &nbsp;I uploaded it to SVN to go in with the 0.3 release.<br /><br />
1322	158	6	1275502695	1322	0		xx	1	Re: Hostnames instead of IP Addresses	The current sending by IP is not very useful: it connects to the IP, so you&#039;d like to use TOR for anonymity, but then it can totally be eavesdropped and man-in-the-middled.<br /><br />The future plan for sending to an IP is to make it a bitcoin address
plus IP, like:<br /><br />1auaDZCFYqaGx4FKS5WenNfurk2SkoDu4h&lt;someseparatorcharacter&gt;1.2.3.4<br />or<br />1auaDZCFYqaGx4FKS5WenNfurk2SkoDu4h&lt;someseparatorcharacter&gt;domain.com<br /><br />I need suggestions for the separator character.&nbsp; &quot;:&quot; is a candidate, but IPv6 has : in it and that might get confusing.&nbsp; Something that&#039;s allowed in url
parameters would be nice.<br /><br />I want to use SSL for the connection, using the bitcoin address&#039; public key as the cert.&nbsp; You would be certain you&#039;re connected to who you thought, and safely encrypted.&nbsp; The bitcoin address would not be used for the transaction, only for authentication.&nbsp; A new generated bitcoin address would be sent through the
SSL connection.<br /><br />Since it&#039;s authenticated, it would then be safe to allow the IP address to be a domain name.&nbsp; Some care taken that if a proxy is used, it uses socks4a instead of DNS lookup.
1323	43	1	1275504338	1323	0		xx	1	Re: Proof-of-work difficulty increasing That&#039;s a good idea.&nbsp; I&#039;m not sure where exactly to fit that in, but it could certainly calculate the expected average time between blocks generated, and then people would know what to expect.<br /><br />Every node and each processor has a
different public key in its block, so they&#039;re guaranteed to be scanning different territory.<br /><br />Whenever the 32-bit nonce starts over at 1, bnExtraNonce gets incremented, which is an arbitrary precision integer.
1324	151	6	1275517089	1324	0		xx	1	Re: Website translations	I uploaded the 93% complete Dutch translation to SVN.&nbsp; Thanks!
1579	84	6	1276539201	1580	1276541297	satoshi xx	1	Re: On IRC bootstrapping	Bitcoin has its own distributed address directory using the &quot;addr&quot; message. &nbsp;It&#039;s about time we coded in a list of the current long running static nodes to seed from. &nbsp;I can add code so new nodes do not preferentially stay connected
would be more automation friendly. &nbsp;Or what about an http interface on some port other than 80 to manage it with a browser?<br /><br />
45	12	6	1260473509	45	0		xx	1	Re: A few suggestions	[quote author=madhatter2 link=topic=12.msg44#msg44 date=1260453617]<br />Front ends can also be ran on clients with very low cpu power such as mobile phones. <br />[/quote]<br />That&#039;s a good approach for mobile.&nbsp; Programmatic API used by PHP (any language) to
present a web UI covers remote admin, mobile and any other client that can&#039;t be online all the time with a static IP.&nbsp; It would be like webmail.&nbsp; It would be easier for new users to get started if they only need to create an account on a website, not install software.<br /><br />[quote]<br />The app could be pre-seeded before downloading. Pre-seeding would also
cure the TOR+IRC problem. I know that people will want to run this system over I2P+TOR.<br />[/quote]<br />Yeah, we can phase out IRC when there are enough static nodes to preprogram a seed list.&nbsp; Once you get seeded, you don&#039;t need IRC.<br /><br />[quote]<br />Also you could pre-seed the blocks so they won&#039;t have to be downloaded upon initial run. (Downloading
28,000 blocks on a slower ADSL takes forever I couldn&#039;t imagine how long it would take when there are millions of blocks -- a lifetime).<br />[/quote]<br />There were some issues in 0.1.5 where the initial block download could get bogged down.&nbsp; 0.2 has code to make sure it goes smoothly.&nbsp; It ought to take less than an hour, I think.&nbsp; I need to hurry up
and get 0.2 out the door.<br /><br />The blocks increase linearly, it&#039;ll be decades before it&#039;s millions.&nbsp; In theory, the block download time should top out 8 months from now when Moore&#039;s Law will be growing faster than the block chain.<br /><br />[quote]<br />Can you give me CVS access or something? (If not, can I send you patches?) I&#039;d like to
help out. <br />[/quote]<br />It&#039;s SVN on sourceforge.&nbsp; PM or e-mail me your sourceforge account and I&#039;ll give you access.<br /><br />[quote]<br />I am mostly a Linux/BSD guy and I would like to lend my expertise in those areas.<br />[/quote]<br />That&#039;s great because that&#039;s where I have less expertise.&nbsp; For instance, I haven&#039;t researched
the best way to do the &quot;Start Bitcoin on system startup&quot; feature on Linux.&nbsp; On Windows, the option adds/removes an icon in the Startup folder.<br />
46	13	1	1260478142	46	1260480802	satoshi xx	1	Re: Questions about Bitcoin	1-3:<br />For that level of anonymity you need to connect through TOR, which will be possible with version 0.2, which is only a few weeks away. &nbsp;I&#039;ll post TOR instructions at that time.<br /><br />4:<br />Version 0.1.5: backup the whole
%appdata%\\Bitcoin directory.<br />Version 0.2: you can backup just wallet.dat.<br /><br />5:<br />Nope. &nbsp;The whole design is all about preventing that from working.<br /><br />6:<br />Those coins can never be recovered, and the total circulation is less. &nbsp;Since the effective circulation is reduced, all the remaining coins are worth slightly more. &nbsp;It&#039;s
the opposite of when a government prints money and the value of existing money goes down.<br /><br />7:<br />It&#039;s currently 29,296 blocks. &nbsp;The circulation is the number of blocks times 50, so the current circulation is 1,464,800 bc. &nbsp;<br /><br />If you only have 24k blocks, it must not have finished the initial block download. &nbsp;Exit bitcoin and start
it again. &nbsp;Version 0.2 is better/faster at the initial block download.<br /><br />8:<br />Typically a few hundred right now. &nbsp;It&#039;s easy now but it&#039;ll get harder as the network grows.<br /><br />9:<br />Good question, it&#039;s TCP. &nbsp;The website needs to be updated to say TCP port 8333.<br /><br />The port forwarding is so other nodes can connect to
you, so it helps you stay connected because you are able to be connected with more nodes. &nbsp;You also need it to receive payments by IP address.<br /><br />10:<br />No, the other nodes won&#039;t accept that.<br /><br />Being open source means anyone can independently review the code. &nbsp;If it was closed source, nobody could verify the security. &nbsp;I think it&#039;s
essential for a program of this nature to be open source.<br /><br />11:<br />Slower machines produce fewer coins. &nbsp;It&#039;s proportional to CPU speed.<br /><br />12:<br />There are more coming.<br /><br />13:<br />It uses a transactional database called Berkeley DB. &nbsp;It will not lose data in a system crash. &nbsp;Transactions are written to the database immediately
when they&#039;re received.<br /><br />14:<br />For now, you can just multiply the total blocks by 50. &nbsp;The Bitcoin network has been running for almost a year now. &nbsp;The design and coding started in 2007.
49	13	1	1260554337	49	0		xx	1	Re: Questions about Bitcoin	That&#039;s true, with the send-to-IP option, you are sending to whoever answers that IP.&nbsp; Sending to a bitcoin address doesn&#039;t have that problem.<br /><br />The plan is to implement an IP + bitcoin address option that would have the benefits of both.&nbsp;
It would still use a different address for each transaction, but the receiver would sign the one-time-use address with the given bitcoin address to prove it belongs to the intended receiver.<br />
50	12	6	1260559675	53	1260631982	satoshi xx	1	Re: A few suggestions	Right, the SVN has the almost-release-candidate 0.2 source, which can also be built and run on Linux. &nbsp; It hasn&#039;t been tested on FreeBSD.<br /><br />[quote author=madhatter2 link=topic=12.msg47#msg47 date=1260507559]<br />If we can get to the point where we
have a working backend process that will run on FreeBSD I can run always-on seeds.<br />[/quote]<br />That would be a big help. &nbsp;TOR users wouldn&#039;t have to worry about how to get seeded, and we wouldn&#039;t depend on IRC.<br /><br />It can be run in a few simple modes without access to the UI if you don&#039;t mind a minimized window on the desktop. &nbsp;(0.1.5
doesn&#039;t have -min so it would be an open window)<br /><br />To only run a seed:<br />bitcoin -min -gen=0<br /><br />You could sort of monitor it by looking at debug.log. &nbsp;To stop it, kill the process, the database won&#039;t mind.<br /><br />To generate:<br />bitcoin -min -gen<br /><br />To get the generated bitcoins, you&#039;d have to copy wallet.dat (with
version 0.2) to a machine with a UI, swap in the wallet.dat, run bitcoin and transfer the coins to your main account. &nbsp;(With version 0.1.5 you&#039;d have to copy the whole &quot;%appdata%/Bitcoin&quot; directory.) &nbsp;There is one caveat about copying wallet.dat: if you happened to kill the program at the exact moment that it generated a coin or received a payment,
wallet.dat might not work by itself and you&#039;d have to copy the whole directory.<br /><br />[quote]<br />I really think that having the download package contain a daily seed snapshot will improve the bootstrapping. I have seen instances on new test installs here where the application will sit with 0 connections / 1 block. Upon inspecting the debug.log I find that the
IRC server (freenode, I believe) claims I am already connected and refuses to let me seed the application. (Just an example).<br />[/quote]<br />I see, that would happen with multiple nodes using the same NAT or VPN or some ISP that funnels everyone through a few proxy servers. &nbsp;I just committed a fix to SVN for this. &nbsp;If it gets &quot;433&quot; name already in use
(it was error 433, right?), it&#039;ll retry with a non-address random username. &nbsp;<br /><br />[quote]<br />In any event, I would like to help. I have a lot of time and a project like this one is very exciting.<br />[/quote]<br />That&#039;s great, any help is really appreciated!<br />
54	12	6	1260640364	54	0		xx	1	Re: A few suggestions	The average total coins generated across the network per day stays the same.&nbsp; Faster machines just get a larger share than slower machines.&nbsp; If everyone bought faster machines, they wouldn&#039;t get more coins than before.<br /><br />We should have a gentleman&#039;s
agreement to postpone the GPU arms race as long as we can for the good of the network.&nbsp; It&#039;s much easier to get new users up to speed if they don&#039;t have to worry about GPU drivers and compatibility.&nbsp; It&#039;s nice how anyone with just a CPU can compete fairly equally right now.
55	12	6	1260641830	55	0		xx	1	Re: A few suggestions	[quote author=madhatter2 link=topic=12.msg51#msg51 date=1260599661]<br />I almost have the svn 0.2 compiling on Mac OS X 10.4.11/Intel (I also have a PPC970 machine here as well so a PPC build would be possible as well). The windowing is native carbon too via wxwidgets! It
is FAST! ;) I had to create a new makefile (makefile.osx; based on makefile.unix of course.. given any thought to using autoconf?) and put some ifdef&#039;s into header.h. I have patches. I will keep toying around. I might try it on FreeBSD next.<br />[/quote]<br />Mac support would be nice.&nbsp; wxWidgets really pays off for cross platform.<br /><br />Please don&#039;t
try PPC.&nbsp; PPC is big-endian and Bitcoin is little-endian, there would be endless endian bugs making it harder for me to debug the network if there&#039;s a potentially byte-swapping node out there.&nbsp; PPC is on its way out anyway.<br /><br />Considered autoconf.&nbsp; Autoconf is a necessity for large projects with a quagmire makefile, but I think we&#039;re small
enough that it&#039;s more optimal without it.&nbsp; I&#039;d rather keep the makefile simple as long as possible.<br /><br />[quote]<br />I think that breaking bitcoin into two apps is ideal. A wxwidgets front end (since it is mostly all there) and a backend that binds to a control TCP socket. I have been reading over the source to see how hard it would be to break it apart
and I think it should be fairly simple. Of course an API would have to be developed.<br />[/quote]<br />My head hurts just thinking about that.&nbsp; Funnelling all the UI backend through a TCP connection would make everything twice as hard.&nbsp; There&#039;s too much bandwidth between the UI and the internal data structures in order to keep the listview control updated,
because of the way the listview control works.<br /><br />I&#039;d rather have command line control, that would get us remote admin and batch automation.
62	12	6	1260723085	62	0		xx	1	Re: A few suggestions	There would be a command line switch at runtime to tell it to run without UI.&nbsp; All it needs to do is not create the main window.&nbsp; A simplistic way would be to disable &quot;pframeMain-&gt;Show&quot; and &quot;ptaskbaricon-&gt;Show&quot; in ui.cpp.&nbsp; The
network threads don&#039;t care that the UI isn&#039;t there.&nbsp; The only other UI is a message box in CheckDiskSpace if it runs out of disk space.<br /><br />Then a separate command line utility to communicate with it to do things.&nbsp; Not sure what it should be named.<br /><br />&quot;natural deflation&quot;... I like that name for it.&nbsp; Yes, there will be natural
deflation due to payment mistakes and lost data.&nbsp; Coin creation will eventually get slow enough that it is exceeded by natural deflation and we&#039;ll have net deflation.
67	12	6	1260810956	67	1260811634	satoshi xx	1	Re: A few suggestions
[quote author=madhatter2 link=topic=12.msg66#msg66 date=1260802899]
Can anyone shed some light here?

g++ -c -O0 -Wno-invalid-offsetof -Wformat -g -D[b]__WXMAC__[/b] -DNOPCH -DBUILD_MACOSX -I"/usr/include" -I"/usr/local/include/wx-2.8" -I"/usr/local/include" -I"/usr/local/boost_1_41_0" -I"/sw/include/db4" -I"/usr/local/ssl/include" -I"/usr/local/lib/wx/include/mac-ansi-release-2.8" -o headers.h.gch headers.h
...
ui.h:430: error: no matching function for call to 'wxTextCtrl::SetValue(const [b]std::basic_string[/b]<char, std::char_traits<char>, std::allocator<char> >&)'
/usr/local/include/wx-2.8/wx/textctrl.h:303: note: candidates are: virtual void wxTextCtrlBase::SetValue([b]const wxString&[/b])
[/quote]

It looks like the implicit conversion from std::string to wxString isn't working.  That's used everywhere, the conversion needs to work.

wxString is complicated by supporting win32's 16-bit wchar and 8-bit ansi dual-compile.  You can get that problem on Windows if the "unicode" (meaning wchar) build is used, so that wxString is wchar and std::string is char.

It's probably some wxWidgets compile defines or build configuration.  What "configure" options did you use?

I'm not sure __WXMAC__ is the right define.  It may be the Mac Classic support that's complicating wxString, and we only want OSX.  Try __WXOSX__ (or see below)

http://docs.wxwidgets.org/stable/wx_cppconst.html
"There are two wxWidgets ports to Mac OS. One of them, wxMac, exists in two versions: Classic and Carbon. The Classic version is the only one to work on Mac OS version 8. The Carbon version may be built either as CFM or Mach-O (binary format, like ELF) and the former may run under OS 9 while the latter only runs under OS X. Finally, there is a new Cocoa port which can only be used under OS X. To summarize:

    * If you want to test for all Mac platforms, classic and OS X, you should test both __WXMAC__ and __WXCOCOA__.
    * If you want to test for any GUI Mac port under OS X, use __WXOSX__.
    * If you want to test for any port under Mac OS X, including, for example, wxGTK and also wxBase, use __DARWIN__"
70	12	6	1260909452	70	0		xx	1	Re: A few suggestions
[quote author=madhatter2 link=topic=12.msg68#msg68 date=1260854469]
It is also throwing the same std::string issue on the latest version of Ubuntu Linux.
[/quote]
Then it must be something you're doing differently with building or configuring wxWidgets.

What options did you use on the wxWidgets "configure" script?  The options I used are in build-unix.txt.

[quote]
One question: how do I enable the debug.log? I have tried stopping bitcoin and touching ~/.bitcoin/debug.log and starting bitcoin again. It never seems to write to the file. Am I missing something?
[/quote]
Never heard of that happening.  Is there anything in debug.log?  If you touched the file, that sounds like something is there.  Does the program have write access to the file?
for each near-hit immediately, and the operator takes the risk from randomness of having more or less near-hits before a block is found.

Either way, the user who submits the hit that solves the block should get an extra amount off the top, like 10 BTC.

New users wouldn't really even need the Bitcoin software.  They could download a miner, create an account on mtgox or mybitcoin, enter their deposit address into the miner and point it at anyone's pool server.  When the miner says it found something, a while later a few coins show up in their account.

Miner writers better make sure they never false-positive near-hits.  Users will depend on that to check if the pool operator is cheating them.  If the miner wrongly says it found something, users will look in their account, not find anything, and get mad at the pool operator.
25138	1931	6	1290964381	25180	1290974879	satoshi xx	1	Re: RFC: ship block chain 1-74000 with release tarballs?
Despite everything else said, the current next step is:
[quote]
Someone should experiment with different Berkeley DB settings and see if there's something that makes the download substantially faster.  If something substantial is discovered, then we can work out the particulars.
[/quote]
In particular, I suspect that more read caching might help a lot.

[quote author=jgarzik link=topic=1931.msg25017#msg25017 date=1290911609]
Another new user on IRC, Linux this time, was downloading at a rate of 1 block every 4 seconds -- estimated total download time around 4 days.
[/quote]
Then something more specific was wrong.  That's not due to normal initial download time.  Without more details, it can't be diagnosed.  If it was due to slow download, did it speed up after 10-20 minutes when the next block broadcast should have made it switch to a faster source?  debug.log might have clues.  How fast is their Internet connection?  Was it steadily slow, or just slow down at one point?

[quote]
We have the hashes for genesis block through block 74000 hardcoded (compiled) into bitcoin, so there's no reason why we shouldn't be able to automatically download a compressed zipfile of the block database from [i]anywhere[/i], unpack it, verify it, and start running.
[/quote]
The 74000 checkpoint is not enough to protect you, and does nothing if the download is already past 74000.  -checkblocks does more, but is still easily defeated.  You still must trust the supplier of the zipfile.

If there was a "verify it" step, that would take as long as the current normal initial download, in which it is the indexing, not the data download, that is the bottleneck.

[quote author=jgarzik link=topic=1931.msg25058#msg25058 date=1290929635]
Presumably at some point there will be a lightweight client that only downloads block headers, but there will still be hundreds of thousands of those...
[/quote]
80 bytes per header and no indexing work.  Might take 1 minute.

[quote]
uncompressed data using a protocol (bitcoin P2P) that wasn't designed for bulk data transfer.
[/quote]
The data is mostly hashes and keys and signatures that are uncompressible.

The speed of initial download is not a reflection of the bulk data transfer rate of the protocol.  The gating factor is the indexing while it downloads.
25148	1990	3	1290966519	25148	0		xx	1	Disabled "remove topic" for topic starters
grondilu deleted the whole "What will governments do against Bitcoin?" thread, which had diverged more into a philosophical debate about politics.

I removed the "Remove own topics" permission for regular users.  I didn't know they could do that.  It would be OK if it only deleted if it only has your own posts in it, like if you accidentally posted in the wrong place.

At the same time, I enabled "Move own topic".
25154	1986	1	1290967599	25157	1290968565	satoshi xx	1	Re: Is safe running bitcoins with the same wallet on more computers simultaneously?
[quote]
Will it be synchronized automatically?
[/quote]
Very much not.  Using multiple copies of wallet.dat is not recommended or supported, in fact all of Bitcoin is designed to defeat that.  Both copies will get screwed up.

If you're trying to consolidate your generated coins into one wallet, a better solution now is to run getwork miners on the additional systems.  jgarzik has a CPU miner, and it supports tcatm's 4-way SSE2, so on Windows it's up to twice as fast as the built-in SHA if you have an AMD or recent Intel (core 3, 5 or 7).

New demonstration CPU miner available:
http://www.bitcoin.org/smf/index.php?topic=1925.0
25449	1931	6	1291061952	25461	1291063992	satoshi xx	1	Re: RFC: ship block chain 1-74000 with release tarballs?
It seems like you're inclined to assume everything is wrong more than is actually so.

Writing the block index is light work.  Building the tx index is much more random access per block.  I suspect reading all the prev txins is what's slow.  Read caching would help that.  It's best if the DB does that.  Maybe it has a setting for how much cache memory to use.

[quote]
1) bitcoin should be opening databases, not just environment, at program startup, and closing database at program shutdown.
[/quote]
Already does that.  See CDB.  The lifetime of the (for instance) CTxDB object is only to support database transactions and to know if anything is still using the database at shutdown.

[quote]
And, additionally, bitcoin forces a database checkpoint, pushing all transactions from log into main database.
[/quote]
If it was doing that it would be much slower.  It's supposed to be only once a minute or 500 blocks:

    if (strFile == "blkindex.dat" && IsInitialBlockDownload() && nBestHeight % 500 != 0)
        nMinutes = 1;
    dbenv.txn_checkpoint(0, nMinutes, 0);

Probably should add this:
    if (!fReadOnly)
        dbenv.txn_checkpoint(0, nMinutes, 0);

[quote]
2) For the initial block download, txn commit should occur once every N records, not every record.  I suggest N=1000.
[/quote]
Does transaction commit imply flush?  That seems surprising to me.  I assume a database op wrapped in a transaction would be logged like any other database op.  Many database applications need to wrap almost every pair of ops in a transaction, such as moving money from one account to another. (debit a, credit b)  I can't imagine they're required to batch all their stuff up themselves.

In the following cases, would case 1 flush once and case 2 flush twice?

case 1:
write
write
write
write
checkpoint

case 2:
begin transaction
write
write
commit transaction
begin transaction
write
write
commit transaction
checkpoint

Contorting our database usage will not be the right approach.  It's going to be BDB settings and caching.
25799	2007	6	1291143751	25799	0		xx	1	Re: Incompatible wallet format with latest bitcoin-git ?
What was this wallet used with?  An early accounts patch or git build?

It's while loading the wallet.  I assume it must be in this:

    else if (strType == "acentry")
    {
        string strAccount;
        ssKey >> strAccount;
        uint64 nNumber;
        ssKey >> nNumber;
        if (nNumber > nAccountingEntryNumber)
            nAccountingEntryNumber = nNumber;
    }

You could check that with this:

    else if (strType == "acentry")
    {
        string strAccount;
        assert(!ssKey.empty());
        ssKey >> strAccount;
        uint64 nNumber;
        if (ssKey.size() != 8 )
            printf("***** %s %d\n", strAccount.c_str(), ssKey.size());
        assert(ssKey.empty() == false);
        ssKey >> nNumber;
        if (nNumber > nAccountingEntryNumber)
            nAccountingEntryNumber = nNumber;
    }


Was there an interim version of accounts on git at some point that had just ("acentry", "account") for the key?

If you have gdb, you could run it in gdb and do a backtrace.

gdb --args bitcoin ...
run
(wait for exception)
bt
26016	1931	6	1291238739	26016	0		xx	1	Re: RFC: ship block chain 1-74000 with release tarballs?
That's a good optimisation.  I'll add that next time I update SVN.

More generally, we could also consider this:

        dbenv.set_lk_max_objects(10000);
        dbenv.set_errfile(fopen(strErrorFile.c_str(), "a")); /// debug
        dbenv.set_flags(DB_AUTO_COMMIT, 1);
+       dbenv.set_flags(DB_TXN_NOSYNC, 1);
        ret = dbenv.open(strDataDir.c_str(),
                         DB_CREATE     |
                         DB_INIT_LOCK  |
                         DB_INIT_LOG   |

We would then rely on dbenv.txn_checkpoint(0, 0, 0) in CDB::Close() to flush after wallet writes.
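Review bot: the added DB_TXN_NOSYNC line makes every commit in the environment non-durable until the next checkpoint, and the only checkpoint the snippet promises is the one in CDB::Close(); a wallet write that has committed but whose CDB object has not yet been closed when the process dies or the machine loses power is lost, which is a weaker guarantee than the block files need and than wallet.dat should have. Either leave the flag off for the environment that holds wallet.dat, or follow each wallet write with an explicit `dbenv.txn_checkpoint(0, 0, 0)` instead of waiting for Close(). Separately, the `fopen` handle passed to set_errfile is never closed; keep it in a member so it can be fclose'd at shutdown.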
26999	1735	12	1291540088	26999	0		xx	1	Re: Wikileaks contact info?
[quote author=RHorning link=topic=1735.msg26876#msg26876 date=1291501064]
Basically, bring it on.  Let's encourage Wikileaks to use Bitcoins and I'm willing to face any risk or fallout from that act.
[/quote]
No, don't "bring it on".

The project needs to grow gradually so the software can be strengthened along the way.

I make this appeal to WikiLeaks not to try to use Bitcoin.  Bitcoin is a small beta community in its infancy.  You would not stand to get more than pocket change, and the heat you would bring would likely destroy us at this stage.
28228	2151	6	1291839709	28275	1291845280	satoshi xx	1	Re: JSON-RPC method idea: list transactions newer than a given txid
It's not safe to use listtransactions this way.

I know I've been criticized for being reluctant about listtransactions.  Let me explain my reluctance.

Transactions are dynamic.  Past transactions can become unconfirmed, go away and come back, become invalid and disappear, or be replaced by a different double-spend.  Their date can change, their order can change.

Programmers are naturally inclined to want to use listtransactions like this: feed me the new transactions since I last asked, and I'll keep my own tally or static record of them.  This will seem to work in all regular use, but if you use the amounts for anything, it is highly exploitable:
1) How do you know if a past transaction becomes invalid and disappears?
2) When there's a block-chain reorg, it would be easy to double-count transactions when they get confirmed again.
3) A transaction can be replaced by a double-spend with a different txid.  You would count both spends.

The model where you assume you only need to see new transactions because you've already seen previous transactions is not true.  Old transactions can change at any time.

Any time you take an action based on payment amounts received, you always need to go back to bitcoin and ask for a current balance total (or use move or sendfrom), and be ready for the possibility that it can go down.

Now that we have the Accounts feature making it easier to do it the right way, we're better prepared to have listtransactions.
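The three failure modes listed in the post (a transaction disappearing, a reorg re-confirming it in a different order, and a double-spend replacing it under a new txid) are easy to reproduce against a small model of the wallet. The following is an added example, not code from the post or from the Bitcoin client: the `Node` class is a constructed stand-in for bitcoind's wallet view rather than the real RPC, `NaiveTally` is the "give me everything after the last txid I saw" pattern the post warns against, and `BalanceLedger` is the recommended alternative of re-asking for the current balance before acting and being prepared for it to go down. Amounts are whole BTC as plain integers and the scenario is constructed.

```python
from dataclasses import dataclass


@dataclass
class WalletTx:
    """One wallet transaction as the node currently sees it (constructed model)."""
    txid: str
    amount: int          # whole BTC, for the illustration only
    time: int            # ordering key; a reorg can change it
    confirmations: int


class Node:
    """Stand-in for bitcoind's wallet view (not the real RPC).  It models only
    what the post describes: a tx can be re-confirmed later (new position),
    replaced by a double-spend with a different txid, or disappear."""

    def __init__(self):
        self.txs = {}

    def receive(self, txid, amount, time, confirmations=1):
        self.txs[txid] = WalletTx(txid, amount, time, confirmations)

    def reorg_reconfirm(self, txid, new_time):
        # Block orphaned, tx mined again later: same txid and amount, later position.
        self.txs[txid].time = new_time

    def replace_by_double_spend(self, old_txid, new_txid, amount, time):
        # A conflicting tx paying us under a different txid confirms instead.
        del self.txs[old_txid]
        self.txs[new_txid] = WalletTx(new_txid, amount, time, 1)

    def invalidate(self, txid):
        # The payment was double-spent to someone else and is gone for good.
        del self.txs[txid]

    def listtransactions(self):
        return sorted(self.txs.values(), key=lambda t: t.time)

    def getbalance(self, minconf=1):
        return sum(t.amount for t in self.txs.values() if t.confirmations >= minconf)


class NaiveTally:
    """The pattern the post warns against: remember the last txid seen and add
    up everything that appears after it.  A missing cursor is treated as
    'everything is new', another common naive choice."""

    def __init__(self):
        self.total = 0
        self.cursor = None

    def poll(self, node):
        entries = node.listtransactions()
        ids = [t.txid for t in entries]
        start = ids.index(self.cursor) + 1 if self.cursor in ids else 0
        for t in entries[start:]:
            self.total += t.amount
        if entries:
            self.cursor = entries[-1].txid
        return self.total


class BalanceLedger:
    """What the post recommends: before acting, ask the node for the current
    balance and compare it with what has already been credited."""

    def __init__(self, minconf=1):
        self.minconf = minconf
        self.credited = 0

    def settle(self, node):
        balance = node.getbalance(self.minconf)
        delta = balance - self.credited
        if delta > 0:
            self.credited = balance
            return delta, 0            # (newly creditable, shortfall)
        return 0, -delta               # balance went down: earlier credit is at risk


def run_scenario():
    node, naive, ledger = Node(), NaiveTally(), BalanceLedger()
    node.receive("A", 5, time=1)                 # 1. two payments confirm
    node.receive("B", 3, time=2)
    naive.poll(node); ledger.settle(node)
    node.reorg_reconfirm("A", new_time=3)        # 2. reorg: order becomes [B, A]
    naive.poll(node); ledger.settle(node)
    node.replace_by_double_spend("B", "B2", 3, time=4)   # 3. new txid, same 3 BTC
    naive.poll(node); ledger.settle(node)
    node.invalidate("B2")                        # 4. the 3 BTC vanish for good
    naive.poll(node)
    _, shortfall = ledger.settle(node)
    return {"naive_total": naive.total, "credited": ledger.credited,
            "shortfall": shortfall, "real_balance": node.getbalance()}


if __name__ == "__main__":
    print(run_scenario())
```

The naive tally ends at 21 BTC against a real balance of 5: it double-counts A after the reorg, counts both B and its replacement, and re-counts everything once its cursor disappears. The balance ledger never credits more than the node will confirm, and the final settle reports a 3 BTC shortfall that the application has to absorb, which is the "be ready for the possibility that it can go down" step of the post.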
28292	2151	6	1291847805	28292	0		xx	1	Re: JSON-RPC method idea: list transactions newer than a given txid	Then how do you cope with the issues I listed in the message you quoted?
28302	2162	6	1291850364	28518	1291902506	satoshi xx	1	Version 0.3.18
Changes:
- Fixed a wallet.dat compatibility problem if you downgraded from 0.3.17 and then upgraded again
- IsStandard() check to only include known transaction types in blocks
- Jgarzik's optimisation to speed up the initial block download a little

The main addition in this release is the Accounts-Based JSON-RPC commands that Gavin's been working on (more details at http://www.bitcoin.org/smf/index.php?topic=1886.0).
- getaccountaddress
- sendfrom
- move
- getbalance
- listtransactions

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.18/
28313	2151	6	1291853537	28313	0		xx	1	Re: JSON-RPC method idea: list transactions newer than a given txid
I'm not talking about the normal risk for a given minconf level, I'm talking about additional pitfalls from listtransactions when used this way.

[quote author=satoshi link=topic=2151.msg28292#msg28292 date=1291847805]
2) When there's a block-chain reorg, it would be easy to double-count transactions when they get confirmed again.
[/quote]
The OP's example of listtransactions <account> [count=10] [txid] seems to imply and it would be very easy for programmers to assume that if they pass in the last txid of the previous call to listtransactions, they will never see the same transaction more than once, which is not the case.  It would be very easy to double-count payments if you don't maintain your own persistent map or dictionary to track which txid's you've already accepted.

It doesn't seem right to have a function that seems tailor made to be used a certain obvious way, and
4775	461	6	1279733469	4775	0		xx	1	Re: JSON-RPC password
boost::program_options has the same "key=value" format.  Gavin pointed out we can use it in a simple way as a parser without getting into all the esoteric c++ syntax like typed value extraction.  We can use more features if we want later.

Let's go ahead with HTTP basic authentication instead of password as a parameter.
4928	461	6	1279766063	4928	0		xx	1	Re: JSON-RPC password
[quote author=gavinandresen link=topic=461.msg4908#msg4908 date=1279761086]
TODO: dialog box or debug.log warning if no rpc.user/rpc.password is set, explaining how to set.
[/quote]
In many of the contexts of this RPC stuff, you can print to the console with fprintf(stdout, like this:
#if defined(__WXMSW__) && wxUSE_GUI
        MyMessageBox("Warning: rpc password is blank, use -rpcpw=<password>\n", "Bitcoin", wxOK | wxICON_EXCLAMATION);
#else
        fprintf(stdout, "Warning: rpc password is blank, use -rpcpw=<password>\n");
#endif
5337	461	6	1279904860	5337	0		xx	1	Re: JSON-RPC password
[quote author=gavinandresen link=topic=461.msg5296#msg5296 date=1279897905]
Question for everybody:  should I add a section to the wiki page describing, in detail, how to do HTTP Basic authentication?  PHP and Python make it really easy-- just use the http://user:pass@host:port/ URL syntax.
[/quote]
Yes, I think that would be really good so each dev doesn't have to figure it out themselves.  We need a simple example for each of Python, PHP and Java importing the json-rpc library and using it to do a getinfo or something, including doing the http authentication part.
5338	461	6	1279905271	5338	0		xx	1	Re: JSON-RPC password
Gavin's changes look good.  I think everything is complete.  Here's a test build, please test it!

http://www.bitcoin.org/download/bitcoin-0.3.2.5-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.2.5-linux.tar.gz
5339	548	4	1279905827	5339	0		xx	1	Re: bitcoind not responding to RPC
If I recall correctly, 500 is the prescribed status code for JSON-RPC error responses.  There is still a JSON response in the body of the reply telling the explanation of the error, which could be something like {"result":"","error":"bitcoin address not found","id":"1"}.
5349	550	6	1279909496	5376	1279915726	satoshi xx	1	Faster initial block download (5x faster)
By making some adjustments to the database settings, I was able to make the initial block download about 5 times faster.  It downloads in about 30 minutes.

The database default had it writing each block to disk synchronously, which is not necessary.  I changed the settings to let it cache the changes in memory and write them out in a batch.  Blocks are still written transactionally, so either the complete change occurs or none of it does, in either case the data is left in a valid state.

I only enabled this change during the initial block download.  When you come within 2000 blocks of the latest block, these changes turn off and it slows down to the old way.

I built a test build if you'd like to start using it:

http://www.bitcoin.org/download/bitcoin-0.3.2.5-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.2.5-linux.tar.gz

These binaries also include Gavin Andresen's JSON-RPC HTTP authentication feature and the other important security improvements from 0.3.2.

I've been running a test over the last 24 hours that kills and restarts it randomly every 2-60 seconds (poor thing) while it's trying to do an initial block download and it's been fine.

There are no changes to the way it handles wallet.dat.  This change is only for blk*.dat and the non-critical addr.dat.  You can always delete blk*.dat if it gets screwed up and let it re-download.
5378	550	6	1279916007	5378	0		xx	1	Re: Faster initial block download
[quote author=knightmb link=topic=550.msg5369#msg5369 date=1279913578]
Is there a safety reason to stop within the last 2000 blocks or can it be tweaked to stop at remaining 500 blocks for example?
[/quote]
Not really.  I'll change it to 1000 next time.
5383	461	6	1279917543	5383	0		xx	1	Re: JSON-RPC password
I don't think authentication should be disabled by default if there's no conf file or the config file doesn't contain "rpcpassword", but what if it contains "rpcpassword="?

I can see both points.

What if the programmer can't figure out how to do HTTP authentication in their language (Fortran or whatever) or it's not even supported by their JSON-RPC library?  Should they be able to explicitly disable the password requirement?

OTOH, what if there's a template conf file, with
rpcpassword=  # fill in a password here

There are many systems that don't allow you to log in without a password.  This forum, for instance.  Gavin's point seems stronger.

BTW, I haven't tested it, but I hope having rpcpassword=  in the conf file is valid.  It's only if you use -server or -daemon or bitcoind that it should fail with a warning.  If it doesn't need the password, it should be fine.  Is that right?
5416	528	4	1279933148	5416	0		xx	1	Re: JSON-RPC Multiple Invocations
Obviously it's a bug that it repeats the header.

I was trying to follow the 1.0 spec: http://json-rpc.org/wiki/specification.  It called for multiple invocation.

I think they mean it's like this, but I'm not sure:

Post:
{"method": "postMessage", "params": ["Hello all!"], "id": 99}
{"method": "postMessage", "params": ["I have a question:"], "id": 101}

Reply:
{"result": 1, "error": null, "id": 99}
{"result": 1, "error": null, "id": 101}

I can't remember where I think I saw that it's supposed to send back HTTP status 500 for an error reply.  If it contains multiple responses and one is an error, I wonder if that makes the status 500 for the whole thing, I guess so.  Maybe it should always return 200.  I think someone sounded like the 500 might be causing a problem.

This probably gets fixed after 0.3.3.  Until then, just use single invocation.  I wonder if any JSON-RPC package even supports multiple invocation, probably not.

It would be nice if we could pin down better how multiple-invocation is supposed to work, if at all, before trying to fix it, and whether returning HTTP status 500 for error response is right.
5419	548	4	1279934158	5419	0		xx	1	Re: bitcoind not responding to RPC
Can anyone confirm if JSON-RPC over HTTP is supposed to use status 500 if the reply is an error reply?  I can't remember where I picked that up, maybe it's wrong.  It seems like 200 would make more sense unless there's something wrong with the mechanics of the HTTP request itself.  (and maybe that's what it said and I forgot and spread 500 to all error responses)
5432	479	1	1279938549	5781	1280099585	satoshi xx	1	Re: Warning: don't use -server or bitcoind on a machine where you web browse	The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.
5443	556	1	1279942372	5443	0		xx	1	Version 0.3.2.5 -- please test!
Please test 0.3.2.5 in preparation for the 0.3.3 release!  This build is looking good and should be the one that goes into 0.3.3.  I encourage you to go ahead and upgrade now if you're on Windows or Linux.

New features:
- Gavin Andresen's HTTP authentication to secure JSON-RPC
- 5x faster initial block download, under 30 minutes

Download here:
http://www.bitcoin.org/download/bitcoin-0.3.2.5-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.2.5-linux.tar.gz

Thanks!
5450	555	6	1279944260	5450	0		xx	1	Re: Reading/Writing Blocks and FLATDATA
FLATDATA was a workaround to serialize a fixed field length array.  There was a cleaner way to make it understand how to serialize arrays directly, but MSVC6 couldn't do it and I wanted to keep compatibility with MSVC6 at that time.  We don't support MSVC6 anymore because we use something in Boost that doesn't.  We lost support for it after 0.2.0.  Maybe someday I'll swap in the clean way that just knows how to serialize fixed length arrays without wrapping them in FLATDATA.
5694	567	6	1280069193	5694	0		xx	1	Re: a simple traffic load test run
Was that on the test network?
http://www.bitcoin.org/smf/index.php?topic=363.0
5698	567	6	1280071792	5698	0		xx	1	Re: a simple traffic load test run
Please do these tests on the test network.  That's what it's for.  Thanks.
5706	569	1	1280076846	5706	0		moved	1	MOVED: a simple traffic load test run
This topic has been moved to [url=https://www.bitcoin.org/smf/index.php?board=6]Development & Technical Discussion[/url].

[iurl]https://www.bitcoin.org/smf/index.php?topic=567.0[/iurl]
5707	570	1	1280076909	5707	0		xx	1	Bitcoin 0.3.3 released -- PLEASE UPGRADE
Please upgrade to 0.3.3!  Important security improvements were made in 0.3.2 and 0.3.3.

New features:
- Gavin Andresen's HTTP authentication to secure JSON-RPC
- 5x faster initial block download, under 30 minutes
5712	571	6	1280079922	5712	0		xx	1	Re: Stealing Coins
It's best if you tell it to me privately so it can be fixed first.

I just e-mailed you my e-mail address.  (or you could PM me here)
5724	571	6	1280084783	5724	0		xx	1	Re: Stealing Coins
Red, thanks for telling me privately first!  Please go ahead and post it (and relieve the suspense for everyone!)

His point is that transactions paid to a Bitcoin Address are only as secure as the hash function.  To make Bitcoin Addresses short, they are a hash of the public key, not the public key itself.  An attacker would only have to break the hash function, not ECDSA.
5740	571	6	1280088100	5740	0		xx	1	Re: Stealing Coins
[quote author=knightmb link=topic=571.msg5736#msg5736 date=1280087042]
If I figure out that Public Key 123456 generates Hash ABCD
and
Public Key 654321 also generates Hash ABCD
[i]I'm still left without the Private Key.[/i]

But from what you are saying, all I need is Public Key 654321 and I can spend coin pretending to be Public Key 123456.
[/quote]
You would still have to sign it with public key 654321.  You need to find a collision using a public key for which you know the private key.

When you claim a Bitcoin Address transaction, you give your public key that matches the hash, then you must sign it with that key.

Red's point is that it's easy to quickly generate insecure public keys which you could break and find the private key after you find a collision.

He points out that if the public key was required to be a secure one, one which must have required significant work to find the prime numbers, that would increase the strength above that of the hash function alone.  Someone trying to brute force would have to take time generating a key for each attempt.
5754	571	6	1280090881	5809	1280114781	satoshi xx	1	Re: Stealing Coins
[quote]Here is a paper that claims to find SHA-1 collisions in 2^52 crypto operations. And optimally secure hash would take 2^80 operations. 2^52 time is still large, but it is getting into cluster and botnet range.
[/quote]
2^80 is if you can use a birthday attack.  You can't use a birthday attack for this, so the difficulty is the full 2^160 bits.  Although, if you were trying to crack any one of 1 million (2^20) transactions, you could do a partial birthday attack 2^160/2^20 = 2^140.

Bitcoin Addresses are the only place where 160-bit hash is used.  Everything else is SHA-256.  They're calculated as:

bitcoinaddress = RIPEMD-160(SHA-256(publickey))

Correct me if I'm wrong (please, and I'll gladly eat crow) but I think it would be hard to use an analytical attack on RIPEMD-160 in this case.  An analytical attack prescribes a certain range or pattern of inputs to try that will greatly increase your chance of finding a collision.  Here, you don't have that kind of control over RIPEMD-160's input, because the input is the output of SHA-256.  If an analytical attack helps you find an input to RIPEMD-160 that produces a collision, what are you going to do with it?  You still have to get SHA-256 to output that value, so you would still have to break SHA-256 too.

For brute force, RIPEMD-160(SHA-256(x)) is no stronger than RIPEMD-160 alone.  But for analytical attack, it seems like you must analytical attack both RIPEMD-160 and SHA-256.  If I'm wrong, then the strength is the same as RIPEMD-160 and the SHA-256 only serves as one round of key strengthening.
5767	461	6	1280093669	5767	0		xx	1	Re: JSON-RPC password
[quote author=lachesis link=topic=461.msg5738#msg5738 date=1280087555]
I found what appears to be a bug: with a long enough username and password combination, the base64 encoder in bitcoind produces authorization headers that look like this:
[code]
...
Authorization: Basic YWJiYWJiYWFiYmE6aGVsbG93b3JsZGhlbGxvd29ybGRoZWxsb3dvcmxkaGVsbG93
b3JsZGhlbGxvd29ybGRoZWxsb3dvcmxk
[/code]
It inserts a newline every 64 characters, which obviously breaks the Authorization header, so commands like "bitcoin getinfo" fail. The server still works fine with properly behaving clients.

This can be solved by removing the newlines (and maybe '\r's) from result at the end of the Base64Encode function:
[code]
result.erase(std::remove(result.begin(), result.end(), '\n'), result.end());
result.erase(std::remove(result.begin(), result.end(), '\r'), result.end());
[/code]
[/quote]
+1 to you for having such a long password that you found this bug.

Uploaded to SVN as rev 110.
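The Base64 wrapping bug above, the HTTP Basic authentication that the thread settled on, and the question from the "bitcoind not responding to RPC" posts of whether an error reply comes back with status 500 or 200 all concern the same client-side code path. The block below is an added example in Python, not code from bitcoind or from the thread: `basic_credentials_wrapped` is a constructed stand-in that reproduces the 64-column wrapping lachesis described (Python's own `base64.b64encode` does not wrap), `strip_line_breaks` is the posted fix, `header_value_ok` is the check a client or server should apply to any header value, and `interpret_reply` reads the JSON error body regardless of whether the status was 200 or 500. The credentials are the ones that the header in the post decodes to; the host and port are assumed defaults, not taken from the page.

```python
import base64
import json
import re

# One line, base64 alphabet only: CR/LF would end the header early or let a
# caller smuggle an extra header into the request.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def basic_credentials_wrapped(user, password, width=64):
    """Constructed stand-in for the reported defect: a PEM-style encoder that
    breaks its output every 64 characters and ends with a newline."""
    raw = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "".join(raw[i:i + width] + "\n" for i in range(0, len(raw), width))


def strip_line_breaks(encoded):
    """The fix from the post, in Python: drop every '\\n' and '\\r'."""
    return encoded.replace("\n", "").replace("\r", "")


def basic_credentials(user, password):
    """Correct single-line encoding of user:password (the user-id may not
    contain ':' because the server splits on the first one)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def header_value_ok(value):
    return B64_TOKEN.fullmatch(value) is not None


def build_request(method, params, req_id, user, password, host="127.0.0.1:8332"):
    """Serialise one JSON-RPC 1.0 call as an HTTP/1.1 POST with Basic auth.
    host is an assumed default, not a value from the thread."""
    token = basic_credentials(user, password)
    if not header_value_ok(token):
        raise ValueError("refusing to emit a malformed Authorization header")
    body = json.dumps({"method": method, "params": params, "id": req_id}).encode()
    head = (f"POST / HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: Basic {token}\r\n"
            f"Content-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


class JsonRpcError(Exception):
    pass


def interpret_reply(status, body):
    """bitcoind of that era answered errors with status 500 but still put the
    explanation in a JSON body, so look at the body for both 200 and 500 and
    treat anything else as a transport-level failure."""
    if status not in (200, 500):
        raise JsonRpcError(f"HTTP {status} without a JSON-RPC body")
    try:
        reply = json.loads(body)
    except ValueError as exc:
        raise JsonRpcError(f"HTTP {status} with a non-JSON body") from exc
    if reply.get("error"):
        raise JsonRpcError(str(reply["error"]))
    return reply.get("result")


if __name__ == "__main__":
    user, pw = "abbabbaabba", "helloworld" * 6
    print(basic_credentials_wrapped(user, pw))      # two lines: the broken header
    print(build_request("getinfo", [], 1, user, pw).decode())
```

Running it shows the wrapped token split exactly where the quoted header was, and the request built from the single-line token with the Authorization value on one line. A server that parses Basic credentials should apply the same `header_value_ok` test before decoding, for the same reason the client applies it before sending.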
I don't know other devs. Gavin has been honest for the 3 years I have followed him; he gets my vote

luckdragon69 -1 points 10 hours ago

I like Gavin too, until he starts trying to be the boss of the other devs

xxDan_Evansxx 1 point 21 hours ago

I hope the core devs can reach a consensus solution and communicate it to the community soonish. I don't think consensus means that the change should wait until everyone agrees that it is time, otherwise whoever decided the blocksize should be the smallest and/or change the latest would ultimately be in charge of the decision. Similarly, everyone shouldn't have to jump because of whoever says it's time to go the soonest or for the biggest blocksize. Please, talk this out and communicate a consensus solution which will be implemented under whatever timeline you can agree to collectively. I am certain that you can do it. Everyone should offer what they feel is the right solution both now and for the future, then reach a compromise incorporating as many good ideas as possible. Thanks in advance!

donbrownmon 1 point 11 hours ago

Unfortunately it seems the other core devs with Blockstream have ideas they want to impose that aren't mature and aren't in bitcoin's best interest, so they can make money from related consulting work.

seweso 1 point 17 hours ago

The best solution: 1) put in a 20 MB hard limit which comes in effect in 6 months. 2) Make a soft limit of 1 MB the default. 3) Begin writing code so that hitting the soft/hard limit doesn't crash any client. 4) Make sure clients can actually increase transaction fees if there is congestion on the network.

This means that in normal circumstances nothing would change. But if the shit hits the fan then miners can increase the soft limit. :D

ncsakira 1 point 15 hours ago

How about a compromise? 20 MB hard limit with a 2 * (last 2 weeks' average size) soft limit?

pgrigor 1 point 10 hours ago

    If you don't like it, found another project.

FTFY

snaxion 1 point 10 hours ago

Gavin, please be our Linus Torvalds (but not quite as rude). :)

BlockchainCartman 1 point 10 hours ago

https://s-media-cache-ak0.pinimg.com/originals/07/ec/bc/07ecbc4044de89dc2f5c70adf2a82a8e.jpg

ganesha1024 1 point 8 hours ago

Bitcoin is working and up until now it has behaved like there was no blocksize limit, because demand hasn't filled the blocks.

Keeping the limit at 1MB is actually introducing new dynamics into the system by imposing scarcity where previously there was none, once demand fills up the blocks.

So raising the block limit seems to be the conservative approach to me.

portabello75 1 point 6 hours ago

It is seriously concerning that so many core developers act as destructionists based on their involvement in commercial projects. In the "real world" no board member of a charity would be taken seriously if they were co-owners or stakeholders in a possibly competing for-profit company.

DakotaChiliBeans 1 point 4 hours ago

Selling pitchforks 500 bits, torches 100 bits, and I have some fair condition slightly used villagers for 2500 bits. Get em while you can.

usrn 1 point 23 hours ago

Warning: the discussion below is pretty much retarded. It isn't worth the trouble and time to read through.

pointjudith 0 points 13 hours ago

Should be top comment.

coinx-ltc -3 points 1 day ago

Bitcoin calls itself decentralised. This is the opposite. He basically says that he knows best and doesn't give a shit about other opinions. He should be careful. He won't be able to develop Bitcoin alone with Mike. This is not about the block size increase, it is about how to reach consensus.

AmIHigh 11 points 1 day ago*

Sometimes consensus can't be reached. If there's no pressure you can wait, like we have for 3 years now. As the pressure builds, at some point, someone needs to make a decision.

We could debate if we've reached that time, but Gavin strongly believes we've reached it if we want to leave the proper time for all nodes to upgrade.

Given the scenario that Gavin thinks we're in, a decision needs to be made, and he'll make it with or without full consensus and let the network decide.

He's the lead developer on this. Satoshi chose him, he's the right one to make the choice in this scenario.

This is exactly what should be happening in a situation like this.

awemany 2 points 17 hours ago

Also, it isn't exactly consensus or decentralized if the other core devs block what a majority of Bitcoiners out there want - or is it?

amnesiac-eightyfour 0 points 20 hours ago

A new Reddit account just to post this? That seems a bit weird...

On topic: bigger blocks are needed, if Bitcoin wants to grow in importance; a decision has to be taken by someone at some point.

btcdrak 1 point 12 hours ago

Yup, he says he threw his weight about over p2sh too and we know how that ended: with a vastly inferior and buggy implementation rather than BIP17 which turned out to be infinitely better.

Bitcoin_Error_Log 1 point 8 hours ago

Go ahead and throw your weight around, Gavin. You'll learn how much weight you actually carry.

romerun 1 point 8 hours ago

He spoke as if he were Satoshi himself.

PhiMinD 0 points 1 day ago*

Dont forget this gem,

https://www.youtube.com/watch?v=RIafZXRDH7w&feature=youtu.be&t=2585

I wonder if Mike Hearn is an anarchist, because his point about "If someone voted for me to jump off a cliff I wouldn't." explains perfectly why the concept of democracy is absurd and dangerous.

luke-jr (Luke Dashjr - Bitcoin Expert) -1 points 1 day ago

There are many possibilities besides democracy... it's not either-that-or-anarchy.

PhiMinD 1 point 18 hours ago

The choice is between monopolized force and voluntary interaction.

GibbsSamplePlatter -2 points 23 hours ago

jerk off motion

luckdragon69 -4 points 1 day ago

Can we vote President Gavin out of commit access and reinstitute the law of DAC?

rydan -1 points 19 hours ago

Do it. Allow yourself to become the centralized authority that Bitcoin needs.

whipowill -1 points 10 hours ago

I've never had confidence in Gavin. I see him as a total liability. He was just in the right place at the right time and fell ass-backwards into his current role. Let the market decide where to take Bitcoin.

gr8n8au 0 points 17 hours ago

I don't know what is best and can't decide. I hope the community somehow gets it right.

john_doe_1337 0 points 9 hours ago

It is time to replace him.

todu -2 points 23 hours ago

Today with a block size cap at 1 MB I run a full node on one of my home computers with no problem. If the cap would be raised to 2 MB, I would just as easily be able to run a "50 % node" if my client software would allow me such a configuration setting.

This isn't a "full node or no node at all" situation, is it?

If the Bitcoin Core client software would offer a settings option for the amount of participation the user would like to contribute, I don't see any dramatic decrease in "full nodes" on the network. If you'd add up all the "half nodes" you'd get just as much "node capacity" overall.

Actually, "full" node participation should increase whenever a "participation amount setting" would get implemented in the Bitcoin Core software, because then people who today don't think they have the necessary computer and bandwidth resources to run a full node and therefore don't run a full node at all, would become able to suddenly participate with a "10 %" or maybe even "50 %" node.

In the long run, "node participation" would maybe become more centralized, if the bitcoin network usage would grow faster than Moore's Law. But even with a very large amount of "1 (one) % nodes" instead of today's "100 % nodes", I think that the network should always experience having enough nodes to keep functioning smoothly, efficiently and for all practical purposes be enough decentralized to be secure.

shesek1 1 point 22 hours ago

What you're asking for isn't really possible. With pruning we could only save disk space by not holding all the historical blocks, but every full node would still need to hold the entire UTXO set and mempool (requiring RAM), receive all new transactions/blocks (requiring bandwidth) and validate all the new transactions/blocks (requiring CPU).

awemany 1 point 9 hours ago

    What you're asking for isn't really possible.

...yet. Coalescing old UTXOs might in principle constrain the UTXO set long term to basically O(1) (albeit for high values of '1'). Yes, new development, yes, far future, but in principle I do not see any obstacles. And I have seen discussions along these lines in several places.

DakotaChiliBeans 2 points 15 hours ago

You can already do that, sort of, with maxconnections in the bitcoin.conf file.

meshekk comment score below threshold (3 children)

Ibtcchina.com | Never wrestle with a pig. You get dirty & the pig likes it
Mined by AntPool usa1
Mined by AntPool bj1.:
Mined by glacier2015
Mined by AntPool bj5
u=https://cpr.sm/FwSgjk4Iu2
Mined by AntPool bj6
ASCRIBESPOOLREGISTER
ASCRIBESPOOLREPLENISH
ASCRIBESPOOLREPLENISH
Mined by ss13155612108
ASCRIBESPOOLTRANSFER
Mined by AntPool sc182
Mined by AntPool sc182
Kbtcchina.com | Akemi Miyashita & Jon Southurst, Tatsu's parents 2011 Sept 1
736b794e4554Hello World!!!
Mined by AntPool bj6
skyNETHello World!!!
ASCRIBESPOOLREGISTER
ASCRIBESPOOLREGISTER
ASCRIBESPOOLREGISTER
ASCRIBESPOOLREGISTER
ASCRIBESPOOLREGISTER
ASCRIBESPOOLREGISTER
Fbtcchina.com | Lightspeed (LSVP.com) believes in the future of Bitcoin
16:14 < ebfull> gavin's got it in bitcoin-git/smartfee branch
16:43 < midnightmagic> gmaxwell: Is this Raoul Raoul? That guy that shows up when I mention his name? https://bitcointalk.org/index.php?action=profile;u=9477
16:49 < midnightmagic> He must not know about this channel yet.
17:15 < adam3us> had a minor thought about slightly improving committed tx: if you want to decommit (reveal the tx to the network), previously it was discussed as sending it to the network, and as i recall people pointed out a risk that the miners could refuse to validate it and therefore you'd be prevented from compacting utxo and have to respend it in committed form
17:17 < adam3us> however replying to mastercoin about their impact on the bitcoin network thread it occurred to me, the full nodes can validate whether the key decommit is valid to relay, they have the committed tx to compare it to, so they dont need miners
17:17 < adam3us> and a decommit is small, its just a sym crypto key and the last txid of the committed spend path
17:20 < gmaxwell> ha!
17:20 < gmaxwell> we don't need to have a consensus about your deleted data... so long as we don't authenticate it.
17:21 < gmaxwell> kinda breaks using a committed utxo though, alas.
22:41 < gmaxwell> http://www.smbc-comics.com/?id=3175#comic
23:51 < warren> We're getting complaints of MacOS X corruption from several users now. I didn't get around to posting the bounty in public yet.
23:51 < warren> maybe it's time to define it
--- Log closed Fri Nov 15 00:00:43 2013
--- Log opened Fri Nov 15 00:00:43 2013
00:49 < BlueMatt> definitely
03:02 < gmaxwell> https://bitcointalk.org/index.php?topic=334316.msg3588908#msg3588908
03:02 < gmaxwell> adam3us: ^ you might like that.
03:37 < warren> are we going to stick with testnet3 for 0.9?
03:38 < warren> there was talk of restart earlier
03:38 < warren> (this matters to test code in other implementations)
05:11 < adam3us> gmaxwell: yes good, i am going to post a cross link on another thread to your reasoned explanation
05:15 < adam3us> gmaxwell: unfortunately (because its more technically challenging) it seems cryptographic anonymity is a better Schelling point than mixing - people can look at the mix and see ooh its some % mixed with bad event X - if its mathematically unknowable, they just shrug and say so what its cash, i have identity of my customers, thats all i need to know
05:15 < midnightmagic> You can pretend to say "2% of your coins are tainted."
05:15 < adam3us> gmaxwell: but i agree if & until someone figures out how to do that efficiently we need to blur the taint to meaninglessness by default in most clients
05:17 < adam3us> gmaxwell, midnightmagic: the problem is when people like CoinValidation get in the mix, they create a countervailing and potentially viral counter effect where people avoid mixing, rather than increasing mixing.  if that happens it may cause a price run of selling tainted coins at lower & lower discounts.
05:20 < gmaxwell> adam3us: yea, there is a symmetry break we need to have, where either privacy is easy and common, or where privacy is mostly useless and only available at great expense.
05:21 < gmaxwell> If only some people use the privacy stuff then everyone will be driven away from wanting to use it for fear of association.
05:22 < gmaxwell> Theymos announced a match on the CJ bounty.
05:22 < gmaxwell> FWIW.
05:23 < adam3us> gmaxwell: btw yday about computational PIR i meant computational variant of multi-node to reduce bandwidth.  where n-1 of the n request strings are RNG seeds (there's a footnote in mojonation tech paper about my having suggested it to them).  mojo was an agoric p2p anonymous storage system.  ex-mojo people include bram cohen (bittorrent), zooko (tahoe-lafs)
they took the bits of mojo and expanded them
05:25 < gmaxwell> adam3us: interesting! I'll look into that. Yea, I'm vaguely familiar with mojonation... I know zooko worked on it. (amusingly zooko asked if I knew about it, and I misheard him, and said no, and he looked so crestfallen. :) )
05:25 < adam3us> gmaxwell: still musing if there is a way to use TD's noisy bloom request to get secure spv searching for sender randomization of static
05:26 < adam3us> gmaxwell: its too simple to read: just instead of sending n random strings that xor to 1 bit remaining, you send n-1 seeds and one random string, no longer info theoretic secure if you can break the stream cipher/rng
05:31 < adam3us> nice matonis (9000 twitter followers) just retweeted via petertodd my rant about coin validation.  i think dark wallet are going to reach their funding target.  I offered them free crypto advice.
05:34 < petertodd> adam3us: I'm going to their hackathon in a few weeks
05:47 < adam3us> petertodd: cool.  people going to vegas conf?
05:47 < petertodd> vegas conf? didn't know there was one
05:52 < warren> I'm considering going to vegas conf.
05:53 < adam3us> http://www.mediabistro.com/insidebitcoins/ i'm not the most in the loop guy - there are 100s of bitcoin conf & I dont know which are the most relevant - just i was going to be in the us anyway so i figured why not
05:53 < warren> not exactly sure how useful it is though
05:53 < warren> quite expensive looking
05:53 < adam3us> warren: hotel is cheap tho $66 in amsterdam it was $100s for a mediocre 2*!
05:55 < adam3us> warren: yes usefulness - the only recognizable names are reiner/armory and charlie lee's brother from btcchina - someone tell me whats the most useful.  i have limited idea. there are loads, there was another one in amsterdam 2months after the previous one - they didn't get critical mass interest so canceled.  (they were soliciting speakers)
05:56 < TD> good morning
06:00 < adam3us> we should have a bitcoin wizards BoF: recommended for wizards only - others heads will spin so they wont get much out of it
06:03 < warren> adam3us: the conference sign up fee is rather large
06:04 < gmaxwell> or we just hold our own conference. :P
06:05 < adam3us> warren: it is, yes just meant its offset by the hotel cost.  i paid $930 for 4 nights at a bad 2* for the amsterdam conf.  their conf hotel is $66/night
06:06 < warren> 2* ?
06:06 < adam3us> gmaxwell: why not.  round up the brains lock them in a room, until they fix fungibility :)
06:06 < adam3us> warren: actually i guess it was 3-star, but it was so bad i mentally graded it as a 2-star missold as 3*
06:09 < adam3us> warren: in malta you can stay at a swank 5* around the corner from me for $110/night - amsterdam is too expensive
06:43 < gmaxwell> $450. :P
06:45 < adam3us> gmaxwell: bay area? right expensive. btw https://bitcointalk.org/index.php?topic=333882.msg3590223#msg3590223 link to your post
06:45 < adam3us> gmaxwell: but maybe sleep :)
06:46 < gmaxwell> Bitcoin price, not hotels.
07:02 < wumpus> sigh... http://www.reddit.com/r/Bitcoin/comments/1qnqn1/a_pledge_i_invite_you_to_help_us_stop_the_threats/ :-(
07:03 < wumpus> some people conflate everything
07:19 < TD> a lot of people don't read
07:19 < TD> it's the very nature of a pitchfork-wielding mob
07:19 < TD> i lolled at the "bitcoin developers are too political .... it should be written in C" post
07:20 < gmaxwell> wumpus: its the sort of thing where you should ignore their words and read their feelings and have sympathy.
07:20 < gmaxwell> This is very important.
07:20 < gmaxwell> ...
07:20 < gmaxwell> Because it's impossible to strangle them over the internet.
07:20 < TD> haha
07:21  * TD is reminded of jwz's "cock shaped sound wave" w.r.t linux video
07:36 < wumpus> watch out we're getting together and going to FORK the project... well wow, yes that's how open source works, go ahead and do some useful work
07:36 < wumpus> hehehe
07:37 < TD> yeah. over time i've come to realise the importance of communicating ideas in as few words as possible, on the internet. because a lot of people just won't read something if it's long, they'll assume you said what they expect you to have said
07:37 < TD> and then their responses won't make any sense.
07:37 < TD> but sometimes it's hard to sum up complicated ideas in a short space
07:38 < wumpus> well the problem is that there are a lot of ideas here, most of them not so much complicated, but a lot of them, and seemingly people conflate them all into one
07:38 < TD> everyone loves the idea of "us vs them". it's just fundamental to human nature.
07:39 < TD> people like to pick sides and feel like they're fighting for their side
07:39 < TD> whether it's us vs the terrorists, west vs east, anarchists vs the foundation, liberals vs conservatives etc. often these fights don't make a ton of sense but they help people feel belonging
07:40 < wumpus> agreed
07:40 < wumpus> but sometimes it does get on my nerves, we're sort of all on the same side here
07:43 < warren> I just convinced mastercoin's lead dev that their design is 1) stupid 2) at risk of being filtered by BTC pools and messed up 3) unnecessarily pays a tax on every MSC tx to benefit a centralized entity that externalizes costs 4) and could be done with two TXO per tx instead of four.
07:46 < wumpus> I haven't looked at mastercoin yet tbh
07:52 < adam3us> warren: go warren :) petertodd claimed otherwise on their thread, but i think if they use eg committed tx and a side-chain they only need a timestamp from bitcoin main
07:53 < adam3us> warren: (i think peter was pointing out without committed tx, chain has no stake or incentive in any direction for msc)
07:55 < warren> hmm, #3 has no technical reason not to fix, except the centralized entity that created Mastercoin wouldn't support a proposal to change the protocol where they lose perpetual tax income.
07:55 < warren> #4 it is actually possible with one TXO
07:55 < Fistful_1f_LTC> could they still move mastercoin to another independent blockchain ?
07:56 < warren> I'm trying to suggest that....
07:56 < adam3us> Fistful_1f_LTC: I think so ripper123 (mastercoin ceo?) mentioned it himself on the thread
05:25 < adam3us> a real hard problem
05:25 < petertodd> adam3us: ok, so lets bolt-on some anonymity to my txin commitments scheme. heck, with SCIP you'd be done actually - you don't need to show your txins exist, just prove they're real.
05:25 < petertodd> adam3us: remember your comment about how single-coin values would be anonymous...
05:25 < adam3us> petertodd: SCIP might fail the conservative crypto assumption, it seems if you go for it with SCIP there are a lot of options in the SCIP-coin area
05:26 < adam3us> petertodd: yes.  got to figure out what structure the private keys need so you can prove ownership of a sub-branch with log (n-k) where n is the number of coins and k the depth of the branch you own
05:27 < adam3us> petertodd: how's txin commitment work? did you write about it on forum?
05:27 < petertodd> adam3us: yeah, so lets ditch SCIP and stick with single-coin methods instead. with txin commitments you can roughly bound proof size without fancy math with demurrage, which is probably needed anyway to have a defined incentive to mine.
05:27 < petertodd> adam3us: heh, I've actually got a draft sitting in mutt that I haven't sent yet on it...
05:27 < adam3us> btw another downside of x-prize is people then get all secretive and competitive - i prefer open design
05:27 < petertodd> indeed
05:28 < petertodd> brb, gonna timestamp #bitcoin-wizards into the blockchain for credit :P
05:28 < adam3us> i wouldnt be surprised if that could be net negative
05:28 < petertodd> yeah
05:28 < petertodd> this is stuff where basic ideas are still being researched - it's not like your typical x-prize which is actually more similar to engineering
05:29 < petertodd> adam3us: you going to submit anything to this: http://fc14.ifca.ai/bitcoin/cfp.html ?
05:30 < adam3us> nope i tend not to do formal publications if i have anything to say i just put a pdf on my website :) also the deadline is quite soon right
05:30 < petertodd> yes, very
05:30 < adam3us> (huge lead time 3months?)
05:31 < petertodd> yeah, and I only found out about it nov 7th myself, which I think would be true of everyone...
05:33 < adam3us> petertodd: the other thing i was wondering is you can still use bloom SPV approach with committed tx
05:34 < petertodd> adam3us: thing with bloom is it makes the assumption that you have this chunk of data, and you scan for txs in it - that's a bad assumption
05:34 < adam3us> petertodd: you just have to dload more; maybe if you put big miners in the payment chain, they can assert to having validated the payment path by their hash
05:35 < petertodd> adam3us: with the original pay-to-ip (or now payment protocol) version of bitcoin you never need to scan the blockchain to find coins (in theory)
05:35 < adam3us> petertodd: because the spender gives them to you
05:36 < petertodd> exactly
05:36 < adam3us> petertodd: well if you're going to do that you can safely use static addresses with a public variant of BIP 32 i posted about.  spender adds random value to your address.  Q'=yG+Q
05:36 < petertodd> which opens up a tonne of possibilities
05:36 < petertodd> sure, I mentioned a similar idea using the block hash as the nonce
05:37 < adam3us> petertodd: i was thinking a downside of payment protocol is it implies tighter integration between browser and bitcoin client; browsers are notoriously security buggy
05:38 < petertodd> adam3us: who said a payment protocol needs the browser?
05:38 < adam3us> petertodd: right now you can scan a qr code on a browser
05:38 < petertodd> or just paste a URL into your wallet and let it do the magic
05:38 < adam3us> petertodd: with a smartphone and send the payment via the block chain, malware in the browser cant use the callback as an attack vector on your wallet because it has optical isolation
05:39 < adam3us> petertodd: yes but i mean if the spender has to inform the recipient of the key used because the spender randomized the recipients address (without forcing the recipient to be a full node)
05:40 < petertodd> adam3us: well I'm assuming a payment protocol with positive authentication of who you are sending too
05:40 < adam3us> petertodd: the implication is a send to ip, or hook from wallet to browser http post. send to ip could be ok
05:41 < petertodd> adam3us: yeah, heck, "send via cut-n-paste"
05:41 < petertodd> adam3us: provided the proof of a txin isn't too unwieldy, or at worst click and download a file to import to your wallet. It's all less nice than short addresses, but none of it is a showstopper.
05:41 < adam3us> petertodd: yes i am just saying something semi-related that you can convert a static address into a dynamic address if the sender has a way to notify the recipient of the dynamic address
05:43 < petertodd> adam3us: yeah, so use a prefix-filter rather than bloom filter and implement bitmessage - pick your anonymity set based on how much bandwidth for unrelated messages you can tolerate. Of course, sender just sends you the addr
05:43 < adam3us> petertodd: or you could do it anyway via broadcast if the recipient is a full node to trial decrypt all dynamic addr payments; does seem like a waste of bandwidth to communicate via broadcast any bits that dont need miner validation
05:44 < adam3us> petertodd: the only reason to not send it direct is if the recipient is a user, who is not online much; then something like bitmessage is more sensible than full broadcast.  i think people may be a bit hungup on broadcast as the most robust distributed delivery
05:44 < adam3us> petertodd: you could even email it to them.  it is encrypted.
05:45 < petertodd> adam3us: right, but you see where I'm going with that... so if you assume a prefix-filtered broadcast medium, if you just add order to it you've also got txin commitments :P
05:45 < adam3us> petertodd: i think the prefix filter is probably the same thing as what i was calling bloom bait in discussion here with gmaxwell
05:45 < petertodd> adam3us: and yeah, you're totally right that a simple data packet that you send to the recipient, somehow, makes a lot of sense
05:45 < petertodd> adam3us: bloom bait?
05:46 < adam3us> petertodd: eg you put 1 byte of the non-randomized public key as a prefix, then spv clients can ask for such messages from full nodes with some privacy
05:46 < petertodd> adam3us: yeah, exactly that
05:47 < petertodd> adam3us: point is, that's a totally different, and more scalable, mechanism that bloom
05:47 < adam3us> petertodd: bloom bait because the Q'=yG+Q is randomized so badly you have no idea without downloading them all.  if you use 1 byte of Q also, your anonymity set is reduced but you reduce your bandwidth by 1/256
05:47 < petertodd> adam3us: also has some potential for attack if not handled well...
05:47 < petertodd> adam3us: yup
05:47 < petertodd> adam3us: and fundamentally anonymity sets are about bandwidth anyway, so that's not a surprising trade-off
05:48 < adam3us> petertodd: eg make an addr with same last byte as your target, and spam it with minimum non-dust payments to sabotage your victims spv ability to find their payment
05:48 < adam3us> petertodd: i was wondering about a multi-node pir solution
05:48 < petertodd> adam3us: yup, which gets to how part of that needs to have clearly defined costs
05:48 < petertodd> adam3us: pir?
05:49 < adam3us> petertodd: private info retrieval ... if you have two machines with a database, you can ask one to xor random bits from the db and the other to xor random bits, but with 1 bit different, xor the 2 results and you have your result but each db knows nothing without colluding
05:50 < adam3us> petertodd: you can make one of the bitstrings be a seed to a prng to halve request bandwidth; there is even some funky stuff where you can have single db pir
05:50 < adam3us> petertodd: but its a bit bandwidth heavy and cpu heavy
05:50 < petertodd> adam3us: ahh
05:51 < petertodd> adam3us: IMO better if you aren't thinking in terms of clients and servers anyway
05:51 < adam3us> petertodd: however all the bandwidth and cpu can be tuned by reducing the anonymity set
05:51 < adam3us> petertodd: yes client is spv client, server is a random selection of full nodes, like spv operation but a different request privacy mechanism than noisy bloom
05:53 < adam3us> petertodd: single db computational pir is kind of amazing that its possible.  works via homomorphically encrypted xor
05:54 < adam3us> petertodd: BUT rsa public key encrypted value PER BIT... jeeze (bandwidth) and public key op per db index bit on the server also, result is compact though one public key value
05:55 < adam3us> petertodd: so txin commitments  relates to fidelity bonds at a guess? ;)
05:55 < petertodd> adam3us: when you pick a random full node, how do you know they are independent? :P
05:55 < petertodd> adam3us: no, not at all. txin commitments just means the blockchain exists as a mechanism to commit to the txins of a transaction, and transactions are arranged such that the txouts are committed to by the txins
05:56 < adam3us> petertodd: indeed.  however its just address linkability - not security.  now they are linkable.  if you do that with random nodes, and try to avoid being herded to a hostile group of nodes, its an improvement
05:56 < petertodd> adam3us: here, give me a minute and I'll publish :P
06:00 < petertodd> published! hopefully there weren't any glaring editing mistakes I'd forgotten about...
06:01 < petertodd> adam3us: ok, so remember, the key thing about this is that like committed txs in general, you never have to publish the whole tx publicly
06:01 < adam3us> ok
06:02 < petertodd> adam3us: so it is security, just not quite as strong as it could be if you used some more fancy crypto
06:02 < adam3us> petertodd: i do like that you dont publish as it simplifies miner validation. seems to me miner validation is a protocol complexity risk
06:03 < adam3us> petertodd: its better if the distributed signature (global hashing) is focussing on something extremely simple - ordering
18:32 < warren> And p2pool would need to accept any share solutions that come in a short while (maybe 2 seconds) after work switches
18:46 < warren> argh, this isn't as easy as I thought
--- Log closed Thu Mar 28 00:00:09 2013
--- Log opened Thu Mar 28 00:00:09 2013
01:23 < gmaxwell> I googled for 'access oblivious DHT' and got "Penis Extender With Topical DHT"
01:27 < warren> Keep up with the latest street lingo.
01:57 < amiller> gmaxwell i learned all about oblivious merkle trees, it's really interesting
01:58 < amiller> i tried to think of how that would apply to bitcoin but its strange because it hides access patterns for 'reads' as well as writes
01:58 < amiller> which means every time data is *read* from an untrusted service, it has to be rewritten back as well
01:58 < gmaxwell> yea, "oram"
01:59 < amiller> the data has to be encrypted for hiding the access patterns to make sense
01:59 < gmaxwell> I found a new cake-taker in this subfield for "paper doesn't do what it claims": http://www.cs.stonybrook.edu/~petertw/papers/usable.pir.williams.2008.pdf
02:00 < amiller> but maybe it would make sense for reads to be out of scope
02:01 < amiller> and it would only need to be oblivious regarding writes
02:08 < gmaxwell> (The paper claims that it presents a system which makes PIR (like ORAM but for a public database) practical (e.g. cheaper than just sending the whole database)
 but half way through page 2 you find out that they need a trusted computing oracle (IBM4764) to do it.
 not at all mentioned in the abstract.
04:59 < gmaxwell> gah. muggle hardly knows how bitcoin works at all, and his first reflex is to use it as a freaking broadcast medium:
04:59 < gmaxwell> 01:57 < Belxjander> topi`: well the only idea I have at the moment is to make an AppEngine python instance where I can pull ticker data from the blockchain...
05:05 < Graet> yeah, interesting concept, but who puts ticker data in for him to pull?
05:06 < gmaxwell> Graet: Where is your robe, wizard hat, and fitting scowl of disapproval?
05:06 < gmaxwell> :P
05:07 < Graet> i have 1 of 3 :P
05:20 < warren> I finally had time to read about the conference.  dang.  $300 registration fee.
05:20 < warren> roundtrip airfare at that time would be ~$700 right now
05:25 < Graet> only 7 and a bit btc
05:25 < Graet> will cost me ~12 in airfares each way
05:25 < Graet> ;)
05:26 < Graet> but i'd probably fly in one side of the country and out the other ;)
05:27 < warren> I feel really stupid ... my BTC balance is 0.6
--- Log closed Thu Mar 28 07:23:15 2013
--- Log opened Thu Mar 28 07:23:27 2013
14:39 < gmaxwell> I wonder how two nodes could realize that they're both talking to a common third without disclosing who they're talking to each other.
14:40 < gmaxwell> On the subject of how do you prevent sociopaths from running nodes that connect to every other node simply because it's cheap for them to do and may confer some imaginary benefit.
14:45 < petertodd> ..or less than imaginary benefit...
14:46 < petertodd> We've both independently come up with p2pool PoW's, so there is that.
14:53 < petertodd> oh, never mind
14:56 < gmaxwell> p2pool has a much stronger usecase for pows though, and a by-definition way of getting them cheaply. :P
14:58 < petertodd> yeah, I'll punt and say "WITH SCIENCE! I mean CRYPTO!"
15:04 < warren> (It also helps that p2pool bogs down if you have too many connections.)
15:14 < gmaxwell> warren: the point for p2pool would be an outright attack... at least for a while it was very common for mining pools to get attacked.
15:15 < warren> Happens every day now for litecoin.
15:16 < warren> gmaxwell: I mean, "On the subject of how do you prevent sociopaths from running nodes that connect to every other node simply because it's cheap for them to do and may confer some imaginary benefit."  p2pool fails badly if you tried to do that.
15:17 < gmaxwell> indeed, fair enough.
15:17 < warren> mostly an implementation issue
15:17 < warren> you can hack it to do more outgoing connections but it bloats and goes haywire
15:17 < warren> and really slow
15:20 < warren> gmaxwell: someone wrote a script that polls the entire p2pool address list and generates a web page that lists all public p2pool nodes and their fees.  He's afraid of releasing it though, for fear of making p2pool a DoS target.
15:27 < petertodd> It's not an absolute protection by any means, but a decent protection would be to encourage alternate network transports, including ones that rely on central services. twitter.com/blockheaders is a funny example, but seriously using Amazon EC2 message broadcast facilities and similar methods would be good
15:29 < gmaxwell> petertodd: agreed there
 that was also a reason I thought a udp transport would be interesting,
 though it seems jeff's work is still connection oriented.
15:31 < petertodd> gmaxwell: Yeah, I haven't looked at it in detail, but blockheader data seems particularly suited to UDP.
15:32 < petertodd> gmaxwell: The client should be able to store and compute stuff about raw block headers, some kind of "pending tx data" state.
15:33 < gmaxwell> petertodd: "new block with a verification level of 0"
15:33 < gmaxwell> well I suppose 1. Zero would be totally stateless validation I guess.
15:34 < petertodd> gmaxwell: Yup. "unknown chain with 10 bazillion knownwork"
20:04 < warren> "Bitcoin is a hedge against the entire global currency system." -- Bloomberg Businessweek
20:04 < warren> both funny and scary
21:11 < jgarzik> gmaxwell: UDP need not be connection oriented
21:11 < jgarzik> gmaxwell: That was just a convenient way to solve a few problems
21:12 < jgarzik> gmaxwell: UDP would be great for block headers, but you have to figure out how to know the membership list for receiving a broadcast.  You have to avoid amplification attacks inherent in many broadcast/subscription setups.
21:12 < jgarzik> petertodd: ^
21:14 < gmaxwell> jgarzik: sure, you can use cookies to do stateless bidi handshaking to setup an association with no state until the other side has shown its there, for example.
21:14 < jgarzik> gmaxwell: There were also issues with UDP-only CNode's that I did not want to step into, in the current implementation.  Needs-TCP-cxn was a cheat way to ensure there is always a CNode, even for UDP.
21:15 < jgarzik> cannot easily feed UDP messages into ProcessMessage() engine without a CNode
21:15 < jgarzik> etc.
21:15 < jgarzik> gmaxwell: agree it's possible, and the UDP implementation actually does a bit with cookies
21:16 < gmaxwell> ::nods:: there should probably be an always up dummy node for "all udp peers"  ... though another reason to build the udp stuff as a proxy first. :)
21:19 < BlueMatt> doesnt jgarzik have his own full-node implementation now? why didnt he code udp for that?
21:19 < jgarzik> I was thinking UDP broadcast of: block header + list of transactions
21:19 < BlueMatt> also, wouldnt that have been easier...
21:19 < jgarzik> BlueMatt: because bitcoind is more important? :)
21:19 < BlueMatt> well...ok fair enough
21:32  * BlueMatt seriously wishes the world would move off bitcoind, or...I suppose that the world could move off of bitcoind safely
21:34 < petertodd> jgarzik: bidi == bidirectional?
21:37 < gmaxwell> petertodd: yes.
21:38 < jgarzik> BlueMatt: why?  I think bitcoind is the best, most secure full node implementation out there
21:39 < BlueMatt> jgarzik: that's my point, I wish there was a library that was as secure so that we could get easier...stuff
21:39 < BlueMatt> something with reasonable code structure
21:39 < jgarzik> BlueMatt: what... stuff do you want?   :)
21:40 < jgarzik> Note that Java is no example of reasonable code structure ;p
21:40 < petertodd> ...and spaces apparently. :P
21:40 < sipa> i wonder
21:40 < BlueMatt> jgarzik: hell no, I'd like a C library...anyway, look at how hard it is to write your own network layer for UDP
21:40 < BlueMatt> jgarzik: you have limitations based on existing structure
21:41 < BlueMatt> that means something there is too interconnected
21:41 < BlueMatt> and it shouldnt be
21:41 < BlueMatt> also, yes, can we s/    /\t/
21:41 < jgarzik> BlueMatt: I had limitations based on what I could do in 30 minutes ;p
21:41 < sipa> wouldn't it be nice to fork bitcoind, and drop wallet and GUI
21:41 < sipa> and clean up the core
21:41 < BlueMatt> sipa: YES!
21:41 < petertodd> sipa: ACK
21:41 < BlueMatt> or...do that wallet protocol shit luke is always talking about
21:42 < sipa> wallet protocol is for talking with a wallet
21:42 < BlueMatt> nfc if its designed well, but implement the idea
21:42 < sipa> i just don't want a wallet in the first place
21:42 < BlueMatt> yes, pull out wallet and then give it a separate wallet
21:42 < petertodd> Everything related to validation and mining should be in one codebase, and nothing else in that codebase.
21:42 < sipa> to focus on what bitcoind imho should be: the core of the network
21:42 < jgarzik> sipa: certainly makes things easier :)  That's my goal with "brd", hidden inside picocoin.git
21:42 < gmaxwell> why do you think I keep trying to get etotheipi to hoist armory onto the RPC?  ... I want to dump the reference wallet into his lap. :P
21:42 < BlueMatt> yes, and it can also relay lists of txn and blocks so that wallets can attach
21:42 < petertodd> gmaxwell: sssh! he might be listening!
21:42 < sipa> BlueMatt: meh, wallets just do SPV
21:42 < sipa> done
21:42 < BlueMatt> well, ok fine
21:43 < sipa> or listen to events from a trusted bitcoind
21:43 < sipa> i don't care, really
21:43 < petertodd> Main thing wallets need is the searchable UTXO set. hint hint
21:43 < BlueMatt> how pissed would laanjw be if we did that?
21:43 < sipa> petertodd: hell no
21:43 < gmaxwell> There are some stats and such a wallet would want from its parent fullnode.
21:43 < sipa> petertodd: imho a wallet shouldn't need a thing
21:43 < gmaxwell> petertodd: thats SPV incompatible.
21:43 < jgarzik> sounds like an electrum server/client split ;p
21:43  * jgarzik runs
12:06 < gmaxwell> I expect a lot of value can be added by adding a bunch of tinyram specific peephole optimizations (esp if you know the true cost of various opcodes)
12:06 < realzies> https://docs.google.com/file/d/0Bx3Ty2UX6yDLSnM3aU04YUFSNU0/edit
12:06 < realzies> mmm indeed
12:20 < gmaxwell> realzies: I wonder why they bother keeping the primary input in a tape when they require you to load it into memory in the preamble?
12:20 < gmaxwell> why not just eliminate the preamble and say that the input is in memory?
12:21 < realzies> mmm I mislinked the other pdf: https://docs.google.com/file/d/0Bx3Ty2UX6yDLeUdVODY4M3M4QWM
12:25 < realzies> gmaxwell: maybe that would make unnecessary requirements for the initial memory
12:25 < realzies> ie. now, perhaps, memory is assumed to initialize all-zero
12:25 < realzies> just a guess?
12:25 < gmaxwell> realzies: the preamble effectively creates that requirement.
12:26 < realzies> yeah just read the "initial state" section
12:26 < gmaxwell> I suppose a different prover that still reads tinyram might have a different preamble requirement.
12:26 < petertodd> realzies: congrats!
12:26 < realzies> petertodd: heh, those go to eli
12:26 < realzies> and his team
12:27 < petertodd> realzies: well, for them I just have stunned wonderment...
12:27 < realzies> :D
12:28 < gmaxwell> So, they said that their proofs are 6156 bits for 80 bit security.
12:29 < petertodd> gmaxwell: I'm not sure if sequential vs. parallel is the issue here - the function should be sequential only, but it should also be something where a big table acts as a trap-door
12:29 < petertodd> gmaxwell: sure it's nice if the defender can compute it in parallel too, but that's not the issue - they only have to have one copy of the trap-door table
12:31 < gmaxwell> if the defender only has one table then can't attackers cooperate to store one table themselves?
12:31 < gmaxwell> e.g. defender has 100 MB, and an attacker has 100MB shared by his 1000 sybils.
12:32 < petertodd> Of course, but the only way they can co-operate sufficiently fast is to just be one machine, and we're back to the fact that a single high-speed, high-bandwidth machine can perform a DoS attack.
12:32 < petertodd> (high # of IPs too)
12:33 < petertodd> I'm just trying to prevent someone from attacking multiple targets at once.
12:33 < gmaxwell> realzies: so I think those numbers do suggest that zk-snarks are viable as a SCRIPTSIG in a blockchain currency on bandwidth,storage grounds.
12:34 < gmaxwell> sadly, a botnet actually has surplus computation. :(
12:36 < petertodd> of course, but doing this does force them to use cpu-time/ram, which gets their resource usage to a point higher than the defender's sum resource usage
12:37 < petertodd> We know we can't win against an arbitrarily large attacker, but we can make the minimum attack resources orders of magnitude higher than they are now.
12:38 < petertodd> Right now it looks like a small number of EC2 nodes would make SPV clients unusable after all...
12:40 < gmaxwell> there are multiple facets of defending against this.
12:41 < gmaxwell> Obviously you can make the attack more expensive.
12:41 < gmaxwell> Another thing would be to make it more easy to moot:
12:41 < gmaxwell> Give every node a second authenticated listening port that you can only connect to if you know some node key.
12:41 < gmaxwell> Give every client the ability to just drop in some addr:node-keys settings.
12:42 < gmaxwell> Then if an attack happens, you obtain keys from a couple friends...
12:42 < gmaxwell> and then you are attackproof
12:42 < gmaxwell> (of course, you could do this before the attack happens too)
12:44 < petertodd> Yeah, you can defend by creating a darknet basically.
12:44 < petertodd> Similarly SPV nodes can simply connect to friends.
12:45 < petertodd> Basically we're just looking for a way to distinguish a valid SPV node from one run by an attacker, and we do that by making it expensive to connect in a way that we can afford.
12:45 < petertodd> You can just as equally ask for SPV nodes to give you a fee-paying transaction, and kick them if it doesn't get mined.
12:46 < gmaxwell> people are spazzy about fees.
12:46 < gmaxwell> I imagine that 10x that _actual_ electricity cost in POW is acceptable over a fee.
12:50 < petertodd> Yeah, but remember we're talking about Android clients here - the cost to do a PoW is huge for them.
12:51 < gmaxwell> I know.
12:53 < realzies> gmaxwell: mmm
12:55 < petertodd> The other nice thing, is if you are thinking about trying to prevent someone from peering with the whole network, you can scale the work/resources required by the % of 1's in the peer's bloom filter. (100% if they don't specify one)
12:57 < gmaxwell> sadly, lots of ones in the bloom filter doesn't prevent you from becoming cpu/disk bound.
12:58 < amiller> realzies, any chance you'd share the draft with me
12:58 < amiller> of the tinyram paper
12:58 < amiller> i'll ask permission myself if you don't want to violate implied confidentiality but it shouldn't be a big concern because it has already been peer reviewed
12:58 < petertodd> I'm thinking lots of ones means they'll match on a high % of the transactions, and thus give you visibility to the state of the network.
12:59 < petertodd> IE we want it to cost just as much to act as a full peer to snoop the network, as to act as a few SPV nodes to snoop the network.
12:59 < amiller> realzies, i realized you already pasted link to the tinyram spec, but i mean the crypto 2013 paper snarks for c
13:01 < gmaxwell> amiller: it's the last link.
13:01 < amiller> there's just two links and they're both the same?
13:01 < amiller> except for 'edit'
13:02 < realzies> amiller: I did
13:02 < gmaxwell> 09:21 < realzies> mmm I mislinked the other pdf:  https://docs.google.com/file/d/0Bx3Ty2UX6yDLeUdVODY4M3M4QWM
13:03 < realzies> ahh
13:03 < realzies> ^^
13:03 < amiller> i must have pinged out
13:03 < realzies> ty gmaxwell
13:08 < gmaxwell> So their verifier runs in 50ms for input (number of field elements) size 2^6.
13:10 < gmaxwell> (this is on a multicore 2.4ghz opteron box, but I expect that verification time is not parallel)
13:10 < gmaxwell> the proving is slow though.
13:13 < gmaxwell> For a circuit of size 2*10^6 it takes them 66 minutes (and this box has 48 cores)
13:13 < gmaxwell> The circuit size is effectively 1200 * number of tinyram cycles.
13:14 < gmaxwell> (cycles meaning execution time)
13:22 < amiller> how much is that per proof in EC$
13:23 < amiller> assuming all of the coordination issues and latency are solved, and you just have to post an appropriate btc bounty to get the horde to work on it, that's still a lot of power
13:23 < gmaxwell> the proving is highly parallel fortunately.
13:23 < amiller> if you can relate the cost of computing a hash to the cost of one of these field ops, you could bound the number of these per day using the current PoW network
13:24 < amiller> you know, in the idealistic unfathomable case that all the network's Work actually coincides with such proving
13:25 < gmaxwell> I'm unsure as to what model you're imagining where the network is expending computation on proving.
13:26 < gmaxwell> e.g. that's inapplicable to using SCIP as scriptsigs.
13:28 < gmaxwell> I'd say maybe in proving that the transactions in a block are valid... but that has an unfortunate property of making the POW work proportional to the number of transactions in a block... which is undesirable.
13:28 < gmaxwell> though does create some natural bounds on scalability!
13:28 < gmaxwell> hm....
13:28 < amiller> i don't think it necessarily has that unfortunate property but it's interesting - anyway still even just with the scriptsig case...
13:29 < amiller> the point is it's a lot of work but it's easy to check, so it would be nice to use bitcoin as a way of outsourcing it to the public
13:29 < amiller> vanity address mining is the closest analogy
13:29 < gmaxwell> petertodd: What would happen to the concerns about the blocksize limit if instead block difficulty were  diff*f(transactions) ?
13:29 < gmaxwell> amiller: oh thats irrelevant.
13:30 < petertodd> petertodd: Doesn't change anything IMO because diff has nothing to do with censorship-resistant bandwidth.
13:30 < petertodd> er, gmaxwell:
13:30 < gmaxwell> amiller: you do the work for your vanity generation _outside_ of the SCIP environment. Then you use only the SCIP to get a signature of knowledge for a faithful answer.
13:30 < petertodd> gmaxwell: On the other hand, I *really* like jdillon's voting scheme.
13:31 < gmaxwell> petertodd: F() might as well be a function matching the two.
13:32 < petertodd> gmaxwell: If diff has anything to do with it, people can make it irrelevant by voting with diff taken into account.
13:33 < gmaxwell> petertodd: Was this a proposal to use PoS to vote for parameters like that?
13:33 < petertodd> gmaxwell: Yes, and a very cleverly done one that can't be manipulated by miners.
13:34 < gmaxwell> petertodd: the thing I don't like about that (ignoring solving the censorship problems) is, of course, that reduces to "give mtgox or blockchain.info unilateral say".
13:34 < gmaxwell> Current control over funds is not exactly 1:1 with empowering the users of bitcoin.
13:34 < gmaxwell> Uh, but it's probably better than letting miners pick.
13:34 < gmaxwell> How does John solve the problem of miners denying suffrage?
13:34 < petertodd> gmaxwell: Basically, your vote is what *enables* a miner to prove to the world that the people holding Bitcoins want the blocksize to be something. A txout without such a vote is a vote for the status quo, and txouts age over time to account for lost coins. (after one year)
13:35 < petertodd> gmaxwell: Basically the scheme recognizes that miners can always reduce the blocksize limit, but forces them to prove consent of bitcoin holders to raise it.
13:36 < gmaxwell> ah, that's interesting. Making it one-sided removes the censorship risk.
01:26 < adam3us> petertodd: so it is an improvement, but one can't use it for bitcoin mining as that is first-past-the-post and this has a progress; though it could be ok for other proof of sacrifice
01:27 < petertodd> adam3us: Is it the best known way - in terms of proof-size - to combine multiple proof-of-foo's?
01:27 < adam3us> petertodd: best I've seen yes
01:29 < petertodd> adam3us: OK. See, I've been thinking about proof-of-stake stuff, and it seems to me that one way to give a proof-of-stake-using blockchain SPV verifiability would be to use some kind of proof-of-? combining algorithm.
01:30 < petertodd> adam3us: Proof-of-stake needs a random beacon anyway, so use it to control what part of the merkle tree of previous stake proofs is revealed.
01:31 < adam3us> a space efficient way to prove stake
01:31 < petertodd> Exactly
01:31 < adam3us> petertodd: i guess you need to prove possession of the private keys, and you could just bundle all your money onto one address and then sign with that?
01:32 < petertodd> I've got a tentative design for a way to do distributed consensus based on having nodes pick a subset of the UTXO space to store and verify, and using proof-of-utxo-posession and proof-of-stake combined for the proof-of-? function.
01:32 < jgarzik> petertodd, technically speaking, "fee" can be anyone-can-spend or miner's fee. I'm ok with either.  Want to avoid burn-the-money sacrifice.
01:32 < adam3us> petertodd: or if you do it in parts, using this approach, if the number of stakes is not a power of 2 it may not be fully accurate (only to the nearest power of 2?)
01:32 < petertodd> jgarzik: yup, so make it anyone-can-spend and we're good and have small proofs.
01:33 < amiller_> adam3us, in that paper the subsolutions have to be computed sequentially
01:33 < adam3us> petertodd: proof of holding the utxo set could be pretty useful to prevent willfully ignorant miners
01:34 < amiller_> the proof is basically a short sample of the work after you've done it
01:34 < petertodd> adam3us: Yes, even Bitcoin is going to need it because with UTXO proofs in the coinbase you can do distributed low-bandwidth mining without verification.
01:35 < petertodd> adam3us: A nice way to mine anonymously regardless of what the blocksize is, but it undermines the 51% attack security badly.
01:35  * jgarzik makes "anyone can spend" explicit
01:36 < amiller_> there's no good proof of holding the utxo set until you build it into the proof-of-lotto-whatever
01:36 < amiller_> if it's separate it will just be cheaper to have someone lie for you
01:36 < adam3us> amiller_: ok, but only to the extent that parents have to be calculated after their children
01:36 < petertodd> adam3us: power of 2? I should be able to modify that paper to allow for uneven proof values
01:36 < petertodd> adam3us: then add zero-value padding or whatever
01:36 < amiller_> adam3us, no you have to do sequentially as well
01:37 < adam3us> petertodd: probably
01:37  * amiller_ rereads more carefully to make sure
01:37 < amiller_> if not then the way i have in mind is better anyway
01:37 < amiller_> basically the leaves have to be computed sequentially
01:37 < amiller_> and you have to build a merkle tree on top of all the leaves
01:37 < amiller_> and then the proof is a sample of those
01:38 < adam3us> amiller_: the leaves are h(i||s) s is service string, i is node number
01:38 < petertodd> amiller_: Yeah, and for my application the proof-of-holding-the-utxo set needs to really be a proof-of-work in itself to serve as a random beacon; kinda like scrypt in a way.
01:39 < petertodd> amiller_: I was thinking at the very bottom of the merkle sum tree for the UTXO set compute H(utxo | H(block header | nonce)) and call that computation the proof-of-work.
01:40 < petertodd> amiller_: s/block header/prevblockhash/ actually
01:40 < adam3us> amiller_: you could force it to be sequential eg h_i = h(h_{i-1}||s) for the leaves
01:40 < adam3us> amiller_: but why? to make it less parallelizable?
01:41 < petertodd> amiller_: likely with an additional scrypt like thing to make nonce sequential and random access in some way
01:41 < petertodd> amiller_: but defeating ASIC UTXO implementations is optional
01:41 < amiller_> yeah to make it less parallelizable i guess
01:41 < amiller_> if less parallelizable is a goal, which it often is for pow
01:42 < petertodd> Given I'm thinking about including proof-of-stake, I'm certainly leaning against ASICs... :)
01:42 < adam3us> amiller_: i figured its a bit unproductive because you can always parallelize  non-interactive problem by creating lots of problems and running them in parallel
01:43 < adam3us> amiller_: it might make asic a little more difficult
01:44 < amiller_> yeah i think you're right now
01:44 < amiller_> i can't remember what it is i had in mind then.
01:44 < petertodd> adam3us: yeah, a proof-of-work for a crypto coin *must* be parallelizable to some degree, or you can't have decentralized mining. But you often want the minimum economic production unit to be "one standard CPU + ram" rather than "250um^2" of silicon
01:44 < amiller_> but yeah the idea (i thought was in this paper) was to reduce variance by having the work involve incremental progress
01:45 < adam3us> amiller_: it could make cheating a bit harder (not computing all nodes) especially if the recipient could expect preimage of leaves randomly also
01:45 < petertodd> amiller_: *while* still keeping proof size small.
01:46 < adam3us> there is progress, and it is partially ordered because of the tree, so the result is reducing variance even tho there is some order flexibility
01:47 < amiller_> hmm... so i guess then it's fine just there's no reason to make it sequential since that doesn't really reduce parallelism anyway
01:48 < adam3us> petertodd: its a bit related (asic unfriendly pow) i was thinking eg many hash functions (sha1, ripemd, etc) say 64 hash functions; then selecting which hash function to use based on the beacon, or just based on incrementing counter
01:49 < adam3us> the other thing for asic unfriendly is some dynamic behavior, if which operation to execute is data dependent thats CPU behavior
01:49 < petertodd> adam3us: All that does is changes the minimum economic production unit from, say, 50um^2 to ~1500um^2. If anything it could make the ASIC problem worse by increasing the barriers to entry.
01:49 < adam3us> amiller_: i do like their concept of keeping proof size small, that seems likely reusable
01:49 < amiller_> why not just say you want it to be optimal for intel cpus
01:49 < amiller_> and then find some benchmark for intel x86 cpus
01:50 < amiller_> whatever it is they do that they're best at and optimized for and nothing else can dollar for dollar beat them at
01:50 < amiller_> and then build a proof of work around sampling that functionality
01:50 < amiller_> if that's the goal
01:50 < petertodd> adam3us: I *really* think you want solidly memory hard functions where the vast majority of resources are tied up in silicon to store data.
01:50 < adam3us> i think so yes; eg just choose x86 instructions randomly and execute them, hash the result or something like that
01:51 < adam3us> but gpus are better cpus - most of the silicon in a cpu is wasted on single thread performance optimizations
01:51 < adam3us> so i think maybe better to optimize gpus
01:51 < petertodd> adam3us: At least then the best hashs/$ solutions will be met by implementations that take a bunch of memory and wire it up to many cheap microprocessors - something easily doable on a cottage industry level; PCB design and layout is easy.
01:51 < amiller_> imo the only thing that makes sense is to make the pow exercise some functionality we actually *care* about, which basically means utxo proofs
01:52 < adam3us> memory hard i am not sure; can't an asic include the optimal amount of ram also; or 100-port RAM or something special
01:52 < amiller_> everything else is goofy
01:52 < petertodd> adam3us: They can, but then the ASIC looks like a memory chip and isn't much cheaper than one.
01:53 < adam3us> petertodd: i was thinking many ported memory could be a problem
01:53 < amiller_> hrm i have no idea how many ported ram works
01:53 < adam3us> petertodd: it allows massive reuse of ram, which normal memory doesnt provide
01:54 < amiller_> what do SSDs perform like, vs many ported ram and 'normal' ram
01:54 < adam3us> amiller_: much video ram is dual ported - two independent access channels
01:54 < petertodd> adam3us: Right, but that's why you want to ensure that the problem is random-access-bandwidth limited.
01:54 < petertodd> adam3us: Reuse doesn't do you any good if the data in ram changes constantly.
01:54 < adam3us> petertodd: well thats my point if a normal ram has 4 channels etc, ok; but if i can access 1024 ports simultaneously
01:55 < amiller_> that's really interesting
01:56 < petertodd> adam3us: Although, for a UTXO proof-of-possession/pow hybrid that's an interesting point... your optimal design would likely be a set of multi-ported ram holding the master copy of the UTXO set, which has multi-port access to the slaves which are changed at every new cycle... hmm...
01:56 < petertodd> adam3us: For a pure scrypt-like it's not an issue, but here it is.
01:56 < adam3us> i guess my meta point is never underestimate hardware guys; you can optimize anything in hardware, and it's always possible to do better than software
01:57 < adam3us> i'm not a hardware guy, but i did hear there were people working on scrypt asics
01:57 < petertodd> adam3us: I *am* a hardware guy, and that's just not true, at least if you want a large performance/$ increase.
01:58 < gmaxwell> maybe it would help if you were clear about what kind of performance improvement you're talking about.
01:58 < petertodd> gmaxwell: 10x
01:58 < adam3us> right, the best you can hope for is the perf/$ increase is modest
16:57 < ebfull> i'll try changing it to simulate larger miners
16:57 < adam3us> ebfull: sounds good might be interesting to know what gamma is achievable (ratio of race wins) with realistic latency as cribbed from pool operators
16:57 < adam3us> ebfull: i predicted worse than 50%
16:58 < ebfull> what did you write your simulator in?
16:58 < adam3us> ebfull: which makes profitable alpha (hashrate percent) of between 25% and 33%
16:58 < adam3us> ebfull: C
16:58 < adam3us> ebfull: but it sucks so i abandoned it - you really need to consider triple collisions and such things so my structure was bad
16:59 < ebfull> i considered writing one in c, but i wanted other people to be able to rapidly prototype ideas and changes to the simulation
16:59 < ebfull> i can make this javascript one fast enough for smaller simulations but i probably should write a better one
17:00 < ebfull> i also liked being able to throw in d3 (for graph rendering)
17:00 < ebfull> should i continue with this javascript one or work on a new one
17:00 < amiller> i like the javascript one tbh
17:00 < amiller> it's presentable, that's the main advantage and that's huge
17:01 < amiller> i haven't looked at your code to comment on whether it's flexible/maintainable/presentable so i have no idea what the effort is required to add new little features
17:01 < adam3us> ebfull: wow graphics, wasn't expecting that, mine being written by me was unix console app :)
17:01 < ebfull> it's definitely a mess but i can clean it up well
17:01 < ebfull> ya haha
17:02 < ebfull> you can turn them off if you don't care about them though
17:02 < ebfull> they can use up browser memory
--- Log closed Sat Nov 09 00:00:49 2013
--- Log opened Sat Nov 09 00:00:49 2013
04:09 < adam3us> gmaxwell:  miner can instead try to find p' that satisfies [H(p')+H(p'||2)]*G =? Q'
04:11 < gmaxwell> 01:08 < adam3us> gmaxwell: but i think x=H(p), Q=xG, b=H(p||2), Q'=xG+bG=(x+b)G, is Q itself is grindable and you give Q to the kdf miner
04:12 < gmaxwell> I'm suggesting that the private key is x+b+z
04:13 < gmaxwell> and z is the index found  by starting with xG and incrementing until you reach the first distinguished point (By some well known scheme).
04:13 < adam3us> gmaxwell: yes sorry that was incorrectly written
04:14 < gmaxwell> yea, it's not (statistical) zero knowledge.
04:15 < adam3us> gmaxwell: x=H(p), Q=xG, b=H(p||2), Q'=xG+bG=(x+b)G kdf miner finds Q'+zG/2^k?=0 tells user z
04:16 < adam3us> gmaxwell: seems similar to https://bitcointalk.org/index.php?topic=311000.msg3402287#msg3402287
04:16 < gmaxwell> yea, the downside is that the kdf miner says screw you and searches for your passphrase instead. :P worse, he doesn't have to solve the hardening to do it.
04:16 < gmaxwell> so a system which was randomly blinded and thus zero knowledge would be better.
04:17 < gmaxwell> e.g. if your passphrase just has 16 bits of entropy, he just searches for a passphrase that gives the right Q' query.
04:17 < adam3us> gmaxwell: that one was one-use is a stretched sig instead of a stretched kdf
04:22  * gmaxwell -> bed
04:23 < adam3us> 'night
08:42 < adam3us> gmaxwell: btw the point of stretched public key / signature in https://bitcointalk.org/index.php?topic=311000.msg3402287#msg3402287 is its offline wallet compatible unlike the blind/unblind there is no unblind step so no need for 3 msg flow (blind, (kdf), unblind, sign), verify, it becomes (sign), kdf/verify the first signature verify is expensive
--- Log closed Sun Nov 10 00:00:56 2013
--- Log opened Sun Nov 10 00:00:56 2013
16:23 < adam3us> hmm did people see this comment bytecoins thread about selfish-miners:
16:23 < adam3us> HanSolo said "For block-height ties, prefer the block whose locally-observed arrival time is closest to its internal timestamp."
16:23 < adam3us> that seems quite elegant and simple as a way to frustrate racing
16:25 < adam3us> there is a time in the coinbase, and a side effect of selfish withholding is that the time becomes stale; conversely if a selfish miner tries to correct by putting a futuristic time, it may overshoot and have a not-yet valid time
16:36 < Luke-Jr> indeed, I do like that idea
16:37 < Luke-Jr> but I may be biased since BFGMiner is probably the only miner that actually keeps the ntime header accurate :P
16:37 < adam3us> oh i suppose many of the asic miners load up a static coinbase and don't want to reload as they have slow start time and lose mining duty cycle by updating time...hmm that's unfortunate
16:46 < adam3us> think thats fundamental or tough luck?
16:46 < adam3us> a small dis-economy of scale for asic miners
16:48 < gmaxwell> Does it really help that much? it still leaves you with the weird incentive that you can keep mining at the current block and replace a later announcement.
16:49 < gmaxwell> er earlier announcement.
16:49 < gmaxwell> e.g. say the earlier announcement wasn't so close (due to latency, whatever, and you have many observation points)
16:49 < gmaxwell> you're better off keeping mining at this block with your time set somewhat forward and then announcing when you'll nail the time.
16:50 < gmaxwell> plus you create huge incentives to slightly skew nodes' times... potentially making the whole network brittlely dependent on ntp for subsecond accuracy.
16:52 < gmaxwell> oh the memory pool idea is interesting!
17:02 < gavinandresen> yes, very interesting. ByteCoin is always worth listening to
17:05 < gavinandresen> If we start relaying all valid chains (not just first one we've seen) then I'm not sure what will happen. There are lots of possible reasonable policies for choosing between two chains of the same height
17:06 < Luke-Jr> adam3us: no, it's mostly a software thing
17:06 < gavinandresen> I could imagine: pick the chain with the most transactions (discourage miners who mine single-transaction blocks). ByteCoin's algorithm. Pick one at random (Eyal/Sirer suggestion). Pick the one you saw first.
17:07 < gavinandresen> My intuition is that decision should be left up to miners, and that it is best if miners are somewhat uncertain what policy or policies other miners are using to decide.
17:07 < Luke-Jr> gavinandresen: might have to write code to fabricate dummy transactions so blocks get priority then..
17:08 < gmaxwell> Luke-Jr: answered by uncertainty.
17:08 < Luke-Jr> gavinandresen: how about pick the one with the most elevens in the hash?
17:08 < gavinandresen> I know how much engineers LOVE uncertainty
17:08 < gmaxwell> E.g. if the network used most txn then that would be the case, and it would have bad anti-convergence outcomes. If only _some_ miners did, that's another matter.
17:08 < gavinandresen> Oooh!  Elevenses!
17:09 < gmaxwell> But I don't think we have enough mining distribution to actually make uncertainty useful... you really only care about the policy of a super majority.
17:09 < Luke-Jr> I suppose realistically, it's a miner-specific policy in the end
17:09 < Luke-Jr> would be nice if there was a way to kick miners who insisted on using "bitcoind defaults"
17:09 < gmaxwell> plus at least today it's very hard to get most miners to adopt non-standard policy.
17:09 < Luke-Jr> force them to make some decisions
17:09 < gavinandresen> gmaxwell: it'd be pretty easy to code up three or four policies and pick one at random in the reference implementation if miner doesn't choose.
17:10 < Luke-Jr> would it be bad to block off getblocktemplate and getwork if the miner didn't set options?
17:10 < gavinandresen> Of course, if there is one we think has the most desirable properties then that could be default
17:10 < gmaxwell> I wish people accepting 1 confirmed transactions didn't seem to be so common now. :(
17:10 < gavinandresen> Forcing miners to choose is something I've been thinking about with respect to minimum acceptable fees/priority, too.
17:10 < gmaxwell> (because this sort of thing will increase the incidence of 1/2 high reorgs)
17:13 < Luke-Jr> gavinandresen: think something like that is simple enough to be merged easily?
17:14 < gavinandresen> something like what? block-tiebreaking logic? The hard bit is relaying orphans, depending on how we do it
17:14 < Luke-Jr> gavinandresen: denying GBT/getwork unless the mining options are explicitly set
17:14 < Luke-Jr> maybe with an error message that suggests random values (within reasonable ranges) as an example
17:15 < gavinandresen> Luke-Jr: I'd vote yes for that, I don't think it would be very controversial, it goes along with the whole "dev team shouldn't make policy decisions" notion
17:16 < gavinandresen> recommendations, yes, decisions, no
17:16 < Luke-Jr> as things stand right now with most pools, any recommendations will be decisions in practice :/
17:17 < gmaxwell> I don't think any tiebreaking schemes should be offered without simulation results showing they don't produce much more/larger reorgs. We can't get away with offering something that will cause harm saying that we're not making policy, since many people will take the fact that we distributed it as proof that it's good.
17:17 < midnightmagic> +1 analyses
17:17 < gmaxwell> also, if we're not able to make a strong recommendation, how are those pools to decide?
17:18 < Luke-Jr> we could recommend ranges
17:18 < gmaxwell> Most of the pool operators know less about how this works than we do collectively. (If nothing else, they are one or two man operations who have a lot more to worry about than their bitcoind)
17:18 < gavinandresen> yup, agreed
17:19 < gmaxwell> Luke-Jr: I suspect that would work okay for some things perhaps not others.
17:19 < gavinandresen> all of this is not high on my personal priority list, so I welcome analyses and simulation and debate
17:19 < gavinandresen> as long as it doesn't suck up a ton of my time...
13:48 < amiller_> eh i'm sort of wrong, anyway this is my favorite summary http://emsec.ruhr-uni-bochum.de/media/crypto/attachments/files/2011/04/becker_1.pdf
--- Log closed Sun Mar 03 14:17:21 2013
--- Log opened Sun Mar 03 14:17:26 2013
14:17 !niven.freenode.net [freenode-info] channel trolls and no channel staff around to help? please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
14:31 < HM> amiller_: yeah it's interesting
14:31 < HM> blinding is also interesting
14:32 < HM> although i have a crypto scenario i wanted to apply blinding to but apparently can't
14:37 < HM> amiller_: thanks for the merkle paper
14:38 < HM> I think there's a crossover between the SRP protocol and the blinding method on that Kong paper
14:38 < amiller_> np i like dumping links to papers it helps me to keep references cycling in my head
14:39 <@sipa> ha
14:42 < HM> I have a scenario where i thought I could use D-H to establish a shared key, but obviously you need 1 private key available
14:42 < TD> by the way, i was able to obtain something that claims to be a threshold RSA implementation
14:42 < TD> if someone wants to play with splitting of signing keys let me know, otherwise i'll try it at some point
14:43 <@sipa> dobyou have a link, TD?
14:43 <@sipa> do you
14:43 < TD> no
14:43 < TD> it was emailed to me by a researcher i contacted
14:43 < TD> so i'd have to send you the same attachment
14:44 < TD> or i could upload it somewhere
14:44 < TD> even better, it's a subcomponent of a larger codebase, which claims to be a "byzantine fault-tolerant state machine replication system"
14:45 <@sipa> i searched for such a thing, but couldn't find anything about it
14:45 < HM> i thought it'd be possible for Alice to force Bob to compute b*aG, but if they know you're doing so and know aG they can still return b*xG where x is anything of their choosing.
14:45 <@sipa> somehow i'd be surprised that it would be possible on (unmodified) RSA and not be known
14:46 < HM> blinding only works when the blinds (or whatever you call them) are truly random
14:46 < HM> afaict
14:46 < TD> the Shoup paper from 2000 describes how to do transparent threshold RSA
14:46 < TD> so it appears to be an implementation of that
14:47 < TD> hmm
14:47 < TD> actually, the Shoup paper says that whilst the signatures have the same format, there are constraints on the keys
14:47 < TD> which would be problematic for splitting existing code-signing keys
14:47 < TD> let me see
14:56 < TD> academic code. lovely :)
14:58 < TD> i'm being a bit unfair
14:58 < TD> it seems to be fairly well documented, even though the code was clearly written by people who looked at openssl and said "what a fine API, let's copy that"
14:58 <@sipa> haha
14:59 < HM> macros! what a novel idea! there should be a paper on how to abuse these
14:59 <@sipa> HM: you know repeated application of the c preprocessor is turning comolete :p
14:59 <@sipa> turing
15:00 < TD> you know when all defined structures use single-letter variable names, you're dealing with something a bit retro
15:00 < TD> this is from 2004 though
15:00 < HM> errm, is it?
15:01 < HM> i know C++ templates are but i thought the macro language lacked the necessaries
15:02 < TD> yes
15:02 < TD> it expects to be able to generate its own keys. hmm.
15:04 < TD> annoying. android has no support for key rotation. so it means we'd have to unpublish the old app, publish the new app, notify users to switch and migrate the wallets across
15:10 < TD> hmmm
15:10 < TD> "we do however place some restrictions on the key. it must be a strong prime exceeding l"
15:10 < TD> l is the total number of shares
15:10 < TD> so if there are 5 signers, "a strong prime exceeding 5" would be satisfied by basically any key
15:11 < TD> "the modulus must be the product of two strong primes"
15:11 < TD> isn't this just a statement of requirements on a normal RSA key?
15:17 < HM> sounds like it
15:18 < HM> so this is a public key based secret sharing scheme?
15:27 < TD> HM: yes. http://www.shoup.net/papers/thsig.pdf
15:33 < TD> hmmmm
15:34 < TD> maybe there is a difference
15:34 < HM> does this scheme still require that the entity doing the final sign keep all the shares it handles confidential?
15:34 < TD> modulus = p'q' where p = 2p' + 1
15:34 < TD> same for q
15:34 < TD> HM: no.
15:34 < TD> HM: that's just doing a Shamirs secret share on the private key
15:34 < TD> this is different
15:34 < HM> right. okay
15:35 < TD> you split a key, and then to calculate signatures the private key is never needed to be recombined
15:35 < TD> oh, no, sorry
15:35 < TD> modulus = pq as normal.
15:35 <@sipa> TD: sounds like a Sophie Germain prime
15:36 < TD> m=p'q'
15:39 < TD> ok, i give up trying to understand the details of this scheme
15:40 < TD> it says at the start it is "exceedingly simple" and then takes nearly 4 pages of dense equations to describe it
15:40 <@sipa> haha, sounds academic :D
15:40 < TD> but anyway, as far as i can tell, any "normal" RSA key can be used and the signatures are normal RSA sigs
15:40 < TD> which is exactly what we need, especially on android
15:40 < TD> super
15:41 < HM> hmm the SRP protocol uses the hash of 2 publicly exchanged parameters in the arithmetic
15:41 < HM> I don't understand why
15:43 < TD> SRP?
15:45 < HM> Secure remote password protocol
15:46 < HM> it's a password based mutual authentication scheme
22:32 < nanotube> gmaxwell: i totally am. :)
23:43 < midnightmagic> ... it does exist.
--- Log closed Mon Mar 04 00:00:39 2013
--- Log opened Mon Mar 04 00:00:39 2013
00:13 <@gmaxwell> Why do people keep saying that!
00:15 < midnightmagic> I wasn't expecting it to, because you referred to it as just plain "wizards" which suggested it was off-irc.
00:16 < midnightmagic> i took a random stab and voila
00:19 <@gmaxwell> Well, it was mentioned in full in bitcoin-dev... this is where I've shunted the cryptocurrency rocket science discussion which isn't directly related to current bitcoin. (I'm concerned that excessive OT and rocket-science talk in #bitcoin-dev disenfranchises bitcoin users from keeping track of what's being done to their currency)
00:21 < nanotube> i think this channel is a good idea. :)
00:21 <@gmaxwell> there has been some pretty awesome rocket science talk in here too.
00:24 < nanotube> hehe
00:27 < midnightmagic> I recall you mentioned something about shunting it elsewhere. :)
00:27 < midnightmagic> i think it's a good idea fwiw
00:48 <@gmaxwell> It occurred to me that for the sum-hash-tree stuff that we're not constrained to any particular binary tree geometry, so we should prefer ones that result in each split having half the coins on each side. This minimizes the amount of balance information leaked.
00:49 <@gmaxwell> But we also don't want any branches becoming too long, since that would make the proofs fat.
00:49 <@gmaxwell> I think this can be used to build a suitable tree: http://en.wikipedia.org/wiki/Package-merge_algorithm
00:51 <@gmaxwell> The 'alphabet' is the accounts, the probability of the 'symbols' is balance/total. The length limit would be set to some small multiple of log2(n). The resulting huffman codewords are just the branching decisions in the binary tree.
00:52 <@gmaxwell> amusingly, I saw a nice package-merge implementation a few days ago and thought "what else could I use this for?"
01:23 <@gmaxwell> Another fun thing is that the bank's own balance can be split up any number of ways, since the bank doesn't have to worry about producing compact proofs for it... so it could be divided up to fill in any unmatched branches.
01:25 < petertodd> Although by that point, you almost might as well say the bank's balance is just whatever is in error in the sum tree.
01:28 <@gmaxwell> ::nods:: sure, just trying to maximally conceal the balance distribution. So grafting on (parts of) the bank balance anywhere in the tree that helps is useful.
01:31 < petertodd> One interesting model, would be if multiple entities held their own private keys, with the bank quickly querying them to do the actual signing, in which case the bank's balance is just a set of accounts that happen to have keys associated with them, unlike normal accounts.
01:31 < petertodd> Such entities would have to be on-line to do a trade, but they could provide liquidity basically.
01:31 < petertodd> Might be too complex to explain, but it's interesting.
01:33 <@gmaxwell> (likewise, large accounts, which already tend to have short proofs, could have their balances split in two, assuming the clients were setup to accept fragmented balance statements)
01:36 <@gmaxwell> (at the limit, you divide every account down to the base units, ... but then the proofs are rather enormous, but you leak nothing under all conditions)
01:39 < petertodd> Yeah, basically the accounts become chaum token amounts...
01:39 < petertodd> Probably simple enough to just have client support for more than one account basically.
01:40 < petertodd> The server doesn't need to know accounts are being split up.
09:35 < HM> ok i've sussed out ECDSA and vaguely key recovery in my head now
09:35 < HM> I'm really enjoying this EC stuff
09:44 < HM> If i'm understanding correctly taking r = (x of kG) mod n means there are 2 possible values of kG for some values of r
09:45 < HM> Still trying to understand how the order of the curves and cofactors and such all tie together
09:45 < HM> but i think this is because the cofactor is 1 for k1
10:06 < HM> sipa's code seems to make sense to me
10:07 <@sipa> wow, you can read that? :p
10:07 < HM> lol
10:07 < HM> despite OpenSSL's APIs yes
10:07 <@sipa> i think my implementation of hal's optimization is better openssl-interacting code :)
10:09 < HM> x of (kG) mod N has 2 suitable values on the bitcoin curve. one < n and one > n. so your code uses i to select either r or r+n
10:09 < HM> then computes kG using the curve
10:09 < HM> right?
10:09 < HM> uses 'i'
10:09 < HM>  if (!BN_copy(x, order)) { ret=-1; goto err; }
21:51 < BlueMatt> jgarzik: Im seeing lots of dos bans going out on my testnet node as well as a few on my non-listening mainnet node...
21:51 < phantomcircuit> yeah i remember there's one place where mapWallet[] is used and it doesn't check that the transaction is actually in mapWallet
21:51 < gmaxwell> BlueMatt: are they nodes that are sending you empty vins?
21:51 < BlueMatt> gmaxwell: yes
21:52 < gmaxwell> I wish we knew what caused that. Best theory right now is that there is some wallet bug.
21:52 < BlueMatt> did petertodd fix his testnet dnsseed that was apparently broken?
21:52 < BlueMatt> gmaxwell: if only there was a way to message someone based on ip...
21:53 < gmaxwell> BlueMatt: we've actually talked to some people with it, and determined at least one of the people with it had a wallet with an empty transaction in it that it was rebroadcasting.
21:53 < BlueMatt> ahh, fun
21:53 < BlueMatt> before I just restarted my node, I had two peers that were doing so (out of 8)
21:54 < BlueMatt> so it doesnt appear to be uncommon
21:59 < phantomcircuit> BlueMatt, in walletdb.cpp line ~240 the "tx" logic
21:59 < phantomcircuit> you can see that if the transaction is corrupted in any way it will be erased from mapWallet
22:00 < phantomcircuit> im guessing there is something else that fails to check that a tx is in mapWallet before accessing it
22:00 < phantomcircuit> and thus creates a default tx
22:00 < phantomcircuit> which has an empty vin
22:01 < gmaxwell> but then how does that get saved?
22:01 < BlueMatt> maybe its not?
22:01 < gmaxwell> no, I think we know it got saved (e.g. got a wallet file from someone experiencing it)
22:02 < BlueMatt> ok
22:02 < gmaxwell> though perhaps I should grep my logs to be sure.
22:02 < BlueMatt> did you get the actual wallet file, or just reports?
22:02 < phantomcircuit> gmaxwell, when the wallet was flushed all the values in mapWallet are blindly updated i think
22:03 < gmaxwell> BlueMatt: I think sipa got an actual wallet file, but I could be misremembering.
22:03 < phantomcircuit> for example wallet.cpp if(!ExtractDestination(mapWallet[txin.prevout.hash].vout[txin.prevout.n].scriptPubKey, address))
22:04 < phantomcircuit> that would add a default CTransaction if txin.prevout.hash isn't in the wallet
22:05 < BlueMatt> did anyone file an issue for this?
22:05 < phantomcircuit> BlueMatt, no idea
22:05  * BlueMatt doesnt see one, creating
22:05 < gmaxwell> phantomcircuit: hehe. I bet I added that.
22:06 < phantomcircuit> when i was looking at vtxprev i realized that a bunch of the tx records in the wallet are just the default ctor
22:06 < phantomcircuit> and all the vtxprev values are
22:06 < phantomcircuit> 10254401 (Pieter Wuille		   2012-05-14 23:44:52 +0200  603)     if (ExtractDestination(txout.scriptPubKey, address) && ::IsMine(*this, address))
22:06 < phantomcircuit> sipa, ^
22:06 < phantomcircuit> :)
22:06 < phantomcircuit> fortunately the wallet code is very robust against that type of failure
22:06 < phantomcircuit> so it's not a big deal
22:06 < gmaxwell> yea, well, we're relaying empty txn and our peers disconnect us for that.
22:07 < BlueMatt> should I pull-request a commit to fix
22:07 < BlueMatt> https://github.com/bitcoin/bitcoin/issues/3190
22:07 < gmaxwell> I still don't see how adding empty txn in map wallet should result in that.
22:07 < BlueMatt> oops
22:07 < phantomcircuit> gmaxwell, iirc the resend logic is really simple, it's just, if (tx not confirmed) {send tx}
22:08 < phantomcircuit> it doesn't try to determine whether it's a double spend or invalid or anything
22:08 < BlueMatt> the wallet relay logic specifically prevents the tx from getting verified before relay iirc
22:08 < gmaxwell> yea, we need to improve that generally, as it super highly identifies nodes.
22:08 < BlueMatt> (though somehow I remember removing that and getting it merged, but I dunno)
22:09 < gmaxwell> e.g. if someone sends you an invalid double spend, they're probably the source of the txn.
22:09 < gmaxwell> Or you mutate someone's transaction and then their node will continue to beacon the invalid duplicate forever.
22:09 < phantomcircuit> gmaxwell, or they're the recipient and are the victim
22:09 < gmaxwell> (in fact, the wallet on my laptop is currently doing that)
22:09 < phantomcircuit> either way it means the tx is in their wallet
22:10 < phantomcircuit> brb stealing candy
22:10 < gmaxwell> (because I spent some anyone can spend garbage txn and someone beat me in the race)
22:11 < BlueMatt> phantomcircuit: really? leave the kids alone
22:12 < phantomcircuit> BlueMatt, im taking it from my neighbor
22:12 < gmaxwell> hm actually I have free confirmation 0 txn in my laptop wallet.
22:12 < BlueMatt> is it just me or is 0.8.1 very popular?
22:12 < BlueMatt> is that the version before dust or so?
22:13 < gmaxwell> ah, orphan blocks. :)
22:13 < phantomcircuit> BlueMatt, it's the version which made a significant improvement in performance enough that people stopped noticing
22:13 < gmaxwell> BlueMatt: it's very popular because its what fixed the hardfork 0.8 bug.
22:13 < gmaxwell> 0.8 people moved to for performance, and 0.8.1 people moved to because zomg hardfork.
22:14 < BlueMatt> ahh, and then never upgraded beyond then
22:14 < gmaxwell> If it bothers you, you could resolve that issue with four lines of python ... :(
22:14 < gmaxwell> (it's trivial to crash pre 0.8.4)
22:14 < BlueMatt> wasnt there a security issue or two fixed
22:14 < BlueMatt> yea...thought so...
22:14 < amiller> we did our first run of the entire network connectivity mapper today
22:14 < gmaxwell> double plus if you get a negative nversion txn mined just before, then they won't come back.
22:14 < BlueMatt> you can thank me for that :)
22:14 < amiller> hopefully no one has noticed any weird or harmful transaction patterns
22:14 < phantomcircuit> gmaxwell, the hard part is actually getting a list of active nodes
22:14 < phantomcircuit> heh
22:15 < gmaxwell> amiller: someone was complaining about their node crashing earlier in #eligius, but I assume it's unrelated.
22:15 < phantomcircuit> amiller, whatcha doin
22:15 < gmaxwell> phantomcircuit: luke provides one.
22:15 < amiller> phantomcircuit, i told you a while ago about the first version of our connectivity tester, it's matured a bit since then
22:15 < phantomcircuit> ah
22:16 < phantomcircuit> hmm
22:16 < amiller> but basically we want to go through every pair of nodes we can connect to and determine whether they're connected
22:16 < amiller> (or, whether they're connected via a single other node we can't connect to)
22:16 < phantomcircuit> i'd release mine but it's got a bunch of unrelated attack code in it
22:16 < phantomcircuit> too much effort to sanitize
22:16 < gmaxwell> amiller: can you estimate the size of the network you can't connect to?
22:17 < amiller> we could if the kid who is running this did what i asked but i'm not adminning any system to do so
22:17  * BlueMatt ponders the ethics of pointing one entry in dnsseed to an amiller-scanning node so they get lots of incoming connections too
22:17 < amiller> basically that would just involve having a bunch of long standing nodes
22:17 < gmaxwell> like, we know the size of the connectable network is frighteningly low, but I have hope that the unconnectable network is reasonably large.
22:17 < gmaxwell> BlueMatt: please never do something like that.
22:17 < BlueMatt> thought so
22:17 < amiller> we've estimated it's 30k which matches what everyone says but it's not a great kind of estimate
22:17 < phantomcircuit> amiller, how can you do that beyond just counting incoming connections and extrapolating?
22:17 < amiller> phantomcircuit, yes that's all we can do
22:18 < BlueMatt> gmaxwell: well, for testnet my "dnsseed" is a static list of {my desktop}
22:18 < gmaxwell> BlueMatt: about the furthest I'd go is twiddling to get load on a node for development testing.
22:18 < amiller> the best way to do it would be with planetlab or something, start a bunch of nodes and keep them up a lot
22:18 < phantomcircuit> amiller, then it's basically 4 * 30
22:18 < phantomcircuit> thousand
22:18 < gmaxwell> oh well testnet I don't give a shit about, do whatever with that. :P
22:18 < amiller> the more nodes you have up you can infer
22:18 < phantomcircuit> oh /8
22:18 < phantomcircuit> so ~15k
22:18 < amiller> what i want to do is find the smallest cut
22:18 < BlueMatt> gmaxwell: yea, Ive never even done that, nor do I plan on it
22:18 < phantomcircuit> unless the number of connections a listening nodes gets has changed significantly
22:18 < amiller> the smallest number of public nodes needed to crash to actually partition the network
22:18 < amiller> or various other metrics i dunno
22:18 < BlueMatt> oh, no, thats a lie, I wanted to crash my node once to debug a memory issue
22:19 < BlueMatt> well, thats all Ive done
22:19 < amiller> really the point is just that the technique for probing connections is really clever
22:19 < gmaxwell> BlueMatt: yea, I recall you doing that for load, I think thats fine.
22:19  * BlueMatt offers node-crashing service for devs who need it :p
22:19 < phantomcircuit> amiller, the question is what % of the network you need to crash to partition some other % of the network
22:19 < gmaxwell> BlueMatt: esp since if you give bad dns data to bitcoinj nodes its trivial to partition them entirely. :(
22:19 < phantomcircuit> the 500ms connect() timeout should probably be increased actually
22:19 < phantomcircuit> the more i think about that the more i think 3000ms is safer
22:20 < gmaxwell> phantomcircuit: it's high for tor, but making it high has other problems.
22:20 < BlueMatt> gmaxwell: heh, yea, there was a bug the other day that the other testnet dnsseed was down and I was moving my server, so they were stuck unable to connect
22:20 < phantomcircuit> gmaxwell, yeah but im saying to make it even higher
01:20 < petertodd> encryption makes public data private data :)
01:20 < amiller> i want my random strings stored, everywhere, and i'll pay good btc for it!
01:21 < amiller> it's not porn, it's just /dev/urandom's greatest hits vols. 15-22
01:22 < amiller> so yeah, how many copies do you want and what are you willing to pay for it
01:22 < amiller> i don't know how to express that.
01:22 < petertodd> Actually, this is pretty easy: use a non-interactive proof to determine the counter-party actually possesses the data, and have them give it to you encrypted, then hand over the encryption key as part of the scriptSig to prove they can spend the reward transaction.
01:22 < gmaxwell> well, if you wait long enough your data will show up in a storage proof. :P
01:22 < amiller> right, extractability :)
01:22 < gmaxwell> like delay line memory.
01:23 < amiller> (although i might have to get the whole thing and not just a block of my choice at a time)
01:23 < amiller> so one thing i've been thinking about
01:23 < amiller> is that in the real world the way things like this are done is by involving some exclusivity
01:23 < petertodd> gmaxwell: You mean Indiana Jones style secure government warehouse memory?
01:23 < amiller> like i have a call for proposals that is announced to the public, then i anonymously select the winner
01:24 < amiller> but then the winner and i have an exclusive arrangement
01:24 < amiller> so they don't have to keep competing
01:24 < amiller> this has some advantages and some disadvantages but really several options should be possible
01:24 < amiller> anyway the part i wanted to mention, that relates to SPV security, is this
01:25 < amiller> it would probably be super expensive if i was trying to pay the whole bitcoin network to be ready to validate my custom PoR proofs
01:25 < petertodd> aside: you can use probabilistic payments with the "data hand over" protocol to pay to get data.
01:25 < amiller> petertodd, that's a good idea.
01:26 < petertodd> Makes it cheap to validate them too, amortized.
01:26 < amiller> anyway so it's hard (Without PCP) to fully check the por proof with cryptographic soundness
01:26 < amiller> what's a lot easier is to make an economic argument about work
01:26 < amiller> that if thousands of PoR's are computed
01:26 < petertodd> por==proof-of-reception?
01:26 < petertodd> or proof-of-retainment?
01:26 < amiller> proof of retrieval
01:27 < petertodd> IE, por means I prove I can retrieve some data?
01:27 < amiller> it's basically just like, select a dozen blocks at random and prove you can fetch them and hash them with something
01:27 < petertodd> Yeah, and you don't need PCP at all for that.
01:28 < petertodd> Heck, you could do it with the current scripting language I think had we not disabled the cool opcodes...
01:28 < petertodd> (oh, you'd need OP_BLOCKHASH)
01:28 < amiller> you do sort of need pcp
01:28 < petertodd> why?
01:28 < petertodd> I'm not computing anything
01:28 < amiller> it's the same thing we talked about at some previous point
01:28 < amiller> where if you want to check some sequential thing
01:28 < amiller> the way to do it efficiently is just to check a small sample
01:29 < amiller> but then there could be a small number of incorrect pieces that you wouldn't have super great chance of detecting
01:29 < amiller> PCP is basically about amplifying those errors such that the small sample catches them anyway
01:29 < petertodd> So what? Store the data in the first place with sufficient error correction.
01:30 < petertodd> Same solution, but applied in a way that's simple rather than black magic.
01:30 < amiller> i need to have a sequential proof though
01:30 < amiller> like
01:30 < amiller> at least some number like k iterations
01:31 < amiller> the reason is that in the "puzzle solving" setting, unlike the ordinary interaction setting,
01:31 < amiller> if you draw a nonce that says "go fetch block X5" and X5 happens to be a block that you are skimping out on by not storing
01:31 < amiller> you can just skip that challenge and go on to the next
01:31 < amiller> you don't have to worry about this in the client server setting because the server has to answer all the client's challenges
01:31 < petertodd> No you don't: if I sample, say, 64 totally random samples of the data I have a 50:50 chance of getting away with fraud if I fail to store roughly 1% of the data. So store the data in the first place with an error-correction-code that can handle >1% losses.
01:32 < amiller> the way around this is to make the 64 random samples *sequential*
01:32 < petertodd> That makes things worse, not better.
01:33 < amiller> no because it's pretty cheap to reroll and ask for a new choice of 64
01:33 < petertodd> If they are sequential I can fail to store more of the data by leaving out larger chunks.
01:33 < amiller> sorry not sequential like that
01:33 < amiller> i mean
01:33 < amiller> you have to do the first one
01:33 < amiller> take the hash of that data you just fetched
01:33 < amiller> use that to compute your next challenge
01:33 < amiller> and so on, 64 times
01:34 < amiller> rather than getting to look at all 64 indexes at the beginning to decide if you want to respond to this challenge or ignore it and ask for a new one
01:34 < petertodd> Ah, but who says it has to be cheap? This is a txout script, it can work by first getting the prevblockhash, using that to select the subset, and if you can provide that proof, you get to spend it. Obviously miners are most likely to be able to actually get the tx mined.
01:34 < amiller> that works just as well i guess
01:34 < petertodd> You only get one roll per block, so if you are a miner your incentive is to have the data handy to try to put the corresponding txout in your block.
01:34 < amiller> anyway, still, validating 64 chunks of data?
01:35 < amiller> that might not be too expensive
01:35 < petertodd> It's a trade-off between # of txouts you use to pay people vs. txout size vs. chance your data won't actually get stored.
01:36 < amiller> right
01:36 < petertodd> 64 is very conservative, even just proving one is probably fine
01:36 < amiller> but, this is my new thought for tonight....
01:36 < amiller> SPV suggests an additional way
01:36 < amiller> maybe not everyone has to validate the whole secure PoR
01:36 < petertodd> Although also, multiple proofs in one tx can be more space efficient as the merkle paths share state
01:36 < amiller> for disbursing payment
01:36 < amiller> it may just be enough that you have to do the same amount of work
01:36 < amiller> with a moderate chance of failure
01:37 < petertodd> (merkleized ASTs would be ideal for this you know...)
01:37 < petertodd> yeah, plenty of trade-offs
01:38 < petertodd> the interesting thing is so how many ops do we need to enable/add to make this happen? I'm pretty sure it's just the string manipulation stuff + op_prevblockhash + op_blockheight
01:38 < amiller> good question
01:39 < amiller> (i still don't like the one-try-per-block idea as much as having it be self-selected, but let's assume either case for the sake of this question)
01:40 < amiller> i could do almost the whole thing with just string manipulation and a hash
01:40 < amiller> blockheight or cumulative difficulty probably is important yeah
01:40 < petertodd> yeah, you need that PRNG
01:40 < amiller> especially if there's like a time quality to this
01:42 < petertodd> yeah, and that time quality is really useful
01:42 < amiller> so suppose i wanted to use this
01:42 < petertodd> like, I might want to spend a few years in a cave, and come back and still have my data
01:42 < amiller> yeah
01:42 < amiller> so suppose you preallocate the funds for it
01:42 < amiller> and determine how fast they get spent
01:42 < amiller> it's like setting the puzzle difficulty
01:42 < amiller> do i have a jackpot that rolls over or something
01:43 < petertodd> the txouts act like jackpots kinda, and with op_blockheight they're jackpots that unlock
01:43 < petertodd> so make them frequent enough that the future value isn't discounted too much
01:45 < amiller> so how do people decide to participate in this
01:45 < amiller> it's extra work
01:45 < amiller> and it's potentially competitive
01:45 < petertodd> indeed
01:45 < petertodd> well, write good software so it's turnkey :)
01:45 < amiller> i am willing to assume things like that perhaps people have intelligent mining clients that know about many currencies and opportunities and basically select some portfolio of the best work to engage in
01:46 < petertodd> yeah
01:46 < petertodd> if it's automatic the bar can be relatively low
01:46 < amiller> but what makes a puzzle competitive
01:46 < amiller> or a good deal
01:46 < amiller> i'm starting to think that being able to win some form of exclusivity might be important
01:46 < petertodd> NO
01:46 < amiller> no?
01:47 < petertodd> you want the competition, so that if any given player drops out, there will be backups
01:47 < amiller> yeah
01:47 < petertodd> point is, make the software easy enough that people run it even when the return isn't very high
01:47 < petertodd> the logic should be "Hey! I can make money with this spare harddrive space!"
01:47 < amiller> that's true but not good enough for my standards
01:48 < amiller> because if that's successful then my competition will be other people who are vying for the same storage space!
01:48 < petertodd> it's a decentralized system, you're not going to get better with software
01:48 < petertodd> yes
01:48 < petertodd> whomever can provide the space the cheapest
01:48 < amiller> no i mean
01:48 < amiller> competition among other puzzle-contract-creators
01:48 < amiller> other people trying to purchase storage
01:48 < amiller> how do i make my tx-contract the most attractive deal
01:49 < petertodd> no, this isn't a zero-sum-game
01:49 < amiller> obviously i can pay more money
01:49 < amiller> that sweetens the deal
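The sampling arithmetic and the chained-challenge idea from the exchange above, worked through as an added example; this is not code from the chat, from either participant, or from any project. It assumes a toy file of 200 constructed 32-byte chunks, a flat list of chunk hashes as the verifier's commitment (a Merkle root is the compact form the chat has in mind), and a constructed stand-in for the previous block hash as the per-block seed. It shows the seed-only challenge list (where a prover that dropped chunks can inspect every index before deciding to answer), the chained variant (where index i+1 is derived from the content of chunk i, so the chain dead-ends on a missing chunk), the closed-form fraud probability behind the "64 samples, 1% missing, about 50:50" remark, the number of samples needed for a target fraud bound, and a one-roll-per-block simulation of a cheating prover.

```python
import hashlib
import math

# Constructed sample data (not from the original page): 200 chunks of 32 bytes.
N_CHUNKS = 200
CHUNK_SIZE = 32
DATA = b"".join(hashlib.sha256(b"chunk-%d" % i).digest() for i in range(N_CHUNKS))


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def split_chunks(data: bytes, size: int = CHUNK_SIZE) -> list:
    """Split the stored file into fixed-size chunks that challenges index into."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def commit(chunks: list) -> list:
    """Verifier-side commitment: the hash of every chunk. (A Merkle root would be
    the compact form; a flat hash list keeps the example short.)"""
    return [sha256(c) for c in chunks]


def index_from(state: bytes, n_chunks: int) -> int:
    """Derive a chunk index from a hash state; the 256-bit value makes the mod bias negligible."""
    return int.from_bytes(sha256(state), "big") % n_chunks


def independent_challenges(seed: bytes, n_chunks: int, k: int) -> list:
    """Seed-only challenge list: all k indices follow from the seed alone, so a prover
    that dropped chunks can inspect the whole list and reroll when one index is missing."""
    return [index_from(seed + i.to_bytes(4, "big"), n_chunks) for i in range(k)]


def chained_prove(seed: bytes, chunks: list, k: int):
    """Chained challenges: index i+1 depends on the content of chunk i, so the prover
    only learns the next index by producing the current chunk. A `None` entry models
    a chunk the prover chose not to store; the chain then dead-ends and returns None."""
    state, responses = seed, []
    for _ in range(k):
        idx = index_from(state, len(chunks))
        chunk = chunks[idx]
        if chunk is None:
            return None
        responses.append(chunk)
        state = sha256(state + chunk)
    return responses


def chained_verify(seed: bytes, responses, commitment: list, k: int) -> bool:
    """Replay the chain from the seed and check each response against the commitment."""
    if responses is None or len(responses) != k:
        return False
    state = seed
    for chunk in responses:
        idx = index_from(state, len(commitment))
        if sha256(chunk) != commitment[idx]:
            return False
        state = sha256(state + chunk)
    return True


def fraud_success_probability(missing_fraction: float, k: int) -> float:
    """Chance that k independent uniform samples all miss the dropped fraction: (1 - p)^k."""
    return (1.0 - missing_fraction) ** k


def samples_for_confidence(missing_fraction: float, max_fraud_probability: float) -> int:
    """Smallest k with (1 - p)^k <= max_fraud_probability."""
    return math.ceil(math.log(max_fraud_probability) / math.log(1.0 - missing_fraction))


def simulate_cheater(missing_fraction: float, k: int, trials: int) -> float:
    """Empirical success rate of a prover that dropped `missing_fraction` of the chunks
    and gets exactly one fresh seed per trial (the one-roll-per-block model)."""
    chunks = split_chunks(DATA)
    n_drop = max(1, round(missing_fraction * len(chunks)))
    cheating = list(chunks)
    for i in range(n_drop):
        cheating[i * (len(chunks) // n_drop)] = None
    wins = sum(chained_prove(sha256(b"block-%d" % t), cheating, k) is not None
               for t in range(trials))
    return wins / trials


if __name__ == "__main__":
    chunks = split_chunks(DATA)
    seed = sha256(b"prevblockhash-stand-in")  # constructed; a real script would use the prior block hash
    proof = chained_prove(seed, chunks, 64)
    print("honest proof verifies:", chained_verify(seed, proof, commit(chunks), 64))
    print("P(fraud) with 1% missing, 64 samples:", round(fraud_success_probability(0.01, 64), 4))
    print("samples for P(fraud) <= 1%:", samples_for_confidence(0.01, 0.01))
    print("simulated cheater success:", simulate_cheater(0.01, 64, 1000))
```

With 1% of the chunks missing, 64 samples leave roughly a 0.53 chance that the cheater answers every challenge, which is the 50:50 figure in the exchange; pushing that below 1% takes about 459 samples, which is why the discussion turns to error-correction coding of the stored data and to limiting rerolls rather than to larger sample counts.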
Mined by f2poolhaobtc
Mined by AntPool usa1
ASCRIBESPOOLREGISTER
ASCRIBESPOOLREPLENISH
ASCRIBESPOOLTRANSFER
Mined by AntPool bj7
u=https://cpr.sm/6zQ2jznCJk
BTCChina Pool | maicoin.com
 Mined by AntPool usa1
ASCRIBESPOOLREGISTER
Mined by zhengyangww
Mined by AntPool sc182
Mined by AntPool bj7
Mined by AntPool sz0
Mined by AntPool usa1
u=http%3A%2F%2Fbit.ly%2F1drFy5R
u=http%3A%2F%2Fbit.ly%2F1QmE9zu
u=http%3A%2F%2Fbit.ly%2F1QcNaes&sha256=bb2937664e5da32422408dd50956d16a35555d6527909e5e93375136f8e8466e
Mined by AntPool usa1
ASCRIBESPOOLREGISTER
Mined by AntPool sz0
Mined by nanjinghaowei
Mined by AntPool usa1
Mined by digcoinwgs3
Mined by AntPool bj6
u=https://cpr.sm/hVrS39_PeQ
Mined by AntPool bj5
Mined by AntPool bj7
Mined by florinstefan
Mined by AntPool usa1
The Times 03/Jan/2009 Chancellor on...
Mined by AntPool sc0
u=https://cpr.sm/bcB7xI9Dt38
Mined by AntPool usa1
Mined at GIVE-ME-COINS.com
Mined by AntPool bj7
Mined by f2poolhaobtc
Mined by AntPool bj7
Mined by digcoinwgs3
Mined by zhangzanwen
Mined by metabank0050
Mined by btc379057757
Mined by AntPool bj5
2BTCChina Pool | AARON 4 SARAH, NOTTINGHAM, ENGLAND
blk02448.txt blk02449.txt blk02450.txt blk02451.txt blk02452.txt blk02453.txt blk02454.txt blk02455.txt blk02456.txt blk02457.txt blk02458.txt blk02459.txt blk02460.txt blk02461.txt blk02462.txt blk02463.txt blk02464.txt blk02465.txt blk02466.txt blk02467.txt blk02468.txt blk02469.txt blk02470.txt blk02471.txt blk02472.txt blk02473.txt blk02474.txt blk02475.txt blk02476.txt blk02477.txt blk02478.txt blk02479.txt blk02480.txt blk02481.txt blk02482.txt blk02483.txt blk02484.txt blk02485.txt blk02486.txt blk02487.txt blk02488.txt blk02489.txt blk02490.txt blk02491.txt blk02492.txt blk02493.txt blk02494.txt blk02495.txt blk02496.txt blk02497.txt blk02498.txt blk02499.txt blk02500.txt blk02501.txt blk02502.txt blk02503.txt blk02504.txt blk02505.txt blk02506.txt blk02507.txt blk02508.txt blk02509.txt blk02510.txt blk02511.txt blk02512.txt blk02513.txt blk02514.txt blk02515.txt blk02516.txt blk02517.txt blk02518.txt blk02519.txt blk02520.txt blk02521.txt blk02522.txt blk02523.txt blk02524.txt blk02525.txt blk02526.txt blk02527.txt blk02528.txt blk02529.txt blk02530.txt blk02531.txt blk02532.txt blk02533.txt blk02534.txt blk02535.txt blk02536.txt blk02537.txt blk02538.txt blk02539.txt blk02540.txt blk02541.txt blk02542.txt blk02543.txt blk02544.txt blk02545.txt blk02546.txt blk02547.txt blk02548.txt blk02549.txt blk02550.txt blk02551.txt blk02552.txt blk02553.txt blk02554.txt blk02555.txt blk02556.txt blk02557.txt blk02558.txt blk02559.txt blk02560.txt blk02561.txt blk02562.txt blk02563.txt blk02564.txt blk02565.txt blk02566.txt blk02567.txt blk02568.txt blk02569.txt blk02570.txt blk02571.txt blk02572.txt blk02573.txt blk02574.txt blk02575.txt blk02576.txt blk02577.txt blk02578.txt blk02579.txt blk02580.txt blk02581.txt blk02582.txt blk02583.txt blk02584.txt blk02585.txt blk02586.txt blk02587.txt blk02588.txt blk02589.txt blk02590.txt blk02591.txt blk02592.txt blk02593.txt blk02594.txt blk02595.txt blk02596.txt blk02597.txt blk02598.txt blk02599.txt blk02600.txt 
blk02601.txt blk02602.txt blk02603.txt blk02604.txt blk02605.txt blk02606.txt blk02607.txt blk02608.txt blk02609.txt blk02610.txt blk02611.txt blk02612.txt blk02613.txt blk02614.txt blk02615.txt blk02616.txt blk02617.txt blk02618.txt blk02619.txt blk02620.txt blk02621.txt blk02622.txt blk02623.txt blk02624.txt blk02625.txt blk02626.txt blk02627.txt blk02628.txt blk02629.txt blk02630.txt blk02631.txt blk02632.txt blk02633.txt blk02634.txt blk02635.txt blk02636.txt blk02637.txt blk02638.txt blk02639.txt blk02640.txt blk02641.txt blk02642.txt blk02643.txt blk02644.txt blk02645.txt blk02646.txt blk02647.txt blk02648.txt blk02649.txt blk02650.txt blk02651.txt blk02652.txt blk02653.txt blk02654.txt blk02655.txt blk02656.txt blk02657.txt blk02658.txt blk02659.txt blk02660.txt blk02661.txt blk02662.txt blk02663.txt blk02664.txt blk02665.txt blk02666.txt blk02667.txt blk02668.txt blk02669.txt blk02670.txt blk02671.txt blk02672.txt blk02673.txt blk02674.txt blk02675.txt blk02676.txt blk02677.txt blk02678.txt blk02679.txt blk02680.txt blk02681.txt blk02682.txt blk02683.txt blk02684.txt blk02685.txt blk02686.txt blk02687.txt blk02688.txt blk02689.txt blk02690.txt blk02691.txt blk02692.txt blk02693.txt blk02694.txt blk02695.txt blk02696.txt blk02697.txt blk02698.txt blk02699.txt blk02700.txt blk02701.txt blk02702.txt blk02703.txt blk02704.txt blk02705.txt blk02706.txt blk02707.txt blk02708.txt blk02709.txt blk02710.txt blk02711.txt blk02712.txt blk02713.txt blk02714.txt blk02715.txt blk02716.txt blk02717.txt blk02718.txt blk02719.txt blk02720.txt blk02721.txt blk02722.txt blk02723.txt blk02724.txt blk02725.txt blk02726.txt blk02727.txt blk02728.txt blk02729.txt blk02730.txt blk02731.txt blk02732.txt blk02733.txt blk02734.txt blk02735.txt blk02736.txt blk02737.txt blk02738.txt blk02739.txt blk02740.txt blk02741.txt blk02742.txt blk02743.txt blk02744.txt blk02745.txt blk02746.txt blk02747.txt blk02748.txt blk02749.txt blk02750.txt blk02751.txt blk02752.txt blk02753.txt 
blk02754.txt blk02755.txt blk02756.txt blk02757.txt blk02758.txt blk02759.txt blk02760.txt blk02761.txt blk02762.txt blk02763.txt blk02764.txt blk02765.txt blk02766.txt blk02767.txt blk02768.txt blk02769.txt blk02770.txt blk02771.txt blk02772.txt blk02773.txt blk02774.txt blk02775.txt blk02776.txt blk02777.txt blk02778.txt blk02779.txt blk02780.txt blk02781.txt blk02782.txt blk02783.txt blk02784.txt blk02785.txt blk02786.txt blk02787.txt blk02788.txt blk02789.txt blk02790.txt blk02791.txt blk02792.txt blk02793.txt blk02794.txt blk02795.txt blk02796.txt blk02797.txt blk02798.txt blk02799.txt blk02800.txt blk02801.txt blk02802.txt blk02803.txt blk02804.txt blk02805.txt blk02806.txt blk02807.txt blk02808.txt blk02809.txt blk02810.txt blk02811.txt blk02812.txt blk02813.txt blk02814.txt blk02815.txt blk02816.txt blk02817.txt blk02818.txt blk02819.txt blk02820.txt blk02821.txt blk02822.txt blk02823.txt blk02824.txt blk02825.txt blk02826.txt blk02827.txt blk02828.txt blk02829.txt blk02830.txt blk02831.txt blk02832.txt blk02833.txt blk02834.txt blk02835.txt blk02836.txt blk02837.txt blk02838.txt blk02839.txt blk02840.txt blk02841.txt blk02842.txt blk02843.txt blk02844.txt blk02845.txt blk02846.txt blk02847.txt blk02848.txt blk02849.txt blk02850.txt blk02851.txt blk02852.txt blk02853.txt blk02854.txt blk02855.txt blk02856.txt blk02857.txt blk02858.txt blk02859.txt blk02860.txt blk02861.txt blk02862.txt blk02863.txt blk02864.txt blk02865.txt blk02866.txt blk02867.txt blk02868.txt blk02869.txt blk02870.txt blk02871.txt blk02872.txt blk02873.txt blk02874.txt blk02875.txt blk02876.txt blk02877.txt blk02878.txt blk02879.txt blk02880.txt blk02881.txt blk02882.txt blk02883.txt blk02884.txt blk02885.txt blk02886.txt blk02887.txt blk02888.txt blk02889.txt blk02890.txt blk02891.txt blk02892.txt blk02893.txt blk02894.txt blk02895.txt blk02896.txt blk02897.txt blk02898.txt blk02899.txt blk02900.txt blk02901.txt blk02902.txt blk02903.txt blk02904.txt blk02905.txt blk02906.txt 
blk02907.txt blk02908.txt blk02909.txt blk02910.txt blk02911.txt blk02912.txt blk02913.txt blk02914.txt blk02915.txt blk02916.txt blk02917.txt blk02918.txt blk02919.txt blk02920.txt blk02921.txt blk02922.txt blk02923.txt blk02924.txt blk02925.txt blk02926.txt blk02927.txt blk02928.txt blk02929.txt blk02930.txt blk02931.txt blk02932.txt blk02933.txt blk02934.txt blk02935.txt blk02936.txt blk02937.txt blk02938.txt blk02939.txt blk02940.txt blk02941.txt blk02942.txt blk02943.txt blk02944.txt blk02945.txt blk02946.txt blk02947.txt blk02948.txt blk02949.txt blk02950.txt blk02951.txt blk02952.txt blk02953.txt blk02954.txt blk02955.txt blk02956.txt blk02957.txt blk02958.txt blk02959.txt blk02960.txt blk02961.txt blk02962.txt blk02963.txt blk02964.txt blk02965.txt blk02966.txt blk02967.txt blk02968.txt blk02969.txt blk02970.txt blk02971.txt blk02972.txt blk02973.txt blk02974.txt blk02975.txt blk02976.txt blk02977.txt blk02978.txt blk02979.txt blk02980.txt blk02981.txt blk02982.txt blk02983.txt blk02984.txt blk02985.txt blk02986.txt blk02987.txt blk02988.txt blk02989.txt blk02990.txt blk02991.txt blk02992.txt blk02993.txt blk02994.txt blk02995.txt blk02996.txt blk02997.txt blk02998.txt blk02999.txt blk03000.txt blk03001.txt blk03002.txt blk03003.txt blk03004.txt blk03005.txt blk03006.txt blk03007.txt blk03008.txt blk03009.txt blk03010.txt blk03011.txt blk03012.txt blk03013.txt blk03014.txt blk03015.txt blk03016.txt blk03017.txt blk03018.txt blk03019.txt blk03020.txt blk03021.txt blk03022.txt blk03023.txt blk03024.txt blk03025.txt blk03026.txt blk03027.txt blk03028.txt blk03029.txt blk03030.txt blk03031.txt blk03032.txt blk03033.txt blk03034.txt blk03035.txt blk03036.txt blk03037.txt blk03038.txt blk03039.txt blk03040.txt blk03041.txt blk03042.txt blk03043.txt blk03044.txt blk03045.txt blk03046.txt blk03047.txt blk03048.txt blk03049.txt blk03050.txt blk03051.txt blk03052.txt blk03053.txt blk03054.txt blk03055.txt blk03056.txt blk03057.txt blk03058.txt blk03059.txt 
blk03060.txt blk03061.txt blk03062.txt blk03063.txt blk03064.txt blk03065.txt blk03066.txt blk03067.txt blk03068.txt blk03069.txt blk03070.txt blk03071.txt blk03072.txt blk03073.txt blk03074.txt blk03075.txt blk03076.txt blk03077.txt blk03078.txt blk03079.txt blk03080.txt blk03081.txt blk03082.txt blk03083.txt blk03084.txt blk03085.txt blk03086.txt blk03087.txt blk03088.txt blk03089.txt blk03090.txt blk03091.txt blk03092.txt blk03093.txt blk03094.txt blk03095.txt blk03096.txt blk03097.txt blk03098.txt blk03099.txt blk03100.txt blk03101.txt blk03102.txt blk03103.txt blk03104.txt blk03105.txt blk03106.txt blk03107.txt blk03108.txt blk03109.txt blk03110.txt blk03111.txt blk03112.txt blk03113.txt blk03114.txt blk03115.txt blk03116.txt blk03117.txt blk03118.txt blk03119.txt blk03120.txt blk03121.txt blk03122.txt blk03123.txt blk03124.txt blk03125.txt blk03126.txt blk03127.txt blk03128.txt blk03129.txt blk03130.txt blk03131.txt blk03132.txt blk03133.txt blk03134.txt blk03135.txt blk03136.txt blk03137.txt blk03138.txt blk03139.txt blk03140.txt blk03141.txt blk03142.txt blk03143.txt blk03144.txt blk03145.txt blk03146.txt blk03147.txt blk03148.txt blk03149.txt blk03150.txt blk03151.txt blk03152.txt blk03153.txt blk03154.txt blk03155.txt blk03156.txt blk03157.txt blk03158.txt blk03159.txt blk03160.txt blk03161.txt blk03162.txt blk03163.txt blk03164.txt blk03165.txt blk03166.txt blk03167.txt blk03168.txt blk03169.txt blk03170.txt blk03171.txt blk03172.txt blk03173.txt blk03174.txt blk03175.txt blk03176.txt blk03177.txt blk03178.txt blk03179.txt blk03180.txt blk03181.txt blk03182.txt blk03183.txt blk03184.txt blk03185.txt blk03186.txt blk03187.txt blk03188.txt blk03189.txt blk03190.txt blk03191.txt blk03192.txt blk03193.txt blk03194.txt blk03195.txt blk03196.txt blk03197.txt blk03198.txt blk03199.txt blk03200.txt blk03201.txt blk03202.txt blk03203.txt blk03204.txt blk03205.txt blk03206.txt blk03207.txt blk03208.txt blk03209.txt blk03210.txt blk03211.txt blk03212.txt 
blk03213.txt blk03214.txt blk03215.txt blk03216.txt blk03217.txt blk03218.txt blk03219.txt blk03220.txt blk03221.txt blk03222.txt blk03223.txt blk03224.txt blk03225.txt blk03226.txt blk03227.txt blk03228.txt blk03229.txt blk03230.txt blk03231.txt blk03232.txt blk03233.txt blk03234.txt blk03235.txt blk03236.txt blk03237.txt blk03238.txt blk03239.txt blk03240.txt blk03241.txt blk03242.txt blk03243.txt blk03244.txt blk03245.txt blk03246.txt blk03247.txt blk03248.txt blk03249.txt blk03250.txt blk03251.txt blk03252.txt blk03253.txt blk03254.txt blk03255.txt blk03256.txt blk03257.txt blk03258.txt blk03259.txt blk03260.txt blk03261.txt blk03262.txt blk03263.txt blk03264.txt blk03265.txt blk03266.txt blk03267.txt blk03268.txt blk03269.txt blk03270.txt blk03271.txt blk03272.txt blk03273.txt blk03274.txt blk03275.txt blk03276.txt blk03277.txt blk03278.txt blk03279.txt blk03280.txt blk03281.txt blk03282.txt blk03283.txt blk03284.txt blk03285.txt blk03286.txt blk03287.txt blk03288.txt blk03289.txt blk03290.txt blk03291.txt blk03292.txt blk03293.txt blk03294.txt blk03295.txt blk03296.txt blk03297.txt blk03298.txt blk03299.txt blk03300.txt blk03301.txt blk03302.txt blk03303.txt blk03304.txt blk03305.txt blk03306.txt blk03307.txt blk03308.txt blk03309.txt blk03310.txt blk03311.txt blk03312.txt blk03313.txt blk03314.txt blk03315.txt blk03316.txt blk03317.txt blk03318.txt blk03319.txt blk03320.txt blk03321.txt blk03322.txt blk03323.txt blk03324.txt blk03325.txt blk03326.txt blk03327.txt blk03328.txt blk03329.txt blk03330.txt blk03331.txt blk03332.txt blk03333.txt blk03334.txt blk03335.txt blk03336.txt blk03337.txt blk03338.txt blk03339.txt blk03340.txt blk03341.txt blk03342.txt blk03343.txt blk03344.txt blk03345.txt blk03346.txt blk03347.txt blk03348.txt blk03349.txt blk03350.txt blk03351.txt blk03352.txt blk03353.txt blk03354.txt blk03355.txt blk03356.txt blk03357.txt blk03358.txt blk03359.txt blk03360.txt blk03361.txt blk03362.txt blk03363.txt blk03364.txt blk03365.txt 
blk03366.txt blk03367.txt blk03368.txt blk03369.txt blk03370.txt blk03371.txt blk03372.txt blk03373.txt blk03374.txt blk03375.txt blk03376.txt blk03377.txt blk03378.txt blk03379.txt blk03380.txt blk03381.txt blk03382.txt blk03383.txt blk03384.txt blk03385.txt blk03386.txt blk03387.txt blk03388.txt blk03389.txt blk03390.txt blk03391.txt blk03392.txt blk03393.txt blk03394.txt blk03395.txt blk03396.txt blk03397.txt blk03398.txt blk03399.txt blk03400.txt blk03401.txt blk03402.txt blk03403.txt blk03404.txt blk03405.txt blk03406.txt blk03407.txt blk03408.txt blk03409.txt blk03410.txt blk03411.txt blk03412.txt blk03413.txt blk03414.txt blk03415.txt blk03416.txt blk03417.txt blk03418.txt blk03419.txt blk03420.txt blk03421.txt blk03422.txt blk03423.txt blk03424.txt blk03425.txt blk03426.txt blk03427.txt blk03428.txt blk03429.txt blk03430.txt blk03431.txt blk03432.txt blk03433.txt blk03434.txt blk03435.txt blk03436.txt blk03437.txt blk03438.txt blk03439.txt blk03440.txt blk03441.txt blk03442.txt blk03443.txt blk03444.txt blk03445.txt blk03446.txt blk03447.txt blk03448.txt blk03449.txt blk03450.txt blk03451.txt blk03452.txt blk03453.txt blk03454.txt blk03455.txt blk03456.txt blk03457.txt blk03458.txt blk03459.txt blk03460.txt blk03461.txt blk03462.txt blk03463.txt blk03464.txt blk03465.txt blk03466.txt blk03467.txt blk03468.txt blk03469.txt blk03470.txt blk03471.txt blk03472.txt blk03473.txt blk03474.txt blk03475.txt blk03476.txt blk03477.txt blk03478.txt blk03479.txt blk03480.txt blk03481.txt blk03482.txt blk03483.txt blk03484.txt blk03485.txt blk03486.txt blk03487.txt blk03488.txt blk03489.txt blk03490.txt blk03491.txt blk03492.txt blk03493.txt blk03494.txt blk03495.txt blk03496.txt blk03497.txt blk03498.txt blk03499.txt blk03500.txt blk03501.txt blk03502.txt blk03503.txt blk03504.txt blk03505.txt blk03506.txt blk03507.txt blk03508.txt blk03509.txt blk03510.txt blk03511.txt blk03512.txt blk03513.txt blk03514.txt blk03515.txt blk03516.txt blk03517.txt blk03518.txt 
blk03519.txt blk03520.txt blk03521.txt blk03522.txt blk03523.txt blk03524.txt blk03525.txt blk03526.txt blk03527.txt blk03528.txt blk03529.txt blk03530.txt blk03531.txt blk03532.txt blk03533.txt blk03534.txt blk03535.txt blk03536.txt blk03537.txt blk03538.txt blk03539.txt blk03540.txt blk03541.txt blk03542.txt blk03543.txt blk03544.txt blk03545.txt blk03546.txt blk03547.txt blk03548.txt blk03549.txt blk03550.txt blk03551.txt blk03552.txt blk03553.txt blk03554.txt blk03555.txt blk03556.txt blk03557.txt blk03558.txt blk03559.txt blk03560.txt blk03561.txt blk03562.txt blk03563.txt blk03564.txt blk03565.txt blk03566.txt blk03567.txt blk03568.txt blk03569.txt blk03570.txt blk03571.txt blk03572.txt blk03573.txt blk03574.txt blk03575.txt blk03576.txt blk03577.txt blk03578.txt blk03579.txt blk03580.txt blk03581.txt blk03582.txt blk03583.txt blk03584.txt blk03585.txt blk03586.txt blk03587.txt blk03588.txt blk03589.txt blk03590.txt blk03591.txt blk03592.txt blk03593.txt blk03594.txt blk03595.txt blk03596.txt blk03597.txt blk03598.txt blk03599.txt blk03600.txt blk03601.txt blk03602.txt blk03603.txt blk03604.txt blk03605.txt blk03606.txt blk03607.txt blk03608.txt blk03609.txt blk03610.txt blk03611.txt blk03612.txt blk03613.txt blk03614.txt blk03615.txt blk03616.txt blk03617.txt blk03618.txt blk03619.txt blk03620.txt blk03621.txt blk03622.txt blk03623.txt blk03624.txt blk03625.txt blk03626.txt blk03627.txt blk03628.txt blk03629.txt blk03630.txt blk03631.txt blk03632.txt blk03633.txt blk03634.txt blk03635.txt blk03636.txt blk03637.txt blk03638.txt blk03639.txt blk03640.txt blk03641.txt blk03642.txt blk03643.txt blk03644.txt blk03645.txt blk03646.txt blk03647.txt blk03648.txt blk03649.txt blk03650.txt blk03651.txt blk03652.txt blk03653.txt blk03654.txt blk03655.txt blk03656.txt blk03657.txt blk03658.txt blk03659.txt blk03660.txt blk03661.txt blk03662.txt blk03663.txt blk03664.txt blk03665.txt blk03666.txt blk03667.txt blk03668.txt blk03669.txt blk03670.txt blk03671.txt 
blk03672.txt blk03673.txt blk03674.txt blk03675.txt blk03676.txt blk03677.txt blk03678.txt blk03679.txt blk03680.txt blk03681.txt blk03682.txt blk03683.txt blk03684.txt blk03685.txt blk03686.txt blk03687.txt blk03688.txt blk03689.txt blk03690.txt blk03691.txt blk03692.txt blk03693.txt blk03694.txt blk03695.txt blk03696.txt blk03697.txt blk03698.txt blk03699.txt blk03700.txt blk03701.txt blk03702.txt blk03703.txt blk03704.txt blk03705.txt blk03706.txt blk03707.txt blk03708.txt blk03709.txt blk03710.txt blk03711.txt blk03712.txt blk03713.txt blk03714.txt blk03715.txt blk03716.txt blk03717.txt blk03718.txt blk03719.txt blk03720.txt blk03721.txt blk03722.txt blk03723.txt blk03724.txt blk03725.txt blk03726.txt blk03727.txt blk03728.txt blk03729.txt blk03730.txt blk03731.txt blk03732.txt blk03733.txt blk03734.txt blk03735.txt blk03736.txt blk03737.txt blk03738.txt blk03739.txt blk03740.txt blk03741.txt blk03742.txt blk03743.txt blk03744.txt blk03745.txt blk03746.txt blk03747.txt blk03748.txt blk03749.txt blk03750.txt blk03751.txt blk03752.txt blk03753.txt blk03754.txt blk03755.txt blk03756.txt blk03757.txt blk03758.txt blk03759.txt blk03760.txt blk03761.txt blk03762.txt blk03763.txt blk03764.txt blk03765.txt blk03766.txt blk03767.txt blk03768.txt blk03769.txt blk03770.txt blk03771.txt blk03772.txt blk03773.txt blk03774.txt blk03775.txt blk03776.txt blk03777.txt blk03778.txt blk03779.txt blk03780.txt blk03781.txt blk03782.txt blk03783.txt blk03784.txt blk03785.txt blk03786.txt blk03787.txt blk03788.txt blk03789.txt blk03790.txt blk03791.txt blk03792.txt blk03793.txt blk03794.txt blk03795.txt blk03796.txt blk03797.txt blk03798.txt blk03799.txt blk03800.txt blk03801.txt blk03802.txt blk03803.txt blk03804.txt blk03805.txt blk03806.txt blk03807.txt blk03808.txt blk03809.txt blk03810.txt blk03811.txt blk03812.txt blk03813.txt blk03814.txt blk03815.txt blk03816.txt blk03817.txt blk03818.txt blk03819.txt blk03820.txt blk03821.txt blk03822.txt blk03823.txt blk03824.txt 
blk03825.txt blk03826.txt blk03827.txt blk03828.txt blk03829.txt blk03830.txt blk03831.txt blk03832.txt blk03833.txt blk03834.txt blk03835.txt blk03836.txt blk03837.txt blk03838.txt blk03839.txt blk03840.txt blk03841.txt blk03842.txt blk03843.txt blk03844.txt blk03845.txt blk03846.txt blk03847.txt blk03848.txt blk03849.txt blk03850.txt blk03851.txt blk03852.txt blk03853.txt blk03854.txt blk03855.txt blk03856.txt blk03857.txt blk03858.txt blk03859.txt blk03860.txt blk03861.txt blk03862.txt blk03863.txt blk03864.txt blk03865.txt blk03866.txt blk03867.txt blk03868.txt blk03869.txt blk03870.txt blk03871.txt blk03872.txt blk03873.txt blk03874.txt blk03875.txt blk03876.txt blk03877.txt blk03878.txt blk03879.txt blk03880.txt blk03881.txt blk03882.txt blk03883.txt blk03884.txt blk03885.txt blk03886.txt blk03887.txt blk03888.txt blk03889.txt blk03890.txt blk03891.txt blk03892.txt blk03893.txt blk03894.txt blk03895.txt blk03896.txt blk03897.txt blk03898.txt blk03899.txt blk03900.txt blk03901.txt blk03902.txt blk03903.txt blk03904.txt blk03905.txt blk03906.txt blk03907.txt blk03908.txt blk03909.txt blk03910.txt blk03911.txt blk03912.txt blk03913.txt blk03914.txt blk03915.txt blk03916.txt blk03917.txt blk03918.txt blk03919.txt blk03920.txt blk03921.txt blk03922.txt blk03923.txt blk03924.txt blk03925.txt blk03926.txt blk03927.txt blk03928.txt blk03929.txt blk03930.txt blk03931.txt blk03932.txt blk03933.txt blk03934.txt blk03935.txt blk03936.txt blk03937.txt blk03938.txt blk03939.txt blk03940.txt blk03941.txt blk03942.txt blk03943.txt blk03944.txt blk03945.txt blk03946.txt blk03947.txt blk03948.txt blk03949.txt blk03950.txt blk03951.txt blk03952.txt blk03953.txt blk03954.txt blk03955.txt blk03956.txt blk03957.txt blk03958.txt blk03959.txt blk03960.txt blk03961.txt blk03962.txt blk03963.txt blk03964.txt blk03965.txt blk03966.txt blk03967.txt blk03968.txt blk03969.txt blk03970.txt blk03971.txt blk03972.txt blk03973.txt blk03974.txt blk03975.txt blk03976.txt blk03977.txt 
blk03978.txt blk03979.txt blk03980.txt blk03981.txt blk03982.txt blk03983.txt blk03984.txt blk03985.txt blk03986.txt blk03987.txt blk03988.txt blk03989.txt blk03990.txt blk03991.txt blk03992.txt blk03993.txt blk03994.txt blk03995.txt blk03996.txt blk03997.txt blk03998.txt blk03999.txt blk04000.txt blk04001.txt blk04002.txt blk04003.txt blk04004.txt blk04005.txt blk04006.txt blk04007.txt blk04008.txt blk04009.txt blk04010.txt blk04011.txt blk04012.txt blk04013.txt blk04014.txt blk04015.txt blk04016.txt blk04017.txt blk04018.txt blk04019.txt blk04020.txt blk04021.txt blk04022.txt blk04023.txt blk04024.txt blk04025.txt blk04026.txt blk04027.txt blk04028.txt blk04029.txt blk04030.txt blk04031.txt blk04032.txt blk04033.txt blk04034.txt blk04035.txt blk04036.txt blk04037.txt blk04038.txt blk04039.txt blk04040.txt blk04041.txt blk04042.txt blk04043.txt blk04044.txt blk04045.txt blk04046.txt blk04047.txt blk04048.txt blk04049.txt blk04050.txt blk04051.txt blk04052.txt blk04053.txt blk04054.txt blk04055.txt blk04056.txt blk04057.txt blk04058.txt blk04059.txt blk04060.txt blk04061.txt blk04062.txt blk04063.txt blk04064.txt blk04065.txt blk04066.txt blk04067.txt blk04068.txt blk04069.txt blk04070.txt blk04071.txt blk04072.txt blk04073.txt blk04074.txt blk04075.txt blk04076.txt blk04077.txt blk04078.txt blk04079.txt blk04080.txt blk04081.txt blk04082.txt blk04083.txt blk04084.txt blk04085.txt blk04086.txt blk04087.txt blk04088.txt blk04089.txt blk04090.txt blk04091.txt blk04092.txt blk04093.txt blk04094.txt blk04095.txt blk04096.txt blk04097.txt blk04098.txt blk04099.txt blk04100.txt blk04101.txt blk04102.txt blk04103.txt blk04104.txt blk04105.txt blk04106.txt blk04107.txt blk04108.txt blk04109.txt blk04110.txt blk04111.txt blk04112.txt blk04113.txt blk04114.txt blk04115.txt blk04116.txt blk04117.txt blk04118.txt blk04119.txt blk04120.txt blk04121.txt blk04122.txt blk04123.txt blk04124.txt blk04125.txt blk04126.txt blk04127.txt blk04128.txt blk04129.txt blk04130.txt 
blk04131.txt blk04132.txt blk04133.txt blk04134.txt blk04135.txt blk04136.txt blk04137.txt blk04138.txt blk04139.txt blk04140.txt blk04141.txt blk04142.txt blk04143.txt blk04144.txt blk04145.txt blk04146.txt blk04147.txt blk04148.txt blk04149.txt blk04150.txt blk04151.txt blk04152.txt blk04153.txt blk04154.txt blk04155.txt blk04156.txt blk04157.txt blk04158.txt blk04159.txt blk04160.txt blk04161.txt blk04162.txt blk04163.txt blk04164.txt blk04165.txt blk04166.txt blk04167.txt blk04168.txt blk04169.txt blk04170.txt blk04171.txt blk04172.txt blk04173.txt blk04174.txt blk04175.txt blk04176.txt blk04177.txt Show all files
Advertisement: